R/AR Series Router IPSec/IKE Multi-Instance Configuration Example
I. Networking Requirements
In an MPLS VPN network, the traffic between a PE and its CE must be protected with IPSec.
II. Network Topology
Topology as used by the configurations below: CE1 (Ethernet0/1, 21.21.21.2; LoopBack1 32.32.32.1) connects to PE1 (Ethernet0/0/1, 21.21.21.1, bound to vpn-instance vrf1). PE1 (Ethernet0/0/0, 41.41.41.1; LoopBack0 100.100.100.1) and PE2 (Ethernet0/0, 41.41.41.2; LoopBack0 100.100.100.2) run OSPF, MPLS LDP and an MP-iBGP VPNv4 session in AS 100. PE2 (Ethernet0/1, 51.51.51.2, bound to vrf1) connects to CE3 (Ethernet0/0, 51.51.51.1; LoopBack1 33.33.33.1). The IPSec tunnel between CE1 and PE1 protects traffic between 32.32.32.0/24 and 33.33.33.0/24; the PE2-CE3 link carries it unencrypted in this example.
III. Configuration
VPN1-CE1 configuration
#
sysname CE1
#
ike peer test
pre-shared-key huawei
remote-address 21.21.21.1
#
ipsec proposal prop
#
ipsec policy map 1 isakmp
security acl 3000
ike-peer test
proposal prop
#
acl number 3000
rule 0 permit ip source 32.32.32.0 0.0.0.255 destination 33.33.33.0 0.0.0.255
#
interface Ethernet0/1
port link-mode route
ip address 21.21.21.2 255.255.255.0
ipsec policy map
#
interface LoopBack1
ip address 32.32.32.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 21.21.21.1
ip route-static 33.33.33.0 255.255.255.0 21.21.21.1
#
PE1 configuration
#
sysname PE1
#
mpls lsr-id 100.100.100.1
#
mpls
#
mpls ldp
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
ike peer test
pre-shared-key huawei
remote-address 21.21.21.2
#
ipsec proposal prop
#
ipsec policy map 1 isakmp
security acl 3000
ike-peer test
proposal prop
#
acl number 3000
rule 0 permit ip vpn-instance vrf1 source 33.33.33.0 0.0.0.255 destination 32.32.32.0 0.0.0.255
#
interface Ethernet0/0/0
ip address 41.41.41.1 255.255.255.0
mpls
mpls ldp enable
#
interface Ethernet0/0/1
ip binding vpn-instance vrf1
ip address 21.21.21.1 255.255.255.0
ipsec policy map
#
interface LoopBack0
ip address 100.100.100.1 255.255.255.255
#
bgp 100
undo synchronization
group g1 internal
peer 100.100.100.2 group g1
peer 100.100.100.2 connect-interface LoopBack0
#
ipv4-family vpn-instance vrf1
import-route direct
import-route static
undo synchronization
#
ipv4-family vpnv4
peer g1 enable
peer 100.100.100.2 group g1
#
ospf 1
area 0.0.0.0
network 41.41.41.0 0.0.0.255
network 100.100.0.0 0.0.255.255
#
ip route-static vpn-instance vrf1 32.32.32.0 255.255.255.0 21.21.21.2 preference 60
#
PE2 configuration
#
sysname PE2
#
mpls lsr-id 100.100.100.2
#
mpls
#
mpls ldp
#
ip vpn-instance vrf1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
interface Ethernet0/0
ip address 41.41.41.2 255.255.255.0
mpls
mpls ldp enable
#
interface Ethernet0/1
ip binding vpn-instance vrf1
ip address 51.51.51.2 255.255.255.0
#
interface LoopBack0
ip address 100.100.100.2 255.255.255.255
#
bgp 100
undo synchronization
group g1 internal
peer 100.100.100.1 group g1
peer 100.100.100.1 connect-interface LoopBack0
#
ipv4-family vpn-instance vrf1
import-route direct
import-route static
undo synchronization
#
ipv4-family vpnv4
peer g1 enable
peer 100.100.100.1 group g1
#
ospf 1
area 0.0.0.0
network 41.41.41.0 0.0.0.255
network 100.100.0.0 0.0.255.255
#
ip route-static vpn-instance vrf1 33.33.33.0 255.255.255.0 51.51.51.1 preference 60
#
VPN1-CE3 configuration
#
sysname CE3
#
interface Ethernet0/0
ip address 51.51.51.1 255.255.255.0
#
interface LoopBack1
ip address 33.33.33.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 51.51.51.2 preference 60
ip route-static 32.32.32.0 255.255.255.0 51.51.51.2 preference 60
#
The configuration of VPN-CE2 follows the VPN-CE1 pattern, and VPN-CE4 follows VPN-CE3.
Configuration note: when defining the ACL on PE1 that selects the traffic to be protected by IPSec, use the vpn-instance keyword to bind the rule to the VPN instance (rule 0 permit ip vpn-instance vrf1 ...). A rule without this keyword applies only to packets in the public routing instance, so traffic in vrf1 arriving on Ethernet0/0/1 would never match the policy and would be forwarded unprotected. The ACLs at the two ends must also mirror each other: CE1 selects 32.32.32.0/24 to 33.33.33.0/24 and PE1 selects 33.33.33.0/24 to 32.32.32.0/24. The pre-shared key huawei and the proposal left at its defaults are placeholders for this example; use a strong pre-shared key and explicitly configured algorithms in production.
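As an added check for the note above (example code written for this page, not part of the original configuration example or any vendor tool), the following Python script parses the ACL 3000 stanzas copied from the CE1 and PE1 configurations, reports whether the PE rule carries the expected vpn-instance keyword, and checks that the two rules are mirror images of each other. The ACL text is taken from the configurations above; the third stanza, with the keyword removed, is constructed to show what the check reports in that case. Function and variable names are the example's own.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed input: the ACL 3000 stanzas copied from the CE1 and PE1
# configurations above.
CE1_ACL = """\
acl number 3000
 rule 0 permit ip source 32.32.32.0 0.0.0.255 destination 33.33.33.0 0.0.0.255
"""

PE1_ACL = """\
acl number 3000
 rule 0 permit ip vpn-instance vrf1 source 33.33.33.0 0.0.0.255 destination 32.32.32.0 0.0.0.255
"""

# Constructed variant: the PE rule with the vpn-instance keyword left out.
PE1_ACL_NO_VRF = """\
acl number 3000
 rule 0 permit ip source 33.33.33.0 0.0.0.255 destination 32.32.32.0 0.0.0.255
"""


class AclRule(NamedTuple):
    action: str
    vpn_instance: Optional[str]   # None when the rule names no VPN instance
    src: str
    src_wild: str
    dst: str
    dst_wild: str


# "rule <n> permit|deny ip [vpn-instance <name>] source A W destination B W"
RULE_RE = re.compile(
    r"rule\s+\d+\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+vpn-instance\s+(?P<vpn>\S+))?"
    r"\s+source\s+(?P<src>\S+)\s+(?P<srcw>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dstw>\S+)"
)


def parse_rules(acl_text: str) -> list[AclRule]:
    """Extract the IP rules of an advanced ACL stanza, in configured order."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(AclRule(m["action"], m["vpn"], m["src"], m["srcw"],
                                 m["dst"], m["dstw"]))
    return rules


def is_mirror(ce: AclRule, pe: AclRule) -> bool:
    """True when the PE rule is the CE rule with source and destination swapped."""
    return (ce.src, ce.src_wild, ce.dst, ce.dst_wild) == \
           (pe.dst, pe.dst_wild, pe.src, pe.src_wild)


def check_pair(ce_acl: str, pe_acl: str, vrf: str) -> list[str]:
    """Return the problems found in a CE/PE ACL pair; an empty list means OK."""
    problems = []
    ce_rules, pe_rules = parse_rules(ce_acl), parse_rules(pe_acl)
    if len(ce_rules) != len(pe_rules):
        problems.append(f"rule count differs: CE {len(ce_rules)}, PE {len(pe_rules)}")
    for ce, pe in zip(ce_rules, pe_rules):
        if pe.vpn_instance != vrf:
            problems.append(
                f"PE rule {pe.src}->{pe.dst} does not specify 'vpn-instance {vrf}': "
                f"packets in {vrf} will not match the IPSec policy")
        if not is_mirror(ce, pe):
            problems.append(
                f"CE rule {ce.src}->{ce.dst} and PE rule {pe.src}->{pe.dst} "
                "are not mirror images")
    return problems


if __name__ == "__main__":
    for name, pe_text in (("PE1", PE1_ACL),
                          ("PE1 without vpn-instance", PE1_ACL_NO_VRF)):
        found = check_pair(CE1_ACL, pe_text, "vrf1")
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

The check is deliberately strict about order: rules are compared pairwise in configured position, which is how the two policies are meant to be written on a CE/PE pair.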
IV. Verification
1. Check that the private routes of vrf1 have been established:
[PE1]dis ip rou vpn vrf1
vrf1 Route Information
Routing Table: vrf1        Route-Distinguisher: 100:1
Destination/Mask   Protocol  Pre  Cost  Nexthop        Interface
21.21.21.0/24      DIRECT    0    0     21.21.21.1     Ethernet0/0/1
21.21.21.1/32      DIRECT    0    0     127.0.0.1      InLoopBack0
32.32.32.0/24      STATIC    60   0     21.21.21.2     Ethernet0/0/1
33.33.33.0/24      BGP       256  0     100.100.100.2  InLoopBack0
51.51.51.0/24      BGP       256  0     100.100.100.2  InLoopBack0
<PE2>dis ip rou vpn vrf1
vrf1 Route Information
Routing Table: vrf1        Route-Distinguisher: 100:1
Destination/Mask   Protocol  Pre  Cost  Nexthop        Interface
21.21.21.0/24      BGP       256  0     100.100.100.1  InLoopBack0
32.32.32.0/24      BGP       256  0     100.100.100.1  InLoopBack0
33.33.33.0/24      STATIC    60   0     51.51.51.1     Ethernet0/1
51.51.51.0/24      DIRECT    0    0     51.51.51.2     Ethernet0/1
51.51.51.2/32      DIRECT    0    0     127.0.0.1      InLoopBack0
2. Check that the IKE and IPSec SAs have been established. Note that the proposal in this example is left at its defaults, which the router negotiates as ESP with DES encryption and MD5 authentication and no PFS, as the output below shows; this is enough to demonstrate the multi-instance setup but not acceptable for production, where the proposal and policy should specify stronger algorithms and PFS.
[CE1]dis ike sa
total phase-1 SAs: 1
connection-id   peer           flag     phase   doi
----------------------------------------------------------
3               21.21.21.1     RD|ST    2       IPSEC
2               21.21.21.1     RD|ST    1       IPSEC
flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
[CE1]dis ipsec sa
===============================
Interface: Ethernet0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 21.21.21.2
remote address: 21.21.21.1
flow: (5 times matched)
sour addr: 32.32.32.0/255.255.255.0 port: 0 protocol: IP
dest addr: 33.33.33.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1876033376 (0x6fd1ff60)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/2999
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3601361327 (0xd6a869af)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/2999
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
[PE1]dis ipsec tunnel
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 3601361327 (0xd6a869af) [ESP]
Outbound : 1876033376 (0x6fd1ff60) [ESP]
Tunnel :
Local Address: 21.21.21.1 Remote Address : 21.21.21.2
Flow : (8 times matched)
Sour Addr : 33.33.33.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 32.32.32.0/255.255.255.0 Port: 0 Protocol : IP
3. Verify connectivity from CE1 with a ping sourced from LoopBack1, so that the packets fall within ACL 3000 and trigger the IKE negotiation: ping -a 32.32.32.1 33.33.33.1
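The verification steps above can be automated. The Python script below is an added example for this page, not a vendor tool or part of the original document: it parses the display ipsec sa output from CE1 and the display ipsec tunnel output from PE1 shown above, confirms that the two ends describe the same SA pair (CE1's inbound SPI 0x6fd1ff60 is PE1's outbound SPI and vice versa, and the flow selectors are mirror images), and lists the weak settings visible in the output. The sample text is copied from the output above, trimmed to the lines the check needs; the function names and the set of algorithms treated as weak are the example's own choices.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed input: "display ipsec sa" from CE1 and "display ipsec tunnel"
# from PE1, copied from the verification output above.
CE1_IPSEC_SA = """\
Interface: Ethernet0/1
IPsec policy name: "map"
sequence number: 1
mode: isakmp
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 21.21.21.2
remote address: 21.21.21.1
flow: (5 times matched)
sour addr: 32.32.32.0/255.255.255.0 port: 0 protocol: IP
dest addr: 33.33.33.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1876033376 (0x6fd1ff60)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
[outbound ESP SAs]
spi: 3601361327 (0xd6a869af)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""

PE1_IPSEC_TUNNEL = """\
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 3601361327 (0xd6a869af) [ESP]
Outbound : 1876033376 (0x6fd1ff60) [ESP]
Tunnel :
Local Address: 21.21.21.1 Remote Address : 21.21.21.2
Flow : (8 times matched)
Sour Addr : 33.33.33.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 32.32.32.0/255.255.255.0 Port: 0 Protocol : IP
"""

HEX_SPI_RE = re.compile(r"\(0x([0-9a-f]+)\)")

# Algorithm tokens this check treats as weak (the example's own list).
WEAK_TOKENS = {"esp-encrypt-des", "esp-auth-md5"}


def parse_sa(text: str) -> dict:
    """Pull SPIs, flow selectors, PFS and proposals out of either display format."""
    sa = {"inbound": None, "outbound": None, "pfs": None,
          "proposal": set(), "src": None, "dst": None}
    direction: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        # CE format: "[inbound ESP SAs]" then "spi: ... (0x..)" on the next line;
        # PE format: "Inbound : ... (0x..) [ESP]" on one line. Either way, the
        # first hex SPI seen after a direction marker belongs to that direction.
        if line.startswith(("[inbound", "inbound")):
            direction = "inbound"
        elif line.startswith(("[outbound", "outbound")):
            direction = "outbound"
        m = HEX_SPI_RE.search(line)
        if m and direction and sa[direction] is None:
            sa[direction] = int(m.group(1), 16)
        if line.startswith("perfect forward secrecy"):
            sa["pfs"] = line.split(":", 1)[1].strip()
        elif line.startswith("proposal:"):
            sa["proposal"].update(line.split(":", 1)[1].split())
        elif line.startswith("sour addr"):
            sa["src"] = line.split(":", 1)[1].split()[0]
        elif line.startswith("dest addr"):
            sa["dst"] = line.split(":", 1)[1].split()[0]
    return sa


def tunnel_consistent(ce_text: str, pe_text: str) -> bool:
    """True when both ends describe the same SA pair: each side's inbound SPI
    is the other side's outbound SPI and the flow selectors are mirrored."""
    ce, pe = parse_sa(ce_text), parse_sa(pe_text)
    return (ce["inbound"] == pe["outbound"] and ce["outbound"] == pe["inbound"]
            and ce["src"] == pe["dst"] and ce["dst"] == pe["src"])


def weak_settings(text: str) -> list[str]:
    """Name the weak choices visible in one side's SA output."""
    sa = parse_sa(text)
    findings = [tok for tok in sorted(sa["proposal"]) if tok in WEAK_TOKENS]
    if sa["pfs"] in (None, "none"):
        findings.append("pfs-none")
    return findings


if __name__ == "__main__":
    print("tunnel consistent:", tunnel_consistent(CE1_IPSEC_SA, PE1_IPSEC_TUNNEL))
    print("weak settings on CE1:", weak_settings(CE1_IPSEC_SA))
```

The display ipsec tunnel output on PE1 does not list the negotiated proposal, so the algorithm check is only meaningful on output that includes the proposal lines, as the CE1 display ipsec sa output does.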