R/AR系列路由器IPSec/IKE多实例配置举例

关键词:
功能需求

R/AR系列路由器IPSec/IKE多实例配置举例

 

一、组网要求

MPLS网络中需要对PECE进行IPSec加密。

 

二、网络结构

 

三、配置

VPN1-CE1配置

#

sysname CE1

#

ike peer test

pre-shared-key huawei

remote-address 21.21.21.1

#

ipsec proposal prop

#

ipsec policy map 1 isakmp

security acl 3000

ike-peer test

proposal prop

#

acl number 3000

rule 0 permit ip source 32.32.32.0 0.0.0.255 destination 33.33.33.0 0.0.0.255

#

interface Ethernet0/1

port link-mode route

ip address 21.21.21.2 255.255.255.0

ipsec policy map

#

interface LoopBack1

ip address 32.32.32.1 255.255.255.255

#

ip route-static 0.0.0.0 0.0.0.0 21.21.21.1

ip route-static 33.33.33.0 255.255.255.0 21.21.21.1

#

PE1配置

#

sysname PE1

#

mpls lsr-id 100.100.100.1

#

mpls

#

mpls ldp

#

ip vpn-instance vrf1

route-distinguisher 100:1

vpn-target 100:1 export-extcommunity

vpn-target 100:1 import-extcommunity

#

ike peer test

pre-shared-key huawei

remote-address 21.21.21.2

#

ipsec proposal prop

#

ipsec policy map 1 isakmp

security acl 3000

ike-peer test

proposal prop

#

acl number 3000

rule 0 permit ip vpn-instance vrf1 source 33.33.33.0 0.0.0.255 destination 32.32.32.0 0.0.0.255

#

interface Ethernet0/0/0

ip address 41.41.41.1 255.255.255.0

mpls

mpls ldp enable

#

interface Ethernet0/0/1

ip binding vpn-instance vrf1

ip address 21.21.21.1 255.255.255.0

ipsec policy map

#

interface LoopBack0

ip address 100.100.100.1 255.255.255.255

#

bgp 100

undo synchronization

group g1 internal

peer 100.100.100.2 group g1

peer 100.100.100.2 connect-interface LoopBack0

#

ipv4-family vpn-instance vrf1

import-route direct

import-route static

undo synchronization

#

ipv4-family vpnv4

peer g1 enable

peer 100.100.100.2 group g1

#

ospf 1

area 0.0.0.0

network 41.41.41.0 0.0.0.255

network 100.100.0.0 0.0.255.255

#

ip route-static vpn-instance vrf1 32.32.32.0 255.255.255.0 21.21.21.2  preferen

ce 60

#

PE2配置

#

sysname PE2

#

mpls lsr-id 100.100.100.2

#

mpls

#

mpls ldp

#

ip vpn-instance vrf1

route-distinguisher 100:1

vpn-target 100:1 export-extcommunity

vpn-target 100:1 import-extcommunity

#

interface Ethernet0/0

ip address 41.41.41.2 255.255.255.0

mpls

mpls ldp enable

#

interface Ethernet0/1

ip binding vpn-instance vrf1

ip address 51.51.51.2 255.255.255.0

#

interface LoopBack0

ip address 100.100.100.2 255.255.255.255

#

bgp 100

undo synchronization

group gl internal

peer 100.100.100.1 group gl

peer 100.100.100.1 connect-interface LoopBack0

#

ipv4-family vpn-instance vrf1

import-route direct

import-route static

undo synchronization

#

ipv4-family vpnv4

peer gl enable

peer 100.100.100.1 group gl

#

ospf 1

area 0.0.0.0

network 41.41.41.0 0.0.0.255

network 100.100.0.0 0.0.255.255

#

ip route-static vpn-instance vrf1 33.33.33.0 255.255.255.0 51.51.51.1  preferen

ce 60

#

VPN1-CE3配置

#

sysname CE2

#

interface Ethernet0/0

ip address 51.51.51.1 255.255.255.0

#

interface LoopBack1

ip address 33.33.33.1 255.255.255.255

#

ip route-static 0.0.0.0 0.0.0.0 51.51.51.2 preference 60

ip route-static 32.32.32.0 255.255.255.0 51.51.51.2 preference 60

#

VPN-CE2参见VPN-CE1VPN-CE4参见VPN-CE3

配置注意PE1上对入IPSec的报文设置ACL的时候vpn-instance指定VPN实例。

 

四、验证

1.查看VRF1的私网路由是否建立

[PE1]dis ip rou vpn vrf1

vrf1   Route Information

Routing Table:  vrf1   Route-Distinguisher:   100:1

Destination/Mask   Protocol Pre  Cost        Nexthop         Interface

21.21.21.0/24      DIRECT   0    0           21.21.21.1      Ethernet0/0/1

21.21.21.1/32      DIRECT   0    0           127.0.0.1       InLoopBack0

32.32.32.0/24      STATIC   60   0           21.21.21.2      Ethernet0/0/1

33.33.33.0/24      BGP      256  0           100.100.100.2   InLoopBack0

51.51.51.0/24      BGP      256  0           100.100.100.2   InLoopBack0

 

<PE2>dis ip rou vpn vrf1

vrf1   Route Information

Routing Table:  vrf1   Route-Distinguisher:   100:1

Destination/Mask   Protocol Pre  Cost        Nexthop         Interface

21.21.21.0/24      BGP      256  0           100.100.100.1   InLoopBack0

32.32.32.0/24      BGP      256  0           100.100.100.1   InLoopBack0

33.33.33.0/24      STATIC   60   0           51.51.51.1      Ethernet0/1

51.51.51.0/24      DIRECT   0    0           51.51.51.2      Ethernet0/1

51.51.51.2/32      DIRECT   0    0           127.0.0.1       InLoopBack0

 

2.查看ipsec sa建立情况:

 [CE1]dis ike sa

total phase-1 SAs:  1

connection-id  peer            flag        phase   doi

----------------------------------------------------------

3          21.21.21.1      RD|ST         2     IPSEC

2          21.21.21.1      RD|ST         1     IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT

[CE1]dis ipsec sa

===============================

Interface: Ethernet0/1

path MTU: 1500

===============================

-----------------------------

IPsec policy name: "map"

sequence number: 1

mode: isakmp

-----------------------------

connection id: 3

encapsulation mode: tunnel

perfect forward secrecy: None

tunnel:

local  address: 21.21.21.2

remote address: 21.21.21.1

flow:    (5 times matched)

sour addr: 32.32.32.0/255.255.255.0  port: 0  protocol: IP

dest addr: 33.33.33.0/255.255.255.0  port: 0  protocol: IP

[inbound ESP SAs]

spi: 1876033376 (0x6fd1ff60)

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/2999

max received sequence-number: 4

udp encapsulation used for nat traversal: N

[outbound ESP SAs]

spi: 3601361327 (0xd6a869af)

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/2999

max sent sequence-number: 5

udp encapsulation used for nat traversal: N

 

[PE1]dis ipsec tunnel

------------------------------------------------

Connection ID : 3

Perfect forward secrecy: None

SA's SPI :

Inbound :  3601361327 (0xd6a869af) [ESP]

Outbound : 1876033376 (0x6fd1ff60) [ESP]

Tunnel :

Local Address:  21.21.21.1  Remote Address : 21.21.21.2

Flow :     (8 times matched)

Sour Addr : 33.33.33.0/255.255.255.0  Port: 0  Protocol : IP

Dest Addr : 32.32.32.0/255.255.255.0  Port: 0  Protocol : IP

 

3.CE1ping验证:ping -a 32.32.32.1 33.33.33.1

 

 

案例信息

案例类型:典型配置
案例号:KMS - 11263
创建时间:2007年5月28日
更新时间:2007年5月29日
发布时间:2007/5/29 10:03:43
文章密级:游客可见
有效期:长期有效
发布者:赵刚 [z03320]
点击次数:449
评论平均得分:0
关键词:
产品线:中低端路由器
产品系列:
产品版本:
技术分类:

常用操作
收藏