GRE试验:
<Huawei>system-view
Enter system view, return user view withCtrl+Z.
[Huawei]sysname AR1
[AR1]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address192.168.1.254 24
[AR1-GigabitEthernet0/0/2]quit
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address13.1.1.1 255.255.255.0
[AR1-GigabitEthernet0/0/0]quit
[AR1]ip route-static 0.0.0.0 0.0.0.013.1.1.3
[AR1]interface Tunnel 0/0/0
[AR1-Tunnel0/0/0]tunnel-protocol gre
[AR1-Tunnel0/0/0]source 13.1.1.1
[AR1-Tunnel0/0/0]destination 23.1.1.2
[AR1-Tunnel0/0/0]ip address 12.1.1.1 24
[AR1-Tunnel0/0/0]description 1to2
[AR1-Tunnel0/0/0]quit
[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network192.168.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 12.1.1.00.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
[AR1]interface Tunnel 0/0/0
[AR1-Tunnel0/0/0]keepalive period 3
[AR1-Tunnel0/0/0]quit
[AR1]
<Huawei>system-view
Enter system view, return user view withCtrl+Z.
[Huawei]sysname AR3
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address13.1.1.3 255.255.255.0
[AR3-GigabitEthernet0/0/0]quit
[AR3]interface GigabitEthernet 0/0/01
[AR3-GigabitEthernet0/0/1]ip address23.1.1.3 24
[AR3-GigabitEthernet0/0/1]quit
<Huawei>system-view
Enter system view, return user view withCtrl+Z.
[Huawei]sysname AR2
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address23.1.1.2 24
[AR2-GigabitEthernet0/0/1]quit
[AR2]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address172.16.2.254 24
[AR2-GigabitEthernet0/0/2]quit
[AR2]ip route-static 0.0.0.0 0.0.0.023.1.1.3
[AR2]interface Tunnel 0/0/0
[AR2-Tunnel0/0/0]tunnel-protocol gre
[AR2-Tunnel0/0/0]description 2to1
[AR2-Tunnel0/0/0]ip address 12.1.1.2 24
[AR2-Tunnel0/0/0]source 23.1.1.2
[AR2-Tunnel0/0/0]description
[AR2-Tunnel0/0/0]destination 13.1.1.1
[AR2-Tunnel0/0/0]quit
[AR2]ospf 1 router-id 2.2.2.2
[AR2-ospf-1-area-0.0.0.0]network 172.16.2.00.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 12.1.1.00.0.0.255
[AR2-ospf-1-area-0.0.0.0]quit
[AR2-ospf-1]quit
[AR2]interface Tunnel 0/0/0
[AR2-Tunnel0/0/0]keepalive period 3
[AR2-Tunnel0/0/0]quit
所有的数据包都是可以看到的
写静态:
Ip route-static 172.16.0.0.24 10.0.0.3(tunnel 0/0/1)
静态的出接口和下一跳都要写隧道口
IPSec试验命令
清除除了物理口的IP配置的所有配置
R1:
Acl 3000
Rule 5 permit ip so 192.168.0.0 0.0.0.255des 172.16.0.0 0.0.0.255
R2:
Acl 3000
Rule 5 permit ip so 172.16.0.0 0.0.0.255des 192.168.0.0 0.0.0.255
R1:
IPsec proposal R2
创建并配置IPsec提议,默认采用esp协议、MD5认证算法和隧道封装模式
Transform esp 配置隧道采用的安全协议(默认esp)
Encapsulation-mode tunnel 配置报文的封装模式
Esp authentication-algorithm sha2-256 配置ESP协议使用的认证算法(默认MD5-HMAC-96)
Esp encryption-algorithm aes-128 配置esp的加密算法(默认DES)
Display IPsec proposal 查看IPsec提议中的配置参数
Quit 安全提议配置完成
IPsec policy P1 10 manual (manual,手动协商,)
—(创建并配置IPsec策略(P1为名字,调用使用改名字,10为序列号,类似acl的序列号)
Security acl 3000 配置IPsec策略管理的acl
Proposal R2 关联提议shanghai
Tunnel local 12.0.0.2 配置安全隧道本端地址
Tunnel remote 13.0.0.3 配置安全隧道远端地址
Sa spi outbound esp 12345
Sa spi inbound esp 54321
——配置SA的SPI,入方向和出方向都必须设置,并且双方的必须互相对应(自动时不用配置)
Sa string-key outbound esp cipher wakout
Sa string-key inbound esp cipher wakin
配置SA的认证秘钥,入方向和出方向都必须设置,并且双方向必须对应(自动协商时不用配置)
quit 安全策略配置完成
inte g0/0/1(连接公网的接口)
ipsec policy P1(应用)
验证命令:
Display IPsec policy
未使用AH,所以AH不会显示东西
查看数据包出入情况display IPsec statistics esp
GRE&IPsec
配置:
单台路由器配置
Interface tunnel 0/0/1
Ip address 10.0.0.2 8
Tunnel-protocol gre
Source 12.0.0.2
Destination 13.0.0.3
Quit
Ospf启用,建立邻居
Acl 3000
Rule 5 permit gre so 12.0.0.2 0.0.0.0 des13.0.0.3 0.0.0.0 (使用匹配GRE)
IPsec配置不变
Interface g0/0/0(公网接口)
IPsec policy P1