
IPSEC over GRE with BGP

Published: 2024-11-26  Author: 千家信息网 editor  (last updated 2024-11-26)

【Lab topology and software】

The switches used in this lab are the H3C simulator, which can be downloaded from: http://forum.h4c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 . Interested readers can get it from the forum.

【Requirements】

R2 and R4 establish an EBGP neighbor relationship; both neighbor addresses are the Tunnel interface addresses, and the packets that traverse the tunnel interface must be IPsec-encrypted!

【Configuration】

R2

vlan 1024
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r4
 pre-shared-key simple 1234567
 remote-address 192.168.24.4
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r4
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.11.0 0.0.0.255
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.255
#
interface Vlan-interface1024
 ip address 192.168.28.2 255.255.255.0
#
interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 source 192.168.28.2
 destination 192.168.48.4
 ipsec policy jc
#
bgp 65001
 network 192.168.1.1 255.255.255.255
 undo synchronization
 peer 192.168.24.4 as-number 65002
#
ip route-static 0.0.0.0 0.0.0.0 192.168.28.8

SW4

#
interface Vlan-interface1024
 ip address 192.168.28.8 255.255.255.0
#
interface Vlan-interface1044
 ip address 192.168.48.8 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
 port access vlan 1024
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
 port access vlan 1044

R4

#
vlan 1044
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r2
 pre-shared-key simple 1234567
 remote-address 192.168.24.2
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r2
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 172.16.11.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
interface Serial0/6/0
 link-protocol ppp
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.11.1 255.255.255.255
#
interface Vlan-interface1044
 ip address 192.168.48.4 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
 port access vlan 1044
#
interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 source 192.168.48.4
 destination 192.168.28.2
 ipsec policy jc
#
bgp 65002
 network 192.168.11.1 255.255.255.255
 undo synchronization
 peer 192.168.24.2 as-number 65001
#
ip route-static 0.0.0.0 0.0.0.0 192.168.48.8
#
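As an added example that is not part of the original post, the Python script below re-implements the wildcard-mask matching of R2's ACL 3000 and checks which of this lab's flows are actually selected for IPsec: the loopback traffic 192.168.1.0/24 -> 192.168.11.0/24 is protected, while the EBGP session between the Tunnel0 addresses 192.168.24.2 and 192.168.24.4 matches no rule and therefore crosses the GRE tunnel unencrypted, even though the requirement above asks for all tunnel traffic to be encrypted. It assumes first-match evaluation in configuration order and that unmatched traffic is forwarded without IPsec; the function names and the FLOWS table are my own.

```python
# Added example (not from the original post): check which flows the R2 crypto ACL
# (acl number 3000) selects for IPsec on Tunnel0. Assumes rules are evaluated in
# configuration order, first match wins, and a flow no rule permits is not
# selected for IPsec: it still crosses the GRE tunnel, just unencrypted.
import re
from ipaddress import IPv4Address

# ACL 3000 exactly as configured on R2 in this post.
ACL_3000_R2 = """
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.11.0 0.0.0.255
"""
# Only the "rule N permit|deny ip source A WC destination B WC" form is handled.
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)$")

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(text):
    """Return [(rule_id, action, src, src_wc, dst, dst_wc)] in configuration order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, action, src, swc, dst, dwc = m.groups()
        rules.append((int(rid), action, src, swc, dst, dwc))
    return rules

def acl_selects(rules, src, dst):
    """True if the first matching rule permits (src, dst), i.e. IPsec protects it."""
    for _rid, action, base_s, wc_s, base_d, wc_d in rules:
        if wildcard_match(src, base_s, wc_s) and wildcard_match(dst, base_d, wc_d):
            return action == "permit"
    return False  # no match: forwarded through the GRE tunnel without IPsec

# Flows visible on this page (constructed from the post's configuration): the
# loopback ping and the EBGP session between the two Tunnel0 addresses.
FLOWS = {
    "ping 192.168.1.1 -> 192.168.11.1": ("192.168.1.1", "192.168.11.1"),
    "ebgp 192.168.24.2 -> 192.168.24.4": ("192.168.24.2", "192.168.24.4"),
}

if __name__ == "__main__":
    rules = parse_acl(ACL_3000_R2)
    for name, (src, dst) in FLOWS.items():
        print(f"{name}: {'IPsec-protected' if acl_selects(rules, src, dst) else 'cleartext GRE only'}")
```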

【Verification】

Check the IKE and IPsec SAs

dis ike sa
 total phase-1 SAs:  0
 connection-id  peer            flag   phase  doi
 ----------------------------------------------------------

dis ipsec sa

No SA exists yet, because no packets have matched so far.

ping -a 192.168.1.1 192.168.11.1
 PING 192.168.11.1: 56  data bytes, press CTRL_C to break
   Request time out
   Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=255 time=50 ms
   Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=255 time=44 ms
   Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=255 time=45 ms
   Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=255 time=50 ms

 --- 192.168.11.1 ping statistics ---
   5 packet(s) transmitted
   4 packet(s) received
   20.00% packet loss
   round-trip min/avg/max = 44/47/50 ms

dis ike sa
 total phase-1 SAs:  1
 connection-id  peer            flag   phase  doi
 ----------------------------------------------------------
 6              192.168.24.4    RD|ST  2      IPSEC
 5              192.168.24.4    RD|ST  1      IPSEC
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

dis ipsec sa
===============================
Interface: Tunnel0
    path MTU: 1476
===============================
  -----------------------------
  IPsec policy name: "jc"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 192.168.24.2
        remote address: 192.168.24.4
    Flow :
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3588
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3588
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N

dis ike sa
 total phase-1 SAs:  1
 connection-id  peer            flag   phase  doi
 ----------------------------------------------------------
 4              192.168.24.2    RD     2      IPSEC
 3              192.168.24.2    RD     1      IPSEC
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

dis ipsec sa
===============================
Interface: Tunnel0
    path MTU: 1476
===============================
  -----------------------------
  IPsec policy name: "jc"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 192.168.24.4
        remote address: 192.168.24.2
    Flow :
        sour addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 645607044 (0x267b2e84)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3523
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2478830021 (0x93bff1c5)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436464/3523
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
