H3C device GRE over IPSec VPN
Published: Friday
1. Configure GRE to encapsulate the traffic between the private networks
2. Configure OSPF routing to learn the private-network routes
3. Configure NAT so that private-network users can reach public resources
4. Configure IPSec to encrypt the GRE-encapsulated traffic
RTA configuration
[RTA]dis cu
#
ike peer rtb
 pre-shared-key simple aabbcc
 remote-address 2.2.2.2                                    \\ public IP of the peer site
#
ipsec proposal pro
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 128
#
ipsec policy map 10 isakmp
 security acl 3001
 ike-peer rtb
 proposal pro
#
acl number 3000
 rule 20 permit ip source 192.168.1.0 0.0.0.255            \\ traffic that needs NAT
acl number 3001
 rule 10 permit ip source 1.1.1.2 0 destination 2.2.2.2 0  \\ interesting traffic: site-to-site public IPs
#
interface Ethernet0/1/1
 port link-mode route
 nat outbound 3000                                         \\ Easy NAT
 ip address 1.1.1.2 255.255.255.0
 ipsec policy map
#
interface Tunnel0                                          \\ GRE configuration
 tunnel-protocol gre
 ip address 10.1.1.1 255.255.255.0
 source 1.1.1.2
 destination 2.2.2.2
#
ospf 1                                                     \\ run OSPF to learn the GRE and private-network routes
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
RTB configuration
[RTB]dis cu
#
ike peer rta
 pre-shared-key simple aabbcc
 remote-address 1.1.1.2
#
ipsec proposal pro
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 128
#
ipsec policy map 10 isakmp
 security acl 3001
 ike-peer rta
 proposal pro
#
acl number 3000
 rule 20 permit ip source 192.168.2.0 0.0.0.255
acl number 3001
 rule 10 permit ip source 2.2.2.2 0 destination 1.1.1.2 0
#
interface Ethernet0/1/0
 port link-mode route
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/1/1
 port link-mode route
 nat outbound 3000
 ip address 2.2.2.2 255.255.255.0
 ipsec policy map
#
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 source 2.2.2.2
 destination 1.1.1.2
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
#
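The two sites only come up if the IKE remote-address, the GRE tunnel endpoints and the ACL 3001 interesting traffic mirror each other exactly, so the following added Python check (my own, not part of the article) parses Comware-style config text from both routers and reports any mismatch, plus the fact that `pre-shared-key simple` leaves the key readable in `display current-configuration`. The RTA/RTB strings are constructed excerpts of the configs above, trimmed to the lines the check uses; the `simple`/`cipher` keywords are those of the Comware `pre-shared-key` command.

```python
# Constructed excerpts of the RTA and RTB configs shown above (not a live device dump).
RTA = """ike peer rtb
 pre-shared-key simple aabbcc
 remote-address 2.2.2.2
acl number 3001
 rule 10 permit ip source 1.1.1.2 0 destination 2.2.2.2 0
interface Tunnel0
 source 1.1.1.2
 destination 2.2.2.2
"""
RTB = """ike peer rta
 pre-shared-key simple aabbcc
 remote-address 1.1.1.2
acl number 3001
 rule 10 permit ip source 2.2.2.2 0 destination 1.1.1.2 0
interface Tunnel0
 source 2.2.2.2
 destination 1.1.1.2
"""

def parse(cfg):
    """Pull the IKE peer, IPsec ACL and GRE endpoint fields out of Comware-style config text."""
    f, section = {}, ""
    for line in cfg.splitlines():
        w = line.split()
        if not w or not line.startswith(" "):          # a top-level line opens a new block
            section = " ".join(w[:3] if w[:1] == ["acl"] else w[:2])
            continue
        if section == "ike peer" and w[0] in ("remote-address", "pre-shared-key"):
            f[w[0]] = w[1:]                              # ['2.2.2.2'] or ['simple', 'aabbcc']
        elif section == "acl number 3001" and w[0] == "rule":   # IPsec interesting traffic
            f["acl"] = (w[w.index("source") + 1], w[w.index("destination") + 1])
        elif section == "interface Tunnel0" and w[0] in ("source", "destination"):
            f[w[0]] = w[1]
    return f

def check_pair(a, b):
    """Cross-check the two sites; returns a list of findings (empty means consistent)."""
    issues = []
    if a["remote-address"][0] != b["source"] or b["remote-address"][0] != a["source"]:
        issues.append("ike remote-address does not match the peer's gre tunnel source")
    if a["pre-shared-key"][1] != b["pre-shared-key"][1]:
        issues.append("pre-shared keys differ")
    for name, f in (("a", a), ("b", b)):
        if f["acl"] != (f["source"], f["destination"]):     # ACL must cover this side's GRE packets
            issues.append(f"{name}: acl 3001 does not match this side's gre endpoints")
        if f["pre-shared-key"][0] == "simple":               # key is stored and shown in plaintext
            issues.append(f"{name}: pre-shared-key stored as 'simple'; prefer 'cipher'")
    return issues
```

Run against the page's own configs the only findings are the two plaintext-key warnings; swapping either remote-address or an ACL endpoint adds a mismatch finding.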