51CTO下载-H3C SecPath防火墙GRE+IPSEC+OSPF典型配置举例.doc

H3C SecPath防火墙GREIPSECOSPF典型配置举例 2007-05-10 16:02 JOY 51CTO.com 我要评论() 摘要：此方案能够解决分支机构的IP地址是通过ISP动态获取，而且Secpath网关互相备份，同时在GRE封装上实现ipsec加密等多个需求。 标签：OSPFGREIPSEC配置防火墙SecPathH3C 此方案能够解决分支机构的IP地址是通过ISP动态获取，而且Secpath网关互相备份，同时在GRE封装上实现ipsec加密等多个需求。1. 组网需求分支机构的用户访问公司总部过程如下：分支机构的用户上网方式没有限制，拨号或者固定IP上网。分支机构的网关设备接口地址是动态获取的公司总部有两台SecPath，两台SecPath互相备份公司总部与分支机构之间的数据连接要求IPSEC加密3680模拟Internet，为分支结构动态分配IP地址2. 组网图3. 配置步骤(1)2630的配置# sysname Quidway# ike local-name client# /由于2630要与SecPath1与SecPath2都建立GRE连接，所以需要建立两个ike协商ike peer 1 /ike对等体的名字为1 exchange-mode aggressive pre-shared-key 1 /配置身份验证字为1 id-type name /使用name方式作为ike协商的ID类型 remote-name 1 /指定对端的name，也就是SecPath1的name remote-address /指定对端的IP地址 nat traversal#ike peer 2 /第二个ike exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address nat traversal#ipsec proposal 1 /配置一个安全提议，使用默认的安全提议参数#ipsec policy 1 1 isakmp /使用IKE创建第一个安全策略，第一个1是安全策略组的名字，第二个1是安全策略的序列号 security acl 3000 /引用访问控制列表3000 ike-peer 1 /引用ike对等体1，注意1是ike对等体的名字，而不是编号 proposal 1 /引用安全提议1#ipsec policy 1 2 isakmp/使用IKE创建第二个安全策略，安全策略组的名字为1 security acl 3001 ike-peer 2 proposal 1#controller T1 2/0#controller T1 2/1#interface Virtual-Template1 /l2tp配置使用虚拟模板用于配置动态创建的虚接口的参数 ip address #interface Aux0 async mode flow link-protocol ppp#interface Dialer1 /创建一个共享式拨号接口1 link-protocol ppp /拨号接口封装的链路层协议为PPP mtu 1450 ip address ppp-negotiate /拨号接口的地址采用PPP协商方式得到 dialer user test /配置呼叫对端的用户 dialer bundle 1 /创建拨号接口池1 ipsec policy 1#interface Ethernet0/0 pppoe-client dial-bundle-number 1 /pppoe client配置在以太网接口上配置，也可以在virtual-ethernet上配置，此配置是配置pppoe会话，一个拨号接口对应创建一个pppoe会话#interface Tunnel0 ip address source destination ospf cost 100#interface Tunnel1 ip address source destination ospf cost 99#interface NULL0#interface LoopBack0 /这里配置loopback解决的目的是为了给tunnel接口配置源ip地址 ip address 55#acl number 3000 rule 0 permit ip source 0 destination 0acl number 3001 rule 0 permit ip source 0 destination 0#ospf 1 area network 55 network 55 network 55# ip route-static Dialer 1 preference 60#user-interface con 0user-interface aux 0user-interface vty 0 4#return(2)3640的配置# sysname Quidway# ike local-name client#ike peer 1 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 1 remote-address nat traversal#ike peer 2 exchange-mode aggressive pre-shared-key 1 id-type name remote-name 2 remote-address nat traversal#ipsec proposal 1#ipsec policy 1 1 isakmp security acl 3000 ike-peer 1 proposal 1#ipsec policy 1 2 isakmp security acl 3001 ike-peer 2 proposal 1#interface Virtual-Template1 ip address #interface Aux0 async mode flow link-protocol ppp#interface Dialer1 link-protocol ppp ppp pap local-user 1 password simple 1 mtu 1450 ip address ppp-negotiate dialer user test dialer bundle 1 ipsec policy 1#interface Ethernet2/0 pppoe-client dial-bundle-number 1#interface Ethernet2/1#interface Ethernet3/0#interface Serial0/0 link-protocol ppp#interface Serial0/1 clock DTECLK1 link-protocol ppp#interface GigabitEthernet1/0#interface Tunnel0 ip address source destination ospf cost 100#interface Tunnel1 ip address source destination ospf cost 99#interface Tunnel9#interface NULL0#interface LoopBack0 ip address 55#acl number 3000 rule 0 permit ip source 0 destination 0acl number 3001 rule 0 permit ip source 0 destination 0#ospf 1 area network 55 network 55 network 55# ip route-static Dialer 1 preference 60#user-interface con 0user-interface aux 0user-interface vty 0 4#(3)3680的配置 /主要进行PPPOE Server的配置 sysname Quidway#interface Virtual-Template1 /一个虚模板对应一个pppoe client ip address remote address #interface Virtual-Template2 ip address remote address #interface Aux0 async mode flow link-protocol ppp#interface Ethernet0/0 ip address #interface Ethernet0/1 ip address #interface Ethernet4/0 pppoe-server bind Virtual-Template 1 /pppoe server必须关联一个虚模板#interface Ethernet7/0 pppoe-server bind Virtual-Template 2#interface Serial5/0 link-protocol ppp#interface Serial5/1 clock DTECLK1 link-protocol ppp#interface NULL0#acl number 2000 rule 0 permit#user-interface con 0user-interface aux 0user-interface vty 0 4#return(4)SecPath1的配置 sysname Quidway# ike local-name 1#ike peer 1 /ike配置 exchange-mode aggressive pre-shared-key 1 id-type name remote-name client nat traversal max-connections 10#ipsec proposal 1#ipsec policy-template tp 1 /使用安全策略模板创建安全策略 ike-peer 1 proposal 1#ipsec policy 1 1 isakmp template tp /在安全策略1中引用安全策略模板tp#interface Virtual-Template0 ip address #interface Aux0 async mode flow link-protocol ppp#interface GigabitEthernet0/0 ip address ipsec policy 1#interface GigabitEthernet0/1 ip address ospf cost 100#interface Tunnel0 ip address #interface Tunnel1 ip address #interface NULL0#interface LoopBack0 ip address 55#ospf 1 area network 55 network 55 network 55 network 55# ip route-static preference 60#user-interface con 0user-interface aux 0user-interface vty 0 4#return(5)SecPath2的配置 sysname Quidway# ike local-name 2#ike peer 1 exchange-mode aggressive pre-shared-key 1 id-type name remote-name client nat traversal max-connections 10#ipsec proposal 1#ipsec policy-template tp 1 ike-peer 1 proposal 1#ipsec policy 1 1 isakmp template tp#interface Virtual-Template1 ip address #interface Aux0 async mode flow link-protocol ppp#interface GigabitEthernet0/0 ip address ipsec policy 1#interface GigabitEthernet0/1 ip address ospf cost 99#interface Tunnel0 ip address #interface Tunnel1 ip address #interface NULL0#interface LoopBack0 ip address 55#ospf 1 area network 55 network