- Project topology and requirements
Project requirements
An enterprise network uses OSPF as its IGP to interconnect the internal network; the area plan and IP plan are shown in the figure. The following requirements must be met:
- Traffic between the company headquarters and the branch must be carried over an IPSec VPN and encrypted; internal hosts access the public network directly, without encryption.
- Lab steps
Step 1: rename the devices and configure IP addresses
| Device | Interface | IP address |
| --- | --- | --- |
| AR1 | G0/0/0 | 100.1.1.1/24 |
| AR1 | G0/0/1 | 10.0.11.1/24 |
| AR3 | G0/0/0 | 64.1.1.3/24 |
| AR3 | G0/0/1 | 10.0.23.3/24 |
| AR2 | G0/0/0 | 100.1.1.2/24 |
| AR2 | G0/0/1 | 64.1.1.2/24 |
| AR2 | LoopBack0 | 100.100.100.100/32 (public-network exit) |
| LSW1 | Vlanif1 | 10.0.11.2/24 |
| LSW2 | Vlanif1 | 10.0.23.2/24 |
Step 2: create the VLANs as planned, bring up the VLANIF interfaces, and configure link types so the VLANs can communicate
LSW1 configuration
```
<Huawei>system-view
[Huawei]sysname LSW1
[LSW1]vlan batch 10 20
[LSW1]interface g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 10
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]interface g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20
[LSW1-GigabitEthernet0/0/3]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip address 192.168.1.254 24
[LSW1-Vlanif10]quit
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]ip address 192.168.2.254 24
```
LSW2 configuration
```
<Huawei>system-view
[Huawei]sysname LSW2
[LSW2]vlan batch 30 40
[LSW2]interface g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 30 40
[LSW2-GigabitEthernet0/0/1]quit
[LSW2]interface g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 30
[LSW2-GigabitEthernet0/0/2]quit
[LSW2]interface g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 40
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]interface Vlanif 30
[LSW2-Vlanif30]ip address 192.168.3.254 24
[LSW2-Vlanif30]quit
[LSW2]interface Vlanif 40
[LSW2-Vlanif40]ip address 192.168.4.254 24
```
The PCs are given static IP addresses; this is not covered further.
Step 2: configure OSPF for internal communication, and static routes so that AR1 and AR3 can reach each other
AR1 configuration
```
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
```
LSW1 configuration
```
[LSW1]ospf
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]quit
```
AR3 configuration
```
[AR3]ip route-static 0.0.0.0 0 64.1.1.2
```
Test connectivity:
```
[AR3]ping 100.1.1.1
PING 100.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 30/32/40 ms
[AR3]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=40 ms
--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/60 ms
```
Advertise a default route into OSPF so that the gateway devices have a route towards the remote site.
AR1:
```
[AR1-ospf-1]default-route-advertise always
```
AR3:
```
[AR3-ospf-1]default-route-advertise always
```
View LSW1's routing table:
```
[LSW1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   O_ASE   150  1           D   10.0.11.1       Vlanif1
     10.0.11.0/24   Direct  0    0           D   10.0.11.2       Vlanif1
     10.0.11.2/32   Direct  0    0           D   127.0.0.1       Vlanif1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.1.0/24   Direct  0    0           D   192.168.1.254   Vlanif10
 192.168.1.254/32   Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.2.0/24   Direct  0    0           D   192.168.2.254   Vlanif20
 192.168.2.254/32   Direct  0    0           D   127.0.0.1       Vlanif20
```
The table shows that the default route was advertised successfully (the 0.0.0.0/0 O_ASE entry pointing at AR1).
Step 3: configure the IPSec VPN
1. Use an ACL to match the traffic that needs to be encrypted
```
[AR1]acl number 3000
[AR1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR1-acl-adv-3000]rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3000]rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR3]acl number 3000
[AR3-acl-adv-3000]rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR3-acl-adv-3000]rule 15 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000]rule 20 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
```
2. Configure the IKE security association (negotiates the encryption and authentication parameters that protect the IPSec negotiation messages)
AR1 configuration
```
[AR1]ike proposal 1                              // create the IKE proposal
[AR1-ike-proposal-1]quit
[AR1]ike peer huawei v1
[AR1-ike-peer-huawei]ike-proposal 1              // reference the proposal created above
[AR1-ike-peer-huawei]pre-shared-key simple huawei // pre-shared key "huawei"
[AR1-ike-peer-huawei]remote-address 64.1.1.3     // peer address, i.e. the branch's public exit IP
```
AR3 configuration:
```
[AR3]ike peer huawei v1
[AR3-ike-peer-huawei]pre-shared-key simple huawei
[AR3-ike-peer-huawei]ike-proposal 1
[AR3-ike-peer-huawei]remote-address 100.1.1.1
```
3. Configure the IPSec security association (the parameters used to encrypt the business data)
```
[AR1]ipsec proposal 1
[AR1-ipsec-proposal-1]quit
[AR1]display ipsec proposal                      // default values
Number of proposals: 1
IPSec proposal name: 1
Encapsulation mode: Tunnel                       // encapsulation mode
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96        // authentication algorithm
Encryption DES                                   // encryption algorithm for the business traffic
```
4. Configure the IPSec security policy
AR1 configuration:
```
[AR1]ipsec policy huawei 10 isakmp               // create the policy; isakmp means the SA is negotiated automatically through IKE
[AR1-ipsec-policy-isakmp-huawei-10]security acl 3000
[AR1-ipsec-policy-isakmp-huawei-10]proposal 1
[AR1-ipsec-policy-isakmp-huawei-10]ike-peer huawei
```
AR3 is configured in the same way:
```
[AR3]ipsec policy huawei 10 isakmp
[AR3-ipsec-policy-isakmp-huawei-10]security acl 3000
[AR3-ipsec-policy-isakmp-huawei-10]ike-peer huawei
[AR3-ipsec-policy-isakmp-huawei-10]proposal 1
```
5. Apply the IPSec security policy on the public-facing interface (AR3 applies it on its own G0/0/0 in the same way)
```
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy huawei
```
Test connectivity:
```
PC>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
From 192.168.3.1: bytes=32 seq=1 ttl=125 time=141 ms
From 192.168.3.1: bytes=32 seq=2 ttl=125 time=78 ms
From 192.168.3.1: bytes=32 seq=3 ttl=125 time=47 ms
From 192.168.3.1: bytes=32 seq=4 ttl=125 time=78 ms
From 192.168.3.1: bytes=32 seq=5 ttl=125 time=62 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/81/141 ms
```
Observe the effect of the configuration (packet capture and SA counters):
```
[AR1]display ipsec sa
[Outbound ESP SAs]
SPI: 331953965 (0x13c9372d)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887360000/3429
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 499229182 (0x1dc1a1fe)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436500/3429
Max received sequence-number: 5
```
Five packets were sent and five packets were encrypted.
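Reading this output by hand is fine for one tunnel. As an added example (not code from the original lab), the Python below parses `display ipsec sa` text, checks that the ESP sequence-number counters match the number of packets the PC sent, and flags the algorithms in the negotiated proposal that are no longer adequate. The proposal shown here is the device default seen in the `display ipsec proposal` output above, DES with HMAC-MD5, both deprecated for IPSec; in a production deployment the proposal should be set to AES and SHA-2 before the policy is applied. Likewise, `pre-shared-key simple` stores the key in plain text in the saved configuration, whereas the `cipher` form stores it encrypted. The sample text is constructed from the output above; the `WEAK` name set and the `check_sa` function are assumptions of this example.

```python
import re

# Section headers and the per-SA fields we care about, as printed by 'display ipsec sa'.
SECTION_RE = re.compile(r"^\[(Outbound|Inbound) ESP SAs\]$")
FIELD_RES = {
    "spi": re.compile(r"^SPI:\s*(\d+)"),
    "proposal": re.compile(r"^Proposal:\s*(.+)$"),
    "seq": re.compile(r"^Max (?:sent|received) sequence-number:\s*(\d+)"),
    "nat_t": re.compile(r"^UDP encapsulation used for NAT traversal:\s*(\w)"),
}

# Algorithm names that should not appear in a negotiated ESP proposal (assumption of this example).
WEAK = {"DES", "3DES", "MD5", "NULL"}


def parse_ipsec_sa(text: str) -> dict:
    """Return {"outbound": {...}, "inbound": {...}} with spi, proposal, seq and nat_t."""
    sas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sas.setdefault(m.group(1).lower(), {})
            continue
        if current is None:
            continue  # skip the command echo and anything before the first section
        for name, rx in FIELD_RES.items():
            f = rx.match(line)
            if f:
                current[name] = int(f.group(1)) if name in ("spi", "seq") else f.group(1)
    return sas


def weak_algorithms(proposal: str) -> list:
    """Hyphen-separated tokens of the proposal string that are in the WEAK set, e.g. DES, MD5."""
    tokens = proposal.replace(" ", "-").split("-")
    return sorted({tok for tok in tokens if tok in WEAK})


def check_sa(text: str, expected_packets: int) -> dict:
    """Per direction: SPI, weak algorithms found, and whether the counter equals the packets sent."""
    report = {}
    for direction, sa in parse_ipsec_sa(text).items():
        report[direction] = {
            "spi": sa.get("spi"),
            "weak": weak_algorithms(sa.get("proposal", "")),
            "counter_matches": sa.get("seq") == expected_packets,
            "nat_traversal": sa.get("nat_t") == "Y",
        }
    return report


# Constructed sample modelled on the 'display ipsec sa' output shown in the lab.
SA_OUTPUT = """\
[AR1]display ipsec sa
[Outbound ESP SAs]
SPI: 331953965 (0x13c9372d)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887360000/3429
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 499229182 (0x1dc1a1fe)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436500/3429
Max received sequence-number: 5
"""

if __name__ == "__main__":
    for direction, result in check_sa(SA_OUTPUT, expected_packets=5).items():
        print(direction, result)
```

Running it against the sample reports both SAs with `weak == ["DES", "MD5"]` and `counter_matches == True`; after changing the proposal to, say, `ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128`, the weak list comes back empty.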
Step 4: configure NAT so that the internal network can access the public network
AR1 configuration:
```
[AR1]acl number 3001
[AR1-acl-adv-3001]rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3001]rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR1-acl-adv-3001]rule 20 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3001]rule 25 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
```
AR3 is configured in the same way; not repeated here.
PC1 pings PC3:
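The ACLs on the two routers have to agree in two ways: AR3's ACL 3000 must be the exact mirror of AR1's, and each router's NAT ACL 3001 must deny every flow that its ACL 3000 permits. NAT runs before IPSec on the outbound path, so a site-to-site packet whose source was translated no longer matches the IPSec ACL and would leave the site unencrypted. The Python script below is an added example, not part of the original lab: it parses VRP ACL rule lines pasted from the CLI, converts wildcard masks to CIDR, and reports any missing mirror entry or NAT exclusion. The sample text is constructed from the ACL lines on this page; AR3's ACL 3001, which the page does not show, is constructed with one exclusion deliberately left out so the check has something to report. The permit rule that normally closes the NAT ACL and the interface binding that completes the NAT setup are outside the scope of the check.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Matches advanced-ACL rule lines as they appear in the lab's CLI output, e.g.
# [AR1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
RULE_RE = re.compile(
    r"\[(?P<dev>[^\]-]+)-acl-adv-(?P<acl>\d+)\]\s*"
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"\s+source\s+(?P<src>[\d.]+)\s+(?P<swc>[\d.]+)"
    r"\s+destination\s+(?P<dst>[\d.]+)\s+(?P<dwc>[\d.]+)"
)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    src: IPv4Network
    dst: IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn a VRP 'address wildcard' pair into a CIDR network.

    Wildcard bits set to 1 are "don't care". Only contiguous wildcards
    (0.0.0.255, 0.0.255.255, ...) map to a prefix length; others are rejected.
    """
    w = int(IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_acls(config: str) -> dict:
    """Return {(device, acl_number): [Rule, ...]} from pasted CLI text."""
    acls = {}
    for line in config.splitlines():
        m = RULE_RE.search(line)
        if m:
            acls.setdefault((m["dev"], int(m["acl"])), []).append(Rule(
                int(m["id"]), m["action"],
                wildcard_to_network(m["src"], m["swc"]),
                wildcard_to_network(m["dst"], m["dwc"]),
            ))
    return acls


def flows(rules, action="permit"):
    """Set of (source, destination) networks carrying the given action."""
    return {(r.src, r.dst) for r in rules if r.action == action}


def mirror_mismatch(local_rules, peer_rules):
    """Permitted flows on either side whose reverse is missing on the other side.

    The IPSec ACL is matched per direction, so the peer's ACL must be the exact
    mirror image; a missing reverse entry leaves one direction outside the tunnel.
    """
    peer_reversed = {(d, s) for (s, d) in flows(peer_rules)}
    return sorted(flows(local_rules) ^ peer_reversed)


def nat_leaks(vpn_rules, nat_rules):
    """VPN-interesting flows that the NAT ACL does not explicitly deny (would be NATed, then sent in clear)."""
    return sorted(flows(vpn_rules) - flows(nat_rules, "deny"))


def audit(config: str) -> dict:
    """Run both checks for the AR1/AR3 pair used in this lab."""
    acls = parse_acls(config)
    return {
        "mirror_mismatch": mirror_mismatch(acls[("AR1", 3000)], acls[("AR3", 3000)]),
        "ar1_nat_leaks": nat_leaks(acls[("AR1", 3000)], acls[("AR1", 3001)]),
        "ar3_nat_leaks": nat_leaks(acls[("AR3", 3000)], acls[("AR3", 3001)]),
    }


# Constructed sample: the ACL lines from the lab, plus an AR3 NAT ACL (not shown
# on the page) with the 192.168.4.0 -> 192.168.2.0 exclusion deliberately omitted.
SAMPLE = """
[AR1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR1-acl-adv-3000] rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3000] rule 20 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR3-acl-adv-3000]rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR3-acl-adv-3000]rule 15 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000] rule 20 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR1-acl-adv-3001]rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3001]rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR1-acl-adv-3001]rule 20 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3001]rule 25 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[AR3-acl-adv-3001]rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3001]rule 10 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR3-acl-adv-3001]rule 15 deny ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "OK" if not problems else [f"{s} -> {d}" for s, d in problems])
```

On the sample the mirror check and AR1's NAT check come back clean, while `ar3_nat_leaks` reports the one flow (192.168.4.0/24 to 192.168.2.0/24) that AR3 would translate instead of encrypting; that is exactly the kind of line that is easy to drop when the second router is configured "the same way" from memory.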
```
PC>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
From 192.168.3.1: bytes=32 seq=1 ttl=125 time=62 ms
From 192.168.3.1: bytes=32 seq=2 ttl=125 time=79 ms
From 192.168.3.1: bytes=32 seq=3 ttl=125 time=78 ms
From 192.168.3.1: bytes=32 seq=4 ttl=125 time=78 ms
From 192.168.3.1: bytes=32 seq=5 ttl=125 time=62 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/71/79 ms
```
This shows that the NAT configuration succeeded.