IPsec (IKE) NAT traversal: typical topology and configuration

Source: Huawei-3Com. Author: not given. Published on 巧巧读书 (qqread.com), 2005-08-22.

 

1.1     Typical topology and introduction

Figure 1. Typical topology for IPsec (IKE) NAT traversal

Router A is the branch-office egress router; it only performs NAT.

Router B is the branch-office IPsec encryption router; it does no NAT.

Router C is the headquarters router and has a fixed public IP address.

The IPsec tunnel between routers B and C passes through the NAT performed by router A.

 

1.2     Mid-range routers B and C need software version VRP 3.3-002

 

1.3     IPsec configuration overview

This topology uses IKE aggressive mode together with IKE NAT traversal. Aggressive mode is used because router B sits behind NAT and has no fixed address that router C could match a main-mode, address-based identity against, so the two peers identify each other by name (id-type name). The description and configuration of aggressive mode are in the Configuration Guide. Aggressive mode with a pre-shared key sends the identities in the clear and lets a passive observer capture the PSK-derived hash for offline guessing, so the key must be long and random; the key abc in the configurations below is a lab value only.

IKE NAT traversal is enabled with a single command in ike-peer view: nat traversal
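How the two peers actually discover the NAT once nat traversal is enabled, as an added example that is not part of the original article: during IKE phase 1 each side sends NAT-D payloads (RFC 3947), hashes of the addresses it believes are in use, and the receiver recomputes them from the addresses it really sees on the wire. The script below replays that exchange in Python with the addresses of this topology: router B at 16.1.1.2:500, translated by router A to 202.1.1.2:12288 (the mapping shown by dis nat session in section 1.5.3), and router C at 61.1.1.2:500. SHA-1 as the phase 1 hash and the two cookie values are assumptions; VRP's own implementation is not shown on this page.

```python
import hashlib
import socket


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    IP is 4 bytes in network order, Port is 2 bytes. SHA-1 stands in for
    whatever hash phase 1 negotiated (assumption, not stated on the page)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, dst, src):
    """Sender side: the first NAT-D hashes the address it is sending *to*,
    the following one hashes its own source address as the sender sees it
    (i.e. before any NAT on the path rewrites it)."""
    return [nat_d(cky_i, cky_r, *dst), nat_d(cky_i, cky_r, *src)]


def check_nat_d_payloads(cky_i, cky_r, payloads, my_addr, observed_peer):
    """Receiver side: recompute both hashes from what is actually on the wire.
    First hash wrong  -> the receiver's own address was rewritten on the way.
    Other hashes wrong -> the sender's source address was rewritten."""
    receiver_nated = payloads[0] != nat_d(cky_i, cky_r, *my_addr)
    sender_nated = nat_d(cky_i, cky_r, *observed_peer) not in payloads[1:]
    return {"receiver_behind_nat": receiver_nated,
            "sender_behind_nat": sender_nated}


def simulate_article_topology():
    """Replay the article's topology and return what each side concludes."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    b_real = ("16.1.1.2", 500)                  # router B, behind router A's NAT
    b_as_seen_by_c = ("202.1.1.2", 12288)       # after NAT (dis nat session, 1.5.3)
    c_addr = ("61.1.1.2", 500)                  # router C, fixed public address

    # B -> C: B hashes its own view; it does not know about the NAT.
    from_b = build_nat_d_payloads(cky_i, cky_r, dst=c_addr, src=b_real)
    c_view = check_nat_d_payloads(cky_i, cky_r, from_b,
                                  my_addr=c_addr, observed_peer=b_as_seen_by_c)

    # C -> B: C replies to the translated address; router A maps it back to B.
    from_c = build_nat_d_payloads(cky_i, cky_r, dst=b_as_seen_by_c, src=c_addr)
    b_view = check_nat_d_payloads(cky_i, cky_r, from_c,
                                  my_addr=b_real, observed_peer=c_addr)

    # As soon as either side detects a NAT, both move to UDP 4500 and wrap
    # ESP in UDP so the NAT can keep a per-flow mapping.
    use_udp_encap = any(c_view.values()) or any(b_view.values())
    return {"C_sees": c_view, "B_sees": b_view,
            "udp_encapsulation": use_udp_encap}


if __name__ == "__main__":
    for key, value in simulate_article_topology().items():
        print(f"{key}: {value}")
```

Router C concludes that the sender (B) is behind NAT while its own address is untouched; router B concludes the opposite. Both therefore switch to UDP-encapsulated ESP, which is why router A only needs a plain NAT ACL covering B's uplink address and no special handling for ESP.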

 

1.4     Configuration

1.4.1          Configuration of headquarters router C

<Center>disp cur
#
 sysname Center
#
 tcp window 8
#
 ike local id Center
#
ike peer other
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-id P2
 nat traversal
 local single-subnet
 peer single-subnet
#
ipsec proposal center-1
 esp authentication-algorithm sha1
#
ipsec policy center_1 2 isakmp
 security acl 100
 ike-peer other
 proposal center-1
#
controller E1 3/0
 channel-set 0 timeslot-list 1
#
controller E1 3/1
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet1/0
 ip address 169.254.0.1 255.255.0.0
#
interface Ethernet1/1
#
interface Serial3/0:0
 link-protocol ppp
 ip address 61.1.1.2 255.255.255.0
 nat outbound 102
 ipsec policy center_1
#
interface NULL0
#
interface LoopBack1
 ip address 192.168.2.1 255.255.255.0
#
acl number 100
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 2 deny ip
acl number 102
 rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
 rule 1 permit ip source 192.168.2.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 61.1.1.1
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
 set authentication password simple a
#
return
<Center>

1.4.2          Configuration of branch-office router B

<P2-1760> disp cur
#
 sysname P2-1760
#
 tcp window 8
#
 ike local id P2
#
ike peer part-1
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-id Center
 remote-address 61.1.1.2
 nat traversal
 local single-subnet
 peer single-subnet
#
ipsec proposal part-1
 esp authentication-algorithm sha1
#
ipsec policy part_1 1 isakmp
 security acl 100
 ike-peer part-1
 proposal part-1
#
interface Aux0
 async mode protocol
 link-protocol ppp
#
interface Ethernet0/0
 ip address 16.1.1.2 255.255.255.252
 ipsec policy part_1
#
interface Serial0/0
 clock DTECLK1
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
#
acl number 100
 rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip
#
 ip route-static 0.0.0.0 0.0.0.0 16.1.1.1
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple a
#
return

 

1.4.3          NAT configuration of branch-office router A

<P1>disp cur
#
 sysname P1
#
 super password level 3 simple a
#
 local-user a password simple a
 local-user a level 3
#
 tcp window 8
#
controller E1 1/0
#
controller E1 1/1
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 16.1.1.1 255.255.255.252
#
interface Ethernet0/1
#
interface Serial2/0
 clock DTECLK1
 link-protocol ppp
 ip address ppp-negotiate
 nat outbound 101
#
interface Serial2/1
 clock DTECLK1
 link-protocol ppp
#
interface NULL0
#
acl number 101
 rule 0 permit ip source 192.168.0.0 0.0.0.255
 rule 1 permit ip source 16.1.1.0 0.0.0.3
 rule 2 deny ip
#
 ip route-static 0.0.0.0 0.0.0.0 Serial 2/0
 ip route-static 192.168.0.0 255.255.255.0 16.1.1.2
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode local
 set authentication password simple a
#
return

One point that must be noted here: the NAT ACL on router A must include the subnet of router B's uplink interface, 16.1.1.0/30 in this example (rule 1 of acl 101). The IKE and ESP packets that carry the tunnel are sourced from router B's uplink address 16.1.1.2, not from the 192.168.0.0/24 LAN, so without that rule they would leave router A untranslated.

 

1.4.4          Points to note in the IPsec configuration above

Apart from P2 in

ike local id P2

which must be unique within the network (it is the name the peer refers to as remote-id), the other parameters, such as the names part-1, part_1 and part-1 in:

ipsec proposal part-1

ipsec policy part_1 1 isakmp

ike peer part-1

are only locally significant and can be chosen freely, but the cross-references must be consistent: the ike-peer and proposal named under the ipsec policy must be the ike peer and ipsec proposal actually defined on that router.

Two further points follow from the configurations above. Only router B configures remote-address 61.1.1.2: headquarters router C cannot know the address router B will appear from behind the NAT, so C acts purely as responder and identifies the peer by remote-id P2. On router C, acl 102 (the NAT ACL) first denies 192.168.0.0/16 to 192.168.0.0/16 before permitting 192.168.2.0/24, so traffic bound for the tunnel is excluded from NAT and still matches the IPsec ACL 100.

The VTY lines (authentication-mode none on router C, password a elsewhere) and the DES ESP encryption visible in the SA output below are lab settings, not values to deploy.

 

1.5          Verification after configuration

1.5.1          Branch-office router B

<P2-1760>disp ike sa
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
       19          61.1.1.2        RD|ST         1     IPSEC
       20          61.1.1.2        RD|ST         2     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<P2-1760>disp ipsec sa
===============================
Interface: Ethernet0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "part_1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 20
    encapsulation mode: tunnel
    tunnel local : 16.1.1.2    tunnel remote: 61.1.1.2

    [inbound ESP SAs]
      spi: 2868691373 (0xaafcc1ad)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436528/3590
      max received sequence-number: 4

    [outbound ESP SAs]
      spi: 3055419155 (0xb61dff13)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3590
      max sent sequence-number: 5

Both the phase 1 (ISAKMP) and the phase 2 (IPsec) SA show RD (ready). Router B sees the tunnel between its own uplink address 16.1.1.2 and router C's 61.1.1.2; it is unaware of the translation router A applies.

1.5.2          Headquarters router C

<Center>disp ike sa
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
       19          202.1.1.2       RD            1     IPSEC
       20          202.1.1.2       RD            2     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<Center>disp ipsec sa
===============================
Interface: Serial3/0:0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "center_1"
  sequence number: 2
  mode: isakmp
  -----------------------------
    connection id: 20
    encapsulation mode: tunnel
    tunnel local : 61.1.1.2    tunnel remote: 202.1.1.2

    [inbound ESP SAs]
      spi: 2827112779 (0xa882514b)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436732/3369
      max received sequence-number: 1

    [outbound ESP SAs]
      spi: 3601280070 (0xd6a72c46)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436716/3369
      max sent sequence-number: 2

On the headquarters side the peer and the tunnel remote appear as 202.1.1.2, the public address that router A's NAT assigned, not router B's real 16.1.1.2. This is the expected sign that NAT traversal is in effect. Note also that the ESP encryption is DES, the default, because neither ipsec proposal sets esp encryption-algorithm.

1.5.3          Branch-office router A

<P1>dis nat session
Protocol      GlobalAddr  Port      InsideAddr  Port        DestAddr  Port
      17       202.1.1.2 12288        16.1.1.2   500        61.1.1.2   500
 VPN:  0,        status:    11,        TTL: 00:10:00,       Left: 00:09:56

The session is router B's IKE exchange: UDP (protocol 17) from 16.1.1.2 port 500 to 61.1.1.2 port 500, with the source translated to 202.1.1.2 port 12288. This mapping is why router C sees the peer as 202.1.1.2.
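A check a practitioner can script over the output in section 1.5, added here and not part of the original article: it parses disp ike sa and disp ipsec sa text, confirms both phases are ready, confirms that the headquarters router sees the peer at the NAT public address rather than router B's real uplink address, checks that the IPsec tunnel remote agrees with the IKE peer, and flags the DES encryption the default proposal negotiated. The sample input is the Center output from 1.5.2, trimmed to the lines the parser needs; treating DES and MD5 as weak is this check's own policy, not something VRP reports.

```python
import re

# Constructed sample input: the 'disp ike sa' and 'disp ipsec sa' output of
# headquarters router Center from section 1.5.2, trimmed to the relevant lines.
IKE_SA_CENTER = """\
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
       19          202.1.1.2       RD            1     IPSEC
       20          202.1.1.2       RD            2     IPSEC
"""

IPSEC_SA_CENTER = """\
    tunnel local : 61.1.1.2    tunnel remote: 202.1.1.2
    [inbound ESP SAs]
      spi: 2827112779 (0xa882514b)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 3601280070 (0xd6a72c46)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""

# Algorithms this check refuses to accept (the check's own policy, not VRP's).
WEAK_ENCRYPT = {"DES"}
WEAK_AUTH = {"MD5"}

IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")
TUNNEL = re.compile(r"tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)")
PROPOSAL = re.compile(r"proposal:\s*ESP-ENCRYPT-(\S+)\s+ESP-AUTH-(\S+)")


def parse_ike_sa(text):
    """One dict per SA row of 'disp ike sa'; flags such as RD|ST become a list."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "peer": m.group(2),
                         "flags": m.group(3).split("|"), "phase": int(m.group(4))})
    return rows


def parse_ipsec_sa(text):
    """Tunnel endpoints and the (encryption, auth) pair of every ESP SA listed."""
    local = remote = None
    proposals = []
    for line in text.splitlines():
        t = TUNNEL.search(line)
        if t:
            local, remote = t.group(1), t.group(2)
        p = PROPOSAL.search(line)
        if p:
            proposals.append((p.group(1), p.group(2)))
    return {"local": local, "remote": remote, "proposals": proposals}


def check_tunnel(ike_text, ipsec_text, peer_real_addr, nat_public_addr):
    """Evaluate the tunnel as seen from the headquarters (non-NATed) side."""
    ike = parse_ike_sa(ike_text)
    sa = parse_ipsec_sa(ipsec_text)
    ready = {r["phase"] for r in ike if "RD" in r["flags"]}
    peers = {r["peer"] for r in ike}
    weak = sorted({e for e, _ in sa["proposals"] if e in WEAK_ENCRYPT}
                  | {a for _, a in sa["proposals"] if a in WEAK_AUTH})
    return {
        "phase1_ready": 1 in ready,
        "phase2_ready": 2 in ready,
        # The HQ router must see router A's public address. If router B's real
        # uplink address shows up instead, its IKE packets left router A
        # untranslated (compare the ACL note in 1.4.3).
        "nat_traversal_active": nat_public_addr in peers and peer_real_addr not in peers,
        "tunnel_remote_matches_ike_peer": sa["remote"] in peers,
        "weak_algorithms": weak,
    }


if __name__ == "__main__":
    result = check_tunnel(IKE_SA_CENTER, IPSEC_SA_CENTER, "16.1.1.2", "202.1.1.2")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the Center output the check reports both phases ready, NAT traversal active, a consistent tunnel remote, and DES as the one weak algorithm; the same function run on router B's output would report nat_traversal_active as false simply because B sees 61.1.1.2 directly, so apply it on the side that is not behind the NAT.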

 
