• SE May 27, 2014


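    R1 simulates the headquarters; R2 and R3 simulate the branches.
    Configure as shown in the figure.


    Requirement: use GRE over IPSec VPN in main mode, and enable the dynamic routing protocol RIP so that the headquarters and the two branch internal networks can reach each other, but user traffic between the two branches must not be allowed to pass!

    Steps:

    1. Complete the GRE tunnel configuration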

    [RT1-Tunnel10]ip add 10.0.1.1 24

    [RT1-Tunnel10]source 67.61.1.1

    [RT1-Tunnel10]destination 202.112.1.1

    [RT1-Tunnel10]keepalive

    [RT4-Tunnel10]ip add 10.0.1.2 24

    [RT4-Tunnel10]source 202.112.1.1

    [RT4-Tunnel10]destination 67.61.1.1

    [RT1-Tunnel20]ip add 10.0.2.1 24

    [RT1-Tunnel20]source 67.61.1.1

    [RT1-Tunnel20]destination 202.112.2.1

    [RT3-Tunnel20]ip add 10.0.2.2 24

    [RT3-Tunnel20]source 202.112.2.1

    [RT3-Tunnel20]destination 67.61.1.1

    [RT3-Tunnel20]keepalive

    2. Configure RIP

    [RT1-rip-1]version 2

    [RT1-rip-1]undo summary

    [RT1-rip-1]network 172.16.0.0

    [RT1-rip-1]network 10.0.1.0

    [RT3-rip-1]version 2

    [RT3-rip-1]undo summary

    [RT3-rip-1]network 192.168.2.0

    [RT3-rip-1]network 10.0.0.0

    [RT4-rip-1]version 2

    [RT4-rip-1]undo summary

    [RT4-rip-1]network 10.0.0.0

    [RT4-rip-1]network 192.168.1.0

    3. Configure the IKE peers

    [RT1-ike-peer-rt4]proposal 1

    [RT1-ike-peer-rt4]pre-shared-key simple cisco

    [RT1-ike-peer-rt4]remote-address 202.112.1.1

    [RT1-ike-peer-rt3]proposal 2

    [RT1-ike-peer-rt3]pre-shared-key simple cisco

    [RT1-ike-peer-rt3]remote-address 202.112.2.1

    [RT4-ike-peer-rt1]proposal 1

    [RT4-ike-peer-rt1]pre-shared-key simple cisco

    [RT4-ike-peer-rt1]remote-address 67.61.1.1

    [RT3-ike-peer-rt1]proposal 1

    [RT3-ike-peer-rt1]pre-shared-key simple cisco

    [RT3-ike-peer-rt1]remote-address 67.61.1.1

    4. Configure the IPsec policies

    [RT1-acl-adv-3001]rule permit ip source 67.61.1.1 0 destination 202.112.1.1 0

    [RT1-acl-adv-3002]rule permit ip source 67.61.1.1 0 destination 202.112.2.1 0

    [RT1-ipsec-policy-isakmp-h3c-1]security acl 3001

    [RT1-ipsec-policy-isakmp-h3c-1]ike-peer rt4

    [RT1-ipsec-policy-isakmp-h3c-1]proposal rt4

    [RT1-ipsec-policy-isakmp-h3c-2]security acl 3002

    [RT1-ipsec-policy-isakmp-h3c-2]ike-peer rt3

    [RT1-ipsec-policy-isakmp-h3c-2]proposal rt3

    [RT3-acl-adv-3000]rule permit ip source 202.112.2.1 0 destination 67.61.1.1 0

    [RT3-ipsec-policy-isakmp-h3c-1]security acl 3000

    [RT3-ipsec-policy-isakmp-h3c-1]ike-peer rt1

    [RT3-ipsec-policy-isakmp-h3c-1]proposal 1

    [RT4-acl-adv-3000]rule permit ip source 202.112.1.1 0 destination 67.61.1.1 0

    [RT4-ipsec-policy-isakmp-h3c-1]security acl 3000

    [RT4-ipsec-policy-isakmp-h3c-1]ike-peer rt1

    [RT4-ipsec-policy-isakmp-h3c-1]proposal 1

    5. Apply the IPsec policy to the interfaces

    [RT1-GigabitEthernet0/0/0]ipsec policy h3c

    [RT3-GigabitEthernet0/0/3]ipsec policy h3c

    [RT4-GigabitEthernet0/0/2]ipsec policy h3c

    6. Filter RIP routes

    [RT1-acl-basic-2000]rule deny source 192.168.2.0 0.0.0.255

    [RT1-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255

    [RT1-rip-1]filter-policy 2000 export

    7. Test

    192.168.1.100  ping 172.16.1.100

    192.168.2.100 ping 172.16.1.100

    View RT4's routing table

    View RT1's IKE SA
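
A consistency check for steps 1, 3 and 4, added here as an example (it is not part of the original post): in GRE over IPsec each IPsec ACL has to match the tunnel's own source and destination, otherwise the GRE packets leave the router unencrypted. The parser, the `audit` function and the sample lines are constructed for illustration, and the check assumes every advanced ACL on a device is used as an IPsec security ACL.

```python
import re
from collections import defaultdict

# Constructed sample in the page's "[device-view]command" format; ACL 3002 deliberately repeats ACL 3001.
SAMPLE = """\
[RT1-Tunnel10]source 67.61.1.1
[RT1-Tunnel10]destination 202.112.1.1
[RT1-Tunnel20]source 67.61.1.1
[RT1-Tunnel20]destination 202.112.2.1
[RT1-ike-peer-rt4]pre-shared-key simple cisco
[RT1-acl-adv-3001]rule permit ip source 67.61.1.1 0 destination 202.112.1.1 0
[RT1-acl-adv-3002]rule permit ip source 67.61.1.1 0 destination 202.112.1.1 0
"""
LINE = re.compile(r"^\[+(?P<dev>[A-Za-z0-9]+)-(?P<view>[^\]]+)\]\s*(?P<cmd>.+)$")
RULE = re.compile(r"rule permit (?:ip|gre) source (\S+) 0 destination (\S+) 0")

def parse(text):
    """Collect GRE endpoints, advanced-ACL host pairs and plaintext PSKs per device."""
    tunnels = defaultdict(dict)   # device -> {tunnel view: {"source": ip, "destination": ip}}
    acl_pairs = defaultdict(set)  # device -> {(source ip, destination ip)}
    plaintext_psk = []            # [(device, ike-peer view)]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        dev, view, words = m["dev"], m["view"], m["cmd"].split()
        if view.startswith("Tunnel") and len(words) == 2 and words[0] in ("source", "destination"):
            tunnels[dev].setdefault(view, {})[words[0]] = words[1]
        elif view.startswith("acl-adv-"):
            # Assumption: every advanced ACL on the device is an IPsec "security acl".
            rule = RULE.match(" ".join(words))
            if rule:
                acl_pairs[dev].add(rule.groups())
        elif view.startswith("ike-peer-") and words[:2] == ["pre-shared-key", "simple"]:
            plaintext_psk.append((dev, view))
    return tunnels, acl_pairs, plaintext_psk

def audit(text):
    """Return findings: GRE flows no ACL rule protects, and PSKs stored in plaintext."""
    tunnels, acl_pairs, plaintext_psk = parse(text)
    findings = []
    for dev in sorted(tunnels):
        for name, ep in sorted(tunnels[dev].items()):
            pair = (ep.get("source"), ep.get("destination"))
            if pair not in acl_pairs[dev]:
                findings.append(f"{dev} {name}: GRE {pair[0]} -> {pair[1]} is not matched by any IPsec ACL rule")
    for dev, view in plaintext_psk:
        findings.append(f"{dev} {view}: pre-shared-key uses 'simple' (stored in plaintext)")
    return findings
```

Calling `audit(SAMPLE)` reports Tunnel20 as unprotected and flags the `simple` pre-shared key; the same function can be run over the full set of commands from steps 1 to 4.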

     

  • Original article: https://www.cnblogs.com/networking/p/3755966.html