1、大量分支GRE over IPSec接入的簡易配置 一、 組網需求客戶的網絡拓撲比較大，一個中心網點和N個分支網點，且每個分支網點都需要利用GRE OVER IPSec與中心網點建立VPN連接。由于GRE隧道有一定的局限性，Tunnel接口過多，造成配置的復雜，而Tunnel接口的最大數目為4096個，那么，分支數目超過此數就無法繼續(xù)建立GRE隧道，且還沒有算上有些是備份的鏈路。采用P2MP將大大簡化Tunnel接口的配置，且也解決了Tunnel接口數目不足帶來的問題。同樣，設備的公網出接口數目是有限的，我們不可能在N個出接口上建立IPSec隧道。采用IPsec的模板配置，

2、解決相應配置的問題。 二、 組網拓撲圖實驗所用設備：中心設備為SecBlade防火墻插卡；軟件版本Feature 3171P11；公網出接口G0/3：。分部一設備為SecBlade防火墻插卡；軟件版本Feature 3171P11；公網出接口G0/3：。分部二設備為SecPath V3防火墻；軟件版本Release 1662P07；公網出接口G0/1：。因特網設備為S7503E-S交換機；軟件版本Release 6616P01；實驗中所用接口為G0/0/25：，G0/0/27：，。 三、 配置步驟1) 基本配置各個設備的接口和區(qū)域的配置。分部的

3、IP地址本應該為動態(tài)獲取，這里為了簡化配置，直接改為靜態(tài)了。路由配置：/公網路由      /將業(yè)務數據流引向Tunnel接口，從而觸發(fā)GRE封裝/公網路由             /將業(yè)務數據流引向Tunnel接口，從而觸發(fā)GRE封裝分部二：ip route-static 0.0.0.0 0.0.0.0 172.16.20.2 preference 60 ip route-static 1.1.1.1 255.25

4、5.255.255 10.0.0.1 preference 60 2) GRE配置中心設備：interface Tunnel1  tunnel-protocol gre p2mp /這里默認采用GRE，改為P2MP       /源封裝地址為回環(huán)接口Lookback1的地址                 &

5、#160;          /采用P2MP的封裝模式，無表示對端的封裝地址為多少，只能設置一個掩碼表示范圍分部一設備：interface Tunnel1   /分部設備對中心設備來與是點到點的類型，直接封裝相應的源地址和目標地址就行了分部二：interface Tunnel1    3) IPSec配置在本實驗中，分部的IP都不是固定的，都為動態(tài)獲取所得，所以，IKE的協(xié)商方式這里采用野蠻模式中心設備：ike lo

6、cal-name fw1  /IKE本端名字（千萬不能忘記） ike peer 10 exchange-mode aggressive pre-shared-key cipher $c$3$/3EvhWhcCcw0SYCWzLohIg2r1bGeCVY= id-type name remote-name fw2  remote-address fw2 dynamic/此處可以不做配置，如果不做配置默認為所有IP地址，如圖所示：ipsec proposal 10/安全提議采用默認的配置即可，也可以自行更改，默認為：&

7、#160;ipsec policy-template zb1 10 ike-peer 10 proposal 10/總部的類型為點到多點，所以這里采用模板的方法，這樣無法配置ACL進行數據流匹配ipsec policy cnc 10 isakmp template zb1/模板的應用方式interface GigabitEthernet0/3 port link-mode route  ipsec policy cnc 分部一：acl number 3000 rule 0 permit ip source 192.168.1

8、0.2 0 destination 192.168.10.1 0ike local-name fw2 /配置本端名字ike peer 10 exchange-mode aggressive pre-shared-key cipher $c$3$UaPgUwWG/SiXbHB6XVbtbAVmEBQk1AE= id-type name remote-name fw1 #ipsec proposal 10/采用默認，這里也可以不做配置#ipsec policy fb 10 isakmp security acl 3000 ike

9、-peer 10 proposal 10/分部為點到點模式，不用配置模板，此里的acl可以用于中心設備的反向匹配 分部二：ike peer 10 exchange-mode aggressive pre-shared-key cipher KqbfKcrPdHA= id-type name remote-name fw1                  &

10、#160;       #ipsec proposal 10#ipsec policy fb 10 isakmp security acl 3000 ike-peer 10 proposal 10#acl number 3000 rule 0 permit ip source 192.168.10.3 0 destination 192.168.10.1 0 4) 連通性測試只能由分部觸發(fā)建立，中心側無法觸發(fā)。分部一：  PING 1.1.1.1: 56&

11、#160; data bytes, press CTRL_C to break    Request time out    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms    Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=1

12、ms    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms   - 1.1.1.1 ping statistics -    5 packet(s) transmitted    4 packet(s) received    20.00% packet loss    round-trip min/avg/max = 1/1/1 ms H3C分部二

13、：  PING 1.1.1.1: 56  data bytes, press CTRL_C to break    Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms &#

14、160;  Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms   - 1.1.1.1 ping statistics -    5 packet(s) transmitted    5 packet(s) received    0.00% packet los

15、s    round-trip min/avg/max = 1/1/1 ms<Quidway>中心設備情況：<H3C>display ike sa    total phase-1 SAs:  2    connection-id  peer            flag       

16、; phase   doi      status  -     1                 RD            1     IPSEC

17、0;   -     3                 RD            1     IPSEC    -     2  

18、60;              RD            2     IPSEC    -     4            

19、     RD            2     IPSEC    -   flag meaning  RD-READY ST-STAYALIVE RL-REPLACED FD-FADING TO-TIMEOUT<H3C>分部一與分部二都已經成功建立隧道查看IPSec SA隧道<H3C>display ipsec sa=In

20、terface: GigabitEthernet0/3    path MTU: 1500=   -  IPsec policy name: "zb"  sequence number: 10  mode: template  -    connection id: 1    encapsulation mode: tunnel    perfect forward secrecy: &

21、#160;  tunnel:        local           /這個是分部一    flow:         port: 0  protocol: IP  port: 0  protocol: IP     inb

22、ound ESP SAs      spi: 3758878501 (0xe00bef25)/這個與分部一的出方向的SA相同      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5      sa duration (kilobytes/sec): 1843200/3600      sa remaining duration (kilobytes/sec

23、): 1843196/1246      max received sequence-number: 34      anti-replay check enable: Y      anti-replay window size: 32      udp encapsulation used for nat traversal: N      s

24、tatus: -     outbound ESP SAs      spi: 2870550202 (0xab191eba)      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5      sa duration (kilobytes/sec): 1843200/3600      sa remaining du

25、ration (kilobytes/sec): 1843196/1246      max received sequence-number: 35      udp encapsulation used for nat traversal: N      status: -   -  IPsec policy name: "zb"  sequence number: 10 

26、mode: template  -    connection id: 2    encapsulation mode: tunnel    perfect forward secrecy:    tunnel:        local           /這個是分部二 &#

27、160;  flow:         port: 0  protocol: IP  port: 0  protocol: IP     inbound ESP SAs      spi: 3651661767 (0xd9a7efc7)      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

28、60;     sa duration (kilobytes/sec): 1843200/3600      sa remaining duration (kilobytes/sec): 1843197/1559      max received sequence-number: 19      anti-replay check enable: Y    

29、0; anti-replay window size: 32      udp encapsulation used for nat traversal: N      status: -     outbound ESP SAs      spi: 460917123 (0x1b790983)      proposal: ESP-ENCRYPT

30、-DES ESP-AUTH-MD5      sa duration (kilobytes/sec): 1843200/3600      sa remaining duration (kilobytes/sec): 1843197/1559      max received sequence-number: 20      udp encapsulation used for nat trav

31、ersal: N      status: -<H3C>  分部一的IPSec SA<H3C>display ipsec sa=Interface: GigabitEthernet0/3    path MTU: 1500=   -  IPsec policy name: "fb"  sequence number: 10  mode: isakmp  -   

32、connection id: 1    encapsulation mode: tunnel    perfect forward secrecy:    tunnel:        local         remote address: 172.16.10.1 /與總部方向建立SA    flow: 

33、        port: 0  protocol: IP         port: 0  protocol: IP     inbound ESP SAs      spi: 2870550202 (0xab191eba)/對比總部的第一個出方向的SA，這兩個值相同     

34、 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5      sa duration (kilobytes/sec): 1843200/3600      sa remaining duration (kilobytes/sec): 1843196/738      max received sequence-number: 34      anti-replay ch

35、eck enable: Y      anti-replay window size: 32      udp encapsulation used for nat traversal: N      status: -     outbound ESP SAs      spi: 3758878501 (0xe00bef25) 

36、0;    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5      sa duration (kilobytes/sec): 1843200/3600      sa remaining duration (kilobytes/sec): 1843196/738      max received sequence-number: 35    &

37、#160; udp encapsulation used for nat traversal: N      status: -<H3C>分部二IPSec SA<Quidway>display ipsec sa=Interface: GigabitEthernet0/1    path MTU: 1500=   -  IPsec policy name: "fb"  sequence number: 10  mode: i

38、sakmp  -    Created by: "Host"    connection id: 4    encapsulation mode: tunnel    perfect forward secrecy: None    tunnel:        local      &#

39、160;   /與總部方向建立SA    flow:    (38 times matched)         port: 0  protocol: IP         port: 0  protocol: IP     inbound ESP SAs      spi: 460917123 (0x1b790983)         /與總部第二個出方向的SA值相同      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5