H3C SecPath Firewall GRE+IPSec+OSPF Typical Configuration Example

This design meets several requirements at once: the branch office's IP address is assigned dynamically by the ISP, the two SecPath gateways at headquarters back each other up, and IPsec encryption is applied on top of the GRE encapsulation. Two settings in the example are lab shortcuts rather than production values: the pre-shared key is 1 on every device, and, because the branch address is dynamic and identities are exchanged by name, IKEv1 aggressive mode is used. Aggressive mode sends the identity-authentication hash before the exchange is protected, so anyone who captures a negotiation can guess a short pre-shared key offline; use a long random key in a real deployment.
1. Networking requirements
Branch users reach the company headquarters under the following conditions:
The branch's way of getting onto the Internet is unrestricted: dial-up or a fixed IP address.
The address of the branch gateway's Internet-facing interface is obtained dynamically.
Headquarters has two SecPaths, which back each other up.
Traffic between headquarters and the branches must be IPsec-encrypted.
The 3680 simulates the Internet and assigns IP addresses to the branches dynamically.
2. Network diagram
The diagram itself is not included in the page text; the topology can be read from the configurations below. The 2630 and 3640 are branch routers that obtain their Internet address through PPPoE from the 3680, which plays the Internet and also attaches to the two headquarters gateways SecPath1 (2.1.1.2) and SecPath2 (3.1.1.2). Behind the SecPaths, the 1760 is the headquarters internal router, connected to SecPath1 over 11.0.0.0/24 and to SecPath2 over 10.0.0.0/24, and it owns the test network 155.0.0.0/24. Each branch builds a GRE tunnel from its own loopback to each SecPath's loopback, runs OSPF over both tunnels, and encrypts the loopback-to-loopback GRE traffic with IPsec.
3. Configuration steps
After the configuration is applied, verify on each branch router with display ike sa and display ipsec sa that SAs to both SecPaths are established, and with display ospf peer that the adjacencies over both tunnel interfaces reach Full state.
(1) 2630 configuration
#
 sysname Quidway
#
 ike local-name client  //IKE identity of this branch; the SecPaths reference it with remote-name client
#  //Because the 2630 builds a GRE tunnel to both SecPath1 and SecPath2, two IKE peers are needed
ike peer 1  //the IKE peer named 1
 exchange-mode aggressive
 pre-shared-key 1  //authentication key is 1 (lab value; use a long random key in production)
 id-type name  //use a name, not an IP address, as the IKE identity, since the local address is dynamic
 remote-name 1  //the peer's name, i.e. SecPath1's ike local-name
 remote-address 2.1.1.2  //the peer's IP address
 nat traversal
#
ike peer 2  //second IKE peer, for SecPath2
 exchange-mode aggressive
 pre-shared-key 1
 id-type name
 remote-name 2
 remote-address 3.1.1.2
 nat traversal
#
ipsec proposal 1  //an IPsec proposal using the default parameters
#
ipsec policy 1 1 isakmp  //first policy entry, created with IKE; the first 1 is the policy group name, the second 1 is the entry's sequence number
 security acl 3000  //reference ACL 3000
 ike-peer 1  //reference IKE peer 1; note that 1 is the peer's name, not a number
 proposal 1  //reference IPsec proposal 1
#
ipsec policy 1 2 isakmp  //second policy entry, created with IKE, in the same policy group 1
 security acl 3001
 ike-peer 2
 proposal 1
#
controller T1 2/0
#
controller T1 2/1
#
interface Virtual-Template1  //virtual template holding the parameters of dynamically created virtual interfaces (as used for L2TP); its network 172.31.4.0/24 is the branch side advertised into OSPF below
 ip address 172.31.4.1 255.255.255.0
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Dialer1  //create shared dialer interface 1
 link-protocol ppp  //the dialer interface's link-layer protocol is PPP
 mtu 1450
 ip address ppp-negotiate  //the address is obtained through PPP negotiation
 dialer user test  //the remote user to call
 dialer bundle 1  //create dialer bundle 1
 ipsec policy 1  //apply policy group 1 to the Internet-facing interface
#
interface Ethernet0/0
 pppoe-client dial-bundle-number 1  //the PPPoE client is configured on the Ethernet interface (it can also be configured on a virtual-ethernet interface); this sets up the PPPoE session, one per dialer interface
#
interface Tunnel0  //GRE tunnel to SecPath1, loopback to loopback
 ip address 6.1.1.3 255.255.255.0
 source 192.168.0.4
 destination 192.168.0.1
 ospf cost 100
#
interface Tunnel1  //GRE tunnel to SecPath2; the lower cost makes it the preferred path
 ip address 7.1.1.3 255.255.255.0
 source 192.168.0.4
 destination 192.168.0.2
 ospf cost 99
#
interface NULL0
#
interface LoopBack0  //the loopback exists to give the tunnel interfaces a fixed source address
 ip address 192.168.0.4 255.255.255.255
#
acl number 3000  //loopback-to-loopback traffic to SecPath1, i.e. the outer header of every GRE packet on Tunnel0; this is what policy entry 1 encrypts
 rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.1 0
acl number 3001  //the same for SecPath2 and Tunnel1
 rule 0 permit ip source 192.168.0.4 0 destination 192.168.0.2 0
#
ospf 1
 area 0.0.0.0
  network 6.1.1.0 0.0.0.255
  network 7.1.1.0 0.0.0.255
  network 172.31.4.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
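How the 2630's two policy entries decide what gets encrypted, modelled in Python as an added example (this is not code from the H3C page): it reproduces ACL 3000/3001, the two entries of ipsec policy group 1 and the GRE outer headers of Tunnel0/Tunnel1 from the listing above, and shows that only loopback-to-loopback GRE traffic is protected, while anything routed straight out Dialer1 leaves in clear. The sample packets are constructed and the function names are mine.

```python
"""Added example: offline model of the 2630's IPsec policy selection.

Reproduces ACL 3000/3001, ipsec policy group 1 (entries 1 and 2) and the GRE
tunnel endpoints from the configuration above.  Not code from the H3C page;
the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

GRE = 47  # IP protocol number of GRE


@dataclass(frozen=True)
class Rule:
    """One 'rule N permit ip source S WS destination D WD' line.

    A Comware wildcard of 0 means "exactly this host", modelled as a /32.
    """
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


# acl number 3000 / 3001 from the 2630 listing (local loopback -> hub loopback)
ACLS = {
    3000: [Rule(host("192.168.0.4"), host("192.168.0.1"))],  # to SecPath1
    3001: [Rule(host("192.168.0.4"), host("192.168.0.2"))],  # to SecPath2
}

# ipsec policy 1 1 isakmp / ipsec policy 1 2 isakmp, evaluated in sequence order
POLICY_GROUP_1 = [
    {"seq": 1, "acl": 3000, "ike_peer": "1", "remote": "2.1.1.2"},
    {"seq": 2, "acl": 3001, "ike_peer": "2", "remote": "3.1.1.2"},
]

# interface Tunnel0 / Tunnel1: (source, destination) of the GRE outer header
TUNNELS = {
    "Tunnel0": ("192.168.0.4", "192.168.0.1"),
    "Tunnel1": ("192.168.0.4", "192.168.0.2"),
}


def gre_encapsulate(tunnel: str, inner_src: str, inner_dst: str) -> dict:
    """Outer IP header the tunnel interface puts around a routed packet."""
    src, dst = TUNNELS[tunnel]
    return {"proto": GRE, "src": src, "dst": dst, "inner": (inner_src, inner_dst)}


def select_policy(src: str, dst: str):
    """First entry of policy group 1 whose ACL permits src->dst, else None."""
    for entry in POLICY_GROUP_1:
        if any(r.matches(src, dst) for r in ACLS[entry["acl"]]):
            return entry
    return None


def egress(packet: dict):
    """What leaves Dialer1: ('esp', hub address) if a policy entry matched,
    otherwise ('clear', None), i.e. the packet is sent unencrypted."""
    entry = select_policy(packet["src"], packet["dst"])
    if entry is None:
        return ("clear", None)
    return ("esp", entry["remote"])


def unprotected_tunnels() -> list:
    """Tunnels whose outer header matches no policy entry (should be empty)."""
    return [name for name, (s, d) in TUNNELS.items() if select_policy(s, d) is None]


if __name__ == "__main__":
    # Constructed samples: a branch LAN host reaching the HQ test network,
    # an OSPF hello inside the tunnel, and the same host talking straight to
    # a hub's public address without going through a tunnel.
    for tun in TUNNELS:
        print(tun, egress(gre_encapsulate(tun, "172.31.4.10", "155.0.0.1")))
    print("ospf", egress(gre_encapsulate("Tunnel0", "6.1.1.3", "224.0.0.5")))
    print("direct", egress({"proto": 6, "src": "172.31.4.10", "dst": "2.1.1.2"}))
    print("unprotected tunnels:", unprotected_tunnels())
```

The point the model makes explicit: the policy encrypts exactly what the ACL matches, and the ACL matches the GRE outer header, so user traffic and OSPF hellos are protected only because they are routed into a tunnel. Any packet that is routed directly out Dialer1 (Internet browsing is the intended case) goes in clear, so a wrong route that sends headquarters-bound traffic around the tunnel would leak it unencrypted; unprotected_tunnels() is the check that every tunnel endpoint pair is covered by a policy entry.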
(2) 3640 configuration
#
 sysname Quidway
#
 ike local-name client
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 1
 id-type name
 remote-name 1
 remote-address 2.1.1.2
 nat traversal
#
ike peer 2
 exchange-mode aggressive
 pre-shared-key 1
 id-type name
 remote-name 2
 remote-address 3.1.1.2
 nat traversal
#
ipsec proposal 1
#
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
#
ipsec policy 1 2 isakmp
 security acl 3001
 ike-peer 2
 proposal 1
#
interface Virtual-Template1
 ip address 172.31.3.1 255.255.255.0
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Dialer1
 link-protocol ppp
 ppp pap local-user 1 password simple 1
 mtu 1450
 ip address ppp-negotiate
 dialer user test
 dialer bundle 1
 ipsec policy 1
#
interface Ethernet2/0
 pppoe-client dial-bundle-number 1
#
interface Ethernet2/1
#
interface Ethernet3/0
#
interface Serial0/0
 link-protocol ppp
#
interface Serial0/1
 clock DTECLK1
 link-protocol ppp
#
interface GigabitEthernet1/0
#
interface Tunnel0
 ip address 4.1.1.3 255.255.255.0
 source 192.168.0.3
 destination 192.168.0.1
 ospf cost 100
#
interface Tunnel1
 ip address 5.1.1.3 255.255.255.0
 source 192.168.0.3
 destination 192.168.0.2
 ospf cost 99
#
interface Tunnel9
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.0.3 255.255.255.255
#
acl number 3000
 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.1 0
acl number 3001
 rule 0 permit ip source 192.168.0.3 0 destination 192.168.0.2 0
#
ospf 1
 area 0.0.0.0
  network 4.1.1.0 0.0.0.255
  network 5.1.1.0 0.0.0.255
  network 172.31.3.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
 
(3) 3680 configuration  //mainly the PPPoE server configuration
 sysname Quidway
#
interface Virtual-Template1  //one virtual template per PPPoE client
 ip address 1.1.1.2 255.255.255.0
 remote address 1.1.1.1
#
interface Virtual-Template2
 ip address 1.1.2.2 255.255.255.0
 remote address 1.1.2.1
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 2.1.1.1 255.255.255.0
#
interface Ethernet0/1
 ip address 3.1.1.1 255.255.255.0
#
interface Ethernet4/0
 pppoe-server bind Virtual-Template 1  //the PPPoE server must be bound to a virtual template
#
interface Ethernet7/0
 pppoe-server bind Virtual-Template 2
#
interface Serial5/0
 link-protocol ppp
#
interface Serial5/1
 clock DTECLK1
 link-protocol ppp
#
interface NULL0
#
acl number 2000
 rule 0 permit
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
(4) SecPath1 configuration
 sysname Quidway
#
 ike local-name 1
#
ike peer 1  //IKE configuration: no remote-address, because the branch's address is dynamic; the branch is identified only by its name
 exchange-mode aggressive
 pre-shared-key 1
 id-type name
 remote-name client  //both branches present the same name and pre-shared key, so the hub cannot tell them apart at IKE; a key leaked from one branch lets any host peer as a branch
 nat traversal
 max-connections 10
#
ipsec proposal 1
#
ipsec policy-template tp 1  //create the policy from a policy template: the hub configures no ACL or remote address because the branch address is dynamic, and accepts the traffic selectors proposed by the branch
 ike-peer 1
 proposal 1
#
ipsec policy 1 1 isakmp template tp  //reference policy template tp in policy group 1
#
interface Virtual-Template0
 ip address 172.31.1.1 255.255.255.0
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 ip address 2.1.1.2 255.255.255.0
 ipsec policy 1
#
interface GigabitEthernet0/1
 ip address 11.0.0.1 255.255.255.0
 ospf cost 100
#
interface Tunnel0  //GRE tunnel to the 3640 (its Tunnel0, 4.1.1.3)
 ip address 4.1.1.1 255.255.255.0
 source 192.168.0.1  //source/destination are missing from the page's listing; these values are implied by the 3640's Tunnel0 (assumed)
 destination 192.168.0.3
#
interface Tunnel1  //GRE tunnel to the 2630 (its Tunnel0, 6.1.1.3)
 ip address 6.1.1.1 255.255.255.0
 source 192.168.0.1  //likewise missing from the listing; implied by the 2630's Tunnel0 (assumed)
 destination 192.168.0.4
interface NULL0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 4.1.1.0 0.0.0.255
  network 6.1.1.0 0.0.0.255
  network 11.0.0.0 0.0.0.255
  network 172.31.1.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 2.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
(5) SecPath2 configuration
 sysname Quidway
#
 ike local-name 2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 1
 id-type name
 remote-name client
 nat traversal
 max-connections 10
#
ipsec proposal 1
#
ipsec policy-template tp 1
 ike-peer 1
 proposal 1
#
ipsec policy 1 1 isakmp template tp
#
interface Virtual-Template1
 ip address 172.31.2.1 255.255.255.0
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface GigabitEthernet0/0
 ip address 3.1.1.2 255.255.255.0
 ipsec policy 1
#
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ospf cost 99
#
interface Tunnel0  //GRE tunnel to the 3640 (its Tunnel1, 5.1.1.3)
 ip address 5.1.1.2 255.255.255.0
 source 192.168.0.2  //source/destination are missing from the page's listing; implied by the 3640's Tunnel1 (assumed)
 destination 192.168.0.3
#
interface Tunnel1  //GRE tunnel to the 2630 (its Tunnel1, 7.1.1.3)
 ip address 7.1.1.2 255.255.255.0
 source 192.168.0.2  //likewise missing from the listing; implied by the 2630's Tunnel1 (assumed)
 destination 192.168.0.4
interface NULL0
#
interface LoopBack0
 ip address 192.168.0.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 5.1.1.0 0.0.0.255
  network 7.1.1.0 0.0.0.255
  network 10.0.0.0 0.0.0.255
  network 172.31.2.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 3.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
(6) 1760 configuration
 sysname Quidway
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 11.0.0.2 255.255.255.0
 ospf cost 100
#
interface Ethernet1/0
 ip address 10.0.0.2 255.255.255.0
 ospf cost 99
#
interface Tunnel0
#
interface NULL0
#
interface LoopBack0
 ip address 155.0.0.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 11.0.0.0 0.0.0.255
  network 155.0.0.0 0.0.0.255
#
user-interface con 0
user-interface tty 1
 modem both
user-interface aux 0
user-interface vty 0 4
#
return
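Why the two SecPaths back each other up, as an added example (not part of the H3C page): a Python model of the OSPF topology formed by the tunnels and the headquarters links, using the ospf cost values from the listings above (Tunnel1 99 and Tunnel0 100 on both branch routers, GigabitEthernet0/1 99 on SecPath2 and 100 on SecPath1, Ethernet1/0 99 and Ethernet0/0 100 on the 1760). Interfaces whose cost the page does not set (the SecPath tunnel interfaces) are given a placeholder cost, which is an assumption; by default OSPF derives it from bandwidth, and the results below depend only on the configured 99/100 pairs. Router names and function names are mine.

```python
"""Added example: the OSPF path selection that makes SecPath2 the active hub
and SecPath1 the backup.  Edge costs are the 'ospf cost' values from the
listings above; interfaces with no cost on the page get DEFAULT_COST
(an assumption, see lead-in).  Not code from the H3C page.
"""
import heapq

DEFAULT_COST = 10  # placeholder for interfaces whose cost the page does not set

# Directed edges: (router, next hop) -> cost of the *outgoing* interface,
# which is what OSPF adds when it computes the shortest-path tree.
LINKS = {
    ("2630", "SecPath1"): 100,           # 2630 Tunnel0, ospf cost 100
    ("2630", "SecPath2"): 99,            # 2630 Tunnel1, ospf cost 99
    ("3640", "SecPath1"): 100,           # 3640 Tunnel0, ospf cost 100
    ("3640", "SecPath2"): 99,            # 3640 Tunnel1, ospf cost 99
    ("SecPath1", "2630"): DEFAULT_COST,  # SecPath1 Tunnel1, cost not set
    ("SecPath1", "3640"): DEFAULT_COST,  # SecPath1 Tunnel0, cost not set
    ("SecPath2", "2630"): DEFAULT_COST,  # SecPath2 Tunnel1, cost not set
    ("SecPath2", "3640"): DEFAULT_COST,  # SecPath2 Tunnel0, cost not set
    ("SecPath1", "1760"): 100,           # SecPath1 GigabitEthernet0/1, cost 100
    ("SecPath2", "1760"): 99,            # SecPath2 GigabitEthernet0/1, cost 99
    ("1760", "SecPath1"): 100,           # 1760 Ethernet0/0, cost 100
    ("1760", "SecPath2"): 99,            # 1760 Ethernet1/0, cost 99
}


def spf(links, source, down=()):
    """Dijkstra over the directed graph, ignoring routers listed in `down`."""
    down = set(down)
    dist, prev = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for (a, b), cost in links.items():
            if a != u or b in down:
                continue
            nd = d + cost
            if nd < dist.get(b, float("inf")):
                dist[b], prev[b] = nd, u
                heapq.heappush(heap, (nd, b))
    return dist, prev


def best_path(source, target, down=(), links=LINKS):
    """(path, cost) from source to target, or (None, None) if unreachable."""
    if source in down or target in down:
        return None, None
    dist, prev = spf(links, source, down)
    if target not in dist:
        return None, None
    path, node = [target], target
    while node != source:
        node = prev[node]
        path.append(node)
    return path[::-1], dist[target]


def active_hub(branch, down=()):
    """Which SecPath the branch's traffic to headquarters currently uses."""
    path, _ = best_path(branch, "1760", down)
    return None if path is None else path[1]


if __name__ == "__main__":
    for branch in ("2630", "3640"):
        print(branch, "->", best_path(branch, "1760"))
        print(branch, "with SecPath2 down ->",
              best_path(branch, "1760", down=("SecPath2",)))
    print("return path 1760 -> 2630:", best_path("1760", "2630"))
```

With everything up, each branch reaches the 1760 through SecPath2 at cost 99 + 99 = 198 against 100 + 100 = 200 through SecPath1, and the 1760 prefers SecPath2 on the way back for the same reason, so forward and return traffic use the same hub. When SecPath2 fails the branch falls back to SecPath1 without any configuration change. Because a GRE tunnel interface has no liveness check of its own, it is the OSPF adjacency over the tunnel (dead interval, 40 s by default) that detects a failed hub and triggers this switch.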