GRE VPN:
Generic Routing Encapsulation (GRE) encapsulates datagrams of certain network-layer protocols (such as IP and IPX)
so that the encapsulated datagrams can be carried across another network-layer protocol (such as IP). It offers little security but is simple to configure.
[R1-GigabitEthernet0/0/0]ip address 10.1.1.8 24
[R1-Vlanif1]ip address 172.16.1.1 24
[R1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
[R2-GigabitEthernet0/0/0]ip address 20.1.1.3 24
[R2]ip route-static 0.0.0.0 0.0.0.0 20.1.1.10
[R2-Vlanif1]ip address 192.168.1.1 24
[R3-GigabitEthernet0/0/0]ip address 10.1.1.10 24
[R3-GigabitEthernet0/0/1]ip address 20.1.1.10 24
[R1]interface Tunnel 0/0/1
[R1-Tunnel0/0/1]tunnel-protocol gre
[R1-Tunnel0/0/1]ip address 40.1.1.2 24
[R1-Tunnel0/0/1]source 10.1.1.8
[R1-Tunnel0/0/1]destination 20.1.1.3
[R1]ip route-static 192.168.1.0 24 Tunnel 0/0/1
[R2]interface Tunnel 0/0/1
[R2-Tunnel0/0/1]tunnel-protocol gre
[R2-Tunnel0/0/1]ip address 40.1.1.3 24
[R2-Tunnel0/0/1]source 20.1.1.3
[R2-Tunnel0/0/1]destination 10.1.1.8
[R2]ip route-static 172.16.1.0 24 Tunnel 0/0/1
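Added example (not part of the original notes): a Python model of what the GRE tunnel above does on the wire. It builds an inner IPv4/UDP packet between the two LANs (the host addresses 172.16.1.10 and 192.168.1.10 and the payload are constructed), wraps it in a basic RFC 2784 GRE header plus an outer IPv4 header from R1's tunnel source 10.1.1.8 to R2's 20.1.1.3, and then decapsulates it the way the far end would. GRE adds neither encryption nor integrity protection, so the inner payload is readable by anyone on the transit path (R3 here), which is what "little security" means in practice. All function names are this example's own.

```python
import socket
import struct

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 payload


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a basic GRE header (RFC 2784) and an outer IPv4 header.
    The inner packet is copied byte for byte: GRE provides no encryption or integrity check."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # flags/version 0: no checksum, key or sequence
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the outer header, skip the GRE header (and any optional fields), return the addresses."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):   # C (checksum), K (key), S (sequence): 4 bytes each
        if flags & bit:
            offset += 4
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    inner = packet[offset:]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]), "outer_dst": socket.inet_ntoa(packet[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9], "inner_payload": inner[(inner[0] & 0x0F) * 4:],
    }


# Constructed sample: a UDP datagram between the two LANs of the GRE section
# (172.16.1.0/24 behind R1, 192.168.1.0/24 behind R2); the host addresses are assumed.
SAMPLE_PAYLOAD = b"constructed-sample-payload"


def build_sample() -> bytes:
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(SAMPLE_PAYLOAD), 0) + SAMPLE_PAYLOAD  # UDP checksum 0 = absent
    inner = ipv4_header("172.16.1.10", "192.168.1.10", 17, len(udp)) + udp
    return gre_encapsulate(inner, "10.1.1.8", "20.1.1.3")   # R1 tunnel source -> R2 tunnel destination


def underlay_observer_sees(packet: bytes, marker: bytes) -> bool:
    """What a passive observer on the transit network (R3) can read straight out of the GRE packet."""
    return marker in packet


if __name__ == "__main__":
    pkt = build_sample()
    print(gre_decapsulate(pkt))
    print("inner payload visible in transit:", underlay_observer_sees(pkt, SAMPLE_PAYLOAD))
```

Running the file prints the decapsulated addresses and True for the visibility check; that True is the reason the IPSec configurations in the following sections are needed whenever confidentiality or integrity matters.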
IPSec VPN:
IPSec (IP Security) is a framework of protocols defined by the IETF to guarantee the security and confidentiality of data transmitted over the Internet.
IPSec comprises two protocols: the Authentication Header (AH, protocol number 51) and the Encapsulating Security Payload (ESP, protocol number 50).
IPSec has two modes of operation: tunnel mode and transport mode.
Manually establishing an IPSec tunnel based on an ACL:
[R1]acl 3100
[R1-acl-adv-3100]rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-acl-adv-3100]rule deny ip
[R1]ipsec proposal leqee  create a security proposal named leqee
[R1-ipsec-proposal-leqee]esp authentication-algorithm sha1  define the authentication algorithm
[R1-ipsec-proposal-leqee]esp encryption-algorithm aes-128  define the encryption algorithm
[R1]ipsec policy leqee 10 manual  configure a security policy named leqee with sequence number 10
[R1-ipsec-policy-manual-leqee-10]security acl 3100
[R1-ipsec-policy-manual-leqee-10]proposal leqee
[R1-ipsec-policy-manual-leqee-10]tunnel remote 20.1.2.1
[R1-ipsec-policy-manual-leqee-10]tunnel local 20.1.1.1
[R1-ipsec-policy-manual-leqee-10]sa spi outbound esp 12345
[R1-ipsec-policy-manual-leqee-10]sa spi inbound esp 54321
[R1-ipsec-policy-manual-leqee-10]sa string-key outbound esp simple admin
[R1-ipsec-policy-manual-leqee-10]sa string-key inbound esp simple admin123
[R1-ipsec-policy-manual-leqee-10]sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef
[R1-ipsec-policy-manual-leqee-10]sa encryption-hex outbound esp simple abcdef1234567890abcdef1234567890
[R1-GigabitEthernet0/0/0]ipsec policy leqee  apply the newly created security policy leqee on the interface
[R1]ip route-static 10.1.2.0 24 20.1.1.2
[R2]acl 3100
[R2-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-acl-adv-3100]rule deny ip
[R2]ipsec proposal leqeeB
[R2-ipsec-proposal-leqeeB]esp authentication-algorithm sha1
[R2-ipsec-proposal-leqeeB]esp encryption-algorithm aes-128
[R2]ipsec policy leqeeb 10 manual
[R2-ipsec-policy-manual-leqeeb-10]security acl 3100
[R2-ipsec-policy-manual-leqeeb-10]proposal leqeeB
[R2-ipsec-policy-manual-leqeeb-10]tunnel remote 20.1.1.1
[R2-ipsec-policy-manual-leqeeb-10]tunnel local 20.1.2.1
[R2-ipsec-policy-manual-leqeeb-10]sa spi inbound esp 12345
[R2-ipsec-policy-manual-leqeeb-10]sa spi outbound esp 54321
[R2-ipsec-policy-manual-leqeeb-10]sa string-key outbound esp simple admin123
[R2-ipsec-policy-manual-leqeeb-10]sa string-key inbound esp simple admin
[R2-ipsec-policy-manual-leqeeb-10]sa encryption-hex inbound esp simple abcdef1234567890abcdef1234567890
[R2-ipsec-policy-manual-leqeeb-10]sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef
[R2-GigabitEthernet0/0/0]ipsec policy leqeeb
[R2]ip route-static 10.1.1.0 24 20.1.2.2
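Added example, not from the original notes: a Python checker for the manually keyed IPSec configuration above. Manual SAs fail silently when the two sides do not mirror each other, so the script parses the "[prompt]command" lines of both routers and verifies that ACL wildcards are contiguous, that the ACL flows are mirrored, that each policy references an existing proposal, that hex keys have the length the chosen ESP algorithm needs, and that SPIs, keys and tunnel addresses cross over correctly (R1's outbound values must be R2's inbound values). The embedded configuration text is a constructed copy of the R1/R2 commands with the wrapped hex keys rejoined; it deliberately keeps a truncated wildcard (0.0.0.25) on R1 and leaves the proposal line out of R2's policy so that both mistakes show up as findings. The parser covers only the commands used in this section, and all function names are this example's own.

```python
import re

RULE_RE = re.compile(r"rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)")
ESP_KEY_HEX_LEN = {"des": 16, "3des": 48, "aes-128": 32, "aes-192": 48, "aes-256": 64}  # hex digits per key

def parse_vrp(text):
    """Model one router's manual-mode IPSec config from '[prompt]command' lines (this section's commands only)."""
    cfg = {"acl": {}, "proposal": {}, "policy": {}}
    for line in text.strip().splitlines():
        m = re.match(r"\[(\S+?)\](.*)", line.strip())
        parts = m.group(2).split() if m else []
        if not parts:
            continue
        prompt = m.group(1)
        if "-acl-adv-" in prompt:                               # rule [n] permit ip source A W destination B W
            r = RULE_RE.match(" ".join(parts))
            if r:
                cfg["acl"].setdefault(prompt.rsplit("-", 1)[1], []).append(r.groups())
        elif "-ipsec-proposal-" in prompt:                      # esp <authentication|encryption>-algorithm <alg>
            prop = cfg["proposal"].setdefault(prompt.split("-ipsec-proposal-")[1], {})
            if len(parts) == 3 and parts[0] == "esp":
                prop[parts[1].split("-")[0]] = parts[2]
        elif "-ipsec-policy-manual-" in prompt:
            pol = cfg["policy"].setdefault(prompt.split("-ipsec-policy-manual-")[1], {})
            if parts[0] == "security":                          # security acl <number>
                pol["acl"] = parts[2]
            elif parts[0] == "proposal":                        # proposal <name>
                pol["proposal"] = parts[1]
            elif parts[0] == "tunnel":                          # tunnel <local|remote> <ip>
                pol["tunnel_" + parts[1]] = parts[2]
            elif parts[:2] == ["sa", "spi"]:                    # sa spi <dir> esp <spi>
                pol["spi_" + parts[2]] = parts[4]
            elif parts[:2] in (["sa", "string-key"], ["sa", "encryption-hex"]):  # sa <kind> <dir> esp simple <key>
                pol[parts[1] + "_" + parts[2]] = parts[5]
    return cfg

def wildcard_ok(wildcard):
    n = int.from_bytes(bytes(int(o) for o in wildcard.split(".")), "big")
    return (n + 1) & n == 0      # valid only if the set bits are contiguous from the low end

def check_pair(a, b, a_name="A", b_name="B"):
    """Findings for a manual IPSec tunnel between two routers; an empty list means the sides agree."""
    findings = []
    for side, cfg in ((a_name, a), (b_name, b)):
        for acl, rules in cfg["acl"].items():
            for src, sw, dst, dw in rules:
                findings += [f"{side}: acl {acl} rule {src}->{dst} has non-contiguous wildcard {w}"
                             for w in (sw, dw) if not wildcard_ok(w)]
        for name, pol in cfg["policy"].items():
            prop = cfg["proposal"].get(pol.get("proposal"))
            if prop is None:
                findings.append(f"{side}: policy {name} references missing proposal {pol.get('proposal')}")
                continue
            want = ESP_KEY_HEX_LEN.get(prop.get("encryption"))
            for d in ("inbound", "outbound"):
                key = pol.get("encryption-hex_" + d, "")
                if key and want and len(key) != want:
                    findings.append(f"{side}: policy {name} {d} key has {len(key)} hex digits, {prop['encryption']} needs {want}")
    # Cross-checks: A's outbound values must be B's inbound values, and the tunnel endpoints must be swapped.
    pa, pb = next(iter(a["policy"].values()), {}), next(iter(b["policy"].values()), {})
    pairs = [(f"{k}_{da}", f"{k}_{db}") for k in ("spi", "string-key", "encryption-hex")
             for da, db in (("outbound", "inbound"), ("inbound", "outbound"))]
    pairs += [("tunnel_local", "tunnel_remote"), ("tunnel_remote", "tunnel_local")]
    findings += [f"{ka} on {a_name} != {kb} on {b_name}" for ka, kb in pairs if pa.get(ka) != pb.get(kb)]
    flows_a = {(s, d) for rules in a["acl"].values() for s, _, d, _ in rules}
    flows_b = {(d, s) for rules in b["acl"].values() for s, _, d, _ in rules}   # mirrored view of B
    if flows_a != flows_b:
        findings.append(f"ACL flows on {a_name} are not mirrored on {b_name}")
    return findings

# Constructed copy of the R1/R2 commands above (wrapped hex keys rejoined); the truncated wildcard on
# R1 and the missing `proposal` line in R2's policy are kept on purpose so that the checker reports them.
R1_CONF = """
[R1-acl-adv-3100]rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.25
[R1-ipsec-proposal-leqee]esp authentication-algorithm sha1
[R1-ipsec-proposal-leqee]esp encryption-algorithm aes-128
[R1-ipsec-policy-manual-leqee-10]security acl 3100
[R1-ipsec-policy-manual-leqee-10]proposal leqee
[R1-ipsec-policy-manual-leqee-10]tunnel remote 20.1.2.1
[R1-ipsec-policy-manual-leqee-10]tunnel local 20.1.1.1
[R1-ipsec-policy-manual-leqee-10]sa spi outbound esp 12345
[R1-ipsec-policy-manual-leqee-10]sa spi inbound esp 54321
[R1-ipsec-policy-manual-leqee-10]sa encryption-hex inbound esp simple 1234567890abcdef1234567890abcdef
[R1-ipsec-policy-manual-leqee-10]sa encryption-hex outbound esp simple abcdef1234567890abcdef1234567890
"""
R2_CONF = """
[R2-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-ipsec-proposal-leqeeB]esp authentication-algorithm sha1
[R2-ipsec-proposal-leqeeB]esp encryption-algorithm aes-128
[R2-ipsec-policy-manual-leqeeb-10]security acl 3100
[R2-ipsec-policy-manual-leqeeb-10]tunnel remote 20.1.1.1
[R2-ipsec-policy-manual-leqeeb-10]tunnel local 20.1.2.1
[R2-ipsec-policy-manual-leqeeb-10]sa spi inbound esp 12345
[R2-ipsec-policy-manual-leqeeb-10]sa spi outbound esp 54321
[R2-ipsec-policy-manual-leqeeb-10]sa encryption-hex inbound esp simple abcdef1234567890abcdef1234567890
[R2-ipsec-policy-manual-leqeeb-10]sa encryption-hex outbound esp simple 1234567890abcdef1234567890abcdef
"""

if __name__ == "__main__":
    for finding in check_pair(parse_vrp(R1_CONF), parse_vrp(R2_CONF), "R1", "R2"):
        print(finding)
```

Running the file prints the two findings; correcting the wildcard to 0.0.0.255 and adding `proposal leqeeB` under R2's policy makes the list empty. Two points worth keeping in mind with this style of configuration: the `simple` keyword stores the keys in clear text in the running configuration, and manual SAs never rekey, so the same keys protect traffic until someone changes them by hand; the IKE-based sections that follow avoid both problems.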
Establishing an IPSec VPN through IKE dynamic negotiation:
[R1]acl 3100
[R1-acl-adv-3100]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-acl-adv-3100]rule deny ip
[R1]ipsec proposal tang
[R1-ipsec-proposal-tang]esp authentication-algorithm sha1
[R1-ipsec-proposal-tang]esp encryption-algorithm aes-128
[R1]ike peer ytwu v1
[R1-ike-peer-ytwu]pre-shared-key simple admin123
[R1-ike-peer-ytwu]remote-address 20.1.2.1
[R1]ipsec policy leqee 10 isakmp
[R1-ipsec-policy-isakmp-leqee-10]ike-peer ytwu
[R1-ipsec-policy-isakmp-leqee-10]proposal tang
[R1-ipsec-policy-isakmp-leqee-10]security acl 3100
[R1-GigabitEthernet0/0/0]ipsec policy leqee
[R1]ip route-static 10.1.2.0 24 20.1.1.2
[R2]acl 3100
[R2-acl-adv-3100]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-acl-adv-3100]rule deny ip
[R2]ipsec proposal tang
[R2-ipsec-proposal-tang]esp authentication-algorithm sha1
[R2-ipsec-proposal-tang]esp encryption-algorithm aes-128
[R2]ike peer ytwu v1
[R2-ike-peer-ytwu]pre-shared-key simple admin123
[R2-ike-peer-ytwu]remote-address 20.1.1.1
[R2]ipsec policy leqee 10 isakmp
[R2-ipsec-policy-isakmp-leqee-10]proposal tang
[R2-ipsec-policy-isakmp-leqee-10]ike-peer ytwu
[R2-ipsec-policy-isakmp-leqee-10]security acl 3100
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy leqee
[R2]ip route-static 10.1.1.0 24 20.1.2.2
Headquarters using a policy template to establish multiple IPSec tunnels with branches:
[R1]ipsec proposal leqeeA
[R1-ipsec-proposal-leqeeA]quit  use the default parameters
[R1]ike peer leqeeA v2  create the IKE peer
[R1-ike-peer-leqeeA]pre-shared-key simple admin123
[R1]ipsec policy-template leqeeA 10  create the policy template
[R1-ipsec-policy-templet-leqeeA-10]ike-peer leqeeA
[R1-ipsec-policy-templet-leqeeA-10]proposal leqeeA
[R1]ipsec policy leqeeaa 10 isakmp template leqeeA  create a policy from this template
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy leqeeaa  apply it to the interface
[R1]ip route-static 10.1.2.0 24 20.1.1.2
[R1]ip route-static 10.1.3.0 24 20.1.1.2
[R4]acl 3100
[R4-acl-adv-3100]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R4-acl-adv-3100]rule deny ip
[R4]ipsec proposal leqeeb
[R4-ipsec-proposal-leqeeb]quit
[R4]ike peer leqeeb v2
[R4-ike-peer-leqeeb]pre-shared-key simple admin123
[R4-ike-peer-leqeeb]remote-address 20.1.1.1
[R4-ike-peer-leqeeb]local-address 20.1.3.1
[R4]ipsec policy leqeeb 10 isakmp
[R4-ipsec-policy-isakmp-leqeeb-10]ike-peer leqeeb
[R4-ipsec-policy-isakmp-leqeeb-10]proposal leqeeb
[R4-ipsec-policy-isakmp-leqeeb-10]security acl 3100
[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ipsec policy leqeeb
[R4]ip route-static 10.1.1.0 24 20.1.3.2
Headquarters using a security policy group to establish multiple IPSec tunnels with branches:
[R1]acl 3100
[R1-acl-adv-3100]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[R1]acl 3200
[R1-acl-adv-3200]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1]ipsec proposal leqeea
[R1-ipsec-proposal-leqeea]quit
[R1]ike peer leqeea v2
[R1-ike-peer-leqeea]pre-shared-key simple admim123
[R1-ike-peer-leqeea]remote-address 20.1.3.1
[R1]ike peer leqeeb v2
[R1-ike-peer-leqeeb]pre-shared-key simple admim321
[R1-ike-peer-leqeeb]remote-address 20.1.2.1
[R1]ipsec policy leqeea 10 isakmp
[R1-ipsec-policy-isakmp-leqeea-10]ike-peer leqeea
[R1-ipsec-policy-isakmp-leqeea-10]security acl 3100
[R1-ipsec-policy-isakmp-leqeea-10]proposal leqeea
[R1]ipsec policy leqeea 20 isakmp
[R1-ipsec-policy-isakmp-leqeea-20]security acl 3200
[R1-ipsec-policy-isakmp-leqeea-20]proposal leqeea
[R1-ipsec-policy-isakmp-leqeea-20]ike-peer leqeeb
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy leqeea
[R1]ip route-static 10.1.2.0 24 20.1.1.2
[R1]ip route-static 10.1.3.0 24 20.1.1.2
[R2]acl 3200
[R2-acl-adv-3200]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2]ipsec proposal leqeeb
[R2-ipsec-proposal-leqeeb]quit
[R2]ike peer leqeeb v2
[R2-ike-peer-leqeeb]pre-shared-key simple admim321
[R2-ike-peer-leqeeb]remote-address 20.1.1.1
[R2]ipsec policy leqeeb 10 isakmp
[R2-ipsec-policy-isakmp-leqeeb-10]proposal leqeeb
[R2-ipsec-policy-isakmp-leqeeb-10]security acl 3200
[R2-ipsec-policy-isakmp-leqeeb-10]ike-peer leqeeb
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy leqeeb
[R2]ip route-static 10.1.1.0 24 20.1.2.2
Tunnel-interface-based IPSec VPN:
[R1]ipsec proposal leqee
[R1-ipsec-proposal-leqee]quit
[R1]ike peer leqee v2
[R1-ike-peer-leqee]peer-id-type ip
[R1-ike-peer-leqee]pre-shared-key simple admim123
[R1]ipsec profile leqee
[R1-ipsec-profile-leqee]proposal leqee
[R1-ipsec-profile-leqee]ike-peer leqee
[R1]interface Tunnel 0/0/0
[R1-Tunnel0/0/0]ip address 192.168.0.1 24
[R1-Tunnel0/0/0]tunnel-protocol ipsec
[R1-Tunnel0/0/0]source 20.1.1.1
[R1-Tunnel0/0/0]destination 20.1.3.1
[R1-Tunnel0/0/0]ipsec profile leqee
[R1]ip route-static 10.1.3.0 24 192.168.0.2
[R4]ipsec proposal leqee
[R4-ipsec-proposal-leqee]quit
[R4]ike peer leqee v2
[R4-ike-peer-leqee]peer-id-type ip
[R4-ike-peer-leqee]pre-shared-key simple admim123
[R4]ipsec profile leqee
[R4-ipsec-profile-leqee]proposal leqee
[R4-ipsec-profile-leqee]ike-peer leqee
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 192.168.0.2 24
[R4-Tunnel0/0/0]tunnel-protocol ipsec
[R4-Tunnel0/0/0]source 20.1.3.1
[R4-Tunnel0/0/0]destination 20.1.1.1
[R4-Tunnel0/0/0]ipsec profile leqee
[R4]ip route-static 10.1.1.0 24 192.168.0.1
Configuring a router for L2TP remote-access VPN:
[R1]aaa
[R1-aaa]local-user admim password cipher admim123
[R1-aaa]local-user admim service-type ppp
[R1]ip pool leqee
[R1-ip-pool-leqee]network 192.168.1.0 mask 24
[R1-ip-pool-leqee]gateway-list 192.168.1.1
[R1]interface Virtual-Template 1
[R1-Virtual-Template1]ip address 192.168.1.1 24
[R1-Virtual-Template1]ppp authentication-mode pap
[R1-Virtual-Template1]remote address pool leqee
[R1]l2tp enable
[R1]l2tp-group 1
[R1-l2tp1]tunnel authentication
[R1-l2tp1]tunnel password simple huawei
[R1-l2tp1]allow l2tp virtual-template 1
Initiating an L2TP tunnel connection by auto-dial:
[R1]aaa
[R1-aaa]local-user admin123 password cipher admin123
[R1-aaa]local-user admin123 service-type ppp
[R1]ip pool leqee
[R1-ip-pool-leqee]network 10.1.4.0 mask 24
[R1-ip-pool-leqee]gateway-list 10.1.4.1
[R1]interface Virtual-Template 1
[R1-Virtual-Template1]ppp authentication-mode chap
[R1-Virtual-Template1]remote address pool leqee
[R1-Virtual-Template1]ip address 10.1.4.1 24
[R1]l2tp enable
[R1]l2tp-group 1
[R1-l2tp1]tunnel name leqee
[R1-l2tp1]allow l2tp virtual-template 1 remote leqee2
[R1-l2tp1]tunnel authentication
[R1-l2tp1]tunnel password simple admin321
[R1]ip route-static 10.1.2.0 24 Virtual-Template 1
[R2]l2tp enable
[R2]l2tp-group 1
[R2-l2tp1]tunnel name leqee2
[R2-l2tp1]start l2tp ip 20.1.1.1 fullusername admin123
[R2-l2tp1]tunnel authentication
[R2-l2tp1]tunnel password simple admin321
[R2]interface Virtual-Template 1
[R2-Virtual-Template1]ppp chap user admin123
[R2-Virtual-Template1]ppp chap password cipher admin123
[R2-Virtual-Template1]ip address ppp-negotiate
[R2-Virtual-Template1]l2tp-auto-client enable
[R2]ip route-static 10.1.1.0 24 Virtual-Template 1
Dynamic Smart VPN (DSVPN):
[R1]interface Tunnel 0/0/0
[R1-Tunnel0/0/0]ip address 10.10.10.1 24
[R1-Tunnel0/0/0]tunnel-protocol gre p2mp
[R1-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R1-Tunnel0/0/0]nhrp entry multicast dynamic
[R1]ip route-static 10.1.2.0 24 10.10.10.2
[R1]ip route-static 10.1.3.0 24 10.10.10.3
[R2]interface Tunnel 0/0/0
[R2-Tunnel0/0/0]ip address 10.10.10.2 24
[R2-Tunnel0/0/0]tunnel-protocol gre p2mp
[R2-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R2-Tunnel0/0/0]nhrp entry 10.10.10.1 20.1.1.1 register
[R2]ip route-static 10.1.1.0 24 10.10.10.1
[R2]ip route-static 10.1.3.0 24 10.10.10.3
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 10.10.10.3 24
[R4-Tunnel0/0/0]tunnel-protocol gre p2mp
[R4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R4-Tunnel0/0/0]nhrp entry 10.10.10.1 20.1.1.1 register
[R4]ip route-static 10.1.1.0 24 10.10.10.1
[R4]ip route-static 10.1.2.0 24 10.10.10.2
Configuring DSVPN in shortcut mode when there are many branch networks:
[R1]interface Tunnel 0/0/0
[R1-Tunnel0/0/0]ip address 10.10.10.1 24
[R1-Tunnel0/0/0]tunnel-protocol gre p2mp
[R1-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R1-Tunnel0/0/0]nhrp entry multicast dynamic
[R1-Tunnel0/0/0]nhrp redirect
[R1]ip route-static 10.1.2.0 24 10.10.10.2
[R1]ip route-static 10.1.3.0 24 10.10.10.3
[R2]interface Tunnel 0/0/0
[R2-Tunnel0/0/0]ip address 10.10.10.2 24
[R2-Tunnel0/0/0]tunnel-protocol gre p2mp
[R2-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R2-Tunnel0/0/0]nhrp entry 10.10.10.1 20.1.1.1 register
[R2-Tunnel0/0/0]nhrp shortcut
[R2]ip route-static 10.1.0.0 16 10.10.10.1
[R4]interface Tunnel 0/0/0
[R4-Tunnel0/0/0]ip address 10.10.10.3 24
[R4-Tunnel0/0/0]tunnel-protocol gre p2mp
[R4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[R4-Tunnel0/0/0]nhrp entry 10.10.10.1 20.1.1.1 register
[R4-Tunnel0/0/0]nhrp shortcut
[R4]ip route-static 10.1.0.0 16 10.10.10.1
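Added example, not from the original notes: a Python simulation of the NHRP behaviour that separates the two DSVPN configurations above. In the first configuration, spoke-to-spoke traffic (R2's LAN to R4's LAN) is always relayed by the hub R1. With `nhrp redirect` on the hub and `nhrp shortcut` on the spokes, the hub answers the first relayed packet with an NHRP Traffic Indication, the spoke resolves the destination through the hub and learns R4's public (NBMA) address, and later packets use a direct spoke-to-spoke tunnel; that is why the spokes then only need the summary route 10.1.0.0/16 towards the hub. Assumptions: the spoke NBMA addresses 20.1.2.1 and 20.1.3.1 are taken from the earlier IPSec sections, the destination host 10.1.3.10 is constructed, and the message flow is a simplified model of NHRP rather than Huawei's implementation; all class and function names are this example's own.

```python
import ipaddress


class Node:
    def __init__(self, name, tunnel_ip, nbma_ip, lan):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.lan = ipaddress.ip_network(lan)
        self.nhrp_cache = {}          # tunnel IP -> NBMA (public) IP, static or learned through NHRP


class Hub(Node):
    def __init__(self, *args, redirect=False):
        super().__init__(*args)
        self.redirect = redirect      # `nhrp redirect` on the hub's mGRE tunnel interface
        self.registrations = {}       # tunnel IP -> NBMA IP of every spoke that registered


class Spoke(Node):
    def __init__(self, *args, shortcut=False):
        super().__init__(*args)
        self.shortcut = shortcut      # `nhrp shortcut` on the spoke's mGRE tunnel interface


def register(spoke, hub):
    """`nhrp entry <hub-tunnel-ip> <hub-nbma-ip> register`: static mapping plus an NHRP Registration."""
    spoke.nhrp_cache[hub.tunnel_ip] = hub.nbma_ip
    hub.registrations[spoke.tunnel_ip] = spoke.nbma_ip


def owner_of(dst_ip, nodes):
    return next(n for n in nodes if ipaddress.ip_address(dst_ip) in n.lan)


def send(src, dst_ip, hub, spokes, log):
    """Forward one packet from spoke `src` to host dst_ip; return the underlay hops it takes."""
    dst = owner_of(dst_ip, [hub] + spokes)
    if dst is hub or dst.tunnel_ip in src.nhrp_cache:
        return [(src.nbma_ip, src.nhrp_cache[dst.tunnel_ip])]
    # No direct mapping yet: the only route points at the hub, which relays to the registered spoke.
    hops = [(src.nbma_ip, hub.nbma_ip), (hub.nbma_ip, hub.registrations[dst.tunnel_ip])]
    if hub.redirect:   # packet entered and left the same mGRE interface: the hub signals a better path
        log.append(f"hub -> {src.name}: NHRP Traffic Indication for {dst_ip}")
        if src.shortcut:
            log.append(f"{src.name} -> hub -> {dst.name}: NHRP Resolution Request for {dst_ip}")
            log.append(f"{dst.name} -> {src.name}: NHRP Resolution Reply {dst.tunnel_ip} at {dst.nbma_ip}")
            src.nhrp_cache[dst.tunnel_ip] = dst.nbma_ip   # the spoke-to-spoke tunnel is now usable
    return hops


def run(shortcut_mode):
    """Build the three-router DSVPN of the section above and send two packets from R2 to R4's LAN."""
    hub = Hub("R1", "10.10.10.1", "20.1.1.1", "10.1.1.0/24", redirect=shortcut_mode)
    r2 = Spoke("R2", "10.10.10.2", "20.1.2.1", "10.1.2.0/24", shortcut=shortcut_mode)   # NBMA assumed
    r4 = Spoke("R4", "10.10.10.3", "20.1.3.1", "10.1.3.0/24", shortcut=shortcut_mode)   # NBMA assumed
    for spoke in (r2, r4):
        register(spoke, hub)
    log = []
    paths = [send(r2, "10.1.3.10", hub, [r2, r4], log) for _ in range(2)]   # constructed destination host
    return paths, log


if __name__ == "__main__":
    for mode in (False, True):
        paths, log = run(mode)
        print("shortcut mode" if mode else "hub-and-spoke only", paths, log, sep="\n  ")
```

run(True) returns the hub-relayed path for the first packet and the direct 20.1.2.1 -> 20.1.3.1 path for the second, together with the three NHRP messages; run(False) returns the relayed path twice and no messages, which is the extra hub load and latency the shortcut configuration removes as the number of branches grows.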