In the previous article, out of concern for the PE router's security, the *** gateway was placed in front of it.
Today I'm translating an IPsec *** solution built on the standard Cisco *** architecture.
The standard design isn't anything special, but it is laid out clearly and is easy to understand.
The MPLS part of the configuration in particular is a classic that you can copy wherever you need it, haha.
Topology

The PE router needs only one public IP address; after each customer dials in, it is imported into its own network through a VRF.
The schematic diagram is shown below.

Client config
spoke-***1-east#show running-config
hostname spoke-***1-east
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***1aes address 9.1.1.35
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map *** 1 ipsec-isakmp
 set peer 9.1.1.35
 set transform-set test
 match address 100
!
interface Serial0/0
 ip address 9.1.1.146 255.255.255.252
 crypto map ***
!
interface Ethernet0/1
 ip address 10.0.68.1 255.255.255.0
 half-duplex
 no keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.145
!
access-list 100 permit ip 10.0.68.0 0.0.0.255 any
PE-side config
# show running-configuration
version 12.3
service timestamps debug datetime
service timestamps log datetime msec
no service password-encryption
!
hostname ***-gw1-east
aaa new-model
!
aaa authentication login ***1 group radius
aaa authorization network ***1 group radius
aaa accounting update periodic 5
aaa accounting network *** start-stop group radius
aaa session-id common
ip subnet-zero
!
ip vrf ***1
 rd 200:1
 route-target export 200:1
 route-target import 200:1
!
ip vrf ***2
 rd 201:1
 route-target export 201:1
 route-target import 201:1
!
ip cef
mpls label protocol ldp
tag-switching ip default-route
no ftp-server write-enable
!
crypto keyring ***1
 pre-shared-key address 9.1.1.146 key ***1aes
crypto keyring ***2
 pre-shared-key address 9.1.1.150 key ***2ikev2
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp keepalive 10 10
crypto isakmp profile ***1
 vrf ***1
 keyring ***1
 match identity address 9.1.1.146 255.255.255.255
crypto isakmp profile ***1-ra -------------------- EZ*** client dial-in
 vrf ***1
 match identity group ***1group
 client authentication list ***
 isakmp authorization list ***
 client configuration address respond
 accounting ***
crypto isakmp profile ***2
 vrf ***2
 keyring ***2
 match identity address 9.1.1.150 255.255.255.255
!
crypto ipsec transform-set ***1 esp-3des esp-sha-hmac
crypto ipsec transform-set ***2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 1
 set transform-set ***1
 set isakmp-profile ***1-ra
 reverse-route remote-peer 9.1.1.33
!
crypto map *** 1 ipsec-isakmp
 set peer 9.1.1.146
 set transform-set ***1
 set isakmp-profile ***1
 reverse-route remote-peer address 9.1.1.33
 match address 101
crypto map *** 2 ipsec-isakmp
 set peer 9.1.1.150
 set transform-set ***2
 set isakmp-profile ***2
 reverse-route remote-peer address 9.1.1.33
 match address 102
crypto map *** 3 ipsec-isakmp dynamic dynamic
!
interface Loopback0
 ip address 9.2.1.100 255.255.255.255
!
interface FastEthernet0/0
 ip address 9.1.1.35 255.255.255.248
 duplex full
 crypto map ***
!
interface FastEthernet2/0
 ip address 100.1.1.147 255.255.255.0
 duplex full
!
interface FastEthernet4/0
 ip address 9.2.1.1 255.255.255.252
 duplex full
 tag-switching ip
!
router ospf 1
 log-adjacency-changes
 network 9.2.1.0 0.0.0.3 area 0
 network 9.2.1.100 0.0.0.0 area 0
!
router bgp 1001
 no synchronization
 bgp log-neighbor-changes
 neighbor 153.1.1.1 remote-as 1001
 neighbor 153.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family ***v4
  neighbor 153.1.1.1 activate
  neighbor 153.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf ***2
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf ***1
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
!
ip local pool ***1pool 10.254.245.1 10.254.254.254 group ***1group
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.33
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
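The whole design hinges on a chain of cross-references on the PE: the ISAKMP profile must bind the peer into its VRF, the site-to-site profile must name a keyring, and each static crypto map entry must resolve its profile, transform set and crypto ACL. A mistake anywhere in that chain either drops a customer into the global routing table or leaves an entry that never negotiates. The following Python script is an added example, not from the original post or from Cisco; it parses an IOS-style config (with IOS's usual one-space subcommand indentation) and reports such dangling references, and also flags the legacy algorithms seen in the listing (DES/3DES, MD5, DH groups 1, 2 and 5). The embedded sample config is a constructed, condensed version of the PE listing: custA/custB, the crypto map name outside and the key strings are placeholders I chose, since the page redacts the real names. On the sample it reports five findings, among them that crypto map entry 2 references access-list 102, which the page's PE listing also never defines.

```python
# Added example (not from the original post): static audit of a VRF-aware IPsec
# PE configuration in IOS text form.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed sample condensed from the PE listing above; custA/custB, the map
# name "outside" and the key strings are placeholders for the redacted names.
SAMPLE_CONFIG = """\
ip vrf custA
ip vrf custB
crypto keyring custA
 pre-shared-key address 9.1.1.146 key EXAMPLEKEY1
crypto keyring custB
 pre-shared-key address 9.1.1.150 key EXAMPLEKEY2
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp profile custA
 vrf custA
 keyring custA
 match identity address 9.1.1.146 255.255.255.255
crypto isakmp profile custB
 vrf custB
 keyring custB
 match identity address 9.1.1.150 255.255.255.255
crypto ipsec transform-set custA esp-3des esp-sha-hmac
crypto ipsec transform-set custB esp-3des esp-md5-hmac
crypto map outside 1 ipsec-isakmp
 set transform-set custA
 set isakmp-profile custA
 match address 101
crypto map outside 2 ipsec-isakmp
 set transform-set custB
 set isakmp-profile custB
 match address 102
crypto map outside 3 ipsec-isakmp dynamic dynamic
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
"""

def parse_blocks(text):
    """Group IOS config into (command, [indented subcommands]); skip '!' and blanks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "!" and raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        elif line and line != "!":
            blocks.append((line, []))
    return blocks

def sub_arg(body, prefix, idx=1):
    """Argument idx of the first subcommand starting with prefix, or None."""
    return next((s.split()[idx] for s in body if s.startswith(prefix)), None)

def audit(text):
    """Return findings as strings; an empty list means every reference resolves."""
    vrfs, keyrings, acls, profiles, tsets, maps, out = set(), set(), set(), {}, {}, [], []
    for cmd, body in parse_blocks(text):
        w = cmd.split()
        if cmd.startswith("ip vrf "):
            vrfs.add(w[2])
        elif cmd.startswith("crypto keyring "):
            keyrings.add(w[2])
        elif cmd.startswith("crypto isakmp policy ") and sub_arg(body, "group ") in WEAK_DH_GROUPS:
            out.append(f"isakmp policy {w[3]}: DH group {sub_arg(body, 'group ')} is weak")
        elif cmd.startswith("crypto isakmp profile "):
            profiles[w[3]] = body
        elif cmd.startswith("crypto ipsec transform-set "):
            tsets[w[3]] = w[4:]
        elif cmd.startswith("crypto map ") and "ipsec-isakmp" in w and "dynamic" not in w:
            maps.append((f"{w[2]} {w[3]}", body))
        elif cmd.startswith("access-list "):
            acls.add(w[1])
    # A profile without 'vrf' drops the peer into the global table, defeating the
    # per-customer isolation; address-matched (site-to-site) profiles also need a
    # keyring, while group-matched remote-access profiles authenticate via AAA.
    for name, body in profiles.items():
        vrf = sub_arg(body, "vrf ")
        if vrf is None:
            out.append(f"isakmp profile {name}: no vrf bound (peer lands in global table)")
        elif vrf not in vrfs:
            out.append(f"isakmp profile {name}: vrf {vrf} is not defined")
        if any(s.startswith("match identity address") for s in body):
            if sub_arg(body, "keyring ") not in keyrings:
                out.append(f"isakmp profile {name}: keyring {sub_arg(body, 'keyring ')} is not defined")
    for name, algs in tsets.items():
        out += [f"transform-set {name}: {a} is deprecated" for a in algs if a in WEAK_TRANSFORMS]
    # Every static crypto map entry must resolve its profile, transform set and crypto ACL.
    for entry, body in maps:
        for ref, table in (("isakmp-profile", profiles), ("transform-set", tsets)):
            if sub_arg(body, f"set {ref} ", 2) not in table:
                out.append(f"crypto map {entry}: {ref} {sub_arg(body, f'set {ref} ', 2)} is not defined")
        acl = sub_arg(body, "match address ", 2)
        if acl is None:
            out.append(f"crypto map {entry}: no crypto ACL (match address) configured")
        elif acl not in acls:
            out.append(f"crypto map {entry}: access-list {acl} is not defined")
    return out
```

To run it against a real device, feed the text of `show running-config` to `audit()` and review the returned list; the dynamic crypto map entry (the one used by the EZ*** remote-access profile) is skipped on purpose, because it has no static peer or crypto ACL to resolve.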
Reposted from: https://blog.51cto.com/lovelili/95593