AR G3: IPSec configuration when one end has a fixed address and the other end's address changes
2014/10/12 13:53:59
Problem description
In this scenario the end with the fixed IP address uses a policy template (ipsec policy-template). It does not need to specify remote-address, and it does not need an ACL either (do not worry that data flows will go unprotected without one: the ACL can be negotiated from the peer). If an ACL is configured on this end, its rules must specify a destination, otherwise negotiation will run into problems.
Alarm information
None
Handling procedure
Configuration on the end whose IP address does not change:
acl number 3000
rule 5 permit ip source 172.18.1.0 0.0.0.255 destination 172.18.2.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 189 v2
pre-shared-key huawei
ike-proposal 1
#
ipsec policy-template 1 1
security acl 3000 ---------------- optional; recommended not to configure
ike-peer 189
proposal 1
#
ipsec policy 2 1 isakmp template 1
#
interface GigabitEthernet0/0/1
ip address 172.18.1.189 255.255.255.0
ipsec policy 2
#
Configuration on the end whose IP address changes:
acl number 3000
rule 5 permit ip source 172.18.2.0 0.0.0.255 destination 172.18.1.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 190 v2
pre-shared-key huawei
ike-proposal 1
remote-address 172.18.1.189
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 190
proposal 1
#
interface Dialer0
link-protocol ppp
ip address ppp-negotiate
dialer user 190
dialer bundle 1
dialer-group 1
ipsec policy 1 --------------- bind the IPSec policy under the Dialer interface
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
dialer-rule
dialer-rule 1 ip permit
#
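As an added example (my own code, not from the page or from Huawei), a small Python check that reads the two configurations above and verifies the points this page makes: the changing-address end points remote-address at the fixed end's interface address, the fixed end sets no remote-address, both ends use the same pre-shared key, every ACL rule on the fixed end carries a destination, and the changing end mirrors it. The configuration excerpts are constructed from the page; the function names are my own.

```python
import re

# Constructed excerpts of the two configurations shown above (fixed-address end and
# changing-address end); only the lines the checks need are kept.
FIXED_END = """\
acl number 3000
 rule 5 permit ip source 172.18.1.0 0.0.0.255 destination 172.18.2.0 0.0.0.255
ike peer 189 v2
 pre-shared-key huawei
interface GigabitEthernet0/0/1
 ip address 172.18.1.189 255.255.255.0
"""
DYNAMIC_END = """\
acl number 3000
 rule 5 permit ip source 172.18.2.0 0.0.0.255 destination 172.18.1.0 0.0.0.255
ike peer 190 v2
 pre-shared-key huawei
 remote-address 172.18.1.189
"""

RULE_RE = re.compile(r"^\s*rule \d+ permit ip source (\S+ \S+)(?: destination (\S+ \S+))?", re.M)

def acl_rules(cfg):
    """(source, destination) wildcard pairs of each permit rule; destination is None when omitted."""
    return [(m.group(1), m.group(2)) for m in RULE_RE.finditer(cfg)]

def first(cfg, pattern):
    """First capture group of a line-anchored pattern in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_pair(fixed_cfg, dynamic_cfg):
    """List the inconsistencies between the two ends; an empty list means they agree."""
    problems = []
    fixed_ip = first(fixed_cfg, r"^\s*ip address (\S+) ")
    if first(dynamic_cfg, r"^\s*remote-address (\S+)") != fixed_ip:
        problems.append(f"changing end must point remote-address at {fixed_ip}")
    if first(fixed_cfg, r"^\s*remote-address (\S+)"):
        problems.append("fixed end must not set remote-address (peer address is unknown)")
    if first(fixed_cfg, r"^\s*pre-shared-key (\S+)") != first(dynamic_cfg, r"^\s*pre-shared-key (\S+)"):
        problems.append("pre-shared keys differ")
    dyn_rules = acl_rules(dynamic_cfg)
    for src, dst in acl_rules(fixed_cfg):
        if dst is None:
            problems.append(f"fixed end ACL rule for source {src} has no destination")
        elif (dst, src) not in dyn_rules:
            problems.append(f"changing end has no mirror rule for {src} -> {dst}")
    return problems
```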
The following command shows whether the IPsec tunnel was established successfully:
display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
5 172.18.1.189 0 RD|ST 2
3 172.18.1.189 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
display ipsec sa
===============================
Interface: Dialer0
Path MTU: 1492
===============================
-----------------------------
IPSec policy name: "1"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 172.18.2.254
Tunnel remote : 172.18.1.189
[Outbound ESP SAs]
SPI: 2804632727 (0xa72b4c97)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3010961613 (0xb377a0cd)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max received sequence-number: 0
UDP encapsulation used for NAT traversal: N
The following command shows whether traffic is entering the IPSec tunnel:
display ipsec statistics esp
Inpacket count : 10
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 10
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
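As an added example (my own code, not from the page or from Huawei), a Python parser for the two listings above that turns the manual checks into ones an operator can automate: both IKE phases READY for the peer, ESP packets flowing, and no drop or authentication-failure counters climbing. The sample output is constructed from the page's listings; the function names are my own.

```python
import re

# Constructed sample output, copied from the page's "display ike sa v2" and
# "display ipsec statistics esp" listings above.
IKE_SA_OUTPUT = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
5 172.18.1.189 0 RD|ST 2
3 172.18.1.189 0 RD|ST 1
"""
ESP_STATS_OUTPUT = """\
Inpacket count : 10
Outpacket count : 10
Inpacket drop count : 0
Outpacket drop count : 0
AuthFail count : 0
PktInSAMissDrop count : 0
"""

# One SA row: Conn-ID, peer, VPN, flags joined by '|', phase.
SA_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([12])$", re.M)
# One statistics row: counter name, colon, integer value.
COUNTER_RE = re.compile(r"^(\S.*?)\s*:\s*(\d+)$", re.M)

def parse_ike_sa(text):
    """Map (peer, phase) -> set of flags for every SA row of 'display ike sa v2'."""
    return {(m.group(2), int(m.group(5))): set(m.group(4).split("|"))
            for m in SA_RE.finditer(text)}

def tunnel_ready(text, peer):
    """True only when the peer has a READY (RD) SA in both phase 1 and phase 2."""
    sas = parse_ike_sa(text)
    return all("RD" in sas.get((peer, phase), set()) for phase in (1, 2))

def packet_counts(text):
    """(inbound, outbound) ESP packet totals; non-zero values show traffic is using the tunnel."""
    counters = dict(COUNTER_RE.findall(text))
    return int(counters["Inpacket count"]), int(counters["Outpacket count"])

def esp_problems(text):
    """Names of drop or authentication-failure counters that are non-zero."""
    return [name for name, value in COUNTER_RE.findall(text)
            if int(value) and ("drop" in name.lower() or "fail" in name.lower())]
```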
Root cause
None
Suggestions and summary
None