AR G3: IPSec configuration with a fixed address at one end and a changing address at the other
2014/10/12 13:53:59
Problem description
In this scenario the end with the fixed IP address uses a policy template (template-policy). It does not need to specify remote-address, and it may also omit the ACL (there is no need to worry that traffic will go unprotected without one, because the ACL can be negotiated from the peer). If an ACL is configured on the template end, it must specify a destination, otherwise negotiation will run into problems. Because the template end pins neither the peer address nor the protected flow, any peer that presents the correct pre-shared key can bring up the tunnel and propose the data flow; the key "huawei" used below is a placeholder and must be replaced by a strong, unique secret in a real deployment.
Alarm information
None
Handling process
Configuration of the end whose IP address does not change:
acl number 3000
rule 5 permit ip source 172.18.1.0 0.0.0.255 destination 172.18.2.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 189 v2
pre-shared-key huawei
ike-proposal 1
#
ipsec policy-template 1 1
security acl 3000 ---------------- optional; recommended not to configure
ike-peer 189
proposal 1
#
ipsec policy 2 1 isakmp template 1
#
interface GigabitEthernet0/0/1
ip address 172.18.1.189 255.255.255.0
ipsec policy 2
#
Configuration of the end whose IP address changes:
acl number 3000
rule 5 permit ip source 172.18.2.0 0.0.0.255 destination 172.18.1.0 0.0.0.255
#
ipsec proposal 1
#
ike proposal 1
#
ike peer 190 v2
pre-shared-key huawei
ike-proposal 1
remote-address 172.18.1.189
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 190
proposal 1
#
interface Dialer0
link-protocol ppp
ip address ppp-negotiate
dialer user 190
dialer bundle 1
dialer-group 1
ipsec policy 1 --------------- the IPSec policy is bound under the Dialer interface
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
dialer-rule
dialer-rule 1 ip permit
#
Use the following commands to check whether the IPsec tunnel has been established successfully:
display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
5 172.18.1.189 0 RD|ST 2
3 172.18.1.189 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
display ipsec sa
===============================
Interface: Dialer0
Path MTU: 1492
===============================
-----------------------------
IPSec policy name: "1"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 172.18.2.254
Tunnel remote : 172.18.1.189
[Outbound ESP SAs]
SPI: 2804632727 (0xa72b4c97)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3010961613 (0xb377a0cd)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max received sequence-number: 0
UDP encapsulation used for NAT traversal: N
Use the following command to check whether traffic is entering the IPSec tunnel:
display ipsec statistics esp
Inpacket count : 10
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 10
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
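Two things in the captures above deserve a check before the tunnel is declared good. First, the ESP SAs negotiated ESP-ENCRYPT-DES-64 and ESP-AUTH-MD5, which is what the empty "ipsec proposal 1" and "ike proposal 1" blocks in this configuration yield; both algorithms are broken and a production deployment should set AES and SHA-2 explicitly in the proposals. Second, the ESP statistics show "Outpacket encap count : 0", so no packet has actually been encapsulated yet even though the SA is up. The following script is an added example, not part of the original article and not a Huawei tool: it parses the text of "display ipsec sa" and "display ipsec statistics esp" (the two samples are constructed from the captures above), flags weak ESP algorithms, reports any non-zero error counter, and warns when nothing has been encapsulated. The counter names and proposal naming are taken from this article's output; the script assumes other AR releases print them in the same "Name : value" form.

```python
import re

# Constructed sample: the ESP SA part of the `display ipsec sa` capture above.
SAMPLE_IPSEC_SA = """\
Tunnel local : 172.18.2.254
Tunnel remote : 172.18.1.189
[Outbound ESP SAs]
SPI: 2804632727 (0xa72b4c97)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3010961613 (0xb377a0cd)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2877
Max received sequence-number: 0
UDP encapsulation used for NAT traversal: N
"""

# Constructed sample: the `display ipsec statistics esp` capture above.
SAMPLE_ESP_STATS = """\
Inpacket count : 10
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 10
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
"""

# Substrings of the proposal names that identify broken algorithms.
# "DES-64" and "3DES" are distinct tokens, so AES names never match.
WEAK_TOKENS = ("DES-64", "3DES", "MD5")

# Counters that must stay at zero on a healthy tunnel.
ERROR_COUNTERS = (
    "Inpacket drop count", "Outpacket drop count", "BadAuthLen count",
    "AuthFail count", "PktDuplicateDrop count", "PktSeqNoTooSmallDrop count",
    "PktInSAMissDrop count",
)


def parse_ipsec_sa(text):
    """Return one dict per [Outbound/Inbound ESP SAs] block."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(Outbound|Inbound) ESP SAs\]", line)
        if m:
            current = {"direction": m.group(1).lower(), "proposal": []}
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first SA block
        if m := re.match(r"SPI:\s*(\d+)", line):
            current["spi"] = int(m.group(1))
        elif m := re.match(r"Proposal:\s*(.+)", line):
            current["proposal"] = m.group(1).split()
        elif m := re.match(r"SA remaining key duration \(bytes/sec\):\s*(\d+)/(\d+)", line):
            current["remaining_bytes"] = int(m.group(1))
            current["remaining_sec"] = int(m.group(2))
        elif m := re.match(r"UDP encapsulation used for NAT traversal:\s*([YN])", line):
            current["nat_t"] = m.group(1) == "Y"
    return sas


def weak_algorithms(sa):
    """Names in the SA's proposal that use DES, 3DES or MD5."""
    return [alg for alg in sa["proposal"] if any(t in alg for t in WEAK_TOKENS)]


def parse_esp_stats(text):
    """Map each 'Name : N' counter line to an int."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def audit(sa_text, stats_text):
    """List of findings; an empty list means the tunnel looks healthy."""
    findings = []
    for sa in parse_ipsec_sa(sa_text):
        weak = weak_algorithms(sa)
        if weak:
            findings.append(f"{sa['direction']} SPI {sa.get('spi', 0):#x}: weak algorithms {weak}")
    stats = parse_esp_stats(stats_text)
    for name in ERROR_COUNTERS:
        if stats.get(name, 0):
            findings.append(f"{name} = {stats[name]}")
    if stats.get("Outpacket encap count", 0) == 0:
        findings.append("Outpacket encap count is 0: no traffic has entered the tunnel yet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPSEC_SA, SAMPLE_ESP_STATS):
        print("FINDING:", finding)
```

Run against the article's own captures it reports the DES/MD5 proposal on both SAs and the zero encapsulation count; run a second time after sending traffic across the tunnel and the last finding should disappear, while any growth in AuthFail, BadAuthLen or PktInSAMissDrop points at a key or SA mismatch rather than a routing problem.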
Root cause
None
Suggestions and summary
None