核心思想

1）基础配置

每个接口配置IP地址

2）内部网络配置

ospf 100 router-id X.X.X.X

3）配置静态默认路由

ip route-static 0.0.0.0 0 出接口 下一跳

4）配置ipsec 协商 名称

ipsec proposal 2to4

5）配置感应兴趣流

acl number 3000

rule 5 permit ip source 网段 反掩码 destination 网段 反掩码

6）建立ipsec policy

ipsec policy yeslab 10 manual//策略名称

security acl 3000 //感兴趣安全数据流

proposal 2to4 //建议名称 2to4

tunnel local 20.1.1.2 //本地公网ip地址

tunnel remote 30.1.1.2 //对端公网ip地址g//

sa spi inbound esp 12345 //安全联盟协商参数

sa string-key inbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

sa spi outbound esp 54321//安全联盟协商参数

sa string-key outbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

7）安全策略在物理口应用

int g0/0/0

ipsec policy yeslab //调用安全策略名称

8）特别注意路由

需要将对端网段引入

ip route-static 对端目的网段 子网掩码 出接口 下一跳

详细配置内容

R1:

<r1>display current-configuration  

[V200R003C00]

#

sysname r1

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent  

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load portalpage.zip

#

drop illegal-mac alarm

#

set cpu-usage threshold 80 restore 75

#

aaa  

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default  

domain default_admin  

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 192.168.1.1 255.255.255.0  

#

interface GigabitEthernet0/0/1

ip address 10.1.1.2 255.255.255.0  

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

interface LoopBack0

ip address 1.1.1.1 255.255.255.255  

#

ospf 100 router-id 1.1.1.1  

import-route static

area 0.0.0.0  

 network 10.1.1.0 0.0.0.255  

 network 192.168.1.0 0.0.0.255  

#

ip route-static 192.168.2.0 255.255.255.0 GigabitEthernet0/0/1 10.1.1.1

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

<r1>

R2:

<r2>display current-configuration  

[V200R003C00]

#

sysname r2

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent  

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load portalpage.zip

#

drop illegal-mac alarm

#

set cpu-usage threshold 80 restore 75

#

acl number 3000  

rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

 

#

ipsec proposal 2to4

#

ipsec policy yeslab 10 manual

security acl 3000

proposal 2to4

tunnel local 20.1.1.2

tunnel remote 30.1.1.2

sa spi inbound esp 12345

sa string-key inbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

sa spi outbound esp 54321

sa string-key outbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

#

aaa  

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default  

domain default_admin  

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 10.1.1.1 255.255.255.0  

#

interface GigabitEthernet0/0/1

ip address 20.1.1.2 255.255.255.0  

ipsec policy yeslab

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

interface LoopBack0

ip address 2.2.2.2 255.255.255.255  

#

ospf 100 router-id 2.2.2.2  

import-route direct

import-route static

area 0.0.0.0  

 network 10.1.1.0 0.0.0.255  

#

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 20.1.1.1

ip route-static 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0 10.1.1.2

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

<r2>

R3:

<r3>display current-configuration  

[V200R003C00]

#

sysname r3

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent  

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load portalpage.zip

#

drop illegal-mac alarm

#

set cpu-usage threshold 80 restore 75

#

aaa  

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default  

domain default_admin  

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 20.1.1.1 255.255.255.0  

#

interface GigabitEthernet0/0/1

ip address 30.1.1.1 255.255.255.0  

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

<r3>

R4:

<r4>display current-configuration  

[V200R003C00]

#

sysname r4

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent  

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load portalpage.zip

#

drop illegal-mac alarm

#

set cpu-usage threshold 80 restore 75

#

acl number 3000  

rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

 

#

ipsec proposal 2to4

#

ipsec policy yeslab 10 manual

security acl 3000

proposal 2to4

tunnel local 30.1.1.2

tunnel remote 20.1.1.2

sa spi inbound esp 54321

sa string-key inbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

sa spi outbound esp 12345

sa string-key outbound esp cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$

#

aaa  

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default  

domain default_admin  

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 30.1.1.2 255.255.255.0  

ipsec policy yeslab

#

interface GigabitEthernet0/0/1

ip address 40.1.1.1 255.255.255.0  

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

interface LoopBack0

ip address 4.4.4.4 255.255.255.255  

#

ospf 100 router-id 4.4.4.4  

import-route direct

import-route static

area 0.0.0.0  

 network 40.1.1.0 0.0.0.255  

#

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 30.1.1.1

ip route-static 192.168.2.0 255.255.255.0 GigabitEthernet0/0/1 40.1.1.2

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

<r4>

R5:

<r5>display current-configuration  

[V200R003C00]

#

sysname r5

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent  

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load portalpage.zip

#

drop illegal-mac alarm

#

set cpu-usage threshold 80 restore 75

#

aaa  

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default  

domain default_admin  

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 40.1.1.2 255.255.255.0  

#

interface GigabitEthernet0/0/1

ip address 192.168.2.1 255.255.255.0  

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

interface LoopBack0

ip address 5.5.5.5 255.255.255.255  

#

ospf 100 router-id 5.5.5.5  

import-route static

area 0.0.0.0  

 network 40.1.1.0 0.0.0.255  

 network 192.168.2.0 0.0.0.255  

#

ip route-static 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0 40.1.1.1

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

<r5>