This example applies to AR routers of all models running V200R002C00 or a later version.
As shown in Figure 1, an enterprise consists of a headquarters and two branches. Branch 1 and branch 2 connect to the Internet through RouterB and RouterC respectively. RouterA is the NAT gateway; RouterA at the headquarters and RouterB at branch 1 have fixed public IP addresses, while RouterC obtains a dynamic public IP address. RouterA and RouterB, and likewise RouterA and RouterC, are reachable from each other through routing. The enterprise requires the following networking:
RouterA configuration file:

```
#
 sysname RouterA
#
acl number 3000
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer c
 pre-shared-key %^%#0ljf5R_9LXP|Qe=WVA6-Y%'}%^%#
 ike-proposal 10
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer c
 proposal tran1
#
ipsec policy map1 10 isakmp template temp
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action no-nat
 rule name policy_nat2
  source-zone trust
  source-zone untrust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  action source-nat easy-ip
#
return
```
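The order of the two nat-policy rules is the security-relevant detail in RouterA's configuration: policy_nat1 exempts headquarters-to-branch traffic from translation so that it enters the IPsec tunnel with its real 10.1.1.0/24 source address, and only then does policy_nat2 apply easy-ip to everything else leaving towards untrust. The Python model below is an added example, not Huawei code; it replays those two rules with first-match semantics against constructed sample flows and probes whether a no-nat rule would be shadowed if the order were reversed. The zone mapping (only 10.1.1.0/24 in trust, everything reached via GigabitEthernet0/0/1 in untrust) and the untranslated default for flows that match no rule are assumptions of the model.

```python
"""First-match evaluation of RouterA's nat-policy (added example, not Huawei code).

Replays the two nat-policy rules from the RouterA configuration above against
constructed sample flows. The zone mapping and the "no translation" default for
unmatched traffic are simplifying assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

PUBLIC_IP = ip_address("1.1.3.1")       # RouterA GigabitEthernet0/0/1, used by easy-ip
TRUST_NET = ip_network("10.1.1.0/24")   # RouterA GigabitEthernet0/0/3 is in zone trust


def zone_for(addr: IPv4Address) -> str:
    """Assumption: only the headquarters LAN is in trust; branch LANs (reached
    over the tunnel) and the Internet both arrive via GE0/0/1, zone untrust."""
    return "trust" if addr in TRUST_NET else "untrust"


@dataclass
class NatRule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    src_nets: Tuple[IPv4Network, ...]   # empty tuple means "any"
    dst_nets: Tuple[IPv4Network, ...]
    action: str                          # "no-nat" or "source-nat easy-ip"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (
            zone_for(src) in self.src_zones
            and zone_for(dst) in self.dst_zones
            and (not self.src_nets or any(src in n for n in self.src_nets))
            and (not self.dst_nets or any(dst in n for n in self.dst_nets))
        )


N = ip_network
ROUTERA_NAT_POLICY: List[NatRule] = [
    # rule name policy_nat1: headquarters LAN to the branch LANs keeps its real source
    NatRule("policy_nat1", frozenset({"trust"}), frozenset({"untrust"}),
            (N("10.1.1.0/24"),), (N("10.1.2.0/24"), N("10.1.3.0/24")), "no-nat"),
    # rule name policy_nat2: everything else from the three LANs towards untrust
    # is rewritten to the outbound interface address (easy-ip)
    NatRule("policy_nat2", frozenset({"trust", "untrust"}), frozenset({"untrust"}),
            (N("10.1.1.0/24"), N("10.1.2.0/24"), N("10.1.3.0/24")), (), "source-nat easy-ip"),
]


def evaluate(policy: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (name of the first matching rule or None, source address after NAT).
    Unmatched flows are left untranslated (assumed default)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d):
            translated = str(PUBLIC_IP) if rule.action.startswith("source-nat") else src
            return rule.name, translated
    return None, src


def shadowed_no_nat_rules(policy: List[NatRule]) -> List[str]:
    """Probe every no-nat rule with a representative host pair from its own
    address sets and report the rules an earlier rule captures first."""
    shadowed: List[str] = []
    for rule in policy:
        if rule.action != "no-nat":
            continue
        for s_net in rule.src_nets:
            for d_net in rule.dst_nets:
                hit, _ = evaluate(policy, str(s_net[2]), str(d_net[2]))  # .2 hosts
                if hit != rule.name and rule.name not in shadowed:
                    shadowed.append(rule.name)
    return shadowed


if __name__ == "__main__":
    for src, dst in [("10.1.1.2", "10.1.2.2"), ("10.1.1.2", "1.1.6.1"), ("10.1.2.2", "1.1.6.1")]:
        print(src, "->", dst, evaluate(ROUTERA_NAT_POLICY, src, dst))
    print("shadowed as configured:", shadowed_no_nat_rules(ROUTERA_NAT_POLICY))
    print("shadowed if reversed:  ", shadowed_no_nat_rules(list(reversed(ROUTERA_NAT_POLICY))))
```

With the rules in the configured order, 10.1.1.2 -> 10.1.2.2 is left untranslated and 10.1.2.2 -> 1.1.6.1 (branch 1 traffic hairpinned through the headquarters) is rewritten to 1.1.3.1, which matches the session table in the verification output. With the order reversed, the headquarters-to-branch probe is captured by policy_nat2 and leaves as 1.1.3.1; RouterB's security-policy rule policy2 permits only 10.1.1.0/24 and 10.1.3.0/24 as inbound sources, so the branch would drop it.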
RouterB configuration file:

```
#
 sysname RouterB
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %^%#St4#CBb9$L>G`5W(HV*BKTnm%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.5.1 mask 255.255.255.255
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 mask 255.255.255.255
  destination-address 1.1.5.1 mask 255.255.255.255
  action permit
#
return
```
RouterC configuration file:

```
#
 sysname RouterC
#
acl number 3000
 rule 5 permit ip source 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %^%#LV|sQ=~fUQO:M$CeqaMEnwVD%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1     /*configuration of obtaining IP*/
 undo shutdown
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 mask 255.255.255.255
  action permit
#
return
```
Session table on RouterA, sessions from the headquarters LAN (the source 10.1.1.2 is translated to the easy-ip address 1.1.3.1):

```
display firewall session table
 Current Total Sessions : 5
 icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048
```
Session table on RouterA, sessions from the branch 1 LAN (10.1.2.0/24) leaving through the headquarters NAT gateway:

```
display firewall session table
 Current Total Sessions : 5
 icmp VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62019[1.1.3.1:2054]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62275[1.1.3.1:2055]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62531[1.1.3.1:2056]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62787[1.1.3.1:2057]-->1.1.6.1:2048
```
IKE SAs on RouterA (peer 1.1.5.1 is RouterB):

```
display ike sa
 IKE SA information :
 Conn-ID    Peer           VPN    Flag(s)     Phase    RemoteType    RemoteID
 -------------------------------------------------------------------------
 83887864   1.1.5.1:500           RD|A        v2:2     IP            1.1.5.1
 83887652   1.1.5.1:500           RD|A        v2:1     IP            1.1.5.1
 Number of IKE SA : 2
 -------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
```
IKE SAs on RouterB (peer 1.1.3.1 is RouterA):

```
display ike sa
 IKE SA information :
 Conn-ID    Peer           VPN    Flag(s)     Phase    RemoteType    RemoteID
 -------------------------------------------------------------------------
 62887864   1.1.3.1:500           RD|ST|A     v2:2     IP            1.1.3.1
 62887652   1.1.3.1:500           RD|ST|A     v2:1     IP            1.1.3.1
 Number of IKE SA : 2
 -------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
```
IPsec SAs of the RouterA-RouterB tunnel, one per direction:

```
display ipsec sa brief
 Current ipsec sa num:2
 Spu board slot 1, cpu 1 ipsec sa information:
 Number of SAs:2
 Src address      Dst address      SPI           VPN    Protocol    Algorithm
 -------------------------------------------------------------------------------
 1.1.5.1          1.1.3.1          3923280450           ESP         E:AES-256 A:SHA2_256_128
 1.1.3.1          1.1.5.1          787858613            ESP         E:AES-256 A:SHA2_256_128
```
The same two SAs seen from the other end of the tunnel (same SPIs, opposite listing order):

```
display ipsec sa brief
 Current ipsec sa num:2
 Spu board slot 1, cpu 1 ipsec sa information:
 Number of SAs:2
 Src address      Dst address      SPI           VPN    Protocol    Algorithm
 -------------------------------------------------------------------------------
 1.1.3.1          1.1.5.1          787858613            ESP         E:AES-256 A:SHA2_256_128
 1.1.5.1          1.1.3.1          3923280450           ESP         E:AES-256 A:SHA2_256_128
```
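Reading this output by hand does not scale past a couple of tunnels, so here is an added Python example (not Huawei code) that parses the `display firewall session table` and `display ike sa` output quoted above and checks two things a defender cares about: that every session from a private source towards something outside the site LANs carries an easy-ip translation to RouterA's public address 1.1.3.1, and that the peer has an IKE SA in READY (RD) state with a phase 2 entry. The session text is the RouterA-side output above plus one constructed line (a private source to 203.0.113.10 with no translation) showing what a nat-policy gap would look like; the 10.1.0.0/16 summary used for the site LANs is an assumption taken from the static route on RouterB and RouterC.

```python
"""Parse RouterA verification output and check NAT and IKE state.

Added example, not Huawei code. The sample text is the page's RouterA output
plus one constructed session line (marked) that illustrates a nat-policy gap.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

PUBLIC_IP = "1.1.3.1"                     # RouterA GE0/0/1, the easy-ip address
SITE_LANS = [ip_network("10.1.0.0/16")]   # assumption: summary of the three site LANs

SESSION_TABLE = """\
 Current Total Sessions : 6
 icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048
 udp VPN:public --> public 10.1.1.7:40000-->203.0.113.10:53
"""  # the udp line is constructed: a private source leaving untranslated

IKE_SA = """\
 IKE SA information :
 Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
 -------------------------------------------------------------------------
 83887864 1.1.5.1:500 RD|A v2:2 IP 1.1.5.1
 83887652 1.1.5.1:500 RD|A v2:1 IP 1.1.5.1
 Number of IKE SA : 2
"""

SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\S+\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat>[\d.]+):(?P<nport>\d+)\])?"   # present only when NAT was applied
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

IKE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<peer>[\d.]+):\d+\s+(?:(?P<vpn>\S+)\s+)?"  # VPN column may be blank
    r"(?P<flags>[A-Z]+(?:\|[A-Z]+)*)\s+(?P<phase>v\d+:\d+)\s+\S+\s+(?P<rid>\S+)\s*$")


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    nat_src: Optional[str]
    nat_port: Optional[int]
    dst: str
    dport: int

    @property
    def translated(self) -> bool:
        return self.nat_src is not None


@dataclass
class IkeSa:
    conn_id: int
    peer: str
    flags: FrozenSet[str]
    phase: str
    remote_id: str


def parse_session_table(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(
                m["proto"], m["src"], int(m["sport"]), m["nat"],
                int(m["nport"]) if m["nport"] else None, m["dst"], int(m["dport"])))
    return sessions


def parse_ike_sa(text: str) -> List[IkeSa]:
    sas = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append(IkeSa(int(m["id"]), m["peer"], frozenset(m["flags"].split("|")),
                             m["phase"], m["rid"]))
    return sas


def untranslated_private_egress(sessions: List[Session]) -> List[Session]:
    """Sessions from a private source to a destination outside the site LANs
    with no translation: these would leak RFC 1918 addresses to the Internet."""
    return [s for s in sessions
            if ip_address(s.src).is_private
            and not any(ip_address(s.dst) in lan for lan in SITE_LANS)
            and not s.translated]


def translated_to(sessions: List[Session], public_ip: str) -> int:
    """Count sessions whose source was rewritten to the given easy-ip address."""
    return sum(1 for s in sessions if s.nat_src == public_ip)


def established_peers(sas: List[IkeSa]) -> List[str]:
    """Peers with a READY (RD) phase 2 entry, i.e. a usable IPsec SA."""
    peers: List[str] = []
    for sa in sas:
        if "RD" in sa.flags and sa.phase.endswith(":2") and sa.peer not in peers:
            peers.append(sa.peer)
    return peers


if __name__ == "__main__":
    sessions = parse_session_table(SESSION_TABLE)
    print("sessions:", len(sessions), "translated to", PUBLIC_IP, "->", translated_to(sessions, PUBLIC_IP))
    for s in untranslated_private_egress(sessions):
        print("untranslated private egress:", s.src, "->", s.dst)
    print("peers with a ready phase 2 SA:", established_peers(parse_ike_sa(IKE_SA)))
```

On the page's own output the checks pass: the five ICMP sessions are all rewritten to 1.1.3.1 and RouterB (1.1.5.1) has a READY v2:2 entry. The constructed UDP line is the kind of entry that would point at a nat-policy rule ordering or address-set mistake, and it is what a periodic check against the session table should alert on.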