


10.4 Typical DVPN Configuration

10.4.1 Basic DVPN Configuration

【Requirements】

Configure DVPN so that client1 and client2 can each communicate with the server, and client1 and client2 can communicate with each other.

【Network diagram】

 

【Configuration scripts】

Server configuration script

#

sysname Server

#

radius scheme system

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

dvpn policy 1                                     /Create dvpn-policy view 1/

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 202.1.1.1 255.255.255.0

#

interface Ethernet0/1

ip address dhcp-alloc

#

interface Serial1/0

clock DTECLK1

link-protocol ppp

ip address ppp-negotiate

#

interface Serial1/1

clock DTECLK1

link-protocol ppp

ip address ppp-negotiate

#

interface Tunnel0                                    /Create interface Tunnel0/

ip address 10.0.0.1 255.255.255.0

tunnel-protocol udp dvpn                             /Encapsulation format of the Tunnel interface/

source Ethernet0/0

dvpn interface-type server                           /Set the Tunnel interface type to server/

dvpn dvpn-id 1                                       /Assign the Tunnel interface to DVPN 1/

dvpn policy 1                                        /Apply dvpn-policy view 1/

#

interface NULL0

#

interface LoopBack0

ip address 172.16.1.1 255.255.255.0

#

FTP server enable

#

dvpn service enable                                   /Enable the DVPN function/

dvpn server pre-shared-key 12345                      /Configure the Server's identity pre-shared-key/

#

ip route-static 172.16.2.0 255.255.255.0 10.0.0.2 preference 60    /Configure routing information/

ip route-static 172.16.3.0 255.255.255.0 10.0.0.3 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

Client1 configuration script

#

sysname Client1

#

radius scheme system

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

dvpn class test                              /Configure the dvpn-class used by the Tunnel interface/

public-ip 202.1.1.1

authentication-server method pre-share

pre-shared-key 12345

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 202.1.1.2 255.255.255.0

#

interface Tunnel0                             /Create interface Tunnel0/

ip address 10.0.0.2 255.255.255.0

tunnel-protocol udp dvpn                      /Encapsulation format of the Tunnel interface/

source Ethernet0/0

dvpn interface-type client                    /Set the Tunnel interface type to client/

dvpn dvpn-id 1                                /Assign the Tunnel interface to DVPN 1/

dvpn server test                              /Reference the configured dvpn-class/

#

interface NULL0

#

interface LoopBack0

ip address 172.16.2.1 255.255.255.0

#

FTP server enable

#

dvpn service enable                           /Enable the DVPN function/

#

ip route-static 172.16.1.0 255.255.255.0 10.0.0.1 preference 60  /Configure routing information/

ip route-static 172.16.3.0 255.255.255.0 10.0.0.3 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

Client2 configuration script

#

sysname Client2

#

radius scheme system

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

dvpn class test                                /Configure the dvpn-class used by the Tunnel interface/

public-ip 202.1.1.1

authentication-server method pre-share

pre-shared-key 12345

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 202.1.1.3 255.255.255.0

#

interface Ethernet0/1

ip address dhcp-alloc

#

interface Tunnel0                                /Create interface Tunnel0/

ip address 10.0.0.3 255.255.255.0

tunnel-protocol udp dvpn                         /Encapsulation format of the Tunnel interface/

source Ethernet0/0

dvpn interface-type client                       /Set the Tunnel interface type to client/

dvpn dvpn-id 1                                   /Assign the Tunnel interface to DVPN 1/

dvpn server test                                 /Reference the configured dvpn-class/

#

interface NULL0

#

interface LoopBack0

ip address 172.16.3.1 255.255.255.0

#

FTP server enable

#

dvpn service enable                               /Enable the DVPN function/

#

ip route-static 172.16.1.0 255.255.255.0 10.0.0.1 preference 60   /Configure routing information/

ip route-static 172.16.2.0 255.255.255.0 10.0.0.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

 

【Verification】

Server, Client1 and Client2 can all communicate with one another.

Map and session information on the Server:

[Server]dis dvpn map all

vpn-id   private-ip       public-ip   port    state    type   client-id

------------------------------------------------------------------------------

1         10.0.0.3        202.1.1.3   40959  FINISHED  S->C     88383300

1         10.0.0.2        202.1.1.2   40959  FINISHED  S->C     91175268

 

[Server]display dvpn session all

vpn-id   private-ip       public-ip    port     state  type

-----------------------------------------------------------------

1         10.0.0.2        202.1.1.2   40959   SUCCESS  S->C

1         10.0.0.3        202.1.1.3   40959   SUCCESS  S->C

 

Map and session information on Client1:

[Client1]dis dvpn map all

vpn-id    private-ip      public-ip    port     state  type   client-id

------------------------------------------------------------------------------

1         10.0.0.1        202.1.1.1   40959   SUCCESS  C->S     91175268

 

[Client1]dis dvpn se all

vpn-id    private-ip      public-ip    port     state  type

-----------------------------------------------------------------

1         10.0.0.1        202.1.1.1   40959   SUCCESS  C->S

1         10.0.0.3        202.1.1.3   40959   SUCCESS  C->C

 

Map and session information on Client2:

[Client2]dis dvpn map all

vpn-id    private-ip      public-ip    port     state  type   client-id

------------------------------------------------------------------------------

1         10.0.0.1        202.1.1.1   40959   SUCCESS  C->S     88383300

 

[Client2]dis dvpn se all

vpn-id    private-ip      public-ip    port     state  type

-----------------------------------------------------------------

1         10.0.0.1        202.1.1.1   40959   SUCCESS  C->S

1         10.0.0.2        202.1.1.2   40959   SUCCESS  C->C

 

【Notes】

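1. During the DVPN data transfer phase, the system by default applies the IPSec encryption method described earlier to all data; no user configuration is required.

2. When a Client authenticates with a pre-shared-key, the Client must specify the pre-shared-key of the Server it connects to, and it must be identical to the pre-shared-key configured on the Server.

3. Each interface can have at most one dvpn-policy applied; to apply a new dvpn-policy, the existing one must be removed first. A single dvpn-policy can, however, be used by several interfaces at the same time.

4. Before configuring any other DVPN parameters, be sure to set the UDP DVPN encapsulation on the Tunnel interface.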
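
A pre-deployment check for notes 2 and 4, added here as an example (not part of the original page or of any vendor tooling): it parses abridged copies of the Server and Client1 scripts, confirms that the client's pre-shared-key matches the server's and that `tunnel-protocol udp dvpn` precedes the other `dvpn` commands on each Tunnel interface, and also flags a short key such as the sample `12345`. The function names and the 16-character minimum are assumptions.

```python
import re

# Constructed input: abridged from this page's Server and Client1 scripts.
SERVER = """\
interface Tunnel0
 tunnel-protocol udp dvpn      /encapsulation/
 source Ethernet0/0
 dvpn interface-type server
 dvpn dvpn-id 1
#
dvpn server pre-shared-key 12345
"""
CLIENT = """\
dvpn class test
 public-ip 202.1.1.1
 pre-shared-key 12345
#
interface Tunnel0
 tunnel-protocol udp dvpn
 dvpn interface-type client
 dvpn dvpn-id 1
 dvpn server test
"""

def sections(cfg):
    """Split on '#' separator lines; drop trailing /.../ annotations."""
    text = re.sub(r"(?m)[ \t]+/[^/\n]*/[ \t]*$", "", cfg)
    return [[l.strip() for l in s.splitlines() if l.strip()]
            for s in re.split(r"(?m)^[ \t]*#[ \t]*$", text) if s.strip()]

def first(secs, pat):
    """Capture group 1 of the first line matching pat, else None."""
    return next((m.group(1) for s in secs for l in s if (m := re.match(pat, l))), None)

def audit(server_cfg, client_cfg, min_psk_len=16):  # threshold is an assumed policy
    srv, cli = sections(server_cfg), sections(client_cfg)
    issues = []
    psk = first(srv, r"dvpn server pre-shared-key (\S+)")
    if psk != first(cli, r"pre-shared-key (\S+)"):
        issues.append("psk-mismatch")             # note 2: keys must be identical
    if psk and len(psk) < min_psk_len:
        issues.append("weak-psk")                 # short, guessable shared secret
    for name, secs in (("server", srv), ("client", cli)):
        for t in (s for s in secs if s[0].startswith("interface Tunnel")):
            dvpn = [i for i, l in enumerate(t) if l.startswith("dvpn ")]
            if dvpn and "tunnel-protocol udp dvpn" not in t[:dvpn[0]]:
                issues.append(f"{name}-encap-order")  # note 4: encapsulation first
    return issues
```

Run against the scripts exactly as published, `audit` reports only `weak-psk`, because every node shares the five-digit sample key.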
