好消息,超酷的在线虚拟网络实验室上线了!点击开始实验

为获得更好的浏览效果,建议您使用 Firefox 或者 Chrome 浏览器



MSR系列路由器

VRRP虚地址建立IPSec功能的配置

 

关键字:MSR;IPSec;IKE;DPD;VRRP

 

一、组网需求

RTARTBBranch都连接在一台交换机上,RTARTBVRRP,虚地址是1.0.0.128RTA作为VRRP MasterRTB作为BackupBranchVRRP虚地址之间建立基于IKEIPSec。实际应用中,建议RTARTB连接内网接口也启用VRRP,对内提供统一网关。

设备清单:MSR系列路由器3

二、组网图:

三、配置步骤:

设备和版本:MSR系列、Version 5.20, Release 1509

RTA配置

#

//配置DPDvrrp,采用默认配置10秒空闲计时,5秒应答等候超时

ike dpd vrrp

#

//IKE Peer配置

ike peer Branch

 pre-shared-key h3c

 remote-address 1.0.0.254

 local-address 1.0.0.128

 //指定dpd

 dpd vrrp

#

//IPSec提议配置

ipsec proposal def

#

//IPSec策略配置

ipsec policy branch 1 isakmp

 security acl 3000

 ike-peer branch

 proposal def

#

//ACL配置

acl number 3000

 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#

//对接接口

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.0.0.1 255.255.255.0

 //配置VRRP1的虚地址1.0.0.128,使用默认优先级

 vrrp vrid 1 virtual-ip 1.0.0.128

 //绑定IPSec策略

 ipsec policy branch

#

//内网接口

interface GigabitEthernet0/1

 port link-mode route

 ip address 192.168.0.1 255.255.255.0

#

 //静态路由配置,使其进入IPSec接口

 ip route-static 192.168.1.0 255.255.255.0 1.0.0.254

#

RTB配置

#

//配置DPDvrrp,采用默认配置10秒空闲计时,5秒应答等候超时

ike dpd vrrp

#

//IKE Peer配置

ike peer Branch

 pre-shared-key h3c

 remote-address 1.0.0.254

 local-address 1.0.0.128

 //指定dpd

 dpd vrrp

#

//IPSec提议配置

ipsec proposal def

#

//IPSec策略配置

ipsec policy branch 1 isakmp

 security acl 3000

 ike-peer branch

 proposal def

#

//ACL配置

//ACL配置

acl number 3000

 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#

//对接接口

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.0.0.2 255.255.255.0

 //配置VRRP1的虚地址1.0.0.128

 vrrp vrid 1 virtual-ip 1.0.0.128

 //配置VRRP1的优先级为80,使RTB成为Backup

 vrrp vrid 1 priority 80

 //绑定IPSec策略

 ipsec policy branch

#

#

//内网接口

interface GigabitEthernet0/1

 port link-mode route

 ip address 192.168.0.2 255.255.255.0

#

 //静态路由配置,使其进入IPSec接口

 ip route-static 192.168.1.0 255.255.255.0 1.0.0.254

#

Branch上配置

#

//配置DPDvrrp,采用默认配置10秒空闲计时,5秒应答等候超时

ike dpd vrrp

#

//IKE Peer配置

ike peer center

 pre-shared-key h3c

 remote-address 1.0.0.128

 local-address 1.0.0.254

 //指定dpd

 dpd vrrp

#

//IPSec提议配置

ipsec proposal def

#

//IPSec策略配置

ipsec policy center 1 isakmp

 security acl 3000

 ike-peer center

 proposal def

#

//ACL配置

acl number 3000

 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

 

#

//对接接口

interface Ethernet0/0

 port link-mode route

 ip address 1.0.0.254 255.255.255.0

 //绑定IPSec策略

 ipsec policy center

#

//内网接口

interface Ethernet0/1

 port link-mode route

 ip address 192.168.1.1 255.255.255.0

#

 //静态路由配置,使其进入IPSec接口

 ip route-static 192.168.0.0 255.255.255.0 1.0.0.128

#

四、配置关键点

1) RTARTB上配置VRRP,参考VRRP典型配置;

2) RTARTBIPSec配置一致,都指定IKE Local-addressVRRP虚地址;

3) BranchIKE指定对端地址为VRRP虚地址。

X Close
X Close