一、组网需求

某组织有2个分支,分支使用运营商动态分配IP地址,总部接入运营商地址固定50.0.0.1/30,总部内部网段10.0.50.0/24需要通过路由器作NAT访问Internet,同时总部和各分支之间的流量需要通过IPSec穿越NAT传送。

设备清单:MSR三台

二、组网图:

MSR系列路由器总部多分支互通功能的配置(GRE OVER IPSEC)_IPSEC

三、配置步骤:

适用设备和版本:MSR系列、Version 5.20, Release 1205P01后所有版本。

总部配置

#

 ike local-name center

#

ike peer branch51

 exchange-mode aggressive

 pre-shared-key h3c-msr-branch51

 id-type name

 remote-name branch51

 nat traversal

#

ike peer branch52

 exchange-mode aggressive

 pre-shared-key h3c-msr-branch52

 id-type name

 remote-name branch52

 nat traversal

#

ipsec proposal default

#

ipsec policy branch 51 isakmp

 security acl 3051

 ike-peer branch51

 proposal default

#

ipsec policy branch 52 isakmp

 security acl 3052

 ike-peer branch52

 proposal default

#

//ACL 2000用于内网访问InternetNAT,允许10.0.50.0/24的源

acl number 2000

 description "NAT"

 rule 10 permit source 10.0.50.0 0.0.0.255

 

#

//用于匹配GRE Over IPSecACL

acl number 3051

 description "GRE to 192.168.254.51"

 rule 0 permit gre source 192.168.254.50 0 destination 192.168.254.51 0

acl number 3052

 description "GRE to 192.168.254.52"

 rule 0 permit gre source 192.168.254.50 0 destination 192.168.254.52 0

#

//用于建立GRE隧道的环回接口

interface LoopBack0

 ip address 192.168.254.50 255.255.255.255

#

interface GigabitEthernet0/0

 port link-mode route

 //让内部主机可以访问Internet

 nat outbound 2000

 ip address 50.0.0.1 255.255.255.252

 //绑定IPSec策略

 ipsec policy branch

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 10.0.50.1 255.255.255.0

#

//连接到分支51GRE接口

interface Tunnel51

 ip address 192.168.0.1 255.255.255.252

 source LoopBack0

 destination 192.168.254.51

#

//连接到分支52GRE接口

interface Tunnel52

 ip address 192.168.0.5 255.255.255.252

 source LoopBack0

 destination 192.168.254.52

#

 ip route-static 0.0.0.0 0.0.0.0 50.0.0.2

 ip route-static 10.0.51.0 255.255.255.0 192.168.0.2

 ip route-static 10.0.52.0 255.255.255.0 192.168.0.6

#

分支配置(只介绍10.0.51.0/24网段分支配置,另一个分支类似)

#

 ike local-name branch51

#

ike peer center

 exchange-mode aggressive

 pre-shared-key h3c-msr-branch51

 id-type name

 remote-name center

 remote-address 50.0.0.1

 nat traversal

#

ipsec proposal default

#

ipsec policy center 1 isakmp

 security acl 3050

 ike-peer center

 proposal default

#

//ACL 2000用于内网访问InternetNAT,允许10.0.51.0/24的源

acl number 2000

 description "NAT"

 rule 10 permit source 10.0.51.0 0.0.0.255

 

#

//用于匹配GRE Over IPSecACL

acl number 3050

 description "GRE to 192.168.254.51"

 rule 0 permit gre source 192.168.254.51 0 destination 192.168.254.50 0

#

//用于创建GRE隧道的环回接口

interface LoopBack0

 ip address 192.168.254.51 255.255.255.255

#

interface GigabitEthernet0/0

 port link-mode route

 //内部主机访问Internet

 nat outbound 2000

 //地址由运营商分配

 ip address dhcp

 //绑定IPSec策略

 ipsec policy center

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 10.0.51.1 255.255.255.0

#

//连接总部的GRE接口

interface Tunnel50

 ip address 192.168.0.2 255.255.255.252

 source LoopBack0

 destination 192.168.254.50

#

 ip route-static 10.0.0.0 255.255.0.0 192.168.0.1

#

 

四、配置关键点

1) NAT使用的ACL不能和IPSec使用的ACL重叠,如果重叠会先进行NAT处理,这样原本需要进行IPSec加密的就有可能匹配不上IPSecACL了,所以上面使用了新建一个网段作为GRE隧道的源、目的地址;

2) 总部IPSec所使用ACL配置不能有Deny ip any的操作,否则有的数据不会进行IPSec策略其它序号的匹配操作,一般IPSec使用ACL不配置Deny

 

参考http://kms.h3c.com/kms/kms/search/view.html?id=11586

http://forum.h3c.com/showtopic-73013-2.aspx这2个帖子