
Configuring IPSec VPN Interconnection Between Two Gateways with Internet Access via NAT on the Headquarters IPSec Gateway

Specifications

Applies to V200R002C00 and later versions on all AR router models.

Procedure
  1. Configure RouterA (headquarters).

    RouterA is the hub. It binds an IPSec policy template (ipsec policy map1 10 isakmp template temp) to its public interface, so it does not need the branch public addresses in advance (RouterC obtains its address dynamically) and it only responds to IKE negotiation, never initiates it. Its single ike peer c carries one pre-shared key, so every branch must be configured with that same key; the pre-shared-key strings in these listings are the ciphertext the router prints, not the value to type. In the nat-policy, policy_nat1 exempts headquarters-to-branch traffic from translation (no-nat) and must precede policy_nat2, the easy-ip rule that translates Internet-bound traffic both from the headquarters LAN and from the branches, whose decrypted packets enter and leave through the untrust zone.

    #
     sysname RouterA
    #
    acl number 3000
     rule 5 permit ip destination 10.1.2.0 0.0.0.255
     rule 10 permit ip destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer c
     pre-shared-key %^%#0ljf5R_9LXP|Qe=WVA6-Y%'}%^%#
     ike-proposal 10
    #
    ipsec policy-template temp 1
     security acl 3000
     ike-peer c
     proposal tran1
    #
    ipsec policy map1 10 isakmp template temp
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.3.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action no-nat
     rule name policy_nat2
      source-zone trust
      source-zone untrust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.2.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      action source-nat easy-ip
    #
    return

  2. Configure RouterB (branch).

    ACL 3000 on the branch matches all traffic sourced from 10.1.2.0/24 regardless of destination, so branch Internet traffic is also carried to headquarters through the tunnel. The ike peer a names the headquarters address 1.1.3.1, and RouterB is the side that initiates the negotiation.

    #
     sysname RouterB
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer a
     pre-shared-key %^%#St4#CBb9$L>G`5W(HV*BKTnm%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.5.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 mask 255.255.255.255
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 mask 255.255.255.255
      destination-address 1.1.5.1 mask 255.255.255.255
      action permit
    #
    return

  3. Configure RouterC (branch).

    RouterC mirrors RouterB, except that GigabitEthernet0/0/1 has no fixed address (it obtains one dynamically), so the local-zone security-policy rules match only on the headquarters address 1.1.3.1.

    #
     sysname RouterC
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer a
     pre-shared-key %^%#LV|sQ=~fUQO:M$CeqaMEnwVD%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1    /* configure how the interface obtains its IP address */
     undo shutdown
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 mask 255.255.255.255
      action permit
    #
    return
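The three configurations above only work together if several pieces agree exactly: the IKE and IPSec proposals on each side, the spoke's ACL source networks appearing as destinations in the hub's ACL 3000, and a no-nat rule for the branch networks placed before the easy-ip rule in the hub's nat-policy. As an added example (not part of the original page and not Huawei's tooling), the Python script below reads VRP-style configuration excerpts, constructed here from the RouterA and RouterB sections and trimmed to the relevant blocks, and reports any of those mismatches. The block headers it looks for (acl number 3000, ike proposal 10, ipsec proposal tran1, nat-policy) are the ones used on this page.

```python
"""Added example (not Huawei's code): consistency checks for the hub-and-spoke
IPSec/NAT layout above, run over VRP-style excerpts constructed here from the
RouterA (hub) and RouterB (spoke) configurations."""
import re
from ipaddress import ip_network

HUB_CFG = """\
acl number 3000
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
nat-policy
 rule name policy_nat1
  destination-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action no-nat
 rule name policy_nat2
  source-address 10.1.1.0 mask 255.255.255.0
  action source-nat easy-ip
"""
SPOKE_CFG = """\
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
"""

def parse_blocks(cfg):
    """Map each '#'-delimited block header to its stripped entry lines."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("#"):
            cur = None
        elif cur is None:
            cur = line.strip()
            blocks[cur] = []
        else:
            blocks[cur].append(line.strip())
    return blocks

def acl_nets(blocks, role):
    """Networks ACL 3000 matches by 'destination' (hub) or 'source' (spoke)."""
    pat = re.compile(r"rule \d+ permit ip %s (\S+) (\S+)" % role)
    return {ip_network("%s/%s" % m.groups())           # wildcard mask -> prefix
            for e in blocks.get("acl number 3000", []) if (m := pat.match(e))}

def nat_rules(blocks):
    """nat-policy rules in configured order: [[name, action, destination nets]]."""
    rules = []
    for e in blocks.get("nat-policy", []):
        w = e.split()
        if e.startswith("rule name "):
            rules.append([w[-1], None, set()])
        elif e.startswith("destination-address "):
            rules[-1][2].add(ip_network("%s/%s" % (w[1], w[3])))
        elif e.startswith("action "):
            rules[-1][1] = e[len("action "):]
    return rules

def check_pair(hub_cfg, spoke_cfg):
    """Return findings for one hub/spoke pair; an empty list means consistent."""
    hub, spoke, findings = parse_blocks(hub_cfg), parse_blocks(spoke_cfg), []
    for hdr in ("ike proposal 10", "ipsec proposal tran1"):    # must match exactly
        if set(hub.get(hdr, [])) != set(spoke.get(hdr, [])):
            findings.append("%s differs between hub and spoke" % hdr)
    spoke_nets = acl_nets(spoke, "source")
    missing = spoke_nets - acl_nets(hub, "destination")        # ACLs must mirror
    if missing:
        findings.append("hub ACL 3000 lacks destination %s" % sorted(map(str, missing)))
    for name, action, dst in nat_rules(hub):    # exemption must precede easy-ip
        if action == "no-nat" and spoke_nets <= dst:
            break
        if action and action.startswith("source-nat"):
            findings.append("rule %s translates hub-to-spoke traffic before any no-nat" % name)
            break
    else:
        findings.append("no no-nat rule covers the spoke networks")
    return findings
```

Run check_pair(HUB_CFG, SPOKE_CFG) against each branch in turn (RouterC's excerpt would use 10.1.3.0/24); the nat-policy check is order-sensitive on purpose, because rules are evaluated top-down and an easy-ip rule listed first would translate headquarters-to-branch packets before the no-nat exemption is reached.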

  4. Verify the configuration.
    1. After the configuration is complete, PC1 can access the public network at any time (this path needs no tunnel) and can ping RouterB's public address 1.1.5.1. The NAT session entries are visible on RouterA; the address in brackets is the post-translation source, which easy-ip takes from GigabitEthernet0/0/1.

      <RouterA> display firewall session table
       Current Total Sessions : 5
        icmp  VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
        icmp  VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
        icmp  VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
        icmp  VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
        icmp  VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048

    2. PC2 can access the public network at any time, for example by pinging a public address (assume 1.1.6.1), and the NAT session entries are likewise visible on RouterA, because branch Internet traffic is carried to headquarters through the tunnel and translated there by policy_nat2. Note that the RouterB configuration above only routes 10.1.0.0/16 toward GigabitEthernet0/0/1: for Internet-bound packets from PC2 to reach that interface, match ACL 3000 and be encrypted, RouterB also needs a route (such as a default route) out of that interface, and its security-policy must permit trust-to-untrust traffic to those destinations.

      <RouterA> display firewall session table
      Current Total Sessions : 5
        icmp  VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
        icmp  VPN:public --> public 10.1.2.2:62019[1.1.3.1:2054]-->1.1.6.1:2048
        icmp  VPN:public --> public 10.1.2.2:62275[1.1.3.1:2055]-->1.1.6.1:2048
        icmp  VPN:public --> public 10.1.2.2:62531[1.1.3.1:2056]-->1.1.6.1:2048
        icmp  VPN:public --> public 10.1.2.2:62787[1.1.3.1:2057]-->1.1.6.1:2048

    3. PC2 initiates the access first; afterwards PC1 and PC2 can reach each other. The headquarters side uses an IPSec policy template, which can only respond to IKE negotiation, so the tunnel must be triggered by traffic from the branch; once the SAs exist, traffic flows in both directions.
    4. The corresponding IKE SAs can be viewed on headquarters RouterA.

      <RouterA> display ike sa
      IKE SA information :
          Conn-ID     Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
        -------------------------------------------------------------------------
           83887864   1.1.5.1:500      RD|A       v2:2   IP          1.1.5.1
           83887652   1.1.5.1:500      RD|A       v2:1   IP          1.1.5.1
        Number of IKE SA : 2
        --------------------------------------------------------------------------
        Flag Description:
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    5. On branch RouterB, the IKE SAs whose peer is headquarters can be viewed; RouterB is the initiator, so the ST flag is set.

      <RouterB> display ike sa
      IKE SA information :
          Conn-ID    Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
        -------------------------------------------------------------------------
          62887864   1.1.3.1:500      RD|ST|A   v2:2    IP              1.1.3.1
          62887652   1.1.3.1:500      RD|ST|A   v2:1    IP              1.1.3.1
        Number of IKE SA : 2
        -------------------------------------------------------------------------
        Flag Description:
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    6. Headquarters RouterA shows a pair of IPSec SAs, one in each direction, for branch RouterB.

      <RouterA> display ipsec sa brief
      Current ipsec sa num:2
      Spu board slot 1, cpu 1 ipsec sa information:
      Number of SAs:2
          Src address   Dst address     SPI      VPN  Protocol     Algorithm
      -------------------------------------------------------------------------------
           1.1.5.1        1.1.3.1    3923280450        ESP       E:AES-256 A:SHA2_256_128
           1.1.3.1        1.1.5.1    787858613         ESP       E:AES-256 A:SHA2_256_128

    7. Branch RouterB shows the matching pair of IPSec SAs: each SPI appears on both ends for the same direction, with the inbound SA listed first on each router.

      <RouterB> display ipsec sa brief
      Current ipsec sa num:2
      Spu board slot 1, cpu 1 ipsec sa information:
      Number of SAs:2
          Src address   Dst address     SPI      VPN  Protocol     Algorithm
      -------------------------------------------------------------------------------
           1.1.3.1        1.1.5.1    787858613          ESP       E:AES-256 A:SHA2_256_128
           1.1.5.1        1.1.3.1    3923280450         ESP       E:AES-256 A:SHA2_256_128
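The verification steps above are read by eye: site-to-Internet sessions should carry 1.1.3.1 in brackets, site-to-site sessions should carry no translation at all, and the two routers should list the same SPIs for the same directions. As an added example (not code from the page or from Huawei), the Python script below parses the display firewall session table and display ipsec sa brief output and performs those checks automatically. The sample output is constructed from the page's listings, with one untranslated branch-to-headquarters session added that the page itself does not show.

```python
"""Added example (not Huawei's code): checks over the verification output
shown above. The sample text is constructed to match the page's display
output, plus one untranslated branch-to-headquarters session (no-nat path)."""
import re
from ipaddress import ip_address, ip_network

HUB_PUBLIC_IP = "1.1.3.1"             # RouterA GigabitEthernet0/0/1, the easy-ip source
SITES = ip_network("10.1.0.0/16")     # covers the 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 LANs

SESSION_TABLE = """\
 Current Total Sessions : 3
  icmp  VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
  icmp  VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
  icmp  VPN:public --> public 10.1.2.2:61502-->10.1.1.2:2048
"""
SA_ROUTER_A = """\
     1.1.5.1        1.1.3.1    3923280450        ESP       E:AES-256 A:SHA2_256_128
     1.1.3.1        1.1.5.1    787858613         ESP       E:AES-256 A:SHA2_256_128
"""
SA_ROUTER_B = """\
     1.1.3.1        1.1.5.1    787858613          ESP       E:AES-256 A:SHA2_256_128
     1.1.5.1        1.1.3.1    3923280450         ESP       E:AES-256 A:SHA2_256_128
"""

# src:port[translated_ip:port]-->dst:port ; the bracketed part is absent when no NAT applied
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\S+ --> \S+ (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
SA_RE = re.compile(r"^\s*(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<spi>\d+)\s+(?P<proto>\S+)\s+(?P<alg>.+?)\s*$")

def parse_sessions(text):
    """Session-table rows as dicts; header and footer lines are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]

def audit_nat(sessions, hub_ip=HUB_PUBLIC_IP):
    """Site-to-Internet sessions must be translated to the hub address (easy-ip);
    site-to-site sessions must be left untranslated (the no-nat exemption)."""
    findings = []
    for s in sessions:
        src, dst = ip_address(s["src"]), ip_address(s["dst"])
        if src not in SITES:
            continue
        if dst in SITES and s["nat_ip"]:
            findings.append("%s->%s was translated; no-nat exemption not matched" % (src, dst))
        elif dst not in SITES and s["nat_ip"] != hub_ip:
            findings.append("%s->%s not translated to %s (got %s)" % (src, dst, hub_ip, s["nat_ip"]))
    return findings

def parse_sas(text):
    """Set of (src, dst, spi) tuples from 'display ipsec sa brief' rows."""
    return {(m["src"], m["dst"], int(m["spi"])) for m in map(SA_RE.match, text.splitlines()) if m}

def audit_sas(local_text, peer_text, local_ip, peer_ip):
    """Both ends must hold the same inbound/outbound SA pair with identical SPIs."""
    local, peer, findings = parse_sas(local_text), parse_sas(peer_text), []
    if local != peer:
        findings.append("SA/SPI sets differ: %s" % sorted(local ^ peer))
    if {(s, d) for s, d, _ in local} != {(local_ip, peer_ip), (peer_ip, local_ip)}:
        findings.append("expected exactly one SA per direction between %s and %s" % (local_ip, peer_ip))
    return findings
```

Paste the real output of the two display commands into SESSION_TABLE, SA_ROUTER_A and SA_ROUTER_B and call audit_nat(parse_sessions(SESSION_TABLE)) and audit_sas(SA_ROUTER_A, SA_ROUTER_B, "1.1.3.1", "1.1.5.1"); an empty list from both means the NAT exemption and the SA pairing are behaving as the steps above describe.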

http://www.kler.cn/a/107995.html
