ENSP版本為:1.2.00
(1)ipsec-vpn實驗:這個實驗只是簡單的跨兩個地方,實現了局域網的相互通信;但是他沒有訪問互聯網的能力
R1 配置命令:
#
sysname R1
#
acl number 3001
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
pre-shared-key simple 12345678
ike-proposal 10
peer-id-type ip
nat traversal
remote-address 222.1.1.2
#
ipsec policy vpn1 10 isakmp
security acl 3001
ike-peer ikep1
proposal tran1
#
interface Ethernet0/0/0
ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 211.1.1.2 255.255.255.0
ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 211.1.1.1
#
R2配置命令:
#
interface Ethernet0/0/0
ip address 211.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 222.1.1.1 255.255.255.0
#
R3配置命令:
sysname R3
#
acl number 3001
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
pre-shared-key simple 12345678
ike-proposal 10
peer-id-type ip
nat traversal
remote-address 211.1.1.2
#
ipsec policy vpn1 10 isakmp
security acl 3001
ike-peer ikep1
proposal tran1
#
interface Ethernet0/0/0
ip address 172.16.10.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 222.1.1.2 255.255.255.0
ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#
(2)ipsec-vpn+nat穿越:這個實驗可以實現分部和總部之間的局域網通信,也可以使得局域網內的所有設備訪問互聯網(比較高端)
3、配置要點
總公司的配置
#
sysname ZongGongSi
#
acl number 3000
rule 5 deny ip source 172.16.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255 \\\\注意這裡是deny
rule 10 permit ip
acl number 3001
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
#
ipsec proposal test
#
ike proposal 1
#
ike peer test v2
pre-shared-key simple huawei
remote-address 23.1.1.2
#
ipsec policy test 10 isakmp
security acl 3001
ike-peer test
proposal test
#
interface GigabitEthernet0/0/0
ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.0
ipsec policy test
nat outbound 3000
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
分公司的配置
sysname FenGongSi
#
acl number 3000
rule 5 deny ip source 172.16.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255 \\\\這裡是deny
rule 10 permit ip
acl number 3001
rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal test
#
ike peer test v2
pre-shared-key simple huawei
remote-address 12.1.1.1
#
ipsec policy test 10 isakmp
security acl 3001
ike-peer test
proposal test
#
interface GigabitEthernet0/0/0
ip address 172.16.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 23.1.1.2 255.255.255.0
ipsec policy test //優先級低於nat
nat outbound 3000 //優先級高於ipsec
#
ip route-static 0.0.0.0 0.0.0.0 23.1.1.1
互聯網的配置
#
sysname Internet
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 23.1.1.1 255.255.255.0
#
interface LoopBack100
ip address 100.100.100.100 255.255.255.0
#
interface LoopBack200
ip address 200.200.200.200 255.255.255.0
#
總結這兩個實驗都是可以做通的,而且效果非常明顯:
思路:nat的優先級比ipsec-vpn的高,因此的做時,流量首先匹配nat,nat都會成功
閱讀更多 運維李小木 的文章