IPsec VPN lab and IPsec VPN + NAT traversal lab

eNSP version: 1.2.00

(1) IPsec VPN lab: this lab simply joins two sites and gives the two LANs the ability to talk to each other; it does not give either LAN any Internet access.




R1 configuration commands:

#
 sysname R1
#
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
 pre-shared-key simple 12345678
 ike-proposal 10
 peer-id-type ip
 nat traversal
 remote-address 222.1.1.2
#
ipsec policy vpn1 10 isakmp
 security acl 3001
 ike-peer ikep1
 proposal tran1
#
interface Ethernet0/0/0
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1
 ip address 211.1.1.2 255.255.255.0
 ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 211.1.1.1
#

R2 configuration commands:

#
interface Ethernet0/0/0
 ip address 211.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 ip address 222.1.1.1 255.255.255.0
#

R3 configuration commands:

 sysname R3
#
acl number 3001
 rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
 pre-shared-key simple 12345678
 ike-proposal 10
 peer-id-type ip
 nat traversal
 remote-address 211.1.1.2
#
ipsec policy vpn1 10 isakmp
 security acl 3001
 ike-peer ikep1
 proposal tran1
#
interface Ethernet0/0/0
 ip address 172.16.10.1 255.255.255.0
#
interface Ethernet0/0/1
 ip address 222.1.1.2 255.255.255.0
 ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#

(2) IPsec VPN + NAT traversal: this lab provides LAN-to-LAN communication between the branch office and headquarters, and at the same time lets every device on each LAN reach the Internet through NAT (the more advanced setup).



3. Configuration key points

Headquarters configuration

#
 sysname ZongGongSi
#
acl number 3000
 rule 5 deny ip source 172.16.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255 // note: this rule is deny, so site-to-site traffic is excluded from NAT
 rule 10 permit ip
acl number 3001
 rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 172.16.20.0 0.0.0.255
#
ipsec proposal test
#
ike proposal 1
#
ike peer test v2
 pre-shared-key simple huawei
 remote-address 23.1.1.2
#
ipsec policy test 10 isakmp
 security acl 3001
 ike-peer test
 proposal test
#
interface GigabitEthernet0/0/0
 ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0
 ipsec policy test
 nat outbound 3000
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

Branch office configuration

 sysname FenGongSi
#
acl number 3000
 rule 5 deny ip source 172.16.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255 // this rule is deny
 rule 10 permit ip
acl number 3001
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal test
#
ike peer test v2
 pre-shared-key simple huawei
 remote-address 12.1.1.1
#
ipsec policy test 10 isakmp
 security acl 3001
 ike-peer test
 proposal test
#
interface GigabitEthernet0/0/0
 ip address 172.16.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 23.1.1.2 255.255.255.0
 ipsec policy test // lower priority than NAT
 nat outbound 3000 // higher priority than IPsec
#
ip route-static 0.0.0.0 0.0.0.0 23.1.1.1

Internet router configuration

#
 sysname Internet
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 23.1.1.1 255.255.255.0
#
interface LoopBack100
 ip address 100.100.100.100 255.255.255.0
#
interface LoopBack200
 ip address 200.200.200.200 255.255.255.0
#


Summary: both labs can be made to work, and the effect is very clear:

Key idea: NAT has a higher priority than IPsec VPN on the outbound interface, so when the lab is done, traffic is matched against NAT first, and NAT always succeeds. That is why ACL 3000 on both sites begins with a deny rule for the site-to-site traffic: the deny keeps that traffic out of NAT, so it still carries its private source address when it reaches ipsec policy, matches ACL 3001 and is encrypted, while everything else is translated and goes to the Internet in the clear.
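To make the ordering concrete, here is an added model (example code, not the lab's own configuration or any Huawei code) of the outbound interface pipeline on the headquarters router: the NAT ACL is evaluated first, then the IPsec security ACL sees whatever source address is left. It assumes simplified first-match ACL semantics and a single NAT public address of 12.1.1.1, and it compares ACL 3000 with and without the deny rule.

```python
import ipaddress

# Address specs use Huawei wildcard-mask notation, as in the lab's ACLs.
HQ_LAN = "172.16.10.0 0.0.0.255"
BRANCH_LAN = "172.16.20.0 0.0.0.255"
NAT_PUBLIC_IP = "12.1.1.1"  # HQ GigabitEthernet0/0/1 address used by nat outbound

def wildcard_match(addr, spec):
    """Huawei wildcard mask: a 0 bit means that bit must match, a 1 bit is ignored."""
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

# An ACL is a list of (action, source spec, destination spec); None matches any.
# Rules are checked in order and the first hit wins (rule 5 before rule 10).
NAT_ACL_WITH_DENY = [("deny", HQ_LAN, BRANCH_LAN), ("permit", None, None)]  # the lab's ACL 3000
NAT_ACL_NO_DENY = [("permit", None, None)]                                   # ACL 3000 without rule 5
IPSEC_ACL = [("permit", HQ_LAN, BRANCH_LAN)]                                 # the lab's ACL 3001

def acl_lookup(acl, src, dst):
    """Return the action of the first matching rule; no match means 'deny' (not selected)."""
    for action, s, d in acl:
        if (s is None or wildcard_match(src, s)) and (d is None or wildcard_match(dst, d)):
            return action
    return "deny"

def outbound(src, dst, nat_acl):
    """Model the interface order: 'nat outbound' runs before 'ipsec policy'.

    Returns (source address on the wire, True if the packet is IPsec-protected).
    """
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = NAT_PUBLIC_IP          # translated: private source replaced by public IP
    protected = acl_lookup(IPSEC_ACL, src, dst) == "permit"
    return src, protected

if __name__ == "__main__":
    # Constructed sample flows: HQ host to branch host, and HQ host to the Internet loopback.
    for acl_name, acl in (("with deny", NAT_ACL_WITH_DENY), ("no deny", NAT_ACL_NO_DENY)):
        print(acl_name, "site-to-site:", outbound("172.16.10.5", "172.16.20.5", acl))
        print(acl_name, "to Internet: ", outbound("172.16.10.5", "100.100.100.100", acl))
```

With the deny rule the site-to-site packet keeps 172.16.10.5 and is encrypted; without it, NAT rewrites the source to 12.1.1.1 first, ACL 3001 no longer matches, and the packet leaves in the clear.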

