锐捷路由器nat上网+ipsec配置案例

网络规划设计

1、r1和r2两个分支之间建立ipsec vpn

2、两边pc不但可以上网访问1.1.1.1还能互相通过ipsec vpn 隧道互访

3、最后扩展为换R2为ipsec模板模式配置

r1配置

sz#show running-config

Building configuration...

Current configuration: 1614 bytes

version RG-NSE-Route(V1.06)

hostname sz

!

ip access-list extended 100

5 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 //把不做nat的数据给干掉

10 permit ip 192.168.10.0 0.0.0.255 any //nat上公网的数据

!

ip access-list extended 101

10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 //用于ipsec感兴趣流

!

no cwmp

!

service dhcp

!

ip dhcp pool 10 //用于pc的dhcp

network 192.168.10.0 255.255.255.0

dns-server 114.114.114.114

default-router 192.168.10.254

!

webmaster level 0 username admin password 7 073f07221c1c

!

crypto isakmp policy 1 // 里面参数两边要一样

encryption 3des

authentication pre-share

!

crypto isakmp keepalive 10 periodic //PDP探测

!

crypto isakmp key 0 admin address 58.58.2.2 //预共享密钥和对端地址

crypto ipsec transform-set admin esp-des esp-md5-hmac //加密方式

!

crypto map admin 5 ipsec-isakmp

set peer 58.58.2.2 //对端地址

set transform-set admin

match address 101

!

interface GigabitEthernet 0/0

ip address 192.168.10.254 255.255.255.0

ip nat inside

!

interface GigabitEthernet 0/1

ip address 58.58.1.2 255.255.255.252

crypto map admin //调用

ip nat outside

!

ip nat inside source list 100 interface GigabitEthernet 0/1 overload //nat上网

!

ip route 0.0.0.0 0.0.0.0 58.58.1.1

r2配置

bj#show running-config

Building configuration...

Current configuration: 1614 bytes

version RG-NSE-Route(V1.06)

hostname bj

!

ip access-list extended 100

5 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

10 permit ip 192.168.20.0 0.0.0.255 any

!

ip access-list extended 101

10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

!

no cwmp

!

service dhcp

!

ip dhcp pool 20

network 192.168.20.0 255.255.255.0

dns-server 114.114.114.144

default-router 192.168.20.254

!

install 0 X86

!

sysmac 5000.0002.0001

!

webmaster level 0 username admin password 7 1226011f4303

!

crypto isakmp policy 1

encryption 3des

authentication pre-share

!

crypto isakmp keepalive 10 periodic

!

crypto isakmp key 7 04361c0b370d address 58.58.1.2

crypto ipsec transform-set admin esp-des esp-md5-hmac

!

crypto map admin 5 ipsec-isakmp

set peer 58.58.1.2

set transform-set admin

match address 101

!

no service password-encryption

!

redundancy

!

vpdn limit_rate 15

!

vlan 1

!

interface GigabitEthernet 0/0

ip address 192.168.20.254 255.255.255.0

ip nat inside

!

interface GigabitEthernet 0/1

ip address 58.58.2.2 255.255.255.252

crypto map admin

ip nat outside

!

ip nat inside source list 100 interface GigabitEthernet 0/1 overload

!

ip route 0.0.0.0 0.0.0.0 58.58.2.1

验证

上面是nat记录同,下面是ipsec数据(注意两pc不ping一下,是看不到任何ipsec数据的,必须得先ping一下触发建立)

扩展测试,R2做成模板方式被动接受分支连接配置(R1配置不变),以后新增分支同R1一样就可以了

!

ip access-list extended 100

5 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

10 permit ip 192.168.20.0 0.0.0.255 any

!

原ipsec感兴趣流访问控制列表不需要了
ip access-list extended 101
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

!

service dhcp

!

ip dhcp pool 20

network 192.168.20.0 255.255.255.0

dns-server 114.114.114.144

default-router 192.168.20.254

!

crypto isakmp policy 1 //和分支保持一致

encryption 3des

authentication pre-share

!

crypto isakmp key 0 admin address 0.0.0.0 0.0.0.0 //密码和分支一样

crypto ipsec transform-set admin esp-des esp-md5-hmac //配置ipsec加密转换集

!

crypto dynamic-map dymymap 5

set transform-set admin //调用转换集

reverse-route //反向注入路由

!

crypto map admin 10 ipsec-isakmp dynamic dymymap //将动态ipsec加密图映射到静态的ipsec加密图中

!

interface GigabitEthernet 0/0

ip address 192.168.20.254 255.255.255.0

ip nat inside

!

interface GigabitEthernet 0/1

ip address 58.58.2.2 255.255.255.252

crypto map admin //接口调用静态ipsec加密图

ip nat outside

!

ip nat inside source list 100 interface GigabitEthernet 0/1 overload

!

ip route 0.0.0.0 0.0.0.0 58.58.2.1

这个模板配置逻辑是一环套一环

r1主动访问测试发现丢两个包就通了

之后r2模板方就可以主动访问分支了

在r2模板方查看

相关推荐
fei_sun21 小时前
开放最短路径优先OSPF----基于链路状态
网络
精明的身影21 小时前
网络计划WebApp求解:融合Python与AI决策的项目管理系统
网络·python·web app
Let's Chat Coding1 天前
对称密钥认证:主机和设备共享同一把密钥
运维·服务器·网络
anbingsoft121 天前
企业加密软件软件有哪些?企业加密软件:让设计图纸安全无忧,年度热销
网络·安全·电脑
fei_sun1 天前
虚拟局域网VLAN
网络
技术不好的崎鸣同学1 天前
[极客大挑战 2019]EasySQL 思路及解法
网络·安全·web安全
Web极客码1 天前
跨国网络抖动下的 AI 爬虫流调优:我如何用 Claude 打造“智能退避”资讯清洗管道
网络·人工智能·爬虫
念何架构之路1 天前
moby-http-api-server
网络·网络协议·http
namexingyun1 天前
Scaling Law bug实战启示:从“虚胖“到“精瘦“的算力效率革命
开发语言·网络·人工智能·bug·ai编程
阿拉斯攀登1 天前
NAT 穿透详解:STUN / TURN / ICE
运维·服务器·网络·webrtc·nat