
Typical IPsec + DDNS Configuration

1      Configuration example

1.1      Network requirements

The MSR 50-60 serves as the enterprise core, while the MSR 20-20, MSR 30-20 and MSR 30-40 serve as the branch access routers. Headquarters and the branches each connect to the Internet through their ISP. Both the branches and headquarters obtain their WAN addresses dynamically over PPPoE dial-up, so DDNS is required before the branch and headquarters devices can establish an IPsec VPN with each other.

1.2      Network diagram

Figure 1      Network topology diagram (image not reproduced here)

1.3      Configuration steps

1.   Software version used

[H3C]dis ver
H3C Comware Platform Software
Comware Software, Version 5.20, ESS 1809P01
Comware Platform Software Version COMWAREV500R002B66D008

2. Branch router reference configuration

[H3C]dis cur
#
 version 5.20, ESS 1809P01
#
 sysname H3C
#
 clock timezone Beijing add 08:00:00
#
 domain default enable system
#
 dns resolve
 dns proxy enable
 dns server 202.106.0.20    (provided by the ISP)
#
telnet server enable
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike peer client
 pre-shared-key cipher pTHDptKNjg0=
 remote-address iptest.3322.org dynamic
#
ipsec proposal client
#
ipsec policy client 1 isakmp
 security acl 3000
 ike-peer client
 proposal client
#
dhcp server ip-pool vlan1 extended
 network ip range 192.168.1.2 192.168.1.254
 network mask 255.255.255.0
 gateway-list 192.168.1.1
 dns-list 192.168.1.1
#
user-group system
#
#
interface Dialer10
 link-protocol ppp
 ppp chap user test
 ppp chap password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
 ppp pap local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1492
 ip address ppp-negotiate
 tcp mss 1024
 dialer user username
 dialer-group 10
 dialer bundle 10
 ipsec policy client
#
interface Ethernet0/0
 port link-mode route
#
interface Ethernet0/1
 port link-mode route
 pppoe-client dial-bundle-number 10
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
 dhcp server apply ip-pool vlan1
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
interface Ethernet0/5
 port link-mode bridge
#
interface Ethernet0/6
 port link-mode bridge
#
interface Ethernet0/7
 port link-mode bridge
#
interface Ethernet0/8
 port link-mode bridge
#
interface Ethernet0/9
 port link-mode bridge
#
interface WLAN-BSS0
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer10
#
 dhcp enable
#
 dialer-rule 10 ip permit
#
user-interface con 0
user-interface tty 13
 modem both
user-interface vty 0 4
 authentication-mode scheme
#

3. Headquarters (center) router reference configuration

[H3C]dis cur
#
 version 5.20, ESS 1809P01
#
 sysname H3C
#
 clock timezone Beijing add 08:00:00
#
 domain default enable system
#
 dns resolve
 dns proxy enable
 dns server 202.106.0.20    (provided by the ISP)
#
telnet server enable
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
ike peer peer
 pre-shared-key h3c
#
ipsec proposal proposal
#
ipsec policy-template server 1
 ike-peer peer
 proposal proposal
#
ipsec policy in 1 isakmp template server
#
dhcp server ip-pool vlan1 extended
 network ip range 192.168.0.2 192.168.0.254
 network mask 255.255.255.0
 gateway-list 192.168.0.1
 dns-list 192.168.0.1
#
user-group system
#
ddns policy 3322
 url http://iptest:iptest@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
#
interface Dialer10
 link-protocol ppp
 ppp chap user test
 ppp chap password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
 ppp pap local-user test password cipher =W6JJ`N_LBKQ=^Q`MAF4<1!!
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1492
 ip address ppp-negotiate
 tcp mss 1024
 dialer user username
 dialer-group 10
 dialer bundle 10
 ipsec policy in
 ddns apply policy 3322 fqdn iptest.3322.org
#
interface Ethernet0/0
 port link-mode route
#
interface Ethernet0/1
 port link-mode route
 pppoe-client dial-bundle-number 10
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.1 255.255.255.0
 dhcp server apply ip-pool vlan1
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
interface Ethernet0/5
 port link-mode bridge
#
interface Ethernet0/6
 port link-mode bridge
#
interface Ethernet0/7
 port link-mode bridge
#
interface Ethernet0/8
 port link-mode bridge
#
interface Ethernet0/9
 port link-mode bridge
#
interface WLAN-BSS0
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer10
#
 dhcp enable
#
 dialer-rule 10 ip permit
#
user-interface con 0
user-interface tty 13
 modem both
user-interface vty 0 4
 authentication-mode scheme
#
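Added here as a configuration check, not code from the page or from H3C: the script below parses a Comware 5 "display current-configuration" dump in the layout of the two dumps above, follows each ISAKMP policy's references to its ACL, IKE peer and proposal, and flags the two hardening points visible in these configs, the center's plaintext `pre-shared-key h3c` (the branch stores its key with `cipher`) and `telnet server enable` on both routers. The embedded sample is a constructed excerpt of the branch configuration; the policy template on the center is not an ISAKMP policy and is skipped by the reference check.

```python
import re

BRANCH_CFG = """\
acl number 3000
#
ike peer client
 pre-shared-key cipher pTHDptKNjg0=
 remote-address iptest.3322.org dynamic
#
ipsec proposal client
#
ipsec policy client 1 isakmp
 security acl 3000
 ike-peer client
 proposal client
#
telnet server enable
"""  # constructed excerpt of the branch configuration shown on this page

def parse_blocks(cfg):
    # Key each '#'-delimited chunk of a Comware dump by its first line: {header: [body lines]}
    blocks = {}
    for chunk in re.split(r"^#.*$", cfg, flags=re.M):
        lines = chunk.strip("\n").splitlines()
        if lines:
            blocks[lines[0].strip()] = [l.strip() for l in lines[1:]]
    return blocks

def audit_ipsec(cfg):
    # Check each ISAKMP policy's references, then flag plaintext IKE keys and an enabled Telnet server
    b, findings = parse_blocks(cfg), []
    policies = {m.group(1): ls for h, ls in b.items()
                if (m := re.match(r"ipsec policy (\S+) \d+ isakmp$", h))}
    for policy, lines in policies.items():
        body = "\n".join(lines)
        for pat, target in ((r"^security acl (\d+)", "acl number {}"),
                            (r"^ike-peer (\S+)", "ike peer {}"),
                            (r"^proposal (\S+)", "ipsec proposal {}")):
            r = re.search(pat, body, re.M)
            want = target.format(r.group(1) if r else "?")
            if want not in b:
                findings.append(f"{policy}: missing {want}")
    for hdr, lines in b.items():
        if hdr.startswith("ike peer ") and any(
                l.startswith("pre-shared-key") and " cipher " not in l for l in lines):
            findings.append(f"{hdr}: plaintext pre-shared-key")
    if "telnet server enable" in b:
        findings.append("telnet server enable: use SSH instead")
    return findings
```

Paste the full text of either dump above in place of the sample to audit it; on the center dump the plaintext key and Telnet findings are the ones that come back.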


All original articles are licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.
You are free to repost and modify them, but please cite the source and do not use them for commercial purposes.
Part of this site's content is collected from the Internet; if any of it infringes rights or is inappropriate, please contact us to have it removed.
