VPN Lab Report (VPN实验报告.docx)

Uploaded to 三一文库 by scccc on 2021-08-02 (DOCX, 22 pages, 106.13 KB)
1. Topology

Figure 1-1: lab topology (diagram not reproduced in the page text).

2. Lab environment

2.1 Requirements

As shown in Figure 1-1, Router AR1 is the egress router of the company headquarters and Router AR3 the egress router of the branch. The company wants the traffic exchanged between the branch and headquarters to be protected. AR1, AR2 and AR3 run OSPF to simulate the public network (the internal interfaces are not advertised; internal hosts reach the outside through NAT). PC1 and PC2 reach each other through a GRE over IPsec VPN in the first scenario and an IPsec over GRE VPN in the second.

2.2 Network plan

2.2.1 GRE over IPsec plan

Center (AR1)
  Internal subnet                               10.0.0.0/24
  Internal gateway   GigabitEthernet0/0/0       10.0.0.254/24
  Egress address     GigabitEthernet0/0/1       12.12.12.1/24
  PC1                                           10.0.0.1/24
  Loopback                                      1.1.1.1/32
  GRE Tunnel0/0/0                               192.168.2.1/24

Branch 1 (AR3)
  Internal subnet                               10.1.1.0/24
  Internal gateway   GigabitEthernet0/0/1       10.1.1.254/24
  Egress address     GigabitEthernet0/0/0       23.23.23.3/24
  PC2                                           10.1.1.1/24
  Loopback                                      3.3.3.3/32
  GRE Tunnel0/0/0                               192.168.2.2/24

ISP (AR2)
  GigabitEthernet0/0/0                          12.12.12.2/24
  GigabitEthernet0/0/1                          23.23.23.2/24
  Loopback                                      2.2.2.2/32

2.2.2 IPsec over GRE plan

Identical to 2.2.1, with an additional IPsec tunnel interface on each site that runs inside the GRE tunnel:

Center (AR1)
  IPsec Tunnel0/0/1                             192.168.3.1/24

Branch 1 (AR3)
  IPsec Tunnel0/0/1                             192.168.3.2/24

3. GRE over IPsec

3.1 Lab configuration

3.1.1 Configuration approach

1. Configure the IP addresses of the physical interfaces and OSPF, so that the ISP routes are reachable.
2. Configure the IPsec proposal, which defines how IPsec protects the traffic.
3. Configure the IKE peer, which defines the attributes used in the IKE negotiation between the peers.
4. Configure the security framework (ipsec profile) and reference the IPsec proposal and the IKE peer in it.
5. Configure the GRE Tunnel interface and apply the ipsec profile on it.
6. Configure the forwarding route through the Tunnel interface.
7. Configure NAT.

3.1.2 Configuration

Center (AR1) configuration as the example. The static route sends the branch prefix into Tunnel0/0/0, and the ipsec profile bound to that GRE tunnel encrypts every packet the tunnel emits, so no ACL is needed to select the protected traffic; ESP is the outermost header on the ISP links and the GRE header and inner addresses are hidden. The Tunnel0/0/0 address in the original dump read 2.2.2.2 255.255.255.0, which is the ISP loopback address and contradicts the plan; the planned 192.168.2.1/24 is shown here.

<Huawei>dis current-configuration
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3000
 rule 5 permit ip
#
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 2
 encryption-algorithm aes-cbc-128
#
ike peer ar3 v2
 pre-shared-key cipher %$%$uVj70TpB0_K8vu71O,.2n%$%$
 ike-proposal 2
#
ipsec profile 123
 ike-peer ar3
 proposal 1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 12.12.12.1 255.255.255.0
 nat outbound 3000
#
interface NULL0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0/0/0
 ip address 192.168.2.1 255.255.255.0
 tunnel-protocol gre
 source 12.12.12.1
 destination 23.23.23.3
 ipsec profile 123
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 12.12.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

4. IPsec over GRE

4.1 Lab configuration

Center (AR1) configuration. The original labels this dump "ISP configuration", but its interfaces and addresses are AR1's. In this variant the GRE tunnel Tunnel0/0/0 carries no IPsec of its own; an IPsec virtual tunnel interface Tunnel0/0/1 (tunnel-protocol ipsec, source Tunnel0/0/0, destination 192.168.2.2) runs inside it. The GRE header and the 192.168.2.x tunnel endpoints therefore cross the ISP in the clear and only the ESP payload inside them is encrypted. Of the ACL, IPsec proposal and IKE definitions only the ipsec profile 123 block survives in the dump; ACL 2000 (referenced by nat outbound 2000) and the ike peer and ipsec proposal blocks are not shown. The static route for 10.1.1.0/24 must point at Tunnel0/0/1: the original dump pointed it at Tunnel0/0/0, which sends branch traffic straight into the GRE tunnel without ever entering the IPsec tunnel, so it would cross the ISP unencrypted while connectivity tests still pass.

<Huawei>dis current-configuration
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
ipsec profile 123
 ike-peer ar3
 proposal 1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 12.12.12.1 255.255.255.0
 nat outbound 2000
#
interface NULL0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0/0/0
 ip address 192.168.2.1 255.255.255.0
 tunnel-protocol gre
 source 12.12.12.1
 destination 23.23.23.3
#
interface Tunnel0/0/1
 ip address 192.168.3.1 255.255.255.0
 tunnel-protocol ipsec
 source Tunnel0/0/0
 destination 192.168.2.2
 ipsec profile 123
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 12.12.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

ISP (AR2) configuration:

<Huawei>dis current-configuration
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 12.12.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 23.23.23.2 255.255.255.0
#
interface NULL0
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 12.12.12.0 0.0.0.255
  network 23.23.23.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

4.2 Test results

(Test output not included in the page text.)

5. Problems and solutions

I started by doing the GRE and IPsec experiments separately. Plain GRE gave no trouble. In the IPsec experiment, the ACL referenced by the ipsec policy and the ACL referenced by NAT conflicted when matching traffic from the internal network: with the IPsec VPN alone the branch could be reached, but once NAT was configured, access to the branch failed. The solution was to deny the inter-site traffic in the NAT ACL, after which both the IPsec VPN and NAT worked normally. Configuring IPsec over GRE and GRE over IPsec both ran into the same problem as the initial IPsec VPN, and trying to build them on loopback interfaces likewise could not make VPN and NAT work at the same time. I then searched Huawei's official site and found a new ACL-based configuration scheme, but the simulator does not support applying an ipsec policy under a tunnel interface, so that could not be tested. Finally I built the VPN with virtual tunnel interfaces: no ipsec policy is needed, only the security framework (ipsec profile), and no ACL is required to match the data flow; only NAT needs an ACL to match traffic. NAT and the VPN both work and the test results are normal.
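The NAT/IPsec ordering problem described in section 5, as an added example that is not part of the lab report: a small Python model of VRP advanced-ACL wildcard matching in which outbound NAT is evaluated before the ACL-based IPsec policy (the order the report ran into on the AR routers). The ACL numbers, rule bodies, the 203.0.113.9 Internet destination and the 12.12.12.1 Easy-IP address are constructed for illustration; `egress` returns the disposition of a packet and the source address it carries on the wire.

```python
"""Why an all-permit NAT ACL breaks an ACL-based IPsec policy, and how a deny
("NAT exemption") rule fixes it.  Added example, not from the lab report.
Order modelled: outbound NAT first, then the IPsec policy ACL is matched
against the already translated packet.  ACL contents and addresses are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One VRP-style advanced ACL rule:
    'rule N permit|deny ip source A W destination B W'.
    src and dst are (network, wildcard) pairs; ANY means 'any'."""
    number: int
    action: str            # "permit" or "deny"
    src: tuple
    dst: tuple


ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, net_wild):
    """VRP wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    net, wild = net_wild
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_action(rules, src, dst):
    """First matching rule wins, rules evaluated in ascending rule number;
    a packet matching no rule is treated as not matched ('deny')."""
    for r in sorted(rules, key=lambda r: r.number):
        if wildcard_match(src, r.src) and wildcard_match(dst, r.dst):
            return r.action
    return "deny"


def egress(src, dst, nat_acl, ipsec_acl, egress_ip):
    """Disposition of a packet leaving the interface that carries both
    `nat outbound` and the IPsec policy.  Returns (disposition, wire source).
    NAT runs first; the IPsec ACL then sees the translated source."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = egress_ip                  # Easy IP: source becomes the interface address
    if acl_action(ipsec_acl, src, dst) == "permit":
        return "ipsec", src
    return "plaintext", src


HQ = ("10.0.0.0", "0.0.0.255")          # Center LAN, as in the plan table
BRANCH = ("10.1.1.0", "0.0.0.255")      # Branch LAN, as in the plan table

# IPsec policy ACL: protect HQ <-> branch traffic (constructed).
IPSEC_ACL = [Rule(5, "permit", HQ, BRANCH)]

# First attempt in the report: the NAT ACL permits everything.
NAT_ACL_PERMIT_ALL = [Rule(5, "permit", ANY, ANY)]

# The fix: exempt the site-to-site flow from NAT before the general permit.
NAT_ACL_EXEMPT = [Rule(5, "deny", HQ, BRANCH), Rule(10, "permit", HQ, ANY)]


if __name__ == "__main__":
    for name, nat in (("permit-all", NAT_ACL_PERMIT_ALL), ("exempt", NAT_ACL_EXEMPT)):
        print(name, "PC1->PC2     :", egress("10.0.0.1", "10.1.1.1", nat, IPSEC_ACL, "12.12.12.1"))
        print(name, "PC1->Internet:", egress("10.0.0.1", "203.0.113.9", nat, IPSEC_ACL, "12.12.12.1"))
```

With the permit-all NAT ACL the PC1-to-PC2 packet is rewritten to 12.12.12.1 before the IPsec ACL is consulted, no longer matches source 10.0.0.0/24, and leaves as plaintext toward the default route, which is the "branch access fails once NAT is configured" symptom from section 5. With the deny rule in front, the packet keeps its 10.0.0.1 source, matches the IPsec ACL and is encrypted, while Internet-bound traffic is still translated. The tunnel-interface design in sections 3 and 4 sidesteps the ordering entirely: the route lookup sends the branch prefix into the Tunnel interface first, and the GRE packet that later leaves GigabitEthernet0/0/1 already carries the router's own 12.12.12.1, so there is nothing left for NAT to translate.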
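A consistency check a practitioner would run over dumps like the ones in sections 3 and 4, as an added example that is neither from the report nor from Huawei: it parses the block structure of a display current-configuration dump and verifies that every nat outbound references a defined ACL, that every ipsec profile bound to a tunnel exists and names a defined ike peer and ipsec proposal, and that tunnel addresses match the plan table. SAMPLE_CENTER is an abridged copy of the Center GRE-over-IPsec dump with the Tunnel0/0/0 address as it appeared in the original (2.2.2.2/24); the pre-shared key is replaced by a placeholder, and the parser is assumed to see only the dump layout used on this page.

```python
"""Consistency checks over a VRP `display current-configuration` dump.
Added example, not from the lab report or from Huawei.  The parser only
understands the dump layout shown on the page: unindented block headers,
one-space indented sub-commands, '#' separator lines."""
import ipaddress
import re


def parse_vrp(text):
    """Return [(block header, [sub-commands])] in configuration order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" "):             # sub-command of the current block
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def _names(blocks, prefix):
    """Third word of every header starting with `prefix`, e.g. the ACL numbers."""
    return {h.split()[2] for h, _ in blocks if h.startswith(prefix)}


def check_config(text, plan):
    """plan maps interface name -> expected 'a.b.c.d/len'.
    Returns a list of findings; an empty list means the checks passed."""
    blocks = parse_vrp(text)
    acls = _names(blocks, "acl number ")
    ike_peers = _names(blocks, "ike peer ")
    proposals = _names(blocks, "ipsec proposal ")
    profiles = {h.split()[2]: body for h, body in blocks if h.startswith("ipsec profile ")}
    findings = []

    # An ipsec profile is only usable if the IKE peer and proposal it names exist.
    for name, body in profiles.items():
        peer = next((c.split()[1] for c in body if c.startswith("ike-peer ")), None)
        prop = next((c.split()[1] for c in body if c.startswith("proposal ")), None)
        if peer not in ike_peers:
            findings.append(f"ipsec profile {name}: ike-peer {peer} is not defined")
        if prop not in proposals:
            findings.append(f"ipsec profile {name}: proposal {prop} is not defined")

    for head, body in blocks:
        if not head.startswith("interface "):
            continue
        ifname = head.split(None, 1)[1]
        for cmd in body:
            m = re.fullmatch(r"nat outbound (\d+)", cmd)
            if m and m.group(1) not in acls:
                findings.append(f"{ifname}: nat outbound references undefined ACL {m.group(1)}")
            m = re.fullmatch(r"ipsec profile (\S+)", cmd)
            if m and m.group(1) not in profiles:
                findings.append(f"{ifname}: ipsec profile {m.group(1)} is not defined")
            m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
            if m and ifname in plan:
                prefixlen = ipaddress.IPv4Network("0.0.0.0/" + m.group(2)).prefixlen
                actual = f"{m.group(1)}/{prefixlen}"
                if actual != plan[ifname]:
                    findings.append(f"{ifname}: address {actual} differs from plan {plan[ifname]}")
    return findings


# Abridged copy of the page's Center (AR1) GRE-over-IPsec dump, with the
# Tunnel0/0/0 address as it appeared there; the pre-shared key is a placeholder.
SAMPLE_CENTER = """\
acl number 3000
 rule 5 permit ip
#
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 2
 encryption-algorithm aes-cbc-128
#
ike peer ar3 v2
 pre-shared-key cipher PLACEHOLDER
 ike-proposal 2
#
ipsec profile 123
 ike-peer ar3
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 12.12.12.1 255.255.255.0
 nat outbound 3000
#
interface Tunnel0/0/0
 ip address 2.2.2.2 255.255.255.0
 tunnel-protocol gre
 source 12.12.12.1
 destination 23.23.23.3
 ipsec profile 123
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0
"""

# Tunnel address from the plan table in section 2.2.1.
PLAN = {"Tunnel0/0/0": "192.168.2.1/24"}

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CENTER, PLAN):
        print(finding)
```

Run against SAMPLE_CENTER the only finding is the Tunnel0/0/0 address mismatch; replacing nat outbound 3000 with nat outbound 2000, as in the IPsec-over-GRE dump where ACL 2000 is never defined, adds a second finding. The same check on the branch router would catch a profile that names an IKE peer defined only on the other side.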
