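Topology: DSVPN is deployed between AR1, AR2 and AR3. The tunnels use the 172.16.0.0/24 subnet. OSPF runs over the GRE tunnels and advertises each router's loopback interface address. NHRP is used in shortcut mode, with AR1 as the hub and AR2 and AR3 as spokes. AR1 performs NHRP redirect.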
AR1:
#
sysname AR1
#
ipsec proposal AAA
encapsulation-mode transport
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm aes-cbc-192
authentication-algorithm md5
#
ike peer AAA v1
pre-shared-key simple huawei
ike-proposal 1
local-address 202.100.1.1
#
ipsec profile 1
ipsec profile AAA
ike-peer AAA
proposal AAA
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/0
ip address 202.100.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.0.1 255.255.255.0
tunnel-protocol gre p2mp
source 202.100.1.1
ospf network-type broadcast
ospf dr-priority 255
ospf enable 1 area 0.0.0.0
ipsec profile AAA
nhrp redirect
nhrp entry multicast dynamic
#
ospf 1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.100
#
AR2:
#
sysname AR2
#
ipsec proposal AAA
encapsulation-mode transport
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm aes-cbc-192
authentication-algorithm md5
#
ike peer AAA v1
pre-shared-key simple huawei
ike-proposal 1
local-address 202.100.2.2
#
ipsec profile AAA
ike-peer AAA
proposal AAA
#
interface GigabitEthernet0/0/0
ip address 202.100.2.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Tunnel0/0/0
ip address 172.16.0.2 255.255.255.0
tunnel-protocol gre p2mp
source 202.100.2.2
ospf network-type broadcast
ospf dr-priority 0
ospf enable 1 area 0.0.0.0
ipsec profile AAA
nhrp shortcut
nhrp entry 172.16.0.1 202.100.1.1 register
#
ospf 1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.2.100
#
AR3:
#
sysname AR3
#
ipsec proposal AAA
encapsulation-mode transport
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm aes-cbc-192
authentication-algorithm md5
#
ike peer AAA v1
pre-shared-key simple huawei
ike-proposal 1
local-address 202.100.3.3
#
ipsec profile AAA
ike-peer AAA
proposal AAA
#
interface GigabitEthernet0/0/0
ip address 202.100.3.3 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Tunnel0/0/0
ip address 172.16.0.3 255.255.255.0
tunnel-protocol gre p2mp
source 202.100.3.3
ospf network-type broadcast
ospf dr-priority 0
ospf enable 1 area 0.0.0.0
ipsec profile AAA
nhrp shortcut
nhrp entry 172.16.0.1 202.100.1.1 register
#
ospf 1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.3.100
#
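Key points: as the hub, AR1 must be the DR. When OSPF runs on the logical (tunnel) interface, the network type must be switched to broadcast or NBMA; in P2P mode some neighbor relationships fail to establish.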
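
The key points above, together with the hub/spoke NHRP roles from the topology description, can be checked mechanically before a change is pushed. The following Python sketch is an added example, not part of the original configuration: the function names `tunnel`, `value` and `check_dsvpn` are hypothetical, and it assumes configs in the `#`-separated form shown on this page with the tunnel on `Tunnel0/0/0`.

```python
import re

# Sample input: Tunnel0/0/0 stanzas excerpted from the AR1 and AR2 configs above.
AR1 = """interface Tunnel0/0/0
ip address 172.16.0.1 255.255.255.0
source 202.100.1.1
ospf network-type broadcast
ospf dr-priority 255
nhrp redirect
nhrp entry multicast dynamic
#"""
AR2 = """interface Tunnel0/0/0
ip address 172.16.0.2 255.255.255.0
source 202.100.2.2
ospf network-type broadcast
ospf dr-priority 0
nhrp shortcut
nhrp entry 172.16.0.1 202.100.1.1 register
#"""

def tunnel(cfg):
    """Commands inside the Tunnel0/0/0 stanza (terminated by a '#' line)."""
    m = re.search(r"^interface Tunnel0/0/0\n(.*?)^#", cfg, re.M | re.S)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def value(cmds, prefix):
    """First argument of the command starting with `prefix`, else None."""
    return next((c[len(prefix):].split()[0] for c in cmds
                 if c.startswith(prefix + " ")), None)

def check_dsvpn(hub_cfg, spokes):
    """Return findings for the hub config and a {name: config} dict of spokes."""
    hub, out = tunnel(hub_cfg), []
    hub_entry = f"nhrp entry {value(hub, 'ip address')} {value(hub, 'source')} register"
    if "nhrp redirect" not in hub:
        out.append("hub: nhrp redirect missing")
    if value(hub, "ospf dr-priority") == "0":
        out.append("hub: dr-priority 0, hub can never become DR")
    for name, cfg in [("hub", hub_cfg)] + sorted(spokes.items()):
        if value(tunnel(cfg), "ospf network-type") not in ("broadcast", "nbma"):
            out.append(f"{name}: OSPF network type on tunnel is not broadcast/nbma")
    for name, cfg in sorted(spokes.items()):
        t = tunnel(cfg)
        for need in ("nhrp shortcut", hub_entry):
            if need not in t:
                out.append(f"{name}: missing '{need}'")
        if value(t, "ospf dr-priority") != "0":
            out.append(f"{name}: dr-priority is not 0, spoke can become DR")
    return out
```

`check_dsvpn(AR1, {"AR2": AR2})` returns an empty list for the stanzas on this page; each returned string names the router and the setting that breaks the hub-as-DR or NHRP registration requirement.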