H3C IPv6 IPsec + IKE Aggressive Mode: Typical Network Configuration Example
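Network description:
This example uses the H3C HCL simulator to simulate a typical IPv6 IPsec + IKE aggressive-mode network configuration. To protect data in transit, an IPsec VPN tunnel is established between R1 and R2 using aggressive mode. Finally, R1 and R2 are interconnected using the OSPFv3 routing protocol.
Configuration approach:
1. Configure the IP addresses correctly according to the network topology diagram.
2. Run the OSPFv3 routing protocol between R1 and R2.
3. Establish a VPN tunnel between R1 and R2 using IPsec with IKE aggressive mode.
Configuration procedure:
Phase 1 configuration (basic network configuration):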
SW1:
System View: return to User View with Ctrl+Z.
[H3C]sysname SW1
[SW1]int loopback 0
[SW1-LoopBack0]ip address 3.3.3.3 32
[SW1-LoopBack0]quit
[SW1]ospfv3 1
[SW1-ospfv3-1]import-route direct
[SW1-ospfv3-1]router-id 3.3.3.3
[SW1-ospfv3-1]quit
[SW1]int gi 1/0/1
[SW1-GigabitEthernet1/0/1]port link-mode route
[SW1-GigabitEthernet1/0/1]des
[SW1-GigabitEthernet1/0/1]ipv6 address 3::2 64
[SW1-GigabitEthernet1/0/1]ospfv3 1 area 0
[SW1-GigabitEthernet1/0/1]quit
R1:
System View: return to User View with Ctrl+Z.
[H3C]sysname R1
[R1]int loopback 0
[R1-LoopBack0]ip address 1.1.1.1 32
[R1-LoopBack0]quit
[R1]ospfv3 1
[R1-ospfv3-1]router-id 1.1.1.1
[R1-ospfv3-1]import-route direct
[R1-ospfv3-1]quit
[R1]int gi 0/0
[R1-GigabitEthernet0/0]ipv6 address 1::1 64
[R1-GigabitEthernet0/0]ospfv3 1 area 0
[R1-GigabitEthernet0/0]quit
[R1]int s 1/0
[R1-Serial1/0]des
[R1-Serial1/0]ipv6 address 2::1 64
[R1-Serial1/0]ospfv3 1 area 0
[R1-Serial1/0]quit
R2:
System View: return to User View with Ctrl+Z.
[H3C]sysname R2
[R2]int loopback 0
[R2-LoopBack0]ip address 2.2.2.2 32
[R2-LoopBack0]quit
[R2]ospfv3 1
[R2-ospfv3-1]import-route direct
[R2-ospfv3-1]router-id 2.2.2.2
[R2-ospfv3-1]quit
[R2]int s 1/0
[R2-Serial1/0]des
[R2-Serial1/0]ipv6 address 2::2 64
[R2-Serial1/0]ospfv3 1 area 0
[R2-Serial1/0]quit
[R2]int gi 0/0
[R2-GigabitEthernet0/0]des
[R2-GigabitEthernet0/0]quit
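Phase 1 test:
Configure an IP address on the physical host:
The physical host can ping SW1:
Phase 2 configuration (key configuration points for IPsec + IKE aggressive mode):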
[R1]acl ipv6 advanced 3000
[R1-acl-ipv6-adv-3000]rule 0 permit ipv6 source 1::/64 destination 3::/64
[R1-acl-ipv6-adv-3000]quit
[R1]ike identity fqdn r1
[R1]ike proposal 1
[R1-ike-proposal-1]quit
[R1]ike keychain james
[R1-ike-keychain-james]pre-shared-key address ipv6 2::2 64 key simple james
[R1-ike-keychain-james]quit
[R1]ike profile james
[R1-ike-profile-james]keychain james
[R1-ike-profile-james]proposal 1
[R1-ike-profile-james]match remote identity address ipv6 2::2
[R1-ike-profile-james]exchange-mode aggressive
[R1-ike-profile-james]quit
[R1]ipsec transform-set james
[R1-ipsec-transform-set-james]protocol esp
[R1-ipsec-transform-set-james]encapsulation-mode tunnel
[R1-ipsec-transform-set-james]esp authentication-algorithm md5
[R1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[R1-ipsec-transform-set-james]quit
[R1]ipsec ipv6-policy james 1 isakmp
[R1-ipsec-ipv6-policy-isakmp-james-1]security acl ipv6 3000
[R1-ipsec-ipv6-policy-isakmp-james-1]transform-set james
[R1-ipsec-ipv6-policy-isakmp-james-1]ike-profile james
[R1-ipsec-ipv6-policy-isakmp-james-1]remote-address ipv6 2::2
[R1-ipsec-ipv6-policy-isakmp-james-1]quit
[R1]int s 1/0
[R1-Serial1/0]ipsec apply ipv6-policy james
[R1-Serial1/0]quit
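An added example (not part of the original document and not H3C tooling): a small Python check that reads a Comware command transcript such as the R1 commands above and reports the settings a reviewer would question before reusing this lab configuration outside the simulator, namely aggressive mode with a pre-shared key, a key typed with "key simple" that equals the keychain name, and the MD5 / DES-CBC transform set. The finding ids, the function name and the embedded transcript are constructed for illustration.

```python
import re

# Constructed input: R1's phase-2 commands as printed on this page, including
# one line where two prompts were run together by extraction.
R1_TRANSCRIPT = """\
[R1]ike keychain james
[R1-ike-keychain-james]pre-shared-key address ipv6 2::2 64 key simple james [R1-ike-keychain-james]quit
[R1-ike-profile-james]exchange-mode aggressive
[R1-ipsec-transform-set-james]encapsulation-mode tunnel
[R1-ipsec-transform-set-james]esp authentication-algorithm md5
[R1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
"""

# One "[device-view]command" unit; commands never contain "[", so this also
# splits run-together lines.
UNIT = re.compile(r"\[([^\]\-]+)(?:-([^\]]+))?\]([^\[\n]*)")

# (finding id, pattern matched against the command, reason)
RULES = [
    ("IKE_AGGRESSIVE_PSK", r"^exchange-mode aggressive$",
     "aggressive mode exposes a PSK-derived hash to offline guessing"),
    ("ESP_AUTH_MD5", r"^esp authentication-algorithm md5$",
     "HMAC-MD5 is deprecated for ESP integrity"),
    ("ESP_ENC_DES", r"^esp encryption-algorithm des-cbc$",
     "single DES has only a 56-bit key"),
]
PSK = re.compile(r"^pre-shared-key\b.*\bkey simple (\S+)$")

def audit(transcript):
    """Return (device, finding id, reason) for each weak setting found."""
    findings = []
    for device, view, cmd in UNIT.findall(transcript):
        cmd = cmd.strip()
        for fid, pattern, reason in RULES:
            if re.search(pattern, cmd):
                findings.append((device, fid, reason))
        m = PSK.search(cmd)
        if m:
            findings.append((device, "PSK_CLEARTEXT", "key typed in clear text (key simple)"))
            # A key equal to the keychain's own name is trivially guessable.
            if view.endswith("-" + m.group(1)):
                findings.append((device, "PSK_EQUALS_NAME", "key matches the keychain name"))
    return findings

if __name__ == "__main__":
    for device, fid, reason in audit(R1_TRANSCRIPT):
        print(f"{device}: {fid}: {reason}")
```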
R2:
[R2]acl ipv6 advanced 3000
[R2-acl-ipv6-adv-3000]rule 0 permit ipv6 source 3::/64 destination 1::/64
[R2-acl-ipv6-adv-3000]quit
[R2]ike identity fqdn r2
[R2]ike proposal 1
[R2-ike-proposal-1]quit
[R2]ike keychain james
[R2-ike-keychain-james]pre-shared-key hostname r1 key simple james
[R2-ike-keychain-james]quit
[R2]ipsec transform-set james
[R2-ipsec-transform-set-james]protocol esp
[R2-ipsec-transform-set-james]encapsulation-mode tunnel
[R2-ipsec-transform-set-james]esp authentication-algorithm md5
[R2-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[R2-ipsec-transform-set-james]quit
[R2]ike profile james