全互联结构DVPN综合配置示例
以下内容摘自正在全面热销的最新网络设备图书“豪华四件套”之一《H3C路由器配置与管理完全手册》(第二版)(其余三本分别是:《Cisco交换机配置与管理完全手册》(第二版)、《Cisco路由器配置与管理完全手册》(第二版)和《H3C交换机配置与管理完全手册》(第二版)) 。目前本套图书在当当网、京东网、卓越网、互动出版网等书店全面热销中,在当当网、京东网购买该套装将直减30元:http://book.dangdang.com/20130730_aife、http://item.jd.com/11299332.html
(京东网上目前仅7折,折后再减30元)
15.3.1 全互联结构DVPN综合配置示例
本示例拓扑结构如图15-6所示。整个DVPN网络呈Full-Mesh(全互联)结构,各设备接口的IP地址分配如表15-15所示。示例中,主/备VAM 服务器负责管理、维护各个节点的信息;AAA服务器负责对VAM客户端进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。Spoke与Hub之间建立永久隧道连接,其中Spoke 1只通过一个隧道接口Tunnel1与其他VAM客户端建立DVPN连接,Spoke 3只通过一个隧道接口Tunnel2与其他VAM客户端建立DVPN连接,Spoke 2通过两个隧道接口Tunnel1、Tunnel2与其他VAM客户端建立DVPN连接。且同一VPN域中,任意的两个Spoke之间在有数据传输时可直接动态建立隧道连接。
图15-6 全互联结构DVPN配置示例的拓扑结构
表15-15 全互联结构DVPN配置示例中的设备接口IP地址分配
|
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
|
Hub 1 |
Eth1/1 |
192.168.1.1/24 |
Spoke 1 |
Eth1/1 |
192.168.1.3/24 |
|
Tunnel1 |
10.0.1.1/24 |
Eth1/2 |
10.0.3.1/24 |
||
|
Tunnel2 |
10.0.2.1/24 |
Tunnel1 |
10.0.1.3/24 |
||
|
Hub 2 |
Eth1/1 |
192.168.1.2/24 |
Spoke 2 |
Eth1/1 |
192.168.1.4/24 |
|
Tunnel1 |
10.0.1.2/24 |
Eth1/2 |
10.0.4.1/24 |
||
|
Tunnel2 |
10.0.2.2/24 |
Tunnel1 |
10.0.1.4/24 |
||
|
主VAM服务器 |
Eth1/1 |
192.168.1.22/24 |
Tunnel2 |
10.0.2.4/24 |
|
|
备份VAM服务器 |
Eth1/1 |
192.168.1.33//24 |
Spoke 3 |
Eth1/1 |
192.168.1.5/24 |
|
AAA服务器 |
192.168.1.11/24 |
Eth1/2 |
10.0.5.1/24 |
||
|
Tunnel2 |
10.0.2.3/24 |
根据15.2介绍的DVPN基本配置思路可以很容易地得出Hub路由器、各Spoke路由器,以及各VAM服务器的以下具体配置步骤。
一、主VAM服务器的配置
(1)按照图中标注配置主VAM服务器IP地址(略)
(2)配置AAA认证(方案为RADIUS)。
<MainServer> system-view
[MainServer] radius scheme rad1 !---创建一个名为rad1的RADIUS认证方案
[MainServer-radius-radsun] primary authentication 192.168.1.11 1812 !--- 配置主RADIUS认证/授权服务器的IP地址为192.168.1.11,UDP端口采用默认的1812号端口
[MainServer-radius-radsun] primary accounting 192.168.1.11 1813 !--- 配置主RADIUS计费服务器的IP地址为192.168.1.11,UDP端口采用默认的1813号端口
[MainServer-radius-radsun] key authentication lycb !--- 配置RADIUS认证/授权报文的共享密钥为lycb
[MainServer-radius-radsun] key accounting lycb !--- 配置RADIUS计费报文的共享密钥为lycb
[MainServer-radius-radsun] server-type standard !--- 指定采用标准类型的RADIUS服务器,还可以选择“extended”选项,指定RADIUS服务器支持私有RADIUS标准
[MainServer-radius-radsun] user-name-format with-domain !--- 设置发送给RADIUS服务器的用户名采用带ISP域名的格式:userid@isp-name,还可以选择“without-domain”选项,则用户名格式不带ISP域名。如果采用不带域名格式,则不同域中的用户名不要一样
[MainServer-radius-radsun] quit
(3)配置ISP域的AAA方案。
[MainServer] domain domain1 !---创建一个名为domain1的ISP域
[MainServer-isp-domain1] authentication default radius-scheme rad1 !---指定domain1中所有用户默认采用名为前面创建的名为rad1的RADIUS认证/授权方案
[MainServer-isp-domain1] accounting default radius-scheme rad1 !---指定domain1中所有用户默认采用名为前面创建的名为rad1的RADIUS计费方案
[MainServer-isp-domain1] quit
[MainServer] domain default enable domain1 !--- 配置系统默认的ISP域为domain1,所有在登录时没有提供ISP域名的用户都属于这个域
(4)配置主VAM服务器,指定不同VPN域中的预共享密钥、认证模式和所对应的Hub地址,然后启用VAM服务器功能。
[MainServer] vam server ip-address 192.168.1.22 !----指定VAM Server上的监听IP地址,采用默认的UDP 18000号端口
[MainServer] vam server vpn 1 !----创建VPN域1。注意,这里的VPN域与ISP域不一样,一个ISP域下可以有多个VPN域
[MainServer-vam-server-vpn-1] pre-shared-key simple 123456 !---配置预共享密钥为123456
[MainServer-vam-server-vpn-1] authentication-method chap !----配置对客户端进行CHAP认证
!---下面三条用来指定VAM服务器所服务的,在VPN域1中的两个Hub的私网地址,对应Hub1和Hub2上的Tunnel1接口IP地址。
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[MainServer-vam-server-vpn-1] quit
[MainServer] vam server vpn 2 !---创建VPN域2
[MainServer-vam-server-vpn-2] pre-shared-key simple 654321 !----配置预共享密钥为654321
[MainServer-vam-server-vpn-2] authentication-method pap !---配置对客户端进行PAP认证
!--- 面三条用来指定VAM服务器所服务的,在VPN域2中的两个Hub的私网地址,对应Hub1和Hub2上的Tunnel2接口IP地址。
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[MainServer-vam-server-vpn-1] quit
[MainServer] vam server enable all !----启动所有VPN域的VAM 服务器功能
二、备份VAM服务器的配置
下面再来配置备份VAM服务器。这部分除备份VAM服务器的监听IP地址配置外,其他的配置与主VAM服务器的都一样,因为它们本来就是用来进行相互备份的,具体配置参见前面介绍的主VAM服务器配置。
三、Hub1的配置
(1)配置各接口的IP地址(略)。
(2)配置VAM客户端,为不同VPN域创建不同的VAM客户端,并指定主/备VAM服务器地址,进行身份认证的本地用户名和预共享密钥,最后启用VAM客户端服务。
<Hub1> system-view
!---下面两条是创建VPN域1的客户端dvpn1hub1。
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
!---下面三条是配置VAM服务器的IP地址及VAM客户端的预共享密钥。
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123456
!---下面三条是配置Hub1上VPN1域中的本地用户,用户名为dvpn1hub1,密码为dvpn1hub1。
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
!---下面两条创建VPN域2的客户端dvpn2hub1。
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 654321
!---下面三条是配置Hub1上VPN2域中的本地用户,用户名为dvpn2hub1,密码为dvpn2hub1。
[Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] client enable
[Hub1-vam-client-name-dvpn2hub1] quit
(3)配置IPsec安全框架,创建安全提议,对等体、IPSec安全框架。
!---下面几条是配置IPsec安全提议。
[Hub1] ipsec proposal propo1
[Hub1-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub1-ipsec-proposal-vam] transform esp
[Hub1-ipsec-proposal-vam] esp encryption-algorithm des
[Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-vam] quit
!---下面几条是配置IKE对等体。
[Hub1] ike peer peer1
[Hub1-ike-peer-vam] pre-shared-key abcdef
[Hub1-ike-peer-vam] quit
!---下面几条是配置IPsec安全框架。
[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-vamp] proposal propo1
[Hub1-ipsec-profile-vamp] ike-peer peer1
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
【经验之谈】IPSec安全框架中所配置的安全提议名、对等体名和安全框架名可以在全网中采用相同的名称,当然也可以采用不同的名称,因为它们都是本地配置,仅对本地有意义。通常为了怕搞混,整个网络都采用相同的安全提议名、相同的的对等体名,相同的安全框架名。
(4)配置DVPN隧道,指定不同VPN域中的隧道接口IP地址(这要与前面在VAM服务器配置的Hub地址一致)、OSPF网络类型和引用的安全框架名称。
!---下面几条是配置VPN域1的隧道接口Tunnel1。
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile profile1
[Hub1-Tunnel1] quit
!---下面几条是配置VPN域2的隧道接口Tunnel2。
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn udp
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile profile1
[Hub1-Tunnel2] quit
(5)配置OSPF路由,宣告所连接的私网与公网。所连接的私网就是其Tunnel接口所连接的网络。但这里宣告的都是对应接口的IP地址,指定在对应接口上启用OSPF路由协议。Tunnel接口上所配置的IP地址都私网的。
!---下面几条是配置公网的路由信息。
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
!---下面几条是配置私网的路由信息。
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
[Hub1-ospf-200-area-0.0.0.0] quit
[Hub1] ospf 300
[Hub1-ospf-300] area 0
[Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255
【经验之谈】公网与私网的OSPF路由进程要不一样,物理连接的私网和通过Tunnel接口连接的虚拟私网也要用不同的OSPF路由进程。但都可以仅在骨干区域area 0中配置。
四、Hub2的配置
(1)配置各接口的IP地址(略)。
(2)配置VAM客户端。
<Hub2> system-view
!---下面两条是创建VPN域1的客户端dvpn1hub2。
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
!---下面三条是配置VAM服务器的IP地址及VAM客户端的预共享密钥。
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123456
!---下面三条是配置Hub1的本地用户,用户名为dvpn1hub2,密码为dvpn1hub2。
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub1 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
!---下面两条创建VPN域2的客户端dvpn2hub2。
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] vpn 2
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 654321
!---下面两条是配置本地用户,用户名为dvpn2hub2,密码为dvpn2hub2。
[Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit
(3)配置IPsec安全框架。因为它与Hub1是互为备份的,所以在安全框架中的配置要与Hub1上的配置一致。
!---下面几条是配置IPsec安全提议。
[Hub2] ipsec proposal propo1
[Hub2-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub2-ipsec-proposal-vam] transform esp
[Hub2-ipsec-proposal-vam] esp encryption-algorithm des
[Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-vam] quit
!---下面几条是配置IKE对等体。
[Hub2] ike peer peer1
[Hub2-ike-peer-vam] pre-shared-key abcdef
[Hub2-ike-peer-vam] quit
!---下面几条是配置IPsec安全框架。
[Hub2] ipsec profile profile1
[Hub2-ipsec-profile-vamp] proposal propo1
[Hub2-ipsec-profile-vamp] ike-peer peer1
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
(4)配置DVPN隧道。
!---下面几条是配置VPN域1的隧道接口Tunnel1。
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile profile1
[Hub2-Tunnel1] quit
!---下面几条是配置VPN域2的隧道接口Tunnel2。
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn udp
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile profile1
[Hub2-Tunnel2] quit
(5)配置OSPF路由。
!---下面几条是配置公网的路由信息。
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
!---下面几条是配置私网的路由信息。
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255
五、Spoke1的配置
(1)配置各接口的IP地址(略)。
(2)配置VAM客户端,因为Sopke 1只有Tunnel 1一个虚拟隧道接口,所以只需配置VPN 1域,无需配置VPN 2中的VAM客户端。
<Spoke1> system-view
!---下面两条是创建VPN域1的客户端dvpn1spoke1。
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123456
!---下面三条是配置本地用户,用户名为dvpn1spoke1,密码为dvpn1spoke1。
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
(3)配置IPsec安全框架,在名称上可以不一样,但配置上要与Hub上的配置一致。
!---下面几条是配置IPsec安全提议。
[Spoke1] ipsec proposal propo1
[Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-vam] transform esp
[Spoke1-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-vam] quit
!---下面三条是配置IKE对等体。
[Spoke1] ike peer peer1
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
!---下面几条是配置IPsec安全框架。
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-vamp] proposal propo1
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
(4)配置DVPN隧道,因为Spoke 1只有Tunnel 1一个虚拟隧道接口,所以只需配置VPN域1的隧道接口Tunnel1及属性。
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile profile1
[Spoke1-Tunnel1] quit
(5)配置OSPF路由,宣告它上面三个接口所连接的公网和私网接口IP地址。
!---下面几条是配置公网的路由信息。
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
!---下面几条是配置私网的路由信息。
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255
六、Spoke2的配置
(1)配置各接口的IP地址(略)。
(2)配置VAM客户端,因为Spoke 2有两个Tunnel接口,分属于VPN1、VPN2两个VPN域,所以需要配置两个VPN域中的VAM客户端。
<Spoke2> system-view
!---下面两条是创建VPN域1的客户端dvpn1spoke2。
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123456
!---下面三条是配置本地用户,用户名为dvpn1spoke2,密码为dvpn1spoke2。
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
!---下面两条是创建VPN域2的客户端dvpn1spoke2。
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 2
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 654321
!---下面三条是配置本地用户,用户名为dvpn2spoke2,密码为dvpn2spoke2。
[Spoke2-vam-client-name-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] client enable
[Spoke2-vam-client-name-dvpn2spoke2] quit
(3)配置IPsec安全框架。在名称上可以与Hub上的配置不一样,但在配置上要一致。
!---下面几条是配置IPsec安全提议。
[Spoke2] ipsec proposal propo2
[Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-vam] transform esp
[Spoke2-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-vam] quit
!---下面三条是配置IKE对等体。
[Spoke2] ike peer peer2
[Spoke2-ike-peer-vam] pre-shared-key abcdef
[Spoke2-ike-peer-vam] quit
!---下面几条是配置IPsec安全框架。
[Spoke2] ipsec profile profile2
[Spoke2-ipsec-profile-vamp] proposal propo2
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
(4)配置DVPN隧道。因为Spoke 2有Tunnel 1和Tunnel 2两个虚拟隧道接口,所以需配置VPN域1和VPN域2的两个隧道接口及属性。
!—下面几条是配置VPN域1的隧道接口Tunnel1及属性
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile profile2
[Spoke2-Tunnel1] quit
!—下面几条是配置VPN域2的隧道接口Tunnel1及属性
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn udp
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ospf dr-priority 0
[Spoke2-Tunnel2] ipsec profile profile2
[Spoke2-Tunnel2] quit
? (5)配置OSPF路由。
!---下面几条是配置公网的路由信息。
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
!---下面几条是配置私网的路由信息。
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.4.1 0.0.0.255
七、Spoke3的配置
(1)配置各接口的IP地址(略)。
(2)配置VAM客户端。因为Sopke 3只有Tunnel 2一个虚拟隧道接口,所以只需配置VPN 2域,无需配置VPN 1中的VAM客户端。
<Spoke3> system-view
!---下面两条是创建VPN域2的客户端dvpn2spoke2。
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] vpn 2
!---下面三条是配置VAM Server的IP地址及VAM Client的预共享密钥。
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 654321
!---下面三条是配置本地用户,用户名为dvpn2spoke3,密码为dvpn2spoke3。
[Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] client enable
[Spoke3-vam-client-name-dvpn2spoke3] quit
(3)配置IPsec安全框架。在名称上可以不一样,但配置上要与Hub上的配置一致。
!---下面几条是配置IPsec安全提议。
[Spoke3] ipsec proposal propo3
[Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke3-ipsec-proposal-vam] transform esp
[Spoke3-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-proposal-vam] quit
!---下面三条是配置IKE对等体。
[Spoke3] ike peer peer3
[Spoke3-ike-peer-vam] pre-shared-key abcdef
[Spoke3-ike-peer-vam] quit
!---下面几条是配置IPsec安全框架。
[Spoke3] ipsec profile profile3
[Spoke3-ipsec-profile-vamp] proposal propo3
[Spoke3-ipsec-profile-vamp] sa duration time-based 600
[Spoke3-ipsec-profile-vamp] pfs dh-group2
[Spoke3-ipsec-profile-vamp] quit
(4)配置DVPN隧道。
!—下面几条是配置VPN域2的隧道接口Tunnel2及属性
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn udp
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile profile3
[Spoke3-Tunnel2] quit
(5)配置OSPF路由。
!---下面几条是配置公网的路由信息。
[Spoke3] ospf 100
[Spoke3-ospf-100] area 0
[Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255
[Spoke3-ospf-100-area-0.0.0.0] quit
!---下面几条是配置私网的路由信息。
[Spoke3] ospf 200
[Spoke3-ospf-200] area 0
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255
八、验证配置结果。
首先可使用“display vam server address-map all”命令查看注册到主VAM服务器的所有VAM客户端的地址映射信息。结果显示Hub1、Hub2、Spoke1、Spoke2和Spoke3均已将地址映射信息注册到VAM服务器。
[MainServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 52M 7S
10.0.1.2 192.168.1.2 Hub 0H 47M 31S
10.0.1.3 192.168.1.3 Spoke 0H 28M 25S
10.0.1.4 192.168.1.4 Spoke 0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.2.1 192.168.1.1 Hub 0H 51M 44S
10.0.2.2 192.168.1.2 Hub 0H 46M 45S
10.0.2.3 192.168.1.5 Spoke 0H 11M 25S
10.0.2.4 192.168.1.4 Spoke 0H 18M 32S
用同样方法可以查看注册到备份VAM服务器的所有VAM客户端的地址映射信息。
再使用display dvpn session all命令查看Hub1上的DVPN隧道信息。输出信息显示VPN 1中Hub1与Hub2、Spoke1、Spoke2建立了永久隧道;VPN 2中Hub1与Hub2、Spoke2、Spoke3建立了永久隧道。Hub2上的显示信息与Hub1类似。
[Hub1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 8m 7s
Input: 164 packets, 163 data packets, 1 control packets
54 multicasts, 0 errors
Output: 77 packets, 76 data packets, 1 control packets
55 multicasts, 0 errors
Private IP: 10.0.1.4
Public IP: 192.168.1.4
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 27m 13s
Input: 174 packets, 167 data packets, 7 control packets
160 multicasts, 0 errors
Output: 172 packets, 171 data packets, 1 control packets
165 multicasts, 0 errors
Interface: Tunnel2 VPN name: 2 Total number: 3
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 12m 10s
Input: 183 packets, 182 data packets, 1 control packets
0 multicasts, 0 errors
Output: 186 packets, 185 data packets, 1 control packets
155 multicasts, 0 errors
Private IP: 10.0.2.4
Public IP: 192.168.1.4
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 26m 39s
Input: 174 packets, 169 data packets, 5 control packets
162 multicasts, 0 errors
Output: 173 packets, 172 data packets, 1 control packets
167 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 19m 30s
Input: 130 packets, 127 data packets, 3 control packets
120 multicasts, 0 errors
Output: 127 packets, 126 data packets, 1 control packets
119 multicasts, 0 errors
再使用display dvpn session all命令查看Spoke2上的DVPN隧道信息。输出信息显示VPN 1中Spoke2与Hub1、Hub2建立了Hub-Spoke永久隧道;VPN 2中Spoke2与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke1和Spoke3上的显示信息与Spoke2类似。
[Spoke2] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 2
Private IP: 10.0.1.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 1m 22s
Input: 381 packets, 380 data packets, 1 control packets
374 multicasts, 0 errors
Output: 384 packets, 376 data packets, 8 control packets
369 multicasts, 0 errors
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 1 control packets
230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 7 control packets
224 multicasts, 0 errors
Interface: Tunnel2 VPN name: 2 Total number: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 2m 47s
Input: 383 packets, 382 data packets, 1 control packets
377 multicasts, 0 errors
Output: 385 packets, 379 data packets, 6 control packets
372 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
再在Spoke2上ping Spoke3的私网地址10.0.5.1,结果是通的。
[Spoke2] ping 10.0.5.1
PING 10.0.5.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms
--- 10.0.5.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
再可使用display dvpn session interface tunnel 2命令查看Spoke2上Tunnel2接口的DVPN隧道信息。结果显示Spoke2和Spoke3之间动态建立了Spoke-Spoke隧道。
[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2 VPN name: 2 Total number: 3
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 6 control packets
430 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: Spoke-Spoke
State: SUCCESS
Holding time: 0h 0m 0s
Input: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
全互联结构DVPN综合配置示例的更多相关文章
- 华为交换机VRRP 综合配置示例
组网需求: 楼层1和楼层2分别通过两条线路做冗余接入交换机(本示例只考虑vrrp,暂不考虑其他方面).当其中一段链路故障时,能通过另外一条链路传输. 配置信息: <lsw9>dis cu ...
- Wireguard 全互联模式(full mesh)配置指南
上篇文章给大家介绍了如何使用 wg-gen-web 来方便快捷地管理 WireGuard 的配置和秘钥,文末埋了两个坑:一个是 WireGuard 的全互联模式(full mesh),另一个是使用 W ...
- Haproxy的安装和配置示例
1.ha proxy简介ha proxy是一个开源的,高性能的,基于tcp第四层和http第七层应用的负载均衡软件优点:可靠性和稳定性非常好 最高可以同时维护40000-50000个 ...
- MyBatis Generator配置示例
(一).MBG介绍 MyBatis Generator(MBG)是一个Mybatis的代码生成器,它可以用来生成可以访问(多个)表的基础对象.MBG解决了对数据库操作有最大影响的一些简单的CRUD(插 ...
- java日志规约及配置示例终极总结
目录 什么是日志 常用日志框架 日志级别详解 日志的记录时机 日志使用规约 logback 配置示例 loh4j2 配置示例 什么是日志? 简单的说,日志就是记录程序的运行轨迹,方便查找关键信息,也方 ...
- Mysql半同步复制模式说明及配置示例 - 运维小结
MySQL主从复制包括异步模式.半同步模式.GTID模式以及多源复制模式,默认是异步模式 (如之前详细介绍的mysql主从复制).所谓异步模式指的是MySQL 主服务器上I/O thread 线程将二 ...
- 【转】Vim自动补全插件----YouCompleteMe安装与配置
原文网址:http://www.cnblogs.com/zhongcq/p/3630047.html 使用Vim编写程序少不了使用自动补全插件,在Linux下有没有类似VS中的Visual Assis ...
- Vim自动补全插件----YouCompleteMe安装与配置
Vim自动补全插件----YouCompleteMe安装与配置 使用Vim编写程序少不了使用自动补全插件,在Linux下有没有类似VS中的Visual Assist X这么方便快捷的补全插件呢?以前用 ...
- PIE SDK组件式开发综合运用示例
1. 功能概述 关于PIE SDK的功能开发,在我们的博客上已经分门别类的进行了展示,点击PIESat博客就可以访问,为了初学者入门,本章节将对从PIE SDK组件式二次开发如何搭建界面.如何综合开发 ...
随机推荐
- Oracle EBS-SQL (INV-5):检查期间拉式物料领用记录数.sql
select FU.description 操作者, KK.DESCRIPTION ...
- Java IO读写中文各种乱码问题 【转】
Java IO读写中文各种乱码问题 转自:http://blog.sina.com.cn/s/blog_484ab56f0101muzh.html java.io.*读写中文各种乱码,很费劲.不完全解 ...
- leetcode_question_111 Minimum Depth of Binary Tree
Given a binary tree, find its minimum depth. The minimum depth is the number of nodes along the shor ...
- UNIX网络编程--读书笔记
会集中这段时间写UNIX网络编程这本书的读书笔记,准备读三本,这一系类的文章会不断更新,一直会持续一个月多,每篇的前半部分是书中讲述的内容,每篇文章的后半部分是自己的心得体会,文章中的红色内容是很重要 ...
- OceanBase中主备Rootserver如何管理切换
主RootServer会不断给备RootServer发送lease.被RootServer收到该lease后会保存到几个变量中: int ObCheckRunnable::renew_lease(co ...
- UVA 10163 Storage Keepers(dp + 背包)
Problem C.Storage Keepers Background Randy Company has N (1<=N<=100) storages. Company wants ...
- MAC COCOA call command 调用终端控制台程序
MAC COCOA call command 调用终端控制台程序 STEP 1 先写一个C++ DOS程序 STEP2 使用NSTask来运行,然后用NSPipe和 NSData来接受运行的结果字符串 ...
- Ibatis代码自动生成工具——Abator安装与应用实例(图解)
Abator 能自动生成DAO,DTO和sqlMap,大大提高开发效率.Abator 的官方网站:http://ibatis.apache.org/ibator.html 使用也比较简单,以下做个实例 ...
- node.js(三)url处理
1.parse函数的基础用法 parse函数的作用是解析url,返回一个json格式的数组,请看如下示例: var url = require('url'); url.parse('http://ww ...
- 20160121--Spring
package com.hanqi; public class HelloWorld { public HelloWorld() { } public HelloWorld(String name) ...