51工具盒子

依楼听风雨
笑看云卷云舒,淡观潮起潮落

华为传统组网GER-over-IPSec(双机-主设备配置)

主设备数据头 {#%E4%B8%BB%E8%AE%BE%E5%A4%87%E6%95%B0%E6%8D%AE%E5%A4%B4}

LineID:601697G1
PE:dgb-vpnpe2
Tunnel:Tunnel0/0/1020
wanip:10.10.43.244/30
PE 对接:10.20.241.253
CE 对接:10.20.241.212
PE AS号:65000
CE AS号:65205

拨号PE:dgb-upe2
对接IP:10.20.241.253
LoopIP:10.20.241.212
拨号ip:183.60.153.188
秘钥:both-win

主设备wan口(电路专线):
IP:10.231.231.186/30
网关:10.231.231.185/30

备设备wan口(ADSL宽带):
IP:120.197.159.67/29
网关:120.197.159.65/29

LAN IP:
主:192.168.50.252
备:192.168.50.253
vrrp:192.168.50.254

配置模板 {#%E9%85%8D%E7%BD%AE%E6%A8%A1%E6%9D%BF}

clock timezone bj add 08:00
sys
telnet server enable
sysname 601697G1-DGQSDZ-Main
aaa
undo local-user admin
local-user bothwin password irreversible-cipher Tfe28@w%
local-user bothwin privilege level 15
local-user bothwin service-type telnet terminal ssh http

acl number 2707
rule 10 permit source 192.168.0.0 0.0.255.255
rule 20 permit source 172.16.0.0 0.15.255.255
rule 30 permit source 10.0.0.0 0.255.255.255
rule 40 permit source 114.112.238.8 0.0.0.7
rule 50 permit source 192.168.55.250 0
rule 60 permit source 113.105.190.147 0
rule 70 permit source 202.104.174.178 0
rule 80 permit source 120.76.31.146 0
rule 90 permit source 59.37.126.140 0
rule 100 permit source 183.61.239.168 0


user-interface vty 0 4
acl 2707 inbound
authentication-mode aaa
user privilege level 15

`ntp-service enable
ntp-service unicast-server 192.168.55.250
`

AAA配置 {#aaa%E9%85%8D%E7%BD%AE}

hwtacacs-server template fnetlink_tacacs
hwtacacs-server authentication 192.168.55.250
hwtacacs-server authorization 192.168.55.250
hwtacacs-server accounting 192.168.55.250

设定认证源IP {#%E8%AE%BE%E5%AE%9A%E8%AE%A4%E8%AF%81%E6%BA%90ip}

hwtacacs-server source-ip 10.10.43.246 #认证源IP是WANIP地址

图片-1677405262629

hwtacacs-server shared-key cipher bothwin

aaa
authentication-scheme fnet_tac
authentication-mode hwtacacs local
authorization-scheme fnet_tac
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme fnet_tac
accounting start-fail online
accounting interim-fail online
accounting-mode hwtacacs
recording-scheme fnet_tac
recording-mode hwtacacs fnetlink_tacacs
cmd recording-scheme fnet_tac
service-scheme fnet_tac
admin-user privilege level 15
domain fnet_tac
authentication-scheme fnet_tac
accounting-scheme fnet_tac
authorization-scheme fnet_tac
hwtacacs-server fnetlink_tacacs


domain fnet_tac admin


interface LoopBack1 #编号别冲突
description To IPSec
ip address 10.20.241.212 255.255.255.255


acl number 3333
rule 1 permit ip source 10.20.241.212 0 destination 10.20.241.253 0


ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
sa duration 28800
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1


ipsec proposal ipsectran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des


ike peer main
undo version 2
pre-shared-key cipher %\^%#CI$E\<'\^}6UkO=v\&g$:D!O0J8I+vA_,tA\*q0_\*49P%\^%#
ike-proposal 10
remote-address 183.60.153.188
dpd idle-time 30
dpd retry-limit 3
dpd retransmit-interval 30
dpd packet receive if-related enable


ipsec policy S2S-IPSEC 10 isakmp
security acl 3333
pfs dh-group2
ike-peer main
proposal ipsectran1


interface GigabitEthernet0/0/9
description wan
ip address 10.231.231.186 255.255.255.252
ipsec policy S2S-IPSEC


interface GigabitEthernet0/0/0
undo portswitch
description "lan vip:192.168.60.254 pri:192.168.60.252 bk:192.168.60.253"
ip address 192.168.60.252 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.60.254
vrrp vrid 1 priority 120


ip route-static 0.0.0.0 0.0.0.0 10.231.231.185 preference 222 tag 7777
ip route-static 183.60.153.188 255.255.255.255 10.231.231.185 tag 7777
ip route-static 114.113.245.99 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.10 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.250 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_center
ip route-static 192.168.254.107 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_netflow
ip route-static 10.20.241.253 255.255.255.255 10.231.231.185 tag 7777


interface Tunnel0/0/1020
description "pri to dgb-vpnpe2-Tunnel1020"
mtu 1400
tcp adjust-mss 1300
ip address 10.10.43.246 255.255.255.252
tunnel-protocol gre
source 10.20.241.212
destination 10.20.241.253
qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard

`route-policy bgp-To--VPN-Redistribute-Static deny node 100
description Deny Redistribution of Static Routes to MPLS VPN
if-match tag 7777
`

route-policy bgp-To--VPN-Redistribute-Static permit node 200
if-match tag 8888
apply community 65201:100

route-policy bgp-To--VPN-Redistribute-Static permit node 300
description Redistribute All Other Static Routes Without Tag


route-policy bgp-route-policy-pri-import permit node 100
apply local-preference 200


route-policy bgp-route-policy-pri-import permit node 200


ip ip-prefix bgp-filte-pre-export index 10 permit 192.168.60.0 24 greater-equal 24 less-equal 32
ip ip-prefix bgp-filte-pre-export index 20 permit 10.10.43.244 30 greater-equal 30 less-equal 32


bgp 65205
router-id 10.10.43.246
peer 10.20.241.253 as-number 65000
peer 192.168.60.253 as-number 65205


ipv4-family unicast
undo synchronization
preference 20 200 200
filter-policy ip-prefix bgp-filte-pre-export export
import-route direct
import-route static route-policy bgp-To--VPN-Redistribute-Static
peer 10.20.241.253 enable
peer 10.20.241.253 advertise-community
peer 10.20.241.253 ip-prefix bgp-filte-pre-export export
peer 10.20.241.253 route-policy bgp-route-policy-pri-import import
peer 10.20.241.253 next-hop-local
peer 192.168.60.253 enable
peer 192.168.60.253 advertise-community
peer 192.168.60.253 next-hop-local

`snmp-agent trap enable
snmp-agent sys-info version all
snmp-agent community read both-win
`

赞(1)
未经允许不得转载:工具盒子 » 华为传统组网GER-over-IPSec(双机-主设备配置)