H3C MSR Series Routers Typical Configuration Examples (V5)-6W100

76-IPsec over GRE Interoperability Between MSR Series Routers and Cisco: Typical Configuration Example

IPsec over GRE Interoperability Between MSR Series Routers and Cisco: Typical Configuration Example

1  Introduction

This document describes typical configuration examples for IPsec over GRE interoperability between MSR and Cisco routers.

There are two ways to achieve IPsec over GRE interoperability between MSR and Cisco.

Method one: The Cisco side is configured normally. On the MSR side, the remote-address in the IKE peer is set to the Cisco physical interface address rather than the Tunnel interface address.

Method two: The MSR side is configured normally. On the Cisco side, a loopback interface must be created, the Tunnel interface is made unnumbered to that loopback interface, and crypto map tunnel local-address Loopback0 is configured.

With method one, IKE negotiation and IPsec negotiation take place between MSR and the Cisco physical interface address. When MSR sends packets, it IPsec-encapsulates them according to the IPsec SA and sends them directly to the peer physical interface without GRE encapsulation; when Cisco sends packets, it performs both IPsec encapsulation and GRE encapsulation. Although communication works in this mode, it is not IPsec over GRE in the strict sense.

With method two, packets sent by both ends are IPsec-encapsulated and GRE-encapsulated.

2  Configuration Prerequisites

This document does not strictly correspond to specific software or hardware versions. If the product behaves differently from what is described here, refer to the relevant product manuals or go by the actual behaviour of the device.

The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples.

This document assumes that you are familiar with the IPsec and GRE features.

3  IPsec over GRE Interoperability Example with Normal Configuration on the Cisco Side

3.1  Network Requirements

As shown in Figure 1, MSR and Cisco are connected over Ethernet. The requirements are: the Cisco side is configured normally, the IKE peer address on the MSR side is the Cisco physical interface address, and IPsec over GRE protects the data and carries the routes between the two private networks.

Figure 1 Network diagram for IPsec over GRE interoperability between MSR and Cisco

3.2  Configuration Approach

·     Configure static routes through the GRE tunnel so that the private networks at both ends can communicate.

·     Use IPsec together with GRE to protect the traffic routed through the GRE tunnel, that is, the communication between the two private networks.

·     On the MSR side, set the remote-address in the IKE peer to the Cisco physical interface address, so that MSR does not GRE-encapsulate the packets it sends while the Cisco side does.

3.3  Software Version Used

This example was configured and verified on Release 2317.

3.4  Configuration Procedure

3.4.1  Configuring MSR

# Configure the IP address of interface GigabitEthernet0/0.

<MSR> system-view

[MSR] interface gigabitethernet 0/0

[MSR-GigabitEthernet0/0] ip address 1.0.0.2 24

[MSR-GigabitEthernet0/0] quit

# Configure the IP address of LoopBack0.

[MSR] interface loopback 0

[MSR-LoopBack0] ip address 100.0.0.1 32

[MSR-LoopBack0] quit

# Configure the GRE tunnel.

[MSR] interface tunnel 0

[MSR-Tunnel0] ip address 10.0.0.2 24

[MSR-Tunnel0] source 1.0.0.2

[MSR-Tunnel0] destination 1.0.0.1

[MSR-Tunnel0] quit

# Create ACL 3001 to define the traffic to be protected by IPsec.

[MSR] acl number 3001

[MSR-acl-adv-3001] rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0

[MSR-acl-adv-3001] rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255

[MSR-acl-adv-3001] quit

# Configure the IKE peer.

[MSR] ike peer tunnel

[MSR-ike-peer-tunnel] pre-shared-key simple test

[MSR-ike-peer-tunnel] remote-address 1.0.0.1

[MSR-ike-peer-tunnel] quit

# Configure the IPsec proposal.

[MSR] ipsec proposal test

[MSR-ipsec-proposal-test] esp encryption-algorithm 3des

[MSR-ipsec-proposal-test] quit

# Configure the IPsec policy.

[MSR] ipsec policy tunnel 1 isakmp

[MSR-ipsec-policy-isakmp-tunnel-1] security acl 3001

[MSR-ipsec-policy-isakmp-tunnel-1] ike-peer tunnel

[MSR-ipsec-policy-isakmp-tunnel-1] proposal test

[MSR-ipsec-policy-isakmp-tunnel-1] quit

# Apply the IPsec policy to the GRE tunnel interface.

[MSR] interface tunnel 0

[MSR-Tunnel0] ipsec policy tunnel

[MSR-Tunnel0] quit

# Configure a static route.

[MSR] ip route-static 101.0.0.0 255.255.255.0 Tunnel0

3.4.2  Configuring Cisco

# Configure the IP address of interface FastEthernet0/0.

Cisco> enable

Cisco# configure terminal

Cisco(config)# interface fastEthernet 0/0

Cisco(config-if)# ip address 1.0.0.1 255.255.255.0

Cisco(config-if)# duplex full

Cisco(config-if)# exit

# Configure the IP address of Loopback0.

Cisco(config)# interface loopback 0

Cisco(config-if)# ip address 101.0.0.1 255.255.255.255

Cisco(config-if)# exit

# Configure the GRE tunnel.

Cisco(config)# interface tunnel 0

Cisco(config-if)# ip address 10.0.0.1 255.255.255.0

Cisco(config-if)# tunnel source 1.0.0.1

Cisco(config-if)# tunnel destination 1.0.0.2

Cisco(config-if)# bandwidth 2048

Cisco(config-if)# exit

# Create ACL 102 to define the traffic to be protected by IPsec.

Cisco(config)# access-list 102 permit ip host 10.0.0.1 host 10.0.0.2

Cisco(config)# access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255

# Configure the IKE peer (ISAKMP policy and pre-shared key).

Cisco(config)# crypto isakmp policy 1

Cisco(config-isakmp)# authentication pre-share

Cisco(config-isakmp)# exit

Cisco(config)# crypto isakmp key test address 10.0.0.2

# Configure the IPsec proposal (transform set).

Cisco(config)# crypto ipsec transform-set test esp-3des esp-md5-hmac

Cisco(config-trans)# mode tunnel

Cisco(config-trans)# exit

# Configure the IPsec policy (crypto map).

Cisco(config)# crypto map tunnel 10 ipsec-isakmp

Cisco(config-crypto-map)# set peer 10.0.0.2

Cisco(config-crypto-map)# set transform-set test

Cisco(config-crypto-map)# match address 102

Cisco(config-crypto-map)# exit

# Apply the IPsec policy to the GRE tunnel interface.

Cisco(config)# interface tunnel 0

Cisco(config-if)# crypto map tunnel

Cisco(config-if)# exit

# Configure a static route.

Cisco(config)# ip route 100.0.0.0 255.255.255.0 Tunnel0

3.5  Verifying the Configuration

# The following output on MSR shows that IKE negotiation succeeded and that SAs for both phases were created.

<MSR> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

     141           1.0.0.1         RD|ST         2     IPSEC

     140           1.0.0.1         RD|ST         1     IPSEC

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

# The following output on MSR shows the IPsec SAs created by the negotiation.

<MSR> display ipsec sa

===============================

Interface: Tunnel0

    path MTU: 1476

===============================

 

  -----------------------------

  IPsec policy name: "tunnel"

  sequence number: 1

  mode: isakmp

  -----------------------------

    connection id: 13

    encapsulation mode: tunnel

    perfect forward secrecy: None

    tunnel:

        local  address: 10.0.0.2

        remote address: 1.0.0.1

    Flow :

        sour addr: 10.0.0.2/255.255.255.255  port: 0  protocol: IP

        dest addr: 10.0.0.1/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 3234777945 (0xc0cecb59)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3584

      max received sequence-number: 4

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 3885596902 (0xe79980e6)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3584

      max sent sequence-number: 5

      udp encapsulation used for nat traversal: N

# The following output on the Cisco device shows the IKE SA that was created.

Cisco# show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

 

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1     1.0.0.1         10.0.0.2                 ACTIVE des  sha  psk  1  23:58:44

       Connection-id:Engine-id =  1:1(software)

# The following output on the Cisco device shows the IPsec SAs that were created.

Cisco# show crypto ipsec sa detail

 

interface: Tunnel0

    Crypto map tag: tunnel, local addr 1.0.0.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

 

     local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1476, ip mtu 1476

     current outbound spi: 0xC0CECB59(3234777945)

 

     inbound esp sas:

      spi: 0xE79980E6(3885596902)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2004, flow_id: SW:4, crypto map: tunnel

        sa timing: remaining key lifetime (k/sec): (1759742/3502)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0xC0CECB59(3234777945)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2006, flow_id: SW:6, crypto map: tunnel

        sa timing: remaining key lifetime (k/sec): (1759742/3502)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

 

     local crypto endpt.: 1.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1476, ip mtu 1476

     current outbound spi: 0x0(0)

 

     inbound esp sas:

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:

3.6  Configuration Files

·     MSR:

#

acl number 3001

 rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0

 rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255

#

ike peer tunnel

 pre-shared-key simple test

 remote-address 1.0.0.1

#

ipsec proposal test

 esp encryption-algorithm 3des

#

ipsec policy tunnel 1 isakmp

 security acl 3001

 ike-peer tunnel

 proposal test

#

interface LoopBack0

 ip address 100.0.0.1 255.255.255.255

#

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.0.0.2 255.255.255.0

#

interface Tunnel0

 ip address 10.0.0.2 255.255.255.0

 source 1.0.0.2

 destination 1.0.0.1

 ipsec policy tunnel

#

ip route-static 101.0.0.0 255.255.255.0 Tunnel0

#

·     Cisco:

!

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key test address 10.0.0.2

!

crypto ipsec transform-set test esp-3des esp-md5-hmac

 mode tunnel

!

crypto map tunnel 10 ipsec-isakmp

 set peer 10.0.0.2

 set transform-set test

 match address 102

!

interface Tunnel0

 bandwidth 2048

 ip address 10.0.0.1 255.255.255.0

 tunnel source 1.0.0.1

 tunnel destination 1.0.0.2

 crypto map tunnel

!

interface Loopback0

 ip address 101.0.0.1 255.255.255.255

!

interface FastEthernet0/0

 ip address 1.0.0.1 255.255.255.0

 duplex full

!

ip route 100.0.0.0 255.255.255.0 Tunnel0

!

access-list 102 permit ip host 10.0.0.1 host 10.0.0.2

access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255

!

end

4  IPsec over GRE Interoperability Example with Normal Configuration on the MSR Side

4.1  Network Requirements

As shown in Figure 2, MSR and Cisco are connected over Ethernet. The requirements are: the MSR side is configured normally, the IKE peer address is the Cisco GRE tunnel address, and IPsec over GRE protects the data and carries the routes between the two private networks.

Figure 2 Network diagram for IPsec over GRE interoperability between MSR and Cisco

4.2  Configuration Approach

·     Configure static routes through the GRE tunnel so that the private networks at both ends can communicate.

·     Use IPsec together with GRE to protect the traffic routed through the GRE tunnel, that is, the communication between the two private networks.

·     On Cisco, make the Tunnel interface unnumbered to the loopback interface; on MSR, set the remote-address to the peer GRE tunnel address, so that both ends perform GRE encapsulation and IPsec encapsulation.

4.3  Software Versions Used

This example was configured and verified on MSR Release 2207 and Cisco 12.4.

4.4  Configuration Procedure

4.4.1  Configuring MSR

# Configure the IP address of interface GigabitEthernet0/0.

<MSR> system-view

[MSR] interface Gigabitethernet0/0

[MSR-GigabitEthernet0/0] ip address 1.0.0.2 24

[MSR-GigabitEthernet0/0] quit

# Configure the IP address of LoopBack0.

[MSR] interface LoopBack0

[MSR-LoopBack0] ip address 100.0.0.1 32

# Configure the GRE tunnel.

[MSR] interface tunnel0

[MSR-Tunnel0] ip address 10.0.0.2 32

[MSR-Tunnel0] source 1.0.0.2

[MSR-Tunnel0] destination 1.0.0.1

[MSR-Tunnel0] quit

# Create ACL 3001 to define the traffic to be protected by IPsec.

[MSR] acl number 3001

[MSR-acl-adv-3001] rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0

[MSR-acl-adv-3001] rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255

[MSR-acl-adv-3001] quit

# Configure the IKE peer.

[MSR] ike peer tunnel

[MSR-ike-peer-tunnel] pre-shared-key simple test

[MSR-ike-peer-tunnel] remote-address 10.0.0.1

[MSR-ike-peer-tunnel] quit

# Configure the IPsec proposal.

[MSR] ipsec proposal test

[MSR-ipsec-proposal-test] esp encryption-algorithm 3des

[MSR-ipsec-proposal-test] quit

# Configure the IPsec policy.

[MSR] ipsec policy tunnel 1 isakmp

[MSR-ipsec-policy-isakmp-tunnel-1] security acl 3001

[MSR-ipsec-policy-isakmp-tunnel-1] ike-peer tunnel

[MSR-ipsec-policy-isakmp-tunnel-1] proposal test

[MSR-ipsec-policy-isakmp-tunnel-1] quit

# Apply the IPsec policy to the GRE tunnel interface.

[MSR] interface tunnel0

[MSR-Tunnel0] ipsec policy tunnel

[MSR-Tunnel0] quit

# Configure a static route.

[MSR] ip route-static 101.0.0.0 255.255.255.0 Tunnel0

4.4.2  Configuring Cisco

# Configure the IP address of interface FastEthernet0/0.

Cisco> enable

Cisco# configure terminal

Cisco(config)# interface fastEthernet0/0

Cisco(config-if)# ip address 1.0.0.1 255.255.255.0

Cisco(config-if)# duplex full

Cisco(config-if)# exit

# Configure the IP address of Loopback0.

Cisco(config)# interface loopback0

Cisco(config-if)# ip address 10.0.0.1 255.255.255.255

Cisco(config-if)# exit

# Configure the IP address of Loopback10.

Cisco(config)# interface loopback10

Cisco(config-if)# ip address 101.0.0.1 255.255.255.255

Cisco(config-if)# exit

# Configure the GRE tunnel.

Cisco(config)# interface Tunnel0

Cisco(config-if)# ip unnumbered Loopback0

Cisco(config-if)# tunnel source 1.0.0.1

Cisco(config-if)# tunnel destination 1.0.0.2

Cisco(config-if)# bandwidth 2048

Cisco(config-if)# exit

# Create ACL 102 to define the traffic to be protected by IPsec.

Cisco(config)# access-list 102 permit ip host 10.0.0.1 host 10.0.0.2

Cisco(config)# access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255

# Configure the IKE peer (ISAKMP policy and pre-shared key).

Cisco(config)# crypto isakmp policy 1

Cisco(config-isakmp)# authentication pre-share

Cisco(config-isakmp)# exit

Cisco(config)# crypto isakmp key test address 10.0.0.2

# Configure the IPsec proposal (transform set).

Cisco(config)# crypto ipsec transform-set test esp-3des esp-md5-hmac

Cisco(config-trans)# mode tunnel

Cisco(config-trans)# exit

# Configure the IPsec policy (crypto map) and bind its local address to Loopback0.

Cisco(config)# crypto map tunnel local-address Loopback0

Cisco(config)# crypto map tunnel 10 ipsec-isakmp

Cisco(config-crypto-map)# set peer 10.0.0.2

Cisco(config-crypto-map)# set transform-set test

Cisco(config-crypto-map)# match address 102

Cisco(config-crypto-map)# exit

# Apply the IPsec policy to the GRE tunnel interface.

Cisco(config)# interface Tunnel0

Cisco(config-if)# crypto map tunnel

Cisco(config-if)# exit

# Configure a static route.

Cisco(config)# ip route 100.0.0.0 255.255.255.0 Tunnel0

4.5  Verifying the Configuration

# The following output on MSR shows that IKE negotiation succeeded and that SAs for both phases were created.

<MSR> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

     87            10.0.0.1        RD|ST         1     IPSec

     89            10.0.0.1        RD            2     IPSec

 

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

# The following output on MSR shows the IPsec SAs created by the negotiation.

<MSR> display ipsec sa

===============================

Interface: Tunnel0

    path MTU: 1476

===============================

 

  -----------------------------

  IPsec policy name: "tunnel"

  sequence number: 1

  mode: isakmp

  -----------------------------

    connection id: 8

    encapsulation mode: tunnel

    perfect forward secrecy: None

    tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.1

    Flow :

        sour addr: 100.0.0.0/255.255.255.0  port: 0  protocol: IP

        dest addr: 101.0.0.0/255.255.255.0  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 2043256353 (0x79c99e21)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/281

      max received sequence-number: 5

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 4220072552 (0xfb893268)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/281

      max sent sequence-number: 6

      udp encapsulation used for nat traversal: N

# The following output on the Cisco device shows the IKE SA that was created.

Cisco# show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

 

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

10    10.0.0.1        10.0.0.2                 ACTIVE des  sha  psk  1  22:05:55

       Connection-id:Engine-id =  10:1(software)

# The following output on the Cisco device shows the IPsec SAs that were created.

Cisco# show crypto ipsec sa detail

 

interface: Tunnel0

    Crypto map tag: tunnel, local addr 10.0.0.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

 

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1476, ip mtu 1476

     current outbound spi: 0x0(0)

 

     inbound esp sas:

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)

   current_peer 10.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

 

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

     path mtu 1476, ip mtu 1476

     current outbound spi: 0x79C99E21(2043256353)

 

     inbound esp sas:

      spi: 0xFB893268(4220072552)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2006, flow_id: SW:6, crypto map: tunnel

        sa timing: remaining key lifetime (k/sec): (1780660/256)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

         

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0x79C99E21(2043256353)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2004, flow_id: SW:4, crypto map: tunnel

        sa timing: remaining key lifetime (k/sec): (1780660/256)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:
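The verification steps in sections 3.5 and 4.5 are read by eye. The following Python script is an added example for this document (not H3C or Cisco code): it parses the MSR display ike sa and Cisco show crypto ipsec sa detail output shown above, confirms that both IKE phases are READY towards the expected peer, lists the flows that actually encapsulate and decapsulate packets, and reports any error counter (integrity verification, anti-replay, invalid SA) that has moved, which is the first thing to check when the tunnel is up but traffic is dropped. The embedded sample outputs are constructed, abridged copies of the section 3.5 output; for the section 4.5 output the expected peer would be 10.0.0.1.

```python
"""Verify IPsec over GRE interop from the devices' own show output: parse MSR
'display ike sa' and Cisco 'show crypto ipsec sa detail', report whether IKE is up
towards the expected peer, which flows carry traffic, and whether any error counter
moved. Added example for this document, not H3C or Cisco code; the sample outputs
are constructed, abridged copies of the outputs shown in section 3.5."""
import re

# One data row of 'display ike sa': connection-id, peer, flags, phase, doi
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([12])\s+IPSEC\s*$", re.I)
# Any Cisco '#pkts <name>: N' or '#pkts <name> N' counter (the colon is not always present)
COUNTER = re.compile(r"#+pkts\s+([^,#]+?)\s*:?\s+(\d+)")
LOCAL = re.compile(r"local\s+ident.*?:\s*\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")
REMOTE = re.compile(r"remote\s+ident.*?:\s*\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")
# Counters that must stay at zero on a healthy tunnel
ERROR_COUNTERS = ("verify failed", "replay failed (rcv)", "invalid sa (rcv)",
                  "decaps failed (rcv)", "encaps failed (send)")


def parse_msr_ike_sa(text):
    """Return {1: [(peer, flags)], 2: [(peer, flags)]} from MSR 'display ike sa' output."""
    sas = {1: [], 2: []}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            sas[int(m.group(4))].append((m.group(2), set(m.group(3).split("|"))))
    return sas


def ike_ready(sas, peer):
    """True when both IKE phases hold a READY (RD) SA towards `peer`."""
    return all(any(p == peer and "RD" in f for p, f in sas[ph]) for ph in (1, 2))


def parse_cisco_ipsec_sa(text):
    """Return one dict per protected flow: local/remote identities and all #pkts counters."""
    flows = []
    for block in re.split(r"\n\s*protected vrf:", text)[1:]:
        loc, rem = LOCAL.search(block), REMOTE.search(block)
        counters = {n.strip().lower(): int(v) for n, v in COUNTER.findall(block)}
        flows.append({"local": "/".join(loc.groups()), "remote": "/".join(rem.groups()),
                      "counters": counters})
    return flows


def interop_status(msr_ike_text, cisco_ipsec_text, expected_peer):
    """Combine both views: IKE state, flows passing traffic both ways, error counters moved."""
    flows = parse_cisco_ipsec_sa(cisco_ipsec_text)
    active = [(f["local"], f["remote"]) for f in flows
              if f["counters"].get("encaps", 0) > 0 and f["counters"].get("decaps", 0) > 0]
    problems = [f"{f['local']}->{f['remote']}: {n}={f['counters'][n]}"
                for f in flows for n in ERROR_COUNTERS if f["counters"].get(n, 0) > 0]
    return {"ike_ready": ike_ready(parse_msr_ike_sa(msr_ike_text), expected_peer),
            "active_flows": active, "problems": problems}


# Constructed samples, abridged from the section 3.5 output (method one).
MSR_IKE_SA = """\
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     141           1.0.0.1         RD|ST         2     IPSEC
     140           1.0.0.1         RD|ST         1     IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

CISCO_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: tunnel, local addr 1.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    ##pkts replay failed (rcv): 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (101.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.0.0.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts verify failed: 0
    ##pkts replay failed (rcv): 0
"""

if __name__ == "__main__":
    print(interop_status(MSR_IKE_SA, CISCO_IPSEC_SA, "1.0.0.1"))
```

On the method-one output only the host-to-host flow 10.0.0.1 to 10.0.0.2 carries traffic, matching the counters in section 3.5; the 101.0.0.0/24 to 100.0.0.0/24 flow has no SA yet and is reported as inactive rather than as a problem.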

4.6  Configuration Files

·     MSR:

#

acl number 3001

 rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0

 rule 10 permit ip source 100.0.0.0 0.0.0.255 destination 101.0.0.0 0.0.0.255

#

ike peer tunnel

 pre-shared-key simple test

 remote-address 10.0.0.1

#

ipsec proposal test

 esp encryption-algorithm 3des

#

ipsec policy tunnel 1 isakmp

 security acl 3001

 ike-peer tunnel

 proposal test

#

interface LoopBack0

 ip address 100.0.0.1 255.255.255.255

#

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.0.0.2 255.255.255.0

#

interface Tunnel0

 ip address 10.0.0.2 255.255.255.0

 source 1.0.0.2

 destination 1.0.0.1

 ipsec policy tunnel

#

ip route-static 101.0.0.0 255.255.255.0 Tunnel0

#

return

·     Cisco:

!

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key test address 10.0.0.2

!

crypto ipsec transform-set test esp-3des esp-md5-hmac

 mode tunnel

!

crypto map tunnel local-address Loopback0

crypto map tunnel 10 ipsec-isakmp

 set peer 10.0.0.2

 set transform-set test

 match address 102

!

interface Tunnel0

 bandwidth 2048

 ip unnumbered Loopback0

 tunnel source 1.0.0.1

 tunnel destination 1.0.0.2

 crypto map tunnel

!

interface Loopback0

 ip address 10.0.0.1 255.255.255.255

!

interface Loopback10

 ip address 101.0.0.1 255.255.255.255

!

interface FastEthernet0/0

 ip address 1.0.0.1 255.255.255.0

 duplex full

!

ip route 100.0.0.0 255.255.255.0 Tunnel0

!

access-list 102 permit ip host 10.0.0.1 host 10.0.0.2

access-list 102 permit ip 101.0.0.0 0.0.0.255 100.0.0.0 0.0.0.255

!

end
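Section 1 distinguishes the two methods only by where the MSR's IKE remote-address points, and section 4.6 adds the crypto map local-address binding that method two needs. The following Python script is an added example for this document, not H3C or Cisco code: it reads an MSR configuration file and a Cisco configuration file of the form shown in sections 3.6 and 4.6, checks that the GRE endpoints cross-match and that the Cisco set peer and ISAKMP key address equal the MSR Tunnel interface address (the address MSR's IKE is sourced from, as the local address in display ipsec sa shows), classifies the pair as method one or method two, requires the crypto map local-address binding for method two, and, as an audit check that is not part of the document's own examples, flags the legacy algorithms (3DES, MD5) and the pre-shared-key simple plaintext key storage used throughout these examples. The embedded sample configurations are trimmed, constructed copies of sections 3.6 and 4.6.

```python
"""Cross-check an H3C MSR and a Cisco configuration for IPsec over GRE interop and tell
which of the two methods from section 1 it implements. Added example for this document,
not H3C or Cisco code; the sample configurations are trimmed, constructed copies of
sections 3.6 and 4.6, and the reader is a line-oriented parser, not a full CLI parser."""
import re

LEGACY_ALGOS = ("des", "md5")  # added audit check; the H3C example does not flag these


def grab(pattern, text):
    """First capture group of `pattern` anywhere in multi-line `text`, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def sub(iface, key, cfg):
    """Argument of sub-command `key` inside the `interface <iface>` block, or None."""
    return grab(rf"^interface {re.escape(iface)}\n(?: .+\n)*? {key} (\S+)", cfg)


def read_msr(cfg):
    return {"tunnel_ip": sub("Tunnel0", "ip address", cfg),
            "tunnel_src": sub("Tunnel0", "source", cfg),
            "tunnel_dst": sub("Tunnel0", "destination", cfg),
            "ike_remote": grab(r"^ remote-address (\S+)", cfg),
            "psk_plain": re.search(r"^ pre-shared-key simple ", cfg, re.M) is not None,
            "algos": re.findall(r"^ esp \S+ (\S+)", cfg, re.M)}


def read_cisco(cfg):
    addr_if = sub("Tunnel0", "ip unnumbered", cfg) or "Tunnel0"  # Loopback0 in method two
    return {"tunnel_ip": sub(addr_if, "ip address", cfg),
            "tunnel_src": sub("Tunnel0", "tunnel source", cfg),
            "tunnel_dst": sub("Tunnel0", "tunnel destination", cfg),
            "key_addr": grab(r"^crypto isakmp key \S+ address (\S+)", cfg),
            "set_peer": grab(r"^ set peer (\S+)", cfg),
            "local_address": grab(r"^crypto map \S+ local-address (\S+)", cfg),
            "algos": (grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg) or "").split()}


def check_interop(msr_cfg, cisco_cfg):
    """Return the interop method ('one', 'two' or 'none') and a list of findings."""
    m, c = read_msr(msr_cfg), read_cisco(cisco_cfg)
    findings = []
    if (m["tunnel_src"], m["tunnel_dst"]) != (c["tunnel_dst"], c["tunnel_src"]):
        findings.append("GRE tunnel source/destination do not cross-match")
    # MSR sources IKE from the Tunnel interface its policy is applied to, so Cisco must key and peer on it
    for name in ("key_addr", "set_peer"):
        if c[name] != m["tunnel_ip"]:
            findings.append(f"Cisco {name} {c[name]} != MSR tunnel address {m['tunnel_ip']}")
    if m["ike_remote"] == c["tunnel_src"]:
        method = "one"  # IKE to the Cisco physical address: MSR sends IPsec without GRE
    elif m["ike_remote"] == c["tunnel_ip"]:
        method = "two"  # IKE to the Cisco tunnel address: GRE inside IPsec on both ends
        if c["local_address"] is None:
            findings.append("method two needs 'crypto map <name> local-address <loopback>' on Cisco")
    else:
        method = "none"
        findings.append(f"MSR remote-address {m['ike_remote']} matches no Cisco endpoint address")
    legacy = sorted(a for a in set(m["algos"] + c["algos"]) if any(w in a.lower() for w in LEGACY_ALGOS))
    if legacy:
        findings.append("legacy algorithms configured: " + ", ".join(legacy))
    if m["psk_plain"]:
        findings.append("MSR pre-shared key is stored in plaintext ('simple')")
    return {"method": method, "findings": findings}


# Constructed samples, trimmed from the configuration files in sections 3.6 and 4.6.
MSR_METHOD_ONE = """\
ike peer tunnel
 pre-shared-key simple test
 remote-address 1.0.0.1
#
ipsec proposal test
 esp encryption-algorithm 3des
#
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 source 1.0.0.2
 destination 1.0.0.1
 ipsec policy tunnel
"""
MSR_METHOD_TWO = MSR_METHOD_ONE.replace("remote-address 1.0.0.1", "remote-address 10.0.0.1")

CISCO_METHOD_TWO = """\
crypto isakmp key test address 10.0.0.2
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto map tunnel local-address Loopback0
crypto map tunnel 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set test
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source 1.0.0.1
 tunnel destination 1.0.0.2
 crypto map tunnel
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
"""
# Method one addresses Tunnel0 directly, uses Loopback0 for the 101.0.0.1 host and has no local-address binding.
CISCO_METHOD_ONE = (CISCO_METHOD_TWO.replace(" ip unnumbered Loopback0", " ip address 10.0.0.1 255.255.255.0")
                    .replace("crypto map tunnel local-address Loopback0\n", "")
                    .replace(" ip address 10.0.0.1 255.255.255.255", " ip address 101.0.0.1 255.255.255.255"))
```

Run against the two sample pairs, the script reports method one for the section 3 configuration and method two for the section 4 configuration, with the same two audit findings for both: the 3DES/MD5 algorithm set and the plaintext pre-shared key. Removing the crypto map local-address line from the method-two Cisco configuration is reported as a missing requirement rather than silently reclassified.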

5  Related Documentation

·     H3C MSR Series Routers Command References (V5)-R2311

·     H3C MSR Series Routers Configuration Guides (V5)-R2311

Documentation for different models and specifications varies slightly. For details, contact your sales representative or the 400 customer service hotline. H3C reserves the right to modify the content of its documentation without notice.