国家 / 地区

H3C MSR系列路由器典型配置举例(V5)-6W100

87-MSR系列路由器总部双出口固定IP、分支动态地址IPsec备份的配置举例

本章节下载  (146.65 KB)

docurl=/cn/Service/Document_Software/Document_Center/Routers/Catalog/MSR/MSR_50/Configure/Typical_Configuration_Example/H3C_MSR_(V5)-6W100/201401/812798_30005_0.htm

87-MSR系列路由器总部双出口固定IP、分支动态地址IPsec备份的配置举例

MSR系列路由器总部双出口固定IP、分支动态地址IPsec备份的配置举例

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

H3C_彩色.emf

 



1  简介

本文档介绍总部双出口固定IP、分支动态地址IPSec备份的配置举例。

2  配置前提

本文档不严格与具体软、硬件版本对应,如果使用过程中与产品实际情况有差异,请参考相关产品手册,或以设备实际情况为准。

本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突。

本文档假设您已了解IPSEC和双出口特性。

3  配置举例

3.1  组网需求

图1所示,总部Router A使用运营商1、运营商2双出口,分支单出口。要求总部和分支之间通过IPSec建立VPN,并进行相互备份。部分分支与总部运营商1线路相连,运营商2链路作为备份;另一部分与总部运营商2线路相连,运营商1线路作为备份。

假设Router C是优选运营商2线路,Router D是优选运营商1线路。

图1 双出口固定IP、分支动态地址IPSec备份的配置组网图

设备

接口

IP地址

设备

接口

IP地址

Router A

Eth0/0

2.1.1.1/24

Router C

Eth0/0

4.1.1.1/24

 

Eth0/1

3.1.1.1/24

 

Eth0/1

10.1.1.1/24

 

Loop0

192.168.254.1/32

 

Loop0

192.168.254.2/32

 

Loop1

192.168.254.129/32

 

Loop1

192.168.254.130/32

 

Loop10

10.10.10.10/32

Router D

Eth0/0

5.1.1.1/24

Router B

Eth0/0

3.1.1.2/24

 

Eth0/1

11.1.1.1/24

 

Eth0/1

2.1.1.2/24

 

Loop1

192.168.254.3/32

 

Eth0/2

4.1.1.2/24

 

Loop2

192.168.254.131/32

 

Eth0/3

5.1.1.2/24

 

-

 

 

3.2  配置思路

为实现链路备份,为每个分支建立两条隧道,并设置备份路由。分支动态分配地址,使用野蛮模式建立IPSEC。

3.3  使用版本

本举例是在Release 2317版本上进行配置和验证的。

3.4  配置注意事项

·     在配置总部的IKE对等体的时候,不能配置remote-address,否则不能实现总部到多个分支的通信。

·     配置总部安全策略的时候,使用模板,不用配置ACL。

3.5  配置步骤

3.5.1  Router A的配置

# 为运营商1线路创建LoopBack0

[RouterA] interface LoopBack0

[RouterA-LoopBack0] ip address 192.168.254.1 255.255.255.255

[RouterA-LoopBack0] quit

# 为运营商2线路创建LoopBack1

[RouterA] interface LoopBack1

[RouterA-LoopBack1] ip address 192.168.254.129 255.255.255.255

[RouterA-LoopBack1] quit

# 创建LoopBack10 模拟总部的内部网络

[RouterA] interface LoopBack10

[RouterA-LoopBack10] ip address 10.10.10.10 255.255.255.255

[RouterA-LoopBack10] quit

# 创建总部到分支Router C的运营商1GRE隧道

[RouterA] interface Tunnel 2

[RouterA-Tunnel2] ip address 7.1.1.2 255.255.255.0

[RouterA-Tunnel2] source 192.168.254.1

[RouterA-Tunnel2] destination 192.168.254.2

[RouterA-Tunnel2] keepalive

[RouterA-Tunnel2] quit

# 创建总部到分支Router D的运营商1GRE隧道

[RouterA] interface Tunnel 3

[RouterA-Tunnel3] ip address 12.1.1.2 255.255.255.0

[RouterA-Tunnel3] source 192.168.254.1

[RouterA-Tunnel3] destination 192.168.254.3

[RouterA-Tunnel3] keepalive

[RouterA-Tunnel3] quit

# 创建总部到分支Router C的运营商2 GRE隧道

[RouterA] interface Tunnel 130

[RouterA-Tunnel130] ip address 8.1.1.2 255.255.255.0

[RouterA-Tunnel130] source 192.168.254.129

[RouterA-Tunnel130] destination 192.168.254.130

[RouterA-Tunnel130] keepalive

[RouterA-Tunnel130] quit

# 创建总部到分支Router D的运营商2 GRE隧道

[RouterA] interface Tunnel 131

[RouterA-Tunnel131] ip address 13.1.1.2 255.255.255.0

[RouterA-Tunnel131] source 192.168.254.129

[RouterA-Tunnel131] destination 192.168.254.131

[RouterA-Tunnel131] keepalive

[RouterA-Tunnel131] quit

#运营商2线路作为前往分支4.1.1.1主线路

[RouterA] ip route-static 4.1.1.0 255.255.255.0 3.1.1.2

#运营商1线路作为前往分支4.1.1.1的备份

[RouterA] ip route-static 4.1.1.0 255.255.255.0 2.1.1.2 preference 80

#运营商2线路作为前往分支5.1.1.1备份

[RouterA] ip route-static 5.1.1.0 255.255.255.0 3.1.1.2 preference 80

#运营商1线路作为前往分支5.1.1.1主线路

[RouterA] ip route-static 5.1.1.0 255.255.255.0 2.1.1.2

# 配置运营商2的GRE隧道为总部到分支RTC的主线路

[RouterA] ip route-static 10.1.1.0 255.255.255.0 Tunnel 130

# 配置运营商1的GRE隧道为总部到分支RTC的备份

[RouterA] ip route-static 10.1.1.0 255.255.255.0 Tunnel 2 preference 80

# 配置运营商2的GRE隧道为总部到分支RTD的备份

[RouterA] ip route-static 11.1.1.0 255.255.255.0 Tunnel 131 preference 80

# 配置运营商1的GRE隧道为总部到分支RTD的主线路

[RouterA] ip route-static 11.1.1.0 255.255.255.0 Tunnel 3

# 通过运营商1线路到达每个分支的LoopBack0

[RouterA] ip route-static 192.168.254.0 255.255.255.128 2.1.1.2

# 通过运营商2通线路到达每个分支的LoopBack1

[RouterA] ip route-static 192.168.254.128 255.255.255.128 3.1.1.2

# 由于分支端地址由拨号动态获取或存在NAT设备,所以使用野蛮模式IKE

[RouterA] ike peer branch

[RouterA-ike-peer-branch] exchange-mode aggressive

[RouterA-ike-peer-branch] pre-shared-key 123

[RouterA-ike-peer-branch] nat traversal

[RouterA-ike-peer-branch] quit

# 配置安全协议

[RouterA] ipsec proposal def

[RouterA-ipsec-transform-set-def] esp authentication-algorithm md5

# 总部用模板,不设置AC L

[RouterA-ipsec-transform-set-def] ipsec policy-template temp 1

[RouterA-ipsec-policy-template-temp-1] ike-peer branch

[RouterA-ipsec-policy-template-temp-1] proposal def

[RouterA-ipsec-policy-template-temp-1] quit

[RouterA] ipsec policy branch 1 isakmp template temp

#运营商1接口

[RouterA] interface ethernet 0/0

[RouterA-Ethernet0/0] port link-mode route

[RouterA-Ethernet0/0] ip address 2.1.1.1 255.255.255.0

[RouterA-Ethernet0/0] ipsec policy branch

[RouterA-Ethernet0/0] quit

#运营商2接口

[RouterA] interface ethernet 0/1

[RouterA-Ethernet0/1] port link-mode route

[RouterA-Ethernet0/1] ip address 3.1.1.1 255.255.255.0

[RouterA-Ethernet0/1] ipsec policy branch

[RouterA-Ethernet0/1] quit

3.5.2  Router B的配置

# Router B来模拟Ineternet

[RouterB] interface ethernet 0/0

[RouterB-Ethernet0/0] port link-mode route

[RouterB-Ethernet0/0] ip address 3.1.1.2 255.255.255.0

[RouterB-Ethernet0/0] quit

[RouterB] interface ethernet 0/1

[RouterB-Ethernet0/1] port link-mode route

[RouterB-Ethernet0/1] ip address 2.1.1.2 255.255.255.0

[RouterB-Ethernet0/1] quit

[RouterB] interface ethernet 0/2

[RouterB-Ethernet0/2] port link-mode route

[RouterB-Ethernet0/2] ip address 4.1.1.2 255.255.255.0

[RouterB-Ethernet0/2] quit

[RouterB] interface ethernet 0/3

[RouterB-Ethernet0/3] port link-mode route

[RouterB-Ethernet0/3] ip address 5.1.1.2 255.255.255.0

[RouterB-Ethernet0/3] quit

[RouterB] ip route-static 192.168.254.1 255.255.255.255 2.1.1.1

[RouterB] ip route-static 192.168.254.2 255.255.255.255 4.1.1.1

[RouterB] ip route-static 192.168.254.3 255.255.255.255 5.1.1.1

[RouterB] ip route-static 192.168.254.129 255.255.255.255 3.1.1.1

[RouterB] ip route-static 192.168.254.130 255.255.255.255 4.1.1.1

[RouterB] ip route-static 192.168.254.131 255.255.255.255 5.1.1.1

3.5.3  Router C的配置

# 为运营商1线路创建LoopBack0

[RouterC] interface LoopBack0

[RouterC-LoopBack0] ip address 192.168.254.2 255.255.255.255

[RouterC-LoopBack0] quit

# 为运营商2线路创建LoopBack1

[RouterC] interface LoopBack1

[RouterC-LoopBack1] ip address 192.168.254.130 255.255.255.255

[RouterC-LoopBack1] quit

# 创建运营商1线路的GRE隧道

[RouterC] interface Tunnel 2

[RouterC-Tunnel2] ip address 7.1.1.1 255.255.255.0

[RouterC-Tunnel2] source 192.168.254.2

[RouterC-Tunnel2] destination 192.168.254.1

[RouterC-Tunnel2] keepalive

[RouterC-Tunnel2] quit

# 创建运营商2线路的GRE隧道

[RouterC] interface Tunnel130

[RouterC-Tunnel130] ip address 8.1.1.1 255.255.255.0

[RouterC-Tunnel130] source 192.168.254.130

[RouterC-Tunnel130] destination 192.168.254.129

[RouterC-Tunnel130] keepalive

[RouterC-Tunnel130] quit

# 配置一条默认路由来制定出口方向

[RouterC] ip route-static 0.0.0.0 0.0.0.0 4.1.1.2

# 配置运营商1的GRE隧道为分支访问总部的备份线路

[RouterC] ip route-static 10.10.10.10 255.255.255.255 Tunnel 2 preference 80

# 配置运营商2的GRE隧道为分支访问总部的主线路

[RouterC] ip route-static 10.10.10.10 255.255.255.255 Tunnel 130

# 配置ACL 3000匹配运营商1线路GRE流量

[RouterC] acl number 3000

[RouterC-acl-adv-3000] rule 0 permit gre source 192.168.254.2 0 destination 192.1

68.254.1 0

[RouterC-acl-adv-3000] quit

# 配置ACL 3000匹配运营商2线路GRE流量

[RouterC] acl number 3001

[RouterC-acl-adv-3001] rule 0 permit gre source 192.168.254.130 0 destination 192

.168.254.129 0

[RouterC-acl-adv-3001] quit

# 配置运营商2线路的IKE对等体

[RouterC] ike peer telecom

[RouterC-ike-peer-telecom] exchange-mode aggressive

[RouterC-ike-peer-telecom] pre-shared-key 123

[RouterC-ike-peer-telecom] remote-address 3.1.1.1

[RouterC-ike-peer-telecom] nat traversal

[RouterC-ike-peer-telecom] quit

# 配置运营商1线路的IKE对等体

[RouterC] ike peer unicom

[RouterC-ike-peer-unicom] exchange-mode aggressive

[RouterC-ike-peer-unicom] pre-shared-key 123

[RouterC-ike-peer-unicom] remote-address 2.1.1.1

[RouterC-ike-peer-unicom] nat traversal

[RouterC-ike-peer-unicom] quit

# 配置安全协议

[RouterC] ipsec proposal def

[RouterC-ipsec-transform-set-def] esp authentication-algorithm md5

[RouterC-ipsec-transform-set-def] ipsec policy headquarter 1 isakmp

[RouterC-ipsec-policy-isakmp-headquarter-1] security acl 3000

[RouterC-ipsec-policy-isakmp-headquarter-1] ike-peer unicom

[RouterC-ipsec-policy-isakmp-headquarter-1] proposal def

[RouterC-ipsec-policy-isakmp-headquarter-1] quit

[RouterC] ipsec policy headquarter 2 isakmp

[RouterC-ipsec-policy-isakmp-headquarter-2] security acl 3001

[RouterC-ipsec-policy-isakmp-headquarter-2] ike-peer telecom

[RouterC-ipsec-policy-isakmp-headquarter-2] proposal def

[RouterC-ipsec-policy-isakmp-headquarter-2] quit

[RouterC] interface ethernet 0/0

[RouterC-Ethernet0/0] port link-mode route

[RouterC-Ethernet0/0] ip address 4.1.1.1 255.255.255.0

[RouterC-Ethernet0/0] ipsec policy headquarter

[RouterC-Ethernet0/0] quit

[RouterC] interface ethernet 0/1

[RouterC-Ethernet0/1] port link-mode route

[RouterC-Ethernet0/1] ip address 10.1.1.1 255.255.255.0

[RouterC-Ethernet0/1] quit

3.5.4  Router D的配置

# 为运营商1线路创建LoopBack0

[RouterD] interface LoopBack0

[RouterD-LoopBack0] ip address 192.168.254.3 255.255.255.255

[RouterD-LoopBack0] quit

# 为运营商2线路创建LoopBack1

[RouterD] interface LoopBack1

[RouterD-LoopBack1] ip address 192.168.254.131 255.255.255.255

[RouterD-LoopBack1] quit

# 创建运营商1线路的GRE隧道

[RouterD] interface Tunnel 3

[RouterD-Tunnel3] ip address 12.1.1.1 255.255.255.0

[RouterD-Tunnel3] source 192.168.254.3

[RouterD-Tunnel3] destination 192.168.254.1

[RouterD-Tunnel3] keepalive

[RouterD-Tunnel3] quit

# 创建运营商2线路的GRE隧道

[RouterD] interface Tunnel 131

[RouterD-Tunnel131] ip address 13.1.1.1 255.255.255.0

[RouterD-Tunnel131] source 192.168.254.131

[RouterD-Tunnel131] destination 192.168.254.129

[RouterD-Tunnel131] keepalive

[RouterD-Tunnel131] quit

# 配置一条默认路由来制定出口方向

[RouterD] ip route-static 0.0.0.0 0.0.0.0 5.1.1.2

# 配置运营商1的GRE隧道为分支访问总部的主线路

[RouterD] ip route-static 10.10.10.10 255.255.255.255 Tunnel 3

# 配置运营商2的GRE隧道为分支访问总部的备份线路

[RouterD] ip route-static 10.10.10.10 255.255.255.255 Tunnel 131 preference 80

# 配置ACL 3000匹配运营商1线路GRE流量

[RouterD] acl number 3000

[RouterD-acl-adv-3000] rule 0 permit gre source 192.168.254.3 0 destination 192.1

68.254.1 0

[RouterD-acl-adv-3000] quit

# 配置ACL 3001匹配运营商2线路GRE流量

[RouterD] acl number 3001

[RouterD-acl-adv-3001] rule 0 permit gre source 192.168.254.131 0 destination 192

.168.254.129 0

[RouterD-acl-adv-3001] quit

# 配置运营商2线路的IKE对等体

[RouterD] ike peer telecom

[RouterD-ike-peer-telecom] exchange-mode aggressive

[RouterD-ike-peer-telecom] pre-shared-key 123

[RouterD-ike-peer-telecom] remote-address 3.1.1.1

[RouterD-ike-peer-telecom] nat traversal

[RouterD-ike-peer-telecom] quit

# 配置运营商1线路的IKE对等体

[RouterD] ike peer unicom

[RouterD-ike-peer-unicom] exchange-mode aggressive

[RouterD-ike-peer-unicom] pre-shared-key 123

[RouterD-ike-peer-unicom] remote-address 2.1.1.1

[RouterD-ike-peer-unicom] nat traversal

[RouterD-ike-peer-unicom] quit

# 配置安全协议

[RouterD] ipsec proposal def

[RouterD-ipsec-transform-set-def] esp authentication-algorithm md5

[RouterD-ipsec-transform-set-def] ipsec policy headquarter 1 isakmp

[RouterD-ipsec-policy-isakmp-headquarter-1] security acl 3000

[RouterD-ipsec-policy-isakmp-headquarter-1] ike-peer unicom

[RouterD-ipsec-policy-isakmp-headquarter-1] proposal def

[RouterD-ipsec-policy-isakmp-headquarter-1] quit

[RouterD] ipsec policy headquarter 2 isakmp

[RouterD-ipsec-policy-isakmp-headquarter-2] security acl 3001

[RouterD-ipsec-policy-isakmp-headquarter-2] ike-peer telecom

[RouterD-ipsec-policy-isakmp-headquarter-2] proposal def

[RouterD-ipsec-policy-isakmp-headquarter-2] quit

[RouterD] interface ethernet 0/0

[RouterD-Ethernet0/0] port link-mode route

[RouterD-Ethernet0/0] ip address 5.1.1.1 255.255.255.0

[RouterD-Ethernet0/0] ipsec policy headquarter

[RouterD-Ethernet0/0] quit

[RouterD] interface ethernet 0/1

[RouterD-Ethernet0/1] port link-mode route

[RouterD-Ethernet0/1] ip address 11.1.1.1 255.255.255.0

[RouterD-Ethernet0/1] quit

3.6  验证配置

1)     Router A上查看IPSec状态

<RouterA>display ipsec sa brief

 total phase-2 IPv4 SAs: 8

Src Address            Dst Address            SPI        Protocol Algorithm

-----------------------------------------------------------------------------

3.1.1.1                4.1.1.1                4273063068 ESP      E:NULL

                                                                  A:HMAC-MD5-96

4.1.1.1                2.1.1.1                1601976515 ESP      E:NULL

                                                                  A:HMAC-MD5-96

2.1.1.1                4.1.1.1                373419746  ESP      E:NULL

                                                                  A:HMAC-MD5-96

2.1.1.1                5.1.1.1                432547588  ESP      E:NULL

                                                                  A:HMAC-MD5-96

3.1.1.1                5.1.1.1                2730487603 ESP      E:NULL

                                                                  A:HMAC-MD5-96

5.1.1.1                3.1.1.1                3287952200 ESP      E:NULL

                                                                  A:HMAC-MD5-96

4.1.1.1                3.1.1.1                1353440193 ESP      E:NULL

                                                                  A:HMAC-MD5-96

5.1.1.1                2.1.1.1                4151631860 ESP      E:NULL

                                                                  A:HMAC-MD5-96

 total phase-2 IPv6 SAs: 0

Src Address            Dst Address            SPI        Protocol Algorithm

-----------------------------------------------------------------------------

2)     网关设备和链路均正常工作时,Router C与Router D两个分支都可以连通总部

 <RouterC>ping 10.10.10.10

  PING 10.10.10.10: 56  data bytes, press CTRL_C to break

    Reply from 10.10.10.10: bytes=56 Sequence=0 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=1 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=2 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=3 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=4 ttl=255 time=3 ms

 

  --- 10.10.10.10 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

<RouterD>ping 10.10.10.10

  PING 10.10.10.10: 56  data bytes, press CTRL_C to break

    Reply from 10.10.10.10: bytes=56 Sequence=0 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=1 ttl=255 time=2 ms

    Reply from 10.10.10.10: bytes=56 Sequence=2 ttl=255 time=2 ms

    Reply from 10.10.10.10: bytes=56 Sequence=3 ttl=255 time=3 ms

    Reply from 10.10.10.10: bytes=56 Sequence=4 ttl=255 time=2 ms

 

  --- 10.10.10.10 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

round-trip min/avg/max = 2/2/3 ms

3)     当运营商1线路Tunnel 2故障时时,总部可以ping通分支Router D

<RouterA>ping 11.1.1.1

  PING 11.1.1.1: 56  data bytes, press CTRL_C to break

    Reply from 11.1.1.1: bytes=56 Sequence=0 ttl=255 time=3 ms

    Reply from 11.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms

    Reply from 11.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms

    Reply from 11.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms

    Reply from 11.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms

 

  --- 11.1.1.1 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 2/2/3 ms

 

# 此时根据路由表可知,运营商1线路故障,总部通过运营商2线路连接分支Router D

<RouterA>dis ip routing-table

Routing Tables: Public

         Destinations : 16       Routes : 16

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

 

3.1.1.0/24          Direct 0    0            3.1.1.1         Eth0/1

3.1.1.1/32          Direct 0    0            127.0.0.1       InLoop0

4.1.1.0/24          Static 60   0            3.1.1.2         Eth0/1

5.1.1.0/24          Static 80   0            3.1.1.2         Eth0/1

8.1.1.0/24          Direct 0    0            8.1.1.2         Tun130

8.1.1.2/32          Direct 0    0            127.0.0.1       InLoop0

10.1.1.0/24         Static 60   0            8.1.1.2         Tun130

10.10.10.10/32      Direct 0    0            127.0.0.1       InLoop0

11.1.1.0/24         Static 80   0            13.1.1.2        Tun131

13.1.1.0/24         Direct 0    0            13.1.1.2        Tun131

13.1.1.2/32         Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

192.168.254.1/32    Direct 0    0            127.0.0.1       InLoop0

192.168.254.128/25  Static 60   0            3.1.1.2         Eth0/1

192.168.254.129/32  Direct 0    0            127.0.0.1       InLoop0

3.7  配置文件

·     Router A:

#

ike peer branch

 exchange-mode aggressive

 pre-shared-key cipher $c$3$L79wq+pDjevyzrepMRZrsdAqH50WVA==

 nat traversal

#

ipsec transform-set def

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

#

ipsec policy-template temp 1

 ike-peer branch

 transform-set def

#

ipsec policy branch 1 isakmp template temp

#

user-group system

 group-attribute allow-guest

#

local-user admin

 password cipher $c$3$40gC1cxf/wIJNa1ufFPJsjKAof+QP5aV

 authorization-attribute level 3

 service-type telnet

#

cwmp

 undo cwmp enable

#

interface Aux0

 async mode flow

 link-protocol ppp

#

interface Cellular0/0

 async mode protocol

 link-protocol ppp

#

interface Ethernet0/0

 port link-mode route

 ip address 2.1.1.1 255.255.255.0

 ipsec policy branch

#

interface Ethernet0/1

 port link-mode route

 ip address 3.1.1.1 255.255.255.0

 ipsec policy branch

#

interface NULL0

#

interface LoopBack0

 ip address 192.168.254.1 255.255.255.255

#

interface LoopBack1

 ip address 192.168.254.129 255.255.255.255

#

interface LoopBack10

 ip address 10.10.10.10 255.255.255.255

#

interface Tunnel2

 ip address 7.1.1.2 255.255.255.0

 source 192.168.254.1

 destination 192.168.254.2

 keepalive 10 3

#

interface Tunnel3

 ip address 12.1.1.2 255.255.255.0

 source 192.168.254.1

 destination 192.168.254.3

 keepalive 10 3

#

interface Tunnel130

 ip address 8.1.1.2 255.255.255.0

 source 192.168.254.129

 destination 192.168.254.130

 keepalive 10 3

#

interface Tunnel131

 ip address 13.1.1.2 255.255.255.0

 source 192.168.254.129

 destination 192.168.254.131

 keepalive 10 3

#

 ip route-static 4.1.1.0 255.255.255.0 3.1.1.2

 ip route-static 4.1.1.0 255.255.255.0 2.1.1.2 preference 80

 ip route-static 5.1.1.0 255.255.255.0 3.1.1.2 preference 80

 ip route-static 5.1.1.0 255.255.255.0 2.1.1.2

 ip route-static 10.1.1.0 255.255.255.0 Tunnel130

 ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 80

 ip route-static 11.1.1.0 255.255.255.0 Tunnel3

 ip route-static 11.1.1.0 255.255.255.0 Tunnel131 preference 80

 ip route-static 192.168.254.0 255.255.255.128 2.1.1.2

 ip route-static 192.168.254.128 255.255.255.128 3.1.1.2

#

·     Router B:

#

interface Ethernet0/0

 port link-mode route

 ip address 3.1.1.2 255.255.255.0

#

interface Ethernet0/1

 port link-mode route

 ip address 2.1.1.2 255.255.255.0

#

interface Ethernet0/2

 port link-mode route

 ip address 4.1.1.2 255.255.255.0

#

interface Ethernet0/3

 port link-mode route

 ip address 5.1.1.2 255.255.255.0

#

ip route-static 192.168.254.1 255.255.255.255 2.1.1.1

 ip route-static 192.168.254.2 255.255.255.255 4.1.1.1

 ip route-static 192.168.254.3 255.255.255.255 5.1.1.1

 ip route-static 192.168.254.129 255.255.255.255 3.1.1.1

 ip route-static 192.168.254.130 255.255.255.255 4.1.1.1

 ip route-static 192.168.254.131 255.255.255.255 5.1.1.1

#

·     Router C:

#

acl number 3000

 rule 0 permit gre source 192.168.254.2 0 destination 192.168.254.1 0

acl number 3001

 rule 0 permit gre source 192.168.254.130 0 destination 192.168.254.129 0

#

ike peer telecom

 exchange-mode aggressive

 pre-shared-key cipher $c$3$Eclh00SfISOK0Ya+YpYW1XlCpO7Ubw==

 remote-address 3.1.1.1

 nat traversal

#

ike peer unicom

 exchange-mode aggressive

 pre-shared-key cipher $c$3$ITGbqGRZ8oxRNeVc9UewnVVgJ2oQdA==

 remote-address 2.1.1.1

 nat traversal

#

ipsec transform-set def

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

#

ipsec policy headquarter 1 isakmp

 security acl 3000

 ike-peer unicom

 transform-set def

#

ipsec policy headquarter 2 isakmp

 security acl 3001

 ike-peer telecom

 transform-set def

#

user-group system

 group-attribute allow-guest

#

cwmp

 undo cwmp enable

#

interface Aux0

 async mode flow

 link-protocol ppp

#

interface Cellular0/0

 async mode protocol

 link-protocol ppp

#

interface Ethernet0/0

 port link-mode route

 ip address 4.1.1.1 255.255.255.0

 ipsec policy headquarter

#

interface Ethernet0/1

 port link-mode route

 ip address 10.1.1.1 255.255.255.0

#

interface NULL0

#

interface LoopBack0

 ip address 192.168.254.2 255.255.255.255

#

interface LoopBack1

 ip address 192.168.254.130 255.255.255.255

#

interface Tunnel2

 ip address 7.1.1.1 255.255.255.0

 source 192.168.254.2

 destination 192.168.254.1

 keepalive 10 3

#

interface Tunnel130

 ip address 8.1.1.1 255.255.255.0

 source 192.168.254.130

 destination 192.168.254.129

 keepalive 10 3

#

 ip route-static 0.0.0.0 0.0.0.0 4.1.1.2

 ip route-static 10.10.10.10 255.255.255.255 Tunnel2 preference 80

 ip route-static 10.10.10.10 255.255.255.255 Tunnel130

#

·     Router D

#

acl number 3000

 rule 0 permit gre source 192.168.254.3 0 destination 192.168.254.1 0

acl number 3001

 rule 0 permit gre source 192.168.254.131 0 destination 192.168.254.129 0

#

ike peer telecom

 exchange-mode aggressive

 pre-shared-key cipher $c$3$DgSOJydCGR9QSclrdyLA92iZ0Fnzcw==

 remote-address 3.1.1.1

 nat traversal

#

ike peer unicom

 exchange-mode aggressive

 pre-shared-key cipher $c$3$Fpv6Rh/hTBsYdTPEa6Au28lg+IyVFg==

 remote-address 2.1.1.1

 nat traversal

#

ipsec transform-set def

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

#

ipsec policy headquarter 1 isakmp

 security acl 3000

 ike-peer unicom

 transform-set def

#

ipsec policy headquarter 2 isakmp

 security acl 3001

 ike-peer telecom

 transform-set def

#

interface LoopBack0

 ip address 192.168.254.3 255.255.255.255

#

interface LoopBack1

 ip address 192.168.254.131 255.255.255.255

#

interface Ethernet0/0

 port link-mode route

 ip address 5.1.1.1 255.255.255.0

 ipsec policy headquarter

#

interface Ethernet0/1

 port link-mode route

 ip address 11.1.1.1 255.255.255.0

#

interface Tunnel3

 ip address 12.1.1.1 255.255.255.0

 source 192.168.254.3

 destination 192.168.254.1

 keepalive 10 3

#

interface Tunnel131

 ip address 13.1.1.1 255.255.255.0

 source 192.168.254.131

 destination 192.168.254.129

 keepalive 10 3

#

 ip route-static 0.0.0.0 0.0.0.0 5.1.1.2

 ip route-static 10.10.10.10 255.255.255.255 Tunnel3

 ip route-static 10.10.10.10 255.255.255.255 Tunnel131 preference 80

 ip route-static 192.168.254.1 255.255.255.255 5.1.1.2

 ip route-static 192.168.254.129 255.255.255.255 5.1.1.2

#

4  相关资料

·     H3C MSR 系列路由器 命令参考(V5)-R2311

·     H3C MSR 系列路由器 配置指导(V5)-R2311

不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!