13-H3C MSR Series Routers: Mobile Communication Modem Management Configuration Examples
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form by any entity or individual without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks, product identifiers, and trade names of other companies that appear in this manual are the property of their respective owners.
The information in this document is subject to change without notice.
Applicable to MSR centralized and MSR distributed products running R6728P13 or later.
As shown in Figure 1, Router A has a 5G modem module. Users access the 5G network through DDR autodial and keep a permanent online connection. The requirements are as follows:
· On Router A, channelize Ethernet interface Eth-channel1/0:0 out of interface Cellular1/0, use it as the DDR dial interface, and obtain the IP address automatically assigned by the carrier through the modem's proprietary protocol.
· On Router A, configure traditional DDR as the dial-up method. Choose the dial string for the peer according to the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
· On Router A, configure a dynamic access point as the parameter profile; the carrier assigns the access point name during dial-up negotiation.
· Router A's subnet is 192.168.1.0/24, and DDR dial-up is triggered only by IPv4 packets.
Figure 1 Network diagram for 5G modem dial-up Internet access
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem parameter profile is enough for the router to access the 5G network. With a 5G IoT card or a dedicated VPDN SIM card, configure a static access point in the 5G modem parameter profile as the 5G network access point, and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dial-up.
# Configure dialer access group 1 and its dial-up access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Configure the 5G modem parameter profile with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer access group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 so the link is never disconnected for inactivity, the call setup (wait-carrier) timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used for autodialing the peer. The string depends on the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel1/0:0 to perform address translation for all packets from the internal network.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
# Display the routing table. The configured default route is active, and users can access the Internet through the device.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0.0.0.0 eth-channel 1/0:0
#
Applicable to MSR centralized and MSR distributed products running R6728P13 or later.
As shown in Figure 2, Router A can access the Internet over the wired link Router A -> Router B. Router A also has a 5G modem module and can access the Internet over the 5G network through DDR dial-up. The requirements are as follows:
· On Router A, configure traditional DDR autodial to access the 5G network and keep a permanent 5G online connection.
· On Router A, configure two routes to the Internet: the wired link is the primary link for forwarding data, and the 5G link is the backup link.
· On Router A, monitor the state of the wired link and switch links promptly when the wired link state changes.
Figure 2 Network diagram for 5G modem dial-up link backup
To make the wired link the primary link, the route over the wired link must have a higher priority (a lower preference value) than the route over the 5G network.
To monitor the link state, configure NQA on Router A to probe the wired link and detect state changes in real time.
To switch links promptly when the wired link state changes, configure a Track entry and associate it with the static route. When NQA detects that the wired link is down, the route through the wired interface is set to Inactive automatically, the static route over the 5G link takes effect, and data is forwarded over the 5G network. When NQA detects that the wired link is up again, the route through the wired interface is activated automatically, the static route over the wired link takes effect, and data is forwarded over the wired link.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem parameter profile is enough for the router to access the 5G network. With a 5G IoT card or a dedicated VPDN SIM card, configure a static access point in the 5G modem parameter profile as the 5G network access point, and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dial-up.
# Configure dialer access group 1 and its dial-up access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Configure the 5G modem parameter profile with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer access group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 so the link is never disconnected for inactivity, the call setup (wait-carrier) timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used for autodialing the peer. The string depends on the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel1/0:0 to perform address translation for all packets from the internal network.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure the default routes. The wired-link route has a preference of 50 and is associated with Track 1; the 5G-link route has a preference of 60.
[RouterA] ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
(3) Configure an NQA test group.
# Create an ICMP echo NQA test group (administrator admin, operation tag test) and set the destination address of the probe packets to 1.1.1.1. Choose the destination according to the actual network; this example uses the address of GigabitEthernet1/0/2 on Router B.
[RouterA] nqa entry admin test
[RouterA-nqa-admin-test] type icmp-echo
[RouterA-nqa-admin-test-icmp-echo] destination ip 1.1.1.1
# Set the next hop of the probe packets to 192.168.2.2.
[RouterA-nqa-admin-test-icmp-echo] next-hop ip 192.168.2.2
# Configure optional parameters: 5 probes per NQA test, a probe timeout of 500 milliseconds, and an interval of 5000 milliseconds between the start times of consecutive tests.
[RouterA-nqa-admin-test-icmp-echo] probe count 5
[RouterA-nqa-admin-test-icmp-echo] probe timeout 500
[RouterA-nqa-admin-test-icmp-echo] frequency 5000
# Create reaction entry 1: two consecutive probe failures trigger collaboration with other modules.
[RouterA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
[RouterA-nqa-admin-test-icmp-echo] quit
# Configure Track entry 1 and associate it with reaction entry 1 of the NQA test group (administrator admin, operation tag test).
[RouterA] track 1 nqa entry admin test reaction 1
[RouterA-track-1] quit
# Start the test group immediately and keep it running indefinitely.
[RouterA] nqa schedule admin test start-time now lifetime forever
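An added example, not from the H3C document: a small Python model of the NQA reaction, Track and static-route interaction configured on Router A above. It uses the document's values (two consecutive probe failures trigger reaction 1; the wired default route has preference 50 and is bound to Track 1; the 5G default route has preference 60) and assumes, as a simplification, that one successful probe resets the consecutive-failure counter and returns Track 1 to Positive.

```python
"""Simulate the NQA -> Track -> static-route chain configured on Router A.

Added example, not part of the H3C document. It models the reaction entry
'reaction 1 checked-element probe-fail threshold-type consecutive 2' driving
Track 1, and the two default routes (wired, preference 50, bound to Track 1;
5G, preference 60). Assumption: one successful probe resets the consecutive
failure counter and returns the Track object to Positive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    """One 'ip route-static 0.0.0.0 0 ...' entry."""
    interface: str
    preference: int
    next_hop: str = "0.0.0.0"
    track: Optional[int] = None  # Track object the route is bound to, if any


@dataclass
class ConsecutiveFailReaction:
    """'probe-fail threshold-type consecutive N': N back-to-back failed
    probes put the reaction over threshold, which turns the Track Negative."""
    threshold: int
    failures: int = 0
    over_threshold: bool = False

    def observe(self, probe_ok: bool) -> bool:
        """Record one ICMP-echo probe result; return True while over threshold."""
        if probe_ok:
            self.failures = 0
            self.over_threshold = False
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self.over_threshold = True
        return self.over_threshold


def active_default_route(routes: List[StaticRoute],
                         track_negative: Dict[int, bool]) -> StaticRoute:
    """A route bound to a Negative Track object is Inactive and not installed;
    among the rest, the lowest preference value wins (Comware: lower is better)."""
    usable = [r for r in routes
              if r.track is None or not track_negative.get(r.track, False)]
    return min(usable, key=lambda r: r.preference)


def router_a_routes(bind_track: bool = True) -> List[StaticRoute]:
    """The two default routes from the configuration above. bind_track=False
    shows what happens if 'track 1' is left off the wired route."""
    return [
        StaticRoute("GE1/0/2", 50, "192.168.2.2", track=1 if bind_track else None),
        StaticRoute("E-Ch1/0:0", 60),
    ]


def simulate(probe_results: List[bool], bind_track: bool = True) -> List[str]:
    """Feed probe outcomes (True = reply within 'probe timeout 500') through
    reaction 1 and report the outgoing interface after each probe."""
    routes = router_a_routes(bind_track)
    reaction = ConsecutiveFailReaction(threshold=2)
    chosen = []
    for ok in probe_results:
        negative = reaction.observe(ok)
        chosen.append(active_default_route(routes, {1: negative}).interface)
    return chosen


if __name__ == "__main__":
    # Constructed probe sequence: link healthy, two timeouts, then recovery.
    for iface in simulate([True, True, False, False, True]):
        print(iface)
```

Without the Track binding the wired route stays installed even while every probe to 192.168.2.2 times out, which is the case the document's `track 1` keyword exists to handle.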
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure routes.
# Configure interface GigabitEthernet1/0/2 to perform address translation for all packets from the internal network.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] nat outbound
[RouterB-GigabitEthernet1/0/2] quit
# Configure a static route to network 192.168.1.0/24.
[RouterB] ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
# Display the routing table on Router A. The default route over the wired link is active.
[RouterA] display ip routing-table
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 50 0 192.168.2.2 GE1/0/2
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
# Shut down interface GigabitEthernet1/0/2 and display the routing table on Router A again. The default route over the 5G network is now active.
[RouterA] display ip routing-table
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 E-Ch1/0:0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
1.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
...
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 gigabitethernet 1/0/2 192.168.2.2 track 1 preference 50
ip route-static 0.0.0.0 0 eth-channel 1/0:0 preference 60
nqa entry admin test
type icmp-echo
destination ip 1.1.1.1
next-hop ip 192.168.2.2
probe count 5
probe timeout 500
frequency 5000
reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
ip route-static 192.168.1.0 255.255.255.0 gigabitethernet 1/0/1 192.168.2.1
Applicable to MSR centralized and MSR distributed products running R6728P13 or later.
As shown in Figure 3, Router A has a 5G modem module, and users access the 5G network through DDR autodial. An IPsec tunnel is established between branch gateway Router A and headquarters gateway Router B to protect traffic between branch network 192.168.1.0/24 and headquarters network 192.168.2.0/24. The requirements are as follows:
· On Router A, configure traditional DDR autodial to access the 5G network and keep a permanent 5G online connection.
· Configure the IPsec tunnel in tunnel mode with ESP as the security protocol, DES in CBC mode as the encryption algorithm, and SHA1 as the authentication algorithm, and use IKE negotiation to establish the IPsec SAs.
Figure 3 Network diagram for 5G modem dial-up with an IPsec tunnel
On Router A, channelize Ethernet interface Eth-channel1/0:0 out of interface Cellular1/0, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol. Configure DDR autodial on Eth-channel1/0:0 to access the 5G network, and configure a permanent online connection.
Because the address of dial interface Eth-channel1/0:0 changes dynamically, the IPsec tunnel must be configured on headquarters gateway Router B with an IPsec policy template whose peer address is 0.0.0.0/0, and the tunnel establishment request is initiated by branch gateway Router A.
To ensure that headquarters gateway Router B has private-network routes to every branch gateway, enable IPsec reverse route injection on Router B so that the static routes from headquarters to the branches are generated dynamically as IPsec SAs are established.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem parameter profile is enough for the router to access the 5G network. With a 5G IoT card or a dedicated VPDN SIM card, configure a static access point in the 5G modem parameter profile as the 5G network access point, and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dial-up.
# Configure dialer access group 1 and its dial-up access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Configure the 5G modem parameter profile with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain an IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer access group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 so the link is never disconnected for inactivity, the call setup (wait-carrier) timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used to dial the peer. The string depends on the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure the IPsec policy.
# Configure IPv4 advanced ACL 3001 to permit IP packets from 192.168.1.0/24 to 192.168.2.0/24.
[RouterA] acl advanced 3001
[RouterA-acl-ipv4-adv-3001] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3001] quit
# Create IPsec transform set tran1: tunnel mode, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure IKE proposal 1: pre-shared key authentication, 3DES encryption, and HMAC-SHA1 authentication.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
# Create IKE keychain key1 and configure the plaintext pre-shared key 123456 for the peer at 1.1.1.1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create IKE profile ike1: reference IKE keychain key1, match the peer identity by IP address 1.1.1.1, and set the DPD interval to 5 seconds in periodic mode.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 1.1.1.1 255.255.255.0
[RouterA-ike-profile-ike1] dpd interval 5 periodic
[RouterA-ike-profile-ike1] quit
# Create IPsec policy policy1: reference transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3001, and set the peer IPv4 address of the IPsec tunnel to 1.1.1.1.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3001
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 1.1.1.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Apply IPsec policy policy1 to interface Eth-channel1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) Router B, as the headquarters gateway, is assumed to already have a default route to the public-network next hop.
(2) Configure the IPsec policy.
# Configure IPv4 advanced ACL 3003 to permit IP packets from 192.168.2.0/24 to 192.168.1.0/24.
<RouterB> system-view
[RouterB] acl advanced 3003
[RouterB-acl-ipv4-adv-3003] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterB-acl-ipv4-adv-3003] quit
# Create IPsec transform set tran1 with SHA1 as the authentication algorithm and DES in CBC mode as the encryption algorithm.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create IKE proposal 1: pre-shared key authentication, 3DES encryption, and HMAC-SHA1 authentication.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] quit
# Create IKE keychain key1 and configure the plaintext pre-shared key 123456 for the peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create IKE profile ike1: reference IKE keychain key1 and match the peer identity by IP address 0.0.0.0 (any address).
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] quit
# Create IPsec policy template temp1: reference transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3003.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] security acl 3003
# Enable IPsec reverse route injection so that static routes are generated dynamically from the negotiated IPsec SAs.
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create IPsec policy policy1 with sequence number 10 from IPsec policy template temp1, using IKE negotiation to establish IPsec SAs.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply IPsec policy policy1 to interface GigabitEthernet1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ipsec apply policy policy1
[RouterB-GigabitEthernet1/0/1] quit
After the configuration is complete, traffic from branch subnet 192.168.1.0/24 to headquarters network 192.168.2.0/24 triggers IKE negotiation between Router A and Router B. Once IKE has negotiated the IPsec SAs, traffic between the headquarters network and the branch subnet is protected by those SAs.
# Router A and Router B can ping each other's private networks.
<RouterA> ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=7.343 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.164 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=1.080 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=1.234 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.391 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
# Display the negotiated IPsec SAs on Router A.
<RouterA> display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 4500 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 4500 protocol: ip
...
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
#
ip route-static 0.0.0.0 0.0.0.0 eth-channel 1/0:0
#
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
dpd interval 5 periodic
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3001
remote-address 1.1.1.1
#
interface eth-channel 1/0:0
ipsec apply policy policy1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.2.1 255.255.255.0
#
acl advanced 3003
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$6xffbOeJQiOn1UzvH2Vdd1H+2PenaF8c3g==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3003
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
Applicable to MSR centralized and MSR distributed products running R6728P13 or later.
As shown in Figure 4, Router A has a 5G modem module, and users access the 5G network through DDR autodial. ADVPN tunnels are established among branch gateways Router A and Router B and headquarters gateway Router C for full connectivity between branches and between each branch and headquarters. The requirements are as follows:
· On Router A, configure traditional DDR autodial to access the 5G network and keep a permanent online connection.
· Router A and Router B act as spokes and Router C acts as the hub. Permanent ADVPN tunnels are established between each spoke and the hub.
· Between the two spokes, Router A and Router B, an ADVPN tunnel is established dynamically, triggered by data traffic.
Figure 4 Network diagram for 5G modem dial-up with ADVPN tunnels
Device | Interface | IP address | Device | Interface | IP address
Router A (Spoke1) | GE1/0/1 | 192.168.1.1/24 | Router C (Hub) | GE1/0/1 | 192.168.3.1/24
 | Tunnel1 | 192.168.0.1/24 | | GE1/0/2 | 1.1.1.1/24
Router B (Spoke2) | GE1/0/1 | 192.168.2.1/24 | | Tunnel1 | 192.168.0.3/24
 | Tunnel1 | 192.168.0.2/24 | Router D (VAM Server) | GE1/0/1 | 1.1.1.2/24
On Router A, channelize Ethernet interface Eth-channel1/0:0 out of interface Cellular1/0, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol. Configure DDR autodial on Eth-channel1/0:0 to access the 5G network, and configure a permanent online connection.
To keep data confidential between the branches and headquarters and between the branches themselves, apply an IPsec profile on the ADVPN tunnels to encrypt the data. Because the address of dial interface Eth-channel1/0:0 changes dynamically, the peer address must be specified as 0.0.0.0/0 when the IPsec profile is applied to the ADVPN tunnels.
In this example, Router D (the VAM server) does not perform AAA authentication on the identities of VAM clients Router A, Router B, and Router C. To authenticate VAM clients, configure AAA authentication of VAM client identities as required.
With an ordinary 5G SIM card, configuring a dynamic access point in the 5G modem parameter profile is enough for the router to access the 5G network. With a 5G IoT card or a dedicated VPDN SIM card, configure a static access point in the 5G modem parameter profile as the 5G network access point, and configure the authentication method for 5G network access with the username and password provided by the carrier.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dial-up.
# Configure dialer access group 1 and its dial-up access control rule.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
# Configure the 5G modem parameter profile with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer access group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 so the link is never disconnected for inactivity, the call setup (wait-carrier) timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used to dial the peer. The string depends on the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel1/0:0 to perform address translation for all packets from the internal network.
[RouterA-Eth-channel1/0:0] nat outbound
[RouterA-Eth-channel1/0:0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure the VAM client (spoke).
# Create VAM client spoke1 and assign it to ADVPN domain abc.
[RouterA] vam client name spoke1
[RouterA-vam-client-Spoke1] advpn-domain abc
# Configure the VAM client pre-shared key 123456.
[RouterA-vam-client-Spoke1] pre-shared-key simple 123456
# Specify the IP address of the VAM server and enable the VAM client.
[RouterA-vam-client-Spoke1] server primary ip-address 1.1.1.2
[RouterA-vam-client-Spoke1] client enable
[RouterA-vam-client-Spoke1] quit
# Create IKE keychain key and configure the plaintext pre-shared key 123456 for the peer.
[RouterA] ike keychain key
[RouterA-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterA-ike-keychain-key] quit
# Create IKE profile ike and reference IKE keychain key.
[RouterA] ike profile ike
[RouterA-ike-profile-ike] keychain key
[RouterA-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterA] ipsec transform-set tran
[RouterA-ipsec-transform-set-tran] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which uses IKE negotiation to establish SAs and references transform set tran and IKE profile ike.
[RouterA] ipsec profile profile1 isakmp
[RouterA-ipsec-profile-isakmp-profile1] transform-set tran
[RouterA-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterA-ipsec-profile-isakmp-profile1] quit
# Configure OSPF for the private-network routes.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Router A to 0 so that it does not take part in DR/BDR election.
[RouterA] interface tunnel1 mode advpn gre
[RouterA-Tunnel1] ip address 192.168.0.1 255.255.255.0
[RouterA-Tunnel1] vam client spoke1
[RouterA-Tunnel1] ospf network-type broadcast
[RouterA-Tunnel1] ospf dr-priority 0
[RouterA-Tunnel1] source eth-channel 1/0:0
[RouterA-Tunnel1] tunnel protection ipsec profile profile1
[RouterA-Tunnel1] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G modem dial-up.
# Configure dialer access group 1 and its dial-up access control rule.
<RouterB> system-view
[RouterB] dialer-group 1 rule ip permit
# Configure the 5G modem parameter profile with a dynamic access point.
[RouterB] apn-profile dynamic1
[RouterB-apn-profile-dynamic1] apn dynamic
[RouterB-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface out of interface Cellular1/0.
[RouterB] controller cellular 1/0
[RouterB-Cellular1/0] eth-channel 0
[RouterB-Cellular1/0] quit
# Configure interface Eth-channel1/0:0 to obtain the carrier-assigned IP address through the modem's proprietary protocol.
[RouterB] interface eth-channel 1/0:0
[RouterB-Eth-channel1/0:0] ip address cellular-alloc
# Apply the 5G modem parameter profile to interface Eth-channel1/0:0.
[RouterB-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on interface Eth-channel1/0:0 and associate it with dialer access group 1.
[RouterB-Eth-channel1/0:0] dialer circular enable
[RouterB-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0 so the link is never disconnected for inactivity, the call setup (wait-carrier) timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterB-Eth-channel1/0:0] dialer timer idle 0
[RouterB-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterB-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used to dial the peer. The string depends on the carrier: in mainland China, China Mobile and China Unicom typically use "*99#", and China Telecom uses "#777".
[RouterB-Eth-channel1/0:0] dialer number *99# autodial
# Configure interface Eth-channel1/0:0 to perform address translation for all packets from the internal network.
[RouterB-Eth-channel1/0:0] nat outbound
[RouterB-Eth-channel1/0:0] quit
# Configure a default route.
[RouterB] ip route-static 0.0.0.0 0 eth-channel 1/0:0
(3) Configure the VAM client (spoke).
# Create VAM client spoke2 and assign it to ADVPN domain abc.
[RouterB] vam client name spoke2
[RouterB-vam-client-Spoke2] advpn-domain abc
# Configure the VAM client pre-shared key 123456.
[RouterB-vam-client-Spoke2] pre-shared-key simple 123456
# Specify the IP address of the VAM server and enable the VAM client.
[RouterB-vam-client-Spoke2] server primary ip-address 1.1.1.2
[RouterB-vam-client-Spoke2] client enable
[RouterB-vam-client-Spoke2] quit
# Create IKE keychain key and configure the plaintext pre-shared key 123456 for the peer.
[RouterB] ike keychain key
[RouterB-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key] quit
# Create IKE profile ike and reference IKE keychain key.
[RouterB] ike profile ike
[RouterB-ike-profile-ike] keychain key
[RouterB-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterB] ipsec transform-set tran
[RouterB-ipsec-transform-set-tran] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which uses IKE negotiation to establish SAs and references transform set tran and IKE profile ike.
[RouterB] ipsec profile profile1 isakmp
[RouterB-ipsec-profile-isakmp-profile1] transform-set tran
[RouterB-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterB-ipsec-profile-isakmp-profile1] quit
# Configure OSPF for the private-network routes.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Router B to 0 so that it does not take part in DR/BDR election.
[RouterB] interface tunnel1 mode advpn gre
[RouterB-Tunnel1] ip address 192.168.0.2 255.255.255.0
[RouterB-Tunnel1] vam client spoke2
[RouterB-Tunnel1] ospf network-type broadcast
[RouterB-Tunnel1] ospf dr-priority 0
[RouterB-Tunnel1] source eth-channel 1/0:0
[RouterB-Tunnel1] tunnel protection ipsec profile profile1
[RouterB-Tunnel1] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) Router C is assumed to already have a default route to the public-network next hop.
(2) Configure the VAM client (hub).
# Configure interface GigabitEthernet1/0/2 to perform address translation for all packets from the internal network.
<RouterC> system-view
[RouterC] interface gigabitethernet 1/0/2
[RouterC-GigabitEthernet1/0/2] nat outbound
[RouterC-GigabitEthernet1/0/2] quit
# Create VAM client Hub and assign it to ADVPN domain abc.
[RouterC] vam client name Hub
[RouterC-vam-client-Hub] advpn-domain abc
# Configure the VAM client pre-shared key 123456.
[RouterC-vam-client-Hub] pre-shared-key simple 123456
# Specify the IP address of the VAM server and enable the VAM client.
[RouterC-vam-client-Hub] server primary ip-address 1.1.1.2
[RouterC-vam-client-Hub] client enable
[RouterC-vam-client-Hub] quit
# Create IKE keychain key and configure the plaintext pre-shared key 123456 for the peer.
[RouterC] ike keychain key
[RouterC-ike-keychain-key] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterC-ike-keychain-key] quit
# Create IKE profile ike and reference IKE keychain key.
[RouterC] ike profile ike
[RouterC-ike-profile-ike] keychain key
[RouterC-ike-profile-ike] quit
# Create IPsec transform set tran: transport mode, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterC] ipsec transform-set tran
[RouterC-ipsec-transform-set-tran] encapsulation-mode transport
[RouterC-ipsec-transform-set-tran] esp encryption-algorithm des-cbc
[RouterC-ipsec-transform-set-tran] esp authentication-algorithm sha1
[RouterC-ipsec-transform-set-tran] quit
# Create IPsec profile profile1, which uses IKE negotiation to establish SAs and references transform set tran and IKE profile ike.
[RouterC] ipsec profile profile1 isakmp
[RouterC-ipsec-profile-isakmp-profile1] transform-set tran
[RouterC-ipsec-profile-isakmp-profile1] ike-profile ike
[RouterC-ipsec-profile-isakmp-profile1] quit
# Configure OSPF for the private-network routes.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[RouterC] interface tunnel1 mode advpn gre
[RouterC-Tunnel1] ip address 192.168.0.3 255.255.255.0
[RouterC-Tunnel1] vam client Hub
[RouterC-Tunnel1] ospf network-type broadcast
[RouterC-Tunnel1] source gigabitethernet 1/0/2
[RouterC-Tunnel1] tunnel protection ipsec profile profile1
[RouterC-Tunnel1] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) Router D is assumed to already have a default route to the public-network next hop.
(2) Configure the VAM server.
# Create ADVPN domain abc.
<RouterD> system-view
[RouterD] vam server advpn-domain abc id 1
# Create hub group 0.
[RouterD-vam-server-domain-abc] hub-group 0
# Specify the hub in the hub group: IPv4 private address 192.168.0.3 and NAT-mapped public address 1.1.1.1.
[RouterD-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3 public-address 1.1.1.1
# Specify the IPv4 private address range of the spokes in the hub group.
[RouterD-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[RouterD-vam-server-domain-abc-hub-group-0] quit
# Configure the VAM server pre-shared key 123456 and disable AAA authentication of VAM client identities.
[RouterD-vam-server-domain-abc] pre-shared-key simple 123456
[RouterD-vam-server-domain-abc] authentication-method none
# Enable the VAM server for the ADVPN domain.
[RouterD-vam-server-domain-abc] server enable
[RouterD-vam-server-domain-abc] quit
After the configuration is complete, ADVPN tunnels are established among Router A, Router B, and Router C, and their private networks can communicate with each other.
# Display the IPv4 private address mappings of all VAM clients registered with the VAM server.
[RouterD] display vam server address-map
Total private address mappings: 3
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.2 Spoke Yes 0H 4M 35S
0 192.168.0.2 1.1.1.3 Spoke Yes 0H 4M 17S
0 192.168.0.3 1.1.1.1 Hub No 0H 2M 42S
The output shows that the hub, spoke1, and spoke2 have all registered their address mappings with the VAM server.
# On spoke1, use ping to verify connectivity to the private address 192.168.2.1 of spoke2.
<RouterA> ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=60.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=7.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.080/2.442/7.343/2.452 ms
# Display the IPv4 ADVPN session information on spoke1.
[RouterA] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.2 1.1.1.3 -- S-S Establishing 0H 0M 22S
192.168.0.3 1.1.1.1 -- S-H Success 0H 1M 25S
# Display the IPv4 ADVPN session information on the hub.
[RouterC] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.2 -- H-S Success 0H 2M 40S
192.168.0.2 1.1.1.3 -- H-S Success 0H 1M 53S
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
vam client name spoke1
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
vam client spoke1
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 192.168.2.1 255.255.255.0
#
dialer-group 1 rule ip permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat outbound
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
vam client name spoke2
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.2.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
vam client spoke2
ospf network-type broadcast
ospf dr-priority 0
source eth-channel 1/0:0
tunnel protection ipsec profile profile1
#
· Router C:
#
interface gigabitethernet 1/0/1
ip address 192.168.3.1 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 1.1.1.1 255.255.255.0
nat outbound
#
vam client name Hub
advpn-domain abc
pre-shared-key cipher $c$3$k4hxzHYdkYZ8QUIr6+XsNTxsG/lGk6SGeQ==
server primary ip-address 1.1.1.2
client enable
#
ike keychain key
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ike profile ike
keychain key
#
ipsec transform-set tran
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
transform-set tran
ike-profile ike
#
ospf 1
area 0
network 192.168.0.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
interface tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
vam client Hub
ospf network-type broadcast
source gigabitethernet 1/0/2
tunnel protection ipsec profile profile1
#
· Router D:
#
interface gigabitethernet 1/0/1
ip address 1.1.1.2 255.255.255.0
#
vam server advpn-domain abc id 1
hub-group 0
hub private-address 192.168.0.3 public-address 1.1.1.1
spoke private-address network 192.168.0.0 255.255.255.0
#
pre-shared-key cipher $c$3$qb30FA4sK0lRsl3UgtHXhVZwwJtz4YdPrg==
authentication-method none
server enable
#
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 5, Router A has a 5G Modem module, and users access the carrier's dedicated VPDN network through DDR auto-dial at fixed intervals. An IPsec tunnel is established between the branch gateway Router A and the headquarters gateway Router B, and an L2TP tunnel is established between the carrier's LAC device and Router B. The requirements are as follows:
· On Router A, configure traditional DDR to dial into the 5G network over the IPv4/IPv6 dual stack and establish a permanent 5G online connection.
· The L2TP tunnel between the LAC device and Router B is established in NAS-initiated mode, so traffic between the branch and headquarters gateways travels over the carrier's dedicated line, isolated from the public network.
· Configure an IKE-negotiated IPsec tunnel between Router A and Router B to encrypt traffic between the branch and headquarters gateways.
Figure 5 Network diagram for 5G Modem dial-up with a VPDN tunnel
Channelize the Ethernet channel interface Eth-channel1/0:0 from interface Cellular1/0 on Router A, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the Modem's proprietary protocol. On Eth-channel1/0:0, configure DDR to automatically dial into the carrier's dedicated VPDN network and configure a permanent online connection.
The L2TP tunnel between the LAC device and Router B is established in NAS-initiated mode; both the carrier's LAC device and Router B, acting as the LNS, use local authentication.
To ensure that the branch gateway can dial into the carrier's dedicated VPDN network, a dedicated VPDN SIM card must be used for DDR dialing. When configuring DDR dialing, use the VPDN access point name, authentication method, username, and password provided by the carrier to configure the 5G Modem APN profile and dial-up authentication.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G Modem dial-up.
# Configure dialer group 1 and its dial-up access control rules.
<RouterA> system-view
[RouterA] dialer-group 1 rule ip permit
[RouterA] dialer-group 1 rule ipv6 permit
# Configure the 5G Modem APN profile vpdn1 with static access point name vpdn, PDP payload type IPv4v6, authentication mode CHAP or PAP, username user1, and plaintext password password1 (use the access point name, authentication mode, username, and password provided by the carrier).
[RouterA] apn-profile vpdn1
[RouterA-apn-profile-vpdn1] pdp-type ipv4v6
[RouterA-apn-profile-vpdn1] apn static vpdn
[RouterA-apn-profile-vpdn1] authentication-mode pap-chap user1 password simple password1
[RouterA-apn-profile-vpdn1] quit
# Channelize an Ethernet channel interface from interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IPv4 and IPv6 addresses through the Modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ip address cellular-alloc
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Apply the 5G Modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply vpdn1
# Enable traditional DDR on Eth-channel1/0:0 and associate the interface with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string for reaching the peer. The dial string depends on the carrier; in mainland China, China Mobile and China Unicom generally use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
[RouterA-Eth-channel1/0:0] quit
# Configure default routes.
[RouterA] ip route-static 0.0.0.0 0 eth-channel 1/0:0
[RouterA] ipv6 route-static 0::0 0 eth-channel 1/0:0
(3) Configure the IPsec tunnel.
# Configure IPv4 advanced ACL 3000 to permit IP packets from 192.168.1.0/24 to 192.168.2.0/24.
[RouterA] acl advanced 3000
[RouterA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterA-acl-ipv4-adv-3000] quit
# Configure IPv6 advanced ACL 3500 to permit IPv6 packets from 2001::/64 to 2002::/64.
[RouterA] acl ipv6 advanced 3500
[RouterA-acl-ipv6-adv-3500] rule 0 permit ipv6 source 2001::0 64 destination 2002::0 64
[RouterA-acl-ipv6-adv-3500] quit
# Create an IPsec transform set named tran1 that uses SHA1 as the authentication algorithm and DES in CBC mode as the encryption algorithm.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1 and configure the plaintext pre-shared key 123456 for the peer with IPv4 address 192.168.0.1 and IPv6 address 2003::1.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 192.168.0.1 24 key simple 123456
[RouterA-ike-keychain-key1] pre-shared-key address ipv6 2003::1 64 key simple 123456
[RouterA-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, and specify that the peer identity to match is IPv4 address 192.168.0.1 or IPv6 address 2003::1.
[RouterA] ike profile ike1
[RouterA-ike-profile-ike1] keychain key1
[RouterA-ike-profile-ike1] match remote identity address 192.168.0.1 24
[RouterA-ike-profile-ike1] match remote identity address ipv6 2003::1 64
[RouterA-ike-profile-ike1] quit
# Create an IPv4 IPsec policy named policy1 that references transform set tran1, IKE profile ike1, and IPv4 advanced ACL 3000, and specify 192.168.0.1 as the remote IPv4 address of the IPsec tunnel.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy1-10] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-10] remote-address 192.168.0.1
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Create an IPv6 IPsec policy named policy2 that references transform set tran1, IKE profile ike1, and IPv6 advanced ACL 3500, and specify 2003::1 as the remote IPv6 address of the IPsec tunnel.
[RouterA] ipsec ipv6-policy policy2 20 isakmp
[RouterA-ipsec-policy-isakmp-policy2-20] transform-set tran1
[RouterA-ipsec-policy-isakmp-policy2-20] ike-profile ike1
[RouterA-ipsec-policy-isakmp-policy2-20] security acl ipv6 3500
[RouterA-ipsec-policy-isakmp-policy2-20] remote-address ipv6 2003::1
[RouterA-ipsec-policy-isakmp-policy2-20] quit
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to Eth-channel1/0:0.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipsec apply policy policy1
[RouterA-Eth-channel1/0:0] ipsec apply ipv6-policy policy2
[RouterA-Eth-channel1/0:0] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) The LAC is a carrier device; the following configuration is for reference only, and in practice no configuration is required on the LAC side.
(2) Configure the LAC side of the L2TP tunnel.
# Create local VPDN user user1, set the password to password1, and specify the PPP service for the user.
<LAC> system-view
[LAC] local-user user1 class network
[LAC-luser-network-user1] password simple password1
[LAC-luser-network-user1] service-type ppp
[LAC-luser-network-user1] quit
# Configure ISP domain system to perform local authentication for VPDN users.
[LAC] domain system
[LAC-isp-system] authentication ppp local
[LAC-isp-system] quit
# Enable L2TP.
[LAC] l2tp enable
# Create L2TP group 1 in LAC mode, set the local tunnel name on the LAC to LAC, specify that the LAC initiates a tunnel setup request to the LNS when a VPDN user with username user1 accesses, and set the LNS IP address to 10.1.1.2.
[LAC] l2tp-group 1 mode lac
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] user fullusername user1
[LAC-l2tp1] lns-ip 10.1.1.2
# Enable tunnel authentication and set the tunnel authentication key to aabbcc.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] quit
(1) Configure IP addresses for the device interfaces. (Details not shown.) Router B, as the headquarters gateway, is assumed to already have a default route to the next hop toward the public network.
(2) Configure the LNS side of the L2TP tunnel.
# Create local VPDN user user1, set the password to password1, and specify the PPP service for the user.
<RouterB> system-view
[RouterB] local-user user1 class network
[RouterB-luser-network-user1] password simple password1
[RouterB-luser-network-user1] service-type ppp
[RouterB-luser-network-user1] quit
# Configure ISP domain system to perform local authentication for VPDN users.
[RouterB] domain system
[RouterB-isp-system] authentication ppp local
# In the ISP domain, configure the IPv6 prefix authorization attribute for users.
[RouterB-isp-system] authorization-attribute ipv6-prefix 2003:: 64
[RouterB-isp-system] quit
# Enable L2TP and create L2TP group 1 in LNS mode.
[RouterB] l2tp enable
[RouterB] l2tp-group 1 mode lns
# Set the local tunnel name on the LNS to LNS, specify Virtual-Template 1 as the virtual template interface for receiving calls, and set the tunnel peer name to LAC.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# Enable tunnel authentication and set the tunnel authentication key to aabbcc.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password simple aabbcc
[RouterB-l2tp1] quit
# Configure the PPP address pool.
[RouterB] ip pool aaa 192.168.0.10 192.168.0.20
[RouterB] ip pool aaa gateway 192.168.0.1
# Create interface Virtual-Template 1, assign it IPv4 address 192.168.0.1/24 and IPv6 address 2003::1/64, and disable suppression of RA message advertisement. Configure CHAP and PAP as the authentication modes for the peer, and use address pool aaa to assign an IPv4 address to Router A.
[RouterB] interface virtual-template 1
[RouterB-virtual-template1] ip address 192.168.0.1 255.255.255.0
[RouterB-virtual-template1] ipv6 address 2003::1 64
[RouterB-virtual-template1] undo ipv6 nd ra halt
[RouterB-virtual-template1] ppp authentication-mode chap domain system
[RouterB-virtual-template1] remote address pool aaa
[RouterB-virtual-template1] quit
(3) Configure the IPsec tunnel.
# Create IPsec transform set tran1 that uses the ESP protocol, SHA1 as the authentication algorithm, and DES in CBC mode as the encryption algorithm.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named key1 and configure the plaintext pre-shared key 123456 for use with the peer.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[RouterB-ike-keychain-key1] pre-shared-key address ipv6 0::0 0 key simple 123456
[RouterB-ike-keychain-key1] quit
# Create an IKE profile named ike1, reference IKE keychain key1, and specify that the peer identity to match is IPv4 address 0.0.0.0 or IPv6 address 0::0 (that is, any peer address).
[RouterB] ike profile ike1
[RouterB-ike-profile-ike1] keychain key1
[RouterB-ike-profile-ike1] match remote identity address 0.0.0.0 0.0.0.0
[RouterB-ike-profile-ike1] match remote identity address ipv6 0::0 0
[RouterB-ike-profile-ike1] quit
# Create and configure an IPv4 IPsec policy template named temp1 that references transform set tran1 and IKE profile ike1, and enable IPsec reverse route injection.
[RouterB] ipsec policy-template temp1 1
[RouterB-ipsec-policy-template-temp1-1] transform-set tran1
[RouterB-ipsec-policy-template-temp1-1] ike-profile ike1
[RouterB-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterB-ipsec-policy-template-temp1-1] quit
# Create and configure an IPv6 IPsec policy template named temp2 that references transform set tran1 and IKE profile ike1, and enable IPsec reverse route injection.
[RouterB] ipsec ipv6-policy-template temp2 2
[RouterB-ipsec-ipv6-policy-template-temp2-2] transform-set tran1
[RouterB-ipsec-ipv6-policy-template-temp2-2] ike-profile ike1
[RouterB-ipsec-ipv6-policy-template-temp2-2] reverse-route dynamic
[RouterB-ipsec-ipv6-policy-template-temp2-2] quit
# Use IPv4 IPsec policy template temp1 to create an IPsec policy named policy1 with sequence number 10 that uses IKE to negotiate IPsec SAs.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Use IPv6 IPsec policy template temp2 to create an IPsec policy named policy2 with sequence number 20 that uses IKE to negotiate IPsec SAs.
[RouterB] ipsec ipv6-policy policy2 20 isakmp template temp2
# Apply IPv4 IPsec policy policy1 and IPv6 IPsec policy policy2 to interface Virtual-Template 1.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ipsec apply policy policy1
[RouterB-Virtual-Template1] ipsec apply ipv6-policy policy2
[RouterB-Virtual-Template1] quit
After the configuration is complete, a successful DDR dial-up from Router A triggers the establishment of an L2TP tunnel and an L2TP session between the LAC device and Router B, and the private networks behind Router A and Router B can reach each other. When traffic is forwarded between Router A and Router B, the IPsec tunnel is also established, encrypting the private-network traffic between them.
# On Router B, use the following display commands to view the established L2TP tunnel and L2TP session.
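As an added example (not part of the H3C document or its tooling), the following Python script audits a Comware-style configuration file for the settings a reviewer would flag in the IPsec, IKE and L2TP configuration above: DES-CBC as the ESP encryption algorithm, pre-shared keys bound to a wildcard peer address, secrets entered with the simple (plaintext) keyword, and a tunnel protection line that references an IPsec profile the file never defines. The embedded sample configuration is constructed for this example; its tunnel protection line intentionally names a profile that does not exist so that the reference check has something to report.

```python
"""Static audit of a Comware-style configuration for weak IPsec/IKE/L2TP settings.

Added example, not H3C's own tooling. It reads the '#'-delimited blocks of a
Comware 7 configuration file (the layout shown on this page) and reports:
  * ESP encryption/authentication algorithms that are weak by current standards
  * IKE pre-shared keys bound to a wildcard peer address (any peer may try them)
  * secrets stored with the 'simple' (plaintext) keyword instead of 'cipher'
  * 'tunnel protection ipsec profile' lines that reference an undefined profile
"""
import re

# Constructed sample modelled on the spoke/LNS configurations on this page.
# The 'tunnel protection' line deliberately names a profile that is not defined.
SAMPLE_CONFIG = """\
#
ike keychain key
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$i/ODxQdpM7b0kmqHCMj+VpV6G+x/IBDycg==
#
ipsec transform-set tran
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile profile1 isakmp
 transform-set tran
 ike-profile ike
#
interface tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 tunnel protection ipsec profile ipsec
#
l2tp-group 1 mode lns
 tunnel authentication
 tunnel password simple aabbcc
#
"""

# Comware algorithm keywords treated as weak (plain string comparison).
WEAK_ESP_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}
WEAK_ESP_AUTH = {"md5"}
# (address, mask) pairs that match any peer.
WILDCARD_PEERS = {("0.0.0.0", "0.0.0.0"), ("::", "0"), ("0::0", "0")}


def parse_blocks(text):
    """Split a config into (header, [body lines]) tuples at each '#' separator."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current:
                blocks.append(current)
            current = None
        elif current is None:
            current = (line, [])
        else:
            current[1].append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_config(text):
    """Return a list of (kind, scope, detail) findings for the given config text."""
    blocks = parse_blocks(text)
    findings, defined_profiles = [], set()
    for header, body in blocks:
        words = header.split()
        if header.startswith("ipsec profile "):
            defined_profiles.add(words[2])
        for line in body:
            if header.startswith("ipsec transform-set "):
                m = re.match(r"esp encryption-algorithm (\S+)", line)
                if m and m.group(1) in WEAK_ESP_ENCRYPTION:
                    findings.append(("weak-esp-encryption", words[2], m.group(1)))
                m = re.match(r"esp authentication-algorithm (\S+)", line)
                if m and m.group(1) in WEAK_ESP_AUTH:
                    findings.append(("weak-esp-auth", words[2], m.group(1)))
            m = re.match(r"pre-shared-key address (?:ipv6 )?(\S+) (\S+) key", line)
            if m and (m.group(1), m.group(2)) in WILDCARD_PEERS:
                findings.append(("wildcard-psk", header, f"{m.group(1)} {m.group(2)}"))
            m = re.search(r"\b(password|key) simple\b", line)
            if m:
                findings.append(("plaintext-secret", header, m.group(1)))
    # Second pass: every 'tunnel protection' reference must name a defined profile.
    for header, body in blocks:
        for line in body:
            m = re.match(r"tunnel protection ipsec profile (\S+)", line)
            if m and m.group(1) not in defined_profiles:
                findings.append(("undefined-ipsec-profile", header, m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, scope, detail in audit_config(SAMPLE_CONFIG):
        print(f"{kind:24s} {scope!r}: {detail}")
```

Run it against a saved `display current-configuration` capture instead of the sample to audit a real device; the hub-side wildcard pre-shared key in this example is a deliberate design choice for spokes with dynamic addresses, so a wildcard-psk finding is a prompt to confirm that the key is strong and unique to the domain, not necessarily a defect.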
[RouterB] display l2tp tunnel
LocalTID RemoteTID State Sessions RemoteAddress RemotePort RemoteName
18986 558 Established 1 10.1.1.1 1701 LAC
[RouterB] display l2tp session
LocalSID RemoteSID LocalTID State
50693 61202 18986 Established
# On Router A, use the following display command to view the negotiated IPsec SAs.
[RouterA] display ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: policy2
Sequence number: 20
Alias: policy2-20
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1424
Tunnel:
local address/port: 2003::F85B:7EE1:1410:74C9/500
remote address/port: 2003::1/500
Flow:
sour addr: 2001::/64 port: 0 protocol: ipv6
dest addr: 2002::/64 port: 0 protocol: ipv6
[Inbound ESP SAs]
SPI: 3314600301 (0xc590c96d)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max received sequence-number: 29
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3370073640 (0xc8df3e28)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/3462
Max sent sequence-number: 29
UDP encapsulation used for NAT traversal: N
Status: Active
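As an added example (not from the H3C document), the following Python script parses the text of display ipsec sa shown above into per-SA records and checks each SA for the conditions an operator would monitor after this configuration is deployed: weak transform algorithms, a status other than Active, anti-replay disabled on an inbound SA, and a time lifetime that is nearly exhausted without a rekey. The embedded sample is constructed from the output above, with policy2 altered so that the last two conditions occur.

```python
"""Parse 'display ipsec sa' output and assess each negotiated SA.

Added example, not H3C's own tooling. It turns the display output into
per-policy records and flags, per SA: weak transform algorithms, a status
other than Active, anti-replay disabled on inbound SAs, and a time lifetime
that is nearly exhausted (a rekey should already have happened).
"""
import re

# Constructed sample based on the output above; policy2 is altered so that it
# has anti-replay disabled and only 200 s of its 3600 s lifetime left.
SAMPLE_OUTPUT = """\
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel:
local address/port: 192.168.0.10/500
remote address/port: 192.168.0.1/500
[Inbound ESP SAs]
SPI: 367543574 (0x15e84516)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Anti-replay check enable: Y
Status: Active
[Outbound ESP SAs]
SPI: 4212574134 (0xfb16c7b6)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3533
Status: Active
-----------------------------
IPsec policy: policy2
Sequence number: 20
Mode: ISAKMP
-----------------------------
[Inbound ESP SAs]
SPI: 3314600301 (0xc590c96d)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843196/200
Anti-replay check enable: N
Status: Active
"""

WEAK_ALGORITHMS = {"DES-CBC", "3DES-CBC", "NULL", "MD5"}


def parse_ipsec_sa(text):
    """Return a list of policy dicts, each with a 'sas' list of SA dicts."""
    policies, policy, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"IPsec policy: (\S+)", line)
        if m:  # a new policy section starts; fields before the first SA belong to it
            policy = {"policy": m.group(1), "sas": []}
            policies.append(policy)
            sa = None
            continue
        m = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if m and policy is not None:
            sa = {"direction": m.group(1).lower()}
            policy["sas"].append(sa)
            continue
        if policy is not None and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            (sa if sa is not None else policy)[key.strip()] = value.strip()
    return policies


def assess_sa(sa, min_remaining_fraction=0.1):
    """List the problems found on one SA record."""
    issues = []
    for token in sa.get("Transform set", "").split():
        algorithm = re.sub(r"^ESP-(ENCRYPT|AUTH)-", "", token)
        if algorithm in WEAK_ALGORITHMS:
            issues.append(f"weak-algorithm:{algorithm}")
    if sa.get("Status") != "Active":
        issues.append("not-active")
    if sa["direction"] == "inbound" and sa.get("Anti-replay check enable") != "Y":
        issues.append("anti-replay-disabled")
    total = sa.get("SA duration (kilobytes/sec)")
    left = sa.get("SA remaining duration (kilobytes/sec)")
    if total and left:  # compare the time component (seconds) of each lifetime
        if int(left.split("/")[1]) < int(total.split("/")[1]) * min_remaining_fraction:
            issues.append("lifetime-nearly-exhausted")
    return issues


def audit_ipsec_sa(text):
    """Map (policy name, direction) -> list of issues for every SA in the output."""
    return {(p["policy"], sa["direction"]): assess_sa(sa)
            for p in parse_ipsec_sa(text) for sa in p["sas"]}


if __name__ == "__main__":
    for key, issues in audit_ipsec_sa(SAMPLE_OUTPUT).items():
        print(key, issues or "ok")
```

Feed the script the captured output of display ipsec sa from a monitoring job; an SA that stays Active with its remaining lifetime below the threshold indicates that rekeying is not happening, which is worth alarming on before the SA expires and traffic is dropped.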
· Router A:
#
interface gigabitethernet 1/0/1
ip address 192.168.1.1 255.255.255.0
ipv6 address 2001::1 64
#
dialer-group 1 rule ip permit
dialer-group 1 rule ipv6 permit
#
apn-profile vpdn1
pdp-type ipv4v6
apn static vpdn
authentication-mode pap-chap user1 password simple password1
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ip address cellular-alloc
ipv6 address cellular-alloc
apn-profile apply vpdn1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
ip route-static 0.0.0.0 0 eth-channel 1/0:0
ipv6 route-static :: 0 eth-channel 1/0:0
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2001::/64 destination 2002::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 192.168.0.1 255.255.255.0 key cipher $c$3$0kzuqazKcTGikVRekZ1E8R7jTOC2ZrJR2A==
pre-shared-key address ipv6 2003::1 64 key cipher $c$3$+93VGZhgfe4yG5D0d9VsLxWS6dlGVw2/Fw==
#
ike profile ike1
keychain key1
match remote identity address 192.168.0.1 255.255.255.0
match remote identity address ipv6 2003::1 64
#
ipsec policy policy1 10 isakmp
transform-set tran1
ike-profile ike1
security acl 3000
remote-address 192.168.0.1
#
ipsec ipv6-policy policy2 20 isakmp
transform-set tran1
security acl ipv6 3500
remote-address ipv6 2003::1
ike-profile ike1
#
· LAC:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
#
l2tp enable
l2tp-group 1 mode lac
tunnel name LAC
user fullusername user1
lns-ip 10.1.1.2
tunnel authentication
tunnel password simple aabbcc
#
· Router B:
#
interface gigabitethernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface gigabitethernet 1/0/2
ip address 192.168.1.2 255.255.255.0
ipv6 address 2002::1 64
#
interface virtual-template 1
ip address 192.168.0.1 255.255.255.0
ipv6 address 2003::1 64
undo ipv6 nd ra halt
ppp authentication-mode chap domain system
remote address pool aaa
ipsec apply policy policy1
ipsec apply ipv6-policy policy2
#
local-user user1 class network
password simple password1
service-type ppp
#
domain system
authentication ppp local
authorization-attribute ipv6-prefix 2003:: 64
#
l2tp enable
l2tp-group 1 mode lns
tunnel name LNS
allow l2tp virtual-template 1 remote LAC
tunnel authentication
tunnel password simple aabbcc
#
ip pool aaa 192.168.0.10 192.168.0.20
ip pool aaa gateway 192.168.0.1
#
acl advanced 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl ipv6 advanced 3500
rule 0 permit ipv6 source 2002::/64 destination 2001::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp authentication-algorithm sha1
esp encryption-algorithm des-cbc
#
ike keychain key1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$vZXXcxKbhB/YCMg4oFr5IVJyrxwQTcB4Mg==
pre-shared-key address ipv6 0::0 0 key cipher $c$3$ua9potCkbZArSufmcQhY+LgLA+38vxmiXw==
#
ike profile ike1
keychain key1
match remote identity address 0.0.0.0 0.0.0.0
match remote identity address ipv6 :: 0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile ike1
security acl 3000
reverse-route dynamic
#
ipsec ipv6-policy-template temp2 2
transform-set tran1
security acl ipv6 3500
ike-profile ike1
reverse-route dynamic
#
ipsec policy policy1 10 isakmp template temp1
#
ipsec ipv6-policy policy2 20 isakmp template temp2
#
Applies to MSR centralized and MSR distributed products running R6728P13 and later.
As shown in Figure 6, Router A has a 5G Modem module, and users access the IPv6 5G network through DDR auto-dial at fixed intervals and establish a permanent online connection. The requirements are as follows:
· On Router A, configure traditional DDR auto-dial at fixed intervals to access the IPv6 5G network and establish a permanent 5G online connection.
· On Router A, configure traditional DDR as the dial-up method. Select the dial string for reaching the peer according to the carrier; in mainland China, China Mobile and China Unicom generally use "*99#", and China Telecom uses "#777".
· Router A's IPv6 subnet is 2001::/64, and DDR dial-up is triggered only by IPv6 packets.
Figure 6 Network diagram for 5G Modem IPv6 dial-up
Channelize the Ethernet channel interface Eth-channel1/0:0 from interface Cellular1/0 on Router A, and configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the Modem's proprietary protocol. On Eth-channel1/0:0, configure DDR to automatically dial into the IPv6 5G network and configure a permanent online connection.
(1) Configure IP addresses for the device interfaces. (Details not shown.)
(2) Configure 5G Modem dial-up.
# Configure dialer group 1 and its dial-up access control rules.
<RouterA> system-view
[RouterA] dialer-group 1 rule ipv6 permit
# Configure 5G Modem APN profile dynamic1 with a dynamic access point.
[RouterA] apn-profile dynamic1
[RouterA-apn-profile-dynamic1] apn dynamic
[RouterA-apn-profile-dynamic1] quit
# Channelize an Ethernet channel interface from interface Cellular1/0.
[RouterA] controller cellular 1/0
[RouterA-Cellular1/0] eth-channel 0
[RouterA-Cellular1/0] quit
# Configure Eth-channel1/0:0 to obtain the carrier-assigned IP address through the Modem's proprietary protocol.
[RouterA] interface eth-channel 1/0:0
[RouterA-Eth-channel1/0:0] ipv6 address cellular-alloc
# Apply the 5G Modem APN profile to Eth-channel1/0:0.
[RouterA-Eth-channel1/0:0] apn-profile apply dynamic1
# Enable traditional DDR on Eth-channel1/0:0 and associate the interface with dialer group 1.
[RouterA-Eth-channel1/0:0] dialer circular enable
[RouterA-Eth-channel1/0:0] dialer-group 1
# Set the link idle timeout to 0, the call setup timeout to 30 seconds, and the autodial interval to 5 seconds.
[RouterA-Eth-channel1/0:0] dialer timer idle 0
[RouterA-Eth-channel1/0:0] dialer timer wait-carrier 30
[RouterA-Eth-channel1/0:0] dialer timer autodial 5
# Configure the dial string used for auto-dial to the peer. The dial string depends on the carrier; in mainland China, China Mobile and China Unicom generally use "*99#", and China Telecom uses "#777".
[RouterA-Eth-channel1/0:0] dialer number *99# autodial
# Configure Eth-channel1/0:0 to translate the IPv6 prefix 2001::/64 to 2002:0DF8:0001::/48, assuming that the IPv6 prefix obtained by Router A's dial-up interface is 2002:0DF8:0001::/48.
[RouterA-Eth-channel1/0:0] nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
[RouterA-Eth-channel1/0:0] quit
# Configure the default route.
[RouterA] ipv6 route-static :: 0 eth-channel 1/0:0
# Display the routing table. The configured default route has taken effect, and users can access the Internet through the device.
[RouterA] display ipv6 routing-table
Destinations : 6 Routes : 6
Destination: ::/0 Protocol : Static
NextHop : ::1 Preference: 60
Interface : E-CH1/0:0 Cost : 0
Destination: 100::/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::1/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
Destination: 100::7B/128 Protocol : Direct
NextHop : ::1 Preference: 4
Interface : InLoop0 Cost : 0
...
# On the host, use ping to verify that external networks (for example, Baidu) are reachable.
C:\Users\host1>ping www.baidu.com
正在Ping www.baidu.com[112.80.248.76]具有32字节的数据:
来自112.80.248.76的回复: 字节=32 时间=91ms TTL=122
来自112.80.248.76的回复: 字节=32 时间=92ms TTL=122
来自112.80.248.76的回复: 字节=32 时间=81ms TTL=122
来自112.80.248.76的回复: 字节=32 时间=88ms TTL=122
112.80.248.76的Ping统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 81ms,最长 = 92ms,平均 = 88ms
#
interface gigabitethernet 1/0/1
ipv6 address 2001::1 64
#
dialer-group 1 rule ipv6 permit
#
apn-profile dynamic1
apn dynamic
#
controller cellular 1/0
eth-channel 0
#
interface eth-channel 1/0:0
ipv6 address cellular-alloc
apn-profile apply dynamic1
dialer circular enable
dialer-group 1
dialer timer idle 0
dialer timer wait-carrier 30
dialer timer autodial 5
dialer number *99# autodial
nat66 prefix source 2001:: 64 2002:0df8:0001:: 48
#
ipv6 route-static :: 0 eth-channel 1/0:0
#