FAQ -- Branches each build an IPsec VPN to headquarters; how do branches reach each other through headquarters?

Published: 2014-11-27
Problem description
The network topology is as follows:

Branch 1 has two subnets:
172.16.13.0/24
192.168.10.0/24
Branch 2 has two subnets:
172.16.10.0/24
192.168.20.0/24
Headquarters has many subnets, all within 192.168.*.* or 172.16.*.*.
Solution
The device configuration is as follows:
Headquarters (IPsec policy template):

Define the ACL. Because the branches need to communicate with each other, the ACL must cover the subnets of all branches; it is recommended to use one large summary network. Since there are many branches, do not specify a destination address:

acl number 3030
rule 5 permit ip source 192.168.0.0 0.0.255.255
rule 10 permit ip source 172.16.0.0 0.0.255.255

Configure the IPsec policy; these settings must match the branches:

ike proposal 10
encryption-algorithm aes-cbc
dh group2
#
Because headquarters uses a policy template, no peer address is specified here; the branches initiate negotiation towards headquarters:
ike peer fenzhi
pre-shared-key %$%$2|9T!o;ZGVMt{,N"XU,,K"vm%$%$
ike-proposal 10
#
ipsec proposal fenzhi
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy-template map 1
security acl 3030
ike-peer fenzhi
proposal fenzhi
#
ipsec policy map1 1 isakmp template map
#
interface GigabitEthernet0/0/2
ip address 220.249.*.* 255.255.255.252
ipsec policy map1
#
In the source NAT policy, add a rule so that traffic to the internal networks of all branches is not source-translated; otherwise it will not match the IPsec policy. One large range is enough:

nat-policy interzone trust untrust outbound
policy 0
  action no-nat
  policy destination 172.16.0.0 mask 16
  policy destination 192.168.0.0 mask 16
          
Branch 1:
The branch ACL needs no destination address; matching the branch's own internal source subnets is enough:
acl number 3030
rule 5 permit ip source 172.16.13.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255
#
IPsec policy configuration. The IKE peer must specify remote-address so that the branch can initiate negotiation to headquarters:
ike proposal 10
encryption-algorithm aes-128
dh group2
#
ike peer zongbu
pre-shared-key %$%$Xiw{Wbk_%=k4q6X^(ne;JPG>%$%$
ike-proposal 10
remote-address 220.249.*.*
#
ipsec proposal zongbu
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy map1 10 isakmp
security acl 3030
ike-peer zongbu
proposal zongbu
#
The branch must actively initiate negotiation, so the auto-neg parameter is appended to the ipsec policy applied on the interface:
interface GigabitEthernet6/0/1
ip address 124.205.*.* 255.255.255.0
ipsec policy map1 auto-neg
#
As at headquarters, add a rule so that traffic to the internal networks of all branches is not source-translated; otherwise it will not match the IPsec policy. One large range is enough:
nat-policy interzone trust dxt1 outbound
policy 0
  action no-nat
  policy destination 172.16.0.0 mask 16
  policy destination 192.168.0.0 mask 16

Branch 2:
The configuration is similar to branch 1 and is not explained again.
acl number 3030
rule 5 permit ip source 172.16.10.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255
#
ike proposal 10
encryption-algorithm aes-128
dh group2
#
ike peer zongbu
pre-shared-key %$%$6>UuJ4K,~X`b'ALa|'s:K>5,%$%$
ike-proposal 10
remote-address 220.249.*.*
#
ipsec proposal zongbu
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy map1 10 isakmp
security acl 3030
ike-peer zongbu
proposal zongbu
#
interface GigabitEthernet6/0/1
ip address 123.7.*.* 255.255.255.128
ipsec policy map1 auto-neg
#
nat-policy interzone trust liantong outbound
policy 0
  action no-nat
  policy destination 192.168.0.0 mask 16
  policy destination 172.16.0.0 mask 16
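Why the hub ACL can be written with source networks only, and why each branch ends up with four SAs, can be checked offline. The following Python script is an added example (not from the FAQ and not Huawei code) that models the ACLs and no-nat policies above as constructed data, computes the flow selectors each branch negotiates with the template, and verifies that a branch 1 to branch 2 packet is carried over both tunnels:

```python
import ipaddress

# Constructed from the FAQ's configuration (not the device's own code): ACL rules as
# Huawei "source address wildcard" pairs, and the no-nat destination ranges.
HQ_ACL = [("192.168.0.0", "0.0.255.255"), ("172.16.0.0", "0.0.255.255")]  # acl 3030 at HQ
BRANCH_ACL = {
    "branch1": [("172.16.13.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255")],
    "branch2": [("172.16.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")],
}
# The no-nat policy is identical on HQ and on every branch in this FAQ.
NO_NAT_DESTS = [ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]


def wildcard_to_net(addr, wildcard):
    """Huawei wildcard -> network: set bits are "don't care" (assumes a contiguous wildcard)."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def negotiated_flows(branch):
    """Flow selectors the branch negotiates with the HQ template, branch-side view.

    Both ACLs are source-only (destination = any), so every branch rule pairs with every
    HQ rule and the selector becomes (branch source net -> HQ source net). With two rules
    on each side this gives the four SAs the FAQ's display output mentions.
    """
    return [(wildcard_to_net(b, bw), wildcard_to_net(h, hw))
            for b, bw in BRANCH_ACL[branch] for h, hw in HQ_ACL]


def branch_sa_covers(branch, src, dst):
    """Is a packet src -> dst leaving `branch` carried by one of its IPsec SAs?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in bn and d in hn for bn, hn in negotiated_flows(branch))


def hq_sa_covers(branch, src, dst):
    """Mirror image: is a packet src -> dst leaving HQ carried by the SA towards `branch`?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in hn and d in bn for bn, hn in negotiated_flows(branch))


def nat_exempt(dst):
    """no-nat must match first; a source-translated packet would miss the IPsec ACL."""
    return any(ipaddress.ip_address(dst) in n for n in NO_NAT_DESTS)


def spoke_to_spoke_ok(src, dst, src_branch, dst_branch):
    """Forward path of a branch-to-branch packet: exempt from NAT, carried by the source
    branch's SA into HQ, then carried by HQ's SA towards the destination branch."""
    return (nat_exempt(dst) and branch_sa_covers(src_branch, src, dst)
            and hq_sa_covers(dst_branch, src, dst))
```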

After this, the IPsec tunnels are established, as shown below:

[USG5100-1]display ipsec sa                  /*/ four SAs in total; only one is listed here
00:23:55  2014/11/25
===============================
Interface: GigabitEthernet6/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 20
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40260
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 30m 48s
    tunnel local : 124.205.*.*    tunnel remote: 220.249.*.*
    flow      source: 172.16.13.0-172.16.13.255 0-65535 0
    flow destination: 192.168.0.0-192.168.255.255 0-65535 0


    [inbound ESP SAs]
      spi: 164338786 (0x9cb9c62)
      vpn: public  said: 14  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/1752
      max received sequence-number: 1
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 153907011 (0x92c6f43)
      vpn: public  said: 15  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/1752
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: N

[USG5100-2]display ipsec sa                  /*/ four SAs in total; only one is listed here
00:23:55  2014/11/25
===============================
Interface: GigabitEthernet6/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 20
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40260
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 30m 48s
    tunnel local : 123.7.*.*    tunnel remote: 220.249.*.*
    flow      source: 192.168.20.0-192.168.20.255 0-65535 0
    flow destination: 192.168.0.0-192.168.255.255 0-65535 0


    [inbound ESP SAs]
      spi: 167546254 (0x9FC8D8E)
      vpn: public  said: 14  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/1752
      max received sequence-number: 1
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 154321354 (0x932C1CA)
      vpn: public  said: 15  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/1752
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: N



A ping to the peer branch then succeeds as well:

<USG5100>ping -a 172.16.13.1 192.168.20.1
11:11:55  2014/11/27
  PING 192.168.102.104: 56  data bytes, press CTRL_C to break
    Reply from 192.168.20.1: bytes=56 Sequence=1 ttl=127 time=60 ms
    Reply from 192.168.20.1: bytes=56 Sequence=2 ttl=127 time=40 ms
    Reply from 192.168.20.1: bytes=56 Sequence=3 ttl=127 time=40 ms
    Reply from 192.168.20.1: bytes=56 Sequence=4 ttl=127 time=42 ms
    Reply from 192.168.20.1: bytes=56 Sequence=5 ttl=127 time=43 ms

  --- 192.168.20.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/45/60 ms

END