AR2220: how to establish IPsec when both ends use PPPoE dial-up

Published: 2017-03-02
Problem description
Topology:  AR1200A--(PPPoE)--------ISP---------(PPPoE)--AR1200B
Both AR2220 devices obtain their addresses dynamically through PPPoE dial-up. How can IPsec be established between them?

Solution

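Because PPPoE assigns addresses dynamically, neither end can establish the tunnel by specifying the peer's IP address. Instead, DDNS has to be configured together with DNS proxy resolution, and the DDNS service must be registered separately with a third-party DDNS provider.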

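Note: the IP address that the DDNS server resolves to is not fixed. If a redial changes the IP address, you have to wait 30 minutes or longer for the DDNS server to update the record successfully before IPsec can be established again. If conditions permit, it is recommended to purchase VIP membership with the DDNS provider so that the correct IP is resolved as quickly as possible and service impact is avoided.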

AR1200A
Device configuration (partial) is as follows (the key settings are highlighted in yellow and red and annotated):
#
dns resolve 
dns server 8.8.8.8
dns proxy enable
#
acl number 3000 
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3010 
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
#
ddns policy 10
interval 60
url http://testA:testB@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&ip=<a>
(testA is the user name and testB is the password)
#
ipsec proposal 1
#
ike peer 1 v2
pre-shared-key simple 722
dpd type periodic
remote-address cai722722.f3322.org
#
ipsec policy 1 10 isakmp
security acl 3000
ike-peer 1
proposal 1                              
#
interface Dialer1
link-protocol ppp                       
ppp chap user a100005043
ppp chap password cipher %$%$cruv5--{q0&Pu'0e5H.%,"t6%$%$
ppp pap local-user a100005043 password cipher %$%$"{$#ZdPV'&Y"A>7]_~"E,"t9%$%$
ppp ipcp dns admit-any
ppp ipcp dns request
tcp adjust-mss 1300
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer-group 4
ddns apply policy 10 fqdn cai722.f3322.org
ipsec policy 1
nat outbound 3010
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1 


AR1200B
Device configuration (partial) is as follows:
#
dns resolve 
dns server 8.8.8.8
dns relay enable
#
acl number 3000 
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3010 
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip
#
ddns policy 10
interval 60
url http://testA:testB@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&ip=<a>

#
ipsec proposal 1
#
ike peer 1 v2
pre-shared-key simple 722
dpd type periodic
remote-address cai722.f3322.org
#
ipsec policy 1 10 isakmp
security acl 3000
ike-peer 1
proposal 1
#
interface Dialer1
link-protocol ppp
ppp chap user a100004713
ppp chap password cipher %$%$C0_HAF0.M/OV4+3`mbLS,.ZE%$%$
ppp pap local-user a100004713 password cipher %$%$SJSm!l}@ZMkw=<GG$"QB,.ZJ%$%$
ppp ipcp dns admit-any
ppp ipcp dns request
tcp adjust-mss 1300
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer-group 4
ddns apply policy 10 fqdn cai722722.f3322.org
ipsec policy 1
nat outbound 3010
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
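
As an added example (not part of the original article and not Huawei tooling), the Python check below cross-checks the settings that must agree between the two peers in this DDNS-based setup: mirrored security ACLs, the NAT exclusion for the protected flow, and each `remote-address` matching the other side's DDNS FQDN. It also reports the readable pre-shared key and the DDNS credentials carried in an `http://` URL. `sample`, `parse` and `audit` are hypothetical helper names, and the input is a constructed fragment modelled on the listings above.

```python
import re

def sample(local, remote, fqdn, peer_fqdn):
    # Constructed fragment modelled on the listings above (not a full config).
    return f"""acl number 3000
 rule 5 permit ip source {local} 0.0.0.255 destination {remote} 0.0.0.255
acl number 3010
 rule 5 deny ip source {local} 0.0.0.255 destination {remote} 0.0.0.255
ddns policy 10
 url http://testA:testB@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&ip=<a>
ike peer 1 v2
 pre-shared-key simple 722
 remote-address {peer_fqdn}
interface Dialer1
 ddns apply policy 10 fqdn {fqdn}
"""

def parse(cfg):
    # Collect ACL rules as (action, source+wildcard, destination+wildcard).
    flows, acl = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"acl number (\d+)", line):
            acl = m.group(1)
        elif m := re.match(r"rule \d+ (permit|deny) ip source (\S+ \S+) destination (\S+ \S+)", line):
            flows.setdefault(acl, set()).add(m.groups())
    def one(pat):  # first match of a single-valued setting, or None
        return (re.findall(r"^\s*" + pat, cfg, re.M) or [None])[0]
    return {"flows": flows, "remote": one(r"remote-address (\S+)"),
            "fqdn": one(r"ddns apply policy \d+ fqdn (\S+)"),
            "psk": one(r"pre-shared-key simple (\S+)"), "url": one(r"url (\S+)")}

def audit(cfg_a, cfg_b, sec_acl="3000", nat_acl="3010"):
    # ACL numbers default to the ones used on this page.
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        mine = {(s, d) for act, s, d in me["flows"].get(sec_acl, ()) if act == "permit"}
        theirs = {(d, s) for act, s, d in peer["flows"].get(sec_acl, ()) if act == "permit"}
        no_nat = {(s, d) for act, s, d in me["flows"].get(nat_acl, ()) if act == "deny"}
        if mine != theirs:
            out.append(f"{name}: security ACL is not the mirror of the peer's")
        if not mine <= no_nat:
            out.append(f"{name}: protected flow is not excluded from NAT")
        if me["remote"] != peer["fqdn"]:
            out.append(f"{name}: remote-address differs from the peer's DDNS FQDN")
        if me["psk"] is not None:
            out.append(f"{name}: pre-shared key readable in config ({len(me['psk'])} chars)")
        if me["url"] and re.match(r"http://[^/@]+:[^/@]+@", me["url"]):
            out.append(f"{name}: DDNS credentials embedded in a plain-HTTP URL")
    return out
```

Calling `audit(sample(...), sample(...))` with the two sides' subnets and FQDNs swapped returns only the key and DDNS-credential findings; any consistency finding means the tunnel will not match traffic or resolve its peer as intended.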
