The following is excerpted from "H3C Router Configuration and Management Complete Manual" (2nd edition), one of the four-volume set of new networking-equipment books (the other three are "Cisco Switch Configuration and Management Complete Manual" (2nd edition), "Cisco Router Configuration and Management Complete Manual" (2nd edition) and "H3C Switch Configuration and Management Complete Manual" (2nd edition)). The set is currently on sale at Dangdang, JD, Joyo (Amazon China), China-pub and other bookstores; buying the set at Dangdang or JD takes 30 yuan off the price: http://book.dangdang.com/20130730_aife, http://item.jd.com/11299332.html
(JD currently lists it at 30% off, with a further 30 yuan off after the discount.)
15.3.1 Full-mesh DVPN configuration example
The topology for this example is shown in Figure 15-6. The whole DVPN network is a full mesh, and the IP addresses assigned to each device interface are listed in Table 15-15. In the example, the primary and backup VAM servers manage and maintain the information of every node; the AAA server authenticates the VAM clients and handles their accounting; the two Hubs back each other up and are responsible for forwarding data and exchanging routing information. Each Spoke keeps a permanent tunnel to the Hubs: Spoke 1 builds DVPN connections to the other VAM clients through a single tunnel interface, Tunnel1; Spoke 3 through a single tunnel interface, Tunnel2; and Spoke 2 through two tunnel interfaces, Tunnel1 and Tunnel2. Within the same VPN domain, any two Spokes can dynamically build a direct tunnel between themselves when there is traffic to carry.
Figure 15-6 Topology of the full-mesh DVPN configuration example
Table 15-15 Device interface IP address assignment in the full-mesh DVPN configuration example
| Device | Interface | IP address |
|---|---|---|
| Hub 1 | Eth1/1 | 192.168.1.1/24 |
| Hub 1 | Tunnel1 | 10.0.1.1/24 |
| Hub 1 | Tunnel2 | 10.0.2.1/24 |
| Hub 2 | Eth1/1 | 192.168.1.2/24 |
| Hub 2 | Tunnel1 | 10.0.1.2/24 |
| Hub 2 | Tunnel2 | 10.0.2.2/24 |
| Primary VAM server | Eth1/1 | 192.168.1.22/24 |
| Backup VAM server | Eth1/1 | 192.168.1.33/24 |
| AAA server | | 192.168.1.11/24 |
| Spoke 1 | Eth1/1 | 192.168.1.3/24 |
| Spoke 1 | Eth1/2 | 10.0.3.1/24 |
| Spoke 1 | Tunnel1 | 10.0.1.3/24 |
| Spoke 2 | Eth1/1 | 192.168.1.4/24 |
| Spoke 2 | Eth1/2 | 10.0.4.1/24 |
| Spoke 2 | Tunnel1 | 10.0.1.4/24 |
| Spoke 2 | Tunnel2 | 10.0.2.4/24 |
| Spoke 3 | Eth1/1 | 192.168.1.5/24 |
| Spoke 3 | Eth1/2 | 10.0.5.1/24 |
| Spoke 3 | Tunnel2 | 10.0.2.3/24 |
Following the basic DVPN configuration approach introduced in section 15.2, the concrete configuration steps for the Hub routers, the Spoke routers and the VAM servers are easily derived, as follows.
I. Primary VAM server configuration
(1) Configure the IP address of the primary VAM server as marked in the figure (omitted).
(2) Configure AAA authentication (the scheme is RADIUS).
<MainServer> system-view
[MainServer] radius scheme rad1 !--- Create a RADIUS scheme named rad1
[MainServer-radius-rad1] primary authentication 192.168.1.11 1812 !--- Set the primary RADIUS authentication/authorization server to 192.168.1.11, using the default UDP port 1812
[MainServer-radius-rad1] primary accounting 192.168.1.11 1813 !--- Set the primary RADIUS accounting server to 192.168.1.11, using the default UDP port 1813
[MainServer-radius-rad1] key authentication lycb !--- Set the shared key for RADIUS authentication/authorization packets to lycb
[MainServer-radius-rad1] key accounting lycb !--- Set the shared key for RADIUS accounting packets to lycb
[MainServer-radius-rad1] server-type standard !--- Use a standard RADIUS server; the alternative "extended" option selects a server that supports the vendor's private RADIUS extensions
[MainServer-radius-rad1] user-name-format with-domain !--- Send user names to the RADIUS server with the ISP domain name, in the form userid@isp-name; the alternative "without-domain" option strips the domain, in which case user names in different domains must not be the same
[MainServer-radius-rad1] quit
(3) Configure the AAA scheme for the ISP domain.
[MainServer] domain domain1 !--- Create an ISP domain named domain1
[MainServer-isp-domain1] authentication default radius-scheme rad1 !--- By default, authenticate/authorize all users in domain1 with the RADIUS scheme rad1 created above
[MainServer-isp-domain1] accounting default radius-scheme rad1 !--- By default, account for all users in domain1 with the RADIUS scheme rad1 created above
[MainServer-isp-domain1] quit
[MainServer] domain default enable domain1 !--- Make domain1 the system default ISP domain; every user who logs in without supplying an ISP domain name belongs to it
(4) Configure the primary VAM server: specify, for each VPN domain, the pre-shared key, the authentication method and the corresponding Hub addresses, then enable the VAM server function.
[MainServer] vam server ip-address 192.168.1.22 !--- Set the listening IP address of the VAM server, using the default UDP port 18000
[MainServer] vam server vpn 1 !--- Create VPN domain 1. Note that a VPN domain is not the same as an ISP domain; one ISP domain can contain several VPN domains
[MainServer-vam-server-vpn-1] pre-shared-key simple 123456 !--- Set the pre-shared key to 123456
[MainServer-vam-server-vpn-1] authentication-method chap !--- Authenticate clients with CHAP
!--- The following commands specify the private addresses of the two Hubs served by the VAM server in VPN domain 1; they are the Tunnel1 interface addresses of Hub1 and Hub2.
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[MainServer-vam-server-vpn-1] quit
[MainServer] vam server vpn 2 !--- Create VPN domain 2
[MainServer-vam-server-vpn-2] pre-shared-key simple 654321 !--- Set the pre-shared key to 654321
[MainServer-vam-server-vpn-2] authentication-method pap !--- Authenticate clients with PAP
!--- The following commands specify the private addresses of the two Hubs served by the VAM server in VPN domain 2; they are the Tunnel2 interface addresses of Hub1 and Hub2.
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[MainServer-vam-server-vpn-2] quit
[MainServer] vam server enable all !--- Enable the VAM server function for all VPN domains
II. Backup VAM server configuration
Next, configure the backup VAM server. Apart from the backup server's own listening IP address, its configuration is identical to that of the primary VAM server, since the two exist to back each other up; refer to the primary VAM server configuration above.
III. Hub1 configuration
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM clients: create a separate VAM client for each VPN domain, specify the primary/backup VAM server addresses, the local user name used for authentication and the pre-shared key, and finally enable the VAM client service.
<Hub1> system-view
!--- The next two commands create dvpn1hub1, the client for VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123456
!--- The following commands configure the local user for VPN domain 1 on Hub1, with user name dvpn1hub1 and password dvpn1hub1, then enable the client.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
!--- The next two commands create dvpn2hub1, the client for VPN domain 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 654321
!--- The following commands configure the local user for VPN domain 2 on Hub1, with user name dvpn2hub1 and password dvpn2hub1, then enable the client.
[Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] client enable
[Hub1-vam-client-name-dvpn2hub1] quit
(3) Configure the IPsec framework: create the IPsec proposal, the IKE peer and the IPsec profile.
!--- The following commands configure the IPsec proposal.
[Hub1] ipsec proposal propo1
[Hub1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub1-ipsec-proposal-propo1] transform esp
[Hub1-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-propo1] quit
!--- The following commands configure the IKE peer.
[Hub1] ike peer peer1
[Hub1-ike-peer-peer1] pre-shared-key abcdef
[Hub1-ike-peer-peer1] quit
!--- The following commands configure the IPsec profile.
[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-profile1] proposal propo1
[Hub1-ipsec-profile-profile1] ike-peer peer1
[Hub1-ipsec-profile-profile1] sa duration time-based 600
[Hub1-ipsec-profile-profile1] pfs dh-group2
[Hub1-ipsec-profile-profile1] quit
[Tip] The proposal name, IKE peer name and IPsec profile name used in the IPsec framework may be the same on every device in the network, or different, because they are local configuration and only have local meaning. To avoid confusion, the whole network usually uses the same proposal name, the same peer name and the same profile name.
(4) Configure the DVPN tunnels: for each VPN domain, specify the tunnel interface IP address (which must match the Hub address configured on the VAM server earlier), the OSPF network type and the IPsec profile to apply.
!--- The following commands configure Tunnel1, the tunnel interface for VPN domain 1.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile profile1
[Hub1-Tunnel1] quit
!--- The following commands configure Tunnel2, the tunnel interface for VPN domain 2.
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn udp
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile profile1
[Hub1-Tunnel2] quit
(5) Configure OSPF routing, advertising the connected private and public networks. The connected private networks are those reached through the Tunnel interfaces. Note that what is advertised here is each interface's own IP address, which enables OSPF on that interface; the IP addresses configured on the Tunnel interfaces are all private addresses.
!--- The following commands configure routing for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
!--- The following commands configure routing for the private networks.
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
[Hub1-ospf-200-area-0.0.0.0] quit
[Hub1] ospf 300
[Hub1-ospf-300] area 0
[Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255
[Tip] The public network and the private network must use different OSPF processes, and a physically connected private network and a virtual private network reached over a Tunnel interface must also use different OSPF processes. All of them can, however, be configured in the backbone area (area 0) only.
IV. Hub2 configuration
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM clients.
<Hub2> system-view
!--- The next two commands create dvpn1hub2, the client for VPN domain 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123456
!--- The following commands configure the local user for VPN domain 1 on Hub2, with user name dvpn1hub2 and password dvpn1hub2, then enable the client.
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
!--- The next two commands create dvpn2hub2, the client for VPN domain 2.
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] vpn 2
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 654321
!--- The following commands configure the local user, with user name dvpn2hub2 and password dvpn2hub2, then enable the client.
[Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit
(3) Configure the IPsec framework. Because Hub2 and Hub1 back each other up, the IPsec framework configuration must match Hub1's.
!--- The following commands configure the IPsec proposal.
[Hub2] ipsec proposal propo1
[Hub2-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub2-ipsec-proposal-propo1] transform esp
[Hub2-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub2-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-propo1] quit
!--- The following commands configure the IKE peer.
[Hub2] ike peer peer1
[Hub2-ike-peer-peer1] pre-shared-key abcdef
[Hub2-ike-peer-peer1] quit
!--- The following commands configure the IPsec profile.
[Hub2] ipsec profile profile1
[Hub2-ipsec-profile-profile1] proposal propo1
[Hub2-ipsec-profile-profile1] ike-peer peer1
[Hub2-ipsec-profile-profile1] sa duration time-based 600
[Hub2-ipsec-profile-profile1] pfs dh-group2
[Hub2-ipsec-profile-profile1] quit
(4) Configure the DVPN tunnels.
!--- The following commands configure Tunnel1, the tunnel interface for VPN domain 1.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile profile1
[Hub2-Tunnel1] quit
!--- The following commands configure Tunnel2, the tunnel interface for VPN domain 2.
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn udp
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile profile1
[Hub2-Tunnel2] quit
(5) Configure OSPF routing.
!--- The following commands configure routing for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
!--- The following commands configure routing for the private networks.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255
V. Spoke1 configuration
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client. Because Spoke 1 has only one virtual tunnel interface, Tunnel1, only VPN domain 1 needs to be configured; no VAM client is needed for VPN domain 2.
<Spoke1> system-view
!--- The next two commands create dvpn1spoke1, the client for VPN domain 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123456
!--- The following commands configure the local user, with user name dvpn1spoke1 and password dvpn1spoke1, then enable the client.
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
(3) Configure the IPsec framework. The names may differ from those on the Hubs, but the parameters must match the Hub configuration.
!--- The following commands configure the IPsec proposal.
[Spoke1] ipsec proposal propo1
[Spoke1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-propo1] transform esp
[Spoke1-ipsec-proposal-propo1] esp encryption-algorithm des
[Spoke1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-propo1] quit
!--- The next three commands configure the IKE peer; the pre-shared key must be the same one used on the Hubs.
[Spoke1] ike peer peer1
[Spoke1-ike-peer-peer1] pre-shared-key abcdef
[Spoke1-ike-peer-peer1] quit
!--- The following commands configure the IPsec profile and bind the IKE peer to it.
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] proposal propo1
[Spoke1-ipsec-profile-profile1] ike-peer peer1
[Spoke1-ipsec-profile-profile1] sa duration time-based 600
[Spoke1-ipsec-profile-profile1] pfs dh-group2
[Spoke1-ipsec-profile-profile1] quit
(4) Configure the DVPN tunnel. Because Spoke 1 has only one virtual tunnel interface, Tunnel1, only the Tunnel1 interface for VPN domain 1 and its attributes need to be configured.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile profile1
[Spoke1-Tunnel1] quit
(5) Configure OSPF routing, advertising the public and private interface addresses of its three interfaces.
!--- The following commands configure routing for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
!--- The following commands configure routing for the private networks.
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255
VI. Spoke2 configuration
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM clients. Because Spoke 2 has two Tunnel interfaces, belonging to VPN domains 1 and 2 respectively, VAM clients must be configured for both VPN domains.
<Spoke2> system-view
!--- The next two commands create dvpn1spoke2, the client for VPN domain 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123456
!--- The following commands configure the local user, with user name dvpn1spoke2 and password dvpn1spoke2, then enable the client.
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
!--- The next two commands create dvpn2spoke2, the client for VPN domain 2.
[Spoke2] vam client name dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] vpn 2
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 654321
!--- The following commands configure the local user, with user name dvpn2spoke2 and password dvpn2spoke2, then enable the client.
[Spoke2-vam-client-name-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] client enable
[Spoke2-vam-client-name-dvpn2spoke2] quit
(3) Configure the IPsec framework. The names may differ from those on the Hubs, but the parameters must match.
!--- The following commands configure the IPsec proposal.
[Spoke2] ipsec proposal propo2
[Spoke2-ipsec-proposal-propo2] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-propo2] transform esp
[Spoke2-ipsec-proposal-propo2] esp encryption-algorithm des
[Spoke2-ipsec-proposal-propo2] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-propo2] quit
!--- The next three commands configure the IKE peer.
[Spoke2] ike peer peer2
[Spoke2-ike-peer-peer2] pre-shared-key abcdef
[Spoke2-ike-peer-peer2] quit
!--- The following commands configure the IPsec profile and bind the IKE peer to it.
[Spoke2] ipsec profile profile2
[Spoke2-ipsec-profile-profile2] proposal propo2
[Spoke2-ipsec-profile-profile2] ike-peer peer2
[Spoke2-ipsec-profile-profile2] sa duration time-based 600
[Spoke2-ipsec-profile-profile2] pfs dh-group2
[Spoke2-ipsec-profile-profile2] quit
(4) Configure the DVPN tunnels. Because Spoke 2 has two virtual tunnel interfaces, Tunnel1 and Tunnel2, the tunnel interfaces for both VPN domain 1 and VPN domain 2 and their attributes must be configured.
!--- The following commands configure Tunnel1, the tunnel interface for VPN domain 1, and its attributes.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile profile2
[Spoke2-Tunnel1] quit
!--- The following commands configure Tunnel2, the tunnel interface for VPN domain 2, and its attributes.
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn udp
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ospf dr-priority 0
[Spoke2-Tunnel2] ipsec profile profile2
[Spoke2-Tunnel2] quit
(5) Configure OSPF routing.
!--- The following commands configure routing for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
!--- The following commands configure routing for the private networks.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.4.1 0.0.0.255
VII. Spoke3 configuration
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client. Because Spoke 3 has only one virtual tunnel interface, Tunnel2, only VPN domain 2 needs to be configured; no VAM client is needed for VPN domain 1.
<Spoke3> system-view
!--- The next two commands create dvpn2spoke3, the client for VPN domain 2.
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] vpn 2
!--- The next three commands configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 654321
!--- The following commands configure the local user, with user name dvpn2spoke3 and password dvpn2spoke3, then enable the client.
[Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] client enable
[Spoke3-vam-client-name-dvpn2spoke3] quit
(3) Configure the IPsec framework. The names may differ, but the parameters must match the Hub configuration.
!--- The following commands configure the IPsec proposal.
[Spoke3] ipsec proposal propo3
[Spoke3-ipsec-proposal-propo3] encapsulation-mode tunnel
[Spoke3-ipsec-proposal-propo3] transform esp
[Spoke3-ipsec-proposal-propo3] esp encryption-algorithm des
[Spoke3-ipsec-proposal-propo3] esp authentication-algorithm sha1
[Spoke3-ipsec-proposal-propo3] quit
!--- The next three commands configure the IKE peer.
[Spoke3] ike peer peer3
[Spoke3-ike-peer-peer3] pre-shared-key abcdef
[Spoke3-ike-peer-peer3] quit
!--- The following commands configure the IPsec profile and bind the IKE peer to it.
[Spoke3] ipsec profile profile3
[Spoke3-ipsec-profile-profile3] proposal propo3
[Spoke3-ipsec-profile-profile3] ike-peer peer3
[Spoke3-ipsec-profile-profile3] sa duration time-based 600
[Spoke3-ipsec-profile-profile3] pfs dh-group2
[Spoke3-ipsec-profile-profile3] quit
(4) Configure the DVPN tunnel.
!--- The following commands configure Tunnel2, the tunnel interface for VPN domain 2, and its attributes.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn udp
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile profile3
[Spoke3-Tunnel2] quit
(5) Configure OSPF routing.
!--- The following commands configure routing for the public network.
[Spoke3] ospf 100
[Spoke3-ospf-100] area 0
[Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255
[Spoke3-ospf-100-area-0.0.0.0] quit
!--- The following commands configure routing for the private networks.
[Spoke3] ospf 200
[Spoke3-ospf-200] area 0
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255
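The seven device configurations above share parameters that must agree before the mesh can come up: the VAM pre-shared key of each VPN domain, the Hub private addresses registered on the VAM server, one IKE pre-shared key across all peers (in a full mesh any two peers may negotiate directly), identical IPsec proposals, one subnet per VPN domain on the tunnel interfaces (they form a single OSPF broadcast network), and DR priority 0 on the Spokes. The Python script below is an added example, not code from the book or from H3C: it holds those parameters transcribed by hand from the listings above and cross-checks them, and audit_as_printed() re-runs the check with two slips of the kind that creep into hand-typed configurations (an IKE key typed one character short on Spoke1, and Spoke2's second VAM client created under the VPN 1 client's name) to show what the audit reports. The Device class, audit() and all dictionaries are this example's own assumptions.

```python
"""Cross-device consistency audit for the full-mesh DVPN example.

Added example, not from the book or from H3C: the parameter tables below were
transcribed by hand from the listings in parts I to VII; nothing here reads a
Comware configuration file.
"""
import copy
import ipaddress
from dataclasses import dataclass, field

# 'ipsec proposal' parameters, identical on every device in the example.
PROPOSAL = {"encapsulation-mode": "tunnel", "transform": "esp",
            "esp encryption-algorithm": "des", "esp authentication-algorithm": "sha1"}
# 'vam server vpn N' on the primary VAM server: key, client authentication, 'hub private-ip' list.
VAM_SERVER = {
    1: {"psk": "123456", "auth": "chap", "hubs": {"10.0.1.1", "10.0.1.2"}},
    2: {"psk": "654321", "auth": "pap",  "hubs": {"10.0.2.1", "10.0.2.2"}},
}


@dataclass
class Device:
    name: str
    role: str            # "hub" or "spoke"
    ike_psk: str         # 'ike peer ... pre-shared-key'
    clients: dict        # vam client name -> {"vpn", "psk"}
    tunnels: dict        # Tunnel name -> {"client", "ip", "dr"} (dr = ospf dr-priority)
    proposal: dict = field(default_factory=lambda: dict(PROPOSAL))


def client(vpn, psk):
    """'vam client name' view as typed on the device: vpn and pre-shared-key."""
    return {"vpn": vpn, "psk": psk}


def tunnel(client_name, ip, dr=1):
    """Tunnel interface: bound VAM client, address, OSPF DR priority (default 1)."""
    return {"client": client_name, "ip": ip, "dr": dr}


DEVICES = [
    Device("Hub1", "hub", "abcdef", {"dvpn1hub1": client(1, "123456"), "dvpn2hub1": client(2, "654321")},
           {"Tunnel1": tunnel("dvpn1hub1", "10.0.1.1/24"), "Tunnel2": tunnel("dvpn2hub1", "10.0.2.1/24")}),
    Device("Hub2", "hub", "abcdef", {"dvpn1hub2": client(1, "123456"), "dvpn2hub2": client(2, "654321")},
           {"Tunnel1": tunnel("dvpn1hub2", "10.0.1.2/24"), "Tunnel2": tunnel("dvpn2hub2", "10.0.2.2/24")}),
    Device("Spoke1", "spoke", "abcdef", {"dvpn1spoke1": client(1, "123456")},
           {"Tunnel1": tunnel("dvpn1spoke1", "10.0.1.3/24", dr=0)}),
    Device("Spoke2", "spoke", "abcdef", {"dvpn1spoke2": client(1, "123456"), "dvpn2spoke2": client(2, "654321")},
           {"Tunnel1": tunnel("dvpn1spoke2", "10.0.1.4/24", dr=0), "Tunnel2": tunnel("dvpn2spoke2", "10.0.2.4/24", dr=0)}),
    Device("Spoke3", "spoke", "abcdef", {"dvpn2spoke3": client(2, "654321")},
           {"Tunnel2": tunnel("dvpn2spoke3", "10.0.2.3/24", dr=0)}),
]


def audit(server=VAM_SERVER, devices=DEVICES):
    """Return a list of findings; an empty list means the parameters agree."""
    findings = []
    keys = {d.ike_psk for d in devices}          # one IKE key for the whole mesh
    if len(keys) > 1:
        findings.append(f"IKE pre-shared keys differ across devices: {sorted(keys)}")
    if len({tuple(sorted(d.proposal.items())) for d in devices}) > 1:
        findings.append("IPsec proposal parameters are not identical on all devices")
    hub_ips = {v: set() for v in server}
    subnets = {v: set() for v in server}
    for d in devices:
        for cname, c in d.clients.items():
            vpn = server.get(c["vpn"])
            if vpn is None:
                findings.append(f"{d.name}: client {cname} uses VPN {c['vpn']}, which the VAM server does not define")
            elif c["psk"] != vpn["psk"]:
                findings.append(f"{d.name}: client {cname} pre-shared key differs from VAM server VPN {c['vpn']}")
        for tname, t in d.tunnels.items():
            c = d.clients.get(t["client"])
            if c is None:
                findings.append(f"{d.name}: {tname} references undefined VAM client {t['client']}")
                continue
            iface = ipaddress.ip_interface(t["ip"])
            if c["vpn"] in server:
                subnets[c["vpn"]].add(iface.network)
                if d.role == "hub":
                    hub_ips[c["vpn"]].add(str(iface.ip))
            # Spokes only hold permanent tunnels to the Hubs, so a Spoke must never become DR/BDR.
            if d.role == "spoke" and t["dr"] != 0:
                findings.append(f"{d.name}: {tname} has OSPF DR priority {t['dr']}; spokes need 'ospf dr-priority 0'")
    for v, vpn in server.items():
        if hub_ips[v] != vpn["hubs"]:
            findings.append(f"VPN {v}: VAM server hub list {sorted(vpn['hubs'])} != hub tunnel addresses {sorted(hub_ips[v])}")
        if len(subnets[v]) > 1:                  # one OSPF broadcast network per VPN domain
            findings.append(f"VPN {v}: tunnel interfaces span several subnets {sorted(map(str, subnets[v]))}")
    return findings


def audit_as_printed():
    """Re-run the audit with two constructed slips: Spoke1's IKE key one character
    short, and Spoke2's second VAM client entered under the VPN 1 client's name
    (so Tunnel2 refers to a client that was never created)."""
    devices = copy.deepcopy(DEVICES)
    next(d for d in devices if d.name == "Spoke1").ike_psk = "abcde"
    next(d for d in devices if d.name == "Spoke2").clients = {"dvpn1spoke2": client(2, "654321")}
    return audit(devices=devices)


if __name__ == "__main__":
    print("as transcribed:", audit() or "no findings")
    for finding in audit_as_printed():
        print("with slips:", finding)
```

Because the check is keyed on the VAM server's VPN domains, extending it to more devices is a matter of adding Device entries; a mismatch in any of the shared parameters shows up as a finding before anyone has to read IKE debugging on the routers.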
VIII. Verifying the configuration
First, use the display vam server address-map all command to view the address-map information of all VAM clients registered with the primary VAM server. The output shows that Hub1, Hub2, Spoke1, Spoke2 and Spoke3 have all registered their address mappings with the VAM server.
[MainServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 52M 7S
10.0.1.2 192.168.1.2 Hub 0H 47M 31S
10.0.1.3 192.168.1.3 Spoke 0H 28M 25S
10.0.1.4 192.168.1.4 Spoke 0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.2.1 192.168.1.1 Hub 0H 51M 44S
10.0.2.2 192.168.1.2 Hub 0H 46M 45S
10.0.2.3 192.168.1.5 Spoke 0H 11M 25S
10.0.2.4 192.168.1.4 Spoke 0H 18M 32S
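Reading the address-map listing by eye works for eight entries; in a larger mesh the useful check is whether every planned client registered with the public address and role the plan expects, and nothing else did. The script below is an added example, not code from the book or from H3C: it parses the listing exactly as printed above (the text is copied from it), compares it against the address plan transcribed from Table 15-15, and also verifies that the declared "Total address-map number" agrees with the rows actually listed, which catches a truncated capture. parse_address_map(), check_registrations() and EXPECTED are this example's own assumptions.

```python
"""Check the VAM server's address-map listing against the address plan.

Added example, not from the book or from H3C: the parser targets the output
format exactly as printed above, and EXPECTED is transcribed from Table 15-15.
"""
import re

# Copied from the 'display vam server address-map all' listing above.
ADDRESS_MAP_OUTPUT = """\
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 52M 7S
10.0.1.2 192.168.1.2 Hub 0H 47M 31S
10.0.1.3 192.168.1.3 Spoke 0H 28M 25S
10.0.1.4 192.168.1.4 Spoke 0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.2.1 192.168.1.1 Hub 0H 51M 44S
10.0.2.2 192.168.1.2 Hub 0H 46M 45S
10.0.2.3 192.168.1.5 Spoke 0H 11M 25S
10.0.2.4 192.168.1.4 Spoke 0H 18M 32S
"""

# Address plan from Table 15-15: (VPN domain, tunnel address) -> (public address, role).
EXPECTED = {
    (1, "10.0.1.1"): ("192.168.1.1", "Hub"),
    (1, "10.0.1.2"): ("192.168.1.2", "Hub"),
    (1, "10.0.1.3"): ("192.168.1.3", "Spoke"),
    (1, "10.0.1.4"): ("192.168.1.4", "Spoke"),
    (2, "10.0.2.1"): ("192.168.1.1", "Hub"),
    (2, "10.0.2.2"): ("192.168.1.2", "Hub"),
    (2, "10.0.2.3"): ("192.168.1.5", "Spoke"),
    (2, "10.0.2.4"): ("192.168.1.4", "Spoke"),
}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_address_map(text):
    """Return (entries, declared_totals): entries maps (vpn, private ip) to
    (public ip, role); declared_totals maps vpn to 'Total address-map number'."""
    entries, totals, vpn = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"VPN name:\s*(\d+)", line)
        if m:
            vpn = int(m.group(1))        # rows that follow belong to this VPN domain
            continue
        m = re.match(r"Total address-map number:\s*(\d+)", line)
        if m and vpn is not None:
            totals[vpn] = int(m.group(1))
            continue
        m = re.match(IPV4 + r"\s+" + IPV4 + r"\s+(Hub|Spoke)\b", line)
        if m and vpn is not None:
            entries[(vpn, m.group(1))] = (m.group(2), m.group(3))
    return entries, totals


def check_registrations(text, expected=EXPECTED):
    """Compare the listing with the plan. Returns a dict of problem lists;
    all lists empty means every planned client registered as planned."""
    seen, totals = parse_address_map(text)
    per_vpn = {}
    for vpn, _ in seen:
        per_vpn[vpn] = per_vpn.get(vpn, 0) + 1
    return {
        "missing": sorted(k for k in expected if k not in seen),
        "unexpected": sorted(k for k in seen if k not in expected),
        "mismatched": sorted(k for k in seen if k in expected and seen[k] != expected[k]),
        # A declared total that disagrees with the rows means a truncated or mis-parsed listing.
        "count_mismatch": sorted(v for v, n in totals.items() if per_vpn.get(v, 0) != n),
    }


if __name__ == "__main__":
    for name, problems in check_registrations(ADDRESS_MAP_OUTPUT).items():
        print(f"{name}: {problems or 'none'}")
```

An "unexpected" entry deserves attention as much as a "missing" one: a private address registered from a public address the plan does not list means either the plan is stale or a client the operator did not provision has the VPN domain's pre-shared key.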
The address-map information of all VAM clients registered with the backup VAM server can be viewed in the same way.
Next, use the display dvpn session all command to view the DVPN tunnel information on Hub1. The output shows that in VPN 1, Hub1 has established permanent tunnels to Hub2, Spoke1 and Spoke2, and in VPN 2, permanent tunnels to Hub2, Spoke2 and Spoke3. The output on Hub2 is similar to Hub1's.
[Hub1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 8m 7s
Input: 164 packets, 163 data packets, 1 control packets
54 multicasts, 0 errors
Output: 77 packets, 76 data packets, 1 control packets
55 multicasts, 0 errors
Private IP: 10.0.1.4
Public IP: 192.168.1.4
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 27m 13s
Input: 174 packets, 167 data packets, 7 control packets
160 multicasts, 0 errors
Output: 172 packets, 171 data packets, 1 control packets
165 multicasts, 0 errors
Interface: Tunnel2 VPN name: 2 Total number: 3
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 12m 10s
Input: 183 packets, 182 data packets, 1 control packets
0 multicasts, 0 errors
Output: 186 packets, 185 data packets, 1 control packets
155 multicasts, 0 errors
Private IP: 10.0.2.4
Public IP: 192.168.1.4
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 26m 39s
Input: 174 packets, 169 data packets, 5 control packets
162 multicasts, 0 errors
Output: 173 packets, 172 data packets, 1 control packets
167 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 19m 30s
Input: 130 packets, 127 data packets, 3 control packets
120 multicasts, 0 errors
Output: 127 packets, 126 data packets, 1 control packets
119 multicasts, 0 errors
Next, use the display dvpn session all command to view the DVPN tunnel information on Spoke2. The output shows that in VPN 1, Spoke2 has established permanent Hub-Spoke tunnels to Hub1 and Hub2, and in VPN 2, permanent Hub-Spoke tunnels to Hub1 and Hub2. The output on Spoke1 and Spoke3 is similar to Spoke2's.
[Spoke2] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 2
Private IP: 10.0.1.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 1m 22s
Input: 381 packets, 380 data packets, 1 control packets
374 multicasts, 0 errors
Output: 384 packets, 376 data packets, 8 control packets
369 multicasts, 0 errors
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 1 control packets
230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 7 control packets
224 multicasts, 0 errors
Interface: Tunnel2 VPN name: 2 Total number: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 2m 47s
Input: 383 packets, 382 data packets, 1 control packets
377 multicasts, 0 errors
Output: 385 packets, 379 data packets, 6 control packets
372 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
Then, from Spoke2, ping Spoke3's private address 10.0.5.1; the ping succeeds.
[Spoke2] ping 10.0.5.1
PING 10.0.5.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms
--- 10.0.5.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
Finally, use the display dvpn session interface tunnel 2 command to view the DVPN tunnel information of the Tunnel2 interface on Spoke2. The output shows that a Spoke-Spoke tunnel has been dynamically established between Spoke2 and Spoke3.
[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2 VPN name: 2 Total number: 3
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 6 control packets
430 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: Spoke-Spoke
State: SUCCESS
Holding time: 0h 0m 0s
Input: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
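The session listings above are what an operator checks after a change: every session in SUCCESS state, the per-interface "Total number" matching the sessions listed, no error counters climbing, and, after the ping, a Spoke-Spoke session appearing alongside the permanent Spoke-Hub ones. The script below is an added example, not code from the book or from H3C: it parses the display dvpn session output in the format printed above (SESSION_OUTPUT is the Spoke2 Tunnel2 listing) and condenses it into those checks. parse_sessions(), session_report() and the FIELDS table are this example's own assumptions.

```python
"""Summarize a 'display dvpn session' listing: session types, sessions not in
SUCCESS state, sessions with error counters, dynamic Spoke-Spoke sessions, and
interfaces whose declared 'Total number' disagrees with the sessions listed.

Added example, not from the book or from H3C: the parser targets the output
format exactly as printed above; SESSION_OUTPUT is the Spoke2 Tunnel2 listing.
"""
import re

SESSION_OUTPUT = """\
Interface: Tunnel2 VPN name: 2 Total number: 3
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 6 control packets
430 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: Spoke-Spoke
State: SUCCESS
Holding time: 0h 0m 0s
Input: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
"""

FIELDS = {"Public IP": "public_ip", "Session type": "type",
          "State": "state", "Holding time": "holding"}   # "Label:" -> key on the session dict


def parse_sessions(text):
    """Return (sessions, declared_totals). Each session is a dict with interface,
    vpn, private_ip, the FIELDS above, and in_errors/out_errors counters."""
    sessions, totals, ctx, cur, direction = [], {}, {}, None, None
    for line in text.splitlines():
        m = re.match(r"Interface:\s*(\S+)\s+VPN name:\s*(\d+)\s+Total number:\s*(\d+)", line)
        if m:
            ctx = {"interface": m.group(1), "vpn": int(m.group(2))}
            totals[m.group(1)] = int(m.group(3))
            continue
        m = re.match(r"Private IP:\s*(\S+)", line)
        if m:                                   # a 'Private IP' line opens a new session record
            cur = dict(ctx, private_ip=m.group(1), in_errors=0, out_errors=0)
            sessions.append(cur)
            continue
        if cur is None:
            continue
        for label, key in FIELDS.items():
            m = re.match(re.escape(label) + r":\s*(.+)$", line)
            if m:
                cur[key] = m.group(1).strip()
        # Counters: an 'Input:'/'Output:' line is followed by a 'N multicasts, M errors' line.
        if line.startswith("Input:"):
            direction = "in"
        elif line.startswith("Output:"):
            direction = "out"
        else:
            m = re.match(r"\d+ multicasts,\s*(\d+) errors", line)
            if m and direction:
                cur[direction + "_errors"] = int(m.group(1))
    return sessions, totals


def session_report(text):
    """Condense the listing into the items an operator checks first."""
    sessions, totals = parse_sessions(text)
    by_type, listed = {}, {}
    for s in sessions:
        by_type[s.get("type", "?")] = by_type.get(s.get("type", "?"), 0) + 1
        listed[s["interface"]] = listed.get(s["interface"], 0) + 1
    return {
        "by_type": by_type,
        "not_up": [s["private_ip"] for s in sessions if s.get("state") != "SUCCESS"],
        "with_errors": [s["private_ip"] for s in sessions if s["in_errors"] or s["out_errors"]],
        "spoke_spoke": [s["private_ip"] for s in sessions if s.get("type") == "Spoke-Spoke"],
        "count_mismatch": [i for i, n in totals.items() if listed.get(i, 0) != n],
    }


if __name__ == "__main__":
    for name, value in session_report(SESSION_OUTPUT).items():
        print(f"{name}: {value}")
```

Run against the Spoke2 listing the report shows two Spoke-Hub sessions and one Spoke-Spoke session, all in SUCCESS and error-free. Run against the Hub1 listing earlier in this part it would flag the Hub-Hub session to 10.0.1.2, whose output counter shows 10 errors; a Spoke-Spoke entry that appears on a spoke without any matching traffic, or a holding time that never grows, is likewise worth a second look.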