The company's internal network is not very complex: a typical star topology. Headquarters has VPNs to several branches and also needs to carry multicast and OSPF across them, so the classic GRE over IPsec design was used. The configuration on the previous H3C devices caused no problems, but recently, for performance reasons, we decided to move to Huawei's AR series. Huawei's devices are somewhat more expensive than H3C's, but noticeably stronger in performance. The devices used here are mainly the Huawei AR2220 and AR151.


When IPsec VPN is configured on Huawei devices in the traditional way, each 2220 router can only establish VPN connections with 16 branches; beyond 16 the configuration fails. Huawei's answer to this is to use a policy template on the router on the core side to build multiple IPsec VPNs: with this approach no ACL is needed on the core side, while the branch side must specify an ACL. Also, when a Huawei device establishes IPsec VPN with another vendor's equipment, the IKE peer should be configured as v1. Below is my configuration with a 2220 on the core side and a 151 at the branch.

The network topology is simple:


 



<SZ_CR_1>disp cur
[V200R002C01SPC200]
#
 sysname SZ_CR_1
#
 snmp-agent local-engineid 800007DB03E0247F20C08B
 snmp-agent 
#
 drop illegal-mac alarm
#
acl number 3000  
#
ipsec proposal 1
#
ike peer br v1
 pre-shared-key simple 123
 local-address 202.96.1.1
#
ipsec policy-template br 1
 ike-peer br
 proposal 1
#
ipsec policy cr 1 isakmp template br
#
aaa 
 authentication-scheme default            
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%${*|FV4WA)E/|SkH9I0I7gulc%$%$
 local-user admin privilege level 3
 local-user admin service-type telnet ssh
#
interface GigabitEthernet0/0/0
 description connect to sz_cs_1/0/0/48
 ip address 20.0.29.1 255.255.255.252 
#
interface GigabitEthernet0/0/1
 description connect to internet
 ip address 202.96.1.1 255.255.255.252 
 ipsec policy cr
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface Tunnel0/0/0
 description connect to sz_brr_1
 ip address 20.0.1.1 255.255.255.248      
 tunnel-protocol gre
 source 202.96.1.1
 destination 202.96.1.9
#
ip route-static 20.0.0.0 255.255.255.248 Tunnel0/0/0
ip route-static 202.96.0.0 255.255.0.0 202.96.1.2
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$}vVu=u!Vr.+&il)6m3#',"vm+Mx[TaM\W!+abu=@)VPR#(|w%$%$
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
#
voice 
 #
 diagnose
#
return

<sz_br_1>disp cur
[V200R002C01SPC200]
#
 sysname sz_br_1
#
 snmp-agent local-engineid 800007DB03CCCC8174F532
 snmp-agent 
#
 drop illegal-mac alarm
#
acl number 3000  
 rule 0 permit ip source 202.96.1.9 0.0.0.0  destination 202.96.1.1  0.0.0.0
 #
ipsec proposal 1
#
ike peer cr v1
 pre-shared-key simple 123
 local-address 202.96.1.9
 remote-address 202.96.1.1
#
ipsec policy br 1 isakmp
 security acl 3000
 ike-peer cr
 proposal 1
#                                         
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$Z'#iOA:^$!]-{U(C97{XhH~6%$%$
 local-user admin privilege level 3
 local-user admin service-type telnet ssh
#
interface Vlanif1
 ip address 20.0.0.1 255.255.255.248 
#
interface Ethernet0/0/0
 port link-type access
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
 description connect to internet          
 ip address 202.96.1.9 255.255.255.252 
 ipsec policy br
#
interface NULL0
#
interface Tunnel0/0/0
 description connect to sz_cr_1
 ip address 20.0.1.2 255.255.255.248 
 tunnel-protocol gre
 source 202.96.1.9
 destination 202.96.1.1
#
ip route-static 20.0.0.0 255.255.0.0 Tunnel0/0/0
ip route-static 202.96.0.0 255.255.0.0 202.96.1.10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$n~z&;^8SvD+%tH'4{pn0,md[".Y^'ppeO$Ut&ZSQb*73*sje%$%$
user-interface vty 0
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 authentication-mode aaa
user-interface vty 16 20                  
#
voice 
 #
 diagnose
#
return
<sz_br_1>
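The two configurations above only work if a handful of values agree with each other: the GRE tunnel's source must be an address the router actually owns, the IKE peer's local-address must be that same address, the branch's ACL must select exactly the GRE flow between the two public addresses, and the core side needs no ACL because the policy template negotiates per peer. The following script is an added example, not code from the post or from Huawei: it parses the block structure of `display current-configuration` output and checks those relationships on trimmed, constructed copies of the core and branch configs (same addressing as above: core 202.96.1.1, branch 202.96.1.9). It also flags an IKE pre-shared key kept in `simple` form, which VRP stores in plaintext in the configuration, and one shorter than 16 characters; that length threshold is this example's own policy, not a Huawei requirement.

```python
"""Added consistency check for a GRE-over-IPsec site pair on Huawei AR routers (not from the post)."""

# Constructed samples trimmed to the GRE/IPsec sections, using the post's addressing:
# core 202.96.1.1 with an ipsec policy template (no ACL), branch 202.96.1.9 with an ACL-based policy.
CORE_CFG = """\
ike peer br v1
 pre-shared-key simple 123
 local-address 202.96.1.1
#
ipsec policy-template br 1
 ike-peer br
#
ipsec policy cr 1 isakmp template br
#
interface GigabitEthernet0/0/1
 ip address 202.96.1.1 255.255.255.252
 ipsec policy cr
#
interface Tunnel0/0/0
 tunnel-protocol gre
 source 202.96.1.1
 destination 202.96.1.9
"""
BRANCH_CFG = """\
acl number 3000
 rule 0 permit ip source 202.96.1.9 0.0.0.0 destination 202.96.1.1 0.0.0.0
#
ike peer cr v1
 pre-shared-key simple 123
 local-address 202.96.1.9
 remote-address 202.96.1.1
#
ipsec policy br 1 isakmp
 security acl 3000
 ike-peer cr
#
interface Ethernet0/0/4
 ip address 202.96.1.9 255.255.255.252
 ipsec policy br
#
interface Tunnel0/0/0
 tunnel-protocol gre
 source 202.96.1.9
 destination 202.96.1.1
"""


def parse(cfg: str) -> list:  # -> [(header words, [body line words]), ...]; a lone '#' closes a block
    blocks, cur = [], []
    for line in cfg.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append((cur[0], cur[1:]))
            cur = []
        elif line.strip():
            cur.append(line.split())
    return blocks + ([(cur[0], cur[1:])] if cur else [])


def find(blocks: list, *prefix: str) -> tuple:  # block whose header starts with prefix, else (None, None)
    return next(((h, b) for h, b in blocks if h[:len(prefix)] == list(prefix)), (None, None))


def field(body, key: str, default=None):  # words after `key` on the first body line that starts with it
    return next((w[1:] for w in body or [] if w[0] == key), default)


def check_site(site: str, cfg: str) -> list:
    """Findings for one router; an empty list means its GRE and IPsec pieces agree."""
    blocks, out = parse(cfg), []
    ifaces = {h[1]: b for h, b in blocks if h[0] == "interface"}
    local = {field(b, "ip")[1]: n for n, b in ifaces.items() if field(b, "ip") and "Tunnel" not in n}
    for name, body in ifaces.items():
        if field(body, "tunnel-protocol") != ["gre"]:
            continue
        src, dst = field(body, "source", [None])[0], field(body, "destination", [None])[0]
        owner = local.get(src)
        if owner is None:
            out.append(f"{site}: {name} GRE source {src} is not a local interface address")
            continue
        pol_ref = field(ifaces[owner], "ipsec") or [None, None]  # e.g. ['policy', 'br']
        head, pol = find(blocks, "ipsec", "policy", pol_ref[1])
        if head is None:
            out.append(f"{site}: {owner} has no defined ipsec policy; GRE to {dst} would go in clear")
            continue
        if "template" in head:  # core side: the template negotiates per peer, no ACL needed
            peer = field(find(blocks, "ipsec", "policy-template", head[-1])[1], "ike-peer", [None])[0]
        else:                   # branch side: the ACL must select the GRE flow itself
            peer, acl = field(pol, "ike-peer", [None])[0], field(pol, "security", [None, None])[1]
            rules = find(blocks, "acl", "number", acl)[1] or []
            pairs = [(r[r.index("source") + 1], r[r.index("destination") + 1]) for r in rules if {"source", "destination"} <= set(r)]
            if (src, dst) not in pairs:
                out.append(f"{site}: acl {acl} does not select GRE {src} -> {dst}")
        ike = find(blocks, "ike", "peer", peer)[1]
        if field(ike, "local-address") != [src]:
            out.append(f"{site}: ike peer {peer} local-address differs from GRE source {src}")
        mode, psk = field(ike, "pre-shared-key", [None, ""])
        if mode == "simple" or len(psk) < 16:
            out.append(f"{site}: ike peer {peer} pre-shared key is plaintext ('simple') or under 16 chars")
    return out


if __name__ == "__main__":
    print("\n".join(check_site("core", CORE_CFG) + check_site("branch", BRANCH_CFG)))
```

Run against the samples as written, the only findings are the weak, plaintext pre-shared key on both sides. Swapping a tunnel's `source` and `destination`, pointing the IKE peer's `local-address` at the other router, or editing the branch ACL so it no longer covers the GRE endpoints each produces a specific finding, which is the kind of review worth scripting before pushing a template-based configuration out to many branches.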


Reposted from: https://blog.51cto.com/txtyx/1098597