一、实验目的及拓扑
1、实验思路:FW1为总部固定IP,FW2和FW3为分支动态地址,通过mGRE over IPsec实现,并加载NHR解决多点隧道目的地址问题
2、网络拓扑
二、基本配置
(一)配置相关接口地址,并在路由器上启用loopback0地址150.1.1.1(此处省略)
(二)将防火墙连接PC的接口g1/0/1全部设置于信任区域,连接路由器的接口设置于非信任区域(此处省略)
(三)在R1上启用DHCP,并在端口g0/0/0和g0/0/2上启用dhcp
#
dhcp enable
#
interface GigabitEthernet0/0/0
ip address 155.1.131.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/2
ip address 155.1.141.1 255.255.255.0
dhcp select interface
#
(四)在防火墙FW2和FW3的外网口上启用DHCP
#
dhcp enable
#
#
interface GigabitEthernet1/0/0
undo shutdown
ip address dhcp-alloc
#
三、详细配置
(一)多点mGRE的配置,将传统GRE隧道点对点类型的tunnel接口扩展为点到多点类型的mGRE隧道,并在tunnel接口实现NHRP(下一跳地址解析地址)的静态表项设置,设置静态路由后实现PC1与PC2和PC3的联通
1、mGRE的设置
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
#
[FW2-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
#
[FW3-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.14 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
#
2、NHRP(下一跳地址解析地址)的静态设置
[FW1-Tunnel0]dis th
2024-07-05 07:10:12.850
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
service-manage ping permit
nhrp entry 10.1.0.13 155.1.131.254
nhrp entry 10.1.0.14 155.1.141.254
#
[FW2-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
service-manage ping permit
nhrp entry 10.1.0.12 155.1.121.12
#
[FW3-Tunnel0]dis th
2024-07-05 07:12:16.560
#
interface Tunnel0
ip address 10.1.0.14 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
service-manage ping permit
nhrp entry 10.1.0.12 155.1.121.12
#
3、设置静态路由
[FW1]dis ip routing-table protocol static
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 155.1.121.1 GigabitEthernet1/0/0
10.1.13.0/24 Static 60 0 RD 10.1.0.13 Tunnel0
10.1.14.0/24 Static 60 0 RD 10.1.0.14 Tunnel0
[FW2]dis ip routing-table protocol static
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.12.0/24 Static 60 0 RD 10.1.0.12 Tunnel0
10.1.14.0/24 Static 60 0 RD 10.1.0.12 Tunnel0
[FW3]dis ip routing-table protocol static
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.12.0/24 Static 60 0 RD 10.1.0.12 Tunnel0
10.1.13.0/24 Static 60 0 RD 10.1.0.12 Tunnel0
4、将防火墙的安全策略全部放开,并打开防火墙的tracert功能
default action permit
icmp ttl-exceeded send
5、验证结果
PC1>ping 10.1.13.10
Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.1.13.10: bytes=32 seq=2 ttl=126 time=15 ms
PC1>ping 10.1.14.10
Ping 10.1.14.10: 32 data bytes, Press Ctrl_C to break
From 10.1.14.10: bytes=32 seq=1 ttl=126 time=32 ms
PC2>tracert 10.1.14.10
traceroute to 10.1.14.10, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.12.12 <1 ms 15 ms <1 ms
2 10.1.0.14 16 ms 16 ms 15 ms
3 10.1.14.10 <1 ms 31 ms 16 ms
(二)同样是mGRE设置,但通过NHRP(下一跳地址解析地址)的动态表项,实现PC1、PC2、PC3的联通
[FW2-Tunnel0]dis th
2024-07-05 07:36:22.240
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
service-manage ping permit
nhrp entry 10.1.0.12 155.1.121.12 register
#
[FW3-Tunnel0]dis th
2024-07-05 07:38:26.340
#
interface Tunnel0
ip address 10.1.0.14 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
service-manage ping permit
nhrp entry 10.1.0.12 155.1.121.12 register
#
[FW1]dis nhrp peer all
--------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
10.1.0.13 32 155.1.131.254 10.1.0.13 registered up|unique
--------------------------------------------------------------------------------
10.1.0.14 32 155.1.141.254 10.1.0.14 registered up|unique
-------------------------------------------------------------------------------
(二)在各防火墙之间建立OSPF路由并删除静态路由
1、使用p2mp网络类型
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
service-manage ping permit
nhrp entry multicast dynamic
#
各防火墙上配置ospf并宣告路由10.1.0.0
2、使用broadcast网络
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type broadcast
service-manage ping permit
nhrp entry multicast dynamic
#
[FW2-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type broadcast
ospf dr-priority 0
service-manage ping permit
nhrp entry 10.1.0.12 155.1.121.12 register
#
(三)在各防火墙加载IPsecVPN(三台防火墙配置相同)
#
ipsec proposal DM_SET
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
pre-shared-key HUAWEI
ike-proposal 10
#
ipsec profile DM_PRO
ike-peer ALL
proposal DM_SET
#
[FW1-Tunnel0]dis th
#
interface Tunnel0
ipsec profile DM_PRO
#
结果验证
[FW1]dis ike sa
2 155.1.131.254:500 RD|A
v2:2 IP 155.1.131.254
1 155.1.131.254:500 RD|A
v2:1 IP 155.1.131.254
4 155.1.141.254:500 RD|A
v2:2 IP 155.1.141.254
3 155.1.141.254:500 RD|A
[FW2-Tunnel0]dis ike sa
2 155.1.121.12:500 RD|ST
|A v2:2 IP 155.1.121.12
1 155.1.121.12:500 RD|ST
|A v2:1 IP 155.1.121.12
4 155.1.141.254:500 RD|A
v2:2 IP 155.1.141.254
3 155.1.141.254:500 RD|A
v2:1 IP 155.1.141.254
Number of IKE SA : 4
![一道有意思的简单题 [NOIP2010 普及组] 接水问题](https://i-blog.csdnimg.cn/direct/26387e3e0f2447fc9304aa042b78b6bb.png)
![Spring学习04-[Spring容器核心技术AOP学习]](https://i-blog.csdnimg.cn/direct/a7c05cf7d91d4a7982484e9018e4818e.png)
