2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
[Experimental Topology and Software]
The switch used in this experiment is the H3C simulator. It can be downloaded from the forum at the following address: http://forum.h4c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8
[Requirements]
R2 and R4 establish an EBGP neighbor relationship, using the tunnel interface addresses as the neighbor addresses, and packets flowing through the tunnel interface must be encrypted by IPsec.
[Configuration Information]
R2
vlan 1024
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r4
 pre-shared-key simple 1234567
 remote-address 192.168.24.4
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r4
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
 rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.11.0 0.0.0.255
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.255
#
interface Vlan-interface1024
 ip address 192.168.28.2 255.255.255.0
#
interface Tunnel0
 ip address 192.168.24.2 255.255.255.0
 source 192.168.28.2
 destination 192.168.48.4
 ipsec policy jc
#
bgp 65001
 network 192.168.1.1 255.255.255.255
 undo synchronization
 peer 192.168.24.4 as-number 65002
#
ip route-static 0.0.0.0 0.0.0.0 192.168.28.8
SW4
#
interface Vlan-interface1024
 ip address 192.168.28.8 255.255.255.0
#
interface Vlan-interface1044
 ip address 192.168.48.8 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
 port access vlan 1024
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
 port access vlan 1044
R4
#
vlan 1044
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer r2
 pre-shared-key simple 1234567
 remote-address 192.168.24.2
#
ipsec proposal 1
#
ipsec policy jc 10 isakmp
 security acl 3000
 ike-peer r2
 proposal 1
#
acl number 3000
 rule 0 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 172.16.11.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
interface Serial0/6/0
 link-protocol ppp
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.11.1 255.255.255.255
#
interface Vlan-interface1044
 ip address 192.168.48.4 255.255.255.0
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
 port access vlan 1044
#
interface Tunnel0
 ip address 192.168.24.4 255.255.255.0
 source 192.168.48.4
 destination 192.168.28.2
 ipsec policy jc
#
bgp 65002
 network 192.168.11.1 255.255.255.255
 undo synchronization
 peer 192.168.24.2 as-number 65001
#
ip route-static 0.0.0.0 0.0.0.0 192.168.48.8
#
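The IPsec policy on Tunnel0 protects only the flows that ACL 3000 permits, so it is worth checking which traffic the two rules actually select. The following Python sketch is an added example, not part of the original article: it evaluates the wildcard masks from the configuration above against the loopback ping, the EBGP session between the tunnel addresses, and one constructed host pair for rule 5, and checks that the R4 ACL mirrors the R2 ACL.

```python
import ipaddress

# ACL 3000 as configured above: (rule, source, src wildcard, destination, dst wildcard)
ACL_R2 = [
    (0, "192.168.1.0", "0.0.0.255", "192.168.11.0", "0.0.0.255"),
    (5, "172.16.1.0", "0.0.0.255", "172.16.11.0", "0.0.0.255"),
]
ACL_R4 = [
    (0, "192.168.11.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    (5, "172.16.11.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def matching_rule(acl, src, dst):
    """Return the number of the first rule covering src -> dst, else None."""
    for rule, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return rule
    return None

def is_mirror(acl_a, acl_b):
    """Both peers must describe the same flows with source and destination swapped."""
    swapped = {(d, dw, s, sw) for _, s, sw, d, dw in acl_b}
    return {(s, sw, d, dw) for _, s, sw, d, dw in acl_a} == swapped

def coverage_report():
    """Map each flow leaving R2 through Tunnel0 to the ACL rule that selects it."""
    flows = {
        "ping -a 192.168.1.1 192.168.11.1": ("192.168.1.1", "192.168.11.1"),
        "EBGP session between tunnel addresses": ("192.168.24.2", "192.168.24.4"),
        "constructed host pair for rule 5": ("172.16.1.10", "172.16.11.20"),
    }
    return {name: matching_rule(ACL_R2, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    print("ACLs mirrored:", is_mirror(ACL_R2, ACL_R4))
    for name, rule in coverage_report().items():
        verdict = f"rule {rule}" if rule is not None else "not matched by ACL 3000"
        print(f"{name}: {verdict}")
```

The EBGP session between 192.168.24.2 and 192.168.24.4 matches neither rule, so ACL 3000 as written does not select the BGP packets themselves for IPsec protection; only the loopback and 172.16.x.0/24 flows are selected.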
[Verify]
View the IKE and IPsec SAs.
R2
dis ike sa
 Total phase-1 SAs: 0
 Connection-id peer flag phase doi
dis ipsec sa
There is no SA yet because no packet has matched.
ping -a 192.168.1.1 192.168.11.1
 PING 192.168.11.1: 56 data bytes, press CTRL_C to break
 Request time out
 Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=255 time=50 ms
 Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=255 time=44 ms
 Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=255 time=45 ms
 Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=255 time=50 ms
 --- 192.168.11.1 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 Round-trip min/avg/max = 44/47/50 ms
dis ike sa
 Total phase-1 SAs: 1
 Connection-id peer flag phase doi
 6 192.168.24.4 RD|ST 2 IPSEC
 5 192.168.24.4 RD|ST 1 IPSEC
 Flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
dis ipsec sa
 ===============================
 Interface: Tunnel0
 Path MTU: 1476
 ===============================
 -----------------------------
 IPsec policy name: "jc"
 Sequence number: 10
 Mode: isakmp
 -----------------------------
 Connection id: 4
 Encapsulation mode: tunnel
 Perfect forward secrecy: None
 Tunnel:
  Local address: 192.168.24.2
  Remote address: 192.168.24.4
 Flow:
  Sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
  Dest addr: 192.168.11.0/255.255.255.0 port: 0 protocol: IP
 [inbound ESP SAs]
  Spi: 2478830021 (0x93bff1c5)
  Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  Sa remaining key duration (bytes/sec): 1887436464/3588
  Max received sequence-number: 4
  Udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
  Spi: 645607044 (0x267b2e84)
  Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  Sa remaining key duration (bytes/sec): 1887436464/3588
  Max sent sequence-number: 5
  Udp encapsulation used for nat traversal: N
R4
dis ike sa
 Total phase-1 SAs: 1
 Connection-id peer flag phase doi
 4 192.168.24.2 RD 2 IPSEC
 3 192.168.24.2 RD 1 IPSEC
 Flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
dis ipsec sa
 ===============================
 Interface: Tunnel0
 Path MTU: 1476
 ===============================
 -----------------------------
 IPsec policy name: "jc"
 Sequence number: 10
 Mode: isakmp
 -----------------------------
 Connection id: 4
 Encapsulation mode: tunnel
 Perfect forward secrecy: None
 Tunnel:
  Local address: 192.168.24.4
  Remote address: 192.168.24.2
 Flow:
  Sour addr: 192.168.11.0/255.255.255.0 port: 0 protocol: IP
  Dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP
 [inbound ESP SAs]
  Spi: 645607044 (0x267b2e84)
  Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  Sa remaining key duration (bytes/sec): 1887436464/3523
  Max received sequence-number: 4
  Udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
  Spi: 2478830021 (0x93bff1c5)
  Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  Sa remaining key duration (bytes/sec): 1887436464/3523
  Max sent sequence-number: 5
  Udp encapsulation used for nat traversal: N
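With the empty "ipsec proposal 1" used in this lab, the SAs above were negotiated as ESP-ENCRYPT-DES with ESP-AUTH-MD5 and no perfect forward secrecy. The following Python sketch is an added example, not part of the original article: it parses "dis ipsec sa" output in the layout shown above and reports each SA that uses those settings. The list of algorithms treated as weak is an assumption of this example and should follow local policy.

```python
import re

# Constructed sample: the R2 "dis ipsec sa" output from the verification above, trimmed.
SAMPLE = """\
IPsec policy name: "jc"
Sequence number: 10
Perfect forward secrecy: None
[inbound ESP SAs]
Spi: 2478830021 (0x93bff1c5)
Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
[outbound ESP SAs]
Spi: 645607044 (0x267b2e84)
Proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""

# Assumption of this example: algorithms flagged as weak.
WEAK = {"DES": "DES encryption (56-bit key)", "MD5": "MD5 authentication"}

def audit_ipsec_sa(text):
    """Return (policy, direction, spi, finding) tuples for weak SA settings."""
    findings, policy, direction, spi = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("ipsec policy name:"):
            policy = line.split(":", 1)[1].strip().strip('"')
            direction = spi = None
        elif low.startswith("perfect forward secrecy:"):
            if low.split(":", 1)[1].strip() == "none":
                findings.append((policy, "both", None, "PFS disabled"))
        elif m := re.match(r"\[(inbound|outbound) \w+ SAs\]", line, re.I):
            direction = m.group(1).lower()
        elif low.startswith("spi:"):
            m = re.search(r"\((0x[0-9a-f]+)\)", low)
            spi = m.group(1) if m else None
        elif low.startswith("proposal:"):
            # Tokens look like ESP-ENCRYPT-DES or ESP-AUTH-MD5.
            for _, alg in re.findall(r"ESP-(ENCRYPT|AUTH)-([A-Z0-9]+)", line.upper()):
                if alg in WEAK:
                    findings.append((policy, direction, spi, WEAK[alg]))
    return findings

if __name__ == "__main__":
    for policy, direction, spi, finding in audit_ipsec_sa(SAMPLE):
        print(f"policy {policy} [{direction}] spi={spi}: {finding}")
```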