10.4 DVPN典型配置
10.4.1 DVPN基本配置
【需求】
通过配置DVPN,client1、client2可以和server互通,client1和client2之间可以互通。
【组网图】
【配置脚本】
|
Server配置脚本 |
|
# sysname Server # radius scheme system # domain system # local-user admin password cipher .]@USE=B,53Q=^Q`MAF4<1!! service-type telnet terminal level 3 service-type ftp # dvpn policy 1 /创建dvpn-policy视图1/ # interface Aux0 async mode flow # interface Ethernet0/0 ip address 202.1.1.1 255.255.255.0 # interface Ethernet0/1 ip address dhcp-alloc # interface Serial1/0 clock DTECLK1 link-protocol ppp ip address ppp-negotiate # interface Serial1/1 clock DTECLK1 link-protocol ppp ip address ppp-negotiate # interface Tunnel0
/创建Tunnel0接口/ ip address 10.0.0.1 255.255.255.0 tunnel-protocol udp
dvpn /Tunnel接口的封装格式/ source Ethernet0/0 dvpn interface-type
server /指定了Tunnel接口类型为server/ dvpn dvpn-id 1 /配置Tunnel接口所属的DVPN域1/ dvpn policy 1
/引用dvpn-policy视图1/ # interface NULL0 # interface LoopBack0 ip address 172.16.1.1 255.255.255.0 # FTP server enable # dvpn service enable
/使能DVPN功能/ dvpn server pre-shared-key 12345
/配置Server的身份pre-shared-key/ # ip route-static 172.16.2.0 255.255.255.0 10.0.0.2
preference 60 /配置路由信息/ ip route-static 172.16.3.0 255.255.255.0 10.0.0.3
preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme # return |
|
Client1配置脚本 |
|
# sysname Client1 # radius scheme system # domain system # local-user admin password cipher .]@USE=B,53Q=^Q`MAF4<1!! service-type telnet terminal level 3 service-type ftp # dvpn class test
/配置Tunnel接口使用的dvpn-class/ public-ip 202.1.1.1 authentication-server method pre-share pre-shared-key 12345 # interface Aux0 async mode flow # interface Ethernet0/0 ip address 202.1.1.2 255.255.255.0 # interface Tunnel0
/创建Tunnel0接口/ ip address 10.0.0.2 255.255.255.0 tunnel-protocol udp dvpn
/Tunnel接口的封装格式/ source Ethernet0/0 dvpn interface-type client
/指定了Tunnel接口类型为client/ dvpn dvpn-id 1
/配置Tunnel接口所属的DVPN域1/ dvpn server test
/引用配置的dvpn-class/ # interface NULL0 # interface LoopBack0 ip address 172.16.2.1 255.255.255.0 # FTP server enable # dvpn service enable
/使能DVPN功能/ # ip route-static 172.16.1.0 255.255.255.0 10.0.0.1
preference 60 /配置路由信息/ ip route-static 172.16.3.0 255.255.255.0 10.0.0.3
preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme # return |
|
Client2配置脚本 |
|
# sysname Client2 # radius scheme system # domain system # local-user admin password cipher .]@USE=B,53Q=^Q`MAF4<1!! service-type telnet terminal level 3 service-type ftp # dvpn class test
/配置Tunnel接口使用的dvpn-class/ public-ip 202.1.1.1 authentication-server method pre-share pre-shared-key 12345 # interface Aux0 async mode flow # interface Ethernet0/0 ip address 202.1.1.3 255.255.255.0 # interface Ethernet0/1 ip address dhcp-alloc # interface Tunnel0
/创建Tunnel0接口/ ip address 10.0.0.3 255.255.255.0 tunnel-protocol udp dvpn
/Tunnel接口的封装格式/ source Ethernet0/0 dvpn interface-type client
/指定了Tunnel接口类型为client/ dvpn dvpn-id 1
/配置Tunnel接口所属的DVPN域1/ dvpn server test
/引用配置的dvpn-class/ # interface NULL0 # interface LoopBack0 ip address 172.16.3.1 255.255.255.0 # FTP server enable # dvpn service enable
/使能DVPN功能/ # ip route-static 172.16.1.0 255.255.255.0 10.0.0.1
preference 60 /配置路由信息/ ip route-static 172.16.2.0 255.255.255.0 10.0.0.2
preference 60 # user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme # return |
【验证】
Server、 Clinent1和Clinent2可以两两互通。
Server上的map信息和session信息:
[Server]dis dvpn
map all
vpn-id private-ip
public-ip port state type client-id
------------------------------------------------------------------------------
1
10.0.0.3
202.1.1.3 40959 FINISHED S->C 88383300
1
10.0.0.2
202.1.1.2 40959 FINISHED S->C 91175268
[Server]display
dvpn session all
vpn-id private-ip
public-ip
port
state type
-----------------------------------------------------------------
1
10.0.0.2
202.1.1.2 40959 SUCCESS S->C
1
10.0.0.3
202.1.1.3 40959 SUCCESS S->C
Client1上的map信息和session信息:
[Client1]dis dvpn
map all
vpn-id private-ip public-ip port state type client-id
------------------------------------------------------------------------------
1
10.0.0.1
202.1.1.1 40959 SUCCESS C->S 91175268
[Client1]dis dvpn
se all
vpn-id private-ip public-ip port state type
-----------------------------------------------------------------
1
10.0.0.1
202.1.1.1 40959 SUCCESS C->S
1
10.0.0.3
202.1.1.3 40959 SUCCESS C->C
Client1上的map信息和session信息:
[Client2]dis dvpn
map all
vpn-id private-ip public-ip port state type client-id
------------------------------------------------------------------------------
1
10.0.0.1
202.1.1.1 40959 SUCCESS C->S 88383300
[Client2]dis dvpn
se all
vpn-id private-ip public-ip port state type
-----------------------------------------------------------------
1
10.0.0.1
202.1.1.1 40959 SUCCESS C->S
1
10.0.0.2
202.1.1.2 40959 SUCCESS C->C
【提示】
1、
当DVPN数据传输阶段,缺省情况下系统对所有的数据都采用了上述的IPSec加密方式,用户不需要进行配置。
2、
在Client需要通过pre-shared-key进行身份验证时,Client需要指定需要接入的Server的pre-shared-key,
而且和Server的pre-shared-key必须一致。
3、
每个接口最多应用一个dvpn-policy;如果需要应用新的dvpn-policy,则必须删除原有的dvpn-policy;
另外一个dvpn-Policy可以被多个接口同时使用。
4、
在配置DVPN其他参数前,请务必在Tunnel接口上封装UDP DVPN。