1. networking Requirements
The MSR V5 Router uses PPPoE dialing method to surf the Internet, IP address is not fixed, the MSR V7 router uses fixed IP address to surf the internet, and two devices use Savage mode to establish IPSec VPN to protect the traffic of intranet exchange.
2. Configuration Steps
1) MSR V5 router
# Configure an Access control list that defines the traffic that subnets 192.168.1.0/24 to subnet 172.16.1.0/24.
<H3C>System-view
[H3C] ACL Number
[h3c-acl-adv-3000] Rule 0 Permit IP Source 192.168.1 . 0 0.0.0.255 destination 172.16.1. 0 0.0.0.255
[h3c-acl-adv-3000] quit
# configure ACL 3001, which is used for external ports to configure NAT references, to prevent IPSec traffic from being translated by Nat precedence.
[H3C] ACL Number 1
[h3c-acl-adv-3001] Rule 0 Deny IP source 192.168.1. 0 0.0.0.255 destination 172.16.1. 0 0.0.0.255
[h3c-acl-adv-3001] Rule 1 Permit I P
[h3c-acl-adv-3001] quit
[H3C] Ike Local-name V5 // Configure this End Ann the name of the full gateway
# Create an IKE proposition 1
[H3C] Ike Proposal 1
[H3C-IKE-PROPOSAL-1] authentication-algorithm MD5 //Specify the authentication algorithm that IKE proposes to use as MD5
[H3C-IKE-PROPOSAL-1] Encryption-algorithm 3DES-CBC //Specify the encryption algorithm that IKE proposes to use as 3DES-CBC
[H3C-IKE-PROPOSAL-1] quit
# Configure IPSec security offer V5.
[H3C] IPSec Transform-set V5
[H3C-IPSEC-TRANSFORM-SET-V5] Encapsulation -mode Tunnel
[H3C-IPSEC-TRANSFORM-SET-V5] Transform ESP
[H3C-IPSEC-TRANSFORM-SET-V5] ESP Encryption-algorithm 3DES the encryption algorithm used by the//ESP protocol is 3DES
[H3C-IPSEC-TRANSFORM-SET-V5] ESP authentication-algorithm MD5 the authentication algorithm used in//ESP protocol MD5
[H3C-IPSEC-TRANSFORM-SET-V5] quit
# Create IKE Peers
[H3C] Ike Peer V5
[H3C-IKE-PEER-V5] Exchange-mode Aggressive //configure IKE The first phase of the negotiation mode for Savage mode
[H3C-IKE-PEER-V5] pre-shared-key 123456 //Configure pre-shared password
[H3C-IKE-PEER-V5] Proposal 1 //Refer to IKE security offer 1
[H3C-IKE-PEER-V5] Id-type name //Select the type of ID used during the first phase of the IKE negotiation process is name
[H3C-IKE-PEER-V5] remote-address 2.2.2.2 //Configure the IP address of the peer security Gateway, which is the public address of the peer device
[H3C-IKE-PEER-V5] Remote-name V7 //Configure the name of the peer security gateway
[H3C-IKE-PEER-V5] Local-name v5 //Configure the name of the local security gateway, which is the previously configured IKE Local-name
[H3C-IKE-PEER-V5] quit
# Create an IPSec security policy, negotiated as ISAKMP.
[H3C] IPSec Policy V5 1 ISAKMP
[H3c-ipsec-policy-isakmp-v5-1] Security ACL the //reference security ACL
[H3c-ipsec-policy-isakmp-v5-1] Ike -peer V5 //reference IKE peer
[H3c-ipsec-policy-isakmp-v5-1] Transform-set v5 //reference IPSec security offer
[H3c-ipsec-policy-isakmp-v5-1] quit
# Apply an IPSec security policy at the appropriate dialer port (this example assumes that dialer 10 is used).
[H3C] Interface Dialer Ten
[H3c-dialer10] IPSec Policy V5
[H3c-dialer10] Nat Outbound 3001
[H3c-dialer10] quit
[H3C] IP route-static 0.0.0.0 0.0.0.0 Dialer Ten //Add static route to public network, out interface is actual dialer dial port
2) MSR V7 router
# Configure an Access control list that defines the traffic that subnets 172.16.1.0/24 to subnet 192.168.1.0/24.
<H3C>System-view
[H3C] ACL Advanced
[h3c-acl-ipv4-adv-3000] Rule 0 Permit IP Source 172.16.1.0 0.0.0.255 Destination 192.168.1 . 0 0.0.0.255
[h3c-acl-ipv4-adv-3000] quit
# configure ACL 3001, which is used for external ports to configure NAT references, to prevent IPSec traffic from being translated by Nat precedence.
[H3C] ACL Advanced 1
[h3c-acl-ipv4-adv-3001] Rule 0 Deny IP Source 172.16.1 . 0 0.0.0.255 Destination 192.168.1 . 0 0.0.0.255
[h3c-acl-ipv4-adv-3001] Rule 1 Permit IP
[h3c-acl-adv-3001] quit
# Create an IKE proposition 1
[H3C] Ike Proposal 1
[H3C-IKE-PROPOSAL-1] authentication-algorithm MD5 //Specifies that the IKE proposal uses the authentication algorithm MD5, the configuration must be consistent with the V5 end
[H3C-IKE-PROPOSAL-1] encryption-algorithm 3DES-CBC //Specifies that the IKE proposal uses an encryption algorithm of 3DES-CBC, and the configuration must be consistent with the V5 side
[H3C-IKE-PROPOSAL-1] quit
[H3C] Ike Identity FQDN V7 //Configure the local FQDN name
#创建IKE keychain, because the address of the terminal is not fixed, it is configured to 0.0.0.0 match all.
[H3C] Ike Keychain V7
[H3C-IKE-KEYCHAIN-V7] Pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 The pre-shared key configured here must be the same as the pre-shared key configured under the V5-side IKE peer view
[H3C-IKE-KEYCHAIN-V7] quit
# Create and configure an IKE profile with the name V7.
[H3C] Ike Profile V7
[H3C-IKE-PROFILE-V7] Keychain V7 //Refer to the keychain configured above
[H3C-IKE-PROFILE-V7] Exchange-mode Aggressive //configure IKE The first phase of the negotiation mode for Savage mode
[H3C-IKE-PROFILE-V7] local-identity FQDN V7 //Configuring the identity information on the local side
[H3C-IKE-PROFILE-V7] Match Remote Identity FQDN V5 //Specifies that a matching peer identity type of FQDN is required and the value is V5
[H3C-IKE-PROFILE-V7] Proposal 1 //reference before configuring IKE proposal
[H3C-IKE-PROFILE-V7] quit
# Configure IPSec security offer V7.
[H3C] IPSec Transform-set v 7
[H3C-IPSEC-TRANSFORM-SET-V7] Encapsulation -mode Tunnel
[H3C-IPSEC-TRANSFORM-SET-V7] ESP encryption-algorithm 3DES-CBC //ESP protocol uses an encryption algorithm for 3DES-CBC
[H3C-IPSEC-TRANSFORM-SET-V7] ESP authentication-algorithm MD5 //ESP protocol uses the authentication algorithm as MD5
[H3C-IPSEC-TRANSFORM-SET-V5] quit
# Create a security policy template with a template named 1 and a sequence number of 1.
[H3C] IPSec policy-template 1 1
[H3c-ipsec-policy-template-1-1] transform-set v7 //Specify IPSec security offer for reference
[H3c-ipsec-policy-template-1-1] Security ACL //reference security ACL
[H3c-ipsec-policy-template-1-1] Ike -profile v7 //Specify IKE profile for reference
[H3c-ipsec-policy-template-1-1] quit
# Refer to IPSec policy template 1 to create an IPSec security policy named Policy V7 with sequence number 1.
[H3C] IPSec Policy V7 1 ISAKMP Template 1
# Apply IPSec security policy on interface GIGABITETHERNET0/1
[H3c]interface gigabitethernet 0/1
[H3C-GIGABITETHERNET0/1] Nat Outbound 3001
[H3C-GIGABITETHERNET0/1] IPSec Apply Policy V7
[H3C-GIGABITETHERNET0/1] qui T
[H3C] IP route-static 0.0.0.0 0.0.0.0 x.x.x.x //Add a static route to the public network, where x.x.x.x configure the gateway address of the public network interface
Note: After the configuration is complete, the active access is initiated by the dial-up to trigger an IPSec tunnel.
MSR V5 and MSR V7 routers IPSec VPN Docking typical configuration (Savage mode)