[H3C] ADVPN Full-Mesh Networking Lab

Time: 2024-10-10 18:17:33

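For the basics, see this article: [H3C] ADVPN Overview and Components

Lab requirements

Using the topology and the address plan, establish ADVPN between the Hub and the Spokes.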

Configuration

Topology

ISP

Basic configuration

[H3C]sysname ISP

[ISP]int g1/0
[ISP-GigabitEthernet1/0]ip address 202.101.100.254 24
[ISP-GigabitEthernet1/0]quit

[ISP]int g2/0
[ISP-GigabitEthernet2/0]ip address 202.101.10.1 30
[ISP-GigabitEthernet2/0]quit

[ISP]int g3/0
[ISP-GigabitEthernet3/0]ip address 202.101.20.1 30
[ISP-GigabitEthernet3/0]quit

[ISP]int g4/0
[ISP-GigabitEthernet4/0]ip address 202.101.30.1 30
[ISP-GigabitEthernet4/0]quit

VAM Server

Basic configuration

[H3C]sysname VAM_Server

[VAM_Server]int g1/0
[VAM_Server-GigabitEthernet1/0]ip address 202.101.100.100 24
[VAM_Server-GigabitEthernet1/0]quit

[VAM_Server]ip route-static 0.0.0.0 0 202.101.100.254

AAA settings

# Configure the RADIUS scheme "advpn"
[VAM_Server]radius scheme advpn
[VAM_Server-radius-advpn]primary authentication 202.101.100.110 # AAA server address for authentication
[VAM_Server-radius-advpn]primary accounting 202.101.100.110     # AAA server address for accounting
[VAM_Server-radius-advpn]key authentication simple 123456       # AAA: shared key between client and server for authentication
[VAM_Server-radius-advpn]key accounting simple 123456           # AAA: shared key between client and server for accounting
[VAM_Server-radius-advpn]user-name-format without-domain        # AAA domain: usernames are sent without the domain name
[VAM_Server-radius-advpn]quit

# Enable the RADIUS session-control feature
[VAM_Server]radius session-control enable

# Configure the AAA methods of the ISP domain "advpn"
# so that it uses the RADIUS scheme "advpn" defined above
[VAM_Server]domain advpn
[VAM_Server-isp-advpn] authentication advpn radius-scheme advpn
[VAM_Server-isp-advpn] accounting advpn radius-scheme advpn
[VAM_Server-isp-advpn] quit

# Enable "advpn" as the default ISP domain
[VAM_Server]domain default enable advpn

Specify which devices are the Hub and the Spokes

# Create the ADVPN domain "advpn" with ID 1 on the VAM Server
[VAM_Server]vam server advpn-domain advpn id 1
[VAM_Server-vam-server-domain-advpn]hub-group 1                                       # Create Hub group "1"
[VAM_Server-vam-server-domain-advpn-hub-group-1]hub private-address 10.255.1.1        # Hub private address
[VAM_Server-vam-server-domain-advpn-hub-group-1]spoke private-address network 10.255.1.0 255.255.255.0  # Spoke private address range
[VAM_Server-vam-server-domain-advpn-hub-group-1]quit
# Configure the VAM Server pre-shared key and authentication method, then enable the server
[VAM_Server-vam-server-domain-advpn]pre-shared-key simple 123456
[VAM_Server-vam-server-domain-advpn]authentication-method chap
[VAM_Server-vam-server-domain-advpn]server enable
[VAM_Server-vam-server-domain-advpn]quit

Hub

Basic configuration

[H3C]sysname Hub

[Hub]int g1/0
[Hub-GigabitEthernet1/0]ip address 202.101.10.2 30
[Hub-GigabitEthernet1/0]qu

[Hub]int LoopBack 1
[Hub-LoopBack1]ip address 172.16.1.1 32
[Hub-LoopBack1]qu

[Hub]int LoopBack 2
[Hub-LoopBack2]ip address 172.16.1.2 32
[Hub-LoopBack2]quit

[Hub]int LoopBack 3
[Hub-LoopBack3]ip address 172.16.1.3 32
[Hub-LoopBack3]quit

[Hub]ip route-static 0.0.0.0 0 202.101.10.1

Configure the VAM Client

# Create the VAM client named "Hub"
[Hub]vam client name Hub
[Hub-vam-client-Hub]advpn-domain advpn            # Set the ADVPN domain of the VAM Client to "advpn"
[Hub-vam-client-Hub]pre-shared-key simple 123456  # Configure the VAM Client's authentication information
[Hub-vam-client-Hub]user hub password simple hub
[Hub-vam-client-Hub]server primary ip-address 202.101.100.100 # Specify the IP address of the VAM Server
[Hub-vam-client-Hub]client enable                 # Enable the client
[Hub-vam-client-Hub]quit

IPSec security policy

# Many Spokes exchange data with the Hub, so the keychain peer address is set to match all addresses
[Hub]ike keychain advpn
[Hub-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub-ike-keychain-advpn]quit

[Hub]ike profile advpn
[Hub-ike-profile-advpn]keychain advpn
[Hub-ike-profile-advpn]quit

[Hub]ipsec transform-set advpn
[Hub-ipsec-transform-set-advpn]encapsulation-mode transport 
[Hub-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Hub-ipsec-transform-set-advpn]esp authentication-algorithm md5 
[Hub-ipsec-transform-set-advpn]quit

[Hub]ipsec profile advpn isakmp 
[Hub-ipsec-profile-isakmp-advpn]transform-set advpn
[Hub-ipsec-profile-isakmp-advpn]ike-profile advpn
[Hub-ipsec-profile-isakmp-advpn]quit
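
An added example, not part of the original post: a small Python check that scans a transcript written in this page's prompt-prefixed style and reports the settings a review would flag before reuse outside a lab (DES, MD5, secrets entered with `simple`, and an IKE pre-shared key bound to 0.0.0.0 0.0.0.0). The names `audit` and `mask`, the rule ids and the sample transcript are constructed for the example.

```python
import re

# Constructed sample in the lab's prompt-prefixed transcript style.
SAMPLE = """\
[Hub-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub-ipsec-transform-set-advpn]encapsulation-mode transport
[Hub-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc
[Hub-ipsec-transform-set-advpn]esp authentication-algorithm md5
[Hub-vam-client-Hub]user hub password simple hub
[Hub-Tunnel1]tunnel protection ipsec profile advpn
"""

# "[prompt]command # optional comment" -> prompt, command
PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*?)\s*(?:#.*)?$")

# Hypothetical rule ids; each pattern is matched against one command.
RULES = [
    ("weak-cipher", re.compile(r"^esp encryption-algorithm\s+.*\bdes-cbc\b")),
    ("weak-hash", re.compile(r"^esp authentication-algorithm\s+.*\bmd5\b")),
    ("wildcard-psk",
     re.compile(r"^pre-shared-key address 0\.0\.0\.0 (?:0\.0\.0\.0|0)\b")),
    ("plaintext-secret",
     re.compile(r"\b(?:key|password|authentication|accounting)\s+simple\s+\S+")),
]

def mask(command):
    """Hide the value that follows the 'simple' keyword before reporting."""
    return re.sub(r"(\bsimple\s+)\S+", r"\1***", command)

def audit(transcript):
    """Return (device, rule_id, masked command) for every flagged setting."""
    findings = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group(2):
            continue  # comment lines, headings and bare prompts
        # Assumes the sysname contains no hyphen, as in this lab.
        device = m.group(1).split("-")[0]
        command = m.group(2)
        for rule_id, pattern in RULES:
            if pattern.search(command):
                findings.append((device, rule_id, mask(command)))
    return findings

if __name__ == "__main__":
    for device, rule_id, command in audit(SAMPLE):
        print(f"{device:12} {rule_id:18} {command}")
```
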

ADVPN tunnel configuration

[Hub]ospf 1
[Hub-ospf-1]area 0
[Hub-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255

# Configure the GRE-encapsulated ADVPN tunnel interface Tunnel1
[Hub]interface Tunnel1 mode advpn gre
[Hub-Tunnel1]ip address 10.255.1.1 255.255.255.0
[Hub-Tunnel1]vam client Hub # Note: the name is case-sensitive
# The default OSPF network type on a Tunnel interface is P2P, but the Hub has to form neighbor relationships with multiple Spokes,
# which P2P does not support, so the OSPF network type is changed to broadcast
[Hub-Tunnel1]ospf network-type broadcast
[Hub-Tunnel1]source g1/0
# Apply the IPSec security policy
[Hub-Tunnel1]tunnel protection ipsec profile advpn

Spoke 1

Basic configuration

[H3C]sysname Spoke1

[Spoke1]int g1/0
[Spoke1-GigabitEthernet1/0]ip address 202.101.20.2 30
[Spoke1-GigabitEthernet1/0]quit

[Spoke1]int LoopBack 1
[Spoke1-LoopBack1]ip address 172.16.2.1 32
[Spoke1-LoopBack1]quit

[Spoke1]int LoopBack 2
[Spoke1-LoopBack2]ip address 172.16.2.2 32
[Spoke1-LoopBack2]quit

[Spoke1]int LoopBack 3
[Spoke1-LoopBack3]ip address 172.16.2.3 32
[Spoke1-LoopBack3]quit

[Spoke1]ip route-static 0.0.0.0 0 202.101.20.1

Configure the VAM Client

[Spoke1]vam client name Spoke1
[Spoke1-vam-client-Spoke1]advpn-domain advpn
[Spoke1-vam-client-Spoke1]pre-shared-key simple 123456
[Spoke1-vam-client-Spoke1]user spoke1 password simple spoke1
[Spoke1-vam-client-Spoke1]server primary ip-address 202.101.100.100
[Spoke1-vam-client-Spoke1]client enable 
[Spoke1-vam-client-Spoke1]quit

IPSec security policy

[Spoke1]ike keychain advpn
[Spoke1-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-advpn]quit

[Spoke1]ike profile advpn
[Spoke1-ike-profile-advpn]keychain advpn
[Spoke1-ike-profile-advpn]quit

[Spoke1]ipsec transform-set advpn
[Spoke1-ipsec-transform-set-advpn]encapsulation-mode transport 
[Spoke1-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Spoke1-ipsec-transform-set-advpn]esp authentication-algorithm md5
[Spoke1-ipsec-transform-set-advpn]quit

[Spoke1]ipsec profile advpn isakmp 
[Spoke1-ipsec-profile-isakmp-advpn]ike-profile advpn
[Spoke1-ipsec-profile-isakmp-advpn]transform-set advpn
[Spoke1-ipsec-profile-isakmp-advpn]quit

Configure the ADVPN tunnel

[Spoke1]ospf 1
[Spoke1-ospf-1]area 0
[Spoke1-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0]quit
[Spoke1-ospf-1]quit

# Configure the ADVPN tunnel and change the OSPF network type
[Spoke1]interface Tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 10.255.1.2 255.255.255.0
[Spoke1-Tunnel1] ospf network-type broadcast
# The Hub is the DR and the Spokes are DROthers, so the DR priority is 0
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source GigabitEthernet1/0
[Spoke1-Tunnel1] tunnel protection ipsec profile advpn
[Spoke1-Tunnel1] vam client Spoke1

Spoke 2

Basic configuration

[H3C]sysname Spoke2

[Spoke2]int g1/0
[Spoke2-GigabitEthernet1/0]ip address 202.101.30.2 30
[Spoke2-GigabitEthernet1/0]quit

[Spoke2]int LoopBack 1
[Spoke2-LoopBack1] ip address 172.16.3.1 32
[Spoke2-LoopBack1] quit

[Spoke2] int LoopBack 2
[Spoke2-LoopBack2] ip address 172.16.3.2 32
[Spoke2-LoopBack2] quit

[Spoke2] int LoopBack 3
[Spoke2-LoopBack3] ip address 172.16.3.3 32
[Spoke2-LoopBack3] quit

[Spoke2] ip route-static 0.0.0.0 0 202.101.30.1

Configure the VAM Client

[Spoke2]vam client name Spoke2
[Spoke2-vam-client-Spoke2]advpn-domain advpn
[Spoke2-vam-client-Spoke2]pre-shared-key simple 123456
[Spoke2-vam-client-Spoke2]user spoke2 password simple spoke2
[Spoke2-vam-client-Spoke2]server primary ip-address 202.101.100.100
[Spoke2-vam-client-Spoke2]client enable 
[Spoke2-vam-client-Spoke2]quit

IPSec security policy

[Spoke2]ike keychain advpn
[Spoke2-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-advpn]quit

[Spoke2]ike profile advpn
[Spoke2-ike-profile-advpn]keychain advpn
[Spoke2-ike-profile-advpn]quit

[Spoke2]ipsec transform-set advpn
[Spoke2-ipsec-transform-set-advpn]encapsulation-mode transport 
[Spoke2-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Spoke2-ipsec-transform-set-advpn]esp authentication-algorithm md5
[Spoke2-ipsec-transform-set-advpn]quit

[Spoke2]ipsec profile advpn isakmp 
[Spoke2-ipsec-profile-isakmp-advpn]transform-set advpn
[Spoke2-ipsec-profile-isakmp-advpn]ike-profile advpn
[Spoke2-ipsec-profile-isakmp-advpn]quit

Configure the ADVPN tunnel

[Spoke2]ospf 1
[Spoke2-ospf-1]area 0
[Spoke2-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0]quit
[Spoke2-ospf-1]quit

[Spoke2]int Tunnel1 mode advpn gre 
[Spoke2-Tunnel1]ip address 10.255.1.3 24
[Spoke2-Tunnel1]source g1/0
[Spoke2-Tunnel1]vam client Spoke2
[Spoke2-Tunnel1]ospf dr-priority 0
[Spoke2-Tunnel1]ospf network-type broadcast 
[Spoke2-Tunnel1]tunnel protection ipsec profile advpn
[Spoke2-Tunnel1]quit

AAA server (Win7)

Configure the IP address and gateway

Ping succeeds

WinRadius configuration

Multiple secrets

Add the local users used for authentication

View the WinRadius log

After the local users were added, both the Hub and the Spokes passed authentication.

Checks

View the VAM Client mappings registered on the VAM Server

View the IPv4 ADVPN tunnel information on the Hub

View the IPv4 ADVPN tunnel information on a Spoke

View the IPv4 ADVPN tunnel information on a Spoke (during Spoke-to-Spoke data exchange)

View the routing tables of the Hub and the Spokes

From: https://blog.csdn.net/2301_77161465/article/details/142719250
