changxing 站点分别与 chengdu 和 aliyun 建立 VPN 隧道,使 vpc 和 vpc6 能够通信(192.168.1.0/24 与 192.168.3.0/24 之间的流量经 changxing 在两条隧道之间中转)。
changxing 站点配置:
Router#sh run
Building configuration...
Current configuration : 2715 bytes
!
! Last configuration change at 14:41:58 EET Mon Aug 2 2021
!
! Global settings from the running-config (IOS 15.4).
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password obfuscation is off, and the IKEv2 pre-shared keys further
! down are printed in cleartext by "show run". For keyring keys, type 6 encryption
! ("key config-key password-encrypt" plus "password encryption aes") is the
! stronger option.
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
! NOTE(review): AAA is disabled and no "enable secret" line appears anywhere in this
! configuration; in the console capture, "en" reaches Router# with no password prompt.
no aaa new-model
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
! IKEv2 proposal used for both peers, attached through policy qyt-policy below.
! Several algorithms are offered per category and negotiation picks one of each.
! NOTE(review): 3des and DH groups 2 (1024-bit) and 5 (1536-bit) are legacy choices.
! The "show crypto ikev2 sa" output in this capture reports Encr: 3DES and DH Grp:2
! for both tunnels, so the weakest offered options are the ones in use even though
! aes-cbc-256 and group 14 are also listed.
! Hardening: offer only aes-cbc-256 (or an AES-GCM suite) with group 14 or higher,
! and make the same change on both peers so negotiation still succeeds.
crypto ikev2 proposal qyt-proposal
encryption 3des aes-cbc-256
integrity sha256 sha512
group 2 5 14
!
crypto ikev2 policy qyt-policy
proposal qyt-proposal
!
! One keyring per peer: qyt-key for chengdu (172.16.12.1), qyt-key2 for aliyun
! (172.16.45.5). Each holds the pre-shared key used to authenticate that peer.
! NOTE(review): both peers use the same trivial key "cisco", and it is stored and
! displayed in cleartext. With PSK authentication the key is the only thing that
! proves peer identity, so a guessable key lets anyone who can reach UDP/500
! from the peer's address complete authentication. Use a long random key that is
! unique per peer (or certificate authentication), and treat the value shown here
! as a lab placeholder only.
crypto ikev2 keyring qyt-key
peer chengdu
address 172.16.12.1
pre-shared-key cisco
!
!
crypto ikev2 keyring qyt-key2
peer aliyun
address 172.16.45.5
pre-shared-key cisco
!
!
!
! IKEv2 profiles, one per tunnel. Each profile:
!   - matches exactly one remote identity (host mask 255.255.255.255),
!   - presents the local address of the interface facing that peer as its identity,
!   - authenticates in both directions with a pre-shared key,
!   - takes that key from the keyring named on the last line.
! qyt-profile  -> chengdu, local identity 172.16.23.3, keyring qyt-key
crypto ikev2 profile qyt-profile
match identity remote address 172.16.12.1 255.255.255.255
identity local address 172.16.23.3
authentication remote pre-share
authentication local pre-share
keyring local qyt-key
!
! qyt-profile2 -> aliyun, local identity 172.16.34.3, keyring qyt-key2
crypto ikev2 profile qyt-profile2
match identity remote address 172.16.45.5 255.255.255.255
identity local address 172.16.34.3
authentication remote pre-share
authentication local pre-share
keyring local qyt-key2
!
!
!
! ESP transform sets offered for the data-plane (child) SAs, both in tunnel mode.
! NOTE(review): qyt-trans1 is single DES (56-bit key) with HMAC-MD5, and qyt-trans2
! is 3DES with HMAC-SHA256. qyt-trans1 is listed first in both crypto maps, so it is
! presumably the preferred offer; the capture does not include "show crypto ipsec sa",
! so which set was actually negotiated cannot be confirmed from this page.
! Hardening: drop qyt-trans1 and replace both with an AES-based set (for example
! esp-aes 256 with esp-sha256-hmac), changed on both peers together.
crypto ipsec transform-set qyt-trans1 esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set qyt-trans2 esp-3des esp-sha256-hmac
mode tunnel
!
!
!
! Crypto maps tie together peer address, transform sets, IKEv2 profile and the ACL
! that selects which traffic is encrypted.
! qyt-map  -> chengdu (172.16.12.1), interesting traffic = ACL "vpn"
! NOTE(review): no "set pfs" line is present in either map, so child-SA rekeys are
! not configured to run a fresh Diffie-Hellman exchange.
crypto map qyt-map 10 ipsec-isakmp
set peer 172.16.12.1
set transform-set qyt-trans1 qyt-trans2
set ikev2-profile qyt-profile
match address vpn
!
! qyt-map2 -> aliyun (172.16.45.5), interesting traffic = ACL "vpn1"
crypto map qyt-map2 10 ipsec-isakmp
set peer 172.16.45.5
set transform-set qyt-trans1 qyt-trans2
set ikev2-profile qyt-profile2
match address vpn1
!
!
!
!
!
! Local LAN of this site (192.168.2.0/24); no crypto map, traffic here is cleartext.
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
!
! Link toward aliyun (next hop 172.16.34.4 in the static routes); qyt-map2 is applied
! here, so packets matching ACL "vpn1" leaving this interface are encrypted.
interface Ethernet0/1
ip address 172.16.34.3 255.255.255.0
crypto map qyt-map2
!
! Link toward chengdu (next hop 172.16.23.2 in the static routes); qyt-map is applied
! here, so packets matching ACL "vpn" leaving this interface are encrypted.
interface Ethernet0/2
ip address 172.16.23.3 255.255.255.0
crypto map qyt-map
!
! Unused port, administratively down.
interface Ethernet0/3
no ip address
shutdown
!
ip forward-protocol nd
!
!
! Both the HTTP and HTTPS management servers are disabled.
no ip http server
no ip http secure-server
! Static routes: peer transit networks and the two remote LANs, each pointed at the
! next hop on the interface carrying the matching crypto map.
ip route 172.16.12.0 255.255.255.0 172.16.23.2
ip route 172.16.45.0 255.255.255.0 172.16.34.4
ip route 192.168.1.0 255.255.255.0 172.16.23.2
ip route 192.168.3.0 255.255.255.0 172.16.34.4
!
! Crypto ACL for the chengdu tunnel. First entry: local LAN -> chengdu LAN.
! Second entry: aliyun LAN -> chengdu LAN, which makes this router relay
! site-to-site traffic from one tunnel into the other.
! NOTE(review): relayed packets are decrypted and re-encrypted on this router, so
! they exist in cleartext here. No interface ACL or other filter is visible in this
! configuration, so whatever arrives from one remote LAN is forwarded to the other.
ip access-list extended vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
! Crypto ACL for the aliyun tunnel: local LAN -> aliyun LAN, and chengdu LAN ->
! aliyun LAN (the return direction of the relay described above).
ip access-list extended vpn1
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
! Console line: only "logging synchronous" is set; no login or password is
! configured, so console access is unauthenticated.
line con 0
logging synchronous
line aux 0
! VTY lines: "transport input none" accepts no inbound protocol, so remote
! login is disabled. "login" is set but no password line is shown.
line vty 0 4
login
transport input none
!
!
end
Router#sh cryp
Router#sh crypto ike
Router#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         172.16.23.3/500       172.16.12.1/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/286 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.16.34.3/500       172.16.45.5/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/288 sec
IPv6 Crypto IKEv2 SA
Router#sh crypto ikev2 se
Router#sh crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         172.16.23.3/500       172.16.12.1/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/288 sec
Child sa: local selector  192.168.3.0/0 - 192.168.3.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x7E9D92B9/0x7A5920C7
Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.16.34.3/500       172.16.45.5/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/290 sec
Child sa: local selector  192.168.1.0/0 - 192.168.1.255/65535
          remote selector 192.168.3.0/0 - 192.168.3.255/65535
          ESP spi in/out: 0x2F6FF4AC/0xB13E5C6D
IPv6 Crypto IKEv2 Session
Router#
Router con0 is now available
Press RETURN to get started.
Router>
Router>
Router>
Router>
Router>
Router>en
Router#
Router#sh run
Building configuration...
Current configuration : 2715 bytes
!
! Last configuration change at 14:41:58 EET Mon Aug 2 2021
!
! Global settings, second "show run" in this capture (IOS 15.4).
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): secrets in this configuration are stored and displayed in cleartext;
! type 6 key encryption ("password encryption aes") would protect the IKEv2 keys.
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
! NOTE(review): AAA is off and no "enable secret" line exists in this configuration;
! "en" just above reached Router# without a password prompt.
no aaa new-model
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
! IKEv2 proposal shared by both tunnels, referenced by policy qyt-policy.
! NOTE(review): 3des and DH groups 2 and 5 are legacy options, and the IKEv2 SA
! output in this capture shows 3DES with DH group 2 in use on both tunnels.
! Restricting the proposal to aes-cbc-256 (or AES-GCM) and group 14 or higher, on
! both peers, removes the downgrade path.
crypto ikev2 proposal qyt-proposal
encryption 3des aes-cbc-256
integrity sha256 sha512
group 2 5 14
!
crypto ikev2 policy qyt-policy
proposal qyt-proposal
!
! Per-peer keyrings holding the IKEv2 pre-shared keys for chengdu and aliyun.
! NOTE(review): the same dictionary-word key "cisco" is used for both peers and is
! visible in cleartext. A long random key unique to each peer, or certificate
! authentication, is the appropriate replacement outside a lab.
crypto ikev2 keyring qyt-key
peer chengdu
address 172.16.12.1
pre-shared-key cisco
!
!
crypto ikev2 keyring qyt-key2
peer aliyun
address 172.16.45.5
pre-shared-key cisco
!
!
!
! Profile for the chengdu tunnel: accepts only remote identity 172.16.12.1,
! identifies itself as 172.16.23.3, PSK in both directions from keyring qyt-key.
crypto ikev2 profile qyt-profile
match identity remote address 172.16.12.1 255.255.255.255
identity local address 172.16.23.3
authentication remote pre-share
authentication local pre-share
keyring local qyt-key
!
! Profile for the aliyun tunnel: accepts only remote identity 172.16.45.5,
! identifies itself as 172.16.34.3, PSK in both directions from keyring qyt-key2.
crypto ikev2 profile qyt-profile2
match identity remote address 172.16.45.5 255.255.255.255
identity local address 172.16.34.3
authentication remote pre-share
authentication local pre-share
keyring local qyt-key2
!
!
!
! ESP transform sets for the child SAs (tunnel mode).
! NOTE(review): qyt-trans1 pairs single DES with HMAC-MD5 and qyt-trans2 uses 3DES;
! neither is an AES-based set. The negotiated ESP transform is not shown in this
! capture ("show crypto ipsec sa" would report it).
crypto ipsec transform-set qyt-trans1 esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set qyt-trans2 esp-3des esp-sha256-hmac
mode tunnel
!
!
!
! Crypto map for the chengdu tunnel: peer, offered transform sets (DES/MD5 set listed
! first), IKEv2 profile, and crypto ACL "vpn".
! NOTE(review): neither map contains a "set pfs" line.
crypto map qyt-map 10 ipsec-isakmp
set peer 172.16.12.1
set transform-set qyt-trans1 qyt-trans2
set ikev2-profile qyt-profile
match address vpn
!
! Crypto map for the aliyun tunnel, same structure with crypto ACL "vpn1".
crypto map qyt-map2 10 ipsec-isakmp
set peer 172.16.45.5
set transform-set qyt-trans1 qyt-trans2
set ikev2-profile qyt-profile2
match address vpn1
!
!
!
!
!
! Local LAN, 192.168.2.0/24, no crypto map.
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
!
! Outside interface for the aliyun tunnel (crypto map qyt-map2).
interface Ethernet0/1
ip address 172.16.34.3 255.255.255.0
crypto map qyt-map2
!
! Outside interface for the chengdu tunnel (crypto map qyt-map).
interface Ethernet0/2
ip address 172.16.23.3 255.255.255.0
crypto map qyt-map
!
! Unused, shut down.
interface Ethernet0/3
no ip address
shutdown
!
ip forward-protocol nd
!
!
! HTTP/HTTPS management servers disabled.
no ip http server
no ip http secure-server
! Static routes to the peer networks and the two remote LANs.
ip route 172.16.12.0 255.255.255.0 172.16.23.2
ip route 172.16.45.0 255.255.255.0 172.16.34.4
ip route 192.168.1.0 255.255.255.0 172.16.23.2
ip route 192.168.3.0 255.255.255.0 172.16.34.4
!
! Crypto ACL "vpn" (chengdu tunnel): local LAN and aliyun LAN toward 192.168.1.0/24.
! NOTE(review): the second entry of each ACL turns this router into a relay between
! the two remote LANs; that traffic is in cleartext while it crosses this device and
! no filtering between the sites is visible in this configuration.
ip access-list extended vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
! Crypto ACL "vpn1" (aliyun tunnel): local LAN and chengdu LAN toward 192.168.3.0/24.
ip access-list extended vpn1
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
! Console has no login or password configured.
line con 0
logging synchronous
line aux 0
! Remote login over VTY is disabled by "transport input none".
line vty 0 4
login
transport input none
!
!
end
Router#sh cr
Router#sh cryp
Router#sh crypto ike
Router#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         172.16.23.3/500       172.16.12.1/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/961 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.16.34.3/500       172.16.45.5/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/963 sec
IPv6 Crypto IKEv2 SA
Router#sh crypto ikev2 se
Router#sh crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         172.16.23.3/500       172.16.12.1/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/964 sec
Child sa: local selector  192.168.3.0/0 - 192.168.3.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x7E9D92B9/0x7A5920C7
Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.16.34.3/500       172.16.45.5/500       none/none            READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/966 sec
Child sa: local selector  192.168.1.0/0 - 192.168.1.255/65535
          remote selector 192.168.3.0/0 - 192.168.3.255/65535
          ESP spi in/out: 0x2F6FF4AC/0xB13E5C6D
IPv6 Crypto IKEv2 Session
Router#