Software version: 1.14.0 build 27[4898f3c54] (date 13/10/2021 time 11:03:09)
Hardware version: 1v9
I am interested in the possibility of building a DMVPN where the spoke has a dynamic external IP behind NAT.
I assumed that in this case the tunnel gre should be given not a local address but a local interface facing the provider, and likewise the security ike gateway; but when I try to apply the settings, it complains that security ike gateway still requires a local network to be specified, and here it is not quite clear what exactly to specify in that case. The external IP can change and it is behind NAT; should I specify the internal one (e.g. local network 192.168.0.254/32 protocol gre)?
Is this achievable on an ESR at all?
On the ESR-200 (Spoke), the main settings:
interface gigabitethernet 1/0/2
  description "ISP-2"
  security-zone untrusted
  ip address 192.168.0.254/24
exit
object-group network dmvpnHUB
  ip address-range ###.###.###.###
exit
tunnel gre 1
  ttl 16
  mtu 1416
  multipoint
  ip firewall disable
  local interface gigabitethernet 1/0/2
  ip address 10.10.0.2/27
  ip ospf instance 1
  ip ospf area 10.10.0.0
  ip ospf priority 0
  ip ospf
  ip nhrp holding-time 300
  ip nhrp map 10.10.0.1 ###.###.###.###
  ip nhrp nhs 10.10.0.1/27
  ip nhrp ipsec ipsec_hub static
  ip nhrp ipsec ipsec_spoke dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
  rule 10
    action permit
    match protocol gre
    enable
  exit
  rule 11
    action permit
    match protocol esp
    enable
  exit
  rule 12
    action permit
    match protocol ah
    enable
  exit
  rule 30
    description "IPSec"
    action permit
    match protocol udp
    match source-address dmvpnHUB
    enable
  exit
  rule 31
    description "ICMP"
    action permit
    match protocol icmp
    match source-address dmvpnHUB
    enable
  exit
exit
security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted ###################
  proposal ike_prop
exit
security ike gateway ike_spoke
  ike-policy ike_pol
  local interface gigabitethernet 1/0/2
  local network 192.168.0.254/32 protocol gre
  remote address any
  remote network any
  mode policy-based
exit
security ike gateway ike_hub
  ike-policy ike_pol
  local interface gigabitethernet 1/0/2
  local network 192.168.0.254/32 protocol gre
  remote address ###.###.###.###
  remote network ###.###.###.###/32 protocol gre
  mode policy-based
exit
security ipsec vpn ipsec_spoke
  mode ike
  ike establish-tunnel route
  ike gateway ike_spoke
  ike ipsec-policy ipsec_pol
  enable
exit
security ipsec vpn ipsec_hub
  mode ike
  ike establish-tunnel route
  ike gateway ike_hub
  ike ipsec-policy ipsec_pol
  enable
exit
ip route 0.0.0.0/0 192.168.0.1
On the ESR-1200 (Hub):
vlan 4
  name "ISP-1"
exit
bridge 4
  vlan 4
  security-zone untrusted
  ip address dhcp
  enable
exit
interface gigabitethernet 1/0/1
  description "ISP-1"
  mode hybrid
  security-zone untrusted
  switchport forbidden default-vlan
  switchport general pvid 4
  switchport general allowed vlan add 4 untagged
  ip address ###.###.###.###/30
exit
tunnel gre 1
  ttl 16
  mtu 1416
  multipoint
  security-zone untrusted
  local address ###.###.###.###
  ip address 10.10.0.1/27
  ip ospf instance 1
  ip ospf area 10.10.0.0
  ip ospf priority 255
  ip ospf
  ip nhrp ipsec ipsec_spoke dynamic
  ip nhrp multicast dynamic
  ip nhrp enable
  enable
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
  rule 10
    action permit
    match protocol gre
    enable
  exit
  rule 11
    action permit
    match protocol esp
    enable
  exit
  rule 12
    action permit
    match protocol ah
    enable
  exit
exit
security ike proposal ike_prop
  authentication algorithm md5
  encryption algorithm aes128
  dh-group 2
exit
security ike policy ike_pol
  pre-shared-key ascii-text encrypted ###################
  proposal ike_prop
exit
security ike gateway ike_spoke
  ike-policy ike_pol
  local address ###.###.###.###
  local network ###.###.###.###/32 protocol gre
  remote address any
  remote network any
  mode policy-based
exit
security ipsec proposal ipsec_prop
  authentication algorithm md5
  encryption algorithm aes128
  pfs dh-group 2
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_spoke
  mode ike
  ike establish-tunnel route
  ike gateway ike_spoke
  ike ipsec-policy ipsec_pol
  enable
exit
ip route 0.0.0.0/0 ###.###.###.###
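Added example (not from the post, Eltex, or the ESR firmware): a small Python audit that splits an ESR-style config snippet into its security sections, flags the proposal settings a reviewer would question in both configs above (MD5 integrity, DH group 2), and reports any ike gateway, ike policy or ipsec policy that is referenced but not defined in the snippet, as ipsec_pol is in the spoke excerpt. The weak-setting list is an assumed review policy, and the sample input is constructed from the spoke's security sections.

```python
import re
# Audited ESR contexts; any other top-level keyword closes the current one (no "exit" counting,
# so pasted snippets that omit some "exit" lines, as the spoke config does, still parse).
AUDITED = ("security ike proposal", "security ike policy", "security ike gateway",
           "security ipsec proposal", "security ipsec policy", "security ipsec vpn")
OTHER_TOP = ("security", "tunnel", "interface", "object-group", "vlan", "bridge", "ip route")
# Proposal settings flagged as weak (assumed review policy, not an ESR rule).
WEAK = {r"^authentication algorithm md5$": "MD5 integrity",
        r"^(pfs )?dh-group (1|2|5)$": "DH group below 2048-bit"}
# (section prefix, body keyword) -> prefix of the section that must define that name.
REFS = {("security ike policy", "proposal"): "security ike proposal",
        ("security ike gateway", "ike-policy"): "security ike policy",
        ("security ipsec vpn", "ike gateway"): "security ike gateway",
        ("security ipsec vpn", "ike ipsec-policy"): "security ipsec policy"}

def parse_sections(config):  # audited header -> body lines; nested "exit" is ignored
    sections, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith(AUDITED):
            current, sections[line] = line, []
        elif line.startswith(OTHER_TOP):
            current = None
        elif current and line not in ("", "exit"):
            sections[current].append(line)
    return sections

def audit(config):  # weak proposal settings plus names referenced but never defined
    sections, findings = parse_sections(config), []
    for header, body in sections.items():
        if header.startswith(("security ike proposal", "security ipsec proposal")):
            findings += [f"{header}: weak '{line}' ({why})" for line in body
                         for pat, why in WEAK.items() if re.match(pat, line)]
        for (prefix, keyword), target in REFS.items():
            for line in (l for l in body if header.startswith(prefix) and l.startswith(keyword + " ")):
                if (name := f"{target} {line[len(keyword) + 1:]}") not in sections:
                    findings.append(f"{header}: references undefined '{name}'")
    return findings

# Constructed sample: the spoke's security sections abridged from the post, "exit"s and PSK dropped.
SPOKE_SNIPPET = """\
security ike proposal ike_prop
authentication algorithm md5
encryption algorithm aes128
dh-group 2
security ike policy ike_pol
proposal ike_prop
security ike gateway ike_hub
ike-policy ike_pol
security ipsec vpn ipsec_hub
ike gateway ike_hub
ike ipsec-policy ipsec_pol
"""
```

Running `audit(SPOKE_SNIPPET)` returns three findings: the two weak settings in ike_prop and the undefined `security ipsec policy ipsec_pol` referenced by ipsec_hub.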