#!/usr/bin/clish
#11
hostname 1700-ipsec
ip firewall sessions classification enable
tech-support login enable
root login enable
syslog max-files 10
syslog file-size 512
syslog file flash:syslog/messages info
syslog host logger 101.0.0.24 info udp 514
syslog console none
syslog monitor debug
Введение
При использовании аппаратных EoGRE в 1.4.1 на ESR1200/1700 требуется, чтобы пакеты GRE попадали на роутер через физический интерфейс. Пакет GRE, распакованный из IPsec, появится сразу в ядре, поэтому его надо выпустить и подать обратно на ESR через физический интерфейс. Для этого потребуется вынести терминацию IPsec в отдельный VRF, а затем, соединив петлёй интерфейсы, через которые GRE-пакет будет выходить из VRF IPsec, передавать его в дефолтный VRF ESR. Т.к. эта схема отличается от существующей, потребуется перенастройка ESR1200/1700 OTT для возможности работы в схеме с аппаратными туннелями EoGRE. В версии 1.4.0-OTT реализована работа IPsec в VRF, что позволит сразу выполнить настройку ESR с петлевым интерфейсом и произвести обновление на 1.4.1 без каких-либо изменений в конфигурации.
В приведённой ниже конфигурации предполагается, что аплинком служит интерфейс te1/0/1, через который осуществляется взаимодействие с SoftWLC, подключение ТД OTT и выпуск клиентов в Интернет. Для разграничения IPsec-трафика и подключения ТД OTT используются интерфейсы te1/0/1.4000 и po2, которые находятся в VRF ipsec. Затем интерфейс po2 подключается петлевым соединением (te1/0/2 в te1/0/6, te1/0/3 в te1/0/7) к интерфейсу po6, который находится в дефолтном VRF. Важно, чтобы подсеть терминации GRE-пакетов находилась по отношению к VRF ipsec в таблице маршрутизации как connected-подсеть.
Описание адресации
Настройка ESR
Создаем необходимые группы объектов:
object-group service telnet
port-range 23
exit
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service ntp
port-range 123
exit
object-group service ipsec_ports
port-range 500
port-range 4500
exit
object-group service snmp
port-range 161-162
exit
object-group service COA
port-range 3799
port-range 31812-31813
exit
object-group network SoftWLC
ip address-range 101.0.0.24
exit
object-group network ipsec_remote_address
ip prefix 172.31.0.0/21
exit
object-group network gre_termination
ip prefix 192.168.7.0/29
exit
object-group network mgmt_AP
ip prefix 10.2.0.0/21
exit
object-group network clients_AP
ip prefix 172.31.236.0/22
ip prefix 172.31.240.0/22
ip prefix 172.31.244.0/22
ip prefix 172.31.248.0/22
exit
object-group url defaultserv
url http://eltex-co.ru
exit
ip vrf ipsec1
exit
Создаем VRF ipsec1:
ip vrf ipsec1
exit
Настраиваем взаимодействие с радиус-сервером:
radius-server timeout 10
radius-server retransmit 5
radius-server host 101.0.0.24
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 11
priority 20
source-address 10.255.0.2
auth-port 31812
acct-port 31813
retransmit 10
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 101.0.0.24
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
Создаем vlan 5
force-up
exit
vlan 7
name "mgmt"
:
vlan 5
force-up
exit
vlan 6
force-up
exit
vlan 7
force-up
exit
vlan 104
force-up
exit
vlan 4000
force-up
exit
vlan 50,1109,3993,3995-3996
exit
Создаем зоны безопасности:
security zone trusted
exit
security zone user
exit
security zone gre
exit
security zone ipsec
ip vrf forwarding ipsec1
exit
security zone untrusted
exit
security zone gre-vrf1
ip vrf forwarding ipsec1
exit
security zone trusted1
ip vrf forwarding ipsec1
exit
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port 8080
enable
exit
rule 5
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port 9000
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-address any
match destination-address any
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match source-address any
match destination-address any
match source-port any
match destination-port 53
enable
exit
exit
subscriber-control filters-server-url http://101.0.0.24:7070/filters/file
subscriber-control apps-server-url http://101.0.0.24:7070/apps/file
subscriber-control
aaa das-profile COA
aaa sessions-radius-profile PCRF
aaa services-radius-profile PCRF
nas-ip-address 10.255.0.2
session mac-authentication
bypass-traffic-acl unauthUSER
ip proxy http listen-ports bras_proxi_http
ip proxy https listen-ports bras_proxi_https
default-service
class-map unauthUSER
filter-name remote gosuslugi
filter-action permit
default-action redirect http://101.0.0.24:8080/eltex_portal/
session-timeout 600
exit
exit
Настраиваем BGP:
route-map out_BGP_AP
rule 10
match ip address object-group mgmt_AP
action permit
exit
exit
route-map out_BGP_NAT
rule 10
match ip address object-group clients_AP
action permit
exit
exit
router bgp 64534
address-family ipv4
neighbor 10.255.0.1
remote-as 64512
route-map out_BGP_AP out
update-source 10.255.0.2
enable
exit
neighbor 10.255.0.5
remote-as 64512
route-map out_BGP_NAT out
update-source 10.255.0.6
enable
exit
enable
exit
exit
Настраиваем взаимодействие с SNMP-сервером:
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 101.0.0.24
exit
class-map class-internet
match access-group INTERNET
exit
class-map default_rule
match access-group unauthUSER
exit
Настраиваем бриджи в дефолтном VRF для терминации GRE, трафика управления ТД, трафика клиентов ТД:
bridge 5
vlan 5
security-zone gre
ip address 192.168.7.1/29
ip address 192.168.7.2/29
enable
exit
bridge 6
vlan 6
security-zone trusted
ip address 10.2.0.1/21
ip helper-address 101.0.0.24
ip tcp adjust-mss 1312
protected-ports
protected-ports exclude vlan
enable
exit
bridge 7
vlan 7
security-zone user
ip address 172.31.236.1/22
ip helper-address 101.0.0.24
ip tcp adjust-mss 1312
location AP1
protected-ports
protected-ports exclude vlan
enable
exit
bridge 8
vlan 102
security-zone user
ip address 172.31.240.1/22
ip helper-address 101.0.0.24
ip tcp adjust-mss 1312
location AP2
protected-ports
protected-ports exclude vlan
enable
exit
bridge 9
vlan 103
security-zone user
ip address 172.31.244.1/22
ip helper-address 101.0.0.24
ip tcp adjust-mss 1312
location AP3
protected-ports
protected-ports exclude vlan
enable
exit
bridge 10
vlan 104
security-zone user
ip address 172.31.248.1/22
ip helper-address 101.0.0.24
ip tcp adjust-mss 1312
location AP4
protected-ports
protected-ports exclude vlan
enable
exit
Настраиваем петлевой интерфейс в VRF ipsec1; обратите внимание, что его адрес находится в подсети адресов терминации GRE-пакетов:
interface port-channel 2
ip vrf forwarding ipsec1
speed 10G
security-zone gre-vrf1
ip address 192.168.7.3/29
exit
Настраиваем петлевой интерфейс в дефолтном VRF, через который GRE пакеты будут попадать в bridge 5, который терминирует GRE:
interface port-channel 6
speed 10G
switchport forbidden default-vlan
switchport general pvid 5
switchport general allowed vlan add 5 untagged
exit
interface gigabitethernet 1/0/1
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
exit
interface gigabitethernet 1/0/1.2
security-zone trusted
ip address 192.168.110.37/24
exit
interface gigabitethernet 1/0/2
switchport forbidden default-vlan
switchport general pvid 104
switchport general allowed vlan add 104 untagged
exit
interface gigabitethernet 1/0/3
shutdown
security-zone trusted
ip firewall disable
exit
interface gigabitethernet 1/0/4
shutdown
security-zone trusted
ip firewall disable
exit
Настраиваем интерфейс аплинка:
interface tengigabitethernet 1/0/1
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
exit
Настраиваем стыковый интерфейс в сторону SoftWLC:
interface tengigabitethernet 1/0/1.601
description "mgmt_SoftWLC"
security-zone trusted
ip address 10.255.0.2/30
exit
Настраиваем стыковый интерфейс в сторону NAT, через который будем выпускать клиентов в интернет:
interface tengigabitethernet 1/0/1.602
description "clients_to_inet"
security-zone untrusted
ip address 10.255.0.6/30
exit
Настраиваем стыковый интерфейс с белым IP для подключения ТД OTT через сеть Интернет, он будет находиться в VRF ipsec1:
interface tengigabitethernet 1/0/1.4000
ip vrf forwarding ipsec1
security-zone ipsec
ip address 188.237.154.25/31
exit
Добавляем в интерфейс PO 2 физические интерфейсы:
interface tengigabitethernet 1/0/2
channel-group 2 mode auto
exit
interface tengigabitethernet 1/0/3
channel-group 2 mode auto
exit
interface tengigabitethernet 1/0/4
shutdown
exit
Добавляем в интерфейс PO 6 физические интерфейсы:
interface tengigabitethernet 1/0/6
channel-group 6 mode auto
exit
interface tengigabitethernet 1/0/7
channel-group 6 mode auto
exit
interface tengigabitethernet 1/0/8
shutdown
exit
interface service-port 1
source interface te1/0/1-2,hp1/0/1
target interface te1/0/1-2
exit
Настраиваем softgre-туннели:
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.7.1
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 6
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.7.2
default-profile
enable
exit
Включаем в port-channel балансировку по ip src, dst, port:
port-channel load-balance src-dst-ip-port
Настраиваем политики безопасности:
security zone-pair trusted self
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair user self
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port redirect
enable
exit
exit
security zone-pair gre self
rule 10
action permit
match protocol any
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair user trusted
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair ipsec self
rule 1
action permit
match protocol icmp
match source-address any
match destination-address any
enable
exit
rule 11
action permit
match protocol udp
match source-address any
match destination-address any
match source-port any
match destination-port ipsec_ports
enable
exit
rule 12
action permit
match protocol esp
match source-address any
match destination-address any
enable
exit
rule 13
action permit
match protocol gre
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
rule 14
action permit
match protocol icmp
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair trusted trusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair user untrusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair untrusted self
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol icmp
match source-address any
match destination-address any
enable
exit
exit
security zone-pair ipsec gre-vrf1
rule 10
action permit
match protocol any
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair gre-vrf1 ipsec
rule 10
action permit
match protocol any
match source-address gre_termination
match destination-address ipsec_remote_address
enable
exit
exit
security zone-pair gre-vrf1 self
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair trusted untrusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
Создаем пул адресов и параметров, выдаваемых ТД по mode config:
address-assignment pool ipsec_pool_1
ip prefix 172.31.0.0/21
data-tunnel address 192.168.7.2
management-tunnel address 192.168.7.1
exit
user user1
password ascii-text encrypted 88B11079B9014FAA
exit
user user10
password ascii-text encrypted 88B11079B9014FAAF5
exit
user user100
password ascii-text encrypted 88B11079B9014FAAF5BA
exit
user user101
password ascii-text encrypted 88B11079B9014FAAF5BB
exit
user user102
password ascii-text encrypted 88B11079B9014FAAF5B8
exit
user user103
password ascii-text encrypted 88B11079B9014FAAF5B9
exit
user user104
password ascii-text encrypted 88B11079B9014FAAF5BE
exit
user user105
password ascii-text encrypted 88B11079B9014FAAF5BF
exit
user user106
password ascii-text encrypted 88B11079B9014FAAF5BC
exit
user user107
password ascii-text encrypted 88B11079B9014FAAF5BD
exit
user user108
password ascii-text encrypted 88B11079B9014FAAF5B2
exit
user user109
password ascii-text encrypted 88B11079B9014FAAF5B3
exit
user user11
password ascii-text encrypted 88B11079B9014FAAF4
exit
user user110
password ascii-text encrypted 88B11079B9014FAAF4BA
exit
user user111
password ascii-text encrypted 88B11079B9014FAAF4BB
exit
user user112
password ascii-text encrypted 88B11079B9014FAAF4B8
exit
user user113
password ascii-text encrypted 88B11079B9014FAAF4B9
exit
user user114
password ascii-text encrypted 88B11079B9014FAAF4BE
exit
user user115
password ascii-text encrypted 88B11079B9014FAAF4BF
exit
user user116
password ascii-text encrypted 88B11079B9014FAAF4BC
exit
user user117
password ascii-text encrypted 88B11079B9014FAAF4BD
exit
user user118
password ascii-text encrypted 88B11079B9014FAAF4B2
exit
user user119
password ascii-text encrypted 88B11079B9014FAAF4B3
exit
user user12
password ascii-text encrypted 88B11079B9014FAAF7
exit
user user120
password ascii-text encrypted 88B11079B9014FAAF7BA
exit
user user121
password ascii-text encrypted 88B11079B9014FAAF7BB
exit
user user122
password ascii-text encrypted 88B11079B9014FAAF7B8
exit
user user123
password ascii-text encrypted 88B11079B9014FAAF7B9
exit
user user124
password ascii-text encrypted 88B11079B9014FAAF7BE
exit
user user125
password ascii-text encrypted 88B11079B9014FAAF7BF
exit
user user126
password ascii-text encrypted 88B11079B9014FAAF7BC
exit
user user127
password ascii-text encrypted 88B11079B9014FAAF7BD
exit
user user128
password ascii-text encrypted 88B11079B9014FAAF7B2
exit
user user129
password ascii-text encrypted 88B11079B9014FAAF7B3
exit
user user13
password ascii-text encrypted 88B11079B9014FAAF6
exit
user user130
password ascii-text encrypted 88B11079B9014FAAF6BA
exit
user user131
password ascii-text encrypted 88B11079B9014FAAF6BB
exit
user user132
password ascii-text encrypted 88B11079B9014FAAF6B8
exit
user user133
password ascii-text encrypted 88B11079B9014FAAF6B9
exit
user user134
password ascii-text encrypted 88B11079B9014FAAF6BE
exit
user user135
password ascii-text encrypted 88B11079B9014FAAF6BF
exit
user user136
password ascii-text encrypted 88B11079B9014FAAF6BC
exit
user user137
password ascii-text encrypted 88B11079B9014FAAF6BD
exit
user user138
password ascii-text encrypted 88B11079B9014FAAF6B2
exit
user user139
password ascii-text encrypted 88B11079B9014FAAF6B3
exit
user user14
password ascii-text encrypted 88B11079B9014FAAF1
exit
user user140
password ascii-text encrypted 88B11079B9014FAAF1BA
exit
user user141
password ascii-text encrypted 88B11079B9014FAAF1BB
exit
user user142
password ascii-text encrypted 88B11079B9014FAAF1B8
exit
user user143
password ascii-text encrypted 88B11079B9014FAAF1B9
exit
user user144
password ascii-text encrypted 88B11079B9014FAAF1BE
exit
user user145
password ascii-text encrypted 88B11079B9014FAAF1BF
exit
user user146
password ascii-text encrypted 88B11079B9014FAAF1BC
exit
user user147
password ascii-text encrypted 88B11079B9014FAAF1BD
exit
user user148
password ascii-text encrypted 88B11079B9014FAAF1B2
exit
user user149
password ascii-text encrypted 88B11079B9014FAAF1B3
exit
user user15
password ascii-text encrypted 88B11079B9014FAAF0
exit
user user150
password ascii-text encrypted 88B11079B9014FAAF0BA
exit
user user151
password ascii-text encrypted 88B11079B9014FAAF0BB
exit
user user152
password ascii-text encrypted 88B11079B9014FAAF0B8
exit
user user153
password ascii-text encrypted 88B11079B9014FAAF0B9
exit
user user154
password ascii-text encrypted 88B11079B9014FAAF0BE
exit
user user155
password ascii-text encrypted 88B11079B9014FAAF0BF
exit
user user156
password ascii-text encrypted 88B11079B9014FAAF0BC
exit
user user157
password ascii-text encrypted 88B11079B9014FAAF0BD
exit
user user158
password ascii-text encrypted 88B11079B9014FAAF0B2
exit
user user159
password ascii-text encrypted 88B11079B9014FAAF0B3
exit
user user16
password ascii-text encrypted 88B11079B9014FAAF3
exit
user user160
password ascii-text encrypted 88B11079B9014FAAF3BA
exit
user user161
password ascii-text encrypted 88B11079B9014FAAF3BB
exit
user user162
password ascii-text encrypted 88B11079B9014FAAF3B8
exit
user user163
password ascii-text encrypted 88B11079B9014FAAF3B9
exit
user user164
password ascii-text encrypted 88B11079B9014FAAF3BE
exit
user user165
password ascii-text encrypted 88B11079B9014FAAF3BF
exit
user user166
password ascii-text encrypted 88B11079B9014FAAF3BC
exit
user user167
password ascii-text encrypted 88B11079B9014FAAF3BD
exit
user user168
password ascii-text encrypted 88B11079B9014FAAF3B2
exit
user user169
password ascii-text encrypted 88B11079B9014FAAF3B3
exit
user user17
password ascii-text encrypted 88B11079B9014FAAF2
exit
user user170
password ascii-text encrypted 88B11079B9014FAAF2BA
exit
user user171
password ascii-text encrypted 88B11079B9014FAAF2BB
exit
user user172
password ascii-text encrypted 88B11079B9014FAAF2B8
exit
user user173
password ascii-text encrypted 88B11079B9014FAAF2B9
exit
user user174
password ascii-text encrypted 88B11079B9014FAAF2BE
exit
user user175
password ascii-text encrypted 88B11079B9014FAAF2BF
exit
user user176
password ascii-text encrypted 88B11079B9014FAAF2BC
exit
user user177
password ascii-text encrypted 88B11079B9014FAAF2BD
exit
user user178
password ascii-text encrypted 88B11079B9014FAAF2B2
exit
user user179
password ascii-text encrypted 88B11079B9014FAAF2B3
exit
user user18
password ascii-text encrypted 88B11079B9014FAAFD
exit
user user180
password ascii-text encrypted 88B11079B9014FAAFDBA
exit
user user181
password ascii-text encrypted 88B11079B9014FAAFDBB
exit
user user182
password ascii-text encrypted 88B11079B9014FAAFDB8
exit
user user183
password ascii-text encrypted 88B11079B9014FAAFDB9
exit
user user184
password ascii-text encrypted 88B11079B9014FAAFDBE
exit
user user185
password ascii-text encrypted 88B11079B9014FAAFDBF
exit
user user186
password ascii-text encrypted 88B11079B9014FAAFDBC
exit
user user187
password ascii-text encrypted 88B11079B9014FAAFDBD
exit
user user188
password ascii-text encrypted 88B11079B9014FAAFDB2
exit
user user189
password ascii-text encrypted 88B11079B9014FAAFDB3
exit
user user19
password ascii-text encrypted 88B11079B9014FAAFC
exit
user user190
password ascii-text encrypted 88B11079B9014FAAFCBA
exit
user user191
password ascii-text encrypted 88B11079B9014FAAFCBB
exit
user user192
password ascii-text encrypted 88B11079B9014FAAFCB8
exit
user user193
password ascii-text encrypted 88B11079B9014FAAFCB9
exit
user user194
password ascii-text encrypted 88B11079B9014FAAFCBE
exit
user user195
password ascii-text encrypted 88B11079B9014FAAFCBF
exit
user user196
password ascii-text encrypted 88B11079B9014FAAFCBC
exit
user user197
password ascii-text encrypted 88B11079B9014FAAFCBD
exit
user user198
password ascii-text encrypted 88B11079B9014FAAFCB2
exit
user user199
password ascii-text encrypted 88B11079B9014FAAFCB3
exit
user user2
password ascii-text encrypted 88B11079B9014FA9
exit
user user20
password ascii-text encrypted 88B11079B9014FA9B0
exit
user user200
password ascii-text encrypted 88B11079B9014FA9B0CD
exit
user user201
password ascii-text encrypted 88B11079B9014FA9B0CC
exit
user user202
password ascii-text encrypted 88B11079B9014FA9B0CF
exit
user user203
password ascii-text encrypted 88B11079B9014FA9B0CE
exit
user user204
password ascii-text encrypted 88B11079B9014FA9B0C9
exit
user user205
password ascii-text encrypted 88B11079B9014FA9B0C8
exit
user user206
password ascii-text encrypted 88B11079B9014FA9B0CB
exit
user user207
password ascii-text encrypted 88B11079B9014FA9B0CA
exit
user user208
password ascii-text encrypted 88B11079B9014FA9B0C5
exit
user user209
password ascii-text encrypted 88B11079B9014FA9B0C4
exit
user user21
password ascii-text encrypted 88B11079B9014FA9B1
exit
user user210
password ascii-text encrypted 88B11079B9014FA9B1CD
exit
user user211
password ascii-text encrypted 88B11079B9014FA9B1CC
exit
user user212
password ascii-text encrypted 88B11079B9014FA9B1CF
exit
user user213
password ascii-text encrypted 88B11079B9014FA9B1CE
exit
user user214
password ascii-text encrypted 88B11079B9014FA9B1C9
exit
user user215
password ascii-text encrypted 88B11079B9014FA9B1C8
exit
user user216
password ascii-text encrypted 88B11079B9014FA9B1CB
exit
user user217
password ascii-text encrypted 88B11079B9014FA9B1CA
exit
user user218
password ascii-text encrypted 88B11079B9014FA9B1C5
exit
user user219
password ascii-text encrypted 88B11079B9014FA9B1C4
exit
user user22
password ascii-text encrypted 88B11079B9014FA9B2
exit
user user220
password ascii-text encrypted 88B11079B9014FA9B2CD
exit
user user221
password ascii-text encrypted 88B11079B9014FA9B2CC
exit
user user222
password ascii-text encrypted 88B11079B9014FA9B2CF
exit
user user223
password ascii-text encrypted 88B11079B9014FA9B2CE
exit
user user224
password ascii-text encrypted 88B11079B9014FA9B2C9
exit
user user225
password ascii-text encrypted 88B11079B9014FA9B2C8
exit
user user226
password ascii-text encrypted 88B11079B9014FA9B2CB
exit
user user227
password ascii-text encrypted 88B11079B9014FA9B2CA
exit
user user228
password ascii-text encrypted 88B11079B9014FA9B2C5
exit
user user229
password ascii-text encrypted 88B11079B9014FA9B2C4
exit
user user23
password ascii-text encrypted 88B11079B9014FA9B3
exit
user user230
password ascii-text encrypted 88B11079B9014FA9B3CD
exit
user user231
password ascii-text encrypted 88B11079B9014FA9B3CC
exit
user user232
password ascii-text encrypted 88B11079B9014FA9B3CF
exit
user user233
password ascii-text encrypted 88B11079B9014FA9B3CE
exit
user user234
password ascii-text encrypted 88B11079B9014FA9B3C9
exit
user user235
password ascii-text encrypted 88B11079B9014FA9B3C8
exit
user user236
password ascii-text encrypted 88B11079B9014FA9B3CB
exit
user user237
password ascii-text encrypted 88B11079B9014FA9B3CA
exit
user user238
password ascii-text encrypted 88B11079B9014FA9B3C5
exit
user user239
password ascii-text encrypted 88B11079B9014FA9B3C4
exit
user user24
password ascii-text encrypted 88B11079B9014FA9B4
exit
user user240
password ascii-text encrypted 88B11079B9014FA9B4CD
exit
user user241
password ascii-text encrypted 88B11079B9014FA9B4CC
exit
user user242
password ascii-text encrypted 88B11079B9014FA9B4CF
exit
user user243
password ascii-text encrypted 88B11079B9014FA9B4CE
exit
user user244
password ascii-text encrypted 88B11079B9014FA9B4C9
exit
user user245
password ascii-text encrypted 88B11079B9014FA9B4C8
exit
user user246
password ascii-text encrypted 88B11079B9014FA9B4CB
exit
user user247
password ascii-text encrypted 88B11079B9014FA9B4CA
exit
user user248
password ascii-text encrypted 88B11079B9014FA9B4C5
exit
user user249
password ascii-text encrypted 88B11079B9014FA9B4C4
exit
user user25
password ascii-text encrypted 88B11079B9014FA9B5
exit
user user250
password ascii-text encrypted 88B11079B9014FA9B5CD
exit
user user251
password ascii-text encrypted 88B11079B9014FA9B5CC
exit
user user252
password ascii-text encrypted 88B11079B9014FA9B5CF
exit
user user253
password ascii-text encrypted 88B11079B9014FA9B5CE
exit
user user254
password ascii-text encrypted 88B11079B9014FA9B5C9
exit
user user255
password ascii-text encrypted 88B11079B9014FA9B5C8
exit
user user256
password ascii-text encrypted 88B11079B9014FA9B5CB
exit
user user26
password ascii-text encrypted 88B11079B9014FA9B6
exit
user user27
password ascii-text encrypted 88B11079B9014FA9B7
exit
user user28
password ascii-text encrypted 88B11079B9014FA9B8
exit
user user29
password ascii-text encrypted 88B11079B9014FA9B9
exit
user user3
password ascii-text encrypted 88B11079B9014FA8
exit
user user30
password ascii-text encrypted 88B11079B9014FA85E
exit
user user31
password ascii-text encrypted 88B11079B9014FA85F
exit
user user32
password ascii-text encrypted 88B11079B9014FA85C
exit
user user33
password ascii-text encrypted 88B11079B9014FA85D
exit
user user34
password ascii-text encrypted 88B11079B9014FA85A
exit
user user35
password ascii-text encrypted 88B11079B9014FA85B
exit
user user36
password ascii-text encrypted 88B11079B9014FA858
exit
user user37
password ascii-text encrypted 88B11079B9014FA859
exit
user user38
password ascii-text encrypted 88B11079B9014FA856
exit
user user39
password ascii-text encrypted 88B11079B9014FA857
exit
user user4
password ascii-text encrypted 88B11079B9014FAF
exit
user user40
password ascii-text encrypted 88B11079B9014FAF6A
exit
user user41
password ascii-text encrypted 88B11079B9014FAF6B
exit
user user42
password ascii-text encrypted 88B11079B9014FAF68
exit
user user43
password ascii-text encrypted 88B11079B9014FAF69
exit
user user44
password ascii-text encrypted 88B11079B9014FAF6E
exit
user user45
password ascii-text encrypted 88B11079B9014FAF6F
exit
user user46
password ascii-text encrypted 88B11079B9014FAF6C
exit
user user47
password ascii-text encrypted 88B11079B9014FAF6D
exit
user user48
password ascii-text encrypted 88B11079B9014FAF62
exit
user user49
password ascii-text encrypted 88B11079B9014FAF63
exit
user user5
password ascii-text encrypted 88B11079B9014FAE
exit
user user50
password ascii-text encrypted 88B11079B9014FAEEC
exit
user user51
password ascii-text encrypted 88B11079B9014FAEED
exit
user user52
password ascii-text encrypted 88B11079B9014FAEEE
exit
user user53
password ascii-text encrypted 88B11079B9014FAEEF
exit
user user54
password ascii-text encrypted 88B11079B9014FAEE8
exit
user user55
password ascii-text encrypted 88B11079B9014FAEE9
exit
user user56
password ascii-text encrypted 88B11079B9014FAEEA
exit
user user57
password ascii-text encrypted 88B11079B9014FAEEB
exit
user user58
password ascii-text encrypted 88B11079B9014FAEE4
exit
user user59
password ascii-text encrypted 88B11079B9014FAEE5
exit
user user6
password ascii-text encrypted 88B11079B9014FAD
exit
user user60
password ascii-text encrypted 88B11079B9014FADF1
exit
user user61
password ascii-text encrypted 88B11079B9014FADF0
exit
user user62
password ascii-text encrypted 88B11079B9014FADF3
exit
user user63
password ascii-text encrypted 88B11079B9014FADF2
exit
user user64
password ascii-text encrypted 88B11079B9014FADF5
exit
user user65
password ascii-text encrypted 88B11079B9014FADF4
exit
user user66
password ascii-text encrypted 88B11079B9014FADF7
exit
user user67
password ascii-text encrypted 88B11079B9014FADF6
exit
user user68
password ascii-text encrypted 88B11079B9014FADF9
exit
user user69
password ascii-text encrypted 88B11079B9014FADF8
exit
user user7
password ascii-text encrypted 88B11079B9014FAC
exit
user user70
password ascii-text encrypted 88B11079B9014FAC49
exit
user user71
password ascii-text encrypted 88B11079B9014FAC48
exit
user user72
password ascii-text encrypted 88B11079B9014FAC4B
exit
user user73
password ascii-text encrypted 88B11079B9014FAC4A
exit
user user74
password ascii-text encrypted 88B11079B9014FAC4D
exit
user user75
password ascii-text encrypted 88B11079B9014FAC4C
exit
user user76
password ascii-text encrypted 88B11079B9014FAC4F
exit
user user77
password ascii-text encrypted 88B11079B9014FAC4E
exit
user user78
password ascii-text encrypted 88B11079B9014FAC41
exit
user user79
password ascii-text encrypted 88B11079B9014FAC40
exit
user user8
password ascii-text encrypted 88B11079B9014FA3
exit
user user80
password ascii-text encrypted 88B11079B9014FA369
exit
user user81
password ascii-text encrypted 88B11079B9014FA368
exit
user user82
password ascii-text encrypted 88B11079B9014FA36B
exit
user user83
password ascii-text encrypted 88B11079B9014FA36A
exit
user user84
password ascii-text encrypted 88B11079B9014FA36D
exit
user user85
password ascii-text encrypted 88B11079B9014FA36C
exit
user user86
password ascii-text encrypted 88B11079B9014FA36F
exit
user user87
password ascii-text encrypted 88B11079B9014FA36E
exit
user user88
password ascii-text encrypted 88B11079B9014FA361
exit
user user89
password ascii-text encrypted 88B11079B9014FA360
exit
user user9
password ascii-text encrypted 88B11079B9014FA2
exit
user user90
password ascii-text encrypted 88B11079B9014FA275
exit
user user91
password ascii-text encrypted 88B11079B9014FA274
exit
user user92
password ascii-text encrypted 88B11079B9014FA277
exit
user user93
password ascii-text encrypted 88B11079B9014FA276
exit
user user94
password ascii-text encrypted 88B11079B9014FA271
exit
user user95
password ascii-text encrypted 88B11079B9014FA270
exit
user user96
password ascii-text encrypted 88B11079B9014FA273
exit
user user97
password ascii-text encrypted 88B11079B9014FA272
exit
user user98
password ascii-text encrypted 88B11079B9014FA27D
exit
user user99
password ascii-text encrypted 88B11079B9014FA27C
exit
exit
Настраиваем IKE предложение, политику, шлюз:
security ike proposal dh1_md5_aes128
authentication algorithm md5
encryption algorithm aes128
exit
security ike policy psk_xauth1
lifetime seconds 86400
pre-shared-key ascii-text encrypted 88B11079B9014FAAF7B9
authentication method xauth-psk-key
authentication mode radius
proposal dh1_md5_aes128
...
exit
security ike gateway ike1_from_inet
ike-policy psk_xauth1
local address 188.237.154.25
local network 192.168.7.0/29
remote address any
remote network dynamic pool ipsec_pool_1
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 10
exit
security ike gateway load_test
ike-policy only_psk
local address 188.237.154.25
local network 192.168.7.0/29
remote address any
remote network 10.100.0.0/16
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 60
dead-peer-detection timeout 180
exit
security ike gateway load_test_2
ike-policy only_psk
local address 192.168.108.171
local network 192.168.7.0/29
remote address any
remote network 10.100.0.0/16
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 60
dead-peer-detection timeout 180
exit
security Настраиваем IPsec предложением, политику и VPN. В настройках VPN указыаем, что он работает в VRF ipsec1:
security ipsec proposal md5_aes128_esp
authentication algorithm md5
encryption algorithm aes128
exit
security ipsec policy vpn1_pol1
proposal md5_aes128_esp
exit
security ipsec vpn for_INET_1
mode ike
ip vrf forwarding ipsec1
ike establish-tunnel by-request
ike gateway ike1_from_inet
ike ipsec-policy vpn1_pol1
enable
exit
security ipsec vpn load_test_2
mode ike
ike establish-tunnel by-request
ike gateway load_test_2
ike ipsec-policy vpn1_pol1
exit
Включаем DHCP-релей:
ip dhcp-relay
Настраиваем статические маршруты для передачи пакетов через петлевой интерфейс:
ip route 172.31.0.0/21 192.168.7.3 #Маршрут из дефолтного VRF к туннельным IP ТД, которые находятся в VRF ipsec1
ip route 188.237.154.24/31 192.168.7.3 #Маршрут из дефолтного VRF к подсети терминации IPsec в VRF ipsec1
ip route vrf ipsec1 0.0.0.0/0 188.237.154.24 #Маршрут по умолчанию для VRF ipsec1
Включаем механизм управления туннелями softgre:
wireless-controller
nas-ip-address 10.255.0.2
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
Настраиваем прочие параметры:
ip telnet server
...
ip ssh server
...
clock timezone gmt +7
ntp enable
ntp server 101.0.0.24
prefer
exit