HUB
#
# ===============================
# 1. Basic interface configuration (WAN port, loopback, ADVPN tunnel)
# ===============================
interface GigabitEthernet2/0 # Physical WAN-facing interface Gi2/0
port link-mode route # Operate the port as a Layer-3 (routed) interface
ipv6 address 2001:1::2/64 # WAN-side IPv6 address; VAM clients (hub and spokes) use this address as the VAM server address
#
interface LoopBack0 # Loopback interface
ipv6 address 1::1/128 # Loopback IPv6 host address. NOTE(review): an OSPFv3 router ID is a 32-bit value, so this address does not become the router ID by itself; the spoke sets "router-id" explicitly and the hub's "ospfv3 1" process view is not shown here — confirm a router ID is configured
ospfv3 1 area 0.0.0.0 # Enable OSPFv3 process 1, area 0 on the loopback
#
interface Tunnel1 # ADVPN tunnel interface (GRE over IPv6)
mode advpn gre ipv6 # Tunnel mode: ADVPN, GRE encapsulation, IPv6 transport
source GigabitEthernet2/0 # Outer (tunnel source) address is taken from Gi2/0
ipv6 address 2001:123::1/64 # Inner (private) IPv6 address of the hub; the same address is declared as "hub ipv6 private-address" in the VAM server section
ospfv3 1 area 0.0.0.0 # Enable OSPFv3 process 1, area 0 over the tunnel so hub and spokes exchange routes
tunnel protection ipsec profile ADVPN # Encrypt tunnel traffic with IPsec profile "ADVPN" (the profile's transform set currently uses DES-CBC — see the IPsec section)
vam ipv6 client HUB # Bind this tunnel to VAM client "HUB", which registers the tunnel with the VAM server
#
# ===============================
# 2. Routing configuration
# ===============================
ipv6 route-static :: 0 2001:1::1 # Default IPv6 route (::/0) via 2001:1::1, the WAN gateway on the Gi2/0 subnet; spoke public addresses are reached over this path
#
# ===============================
# 3. Local users and authentication (VAM/ADVPN credentials)
# ===============================
local-user HUB class network # Network-access local user "HUB", used by the hub's own VAM client to authenticate
password cipher HUB # Password in "cipher" form. NOTE(review): "HUB" is not a real cipher string — this is a placeholder or a sanitized dump; on the device the password is entered with "password simple" and the stored form is generated by the system
service-type advpn # The account may only be used for the ADVPN (VAM) service
authorization-attribute user-role network-operator # Role granted to the account on authentication
#
local-user SPOKE1 class network # Network-access local user "SPOKE1", the credential spoke SPOKE1 presents to the VAM server
password simple SPOKE1 # SECURITY: password entered in clear text and equal to the username — trivially guessable. The original annotation claiming an "encrypted password" was wrong. Replace with a strong, unique secret before deployment
service-type advpn # ADVPN (VAM) service only
authorization-attribute user-role network-operator # Role granted on authentication
#
local-user SPOKE2 class network # Network-access local user "SPOKE2" (no SPOKE2 configuration appears in this listing)
password simple SPOKE2 # SECURITY: clear-text password equal to the username — same issue as SPOKE1; replace with a strong, unique secret
service-type advpn # ADVPN (VAM) service only
authorization-attribute user-role network-operator # Role granted on authentication
#
# ===============================
# 4. IPsec and IKE configuration (tunnel protection)
# ===============================
ipsec transform-set ADVPN # IPsec transform set "ADVPN": the ESP algorithms negotiated for the tunnel
encapsulation-mode transport # Transport mode: ESP protects the GRE packets between the tunnel endpoints without adding another outer IP header
esp encryption-algorithm des-cbc # SECURITY: single DES (56-bit key) is cryptographically broken and must not protect a VPN. Move to aes-cbc-256 (or an AES-GCM transform if the platform offers it). The transform set must match on hub and spokes, so change both sides together
esp authentication-algorithm sha1 # ESP integrity: HMAC-SHA1. Prefer sha256; must also match the spokes' transform set
#
ipsec profile ADVPN isakmp # IPsec profile "ADVPN" with IKE (ISAKMP) key negotiation; referenced by "tunnel protection" on Tunnel1
transform-set ADVPN # Use transform set "ADVPN"
ike-profile ADVPN # Use IKE profile "ADVPN" for the IKE negotiation
#
ike profile ADVPN # IKE profile "ADVPN". NOTE(review): no "match remote identity" and no IKE proposal appear in this listing, so peer selection relies solely on the keychain below and IKE algorithms fall back to device defaults — confirm this is intended or add explicit identity matching and a modern proposal
keychain ADVPN # Look up pre-shared keys in IKE keychain "ADVPN"
#
ike keychain ADVPN # IKE keychain "ADVPN"
pre-shared-key address ipv6 :: 0 key simple ADVPN # SECURITY: pre-shared key "ADVPN" for ANY IPv6 peer (::/0), entered in clear text ("simple"); the original annotation claiming encrypted storage was wrong. Combined with the wildcard peer, any host that learns this guessable key can negotiate IKE with the hub. Restrict the peer address range where possible and use a strong key
#
# ===============================
# 5. ADVPN domain and VAM (client and server) configuration
# ===============================
domain advpn # ISP (AAA) domain "advpn" used to authenticate ADVPN users
authentication advpn local # Authenticate ADVPN (VAM) users against the local-user database (the HUB/SPOKE1/SPOKE2 accounts above)
#
domain default enable advpn # Make "advpn" the default ISP domain, so usernames without a domain suffix are authenticated in it
#
vam client name HUB # VAM client "HUB": the hub registers with its own VAM server
advpn-domain ADVPN # ADVPN domain "ADVPN"; matches the VAM server below
server primary ipv6-address 2001:1::2 # Primary VAM server address = this hub's own WAN address on Gi2/0
pre-shared-key cipher ADVPN # Client-side VAM pre-shared key. NOTE(review): the VAM server below shows "HUB" and the spoke shows "ADVPN"; the VAM PSK must be the same on server and every client, so at least one of these values is wrong or a sanitized placeholder — verify on the device
user HUB password cipher HUB # Credentials presented to the VAM server; correspond to local-user HUB (see the note there about the placeholder cipher text)
client enable # Activate the VAM client
#
vam server advpn-domain ADVPN id 1 # VAM server for ADVPN domain "ADVPN", server ID 1
pre-shared-key cipher HUB # Server-side VAM pre-shared key (see the mismatch note on the client key above)
server enable # Activate the VAM server
hub-group HUB # Hub group "HUB"
hub ipv6 private-address 2001:123::1 # Private (tunnel) address of the hub, i.e. Tunnel1's address
spoke ipv6 private-address range 2001:123:: 2001:123::FFFF:FFFF:FFFF:FFFF # Tunnel addresses in this range are classified as spokes of this hub group; the range spans all of 2001:123::/64 and therefore also contains the hub address above
#
Spoke (SPOKE1; only the ADVPN-relevant commands are listed — WAN interface, default route and transform set are not shown)
ospfv3 1 # OSPFv3 process 1
router-id 10.10.10.10 # Explicit 32-bit router ID (OSPFv3 cannot derive one from IPv6 addresses)
segment-routing ipv6 locator Spoke1 # SRv6 locator "Spoke1" bound to this process. NOTE(review): the locator is not defined anywhere in this listing — verify it exists on the spoke
area 0.0.0.0 # Backbone area
interface Tunnel1 mode advpn gre ipv6 # ADVPN tunnel interface, GRE over IPv6
ospfv3 1 area 0.0.0.0 # Enable OSPFv3 process 1, area 0 over the tunnel toward the hub
source GigabitEthernet2/0 # Outer (tunnel source) address taken from the spoke's WAN port
ipv6 address 2001:123::2/64 # Inner (private) address, inside the hub's spoke private-address range
tunnel protection ipsec profile ADVPN # Encrypt tunnel traffic with IPsec profile "ADVPN"
vam ipv6 client SPOKE1 # Bind the tunnel to VAM client "SPOKE1"
ipsec profile ADVPN isakmp # IPsec profile "ADVPN" with IKE key negotiation
transform-set ADVPN # References transform set "ADVPN", which is not defined in this spoke listing; it must match the hub's set (currently des-cbc/sha1 there — upgrade hub and spoke together)
ike-profile ADVPN # IKE profile for the negotiation
ike profile ADVPN # IKE profile "ADVPN" (no identity match or proposal shown — same caveat as on the hub)
keychain ADVPN # Pre-shared keys come from keychain "ADVPN"
ike keychain ADVPN # IKE keychain "ADVPN"
pre-shared-key address ipv6 :: 0 key simple ADVPN # SECURITY: same wildcard-peer (::/0), clear-text, guessable key as the hub; restrict the peer to the hub's WAN address and use a strong key
vam client name SPOKE1 # VAM client "SPOKE1"
advpn-domain ADVPN # ADVPN domain "ADVPN", matching the hub's VAM server
server primary ipv6-address 2001:1::2 # VAM server = the hub's WAN address
pre-shared-key simple ADVPN # VAM pre-shared key in clear text; must equal the server's key (the hub server shows "HUB" — mismatch or placeholder, verify)
user SPOKE1 password simple SPOKE1 # SECURITY: clear-text VAM credentials equal to the username; must match local-user SPOKE1 on the hub and should be replaced with a strong secret on both ends
client enable # Activate the VAM client