First the IPsec tunnel has to be built:
In the branch office:
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=1h name=Kandava pfs-group=none
/ip ipsec peer add address=hq_public_ip auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d local-address=:: nat-traversal=no passive=no policy-template-group=group1 port=500 proposal-check=obey secret=secretphrase send-initial-contact=yes
In the head office:
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=1h name=Kandava pfs-group=none
/ip ipsec peer add address=branch_public_ip auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d local-address=:: nat-traversal=no passive=no policy-template-group=group1 port=500 proposal-check=obey secret=secretphrase send-initial-contact=yes
Next I create the GRE interfaces.
In the branch office:
/interface gre add allow-fast-path=yes clamp-tcp-mss=yes disabled=no dont-fragment=no dscp=inherit !ipsec-secret !keepalive local-address=branch_gre_ip mtu=auto name=gre-tunnel1 remote-address=hq_gre_ip
In the head office:
/interface gre add allow-fast-path=yes clamp-tcp-mss=yes disabled=no dont-fragment=no dscp=inherit !ipsec-secret !keepalive local-address=hq_gre_ip mtu=auto name=gre-tunnel1 remote-address=branch_gre_ip
Next I create the IPsec policy:
In the branch office:
/ip ipsec policy add action=encrypt comment=Kandava disabled=no dst-address=hq_gre_ip dst-port=any ipsec-protocols=esp level=require priority=0 proposal=Kandava protocol=all sa-dst-address=hq_public_ip sa-src-address=branch_public_ip src-address=branch_gre_ip src-port=any tunnel=yes
In the head office:
/ip ipsec policy add action=encrypt comment=Kandava disabled=no dst-address=branch_gre_ip dst-port=any ipsec-protocols=esp level=require priority=0 proposal=Kandava protocol=all sa-dst-address=branch_public_ip sa-src-address=hq_public_ip src-address=hq_gre_ip src-port=any tunnel=yes
All that remains is to add the routes:
In the branch office:
/ip route add dst-address=hq_public_ip gateway=provider_gw_ip !route-tag !routing-mark scope=30 target-scope=10
/ip route add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 dst-address=hq_lan_net gateway=gre-tunnel1 !route-tag !routing-mark scope=30 target-scope=10
/ip route add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 dst-address=0.0.0.0/0 gateway=gre-tunnel1 !route-tag !routing-mark scope=30 target-scope=10
In the head office:
/ip route add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 dst-address=branch_lan_net gateway=gre-tunnel1 !route-tag !routing-mark scope=30 target-scope=10
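The four blocks above (proposal, peer, GRE interface, policy) only work together when the policy's traffic selector covers the GRE endpoints and its SA addresses match the peer, and the parameter choices shown (modp1024, sha1, pfs-group=none) are ones a reviewer would flag today. The following Python script is an added example, not part of the original post and not a MikroTik tool: it parses RouterOS-style `/path add key=value` lines, flags weak or disabled crypto parameters, and cross-checks policy, peer and GRE consistency. The sample inputs are constructed with the post's placeholder names; the hardened variant's values (sha256, aes-256, modp2048) are this example's own assumption, not something the post states.

```python
import shlex

# Constructed sample (not from the post): the branch-side commands, with the
# post's placeholder names standing in for real addresses.
BRANCH_CONFIG = """
/ip ipsec proposal add auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1h name=Kandava pfs-group=none
/ip ipsec peer add address=hq_public_ip auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=aes-128 hash-algorithm=sha1 secret=secretphrase
/interface gre add local-address=branch_gre_ip name=gre-tunnel1 remote-address=hq_gre_ip
/ip ipsec policy add action=encrypt dst-address=hq_gre_ip proposal=Kandava sa-dst-address=hq_public_ip sa-src-address=branch_public_ip src-address=branch_gre_ip tunnel=yes
"""

# The same tunnel with stronger parameters (constructed; assumed values).
HARDENED_CONFIG = """
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=Kandava pfs-group=modp2048
/ip ipsec peer add address=hq_public_ip auth-method=pre-shared-key dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 secret=secretphrase
/interface gre add local-address=branch_gre_ip name=gre-tunnel1 remote-address=hq_gre_ip
/ip ipsec policy add action=encrypt dst-address=hq_gre_ip proposal=Kandava sa-dst-address=hq_public_ip sa-src-address=branch_public_ip src-address=branch_gre_ip tunnel=yes
"""

# Parameter values an auditor should flag. "none" for pfs-group means PFS is
# disabled, so a compromised IKE DH secret exposes every child SA.
WEAK = {
    "dh-group": {"modp768", "modp1024"},
    "pfs-group": {"none", "modp768", "modp1024"},
    "hash-algorithm": {"md5", "sha1"},
    "auth-algorithms": {"null", "md5", "sha1"},
    "enc-algorithm": {"null", "des", "3des", "blowfish"},
    "enc-algorithms": {"null", "des", "3des", "blowfish"},
}


def parse_config(text):
    """Turn '/a b add k=v ...' lines into (path, {k: v}) tuples.

    A bare '!key' token (RouterOS notation for an unset property) is kept as
    key=None so later checks treat it as absent.
    """
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue
        path_parts, params = [], {}
        for tok in shlex.split(line):
            if tok.startswith("!"):
                params[tok[1:]] = None
            elif "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            elif tok != "add":
                path_parts.append(tok)
        entries.append((" ".join(path_parts), params))
    return entries


def audit(entries):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    by_path = {}
    for path, params in entries:
        by_path.setdefault(path, []).append(params)
    peers = by_path.get("/ip ipsec peer", [])
    gres = by_path.get("/interface gre", [])
    proposals = {p.get("name", "default"): p for p in by_path.get("/ip ipsec proposal", [])}

    # 1. Weak or disabled crypto parameters anywhere in the config.
    for path, params in entries:
        for key, bad in WEAK.items():
            value = params.get(key)
            if not value:
                continue
            for algo in value.split(","):  # RouterOS allows comma-separated lists
                if algo in bad:
                    findings.append(f"{path}: {key}={algo} is weak")

    # 2. Each policy must reference a defined proposal, point its SA at a
    #    configured peer, and select exactly the GRE endpoint pair.
    for pol in by_path.get("/ip ipsec policy", []):
        name = pol.get("proposal", "default")
        if name not in proposals:
            findings.append(f"/ip ipsec policy: proposal '{name}' is not defined")
        if not any(peer.get("address") == pol.get("sa-dst-address") for peer in peers):
            findings.append(f"/ip ipsec policy: sa-dst-address={pol.get('sa-dst-address')} matches no peer address")
        if not any(g.get("local-address") == pol.get("src-address")
                   and g.get("remote-address") == pol.get("dst-address") for g in gres):
            findings.append("/ip ipsec policy: src/dst selector matches no GRE local/remote pair")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post's parameters", BRANCH_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(parse_config(cfg)) or ["no findings"]:
            print(" ", finding)
```

Running it prints four findings for the post's parameters (pfs-group=none, auth-algorithms=sha1, dh-group=modp1024, hash-algorithm=sha1) and none for the hardened variant; swapping `sa-dst-address` on either side to a value that matches no peer produces a consistency finding, which is the mistake that leaves the GRE tunnel up but unencrypted or not established at all.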