做商业网站的服务费维护费,南京建筑信息平台,7k7k电脑版网页游戏,aspcms网站地图生成【华为】IPSec VPN手动配置 拓扑配置ISP - 2AR1NAT - Easy IPIPSec VPN AR3NATIPsec VPN PC检验 配置文档AR1AR2 拓扑 配置
配置步骤 1、配置IP地址#xff0c;ISP 路由器用 Lo0 模拟互联网 2、漳州和福州两个出口路由器配置默认路由指向ISP路由器 3、进行 IPsec VPN配置ISP 路由器用 Lo0 模拟互联网 2、漳州和福州两个出口路由器配置默认路由指向ISP路由器 3、进行 IPsec VPN配置让两个站点内网互通同时数据加密
4、IPSec 手动配置步骤
ISP - 2
[Huawei]sysn ISP-2[ISP-2]undo info-center enable
Info: Information center is disabled.[ISP-2]int g0/0/0
[ISP-2-GigabitEthernet0/0/0]ip address 202.101.12.2 30
[ISP-2-GigabitEthernet0/0/0]QU[ISP-2]INT g0/0/1[ISP-2-GigabitEthernet0/0/1]ip address 202.101.23.2 30
[ISP-2-GigabitEthernet0/0/1]qu[ISP-2]int LoopBack 0
[ISP-2-LoopBack0]ip address 1.1.1.1 32
[ISP-2-LoopBack0]quAR1
NAT - Easy IP
Huaweisystem-view
Enter system view, return user view with CtrlZ.[Huawei]sysname AR1[AR1]undo info-center enable
Info: Information center is disabled.[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 202.101.12.1 30
[AR1-GigabitEthernet0/0/0]qu[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.10.254 24
[AR1-GigabitEthernet0/0/1]qu## 高级ACL要记得把IPSec VPN走得流量先deny掉这样子VPN才能通信成功
[AR1]acl 3000
## deny掉我漳州分公司内部流量192.168.10.0/24 去往福州总公司192.168.20.0/24 的流量
[AR1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
## 这个就是漳州公司需要上网的流量
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination any
[AR1-acl-adv-3000]qu## 作Easy IP进行上网
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 3000
[AR1-GigabitEthernet0/0/0]qu## 配置默认路由指向ISP
[AR1]ip route-static 0.0.0.0 0.0.0.0 202.101.12.2IPSec VPN
## 匹配上需要走VPN的流量
[AR1]acl number 3001
[AR1-acl-adv-3001] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 19
2.168.20.0 0.0.0.255 ## 规则5匹配源为192.168.10.0/24 目的为192.168.20.0/24 的流量
[AR1-acl-adv-3001]quit[AR1]ipsec proposal zz ## 创建IPSec 提议名为“zz”
[AR1-ipsec-proposal-zz]esp authentication-algorithm md5 ## 认证算法采用md5缺省
[AR1-ipsec-proposal-zz]esp encryption-algorithm des ## 加密算法采用des缺省
[AR1-ipsec-proposal-zz]encapsulation-mode tunnel ## 传输方式为tunnel缺省
[AR1-ipsec-proposal-zz]quit[AR1]ipsec policy zhangzhou 1 manual ## 配置IPSec策略“zhangzhou”方式为手动
[AR1-ipsec-policy-manual-zhangzhou-1]security acl 3001 ## 包含ACL 3001
[AR1-ipsec-policy-manual-zhangzhou-1]proposal zz ## 关联IPSec提议“zz”
[AR1-ipsec-policy-manual-zhangzhou-1]tunnel local 202.101.12.1 ## 配置隧道本端地址 202.101.12.1
[AR1-ipsec-policy-manual-zhangzhou-1]tunnel remote 202.101.23.1 ## 配置隧道对端地址 202.101.23.1
[AR1-ipsec-policy-manual-zhangzhou-1]sa spi inbound esp 12345 ## 配置入方向的SA编号为12345
[AR1-ipsec-policy-manual-zhangzhou-1]sa string-key inbound esp cipher baixi ## 配置入方向SA的认证密钥为baixi
[AR1-ipsec-policy-manual-zhangzhou-1]sa spi outbound esp 54321 ## 配置出方向的SA编号为54321
[AR1-ipsec-policy-manual-zhangzhou-1]sa string-key outbound esp cipher baixi ## 配置出方向的SA认证密钥为baixi## 在接口下应用IPsec策略“zhangzhou”
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy zhangzhou
[AR1-GigabitEthernet0/0/0]qu查看IPSec SA display ipsec sa brief
AR3
NAT
Huaweisys
Enter system view, return user view with CtrlZ.[Huawei] sysname AR3[AR3] undo info-center enable
Info: Information center is disabled.[AR3]acl number 3000
[AR3-acl-adv-3000] rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.
168.10.0 0.0.0.255
[AR3-acl-adv-3000] rule 10 permit ip source 192.168.20.0 0.0.0.255
[AR3-acl-adv-3000]#quit[AR3]interface GigabitEthernet0/0/0
[AR3-GigabitEthernet0/0/0] ip address 202.101.23.1 255.255.255.252
[AR3-GigabitEthernet0/0/0] nat outbound 3000
[AR3-GigabitEthernet0/0/0]quit[AR3]interface GigabitEthernet0/0/1
[AR3-GigabitEthernet0/0/1] ip address 192.168.20.254 255.255.255.0
[AR3-GigabitEthernet0/0/1]quit[AR3]ip route-static 0.0.0.0 0.0.0.0 202.101.23.2IPsec VPN
[AR3]acl number 3001
[AR3-acl-adv-3001] rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 19
2.168.10.0 0.0.0.255
[AR3-acl-adv-3001]quit[AR3]ipsec proposal fz
[AR3-ipsec-proposal-fz] esp authentication-algorithm md5
[AR3-ipsec-proposal-fz] esp encryption-algorithm des
[AR3-ipsec-proposal-fz] encapsulation-mode tunnel
[AR3-ipsec-proposal-fz]quit[AR3]ipsec policy fuzhou 1 manual
[AR3-ipsec-policy-manual-fuzhou-1] security acl 3001
[AR3-ipsec-policy-manual-fuzhou-1] proposal fz
[AR3-ipsec-policy-manual-fuzhou-1] tunnel local 202.101.23.1
[AR3-ipsec-policy-manual-fuzhou-1] tunnel remote 202.101.12.1
[AR3-ipsec-policy-manual-fuzhou-1]sa spi inbound esp 54321
[AR3-ipsec-policy-manual-fuzhou-1]sa string-key inbound esp cipher baixi
[AR3-ipsec-policy-manual-fuzhou-1]sa spi outbound esp 12345
[AR3-ipsec-policy-manual-fuzhou-1]sa string-key outbound esp cipher baixi
[AR3-ipsec-policy-manual-fuzhou-1]qu[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ipsec policy fuzhou 查看AR3上的IPSec SA表
PC 检验
ping 成功啦 抓包查看 数据也全都进行ESP加密成功
配置文档
AR1
#sysname AR1
#undo info-center enable
#
acl number 3000 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255rule 10 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet0/0/0ip address 202.101.12.1 255.255.255.252 nat outbound 3000ipsec policy zhangzhou
#
interface GigabitEthernet0/0/1ip address 192.168.10.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.12.2
#
acl number 3001 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.2
55
#
ipsec proposal zzesp authentication-algorithm md5 esp encryption-algorithm des encapsulation-mode tunnel
#
ipsec policy zhangzhou 1 manualsecurity acl 3001proposal zztunnel local 202.101.12.1tunnel remote 202.101.23.1sa spi inbound esp 12345sa string-key inbound esp cipher baixisa spi outbound esp 54321sa string-key outbound esp cipher baixi
#AR2
#sysname AR3
#undo info-center enable
#
acl number 3000 rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255rule 10 permit ip source 192.168.20.0 0.0.0.255
#
interface GigabitEthernet0/0/0ip address 202.101.23.1 255.255.255.252 nat outbound 3000ipsec policy fuzhou
#
interface GigabitEthernet0/0/1ip address 192.168.20.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.23.2
#
acl number 3001 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec proposal fzesp authentication-algorithm md5 esp encryption-algorithm des encapsulation-mode tunnel
#
ipsec policy fuzhou 1 manualsecurity acl 3001proposal fztunnel local 202.101.23.1tunnel remote 202.101.12.1sa spi inbound esp 54321sa string-key inbound esp cipher baixisa spi outbound esp 12345sa string-key outbound esp cipher baixi
#
