IPsec configuration
https://support.huawei.com/enterprise/zh/doc/EDOC0000707956/f3afe57a
Note: the pfs dh-group2 command must be consistent with the DH group, otherwise the ACL only takes effect for its first entry. PFS is negotiated in phase 2 and has to be set to the same group on both peers; dh-group2 is 1024-bit MODP, so prefer dh-group14 or higher wherever both ends support it.
Note: exchange-mode auto; pay attention to the negotiation mode. exchange-mode (main | aggressive | auto) is set in the ike peer view, not in the ike proposal. Aggressive mode sends the peer identity and a PSK-derived hash unencrypted, which allows offline cracking of the pre-shared key, so keep main mode unless a peer has a dynamic address and has to identify itself by name.
#
ipsec proposal y1 //IPsec proposal y1
esp authentication-algorithm sha1 //legacy choice; the branch/headquarters configurations below use sha2-256
esp encryption-algorithm aes-128
#
ike proposal 2
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike1 //peer ike1
undo version 2 //IKEv2 disabled, so only IKEv1 is negotiated
ike-proposal 2 //IKE proposal 2 (1-4)
pre-shared-key cipher xxx
remote-address 2.1.1.1 //remote address
#
ipsec policy-template x2 //policy template x2; a template entry can only respond to a negotiation, it never initiates one
security acl 3001 //traffic to encrypt: acl 3001
ike-peer ike1 //peer ike1
proposal y1 //IPsec proposal y1
#
ipsec policy x1 1 isakmp template x2 //policy x1 references policy template x2
#
interface GigabitEthernet0/0/1
ipsec policy x1 //apply policy x1 on the interface
One-to-many: A and B are branch offices, C is the headquarters.
RouterA configuration file
#
sysname RouterA
#
acl number 3002
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer rut1
undo version 2
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
ike-proposal 5
remote-address 60.1.3.1
#
ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1
#
interface GigabitEthernet0/0/1
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/2
ip address 192.168.1.2 255.255.255.0
#
ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
#
return
RouterB configuration file
#
sysname RouterB
#
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer rut1
undo version 2
exchange-mode auto //negotiation mode is an ike peer view command, not an ike proposal command
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
remote-address 60.1.3.1
#
ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1
#
interface GigabitEthernet0/0/1
ip address 60.1.2.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/2
ip address 192.168.2.2 255.255.255.0
#
ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
ip route-static 192.168.3.0 255.255.255.0 60.1.2.2
#
return
RouterC configuration file
#
sysname RouterC
#
acl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3003
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer rut1
undo version 2
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
ike-proposal 5
remote-address 60.1.1.1
#
ike peer rut2
undo version 2
pre-shared-key cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%#
ike-proposal 5
remote-address 60.1.2.1
#
ipsec policy policy1 10 isakmp
pfs dh-group2 //PFS groups must match on both ends: configure the same pfs command under policy1 10 on RouterA, and prefer dh-group14 to a 1024-bit group
security acl 3002
ike-peer rut1
proposal tran1
ipsec policy policy1 11 isakmp
security acl 3003
ike-peer rut2
proposal tran1
#
interface GigabitEthernet0/0/1
ip address 60.1.3.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/2
ip address 192.168.3.2 255.255.255.0
#
ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
ip route-static 192.168.2.0 255.255.255.0 60.1.3.2
#
return
Verify on each router with display ike sa (phase 1) and display ipsec sa (phase 2); a missing phase 2 SA for one branch while the other works is the symptom of a PFS or ACL mismatch on that entry.
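To catch the two pitfalls from the notes at the top (a PFS group present on one end only, and the negotiation mode) before a tunnel is brought up, the script below cross-checks both ends of one tunnel from their VRP configuration text. It is an added example, not code from this page or from Huawei; the two configs inside it are constructed to mirror the RouterA/RouterC pair above, trimmed to the views that drive the negotiation. It assumes that views are separated by lines holding only `#`, that the IKEv1 exchange mode defaults to main when none is configured, and that DH groups 1, 2 and 5 should be reported as weak.

```python
"""Cross-check both ends of a Huawei VRP IPsec tunnel before bringing it up."""
import re

# Constructed sample configs (branch = RouterA role, hub = RouterC role), trimmed to the
# views that drive IKE/IPsec negotiation; not real device output.
BRANCH = """\
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
ike peer rut1
 ike-proposal 5
 remote-address 60.1.3.1
#
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
"""
HUB = """\
acl number 3002
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
ike peer rut1
 exchange-mode aggressive
 ike-proposal 5
 remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp
 pfs dh-group2
 security acl 3002
 ike-peer rut1
"""
WEAK_DH = {"group1", "group2", "group5", "dh-group1", "dh-group2", "dh-group5"}  # below 2048-bit

def parse_views(text):
    """{view header: [sub-commands]}; VRP separates views with lines holding only '#'."""
    views = {}
    for chunk in re.split(r"^#\s*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            views[lines[0]] = lines[1:]
    return views

def value(lines, prefix):
    """Argument of the first sub-command that starts with `prefix`, else None."""
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def tunnel(views, policy):
    """Resolve one 'ipsec policy ... isakmp' entry into the parameters it will negotiate."""
    peer = views.get("ike peer " + (value(policy, "ike-peer") or ""), [])
    prop = views.get("ike proposal " + (value(peer, "ike-proposal") or ""), [])
    acl = views.get("acl number " + (value(policy, "security acl") or ""), [])
    return {"remote": value(peer, "remote-address"), "pfs": value(policy, "pfs"),
            "exchange": value(peer, "exchange-mode") or "main",  # assumed VRP default: main mode
            "dh": value(prop, "dh"), "enc": value(prop, "encryption-algorithm"),
            "auth": value(prop, "authentication-algorithm"),
            "flows": set(re.findall(r"source (\S+ \S+) destination (\S+ \S+)", "\n".join(acl)))}

def entries(views):
    """All 'ipsec policy <name> <seq> isakmp' views of one device, resolved."""
    return {h: tunnel(views, p) for h, p in views.items()
            if h.startswith("ipsec policy ") and h.endswith(" isakmp")}

def audit(local_text, local_ip, remote_text, remote_ip):
    """Findings for each local policy entry aimed at remote_ip, against the remote entry aimed back."""
    findings = []
    theirs = [t for t in entries(parse_views(remote_text)).values() if t["remote"] == local_ip]
    for hdr, me in entries(parse_views(local_text)).items():
        if me["remote"] != remote_ip:
            continue  # belongs to some other tunnel
        if not theirs:
            findings.append(f"{hdr}: no entry on {remote_ip} has remote-address {local_ip}")
            continue
        them = theirs[0]
        for k in ("pfs", "dh", "enc", "auth"):  # both ends must offer identical values
            if me[k] != them[k]:
                findings.append(f"{hdr}: {k} mismatch, local={me[k]} remote={them[k]}")
        if me["flows"] != {(d, s) for s, d in them["flows"]}:
            findings.append(f"{hdr}: security ACL is not the mirror image of the remote ACL")
        for side, t in (("local", me), ("remote", them)):
            if t["dh"] in WEAK_DH or t["pfs"] in WEAK_DH:
                findings.append(f"{hdr}: {side} offers a DH group below group14")
            if t["exchange"] == "aggressive":
                findings.append(f"{hdr}: {side} uses aggressive mode (ID and PSK-derived hash unencrypted)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BRANCH, "60.1.1.1", HUB, "60.1.3.1")) or "no findings")
```

Run as a script it reports the PFS mismatch, the weak PFS group on the hub and the aggressive mode for the sample pair; to audit a real tunnel, paste the two devices' `display current-configuration` output in place of the samples and pass the public addresses of both routers. RouterB is audited against the hub the same way with its own address pair.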