Huawei IPSec basic configuration - eNSP
Topology:
Detailed configuration (router interconnection configuration omitted):
Preparation: configure connectivity between the sites
Switch_A:
dhcp enable
vlan batch 8 9 16 to 18
interface Vlanif1
 ip address 192.168.0.2 255.255.255.0
interface Vlanif18
 ip address 192.168.18.1 255.255.255.0
 dhcp select global
ip pool 18
 gateway-list 192.168.18.1
 network 192.168.18.0 mask 255.255.255.0
 excluded-ip-address 192.168.18.2 192.168.18.100
 dns-list 202.96.128.86
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 18
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
Switch_B:
dhcp enable
vlan batch 8 9 16 to 18
interface Vlanif1
 ip address 192.168.9.10 255.255.255.0
 dhcp select global
ip pool 9
 gateway-list 192.168.9.10
 network 192.168.9.0 mask 255.255.255.0
 excluded-ip-address 192.168.9.2 192.168.9.9
 excluded-ip-address 192.168.9.10 192.168.9.50
 dns-list 202.96.128.86
ip route-static 0.0.0.0 0.0.0.0 192.168.9.1
Phase 1 configuration
IKE proposal (referenced by both IKE peers below):
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 authentication-method pre-share
 sa duration 1200
IKE peer:
AR1:
ike peer 1 v2
 pre-shared-key simple khb123456
 ike-proposal 1
 remote-address 172.10.100.1
AR2:
ike peer 1 v2
 pre-shared-key simple khb123456
 ike-proposal 1
 remote-address 10.10.100.1
Phase 2 configuration
Interesting traffic (ACL):
R_总部 (headquarters router):
acl number 3000
 rule 1 permit ip source 192.168.18.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
R_分部 (branch router):
acl number 3000
 rule 1 permit ip source 192.168.9.0 0.0.0.255 destination 192.168.18.0 0.0.0.255
IPSec proposal:
AR1:
ipsec proposal 1
 encapsulation-mode tunnel
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
AR2:
ipsec proposal 1
 encapsulation-mode tunnel
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
IPSec policy:
AR1:
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
AR2:
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
Apply the IPSec policy to the interface:
AR1:
interface GigabitEthernet0/0/1
 ipsec policy 1
AR2:
interface GigabitEthernet0/0/1
 ipsec policy 1
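As an added check that is not part of the original post: the configuration above only works when the two sides are mirror images of each other (the ACLs swap source and destination, and the IKE and IPSec proposals match), and two of its choices, 3DES with MD5 and pre-shared-key simple (which stores the key in clear text in the configuration), are settings a practitioner would want flagged before using this outside a lab. The Python script below parses configuration text in the format shown on this page, checks both peers for consistency, and reports weak algorithms and plaintext keys. The embedded AR1/AR2 snippets are constructed from the page; the weak-algorithm list is my own, and the hardened snippet uses the AES/SHA-2 keyword names (aes-cbc-256, sha2-256, aes-256, pre-shared-key cipher) as I know them on AR-series routers, which should be verified against the command reference for the platform in use.

```python
"""Consistency and weak-setting audit for a pair of Huawei VRP IPSec configs.

Added example, not part of the original post. It parses configuration text in
the format shown on the page. The snippets below are constructed from the page;
WEAK_ALGORITHMS and the hardened variant are my own choices.
"""
import re

# Constructed from the AR1-side configuration shown on the page.
AR1_CONFIG = """
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer 1 v2
 pre-shared-key simple khb123456
 remote-address 172.10.100.1
acl number 3000
 rule 1 permit ip source 192.168.18.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
ipsec proposal 1
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
"""

# Constructed from the AR2-side configuration shown on the page.
AR2_CONFIG = """
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer 1 v2
 pre-shared-key simple khb123456
 remote-address 10.10.100.1
acl number 3000
 rule 1 permit ip source 192.168.9.0 0.0.0.255 destination 192.168.18.0 0.0.0.255
ipsec proposal 1
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
"""

# Hardened variant of the AR1 side (assumption: AES/SHA-2 keyword names as on
# AR-series routers; the cipher key value is a placeholder, not a real key).
HARDENED_AR1_CONFIG = """
ike proposal 1
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha2-256
ike peer 1 v2
 pre-shared-key cipher PLACEHOLDER_KEY
 remote-address 172.10.100.1
acl number 3000
 rule 1 permit ip source 192.168.18.0 0.0.0.255 destination 192.168.9.0 0.0.0.255
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""

# Algorithms to flag (my list for this example; adjust to local policy).
WEAK_ALGORITHMS = {"des", "des-cbc", "3des", "3des-cbc", "md5", "sha1"}

ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
ALGORITHM = re.compile(
    r"^\s*(?:esp )?(encryption-algorithm|authentication-algorithm) (\S+)", re.M)


def parse_acl_rules(config):
    """(source, wildcard, destination, wildcard) for each permit rule in the config."""
    return [m.groups() for m in ACL_RULE.finditer(config)]


def acls_are_mirrored(cfg_a, cfg_b):
    """True when every rule on A appears on B with source and destination swapped."""
    rules_a = parse_acl_rules(cfg_a)
    mirrored = {(dst, dst_wc, src, src_wc) for src, src_wc, dst, dst_wc in rules_a}
    return bool(rules_a) and mirrored == set(parse_acl_rules(cfg_b))


def algorithms(config):
    """(keyword, algorithm) pairs from the IKE and IPSec proposals, in config order."""
    return ALGORITHM.findall(config)


def weak_algorithms(config):
    """Sorted list of algorithms in the config that are in WEAK_ALGORITHMS."""
    return sorted({alg for _, alg in algorithms(config) if alg in WEAK_ALGORITHMS})


def plaintext_psk(config):
    """True if a pre-shared key is stored with 'simple' (clear text in the config)."""
    return re.search(r"pre-shared-key simple ", config) is not None


def audit(cfg_a, cfg_b):
    """Findings for the pair: peer mismatches first, then per-device weak settings."""
    findings = []
    if not acls_are_mirrored(cfg_a, cfg_b):
        findings.append("ACL rules are not mirror images")
    if algorithms(cfg_a) != algorithms(cfg_b):
        findings.append("proposal algorithms differ between peers")
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        weak = weak_algorithms(cfg)
        if weak:
            findings.append(f"{name}: weak algorithms {weak}")
        if plaintext_psk(cfg):
            findings.append(f"{name}: pre-shared key stored in plaintext (simple)")
    return findings


if __name__ == "__main__":
    for line in audit(AR1_CONFIG, AR2_CONFIG) or ["no findings"]:
        print(line)
```

Run against the page's own AR1/AR2 pair the script reports no mismatch but four weak-setting findings (weak algorithms and a plaintext key on each side); hardening only one side makes the "proposal algorithms differ between peers" mismatch appear, which is the same failure you would otherwise only discover when phase 1 negotiation fails.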
Verify phase 1:
dis ike sa v2
Verify phase 2:
dis ipsec sa brief
Packet capture: