H3C-V7-IpSec

一：目的：100.1.1.1与200.1.1.2建立ipsec隧道。

二：配置基本命令

1 配置acl ：

[MSR_1]acl advanced 3400

[MSR_1]rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

[MSR_1]rule 6 permit ip source 192.168.0.0 0.0.0.255

[MSR_1]acl advanced 3000

[MSR_1-acl-ipv4-adv-3000]rule permit ip source 192.168.0.1 0 destination 10.0.0.1 0

2创建IPsec安全提议

[MSR_1]ipsec transform-set tran

[MSR_1-ipsec-transform-set-tran]encapsulation-mode tunnel

[MSR_1-ipsec-transform-set-tran]protocol esp

[MSR_1-ipsec-transform-set-tran]esp encryption-algorithm aes-cbc-128

[MSR_1-ipsec-transform-set-tran]esp authentication-algorithm sha1

 

3创建IKE keychain

[MSR_1]ike keychain test

[MSR_1-ike-keychain-test]pre-shared-key address 200.1.1.2 255.255.255.0 key simple 123456

 

4创建IKE提议

[MSR_1]ike proposal 100

[MSR_1-ike-proposal-100]encryption-algorithm 3des-cbc

[MSR_1-ike-proposal-100]authentication-method pre-share

[MSR_1-ike-proposal-100]authentication-algorithm md5

[MSR_1-ike-proposal-100]dh group1

 

5创建IKE profile

[MSR_1]ike profile profile1

[MSR_1-ike-profile-profile1]keychain test

[MSR_1-ike-profile-profile1]local-identity address 100.1.1.1

[MSR_1-ike-profile-profile1]match remote identity address 200.1.1.2 255.255.255.0

[MSR_1-ike-profile-profile1]proposal 100

[MSR_1-ike-profile-profile1]exchange-mode main

 6创建一条IKE协商方式的IPsec安全策略

[MSR_1]ipsec policy test 10 isakmp

[MSR_1-ipsec-policy-isakmp-test-10]remote-address 200.1.1.2

[MSR_1-ipsec-policy-isakmp-test-10]security acl 3000

[MSR_1-ipsec-policy-isakmp-test-10]transform-set tran

[MSR_1-ipsec-policy-isakmp-test-10]ike-profile profile1

7接口应用：

[MSR_1]int g0/0

[MSR_1-GigabitEthernet0/0]ipsec apply policy test

[MSR_1-GigabitEthernet0/0]nat outbound 3400

8路由：

ip route-static 10.0.0.0 255.255.255.0 GigabitEthernet 0/0 200.1.1.2