H3C Firewall IPsec Command-Line Configuration

IPsec Configuration

This configuration uses IKE to negotiate the IPsec SAs automatically; IKE runs in main mode, the security protocol is ESP, and the encapsulation mode is tunnel mode.

  • Configure the interesting traffic (the flows to be protected)
[H3C]acl advanced 3001
# Local subnet 172.16.0.0/21 to remote subnet 172.16.8.0/22 (wildcard masks)
[H3C-acl-ipv4-adv-3001]rule 0 permit ip source 172.16.0.0 0.0.7.255 destination 172.16.8.0 0.0.3.255
[H3C-acl-ipv4-adv-3001]description ipsecvpn
[H3C-acl-ipv4-adv-3001]quit
  • Create the IKE proposal
# Create IKE proposal 1
[H3C]ike proposal 1
# Encryption algorithm: aes-cbc-128
[H3C-ike-proposal-1]encryption-algorithm aes-cbc-128
# Authentication (integrity) algorithm: sha
[H3C-ike-proposal-1]authentication-algorithm sha
# Authentication method: pre-shared key
[H3C-ike-proposal-1]authentication-method pre-share
# DH group 2 (the Comware keyword is written without a space)
[H3C-ike-proposal-1]dh group2
# IKE SA lifetime: 3600 seconds
[H3C-ike-proposal-1]sa duration 3600
[H3C-ike-proposal-1]quit
  • Create the IKE keychain (pre-shared key)
# Create the pre-shared key
[H3C]ike keychain key1
# Specify the peer address and set the key to 123456
[H3C-ike-keychain-key1]pre-shared-key address 100.2.2.2 255.255.255.0 key simple 123456
[H3C-ike-keychain-key1]quit
  • Create the IKE profile
# Create profile p1
[H3C]ike profile p1
# Specify the keychain to use
[H3C-ike-profile-p1]keychain key1
# Identify the local end by its IP address
[H3C-ike-profile-p1]local-identity address 100.1.1.1
# Restrict the scope of this profile to the local address
[H3C-ike-profile-p1]match local address 100.1.1.1
# Match the peer's identity by IP address
[H3C-ike-profile-p1]match remote identity address 100.2.2.2 255.255.255.0
# Specify the IKE proposal to use
[H3C-ike-profile-p1]proposal 1
[H3C-ike-profile-p1]quit
  • Create the IPsec transform-set
# Create IPsec transform-set tran1
[H3C]ipsec transform-set tran1
# ESP encryption algorithm
[H3C-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
# ESP authentication algorithm
[H3C-ipsec-transform-set-tran1]esp authentication-algorithm sha1
# Security protocol: ESP
[H3C-ipsec-transform-set-tran1]protocol esp
# Encapsulation mode: tunnel
[H3C-ipsec-transform-set-tran1]encapsulation-mode tunnel
[H3C-ipsec-transform-set-tran1]quit
  • Create the IPsec policy
# Create the IPsec policy (IKE-negotiated)
[H3C]ipsec policy policy1 1 isakmp
# Reference the transform-set
[H3C-ipsec-policy-isakmp-policy1-1]transform-set tran1
# Reference the interesting-traffic ACL
[H3C-ipsec-policy-isakmp-policy1-1]security acl 3001
# Local tunnel endpoint address
[H3C-ipsec-policy-isakmp-policy1-1]local-address 100.1.1.1
# Remote tunnel endpoint address
[H3C-ipsec-policy-isakmp-policy1-1]remote-address 100.2.2.2
# IKE profile referenced by this IPsec policy
[H3C-ipsec-policy-isakmp-policy1-1]ike-profile p1
[H3C-ipsec-policy-isakmp-policy1-1]description ipsecvpn
[H3C-ipsec-policy-isakmp-policy1-1]quit
  • Apply the IPsec policy on the interface
[H3C]interface GigabitEthernet0/1
# Apply the IPsec policy
[H3C-GigabitEthernet0/1]ipsec apply policy policy1
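The keychain, IKE profile and IPsec policy above only work together when their addresses agree: the policy's remote-address must fall inside the keychain's pre-shared-key address/mask and the profile's remote identity match, and the profile's local-identity must equal the policy's local-address. The checker below is an added example written for this article (not H3C tooling); it parses a constructed copy of this page's configuration with the CLI prompts removed and each view's commands indented, and also reports a key entered with `key simple`, which the device stores and displays in plaintext.

```python
from ipaddress import ip_address, ip_network
# Constructed sample: this page's keychain, profile and policy views, prompts removed, commands indented.
PAGE_CONFIG = """\
ike keychain key1
 pre-shared-key address 100.2.2.2 255.255.255.0 key simple 123456
ike profile p1
 keychain key1
 local-identity address 100.1.1.1
 match remote identity address 100.2.2.2 255.255.255.0
ipsec policy policy1 1 isakmp
 local-address 100.1.1.1
 remote-address 100.2.2.2
 ike-profile p1
"""
VIEWS = ("ike keychain", "ike profile", "ipsec policy")

def parse(text):
    # Map (view kind, name) -> list of commands entered in that view, e.g. ("ike profile", "p1").
    views, cur = {}, None
    for line in text.splitlines():
        kind = next((v for v in VIEWS if line.startswith(v)), None)
        if kind:  # a command that opens a view we model
            cur = (kind, line[len(kind):].split()[0])
            views[cur] = []
        elif line.startswith(" ") and cur:
            views[cur].append(line.strip())
        else:
            cur = None  # blank line or a view this checker does not model
    return views

def arg(cmds, prefix):
    # Argument words of the first command in cmds that starts with prefix, else None.
    return next((c[len(prefix):].split() for c in cmds if c.startswith(prefix)), None)

def covers(words, peer):
    # True when an "<address> <mask> ..." argument list includes the peer address.
    return bool(words) and peer in ip_network(f"{words[0]}/{words[1]}", strict=False)

def check(text):
    # Findings where a policy's profile or keychain disagree with its addresses, or the PSK is plaintext.
    views, out = parse(text), []
    for (kind, name), cmds in views.items():
        if kind == "ipsec policy":  # every policy on this page sets both tunnel addresses
            local, peer = arg(cmds, "local-address ")[0], ip_address(arg(cmds, "remote-address ")[0])
            prof = views.get(("ike profile", (arg(cmds, "ike-profile ") or ["?"])[0]), [])
            if arg(prof, "local-identity address ") != [local]:
                out.append(f"{name}: ike profile local-identity differs from local-address {local}")
            if not covers(arg(prof, "match remote identity address "), peer):
                out.append(f"{name}: ike profile does not match remote identity {peer}")
            psk = arg(views.get(("ike keychain", (arg(prof, "keychain ") or ["?"])[0]), []), "pre-shared-key address ")
            if not covers(psk, peer):
                out.append(f"{name}: keychain has no pre-shared key for peer {peer}")
            elif "simple" in psk:
                out.append(f"{name}: pre-shared key entered with 'key simple' (stored in plaintext)")
    return out
```

Run `check(PAGE_CONFIG)` against the page's values and the only finding is the plaintext key; change the policy's remote-address and both the profile match and the keychain lookup are reported.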
posted @ 2023-10-24 09:27  wanghongwei-dev