【华为】IPSec VPN手动配置

张白夕

于 2024-05-06 19:30:50 发布

阅读量918

点赞数 14

分类专栏：软考中级-网络工程师文章标签：华为网络 IPSec VPN 路由器网络安全数据加密

本文链接：https://blog.csdn.net/2301_77161465/article/details/138499915

版权

软考中级-网络工程师专栏收录该内容

10 篇文章 0 订阅

订阅专栏

【华为】IPSec VPN手动配置

拓扑
配置
- ISP - 2
- AR1
- - NAT - Easy IP
  - IPSec VPN
- AR3
- - NAT
  - IPsec VPN
- PC
- 检验
配置文档
- AR1
- AR2

在这里插入图片描述

拓扑

在这里插入图片描述

配置

配置步骤
1、配置IP地址，ISP 路由器用 Lo0 模拟互联网
2、漳州和福州两个出口路由器配置默认路由指向ISP路由器
3、进行 IPsec VPN配置，让两个站点内网互通，同时数据加密

4、IPSec 手动配置步骤
在这里插入图片描述

ISP - 2

[Huawei]sysn ISP-2

[ISP-2]undo info-center enable 
Info: Information center is disabled.

[ISP-2]int g0/0/0
[ISP-2-GigabitEthernet0/0/0]ip address 202.101.12.2 30
[ISP-2-GigabitEthernet0/0/0]QU

[ISP-2]INT g0/0/1

[ISP-2-GigabitEthernet0/0/1]ip address 202.101.23.2 30
[ISP-2-GigabitEthernet0/0/1]qu

[ISP-2]int LoopBack 0
[ISP-2-LoopBack0]ip address 1.1.1.1 32
[ISP-2-LoopBack0]qu

AR1

NAT - Easy IP

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.

[Huawei]sysname AR1

[AR1]undo info-center enable
Info: Information center is disabled.

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 202.101.12.1 30
[AR1-GigabitEthernet0/0/0]qu

[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.10.254 24
[AR1-GigabitEthernet0/0/1]qu

## 高级ACL，要记得把IPSec VPN走得流量先deny掉，这样子VPN才能通信成功
[AR1]acl 3000
## deny掉我漳州分公司内部流量192.168.10.0/24 去往福州总公司192.168.20.0/24 的流量
[AR1-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255     
## 这个就是漳州公司需要上网的流量    
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination any 
[AR1-acl-adv-3000]qu

## 作Easy IP进行上网
[AR1]int g0/0/0	
[AR1-GigabitEthernet0/0/0]nat outbound 3000
[AR1-GigabitEthernet0/0/0]qu

## 配置默认路由指向ISP
[AR1]ip route-static 0.0.0.0 0.0.0.0 202.101.12.2

IPSec VPN

## 匹配上需要走VPN的流量
[AR1]acl number 3001  
[AR1-acl-adv-3001] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 19
2.168.20.0 0.0.0.255  ## 规则5，匹配源为192.168.10.0/24 目的为192.168.20.0/24 的流量
[AR1-acl-adv-3001]quit

[AR1]ipsec proposal zz    ## 创建IPSec 提议，名为“zz”
[AR1-ipsec-proposal-zz]esp authentication-algorithm md5 ## 认证算法采用md5（缺省）
[AR1-ipsec-proposal-zz]esp encryption-algorithm des 	## 加密算法采用des（缺省）
[AR1-ipsec-proposal-zz]encapsulation-mode tunnel        ## 传输方式为tunnel（缺省）
[AR1-ipsec-proposal-zz]quit

[AR1]ipsec policy zhangzhou 1 manual                    ## 配置IPSec策略“zhangzhou”，方式为手动
[AR1-ipsec-policy-manual-zhangzhou-1]security acl 3001  ## 包含ACL 3001
[AR1-ipsec-policy-manual-zhangzhou-1]proposal zz        ## 关联IPSec提议“zz”  
[AR1-ipsec-policy-manual-zhangzhou-1]tunnel local 202.101.12.1 ## 配置隧道本端地址 202.101.12.1
[AR1-ipsec-policy-manual-zhangzhou-1]tunnel remote 202.101.23.1 ## 配置隧道对端地址 202.101.23.1
[AR1-ipsec-policy-manual-zhangzhou-1]sa spi inbound esp 12345   ## 配置入方向的SA编号为12345
[AR1-ipsec-policy-manual-zhangzhou-1]sa string-key inbound esp cipher baixi  ## 配置入方向SA的认证密钥为baixi
[AR1-ipsec-policy-manual-zhangzhou-1]sa spi outbound esp 54321   ## 配置出方向的SA编号为54321
[AR1-ipsec-policy-manual-zhangzhou-1]sa string-key outbound esp cipher baixi  ## 配置出方向的SA认证密钥为baixi

## 在接口下应用IPsec策略“zhangzhou”
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy zhangzhou
[AR1-GigabitEthernet0/0/0]qu

查看IPSec SA
display ipsec sa brief
在这里插入图片描述

AR3

NAT

<Huawei>sys
Enter system view, return user view with Ctrl+Z.

[Huawei] sysname AR3

[AR3] undo info-center enable
Info: Information center is disabled.

[AR3]acl number 3000  
[AR3-acl-adv-3000] rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.
168.10.0 0.0.0.255
[AR3-acl-adv-3000] rule 10 permit ip source 192.168.20.0 0.0.0.255 
[AR3-acl-adv-3000]#quit

[AR3]interface GigabitEthernet0/0/0
[AR3-GigabitEthernet0/0/0] ip address 202.101.23.1 255.255.255.252 
[AR3-GigabitEthernet0/0/0] nat outbound 3000
[AR3-GigabitEthernet0/0/0]quit

[AR3]interface GigabitEthernet0/0/1
[AR3-GigabitEthernet0/0/1] ip address 192.168.20.254 255.255.255.0 
[AR3-GigabitEthernet0/0/1]quit

[AR3]ip route-static 0.0.0.0 0.0.0.0 202.101.23.2

IPsec VPN

[AR3]acl number 3001  
[AR3-acl-adv-3001] rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 19
2.168.10.0 0.0.0.255 
[AR3-acl-adv-3001]quit

[AR3]ipsec proposal fz
[AR3-ipsec-proposal-fz] esp authentication-algorithm md5 
[AR3-ipsec-proposal-fz] esp encryption-algorithm des 	
[AR3-ipsec-proposal-fz] encapsulation-mode tunnel 
[AR3-ipsec-proposal-fz]quit

[AR3]ipsec policy fuzhou 1 manual
[AR3-ipsec-policy-manual-fuzhou-1] security acl 3001
[AR3-ipsec-policy-manual-fuzhou-1] proposal fz
[AR3-ipsec-policy-manual-fuzhou-1] tunnel local 202.101.23.1
[AR3-ipsec-policy-manual-fuzhou-1] tunnel remote 202.101.12.1
[AR3-ipsec-policy-manual-fuzhou-1]sa spi inbound esp 54321
[AR3-ipsec-policy-manual-fuzhou-1]sa string-key inbound esp cipher baixi
[AR3-ipsec-policy-manual-fuzhou-1]sa spi outbound esp 12345
[AR3-ipsec-policy-manual-fuzhou-1]sa string-key outbound esp cipher baixi
[AR3-ipsec-policy-manual-fuzhou-1]qu

[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ipsec policy fuzhou

查看AR3上的IPSec SA表
在这里插入图片描述

PC

在这里插入图片描述

检验

ping 成功啦
在这里插入图片描述
抓包查看
数据也全都进行ESP加密，成功

配置文档

AR1

#
 sysname AR1
#
 undo info-center enable
#
acl number 3000  
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 
 rule 10 permit ip source 192.168.10.0 0.0.0.255 
#
interface GigabitEthernet0/0/0
 ip address 202.101.12.1 255.255.255.252 
 nat outbound 3000
 ipsec policy zhangzhou
#
interface GigabitEthernet0/0/1
 ip address 192.168.10.254 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 202.101.12.2
#
acl number 3001  
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.2
55 
#
ipsec proposal zz
 esp authentication-algorithm md5 
 esp encryption-algorithm des 	
 encapsulation-mode tunnel 
#
ipsec policy zhangzhou 1 manual
 security acl 3001
 proposal zz
 tunnel local 202.101.12.1
 tunnel remote 202.101.23.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher baixi
 sa spi outbound esp 54321
 sa string-key outbound esp cipher baixi
#

AR2

#
 sysname AR3
#
 undo info-center enable
#
acl number 3000  
 rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 
 rule 10 permit ip source 192.168.20.0 0.0.0.255 
#
interface GigabitEthernet0/0/0
 ip address 202.101.23.1 255.255.255.252 
 nat outbound 3000
 ipsec policy fuzhou
#
interface GigabitEthernet0/0/1
 ip address 192.168.20.254 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 202.101.23.2
#
acl number 3001  
 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 
#
ipsec proposal fz
 esp authentication-algorithm md5 
 esp encryption-algorithm des 	
 encapsulation-mode tunnel 
#
ipsec policy fuzhou 1 manual
 security acl 3001
 proposal fz
 tunnel local 202.101.23.1
 tunnel remote 202.101.12.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher baixi
 sa spi outbound esp 12345
 sa string-key outbound esp cipher baixi
#