IPsec+IKE lab
Lab topology
Lab requirements
1. Build the lab topology as shown, change the device names, and configure the IP addresses given in the diagram.
2. Configure routing on the public-network portion so that the public network is reachable end to end.
3. Configure an IPsec VPN between RTA and RTB, using IKE with a pre-shared key and tunnel mode.
4. Verify the result.
Lab steps
1. Build the topology, change the device names and configure IP addresses
Change the device names and configure the IP addresses
Beijing headquarters IP addressing
Chengdu branch IP addressing
RT1
[RT1-GigabitEthernet0/0]ip address 192.168.10.254 24
[RT1-GigabitEthernet0/0]int g0/1
[RT1-GigabitEthernet0/1]ip address 100.1.1.1 30
Public-network router (G)
[G-GigabitEthernet0/0]ip address 100.1.1.2 30
[G-GigabitEthernet0/0]int g0/1
[G-GigabitEthernet0/1]ip address 100.2.2.2 30
RT3
[RT3-GigabitEthernet0/0]ip address 100.2.2.1 30
[RT3-GigabitEthernet0/0]int g0/1
[RT3-GigabitEthernet0/1]ip address 192.168.20.254 24
2. Configure a default route on RTA and RTB, both pointing at the public-network router, so that the public-network segments can reach each other
[RT1]ip route-static 0.0.0.0 0 100.1.1.2
[RT3]ip route-static 0.0.0.0 0 100.2.2.2
3. Configure the IPsec VPN on RTA and RTB
RT1
IKE configuration
[RT1]ike keychain keychain1
[RT1-ike-keychain-keychain1]pre-shared-key address 100.2.2.1 key simple h3c
[RT1-ike-keychain-keychain1]quit
[RT1]ike proposal 1
[RT1-ike-proposal-1]quit
[RT1]ike profile profile1
[RT1-ike-profile-profile1]local-identity address 100.1.1.1
[RT1-ike-profile-profile1]proposal 1
[RT1-ike-profile-profile1]keychain keychain1
[RT1-ike-profile-profile1]match remote identity address 100.2.2.1
[RT1-ike-profile-profile1]quit
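The keychain above binds the pre-shared key "h3c" to the peer address, and the profile binds identities to that keychain. What IKE actually does with the key is fixed by RFC 2409 section 5: with pre-shared-key authentication, SKEYID = prf(pre-shared-key, Ni_b | Nr_b), the three session keys are derived from SKEYID, and each side proves it holds the key by sending HASH_I / HASH_R computed under SKEYID. The following script is an added example (not part of the lab page or of H3C's software) that carries that derivation through for RT1 (100.1.1.1) and RT3 (100.2.2.1). It assumes HMAC-SHA1 as the prf; the cookies, nonces and Diffie-Hellman values are constructed stand-ins, so no real exchange takes place.

```python
import hashlib
import hmac
import socket


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash (HMAC-SHA1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4: with pre-shared keys, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e as defined in RFC 2409 section 5."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def id_ipv4(addr: str) -> bytes:
    """ID payload body for ID_IPV4_ADDR: type 1, protocol 0, port 0, then the address."""
    return b"\x01\x00\x00\x00" + socket.inet_aton(addr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed exchange values, fixed so the run is reproducible. Real peers use random
# cookies and nonces, and g^xi, g^xr and g^xy come from the Diffie-Hellman exchange.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
NI_B = hashlib.sha1(b"initiator-nonce").digest()
NR_B = hashlib.sha1(b"responder-nonce").digest()
GXI = b"\x21" * 96                    # stand-in for the initiator's DH public value
GXR = b"\x22" * 96                    # stand-in for the responder's DH public value
GXY = b"\x33" * 96                    # stand-in for the shared secret g^xy
SAI_B = b"\x00\x00\x00\x01" + b"\x44" * 28   # stand-in for the initiator's SA payload body


def phase1_auth(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Simulate main-mode messages 5 and 6: each side proves it holds the PSK via HASH_I / HASH_R."""
    id_i, id_r = id_ipv4("100.1.1.1"), id_ipv4("100.2.2.1")   # local-identity of RT1 and RT3
    sk_i = skeyid_psk(psk_initiator, NI_B, NR_B)              # computed on RT1 from its keychain
    sk_r = skeyid_psk(psk_responder, NI_B, NR_B)              # computed on RT3 from its keychain
    sent_hash_i = hash_i(sk_i, GXI, GXR, CKY_I, CKY_R, SAI_B, id_i)
    expected_i = hash_i(sk_r, GXI, GXR, CKY_I, CKY_R, SAI_B, id_i)
    if not hmac.compare_digest(sent_hash_i, expected_i):
        return False   # responder rejects: the initiator does not hold the same key
    sent_hash_r = hash_r(sk_r, GXI, GXR, CKY_I, CKY_R, SAI_B, id_r)
    expected_r = hash_r(sk_i, GXI, GXR, CKY_I, CKY_R, SAI_B, id_r)
    return hmac.compare_digest(sent_hash_r, expected_r)


if __name__ == "__main__":
    print("matching keys  ->", phase1_auth(b"h3c", b"h3c"))
    print("differing keys ->", phase1_auth(b"h3c", b"H3C"))
    sk = skeyid_psk(b"h3c", NI_B, NR_B)
    for name, k in zip(("SKEYID_d", "SKEYID_a", "SKEYID_e"), derive_keys(sk, GXY, CKY_I, CKY_R)):
        print(name, k.hex())
```

The point the simulation makes visible is that a key mismatch between the two keychains is never reported as "wrong password": SKEYID simply differs on the two sides, HASH_I fails to verify on the responder, and phase 1 stops there. The only other inputs to SKEYID are the two nonces, so the strength of the pre-shared key (here a three-character lab value) is what bounds the strength of phase 1 authentication.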
ACL configuration
[RT1]acl number 3000
[RT1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
IPsec transform set
[RT1]ipsec transform-set tran1
[RT1-ipsec-transform-set-tran1]encapsulation-mode tunnel
[RT1-ipsec-transform-set-tran1]esp encryption-algorithm des-cbc
[RT1-ipsec-transform-set-tran1]esp authentication-algorithm sha1
IPsec security policy
[RT1]ipsec policy policy1 1 isakmp
[RT1-ipsec-policy-isakmp-policy1-1]security acl 3000
[RT1-ipsec-policy-isakmp-policy1-1]transform-set tran1
[RT1-ipsec-policy-isakmp-policy1-1]ike-profile profile1
[RT1-ipsec-policy-isakmp-policy1-1]remote-address 100.2.2.1
[RT1-ipsec-policy-isakmp-policy1-1]quit
[RT1]int g0/1
[RT1-GigabitEthernet0/1]ipsec apply policy policy1
[RT1-GigabitEthernet0/1]quit
RT3
IKE configuration
[RT3]ike keychain keychain1
[RT3-ike-keychain-keychain1]pre-shared-key address 100.1.1.1 key simple h3c
[RT3-ike-keychain-keychain1]quit
[RT3]ike proposal 1
[RT3-ike-proposal-1]quit
[RT3]ike profile profile1
[RT3-ike-profile-profile1]local-identity address 100.2.2.1
[RT3-ike-profile-profile1]proposal 1
[RT3-ike-profile-profile1]keychain keychain1
[RT3-ike-profile-profile1]match remote identity address 100.1.1.1
ACL configuration
[RT3]acl number 3000
[RT3-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
IPsec transform set
[RT3]ipsec transform-set tran1
[RT3-ipsec-transform-set-tran1]esp encryption-algorithm des-cbc
[RT3-ipsec-transform-set-tran1]esp authentication-algorithm sha1
IPsec security policy
[RT3]ipsec policy policy1 1 isakmp
[RT3-ipsec-policy-isakmp-policy1-1]security acl 3000
[RT3-ipsec-policy-isakmp-policy1-1]transform-set tran1
[RT3-ipsec-policy-isakmp-policy1-1]ike-profile profile1
[RT3-ipsec-policy-isakmp-policy1-1]remote-address 100.1.1.1
[RT3-ipsec-policy-isakmp-policy1-1]quit
[RT3]int g0/0
[RT3-GigabitEthernet0/0]ipsec apply policy policy1
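Most failures in a lab like this come from the two sides not being mirror images: a key bound to the wrong peer address, a local-identity that does not match the peer's "match remote identity", an ACL whose source and destination are not swapped, or transform sets that differ. The script below is an added example, not part of the lab page or of H3C's software: it reduces the two transcripts above (embedded as constructed input) to the fields that must agree and reports any mismatch, and separately flags the settings that are fine for the lab but not for production (DES-CBC, and a key typed with "key simple" so it is visible in the transcript). It assumes Comware's default encapsulation mode is tunnel when none is configured.

```python
import re
from typing import Any, Dict, List

# Constructed input: the IKE/IPsec lines of each router, copied from the lab transcript
# (RT1's abbreviated "encapsulation-mode tun" is kept as typed; RT3 relies on the default).
RT1_CFG = """
[RT1-ike-keychain-keychain1]pre-shared-key address 100.2.2.1 key simple h3c
[RT1-ike-profile-profile1]local-identity address 100.1.1.1
[RT1-ike-profile-profile1]match remote identity address 100.2.2.1
[RT1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[RT1-ipsec-transform-set-tran1]encapsulation-mode tun
[RT1-ipsec-transform-set-tran1]esp encryption-algorithm des-cbc
[RT1-ipsec-transform-set-tran1]esp authentication-algorithm sha1
[RT1-ipsec-policy-isakmp-policy1-1]remote-address 100.2.2.1
"""
RT3_CFG = """
[RT3-ike-keychain-keychain1]pre-shared-key address 100.1.1.1 key simple h3c
[RT3-ike-profile-profile1]local-identity address 100.2.2.1
[RT3-ike-profile-profile1]match remote identity address 100.1.1.1
[RT3-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[RT3-ipsec-transform-set-tran1]esp encryption-algorithm des-cbc
[RT3-ipsec-transform-set-tran1]esp authentication-algorithm sha1
[RT3-ipsec-policy-isakmp-policy1-1]remote-address 100.1.1.1
"""

PATTERNS = {
    "psk": r"pre-shared-key address (\S+) key (\S+) (\S+)",
    "local_id": r"local-identity address (\S+)",
    "remote_id": r"match remote identity address (\S+)",
    "acl": r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)",
    "encap": r"encapsulation-mode (\S+)",
    "esp_enc": r"esp encryption-algorithm (\S+)",
    "esp_auth": r"esp authentication-algorithm (\S+)",
    "remote_addr": r"remote-address (\S+)",
}


def parse(cfg: str) -> Dict[str, Any]:
    """Reduce a Comware transcript to the fields that have to agree between the two peers."""
    # Assumption: tunnel mode is the Comware default when encapsulation-mode is not set.
    c: Dict[str, Any] = {"psk": {}, "acl": [], "encap": "tunnel"}
    for line in cfg.strip().splitlines():
        cmd = line.split("]", 1)[1].strip()            # drop the "[RT1-...]" view prompt
        for key, pat in PATTERNS.items():
            m = re.fullmatch(pat, cmd)
            if m is None:
                continue
            if key == "psk":
                c["psk"][m[1]] = (m[2], m[3])           # peer address -> (key mode, key)
            elif key == "acl":
                c["acl"].append((m[1], m[2]))           # (source, destination) with wildcards
            elif key == "encap":                        # accept abbreviations such as "tun"
                full = [x for x in ("tunnel", "transport") if x.startswith(m[1])]
                c["encap"] = full[0] if full else m[1]
            else:
                c[key] = m[1]
    return c


def check_peers(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Return the mismatches that would stop IKE phase 1 or IPsec phase 2 from completing."""
    problems: List[str] = []
    # Phase 1: each side needs a key for the peer's address, and the two keys must be equal.
    ka, kb = a["psk"].get(b.get("local_id")), b["psk"].get(a.get("local_id"))
    if ka is None or kb is None:
        problems.append("pre-shared key missing for the peer address")
    elif ka[1] != kb[1]:
        problems.append("pre-shared keys differ")
    # Identities and policy peer addresses are cross-wise: my "remote" is the peer's "local".
    if a.get("remote_id") != b.get("local_id") or b.get("remote_id") != a.get("local_id"):
        problems.append("IKE identities do not match cross-wise")
    if a.get("remote_addr") != b.get("local_id") or b.get("remote_addr") != a.get("local_id"):
        problems.append("ipsec policy remote-address does not point at the peer")
    # Phase 2: the security ACLs must be mirror images and the transform sets identical.
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("security ACLs are not mirror images")
    for field in ("encap", "esp_enc", "esp_auth"):
        if a.get(field) != b.get(field):
            problems.append(f"transform-set field {field} differs")
    return problems


def weak_settings(c: Dict[str, Any]) -> List[str]:
    """Settings that work in the lab but should not be carried into production."""
    w: List[str] = []
    if c.get("esp_enc") == "des-cbc":
        w.append("ESP uses des-cbc (56-bit DES); use an AES algorithm instead")
    if any(mode == "simple" for mode, _ in c["psk"].values()):
        w.append("pre-shared key entered with 'key simple', so it is visible in the transcript")
    return w


if __name__ == "__main__":
    rt1, rt3 = parse(RT1_CFG), parse(RT3_CFG)
    print("mismatches:", check_peers(rt1, rt3) or "none")
    for name, cfg in (("RT1", rt1), ("RT3", rt3)):
        for warning in weak_settings(cfg):
            print(f"{name}: {warning}")
```

Paste a modified transcript in place of either constant to see which check trips; for example, changing RT3's key or its ACL destination produces a one-line mismatch naming the phase that would fail.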
4. Verify the result
ping 192.168.20.1
Source the ping from a host in 192.168.10.0/24 (or from RT1 with ping -a 192.168.10.254 192.168.20.1) so that it matches ACL 3000 and is carried in the tunnel; a ping sourced from the public interface address does not match the ACL and is not protected. display ike sa and display ipsec sa on either router show whether the phase 1 and phase 2 SAs came up.