Step 1: Configure the device names, interface IP addresses and static routes (R2 is the transit router between the two IPSec endpoints and only needs reachability)
<Huawei>sys
[Huawei]sysn R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 168.1.1.1 16
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 172.22.1.100 24 //the LAN is a /24, as the static routes and the full configuration at the end show
[R1-GigabitEthernet0/0/0]quit
[R1]ip route-static 172.22.2.0 24 168.1.1.2
[R1]ip route-static 167.1.0.0 16 168.1.1.2
<Huawei>sys
[Huawei]sysn R2
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 167.1.1.2 16
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 168.1.1.2 16
[R2-GigabitEthernet0/0/2]quit
[R2]ip route-static 172.22.2.0 24 167.1.1.1
[R2]ip route-static 172.22.1.0 24 168.1.1.1
<Huawei>sys
[Huawei]sysn R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 172.22.2.100 24
[R3-GigabitEthernet0/0/0]int g0/0/2
[R3-GigabitEthernet0/0/2]ip address 167.1.1.1 16
[R3-GigabitEthernet0/0/2]quit
[R3]ip route-static 172.22.1.0 24 167.1.1.2
[R3]ip route-static 168.1.0.0 16 167.1.1.2
Step 2: Configure the ACLs on R1 and R3 that define the data flow to be protected. On each endpoint the rule's source is that router's own LAN and the destination is the remote LAN, so the two rules are mirror images of each other (R1: 172.22.1.0/24 to 172.22.2.0/24, R3: 172.22.2.0/24 to 172.22.1.0/24). A common mistake is to write the rule from the remote side's point of view (source = remote LAN): a packet leaving R1 from 172.22.1.0/24 then does not match ACL 3101, is forwarded in the clear and never triggers IKE negotiation. R2 only forwards the traffic and needs no ACL or IPSec configuration.
[R1]acl 3101
[R1-acl-adv-3101]rule 5 permit ip source 172.22.1.0 0.0.0.255 destination 172.22.2.0 0.0.0.255
[R3]acl 3101
[R3-acl-adv-3101]rule 5 permit ip source 172.22.2.0 0.0.0.255 destination 172.22.1.0 0.0.0.255
Step 3: Configure the IPSec proposal on R1 and R3 (the ESP algorithms; both ends must use the same values)
[R1]ipsec proposal tran1
[R1-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
//ESP integrity (authentication) algorithm
[R1-ipsec-proposal-tran1]esp encryption-algorithm aes-128
//ESP encryption algorithm
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R3-ipsec-proposal-tran1]esp encryption-algorithm aes-128
Step 4: Configure the IKE peers on R1 and R3 (R2 is only a transit router and takes no part in IKE)
1. Configure the IKE proposal (identical on both ends, otherwise Phase 1 fails)
[R1]ike proposal 5
[R1-ike-proposal-5]encryption-algorithm ?
3des-cbc 168 bits 3DES-CBC
aes-cbc-128 Use AES-128
aes-cbc-192 Use AES-192
aes-cbc-256 Use AES-256
des-cbc 56 bits DES-CBC
[R1-ike-proposal-5]encryption-algorithm aes-cbc-128 //must match R3's proposal below; the full configuration at the end shows aes-cbc-128 on both routers
[R1-ike-proposal-5]authentication-algorithm ?
aes-xcbc-mac-96 Select aes-xcbc-mac-96 as the hash algorithm
md5 Select MD5 as the hash algorithm
sha1 Select SHA as the hash algorithm
sm3 Select sm3 as the hash algorithm
[R1-ike-proposal-5]authentication-algorithm sha1 //sha1 is the default on this release, so it is not shown in display current-configuration
[R1-ike-proposal-5]dh group14 //must match R3; the full configuration at the end shows group14 on both routers
[R3]ike proposal 5
[R3-ike-proposal-5]encryption-algorithm aes-cbc-128
[R3-ike-proposal-5]authentication-algorithm sha1
[R3-ike-proposal-5]dh group14
2. Configure the IKE peers. Authentication stays at its default (pre-shared key); set the key and the remote address, which with the default ID type (IP address) is also the peer ID. The key huawei is a lab value: use a long random secret in production and prefer IKEv2 (ike peer ... v2) where both ends support it. The device must be able to recover the key to run IKE, so the cipher text shown in display current-configuration is reversible encryption, not a hash: treat configuration backups as secrets.
[R1]ike peer spub v1 //create IKE peer spub using IKEv1
[R1-ike-peer-spub]ike-proposal 5 //bind IKE proposal 5
[R1-ike-peer-spub]pre-shared-key cipher huawei //pre-shared key, must be identical on R3
[R1-ike-peer-spub]remote-address 167.1.1.1 //R3's tunnel (WAN) address, used as the remote ID
[R3]ike peer spua v1 //create IKE peer spua using IKEv1
[R3-ike-peer-spua]ike-proposal 5
[R3-ike-peer-spua]pre-shared-key cipher huawei
[R3-ike-peer-spua]remote-address 168.1.1.1
Step 5: Create the IPSec policies on R1 and R3, binding the IKE peer, the IPSec proposal and the ACL
[R1]ipsec policy map1 10 isakmp //create policy group map1, entry 10, negotiated by IKE (ISAKMP)
[R1-ipsec-policy-isakmp-map1-10]ike-peer spub
[R1-ipsec-policy-isakmp-map1-10]proposal tran1
[R1-ipsec-policy-isakmp-map1-10]security acl 3101
[R1-ipsec-policy-isakmp-map1-10]quit
[R3]ipsec policy use1 10 isakmp
[R3-ipsec-policy-isakmp-use1-10]ike-peer spua
[R3-ipsec-policy-isakmp-use1-10]proposal tran1
[R3-ipsec-policy-isakmp-use1-10]security acl 3101
[R3-ipsec-policy-isakmp-use1-10]quit
Step 6: Apply the policy groups to the interfaces of R1 and R3 that face R2, so that traffic leaving those interfaces and matching the ACL is protected by IPSec.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ipsec policy map1 //apply policy group map1 to the interface toward R2
[R1-GigabitEthernet0/0/1]quit
[R3]int g0/0/2
[R3-GigabitEthernet0/0/2]ipsec policy use1 //apply policy group use1 to the interface toward R2
[R3-GigabitEthernet0/0/2]quit
Step 7: Verify the result. An isakmp policy starts IKE negotiation only when traffic matching the security ACL reaches the interface, so first send such traffic (for example a ping from a host on 172.22.1.0/24 to a host on 172.22.2.0/24), then check the SAs and the ESP/AH counters:
display ipsec statistics esp
display ipsec statistics ah
display ike sa
<R1>dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
55 167.1.1.1 0 RD 2
53 167.1.1.1 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
Two entries for peer 167.1.1.1 with flag RD, one in Phase 1 and one in Phase 2, mean that both the IKE SA and the IPSec SA were negotiated. Only a Phase 1 entry means the IKE peers agree but the IPSec proposal or the ACLs do not; no entry at all usually means no matching traffic was sent, or the IKE proposals or pre-shared keys differ.
The full configuration of R1 and R3 (display current-configuration) follows.
<R1>dis cu
[V200R003C00]
#
sysname R1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3101
rule 5 permit ip source 172.22.1.0 0.0.0.255 destination 172.22.2.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
#
ike peer spub v1
pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
ike-proposal 5
remote-address 167.1.1.1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 172.22.1.100 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 168.1.1.1 255.255.0.0
ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 167.1.0.0 255.255.0.0 168.1.1.2
ip route-static 172.22.2.0 255.255.255.0 168.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R1>
<R3>dis cu
[V200R003C00]
#
sysname R3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3101
rule 5 permit ip source 172.22.2.0 0.0.0.255 destination 172.22.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
#
ike peer spua v1
pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
ike-proposal 5
remote-address 168.1.1.1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer spua
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 172.22.2.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 167.1.1.1 255.255.0.0
ipsec policy use1
#
interface NULL0
#
ip route-static 168.1.0.0 255.255.0.0 167.1.1.2
ip route-static 172.22.1.0 255.255.255.0 167.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R3>
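The Python script below is an added example and is not part of this lab or a Huawei tool. It parses the statements that matter for the tunnel out of both routers' display current-configuration output, follows interface -> ipsec policy -> ike peer -> proposals -> ACL on each side, and reports what must match (IKE version, IKE and IPSec proposal parameters, each remote-address against the other end's tunnel interface address) and what must mirror (the security ACLs). It also applies the Step 2 rule of thumb as a heuristic: an ACL source that is not a network the router is attached to is flagged, which is exactly the swapped-ACL mistake and the Step 4 proposal mismatch (aes-cbc-192 against aes-cbc-128) that a manual review of two dumps easily misses. The sample configurations are constructed from this page's dumps with shortened peer and policy names and the pre-shared-key line left out; the function names and the treatment of an absent parameter as "device default" are this example's own assumptions.

```python
"""Cross-check the two ends of an IKE/IPSec tunnel from Huawei VRP 'display current-configuration' output.
Added example, not Huawei tooling: it understands only the statements this lab uses."""
import ipaddress

def wildcard_net(addr, wildcard):
    """ACL 'address wildcard' pair (wildcard = inverted mask) -> ip_network."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits.bit_length()}", strict=False)

def parse_vrp(text):
    """Blocks are found by keyword, not indentation (pasted dumps lose leading spaces); other statements are skipped."""
    cfg = {k: {} for k in ("acl", "ipsec proposal", "ike proposal", "ike peer", "ipsec policy", "interface")}
    cur = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "#":                 # '#' ends a VRP config block
            cur = None
            continue
        head = " ".join(t[:2])
        if t[0] == "sysname":
            cfg["sysname"] = t[1]
        elif head == "acl number":
            cur = cfg["acl"].setdefault(t[2], [])
        elif head == "ipsec policy" and t[-1] == "isakmp":   # policy entry, not the interface binding
            cur = cfg[head].setdefault(t[2], {})
        elif head in ("ipsec proposal", "ike proposal", "ike peer"):   # 'ike peer NAME v1|v2' keeps its version
            cur = cfg[head].setdefault(t[2], {"version": t[3]} if len(t) > 3 else {})
        elif t[0] == "interface":
            cur = cfg["interface"].setdefault(t[1], {})
        elif cur is None:
            continue
        elif isinstance(cur, list):              # inside an ACL: keep 'permit ... source A W destination B W'
            if t[0] == "rule" and "permit" in t and "source" in t and "destination" in t:
                cur.append(tuple(wildcard_net(t[i + 1], t[i + 2]) for i in (t.index("source"), t.index("destination"))))
        elif t[:2] == ["ip", "address"]:
            cur["ip address"] = (t[2], t[3])
        else:                                    # 'esp encryption-algorithm aes-128' -> {'esp encryption-algorithm': 'aes-128'}
            cur[" ".join(t[:-1])] = t[-1]
    return cfg

def tunnel_endpoint(cfg):
    """Follow interface -> ipsec policy -> ike peer, proposals and ACL on one router."""
    for iface in cfg["interface"].values():
        if "ipsec policy" in iface:
            pol = cfg["ipsec policy"][iface["ipsec policy"]]
            peer = cfg["ike peer"][pol["ike-peer"]]
            return {"name": cfg["sysname"], "ip": ipaddress.ip_address(iface["ip address"][0]),
                    "peer": peer, "ike_prop": cfg["ike proposal"][peer["ike-proposal"]],
                    "ipsec_prop": cfg["ipsec proposal"][pol["proposal"]], "acl": cfg["acl"][pol["security acl"]],
                    "connected": [ipaddress.ip_interface("%s/%s" % i["ip address"]).network
                                  for i in cfg["interface"].values() if "ip address" in i]}
    raise ValueError(f"{cfg.get('sysname')}: no interface carries an ipsec policy")

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two ends agree."""
    a, b = tunnel_endpoint(cfg_a), tunnel_endpoint(cfg_b)
    out = []
    for x, y in ((a, b), (b, a)):
        remote = ipaddress.ip_address(x["peer"]["remote-address"])
        if remote != y["ip"]:
            out.append(f"{x['name']}: remote-address {remote} is not {y['name']}'s tunnel address {y['ip']}")
        for src, _ in x["acl"]:   # heuristic for this topology: the protected source is a LAN the router sits on
            if not any(src.overlaps(n) for n in x["connected"]):
                out.append(f"{x['name']}: ACL source {src} is not a connected network; the source must be this router's own protected LAN")
    for section, keys in (("peer", ("version",)), ("ike_prop", ("encryption-algorithm", "authentication-algorithm", "dh")),
                          ("ipsec_prop", ("esp encryption-algorithm", "esp authentication-algorithm", "transform", "encapsulation-mode"))):
        for k in keys:                           # unset on both sides = the same device default (v1, sha1, ...)
            va, vb = a[section].get(k, "default"), b[section].get(k, "default")
            if va != vb:
                out.append(f"{section} {k}: {a['name']}={va} {b['name']}={vb}")
    if set(a["acl"]) != {(d, s) for s, d in b["acl"]}:
        out.append("security ACLs are not mirror images of each other")
    return out

def lab_config(name, lan_ip, wan_ip, peer_wan_ip, acl_src, acl_dst, ike_enc="aes-cbc-128"):
    """Constructed sample: the relevant part of this lab's dump (names shortened, pre-shared-key line omitted)."""
    return "\n".join([
        f"sysname {name}", "#", "acl number 3101",
        f" rule 5 permit ip source {acl_src} 0.0.0.255 destination {acl_dst} 0.0.0.255", "#",
        "ipsec proposal tran1", " esp authentication-algorithm sha2-256", " esp encryption-algorithm aes-128", "#",
        "ike proposal 5", f" encryption-algorithm {ike_enc}", " dh group14", "#",
        "ike peer sp v1", " ike-proposal 5", f" remote-address {peer_wan_ip}", "#",
        "ipsec policy pol 10 isakmp", " security acl 3101", " ike-peer sp", " proposal tran1", "#",
        "interface GigabitEthernet0/0/0", f" ip address {lan_ip} 255.255.255.0", "#",
        "interface GigabitEthernet0/0/1", f" ip address {wan_ip} 255.255.0.0", " ipsec policy pol", "#"])

# R1: LAN 172.22.1.0/24, WAN 168.1.1.1; R3: LAN 172.22.2.0/24, WAN 167.1.1.1. MIRRORED writes each ACL with
# source = local LAN; SWAPPED_ACL makes the Step 2 mistake (source = remote LAN) on both routers.
MIRRORED = (lab_config("R1", "172.22.1.100", "168.1.1.1", "167.1.1.1", "172.22.1.0", "172.22.2.0"),
            lab_config("R3", "172.22.2.100", "167.1.1.1", "168.1.1.1", "172.22.2.0", "172.22.1.0"))
SWAPPED_ACL = (lab_config("R1", "172.22.1.100", "168.1.1.1", "167.1.1.1", "172.22.2.0", "172.22.1.0"),
               lab_config("R3", "172.22.2.100", "167.1.1.1", "168.1.1.1", "172.22.1.0", "172.22.2.0"))

def findings(pair):
    """Parse both dumps of a (config_a, config_b) pair and cross-check them."""
    return check_pair(parse_vrp(pair[0]), parse_vrp(pair[1]))
```

findings(MIRRORED) returns an empty list. findings(SWAPPED_ACL) returns one finding per router naming the ACL source that is not its own LAN, while the mirror check still passes, which is why the swapped rules can look fine in a side-by-side comparison. Building R1 with ike_enc="aes-cbc-192" against the MIRRORED R3 reproduces the Step 4 mismatch as a single ike_prop finding. Non-contiguous wildcards raise ValueError rather than being silently misread, and the parser can be fed the complete dumps from this page unchanged, since statements outside the sections it knows are skipped.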