Lab requirements
- Configure an IPsec VPN using manual (static) keying
- Satisfy both needs at the same time: ordinary Internet access and the VPN
- Use NAT for address translation
- Choose the authentication method and encryption algorithm yourself, using secure options
Lab configuration
R1:
```
# Basic configuration: addressing, DHCP for the LAN, default route, NAT for Internet access
system-view
sysname R1
dhcp enable
acl 2000
 rule permit source 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 24
 nat outbound 2000
interface GigabitEthernet0/0/1
 ip address 192.168.1.254 24
 dhcp select interface
quit
ip route-static 0.0.0.0 0 12.1.1.2
# VPN configuration
system-view
# NAT ACL: traffic to the Shanghai LAN is denied (not translated), everything else is translated
acl 3001
 rule 1 deny ip destination 192.168.3.0 0.0.0.255
 rule 2 permit ip
interface GigabitEthernet0/0/0
 undo nat outbound 2000
 nat outbound 3001
# IPsec ACL: traffic between the two LANs is what the tunnel protects
acl 3000
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec proposal To-shanghai
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
# Manual policy: SPIs and keys must mirror R3 (R1 inbound = R3 outbound and vice versa)
# 'huawei' is a lab placeholder; a production string-key should be long and random
ipsec policy beijing-VPN 1 manual
 security acl 3000
 proposal To-shanghai
 tunnel local 12.1.1.1
 tunnel remote 23.1.1.3
 sa spi inbound esp 54321
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei
interface GigabitEthernet0/0/0
 ipsec policy beijing-VPN
```
R2:
```
# ISP router: only addressing, no NAT and no IPsec
system-view
sysname ISP
interface GigabitEthernet0/0/0
 ip address 23.1.1.2 24
interface GigabitEthernet0/0/1
 ip address 12.1.1.2 24
interface LoopBack0
 ip address 2.2.2.2 32
quit
```
R3:
```
# Basic configuration: addressing, DHCP for the LAN, default route, NAT for Internet access
system-view
sysname R3
dhcp enable
acl 2000
 rule permit source 192.168.3.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip address 23.1.1.3 24
 nat outbound 2000
interface GigabitEthernet0/0/1
 ip address 192.168.3.254 24
 dhcp select interface
quit
ip route-static 0.0.0.0 0 23.1.1.2
# VPN configuration
system-view
# NAT ACL: traffic to the Beijing LAN is denied (not translated), everything else is translated
acl 3001
 rule 1 deny ip destination 192.168.1.0 0.0.0.255
 rule 2 permit ip
interface GigabitEthernet0/0/0
 undo nat outbound 2000
 nat outbound 3001
# IPsec ACL: mirror of R1's ACL 3000
acl 3000
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal To-beijing
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
# Manual policy: SPIs and keys mirror R1 (R3 inbound 12345 = R1 outbound, R3 outbound 54321 = R1 inbound)
ipsec policy shanghai-VPN 1 manual
 security acl 3000
 proposal To-beijing
 tunnel local 23.1.1.3
 tunnel remote 12.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 54321
 sa string-key outbound esp cipher huawei
interface GigabitEthernet0/0/0
 ipsec policy shanghai-VPN
```
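Manual keying has no negotiation, so a mismatched SPI, key or NAT exemption on either side fails silently instead of producing an IKE error. The checker below is an added example (not part of the lab writeup and not a Huawei tool) that parses the R1 and R3 VPN commands above, with abbreviations expanded, and verifies that the two peers mirror each other and that the NAT ACL exempts the tunnel traffic; the regexes are my reading of the VRP command syntax, and the list of guessable keys is constructed for the example.

```python
"""Consistency checker for two manually keyed Huawei VRP IPsec peers (added example,
not from the lab writeup and not a Huawei tool: the configs are constructed from the
R1/R3 commands above, abbreviations expanded, and the regexes encode my reading of the syntax)."""
import re

R1_CONFIG = """
sysname R1
acl 3001
 rule 1 deny ip destination 192.168.3.0 0.0.0.255
 rule 2 permit ip
interface GigabitEthernet0/0/0
 nat outbound 3001
acl 3000
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy beijing-VPN 1 manual
 security acl 3000
 tunnel local 12.1.1.1
 tunnel remote 23.1.1.3
 sa spi inbound esp 54321
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei
"""

R3_CONFIG = """
sysname R3
acl 3001
 rule 1 deny ip destination 192.168.1.0 0.0.0.255
 rule 2 permit ip
interface GigabitEthernet0/0/0
 nat outbound 3001
acl 3000
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy shanghai-VPN 1 manual
 security acl 3000
 tunnel local 23.1.1.3
 tunnel remote 12.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 54321
 sa string-key outbound esp cipher huawei
"""

COMMON_KEYS = {"huawei", "password", "admin", "123456"}  # constructed sample list
PATTERNS = [  # (bucket, regex with two groups): side[bucket][group1] = group2
    ("meta", r"(sysname) (\S+)"),
    ("meta", r"(nat) outbound (\d+)"),  # 'undo nat outbound' never matches; last one wins
    ("meta", r"(security) acl (\d+)"),
    ("proposal", r"esp (auth|encr)\S* (\S+)"),
    ("tunnel", r"tunnel (local|remote) (\S+)"),
    ("spi", r"sa spi (inbound|outbound) esp (\d+)"),
    ("key", r"sa string-key (inbound|outbound) esp \S+ (\S+)"),
]

def parse_side(text):
    side = {"acls": {}, "meta": {}, "proposal": {}, "tunnel": {}, "spi": {}, "key": {}}
    acl = None  # ACL currently being filled
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"acl (\d+)", line):
            acl = side["acls"].setdefault(m.group(1), {"deny": [], "permit": []})
        elif m := re.match(r"rule \d* ?(deny|permit) ip(.*)", line):
            dst = re.search(r"dest\S* (\S+ \S+)", m.group(2))  # only the destination matters here
            acl[m.group(1)].append(dst.group(1) if dst else "any")
        else:
            for bucket, pat in PATTERNS:
                if m := re.match(pat, line):
                    side[bucket][m.group(1)] = m.group(2)
    return side

def check_pair(a, b):
    """Mismatches between two peers; an empty list means the manual SAs mirror correctly."""
    findings = []
    for x, y in ((a, b), (b, a)):
        n = x["meta"]["sysname"]
        if x["tunnel"].get("remote") != y["tunnel"].get("local"):
            findings.append(f"{n}: tunnel remote is not the peer's tunnel local")
        if x["spi"].get("inbound") != y["spi"].get("outbound"):
            findings.append(f"{n}: inbound SPI is not the peer's outbound SPI")
        if x["key"].get("inbound") != y["key"].get("outbound"):
            findings.append(f"{n}: inbound key is not the peer's outbound key")
        # NAT ACL must deny every destination the IPsec ACL protects, else the source is translated first
        nat_deny = x["acls"].get(x["meta"].get("nat"), {"deny": []})["deny"]
        for dst in x["acls"].get(x["meta"].get("security"), {"permit": []})["permit"]:
            if dst not in nat_deny:
                findings.append(f"{n}: NAT ACL does not exempt VPN destination {dst}")
    if a["proposal"] != b["proposal"]:
        findings.append("ESP algorithms differ between the peers")
    return findings

def weak_key_findings(side, min_len=16):
    return [f"{side['meta']['sysname']}: {d} string-key is short or guessable"
            for d, key in side["key"].items() if len(key) < min_len or key.lower() in COMMON_KEYS]

if __name__ == "__main__":
    r1, r3 = parse_side(R1_CONFIG), parse_side(R3_CONFIG)
    print(check_pair(r1, r3), weak_key_findings(r1) + weak_key_findings(r3))
```

Run as-is, the mirror checks pass for the lab configs and the only findings are the four weak-key ones, because the string-key `huawei` is shorter than 16 characters and on the guessable list; changing one SPI on R3, or pointing R1's `nat outbound` back at ACL 2000 (which has no deny rule for the Shanghai LAN), produces a mismatch or NAT-exemption finding respectively.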
Author: DC