IPsec VPN Configuration

Network topology

Lab requirements

R1 and R2 establish an IPsec VPN; the IPsec VPN protects the traffic from PC1 to the server.

Lab approach

1. Configure the PC and server gateways on the two routers

2. Configure the VPN

(1) IKE proposal

(2) IKE peer establishment

(3) IPsec proposal

(4) Configure the ACL

(5) Configure the IPsec policy

(6) Apply the encryption policy on the interface

Gateway configuration

R1

<Huawei>un ter mon
Info: Current terminal monitor is off.
<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sysname  R1
[R1]
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]
[R1-GigabitEthernet0/0/0]ip ad 20.1.1.1  24   // link toward R2, the tunnel endpoint
[R1-GigabitEthernet0/0/0]
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]
[R1-GigabitEthernet0/0/1]ip ad 192.168.1.1  24   // LAN gateway for PC1
[R1-GigabitEthernet0/0/1]

R2

<Huawei>un ter mon
Info: Current terminal monitor is off.
<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]un in en
Info: Information center is disabled.
[Huawei]
[Huawei]sysname  R2
[R2]
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]
[R2-GigabitEthernet0/0/0]ip ad 20.1.1.2  24   // link toward R1, the tunnel endpoint
[R2-GigabitEthernet0/0/0]
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]
[R2-GigabitEthernet0/0/1]ip ad 192.168.2.1  24   // LAN gateway for the server
[R2-GigabitEthernet0/0/1]

IKE proposal

R1

[R1]ike pro 1 
[R1-ike-proposal-1]encryption-algorithm aes-cbc-128  // set the encryption algorithm
[R1-ike-proposal-1]authentication-method pre-share   // set the authentication method (pre-shared key)
[R1-ike-proposal-1]authentication-algorithm sha1  // set the authentication (hash) algorithm
[R1-ike-proposal-1]dh group14
[R1-ike-proposal-1]q

R2

[R2]ike pro 1
[R2-ike-proposal-1]encryption-algorithm aes-cbc-128
[R2-ike-proposal-1]authentication-algorithm sha1 
[R2-ike-proposal-1]authentication-method pre-share
[R2-ike-proposal-1]dh group14
[R2-ike-proposal-1]q

IKE peer establishment

R1

[R1]ike peer R2 v1
[R1-ike-peer-R2]exchange-mode main  
[R1-ike-peer-R2]remote-address  20.1.1.2
[R1-ike-peer-R2]local-address 20.1.1.1
[R1-ike-peer-R2]pre-shared-key  cipher huawei@123
[R1-ike-peer-R2]ike-proposal 1
[R1-ike-peer-R2]q

R2

[R2]ike peer R1 v1
[R2-ike-peer-R1]ike-pro 1
[R2-ike-peer-R1]remote-address 20.1.1.1 
[R2-ike-peer-R1]local-address 20.1.1.2
[R2-ike-peer-R1]pre-shared-key cipher  huawei@123
[R2-ike-peer-R1]q

IPsec proposal

R1

[R1]ipsec prop 1 
[R1-ipsec-proposal-1]encapsulation-mode tunnel
[R1-ipsec-proposal-1]transform esp
[R1-ipsec-proposal-1]esp authentication-algorithm sha1
[R1-ipsec-proposal-1]esp encryption-algorithm aes-128
[R1-ipsec-proposal-1]q

R2

[R2]ipsec prop 1
[R2-ipsec-proposal-1]encapsulation-mode tunnel
[R2-ipsec-proposal-1]transform esp 
[R2-ipsec-proposal-1]esp encryption-algorithm aes-128
[R2-ipsec-proposal-1]esp authentication-algorithm sha1
[R2-ipsec-proposal-1]q

Configure the ACL

R1

[R1]acl 3000
[R1-acl-adv-3000]ru per ip so 192.168.1.0  0.0.0.255  de 192.168.2.0 0.0.0.255
[R1-acl-adv-3000]q

R2

[R2]acl 3000
[R2-acl-adv-3000]ru per ip  so 192.168.2.0 0.0.0.255  de 192.168.1.0  0.0.0.255
[R2-acl-adv-3000]q

Configure the IPsec policy

R1

[R1]ipsec policy ipsec  1 isakmp 
[R1-ipsec-policy-isakmp-ipsec-1]proposal  1
[R1-ipsec-policy-isakmp-ipsec-1]security acl 3000
[R1-ipsec-policy-isakmp-ipsec-1]ike-peer R2

R2

[R2]ipsec policy ipsec 1 isakmp 
[R2-ipsec-policy-isakmp-ipsec-1]security acl 3000
[R2-ipsec-policy-isakmp-ipsec-1]ike-peer R1
[R2-ipsec-policy-isakmp-ipsec-1]pro 1

Apply the encryption policy on the interface

R1

[R1-ipsec-policy-isakmp-ipsec-1]int g0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy ipsec   // bind the policy on the interface facing R2 (20.1.1.0/24), not on the LAN side

R2

[R2-ipsec-policy-isakmp-ipsec-1]int g0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy ipsec   // bind the policy on the interface facing R1 (20.1.1.0/24)
[R2-GigabitEthernet0/0/0]q

Configure static routes so that the traffic is forced through the IPsec VPN tunnel

R1

[R1]ip route-static  192.168.2.0 24  20.1.1.2

R2

[R2]ip route-static 192.168.1.0  24  20.1.1.1

Ping test and packet capture
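
While PC1 pings the server, a capture on the 20.1.1.0/24 link between R1 and R2 should show only ESP (IP protocol 50) between 20.1.1.1 and 20.1.1.2; in tunnel mode the 192.168.x.x addresses travel inside the encrypted payload. The script below is an added example, not part of the original post: it parses constructed IPv4 packets, pulls the SPI and sequence number out of ESP packets, and flags any packet between the two protected subnets that crosses the link unencrypted, which is what you would see if the ACLs do not match or the policy is bound to the wrong interface. The packet bytes and the `PROTECTED` networks are constructed from this lab's addressing.

```python
"""Audit a capture taken on the R1-R2 link (20.1.1.0/24).

Added example, not part of the original post. The packet bytes are constructed
to look like what the lab's ping test should (and should not) produce.
"""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50

# Constructed from the lab's ACL 3000: the subnets whose traffic must be encrypted.
PROTECTED = (ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("192.168.2.0/24"))


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (header checksum left at zero; not verified here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def sample_capture():
    """Constructed capture: one ESP packet between the tunnel endpoints (what a
    correct setup shows) and one plaintext ICMP echo between the LANs (a leak)."""
    esp = build_ipv4("20.1.1.1", "20.1.1.2", IPPROTO_ESP,
                     struct.pack("!II", 0x0C1D2E3F, 1) + bytes(32))  # SPI, seq, opaque ciphertext
    leak = build_ipv4("192.168.1.10", "192.168.2.10", IPPROTO_ICMP,
                      struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh")  # echo request
    return [esp, leak]


def parse_packet(pkt):
    """Return src/dst/proto, plus SPI and sequence number for ESP packets."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "proto": proto}
    if proto == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    return info


def audit_capture(packets):
    """Count ESP packets and list any unencrypted packet between the protected subnets."""
    esp_count, leaks = 0, []
    for pkt in packets:
        info = parse_packet(pkt)
        if info["proto"] == IPPROTO_ESP:
            esp_count += 1
            continue
        s, d = ipaddress.ip_address(info["src"]), ipaddress.ip_address(info["dst"])
        a, b = PROTECTED
        if (s in a and d in b) or (s in b and d in a):
            leaks.append((info["src"], info["dst"], info["proto"]))
    return {"esp": esp_count, "leaks": leaks}


if __name__ == "__main__":
    for pkt in sample_capture():
        print(parse_packet(pkt))
    print(audit_capture(sample_capture()))
```

A healthy capture yields a non-zero `esp` count and an empty `leaks` list; the SPI and the monotonically increasing sequence number are also what `display ipsec sa` on the router should report for the same SA.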

Configuration summary

R1

un ter mon
sys
un in  en
sysname R1
int g0/0/0
ip ad 20.1.1.1  24
int g0/0/1
ip ad 192.168.1.1  24
q

// IKE proposal
ike  proposal 1
encryption-algorithm  aes-cbc-128
authentication-algorithm sha1
authentication-method pre-share 
dh group  14
q

// IKE peer
ike peer R2  v1
pre-shared-key cipher Huawei@123
exchange-mode main
remote-address  20.1.1.2 
local-address  20.1.1.1
ike-proposal 1 
q

// IPsec proposal

ipsec proposal 1
encapsulation-mode  tunnel
transform   esp
esp authentication-algorithm sha1 
esp encryption-algorithm aes-128
q

acl  3000
rule  permit ip  so  192.168.1.0  0.0.0.255     de  192.168.2.0  0.0.0.255
q


// IPsec policy
ipsec policy ipsec  1  isakmp
security acl 3000
ike-peer R2
proposal 1  // IPsec proposal


// apply the encryption policy on the interface facing the peer
int g0/0/0
ipsec policy  ipsec
q
// static route: force the traffic into the tunnel
ip route-static 192.168.2.0  24   20.1.1.2

R2

un ter mon
sys
un in  en
sysname R2
int g0/0/0
ip ad 20.1.1.2  24
int g0/0/1
ip ad 192.168.2.1  24
q

ike  proposal 1
encryption-algorithm  aes-cbc-128 // must match R1
authentication-algorithm sha1
authentication-method pre-share 
dh group  14
q

ike peer R1  v1

pre-shared-key cipher Huawei@123  // must match R1
exchange-mode main
remote-address  20.1.1.1 
local-address  20.1.1.2  // (optional)
ike-proposal 1 
q


ipsec proposal 1
encapsulation-mode  tunnel
transform   esp
esp authentication-algorithm sha1 
esp encryption-algorithm aes-128
q

acl  3000
rule  permit ip  so  192.168.2.0  0.0.0.255     de  192.168.1.0  0.0.0.255
q


ipsec policy ipsec  10  isakmp
security acl 3000
ike-peer R1
proposal 1


int g0/0/0
ipsec policy ipsec

ip  route-static 192.168.1.0  24   20.1.1.1
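
Most tunnels that fail to come up do so because something that has to agree on both sides does not: the IKE proposal, the pre-shared key, the IPsec proposal, or an ACL that is not an exact mirror of the peer's. The following Python script is an added example, not part of the original post and not Huawei tooling: it parses flat configuration text in the form of the summaries above (tolerating the abbreviations used in the transcripts) and reports every difference between the two sides. `R1_CONFIG` is constructed from this lab, `R2_CONFIG` is derived from it by swapping the addresses, and `R2_BROKEN` is a deliberately mistyped variant.

```python
"""Cross-check two Huawei VRP IKE/IPsec configurations for mismatches.

Added example, not from the original post or from Huawei tooling. The config
strings are constructed from this lab; R2_BROKEN is a deliberately wrong variant.
"""

R1_CONFIG = """
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm sha1
authentication-method pre-share
dh group 14
q
ike peer R2 v1
pre-shared-key cipher Huawei@123
exchange-mode main
remote-address 20.1.1.2
local-address 20.1.1.1
ike-proposal 1
q
ipsec proposal 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
q
acl 3000
rule permit ip so 192.168.1.0 0.0.0.255 de 192.168.2.0 0.0.0.255
q
"""


def swap(text, x, y):
    """Exchange every occurrence of x and y in text (used to mirror R1 into R2)."""
    return text.replace(x, "\0").replace(y, x).replace("\0", y)


# R2 is the mirror image of R1: addresses swapped, peer name changed.
R2_CONFIG = swap(swap(R1_CONFIG, "20.1.1.1", "20.1.1.2"),
                 "192.168.1.0", "192.168.2.0").replace("peer R2", "peer R1")

# Constructed failure case: wrong DH group, mistyped key, typo in the ACL destination.
R2_BROKEN = (R2_CONFIG.replace("dh group 14", "dh group 2")
             .replace("Huawei@123", "Huawei@124")
             .replace("de 192.168.1.0", "de 192.168.3.0"))


def parse_rule(words):
    """'rule [n] permit ip so[urce] A W de[stination] B W', any abbreviation."""
    i = 2 if words[1].isdigit() else 1
    rule = {"action": "permit" if words[i].startswith("per") else "deny", "src": None, "dst": None}
    for j in range(i + 2, len(words) - 2):
        if words[j].startswith("so"):
            rule["src"] = (words[j + 1], words[j + 2])
        elif words[j].startswith("de"):
            rule["dst"] = (words[j + 1], words[j + 2])
    return rule


def parse_vrp(text):
    """Collect IKE proposal, IKE peer, IPsec proposal and ACL rules from flat config text."""
    cfg = {"ike_proposal": {}, "ike_peer": {}, "ipsec_proposal": {}, "acl_rules": []}
    section = None
    for raw in text.splitlines():
        words = raw.split("//", 1)[0].split()  # drop trailing comments, collapse spacing
        if not words:
            continue
        head, rest = words[0], words[1:]
        if head in ("q", "quit", "int", "interface", "ip"):
            section = None
        elif head == "ike" and rest and rest[0].startswith("pro"):
            section = "ike_proposal"
        elif head == "ike" and rest and rest[0] == "peer":
            section = "ike_peer"
        elif head == "ipsec":  # "ipsec policy ..." lines are not compared here
            section = "ipsec_proposal" if rest and rest[0].startswith("pro") else None
        elif head == "acl":
            section = "acl"
        elif section == "acl" and head.startswith("ru"):
            cfg["acl_rules"].append(parse_rule(words))
        elif section in cfg and rest:
            key, value = " ".join(words[:-1]), words[-1]
            if key == "dh" and value.startswith("group"):  # "dh group14" == "dh group 14"
                key, value = "dh group", value[len("group"):]
            cfg[section][key] = value
    return cfg


def check_peers(a, b):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    for sec in ("ike_proposal", "ipsec_proposal"):
        for key in sorted(set(a[sec]) | set(b[sec])):
            if a[sec].get(key) != b[sec].get(key):
                problems.append(f"{sec}: {key} = {a[sec].get(key)} vs {b[sec].get(key)}")
    pa, pb = a["ike_peer"], b["ike_peer"]
    if pa.get("pre-shared-key cipher") != pb.get("pre-shared-key cipher"):
        problems.append("ike_peer: pre-shared keys differ")
    for mine, theirs in ((pa, pb), (pb, pa)):  # local-address is optional on VRP
        if theirs.get("local-address") and mine.get("remote-address") != theirs["local-address"]:
            problems.append("ike_peer: remote-address does not match the peer's local-address")
    mirrored = {(r["dst"], r["src"]) for r in b["acl_rules"] if r["action"] == "permit"}
    for r in a["acl_rules"]:
        if r["action"] == "permit" and (r["src"], r["dst"]) not in mirrored:
            problems.append(f"acl: {r['src'][0]} -> {r['dst'][0]} has no mirror rule on the peer")
    return problems


if __name__ == "__main__":
    print("R1 <-> R2:", check_peers(parse_vrp(R1_CONFIG), parse_vrp(R2_CONFIG)) or "OK")
    for p in check_peers(parse_vrp(R1_CONFIG), parse_vrp(R2_BROKEN)):
        print("R1 <-> broken R2:", p)
```

Paste the output of `display current-configuration` from each router into the two strings to check a real lab; the parser only looks at the views that must agree, so the interface, route and policy sections pass through untouched.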
