Network diagram
Lab requirements
Establish an IPsec VPN between R1 and R2; the IPsec VPN protects the traffic between PC1 and the server.
Approach
1. Configure the PC and server gateways on the two routers
2. Configure the VPN
(1) IKE proposal
(2) IKE peer
(3) IPsec proposal (IPsec parameters)
(4) ACL defining the traffic to protect
(5) IPsec policy
(6) Apply the policy on the interface
Gateway configuration
R1
<Huawei>un ter mon
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip ad 20.1.1.1 24 // public-facing interface towards R2; the IPsec policy is applied here later
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip ad 192.168.1.1 24 // LAN-side gateway for PC1
R2
<Huawei>un ter mon
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip ad 20.1.1.2 24 // public-facing interface towards R1; the IPsec policy is applied here later
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip ad 192.168.2.1 24 // LAN-side gateway for the server
IKE proposal (phase 1; must be identical on both routers)
R1
[R1]ike pro 1
[R1-ike-proposal-1]encryption-algorithm aes-cbc-128 // encryption algorithm
[R1-ike-proposal-1]authentication-method pre-share // authentication method (pre-shared key)
[R1-ike-proposal-1]authentication-algorithm sha1 // integrity (authentication) algorithm
[R1-ike-proposal-1]dh group14
[R1-ike-proposal-1]q
R2
[R2]ike pro 1
[R2-ike-proposal-1]encryption-algorithm aes-cbc-128
[R2-ike-proposal-1]authentication-algorithm sha1
[R2-ike-proposal-1]authentication-method pre-share
[R2-ike-proposal-1]dh group14
[R2-ike-proposal-1]q
IKE peer
R1
[R1]ike peer R2 v1
[R1-ike-peer-R2]exchange-mode main
[R1-ike-peer-R2]remote-address 20.1.1.2
[R1-ike-peer-R2]local-address 20.1.1.1
[R1-ike-peer-R2]pre-shared-key cipher huawei@123
[R1-ike-peer-R2]ike-proposal 1
[R1-ike-peer-R2]q
R2
[R2]ike peer R1 v1
[R2-ike-peer-R1]ike-pro 1
[R2-ike-peer-R1]remote-address 20.1.1.1
[R2-ike-peer-R1]local-address 20.1.1.2
[R2-ike-peer-R1]pre-shared-key cipher huawei@123
[R2-ike-peer-R1]q
IPsec proposal (phase 2; must be identical on both routers)
R1
[R1]ipsec prop 1
[R1-ipsec-proposal-1]encapsulation-mode tunnel
[R1-ipsec-proposal-1]transform esp
[R1-ipsec-proposal-1]esp authentication-algorithm sha1
[R1-ipsec-proposal-1]esp encryption-algorithm aes-128
[R1-ipsec-proposal-1]q
R2
[R2]ipsec prop 1
[R2-ipsec-proposal-1]encapsulation-mode tunnel
[R2-ipsec-proposal-1]transform esp
[R2-ipsec-proposal-1]esp encryption-algorithm aes-128
[R2-ipsec-proposal-1]esp authentication-algorithm sha1
[R2-ipsec-proposal-1]q
ACL defining the traffic to protect (the two rules must be mirror images of each other)
R1
[R1]acl 3000
[R1-acl-adv-3000]ru per ip so 192.168.1.0 0.0.0.255 de 192.168.2.0 0.0.0.255
[R1-acl-adv-3000]q
R2
[R2]acl 3000
[R2-acl-adv-3000]ru per ip so 192.168.2.0 0.0.0.255 de 192.168.1.0 0.0.0.255
[R2-acl-adv-3000]q
IPsec policy
R1
[R1]ipsec policy ipsec 1 isakmp
[R1-ipsec-policy-isakmp-ipsec-1]proposal 1
[R1-ipsec-policy-isakmp-ipsec-1]security acl 3000
[R1-ipsec-policy-isakmp-ipsec-1]ike-peer R2
R2
[R2]ipsec policy ipsec 1 isakmp
[R2-ipsec-policy-isakmp-ipsec-1]security acl 3000
[R2-ipsec-policy-isakmp-ipsec-1]ike-peer R1
[R2-ipsec-policy-isakmp-ipsec-1]pro 1
Apply the policy on the interface (the public-facing interface that carries the IKE local-address, not the LAN side)
R1
[R1-ipsec-policy-isakmp-ipsec-1]int g0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy ipsec
R2
[R2-ipsec-policy-isakmp-ipsec-1]int g0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy ipsec
[R2-GigabitEthernet0/0/0]q
Static routes, forcing the traffic through the IPsec VPN tunnel
R1
[R1]ip route-static 192.168.2.0 24 20.1.1.2
R2
[R2]ip route-static 192.168.1.0 24 20.1.1.1
Ping test and packet capture
Configuration summary
R1
un ter mon
sys
un in en
sysname R1
int g0/0/0
ip ad 20.1.1.1 24
int g0/0/1
ip ad 192.168.1.1 24
q
// IKE proposal (phase 1)
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm sha1
authentication-method pre-share
dh group14
q
// IKE peer
ike peer R2 v1
pre-shared-key cipher Huawei@123
exchange-mode main
remote-address 20.1.1.2
local-address 20.1.1.1
ike-proposal 1
q
// IPsec proposal (phase 2)
ipsec proposal 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
q
acl 3000
rule permit ip so 192.168.1.0 0.0.0.255 de 192.168.2.0 0.0.0.255
q
// IPsec policy
ipsec policy ipsec 1 isakmp
security acl 3000
ike-peer R2
proposal 1 // references IPsec proposal 1
// apply the policy on the interface
int g0/0/0
ipsec policy ipsec
q
// static route: forces traffic for the remote LAN into the IPsec tunnel
ip route-static 192.168.2.0 24 20.1.1.2
R2
un ter mon
sys
un in en
sysname R2
int g0/0/0
ip ad 20.1.1.2 24
int g0/0/1
ip ad 192.168.2.1 24
q
ike proposal 1
encryption-algorithm aes-cbc-128 // must match on both ends
authentication-algorithm sha1
authentication-method pre-share
dh group14
q
ike peer R1 v1
pre-shared-key cipher Huawei@123 // must match on both ends
exchange-mode main
remote-address 20.1.1.1
local-address 20.1.1.2 // (optional)
ike-proposal 1
q
ipsec proposal 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
q
acl 3000
rule permit ip so 192.168.2.0 0.0.0.255 de 192.168.1.0 0.0.0.255
q
ipsec policy ipsec 10 isakmp
security acl 3000
ike-peer R1
proposal 1
int g0/0/0
ipsec policy ipsec
ip route-static 192.168.1.0 24 20.1.1.1
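The step-by-step session and the configuration summary above both depend on the two routers agreeing on every IKE and IPsec parameter, on the peer addresses and ACL rules being mirror images, and on the policy sitting on the public-facing interface. The following script is an added example, not part of this lab or of Huawei's tooling: it parses two VRP configs in the full-form layout that `display current-configuration` prints (the sample text is constructed from this lab's values; the pre-shared key is left out because its saved form is cipher text and cannot be compared across devices) and reports those mismatches, including the policy bound to the LAN port instead of the WAN port.

```python
"""Consistency check for a pair of Huawei VRP site-to-site IKE/IPsec configs
(added example, not part of the lab); flags the mismatches that stop the tunnel."""
import re

IKE_KEYS = ["encryption-algorithm", "authentication-algorithm", "authentication-method", "dh"]
IPSEC_KEYS = ["encapsulation-mode", "transform", "esp authentication-algorithm", "esp encryption-algorithm"]
PEER_KEYS = ["exchange-mode", "remote-address", "local-address"]
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")

def lab_config(peer, wan_ip, lan_ip, lan_net, remote_wan, remote_net,
               policy_if="GigabitEthernet0/0/0"):
    """Constructed config text (full-form `display current-configuration` layout) with this
    lab's values; policy_if picks the port that binds the policy. PSK omitted (saved as cipher text)."""
    def bind(name):
        return " ipsec policy ipsec\n" if name == policy_if else ""
    return (
        f"interface GigabitEthernet0/0/0\n ip address {wan_ip} 255.255.255.0\n{bind('GigabitEthernet0/0/0')}"
        f"interface GigabitEthernet0/0/1\n ip address {lan_ip} 255.255.255.0\n{bind('GigabitEthernet0/0/1')}"
        f"acl number 3000\n rule 5 permit ip source {lan_net} 0.0.0.255 destination {remote_net} 0.0.0.255\n"
        "ike proposal 1\n encryption-algorithm aes-cbc-128\n authentication-algorithm sha1\n"
        " authentication-method pre-share\n dh group14\n"
        f"ike peer {peer} v1\n exchange-mode main\n remote-address {remote_wan}\n local-address {wan_ip}\n"
        " ike-proposal 1\nipsec proposal 1\n encapsulation-mode tunnel\n transform esp\n"
        " esp authentication-algorithm sha1\n esp encryption-algorithm aes-128\n"
        f"ipsec policy ipsec 1 isakmp\n security acl 3000\n ike-peer {peer}\n proposal 1\n"
        f"ip route-static {remote_net} 255.255.255.0 {remote_wan}\n"
    )

R1_CFG = lab_config("R2", "20.1.1.1", "192.168.1.1", "192.168.1.0", "20.1.1.2", "192.168.2.0")
R2_CFG = lab_config("R1", "20.1.1.2", "192.168.2.1", "192.168.2.0", "20.1.1.1", "192.168.1.0")
# R2 with the policy on the LAN port: the slip a hand-typed session can easily make.
R2_BAD_CFG = lab_config("R1", "20.1.1.2", "192.168.2.1", "192.168.2.0", "20.1.1.1", "192.168.1.0",
                        policy_if="GigabitEthernet0/0/1")

def parse_blocks(cfg):
    """Group the config into (header, [stripped indented child lines]) pairs."""
    blocks = []
    for raw in (line for line in cfg.splitlines() if line.strip()):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def find(blocks, prefix):
    """Header and body of the first block whose header starts with prefix."""
    return next(((h, b) for h, b in blocks if h.startswith(prefix)), (None, []))

def settings(body, keys):
    """Value after each keyword we care about, e.g. 'dh group14' -> {'dh': 'group14'}."""
    found = {}
    for line in body:
        for key in keys:
            if line.startswith(key + " "):
                found[key] = line[len(key) + 1:].strip()
    return found

def acl_rules(blocks):
    """(source, destination) pairs of the ACL that the isakmp policy references."""
    acl_no = settings(find(blocks, "ipsec policy ")[1], ["security acl"]).get("security acl")
    matches = (RULE_RE.match(rule) for rule in find(blocks, f"acl number {acl_no}")[1])
    return [(m.group(1), m.group(2)) for m in matches if m]

def policy_interfaces(blocks):
    """Interface name -> IPv4 address for every interface that applies the isakmp policy."""
    header, _ = find(blocks, "ipsec policy ")
    policy = header.split()[2] if header else None
    bound = {}
    for hdr, body in blocks:
        if hdr.startswith("interface ") and f"ipsec policy {policy}" in body:
            addr = settings(body, ["ip address"]).get("ip address", "")
            bound[hdr.split()[1]] = addr.split()[0] if addr else None
    return bound

def check_pair(cfg_a, cfg_b, name_a="R1", name_b="R2"):
    """Return human-readable mismatches; an empty list means both ends agree."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    issues = []
    # Phase-1 and phase-2 proposals must be identical on both ends.
    for prefix, keys in (("ike proposal", IKE_KEYS), ("ipsec proposal", IPSEC_KEYS)):
        sa, sb = settings(find(a, prefix)[1], keys), settings(find(b, prefix)[1], keys)
        for key in keys:
            if sa.get(key) != sb.get(key):
                issues.append(f"{prefix} '{key}' differs: {name_a}={sa.get(key)} {name_b}={sb.get(key)}")
    # Peer addresses and the protected-traffic ACLs must mirror each other.
    pa, pb = settings(find(a, "ike peer")[1], PEER_KEYS), settings(find(b, "ike peer")[1], PEER_KEYS)
    if pa.get("remote-address") != pb.get("local-address") or pb.get("remote-address") != pa.get("local-address"):
        issues.append("ike peer remote-address/local-address are not mirror images")
    if {(s, d) for s, d in acl_rules(a)} != {(d, s) for s, d in acl_rules(b)}:
        issues.append("security ACL rules are not mirror images of each other")
    # The policy must sit on the interface that owns the IKE local-address (the WAN port).
    for name, blocks, peer in ((name_a, a, pa), (name_b, b, pb)):
        bound = policy_interfaces(blocks)
        if not bound:
            issues.append(f"{name}: no interface applies the isakmp policy")
        for ifname, ip in bound.items():
            if ip != peer.get("local-address"):
                issues.append(f"{name}: policy is on {ifname} ({ip}) but the IKE local-address is {peer.get('local-address')}")
    return issues

if __name__ == "__main__":
    print("R1 vs R2:", check_pair(R1_CFG, R2_CFG) or "no mismatches")
    print("R1 vs bad R2:", check_pair(R1_CFG, R2_BAD_CFG))
```

Feed it the saved configs of both routers before bringing the tunnel up; a clean pair returns no issues, while a policy applied to the LAN port, or a `dh` group that differs between the two IKE proposals, is reported with the router and the value on each side.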