[Huawei]sy R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.10.10.254 255.255.255.0
Aug 1 2023 09:37:19-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 45.1.1.1 255.255.255.0
Aug 1 2023 09:37:49-08:00 R1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[R1]ip route-static 20.20.20.0 255.255.255.0 45.1.1.5
[R1]ip route-static 56.1.1.0 255.255.255.0 45.1.1.5
[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 45.1.1.5 24
Aug 1 2023 09:42:53-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 56.1.1.1 24
Aug 1 2023 09:43:17-08:00 R2 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[R2-GigabitEthernet0/0/1]
[Huawei]sy R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 56.1.1.6 255.255.255.0
Aug 1 2023 09:43:54-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 20.20.20.254 255.255.255.0
Aug 1 2023 09:44:37-08:00 R3 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
on the interface GigabitEthernet0/0/1 has entered the UP state.
[R3-GigabitEthernet0/0/1]q
[R3]ip route-static 10.10.10.0 255.255.255.0 56.1.1.1
[R3]ip route-static 45.1.1.0 255.255.255.0 56.1.1.1
[R3]
Use an advanced IP ACL on R1 and R3 to define the traffic that must go through the IPsec VPN
[R1]acl 3010
[R1-acl-adv-3010]rule permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
[R1-acl-adv-3010]rule 10 deny ip
[R3]acl 3020
[R3-acl-adv-3020]rule permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[R3-acl-adv-3020]rule deny ip
[R3-acl-adv-3020]
Configure the IPSec security proposal on R1 and R3
[R1]ipsec proposal huawei20
[R1-ipsec-proposal-huawei20]encapsulation-mode tunnel
[R1-ipsec-proposal-huawei20]transform esp
[R1-ipsec-proposal-huawei20]esp authentication-algorithm sha1
[R1-ipsec-proposal-huawei20]esp authentication-algorithm sha2-256
[R1-ipsec-proposal-huawei20]esp encryption-algorithm aes-128
[R3]ipsec proposal huawei10
[R3-ipsec-proposal-huawei10]encapsulation-mode tunnel
[R3-ipsec-proposal-huawei10]transform esp
[R3-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256
[R3-ipsec-proposal-huawei10]esp encryption-algorithm aes-128
[R3-ipsec-proposal-huawei10]
View the security proposals:
[R1]display ipsec proposal
Number of proposals: 1
IPSec proposal name: huawei20
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
[R1]
[R3]display ipsec proposal
Number of proposals: 1
IPSec proposal name: huawei10
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
Create the IKE security proposal on R1 and R3
[R1]ike proposal 20
[R1-ike-proposal-20]authentication-algorithm sha1
[R1-ike-proposal-20]authentication-method pre-share
[R1-ike-proposal-20]encryption-algorithm aes-cbc-128
[R1-ike-proposal-20]q
[R1]
[R3]ike proposal 20
[R3-ike-proposal-20]authentication-algorithm sha1
[R3-ike-proposal-20]authentication-method pre-share
[R3-ike-proposal-20]encryption-algorithm aes-cbc-128
[R3-ike-proposal-20]q
[R3]
Create the IKE peers on R1 and R3
[R1]ike peer huawei20 v1
[R1-ike-peer-huawei20]ike-proposal 20
[R1-ike-peer-huawei20]pre-shared-key cipher huawei
[R1-ike-peer-huawei20]remote-address 56.1.1.6
[R1-ike-peer-huawei20]
[R3]ike peer huawei10 v1
[R3-ike-peer-huawei10]ike-proposal 20
[R3-ike-peer-huawei10]pre-shared-key cipher huawei
[R3-ike-peer-huawei10]re-authentication
[R3-ike-peer-huawei10]remote-address 45.1.1.1
[R3-ike-peer-huawei10]q
Configure the IPSec policy on R1 and R3
[R1]ipsec policy hw 10 isakmp
[R1-ipsec-policy-isakmp-hw-10]ike-peer huawei20
[R1-ipsec-policy-isakmp-hw-10]security acl 3010
[R1-ipsec-policy-isakmp-hw-10]proposal huawei20
[R1-ipsec-policy-isakmp-hw-10]
[R3]ipsec policy hw2 10 isakmp
[R3-ipsec-policy-isakmp-hw2-10]ike-peer huawei10
[R3-ipsec-policy-isakmp-hw2-10]security acl 3020
[R3-ipsec-policy-isakmp-hw2-10]proposal huawei10
[R3-ipsec-policy-isakmp-hw2-10]q
Apply the IPSec security policy on R1 and R3
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ipsec policy hw
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy hw2
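
An added example, not part of the original session: a Python check that the two peers' settings agree (mirrored ACLs, identical ESP and IKE algorithms, the same pre-shared key, and each remote-address pointing at the other side's interface address). The function names `parse` and `mismatches` and the prompt-stripped input format are assumptions made for this example.

```python
import re

# Constructed input: the page's R1 and R3 commands with the CLI prompts stripped.
R1 = """\
ip add 45.1.1.1 255.255.255.0
rule permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
esp authentication-algorithm sha1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
authentication-algorithm sha1
encryption-algorithm aes-cbc-128
pre-shared-key cipher huawei
remote-address 56.1.1.6
"""
R3 = """\
ip add 56.1.1.6 255.255.255.0
rule permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
authentication-algorithm sha1
encryption-algorithm aes-cbc-128
pre-shared-key cipher huawei
remote-address 45.1.1.1
"""

def parse(cfg):
    """Extract what both peers must agree on; a repeated command overrides, so keep the last."""
    grab = lambda pat: re.findall(pat, cfg, re.M)
    return {
        "acl": grab(r"^rule permit ip source (\S+ \S+) destination (\S+ \S+)"),
        "esp": grab(r"^esp authentication-algorithm (\S+)")[-1:]
               + grab(r"^esp encryption-algorithm (\S+)")[-1:],
        "ike": grab(r"^authentication-algorithm (\S+)")[-1:]
               + grab(r"^encryption-algorithm (\S+)")[-1:],
        "psk": grab(r"^pre-shared-key cipher (\S+)")[-1:],
        "remote": grab(r"^remote-address (\S+)"),
        "local": grab(r"^ip add\S* (\S+)"),
    }

def mismatches(a, b):
    """List every setting that would keep peers a and b from building the tunnel."""
    pa, pb = parse(a), parse(b)
    out = [k for k in ("esp", "ike", "psk") if pa[k] != pb[k]]
    if pa["acl"] != [(dst, src) for src, dst in pb["acl"]]:
        out.append("acl")  # protected flows must be exact mirrors of each other
    if not (set(pa["remote"]) <= set(pb["local"]) and set(pb["remote"]) <= set(pa["local"])):
        out.append("remote-address")
    return out

print(mismatches(R1, R3))
```

An empty list means the two sides agree on every checked setting; any name in the list identifies the setting to compare by hand.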