H3C-×××的配置

最新推荐文章于 2024-03-09 17:15:50 发布

weixin_34259559

最新推荐文章于 2024-03-09 17:15:50 发布

阅读量83

点赞数

原文链接：http://blog.51cto.com/oraclong/668386

版权

H3C-×××的配置

拓扑图

配置IP地址
<R1>system-view

[R1]interface e0/1

[R1-Ethernet0/1]ip address 192.168.100.254 255.255.255.0

[R1]interface e0/0

[R1-Ethernet0/0]ip address 192.168.13.1 255.255.255.0

<R2>system-view

[R2]interface e0/1

[R2-Ethernet0/1]ip address 192.168.200.254 255.255.255.0

[R2]interface e0/0

[R2-Ethernet0/0]ip address 192.168.23.2 255.255.255.0

<R3>system-view

[R3]interface e0/0

[R3-Ethernet0/0]ip address 192.168.13.3 255.255.255.0

[R3]interface e0/1

[R3-Ethernet0/1]ip address 192.168.23.3 255.255.255.0

PC1的设置

PC2的设置
配置手工方式的Tunnel
[R1]acl 3000

[R1-acl-3000]rule permit ip source 192.168.100.1 0.0.0.255 destination 192.168.200.2 0.0.0.255

[R1-acl-3000]rule deny ip source any destination any

[R1-acl-3000]quit

//创建访问规则

[R1]ipsec proposal trans1

[R1-ipsec-proposal-trans1]encapsulation-mode tunnel

[R1-ipsec-proposal-trans1]transform esp-new

[R1-ipsec-proposal-trans1]esp-new authentication md5-hmac-96

[R1-ipsec-proposal-trans1]esp-new encryption-algorithm des

[R1-ipsec-proposal-trans1]quit

//创建提议，以及对提议的加密、认证方式

[R1]ipsec policy p1 100 manual

[R1-ipsec-policy-p1-100]security acl 3000

[R1-ipsec-policy-p1-100]proposal trans1

[R1-ipsec-policy-p1-100]tunnel local 192.168.13.1

[R1-ipsec-policy-p1-100]tunnel remote 192.168.23.2

[R1-ipsec-policy-p1-100]sa inbound esp spi 123456

[R1-ipsec-policy-p1-100]sa inbound esp string-key asdf

[R1-ipsec-policy-p1-100]sa outbound esp spi 654321

[R1-ipsec-policy-p1-100]sa outbound esp string-key fdsa

[R1-ipsec-policy-pl -100]quit

//创建策略，包含上述提议，该策略将应用于Tunnel中，需要注意的是Tunnel两端的路由器策略配置，R1中的tunnel local地址是R2的tunnel remote， inbound是R2的outbound。

[R1]interface e0/0

[R1-Ethernet0/0]ipsec policy p1

//在出口上应用策略

[R2]acl 3001

[R2-acl-3001]rule permit ip source 192.168.200.2 0.0.0.255 destination 192.168.100.1 0.0.0.255

[R2-acl-3001]rule deny ip source any destination any

[R2-acl-3001]quit

//创建访问规则

[R2]ipsec proposal trans2

[R2-ipsec-proposal-trans2]encapsulation-mode tunnel

[R2-ipsec-proposal-trans2]transform esp-new

[R2-ipsec-proposal-trans2]esp-new authentication md5-hmac-96

[R2-ipsec-proposal-trans2]esp-new encryption-algorithm des

[R2-ipsec-proposal-trans2]quit

//创建提议，以及对提议的加密、认证方式

[R2]ipsec policy p2 200 manual

[R2-ipsec-policy-p2-200]security acl 3001

[R2-ipsec-policy-p2-200]proposal trans2

[R2-ipsec-policy-p2-200]tunnel local 192.168.23.2

[R2-ipsec-policy-p2-200]tunnel remote 192.168.13.1

[R2-ipsec-policy-p2-200]sa inbound esp spi 654321

[R2-ipsec-policy-p2-200]sa inbound esp string-key fdsa

[R2-ipsec-policy-p2-200]sa outbound esp spi 123456

[R2-ipsec-policy-p2-200]sa outbound esp string-key asdf

[R2-ipsec-policy-p2-200]quit

[R2]interface e0/0
[R2-Ethernet0/0]ipsec policy p2
在Tunnel两端的路由器上各添加一条默认路由，是内网地址能够和外部连接。
ip route-static 0.0.0.0 0.0.0.0 192.168.13.3 preference 60 //R1上的默认路由

ip route-static 0.0.0.0 0.0.0.0 192.168.23.3 preference 60 //R2上的默认路由
查看Tunnel状态，以及PC1和PC2之间的连通性。
ipsec policy name: p1

ipsec policy sequence: 100

negotiation mode: manual

security acl: 3000

local address: 192.168.13.1

remote address: 192.168.23.2

proposal name: trans1

esp(inbound) setting:

   esp spi: 654321 (0x9fbf1)

   esp string-key: fdsa

   esp encryption-hex:

   esp authen-hex:

esp(outbound) setting:

   esp spi: 123456 (0x1e240)

   esp string-key: asdf

   esp encryption-hex:

   esp authen-hex:

OutBound SA has been established.

InBound SA has been established.

//路由器R1端的Tunnel状态

ipsec policy name: p2

ipsec policy sequence: 200

negotiation mode: manual

security acl: 3001

local address: 192.168.23.2

remote address: 192.168.13.1

proposal name: trans2

esp(inbound) setting:

esp spi: 123456 (0x1e240)

esp string-key: asdf

esp encryption-hex:

esp authen-hex:

esp(outbound) setting:

esp spi: 654321 (0x9fbf1)

esp string-key: fdsa

esp encryption-hex:

esp authen-hex:

OutBound SA has been established.

InBound SA has been established.

//路由器R2端的Tunnel状态

//在PC1上pingPC2

正在 Ping 192.168.200.2 具有 32 字节的数据:

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254
配置自动方式的Tunnel。
[R1]ipsec policy p3 300 isakmp

[R1-ipsec-policy-p3-300]security acl 3000

[R1-ipsec-policy-p3-300]proposal trans1

[R1-ipsec-policy-p3-300]tunnel local 192.168.13.1

[R1-ipsec-policy-p3-300]tunnel remote 192.168.23.2

[R1-ipsec-policy-p3-300]quit

[R1]ike pre-shared-key 12345 remote 192.168.23.2

[R1]interface e0/0

[R1-Ethernet0/0]ipsec policy p3

//提议和手工方式一样，策略修改为自动方式的，而且共享密钥的设置，Tunnel两端要一致。

[R2]ipsec policy p4 400 isakmp

[R2-ipsec-policy-p4-400]security acl 3001

[R2-ipsec-policy-p4-400]proposal trans2

[R2-ipsec-policy-p4-400]tunnel local 192.168.23.2

[R2-ipsec-policy-p4-400]tunnel remote 192.168.13.1

[R2-ipsec-policy-p4-400]quit

[R2]ike pre-shared-key 12345 remote 192.168.13.1

[R2]interface e0/0

[R2-Ethernet0/0]ipsec policy p4
Tunnel状态以及PC1和PC2之间的连通性。
ipsec policy name: p3

ipsec policy sequence: 300

negotiation mode: isakmp

security acl: 3000

remote address 0: 192.168.23.2

Proposal name: trans1

ipsec sa duration: 3600 seconds

ipsec sa duration: 1843200 kilobytes

OutBound SA has been established.

InBound SA has been established.

//路由器R1端的Tunnel状态

ipsec policy name: p4

ipsec policy sequence: 400

negotiation mode: isakmp

security acl: 3001

remote address 0:192.168.13.1

Proposal name: trans2

ipsec sa duration: 3600 seconds

ipsec sa duration: 1843200 kilobytes

OutBound SA has been established.

InBound SA has been established.
//路由器R2端的Tunnel状态
正在 Ping 192.168.200.2 具有 32 字节的数据:

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254

//从PC1 ping PC2的情况

转载于:https://blog.51cto.com/oraclong/668386

weixin_34259559

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
H3C-×××的配置

H3C-×××的配置拓扑图配置IP地址 <R1>system-view [R1]interface e0/1 [R1-Ethernet0/1]ip address 192.168.100.254 255.255.255.0 [R1]interface e0/0 [R1-Ethernet0/0...
复制链接

扫一扫