IPSec简单实验-手工建立

底层

RA：
interface GigabitEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
 
ip route-static 0.0.0.0 0.0.0.0 1.1.1.100

RB:
interface GigabitEthernet0/0/0
 ip address 2.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.254 255.255.255.0 

ip route-static 0.0.0.0 0.0.0.0 2.1.1.100

INTERNET:

vlan batch 10 20

interface Vlanif10
 ip address 1.1.1.100 255.255.255.0
#
interface Vlanif20
 ip address 2.1.1.100 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

手工建立IPSEC

RA：
建立PCA-PCB的感兴趣流

acl number 3001  
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 

设置ipsec安全提议，封装和认证

ipsec proposal TRAN
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128

设置安全策略

ipsec policy MAP 10 manual
 security acl 3001
 proposal TRAN                            
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei

端口引用

interface GigabitEthernet0/0/1 
 ipsec policy MAP
q

RB：
建立PCB-PCA的感兴趣流

acl number 3001  
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 

设置ipsec安全提议，封装和认证

ipsec proposal TRAN
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128

设置安全策略

ipsec policy MAP 10 manual
 security acl 3001
 proposal TRAN                            
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 54321
 sa string-key outbound esp cipher huawei

端口引用

interface GigabitEthernet0/0/0 
 ipsec policy MAP
q

注意policy中inbound和outbound对应