Establishing an IPSec tunnel manually
R1 is the egress router of the enterprise head office and R2 is the egress router of a branch; the head office and the branch communicate over the public network.
The enterprise wants the traffic exchanged between the head-office subnet and the branch subnet to be protected. Because the two sites reach each other over the public network, an IPSec tunnel can be set up between the head-office egress gateway and the branch egress gateway to provide that protection.
****************** R1 enterprise head office ************
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-head-office
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ip addr 1.1.1.1 24
[R1-head-office-GigabitEthernet0/0/0]int gi 0/0/1
[R1-head-office-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[R1-head-office-GigabitEthernet0/0/1]
[R1-head-office-GigabitEthernet0/0/1]q
[R1-head-office]ospf 1 router-id 1.1.1.1
[R1-head-office-ospf-1]area 0 // OSPF is configured here only to simulate public-network reachability in the lab; a real deployment does not need this, a static route is enough
[R1-head-office-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]q
[R1-head-office-ospf-1]q
[R1-head-office]acl 3101 // configure ACL 3101 to match traffic from the head-office subnet to the branch subnet
[R1-head-office-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-head-office-acl-adv-3101]ipsec proposal tran1 // configure the IPSec proposal
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-proposal-tran1]q
[R1-head-office]ipsec policy map1 10 manual // configure a manual-mode IPSec policy
[R1-head-office-ipsec-policy-manual-map1-10]security acl 3101
[R1-head-office-ipsec-policy-manual-map1-10]proposal tran1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel local 1.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel remote 2.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei // configure the authentication key of the inbound SA
[R1-head-office-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei // configure the authentication key of the outbound SA
[R1-head-office-ipsec-policy-manual-map1-10]q
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ipsec policy map1 // bind the IPSec policy to the public-network egress interface
[R1-head-office-GigabitEthernet0/0/0]
****************** R2 enterprise branch ************
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-office-other
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ip addr 2.1.1.1 24
[R2-office-other-GigabitEthernet0/0/0]int gi 0/0/1
[R2-office-other-GigabitEthernet0/0/1]ip addr 10.1.2.1 24
[R2-office-other-GigabitEthernet0/0/1]
[R2-office-other-GigabitEthernet0/0/1]q
[R2-office-other]ospf 1 router-id 2.2.2.2
[R2-office-other-ospf-1]area 0
[R2-office-other-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]q
[R2-office-other-ospf-1]q
[R2-office-other]
[R2-office-other]acl 3101
[R2-office-other-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-other-acl-adv-3101]q
[R2-office-other]ipsec proposal tran1
[R2-office-other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-other-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-office-other-ipsec-proposal-tran1]q
[R2-office-other]ipsec policy use1 10 manual
[R2-office-other-ipsec-policy-manual-use1-10]security acl 3101
[R2-office-other-ipsec-policy-manual-use1-10]proposal tran1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel local 2.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel remote 1.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]q
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ipsec policy use1
[R2-office-other-GigabitEthernet0/0/0]dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "use1"
Sequence number : 10
Acl Group : 3101
Acl rule : 0
Mode : Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 2.1.1.1
Tunnel remote : 1.1.1.1
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
[Inbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
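With manual SAs nothing negotiates the parameters, so a tunnel only works when the two policies are exact mirrors of each other: R1's inbound SPI and key must equal R2's outbound SPI and key (and vice versa), and the tunnel local/remote addresses must be swapped. The following script is an added example, not part of the walkthrough or of Huawei's tooling; it parses the two manual policies above (the policy lines are copied from the walkthrough and embedded as constructed text) and reports any pairing mismatch, plus simple string-key hygiene warnings. The parser, the function names and the `min_len=16` threshold are assumptions of this example.

```python
import re

# Constructed excerpts of the two manual policies from the walkthrough (R1 and R2).
R1_POLICY = """\
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei
"""

R2_POLICY = """\
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei
 sa spi outbound esp 54321
 sa string-key outbound esp cipher huawei
"""


def parse_manual_policy(text):
    """Parse a VRP-style manual IPSec policy block into a flat dict (hypothetical parser)."""
    policy = {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ipsec", "policy"]:
            policy["name"], policy["seq"], policy["mode"] = tok[2], tok[3], tok[4]
        elif tok[:2] == ["security", "acl"]:
            policy["acl"] = tok[2]
        elif tok[0] == "proposal":
            policy["proposal"] = tok[1]
        elif tok[0] == "tunnel":                      # tunnel local|remote <ip>
            policy["tunnel_" + tok[1]] = tok[2]
        elif tok[:2] == ["sa", "spi"]:                # sa spi inbound|outbound esp <spi>
            policy["spi_" + tok[2]] = int(tok[4])
        elif tok[:2] == ["sa", "string-key"]:         # sa string-key inbound|outbound esp cipher <key>
            policy["key_" + tok[2]] = tok[5]
    return policy


def check_pairing(a, b):
    """Return a list of reasons the two manual policies would not form a working tunnel."""
    issues = []
    if a.get("mode") != "manual" or b.get("mode") != "manual":
        issues.append("both policies must be manual mode")
    if a.get("tunnel_local") != b.get("tunnel_remote"):
        issues.append(f"A local {a.get('tunnel_local')} != B remote {b.get('tunnel_remote')}")
    if a.get("tunnel_remote") != b.get("tunnel_local"):
        issues.append(f"A remote {a.get('tunnel_remote')} != B local {b.get('tunnel_local')}")
    # Each side's inbound SA is the other side's outbound SA: SPI and key must match crosswise.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.get("spi_" + mine) != b.get("spi_" + theirs):
            issues.append(f"A {mine} SPI {a.get('spi_' + mine)} != B {theirs} SPI {b.get('spi_' + theirs)}")
        if a.get("key_" + mine) != b.get("key_" + theirs):
            issues.append(f"A {mine} key != B {theirs} key")
    # Proposal names are local to each router, so they are not compared here; the
    # algorithms inside the proposal views would need to be parsed separately.
    return issues


def key_hygiene_warnings(policy, min_len=16):
    """Warn about weak manual string-keys (min_len is an assumption of this example)."""
    warnings = []
    kin, kout = policy.get("key_inbound", ""), policy.get("key_outbound", "")
    if kin and kin == kout:
        warnings.append("same string-key used for inbound and outbound SAs")
    for direction, key in (("inbound", kin), ("outbound", kout)):
        if len(key) < min_len or not re.search(r"\d", key):
            warnings.append(f"{direction} string-key is short or has no digits ({len(key)} chars)")
    return warnings


if __name__ == "__main__":
    r1, r2 = parse_manual_policy(R1_POLICY), parse_manual_policy(R2_POLICY)
    print("pairing issues:", check_pairing(r1, r2) or "none")
    print("R1 key warnings:", key_hygiene_warnings(r1))
```

Run against the walkthrough's two policies the pairing check is clean, while the key hygiene check flags that the same short key `huawei` is used in both directions; flipping a single SPI on one side reproduces the most common manual-SA misconfiguration and the script reports the crosswise mismatch.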