IPSec Tunnel Configuration Lab (Manual Mode)

Lab objective:

Establish an IPSec tunnel using manual keying (SPIs and keys are configured statically on both gateways; there is no IKE negotiation)

Network requirements:

R1 is the egress router of the enterprise head office and R2 is the egress router of the branch office; the two sites communicate over the public network.

The enterprise wants the traffic exchanged between the head-office subnet and the branch subnet to be protected. Since the two sites communicate over the public network, this can be done by building an IPSec tunnel between the head-office egress gateway and the branch egress gateway.

Configuration steps:

******************R1 enterprise head office************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-head-office
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ip addr 1.1.1.1 24
[R1-head-office-GigabitEthernet0/0/0]int gi 0/0/1
[R1-head-office-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[R1-head-office-GigabitEthernet0/0/1]
[R1-head-office-GigabitEthernet0/0/1]q
[R1-head-office]ospf 1 router-id 1.1.1.1
[R1-head-office-ospf-1]area 0                                      //OSPF is only used here to simulate public-network reachability in the lab; in a real deployment this is not done, a static route toward the peer gateway is enough
[R1-head-office-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]q
[R1-head-office-ospf-1]q

[R1-head-office]acl 3101                       //ACL 3101 selects the traffic to protect: head-office subnet to branch subnet
[R1-head-office-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-head-office-acl-adv-3101]ipsec proposal tran1     //configure the IPSec proposal (the ESP algorithms)
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-proposal-tran1]q
[R1-head-office]ipsec policy map1 10 manual                        //configure the security policy in manual mode
[R1-head-office-ipsec-policy-manual-map1-10]security acl 3101
[R1-head-office-ipsec-policy-manual-map1-10]proposal tran1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel local 1.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel remote 2.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]sa spi inbound esp 54321          //inbound SPI; must equal the outbound SPI configured on R2
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei         //key string for the inbound SA (the device derives the ESP authentication and encryption keys from it); must equal R2's outbound key string
[R1-head-office-ipsec-policy-manual-map1-10]sa spi outbound esp 12345         //outbound SPI; must equal the inbound SPI configured on R2
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei       //key string for the outbound SA; must equal R2's inbound key string
[R1-head-office-ipsec-policy-manual-map1-10]q
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ipsec policy map1                                    //apply the IPSec policy on the public-facing interface
[R1-head-office-GigabitEthernet0/0/0]

******************R2 enterprise branch************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-office-other
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ip addr 2.1.1.1 24
[R2-office-other-GigabitEthernet0/0/0]int gi 0/0/1
[R2-office-other-GigabitEthernet0/0/1]ip addr 10.1.2.1 24
[R2-office-other-GigabitEthernet0/0/1]
[R2-office-other-GigabitEthernet0/0/1]q
[R2-office-other]ospf 1 router-id 2.2.2.2
[R2-office-other-ospf-1]area 0
[R2-office-other-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]q
[R2-office-other-ospf-1]q
[R2-office-other]
[R2-office-other]acl 3101
[R2-office-other-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-other-acl-adv-3101]q
[R2-office-other]ipsec proposal tran1
[R2-office-other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-other-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-office-other-ipsec-proposal-tran1]q

[R2-office-other]ipsec policy use1 10 manual
[R2-office-other-ipsec-policy-manual-use1-10]security acl 3101
[R2-office-other-ipsec-policy-manual-use1-10]proposal tran1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel local 2.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel remote 1.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]sa spi inbound esp 12345          //R2's inbound SPI and key string are R1's outbound ones, and vice versa
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]q
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ipsec policy use1
[R2-office-other-GigabitEthernet0/0/0]dis ipsec sa                       //verify: in manual mode the SAs exist as soon as the policy is applied to the interface, nothing is negotiated

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "use1"
  Sequence number  : 10
  Acl Group        : 3101
  Acl rule         : 0
  Mode             : Manual
  -----------------------------
    Encapsulation mode: Tunnel
    Tunnel local      : 2.1.1.1
    Tunnel remote     : 1.1.1.1
    Qos pre-classify  : Disable

    [Outbound ESP SAs]
      SPI: 54321 (0xd431)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      No duration limit for this SA

    [Inbound ESP SAs]
      SPI: 12345 (0x3039)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      No duration limit for this SA
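Because a manual-mode tunnel has no IKE exchange, nothing tells you when the two ends disagree: a mistyped SPI, a different key string, an ACL that is not the mirror image of the peer's, or a different proposal simply means the peer has no matching SA and the packets are dropped. The Python script below is an added example, not part of the original lab, that reads the two CLI transcripts above and cross-checks them. The function names (`parse_transcript`, `check_pair`, `run_page_example`), the `ManualSa` record, the constructed transcript copies `R1_CLI`/`R2_CLI` and the weak-key heuristic (shorter than 16 characters or letters only) are the example's own assumptions. It checks that each side's inbound SPI and key string equal the other side's outbound ones, that the tunnel endpoints and the ACLs are mirror images, that the proposals agree, that no SPI falls in the reserved 0-255 range (RFC 4303), and it flags the lab's `huawei` key string as weak.

```python
"""Cross-check a manually keyed IPSec tunnel from two Huawei VRP CLI transcripts (added
example, not the lab's own code): nothing is negotiated, so mismatches only drop packets."""
import re
from dataclasses import dataclass, field

PROMPT = re.compile(r"^\s*\[[^\]]*\]")  # "[R1-head-office-...]" view prompt
COMMENT = re.compile(r"\s*//.*$")        # trailing "// ..." lab comment
RULE = re.compile(r"source (\S+) (\S+) destination (\S+) (\S+)")

@dataclass
class ManualSa:
    name: str
    local: str = ""
    remote: str = ""
    rules: list = field(default_factory=list)  # (src, src_wc, dst, dst_wc) of the bound ACL
    prop: dict = field(default_factory=dict)   # esp algorithms of the bound proposal
    spi: dict = field(default_factory=dict)    # "inbound"/"outbound" -> int
    key: dict = field(default_factory=dict)    # "inbound"/"outbound" -> key string

def parse_transcript(name, text):
    """Pick the manual-IPSec commands out of a VRP transcript; prompts and comments are ignored."""
    r, acls, props, cur_acl, cur_prop = ManualSa(name), {}, {}, None, None
    for raw in text.splitlines():
        tok = COMMENT.sub("", PROMPT.sub("", raw)).split()
        if tok[:1] == ["acl"]:
            cur_acl = acls.setdefault(int(tok[1]), [])
        elif tok[:1] == ["rule"] and cur_acl is not None and RULE.search(raw):
            cur_acl.append(RULE.search(raw).groups())
        elif tok[:2] == ["ipsec", "proposal"]:
            cur_prop = props.setdefault(tok[2], {})
        elif tok[:1] == ["esp"] and cur_prop is not None:  # esp authentication-/encryption-algorithm
            cur_prop[tok[1]] = tok[2]
        elif tok[:2] == ["security", "acl"]:  # assumes the ACL was defined earlier, as in the lab
            r.rules = acls.get(int(tok[2]), [])
        elif tok[:1] == ["proposal"]:         # assumes the proposal was defined earlier, as in the lab
            r.prop = props.get(tok[1], {})
        elif tok[:1] == ["tunnel"] and tok[1] in ("local", "remote"):
            setattr(r, tok[1], tok[2])
        elif tok[:2] == ["sa", "spi"]:        # sa spi inbound esp 54321
            r.spi[tok[2]] = int(tok[4])
        elif tok[:2] == ["sa", "string-key"]:  # sa string-key inbound esp cipher <key>
            r.key[tok[2]] = tok[-1]
    return r

def check_pair(a, b):
    """Return findings for the pair; an empty list means the manual SAs line up."""
    f = []
    if (a.local, a.remote) != (b.remote, b.local):
        f.append(f"tunnel endpoints not mirrored: {a.name} {a.local}->{a.remote}, {b.name} {b.local}->{b.remote}")
    # One side's inbound SA (SPI + key string) must be the other side's outbound SA.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.spi.get(mine) != b.spi.get(theirs):
            f.append(f"SPI mismatch: {a.name} {mine} {a.spi.get(mine)} vs {b.name} {theirs} {b.spi.get(theirs)}")
        if a.key.get(mine) != b.key.get(theirs):
            f.append(f"key mismatch: {a.name} {mine} vs {b.name} {theirs}")
    if not a.prop or a.prop != b.prop:
        f.append(f"proposal mismatch: {a.name} {a.prop} vs {b.name} {b.prop}")
    # The protected-traffic ACLs must be mirror images (source and destination swapped).
    if not a.rules or {(d, dw, s, sw) for s, sw, d, dw in a.rules} != set(b.rules):
        f.append(f"protected-traffic ACLs on {a.name} and {b.name} are not mirror images")
    # Hygiene: SPIs 0-255 are reserved (RFC 4303); a short word is a weak key string that never rotates.
    for r in (a, b):
        f += [f"{r.name} {d} SPI {s} is in the reserved range 0-255" for d, s in r.spi.items() if s < 256]
        if any(len(k) < 16 or k.isalpha() for k in r.key.values()):
            f.append(f"{r.name}: key string is short or letters-only; use a long random string")
    return f

# Constructed copies of the policy-relevant lines of the two transcripts above.
R1_CLI = """[R1-head-office]acl 3101                       //head-office -> branch traffic
[R1-head-office-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-head-office-acl-adv-3101]ipsec proposal tran1
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-policy-manual-map1-10]security acl 3101
[R1-head-office-ipsec-policy-manual-map1-10]proposal tran1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel local 1.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel remote 2.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei
[R1-head-office-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei"""
R2_CLI = """[R2-office-other]acl 3101
[R2-office-other-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-other]ipsec proposal tran1
[R2-office-other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-other-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-office-other-ipsec-policy-manual-use1-10]security acl 3101
[R2-office-other-ipsec-policy-manual-use1-10]proposal tran1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel local 2.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel remote 1.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei"""

def run_page_example():
    """Check the lab's own R1/R2 pair; only the weak key string should be reported."""
    return check_pair(parse_transcript("R1", R1_CLI), parse_transcript("R2", R2_CLI))
```

Calling `run_page_example()` on the lab's configuration returns two findings, one per router, about the `huawei` key string and nothing else. Change a single SPI or swap the source and destination of one ACL rule in `R2_CLI` and the corresponding mismatch is reported, which is exactly the feedback the routers themselves do not give in manual mode.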