Manually configuring IPSec AH-ESP authentication and encryption

The lab topology is as follows:


IPSec is configured between FW1 and FW2, using AH-ESP for authentication and encryption.

Key configuration on FW1:

acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec proposal xk
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy map1 10 manual
 security acl 3000
 proposal xk
 tunnel local 1.1.1.1
 tunnel remote 1.1.1.2
 sa spi inbound ah 678  // the AH and ESP SPIs must not be the same; in practice, if this is configured as ah 54321, IPSec does not take effect.
 sa string-key inbound ah %@%@N[vuP^XI)=Bd$x:8b3=>73Li%@%@
 sa spi outbound ah 876 // likewise, this cannot be configured as ah 12345
 sa string-key outbound ah %@%@N4_gA5ncE;PMW0;8%JYPOu4(%@%@
 sa spi inbound esp 54321
 sa string-key inbound esp %@%@v<Y|U<c*vY0cmE>Qg/8Z*[R;%@%@
 sa spi outbound esp 12345
 sa string-key outbound esp %@%@T4P~VpoC[<lTC>:UI)$F61T)%@%@

ip route-static 10.0.0.0 255.255.255.0 1.1.1.2

#
security-policy // policies for all four directions must be configured
 rule name kk
  source-zone untrust
  destination-zone dmz
  action permit
 rule name xu
  source-zone dmz
  destination-zone untrust
  action permit
 rule name untrust_to_local
  source-zone untrust
  destination-zone local
  action permit
 rule name local_to_untrust
  source-zone local
  destination-zone untrust
  action permit
#

Key configuration on FW2:

acl number 3000
 rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal map2
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy use1 10 manual
 security acl 3000
 proposal map2
 tunnel local 1.1.1.2
 tunnel remote 1.1.1.1
 sa spi inbound ah 876
 sa string-key inbound ah %@%@"Vx6-]jc#:VC`EH#^SP!rX`I%@%@
 sa spi outbound ah 678
 sa string-key outbound ah %@%@Lv^.8SpMe.kf;\)"`j_Yo)%X%@%@
 sa spi inbound esp 12345
 sa string-key inbound esp %@%@xGG~8H/AV3a0W!XK)7]Kl#+#%@%@
 sa spi outbound esp 54321
 sa string-key outbound esp %@%@ZG*qGtx=m"72#=Zy8/WX;kP'%@%@
#

ip route-static 192.168.1.0 255.255.255.0 1.1.1.1 // configure routing

security-policy
 rule name xk
  source-zone untrust
  destination-zone dmz
  action permit
 rule name dmz_to_untrust
  source-zone dmz
  destination-zone untrust
  action permit
 rule name untrust_to_loca
  source-zone untrust
  destination-zone local
  action permit
 rule name local_to_untrust
  source-zone local
  destination-zone untrust
  action permit
#
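A manual SA only comes up when the two peers' configurations mirror each other exactly, and the SPI comments above show how easy it is to get one value wrong. The following script is an added example, not part of the original post and not vendor tooling: it parses the FW1 and FW2 snippets (copied here with the string-key lines left out, since the %@%@...%@%@ ciphertext is device-local and cannot be compared between peers, so the keys are assumed to match) and checks that inbound and outbound SPIs cross-match, that AH and ESP SPIs differ in each direction as the post requires, and that the tunnel endpoints and protected ACL subnets are mirrored. The second run deliberately re-creates the ah 54321 mistake described in the comment to show what the check reports.

```python
"""Consistency check for the two manually keyed IPSec (AH-ESP) policies above.
Added example: parses both peers' CLI snippets and verifies the cross-peer
relationships a manual SA depends on. String-key lines are omitted (see lead-in).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed copies of the relevant FW1 and FW2 lines from the post.
FW1_CONFIG = """
acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec policy map1 10 manual
 security acl 3000
 proposal xk
 tunnel local 1.1.1.1
 tunnel remote 1.1.1.2
 sa spi inbound ah 678  // ah and esp SPIs must differ
 sa spi outbound ah 876
 sa spi inbound esp 54321
 sa spi outbound esp 12345
"""

FW2_CONFIG = """
acl number 3000
 rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec policy use1 10 manual
 security acl 3000
 proposal map2
 tunnel local 1.1.1.2
 tunnel remote 1.1.1.1
 sa spi inbound ah 876
 sa spi outbound ah 678
 sa spi inbound esp 12345
 sa spi outbound esp 54321
"""

SPI_RE = re.compile(r"^\s*sa spi (inbound|outbound) (ah|esp) (\d+)")
TUNNEL_RE = re.compile(r"^\s*tunnel (local|remote) (\S+)")
ACL_RE = re.compile(r"^\s*rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


@dataclass
class ManualPolicy:
    tunnel: dict[str, str] = field(default_factory=dict)           # local/remote endpoint
    spi: dict[tuple[str, str], int] = field(default_factory=dict)  # (direction, proto) -> SPI
    acl: list[tuple[str, ...]] = field(default_factory=list)       # (src, wc, dst, wc)


def parse_policy(text: str) -> ManualPolicy:
    """Extract SPIs, tunnel endpoints and protected subnets from a CLI snippet."""
    policy = ManualPolicy()
    for raw in text.splitlines():
        line = raw.split("//", 1)[0]  # strip trailing annotations
        if m := SPI_RE.match(line):
            policy.spi[(m.group(1), m.group(2))] = int(m.group(3))
        elif m := TUNNEL_RE.match(line):
            policy.tunnel[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            policy.acl.append(m.groups())
    return policy


def check_pair(a: ManualPolicy, b: ManualPolicy) -> list[str]:
    """Return a list of findings; an empty list means the two peers agree."""
    findings: list[str] = []
    # 1. Each peer's inbound SPI must equal the other peer's outbound SPI.
    for proto in ("ah", "esp"):
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            if a.spi.get((mine, proto)) != b.spi.get((theirs, proto)):
                findings.append(f"{proto} {mine} SPI {a.spi.get((mine, proto))} on A does not match "
                                f"{theirs} SPI {b.spi.get((theirs, proto))} on B")
    # 2. The post reports the device rejects an AH SPI equal to the ESP SPI
    #    in the same direction, so flag that on each peer.
    for name, p in (("A", a), ("B", b)):
        for direction in ("inbound", "outbound"):
            ah, esp = p.spi.get((direction, "ah")), p.spi.get((direction, "esp"))
            if ah is not None and ah == esp:
                findings.append(f"{name}: {direction} AH and ESP SPIs are identical ({ah})")
    # 3. Tunnel endpoints must mirror each other.
    if a.tunnel.get("local") != b.tunnel.get("remote") or a.tunnel.get("remote") != b.tunnel.get("local"):
        findings.append("tunnel local/remote addresses are not mirrored")
    # 4. The protected-traffic ACLs must be mirror images (src and dst swapped).
    mirrored_b = {(d, dw, s, sw) for (s, sw, d, dw) in b.acl}
    if set(a.acl) != mirrored_b:
        findings.append("protected ACL subnets are not mirrored")
    return findings


if __name__ == "__main__":
    fw1, fw2 = parse_policy(FW1_CONFIG), parse_policy(FW2_CONFIG)
    print("as posted:", check_pair(fw1, fw2) or "consistent")
    # Reproduce the misconfiguration the post warns about: inbound AH SPI 54321.
    broken = parse_policy(FW1_CONFIG.replace("sa spi inbound ah 678", "sa spi inbound ah 54321"))
    for finding in check_pair(broken, fw2):
        print("misconfigured:", finding)
```

Run it against exported configuration from both firewalls before bringing up the tunnel; the same parser works on the running-config output because it ignores every line it does not recognise.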