Building an IPSec tunnel in manual mode
R1 is the enterprise head-office egress router and R2 the branch egress router; the two sites reach each other over the public network.
The enterprise wants the traffic exchanged between the head-office subnet and the branch subnet to be protected. Because that traffic crosses the public network, an IPSec tunnel between the head-office egress gateway and the branch egress gateway provides the protection. In this example the tunnel is keyed manually rather than with IKE: the SPIs, keys and proposal are configured statically on both routers and must mirror each other exactly, and the resulting SAs have no lifetime and are never rekeyed.
******************R1 head office************
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-head-office
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ip addr 1.1.1.1 24
[R1-head-office-GigabitEthernet0/0/0]int gi 0/0/1
[R1-head-office-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[R1-head-office-GigabitEthernet0/0/1]
[R1-head-office-GigabitEthernet0/0/1]q
[R1-head-office]ospf 1 router-id 1.1.1.1
[R1-head-office-ospf-1]area 0 //OSPF is configured only to simulate reachability across the public network in this lab; in a real deployment you would not run OSPF with the ISP, a static (default) route is all that is needed
[R1-head-office-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255 //the private subnet is also advertised over the simulated public network, so routing works with or without IPSec; any inter-site traffic the ACL below does not match travels in the clear
[R1-head-office-ospf-1-area-0.0.0.0]q
[R1-head-office-ospf-1]q
[R1-head-office]acl 3101 //ACL 3101 matches traffic from the head-office subnet to the branch subnet; this is the traffic IPSec will protect
[R1-head-office-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-head-office-acl-adv-3101]ipsec proposal tran1 //IPSec proposal: ESP with AES-128 encryption and SHA2-256 authentication; must be identical on both ends
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-proposal-tran1]q
[R1-head-office]ipsec policy map1 10 manual //security policy in manual mode (no IKE negotiation)
[R1-head-office-ipsec-policy-manual-map1-10]security acl 3101
[R1-head-office-ipsec-policy-manual-map1-10]proposal tran1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel local 1.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel remote 2.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]sa spi inbound esp 54321 //inbound SPI: must equal the branch router's outbound SPI
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei //key for the inbound SA; "cipher" only makes the key appear encrypted in the saved configuration, and a dictionary word like huawei is a weak key, so use a long random string in production
[R1-head-office-ipsec-policy-manual-map1-10]sa spi outbound esp 12345 //outbound SPI: must equal the branch router's inbound SPI
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei //key for the outbound SA: must equal the branch router's inbound key
[R1-head-office-ipsec-policy-manual-map1-10]q
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ipsec policy map1 //bind the IPSec policy to the public-facing egress interface
[R1-head-office-GigabitEthernet0/0/0]
******************R2 branch office************
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-office-other
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ip addr 2.1.1.1 24
[R2-office-other-GigabitEthernet0/0/0]int gi 0/0/1
[R2-office-other-GigabitEthernet0/0/1]ip addr 10.1.2.1 24
[R2-office-other-GigabitEthernet0/0/1]
[R2-office-other-GigabitEthernet0/0/1]q
[R2-office-other]ospf 1 router-id 2.2.2.2
[R2-office-other-ospf-1]area 0
[R2-office-other-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]q
[R2-office-other-ospf-1]q
[R2-office-other]
[R2-office-other]acl 3101
[R2-office-other-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-other-acl-adv-3101]q
[R2-office-other]ipsec proposal tran1
[R2-office-other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-other-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-office-other-ipsec-proposal-tran1]q
[R2-office-other]ipsec policy use1 10 manual
[R2-office-other-ipsec-policy-manual-use1-10]security acl 3101
[R2-office-other-ipsec-policy-manual-use1-10]proposal tran1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel local 2.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel remote 1.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]q
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ipsec policy use1
[R2-office-other-GigabitEthernet0/0/0]dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "use1"
Sequence number : 10
Acl Group : 3101
Acl rule : 0
Mode : Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 2.1.1.1
Tunnel remote : 1.1.1.1
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
[Inbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
No duration limit for this SA
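Because manual mode has no IKE exchange that could negotiate or reject mismatched parameters, the two configurations above must mirror each other exactly: R1's inbound SPI and key are R2's outbound SPI and key, the two ACLs are each other's reverse, the tunnel endpoints are swapped, and the proposal is identical. A mismatch produces no error on either router; ESP packets simply disappear. The following Python script is an added example, not part of the original article and not a Huawei tool: it parses the proposal, ACL rule and `ipsec policy ... manual` lines from both routers and reports every pair that does not mirror, plus two hygiene checks, SPIs in the IANA-reserved range 1-255 (RFC 4303) and key strings shorter than 16 characters (that threshold is an assumption of this example). The embedded configurations are constructed from the R1 and R2 commands shown in this article.

```python
"""Added example: cross-check two manual-mode IPSec policies (Huawei VRP syntax).
Manual keying has no IKE, so mismatched SPIs, keys, proposals or selectors are never
negotiated away; they just make ESP traffic disappear. This checks that both ends mirror."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed from the R1 and R2 commands in this article (head office = A, branch = B).
R1_CONFIG = """
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy map1 10 manual
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei
"""
R2_CONFIG = """
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy use1 10 manual
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
"""


@dataclass
class ManualPolicy:
    acl_src: Optional[str] = None        # "network wildcard" of the protected source
    acl_dst: Optional[str] = None        # "network wildcard" of the protected destination
    auth_alg: Optional[str] = None
    enc_alg: Optional[str] = None
    tunnel_local: Optional[str] = None
    tunnel_remote: Optional[str] = None
    spi: Dict[str, int] = field(default_factory=dict)   # "inbound"/"outbound" -> SPI
    key: Dict[str, str] = field(default_factory=dict)   # "inbound"/"outbound" -> key string


def parse_policy(config: str) -> ManualPolicy:
    """Line-based parser; only the commands that define the SA are recognised, the rest is ignored."""
    p = ManualPolicy()
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()            # drop trailing CLI comments
        if m := re.match(r"rule (?:\d+ )?permit ip source (\S+ \S+) destination (\S+ \S+)$", line):
            p.acl_src, p.acl_dst = m.group(1), m.group(2)
        elif m := re.match(r"esp authentication-algorithm (\S+)$", line):
            p.auth_alg = m.group(1)
        elif m := re.match(r"esp encryption-algorithm (\S+)$", line):
            p.enc_alg = m.group(1)
        elif m := re.match(r"tunnel (local|remote) (\S+)$", line):
            setattr(p, f"tunnel_{m.group(1)}", m.group(2))
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
            p.spi[m.group(1)] = int(m.group(2))
        elif m := re.match(r"sa string-key (inbound|outbound) esp (?:cipher )?(\S+)$", line):
            p.key[m.group(1)] = m.group(2)
    return p


def check_pair(cfg_a: str, cfg_b: str, min_key_len: int = 16) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break the tunnel, warnings are key/SPI hygiene."""
    a, b = parse_policy(cfg_a), parse_policy(cfg_b)
    errors: List[str] = []
    warnings: List[str] = []

    def mirror(name: str, left, right) -> None:
        if left is None or right is None:
            errors.append(f"{name}: missing on one side (A={left!r}, B={right!r})")
        elif left != right:
            errors.append(f"{name}: A has {left!r} but B has {right!r}")

    # Direction-specific values on A must equal the opposite direction on B ...
    mirror("tunnel local(A)/remote(B)", a.tunnel_local, b.tunnel_remote)
    mirror("tunnel remote(A)/local(B)", a.tunnel_remote, b.tunnel_local)
    mirror("SPI inbound(A)/outbound(B)", a.spi.get("inbound"), b.spi.get("outbound"))
    mirror("SPI outbound(A)/inbound(B)", a.spi.get("outbound"), b.spi.get("inbound"))
    mirror("key inbound(A)/outbound(B)", a.key.get("inbound"), b.key.get("outbound"))
    mirror("key outbound(A)/inbound(B)", a.key.get("outbound"), b.key.get("inbound"))
    mirror("ACL source(A)/destination(B)", a.acl_src, b.acl_dst)
    mirror("ACL destination(A)/source(B)", a.acl_dst, b.acl_src)
    # ... while the proposal is direction-independent and must simply be identical.
    mirror("ESP authentication algorithm", a.auth_alg, b.auth_alg)
    mirror("ESP encryption algorithm", a.enc_alg, b.enc_alg)
    for side, pol in (("A", a), ("B", b)):
        for direction, spi in pol.spi.items():
            if spi < 256:  # RFC 4303: SPI values 1..255 are reserved by IANA
                errors.append(f"{side} {direction} SPI {spi} is in the reserved range 1-255")
        for direction, key in pol.key.items():
            if len(key) < min_key_len:  # length threshold is an assumption of this example
                warnings.append(f"{side} {direction} key {key!r} is shorter than {min_key_len} characters")
    return errors, warnings


if __name__ == "__main__":
    print(check_pair(R1_CONFIG, R2_CONFIG))
```

Run it against the relevant lines of each router's running configuration; anything the parser does not recognise is ignored. For the R1/R2 pair above it reports no errors and four warnings, one per key, because both routers use the six-character word huawei in both directions. The `cipher` keyword only changes how the key is displayed in the saved configuration; it does not make a weak key string any stronger, and since a manual SA has no lifetime (`No duration limit for this SA` in the output above) that key protects the tunnel until someone changes it by hand.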