《IPSEC野蛮模式实验.docx》由会员分享,可在线阅读,更多相关《IPSEC野蛮模式实验.docx(5页珍藏版)》请在三一办公上搜索。
1、IPSEC 野蛮模式实验 华为IPSEC-VPN-1-采用野蛮方式建立IPsec 安全隧道 一:企业组网需求: 1, 某公司有两个子公司分别在上海和广州,要求通过VPN实现公司之间相互通信! 2, 实验环境如下:要求192.168.1.0/24网段的员工分别与172.168.0/24,10.1.1.0/24的员工通信! 3, 本实验要求采用野蛮方式建立IPsec 安全隧道 第一步:IP地址配置省略,指默认路由 AR1ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 AR3ip route-static 0.0.0.0 0.0.0.0 23.1.1.2 AR4ip
2、 route-static 0.0.0.0 0.0.0.0 24.1.1.2 第二步:使用ACL抓感兴趣流量 R1acl number 3001 R1-acl-adv-3001rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.168.1.0 0.0.0.255 AR1acl number 3002 AR1-acl-adv-3002rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 R3acl number 3001 R3
3、-acl-adv-3001rule 5 permit IP source 172.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 AR4acl number 3002 AR4-acl-adv-3001rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 第三步:配置安全提议zhu1和zhu2 AR1ipsec proposal zhu1 AR1-ipsec-proposal-zhu1encapsulation-mode tunnel AR1
4、-ipsec-proposal-zhu1transform esp AR1-ipsec-proposal-zhu1esp authentication-algorithm md5 AR1-ipsec-proposal-zhu1esp encryption-algorithm des AR1ipsec proposal zhu2 AR1-ipsec-proposal-zhu1encapsulation-mode tunnel AR1-ipsec-proposal-zhu1transform esp AR1-ipsec-proposal-zhu1esp authentication-algorit
5、hm md5 AR1-ipsec-proposal-zhu1esp encryption-algorithm des 第四步: AR1ike local-name fw1 AR1ike peer peer-1 v1 AR1-ike-peer-peer-1exchange-mode aggressive AR1-ike-peer-peer-1pre-shared-key simple 12345 AR1-ike-peer-peer-1local-id-type name AR1-ike-peer-peer-1local-address 12.1.1.1 AR1-ike-peer-peer-1re
6、mote-name fw2 AR1ike peer peer-2 v1 AR1-ike-peer-peer-2exchange-mode aggressive AR1-ike-peer-peer-2pre-shared-key simple 12345 AR1-ike-peer-peer-2local-id-type name AR1-ike-peer-peer-2local-address 12.1.1.1 AR1-ike-peer-peer-2remote-name fw3 第五步: AR1ipsec policy policy1 10 isakmp AR1-ipsec-policy-is
7、akmp-policy1-10sec acl 3001 AR1-ipsec-policy-isakmp-policy1-10proposal zhu1 AR1-ipsec-policy-isakmp-policy1-10ike peer peer-1 AR1-ike-peer-peer-1quit AR1ipsec policy policy1 20 isakmp AR1-ipsec-policy-isakmp-policy1-20security acl 3002 AR1-ipsec-policy-isakmp-policy1-20proposal zhu2 AR1-ipsec-policy
8、-isakmp-policy1-20ike peer peer-2 AR1-ike-peer-peer-2quit 第六步:在接口应用策略 AR1interface GigabitEthernet 0/0/0 AR1-GigabitEthernet0/0/0ipsec policy policy1 AR1-GigabitEthernet0/0/0quit 错误的提示,不为什么不让配置是ENSP版的问题么? 报错文本: AR1interface GigabitEthernet 0/0/0 AR1-GigabitEthernet0/0/0ipsec policy policy1 Error: Th
9、e IPSec policy does not configure an IKE peer. 第七步: AR3ipsec proposal zhu AR3-ipsec-proposal-zhuencapsulation-mode tunnel AR3-ipsec-proposal-zhutransform esp AR3-ipsec-proposal-zhuesp authentication-algorithm md5 AR3-ipsec-proposal-zhuesp encryption-algorithm des AR3-ipsec-proposal-zhuquit AR3ike pe
10、er peer-1 v1 AR3-ike-peer-peer-1exchange-mode aggressive AR3-ike-peer-peer-1pre-shared-key simple 12345 AR3-ike-peer-peer-1local-id-type name AR3-ike-peer-peer-1remote-name fw1 AR3-ike-peer-peer-1remote-address 12.1.1.1 AR3-ike-peer-peer-1quit AR3ipsec policy policy2 10 isakmp AR3-ipsec-policy-isakm
11、p-policy2-10security acl 3001 AR3-ipsec-policy-isakmp-policy2-10proposal zhu AR3-ipsec-policy-isakmp-policy2-10ike peer-1 AR3interface GigabitEthernet 0/0/1 AR3-GigabitEthernet0/0/1ipsec policy policy2 AR3-GigabitEthernet0/0/1quit 第八步:AR4路由器上的所有配置 ipsec proposal zhu-4 encapsulation-mode tunnel trans
12、form esp esp authentication-algorithm md5 esp encryption-algorithm des quit ike local-name fw3 ike peer peer-2 v1 exchange-mode aggressive pre-shared-key simple 12345 local-id-type name remote-name fw1 remote-address 12.1.1.1 quit ipsec policy policy4 20 isakmp security acl 3002 proposal zhu-4 ike peer-2 quit interface GigabitEthernet 0/0/2 ipsec policy policy4 quit