Huawei IPSec VPN configuration

Configuration steps:

1. Configure IP addresses:

<Huawei>sys
[Huawei]sysname AR1
[AR1]inter g0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.1.254 24
[AR1-GigabitEthernet0/0/2]inter g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 100.0.0.1 24

<Huawei>sys
[Huawei]sysname AR2
[AR2]inter g0/0/1
[AR2-GigabitEthernet0/0/1]ip address 100.0.0.2 24
[AR2-GigabitEthernet0/0/1]inter g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 200.0.0.2 24

<Huawei>sys
[Huawei]sysname AR3
[AR3]inter g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 200.0.0.1 24
[AR3-GigabitEthernet0/0/1]inter g0/0/2
[AR3-GigabitEthernet0/0/2]ip address 10.0.0.254 24
[AR3-GigabitEthernet0/0/2]q

2. Configure the IPSec VPN (IKE phase 1, IPSec phase 2, and bind the policy to the WAN interface), first on AR1 and then on AR3:

[AR1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
[AR1]ike proposal 1
[AR1-ike-proposal-1]encryption-algorithm 3des-cbc
[AR1-ike-proposal-1]authentication-algorithm md5
[AR1-ike-proposal-1]authentication-method pre-share
[AR1-ike-proposal-1]dh group2
[AR1-ike-proposal-1]q

[AR1]ike peer 200.0.0.1 v1
[AR1-ike-peer-200.0.0.1]pre-shared-key simple hahui
[AR1-ike-peer-200.0.0.1]ike-proposal 1
[AR1-ike-peer-200.0.0.1]remote-address 200.0.0.1
[AR1-ike-peer-200.0.0.1]q

[AR1]acl number 3000
[AR1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[AR1-acl-adv-3000]q

[AR1]ipsec proposal 1
[AR1-ipsec-proposal-1]transform ah-esp
[AR1-ipsec-proposal-1]q

[AR1]ipsec policy hh 1 isakmp
[AR1-ipsec-policy-isakmp-hh-1]security acl 3000
[AR1-ipsec-policy-isakmp-hh-1]ike-peer 200.0.0.1
[AR1-ipsec-policy-isakmp-hh-1]proposal 1
[AR1-ipsec-policy-isakmp-hh-1]q

[AR1]inter g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy hh

[AR3]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
[AR3]ike proposal 1
[AR3-ike-proposal-1]encryption-algorithm 3des-cbc
[AR3-ike-proposal-1]authentication-algorithm md5
[AR3-ike-proposal-1]authentication-method pre-share
[AR3-ike-proposal-1]dh group2
[AR3-ike-proposal-1]q

[AR3]ike peer 100.0.0.1 v1
[AR3-ike-peer-100.0.0.1]pre-shared-key simple hahui
[AR3-ike-peer-100.0.0.1]ike-proposal 1
[AR3-ike-peer-100.0.0.1]remote-address 100.0.0.1
[AR3-ike-peer-100.0.0.1]q

[AR3]acl number 3000
[AR3-acl-adv-3000]rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000]q

[AR3]ipsec proposal 1
[AR3-ipsec-proposal-1]transform ah-esp
[AR3-ipsec-proposal-1]q

[AR3]ipsec policy hh 1 isakmp
[AR3-ipsec-policy-isakmp-hh-1]security acl 3000
[AR3-ipsec-policy-isakmp-hh-1]ike-peer 100.0.0.1
[AR3-ipsec-policy-isakmp-hh-1]proposal 1
[AR3-ipsec-policy-isakmp-hh-1]q

[AR3]inter g0/0/1
[AR3-GigabitEthernet0/0/1]ipsec policy hh
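Before looking at the SAs it is worth checking that the two endpoint configurations really mirror each other, and noticing which of the negotiated settings are legacy choices. The Python script below is an added example written for this page, not code from the original post or from Huawei. It parses the AR1 and AR3 lines above (reconstructed as sample input with the CLI prompts stripped), checks that the IKE proposals, pre-shared key, peer addresses, IPSec proposal and security ACLs are consistent between the two routers, and flags 3DES, MD5, DH group 2, the clear-text pre-shared-key simple form and the AH transform. The function and variable names are the example's own, and the stronger algorithms it suggests are generic recommendations rather than exact VRP keywords (check what your release supports).

```python
"""Audit both endpoints of a Huawei VRP site-to-site IPSec lab (IKEv1, pre-shared key).
Added example, not code from the original page: parses each router's IKE/IPSec lines
(prompts stripped) and checks what commonly breaks phase 1/2 or weakens the tunnel."""
import re
from ipaddress import ip_network

# Constructed sample input: the AR1 transcript above with the CLI prompts removed.
AR1_CONFIG = """
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 authentication-method pre-share
 dh group2
ike peer 200.0.0.1 v1
 pre-shared-key simple hahui
 ike-proposal 1
 remote-address 200.0.0.1
acl number 3000
 rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
ipsec proposal 1
 transform ah-esp
ipsec policy hh 1 isakmp
 security acl 3000
 ike-peer 200.0.0.1
 proposal 1
"""
# AR3 is the mirror image: peer address swapped, ACL source/destination swapped.
AR3_CONFIG = AR1_CONFIG.replace("200.0.0.1", "100.0.0.1").replace(
    "source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255",
    "source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255")

_RULE = re.compile(r"rule(?:\s+\d+)?\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
                   r"\s+destination\s+(\S+)\s+(\S+)")
# IKEv1 proposal keywords a current deployment should no longer negotiate.
WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
        "authentication-algorithm": {"md5", "sha1"}, "dh": {"group1", "group2", "group5"}}


def _wildcard_to_network(addr, wildcard):
    """VRP ACLs use wildcard (inverse) masks: 0.0.0.255 means /24."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_vrp(text):
    """Extract IKE proposal, IKE peer, security ACL, IPSec proposal and policy."""
    cfg = {"ike_proposal": {}, "peer": {}, "acl": [], "ipsec_proposal": {}, "policy": {}}
    section = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        w = line.split()
        if w[:2] == ["ike", "proposal"]:
            section = "ike_proposal"
        elif w[:2] == ["ike", "peer"]:
            section, cfg["peer"] = "peer", {"name": w[2]}
        elif w[:2] == ["acl", "number"]:
            section = "acl"
        elif w[:2] == ["ipsec", "proposal"]:
            section = "ipsec_proposal"
        elif w[:2] == ["ipsec", "policy"]:
            section = "policy"
        elif section == "acl":
            m = _RULE.match(line)
            if m:
                action, src, sw, dst, dw = m.groups()
                cfg["acl"].append((action, str(_wildcard_to_network(src, sw)),
                                   str(_wildcard_to_network(dst, dw))))
        elif section == "peer" and w[0] == "pre-shared-key":
            cfg["peer"]["psk_mode"], cfg["peer"]["psk"] = w[1], w[2]
        elif section:
            cfg[section][w[0]] = " ".join(w[1:])  # e.g. "dh" -> "group2"
    return cfg


def check_pair(a, b, a_local, b_local):
    """Mismatches between two endpoints, given their tunnel addresses; [] means consistent."""
    problems = []
    for k in ("encryption-algorithm", "authentication-algorithm", "authentication-method", "dh"):
        if a["ike_proposal"].get(k) != b["ike_proposal"].get(k):
            problems.append(f"IKE proposal differs on {k}")
    if a["peer"].get("psk") != b["peer"].get("psk"):
        problems.append("pre-shared keys differ")
    if a["peer"].get("remote-address") != b_local or b["peer"].get("remote-address") != a_local:
        problems.append("remote-address does not point at the other endpoint")
    if a["ipsec_proposal"] != b["ipsec_proposal"]:
        problems.append("IPSec proposals differ")
    # Phase 2 selectors: B's ACL must be A's ACL with source and destination swapped.
    if set(a["acl"]) != {(act, dst, src) for act, src, dst in b["acl"]}:
        problems.append("security ACLs are not mirror images of each other")
    return problems


def weak_settings(cfg):
    """Flag legacy crypto, plaintext key storage and NAT-hostile transforms."""
    findings = []
    for k, bad in WEAK.items():
        v = cfg["ike_proposal"].get(k)
        if v in bad:
            findings.append(f"IKE {k} {v} is legacy; use AES-256, SHA-2 and DH group 14 or stronger")
    if cfg["peer"].get("psk_mode") == "simple":
        findings.append("pre-shared-key simple keeps the key in clear text; use the cipher form")
    if cfg["ipsec_proposal"].get("transform", "").startswith("ah"):
        findings.append("AH authenticates the IP header, so this transform breaks behind NAT")
    return findings


if __name__ == "__main__":
    ar1, ar3 = parse_vrp(AR1_CONFIG), parse_vrp(AR3_CONFIG)
    print("mismatches:", check_pair(ar1, ar3, "100.0.0.1", "200.0.0.1"))
    for finding in weak_settings(ar1):
        print("weak:", finding)
```

Run it as a script for the lab, or paste the relevant lines of your own two endpoints into the two strings. A non-empty result from check_pair is the usual reason an IKE SA never appears (proposal or key mismatch) or an IPSec SA does not come up (selectors that do not mirror); weak_settings lists what to change before the design leaves the lab.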

Checking status:

AR1, phase 1 (the IKE SA; on VRP this is shown by display ike sa):
[screenshot in the original]

AR1, phase 2 (the IPSec SA; shown by display ipsec sa):
[screenshot in the original]

AR3, phase 1 (IKE SA):
[screenshot in the original]

AR3, phase 2 (IPSec SA):
[screenshot in the original]

(The original labels the second router AR2, but AR2 is the transit router and carries no IKE or IPSec configuration in this lab; the other tunnel endpoint is AR3.)

Test:

1. client1 tries to reach the internet (in this lab, the AR2 transit network):
[screenshot in the original]
2. client1 accesses client2:
[screenshot in the original]

The test shows that, with this configuration in place, client1's subnet cannot reach the internet and reaches client2 only through the encrypted tunnel, so traffic between the two sites is protected from casual interception. Two caveats are worth adding. First, it is not the IPSec policy that blocks internet access: an ipsec policy bound to an interface only protects traffic that matches its security ACL (here 192.168.1.0/24 to 10.0.0.0/24) and forwards everything else unencrypted. The internet test fails in this lab because AR1 performs no NAT and AR2 has no route back to 192.168.1.0/24, so replies are dropped; if non-tunnel traffic must be blocked, add an explicit traffic filter rather than relying on the IPSec policy. Second, the negotiated parameters (3DES, MD5, DH group 2, a short pre-shared key stored with the simple keyword, and whatever defaults the ipsec proposal takes for the AH and ESP algorithms) are legacy choices that are fine for a lab but not for production; there, use AES, SHA-2 and DH group 14 or stronger, a long pre-shared key stored in cipher form (or certificates), and set the ESP algorithms explicitly.