Lab topology diagram:

Lab objective: connect the Wuhan branch office and the Harbin headquarters with an IPsec VPN so that the internal networks of the two sites can reach each other.

This write-up records mainly the IPsec configuration. The simulated environment was set up beforehand: the PCs in Wuhan and in Harbin can already reach the public network, that is, the network in the region marked between the two sites on the topology.

Wuhan exit router configuration (static routes):

<wuhan-r>dis ip rout | in Sta
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

0.0.0.0/0   Static  60   0          RD   222.73.1.1      GigabitEthernet0/0/0
192.168.0.0/16  Static  60   0          RD   1.1.1.2         GigabitEthernet0/0/1


<wuhan-r>

Harbin exit router configuration (static routes):

haerb-r carries the same pair of static routes as wuhan-r: a default route to its ISP next hop out GigabitEthernet0/0/0 (the interface that holds 180.73.2.2/30 and, below, the NAT and IPsec policy) and a static route for the Harbin internal range 172.16.0.0/16 toward the internal side. The output captured here in the original was a verbatim copy of the Wuhan table (same prompt and next hops), so it is not repeated.

Wuhan NAT configuration:

<wuhan-r>dis acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 10 permit source 192.168.0.0 0.0.255.255 

<wuhan-r>dis nat outbound 
NAT Outbound Information:
-------------------------------------------------------------------------
Interface                     Acl     Address-group/IP/Interface      Type
-------------------------------------------------------------------------
GigabitEthernet0/0/0         2000                     222.73.1.2    easyip  
-------------------------------------------------------------------------
Total : 1
<wuhan-r>

Harbin NAT configuration:

<haerb-r>dis acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 10 permit source 172.16.0.0 0.0.255.255 

<haerb-r>dis nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2000                     180.73.2.2    easyip  
 --------------------------------------------------------------------------
  Total : 1
<haerb-r>

The Layer 2 configuration is not covered. At this point the PCs in Wuhan and Harbin can reach the internet, but the two sites cannot reach each other. The IPsec VPN is now configured so that the Wuhan and Harbin internal networks can access each other.

Establishing the IPsec tunnel with manually configured SAs

1. On wuhan-r and haerb-r, configure an ACL that defines the traffic each side is to protect. Wuhan:

[wuhan-r]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255 
 rule 10 permit ip source 222.73.1.2 0.0.0.252 destination 172.16.0.0 0.0.255.255

Harbin:

 [haerb-r]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255 
 rule 10 permit ip source 180.73.2.2 0.0.0.252 destination 192.168.0.0 0.0.255.255

Note: I added rule 10 on each side because the traffic I want to protect is also the address range that is NATed, so the post-NAT address is included here.

Why this is needed: on the AR, when nat outbound and ipsec policy sit on the same interface, an outbound packet is translated before it is compared with the IPsec security ACL, so a packet from 192.168.10.10 reaches that check with source 222.73.1.2 and rule 5 never matches it. Rule 10 makes the request direction match, but at two costs. First, the protected flow is now defined by the NAT address rather than by the internal network. Second, the reply from 172.16.10.10 is addressed to 222.73.1.2, so on haerb-r it matches neither rule 5 (whose destination must be in 192.168.0.0/16) nor rule 10, and it leaves unencrypted; the ping still succeeds because wuhan-r's NAT session maps it back, but only half of the exchange travelled inside ESP. The cleaner fix is to keep the IPsec ACL on the original addresses and exclude the site-to-site traffic from NAT with a deny rule placed before the permit; a deny that names both source and destination needs an advanced ACL (3000-3999) in nat outbound instead of basic ACL 2000. Also, 0.0.0.252 in rule 10 is a wildcard, not a mask: it ignores the upper six bits of the last octet, so it covers every address in 222.73.1.0/24 whose last octet ends in binary 10, not just the router address; a single-host entry takes wildcard 0.0.0.0.
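To make the NAT-then-IPsec ordering concrete, here is an added example, written for this edit and not part of the page's configuration, that models the exit router's outbound path in Python: Easy-IP NAT first, then the IPsec security ACL, with Huawei wildcard semantics. It runs the page's ACLs against the ping from 192.168.10.10 to 172.16.10.10 and its reply, then the corrected variant in which the site-to-site flow is excluded from NAT; the advanced ACL number 3001 used for that variant is an assumption.

```python
"""Model of the outbound NAT-then-IPsec order on the AR exit routers.
Added example, not the page's own configuration. Addresses and ACL rules
are the page's; ACL 3001 for the corrected NAT ACL is an assumption."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def acl_lookup(rules, src, dst):
    """Evaluate rules in order, first match wins; unmatched traffic is denied.
    A rule is (id, action, src, src_wildcard, dst, dst_wildcard); dst None
    models a basic ACL rule, which can only look at the source address."""
    for rid, action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and (d is None or wildcard_match(dst, d, dwc)):
            return rid, action
    return None, "deny"


def outbound(nat_acl, nat_ip, ipsec_acl, src, dst):
    """Outbound path on the interface that carries both `nat outbound` and
    `ipsec policy`: Easy-IP translation first, then the IPsec ACL check."""
    _, nat_action = acl_lookup(nat_acl, src, dst)
    if nat_action == "permit":
        src = nat_ip  # Easy IP: the source becomes the interface address
    rid, ipsec_action = acl_lookup(ipsec_acl, src, dst)
    return {"src_on_wire": src, "dst": dst,
            "ipsec_rule": rid, "encrypted": ipsec_action == "permit"}


ANY16 = "0.0.255.255"
# Configuration exactly as shown on the page.
WUHAN_NAT_2000 = [(10, "permit", "192.168.0.0", ANY16, None, None)]
WUHAN_IPSEC_3000 = [(5, "permit", "192.168.0.0", ANY16, "172.16.0.0", ANY16),
                    (10, "permit", "222.73.1.2", "0.0.0.252", "172.16.0.0", ANY16)]
HAERB_NAT_2000 = [(10, "permit", "172.16.0.0", ANY16, None, None)]
HAERB_IPSEC_3000 = [(5, "permit", "172.16.0.0", ANY16, "192.168.0.0", ANY16),
                    (10, "permit", "180.73.2.2", "0.0.0.252", "192.168.0.0", ANY16)]
# Corrected variant: site-to-site traffic is denied in an advanced NAT ACL
# (assumed number 3001), so the IPsec ACL only needs the original addresses.
WUHAN_NAT_3001 = [(5, "deny", "192.168.0.0", ANY16, "172.16.0.0", ANY16),
                  (10, "permit", "192.168.0.0", ANY16, "0.0.0.0", "255.255.255.255")]
WUHAN_IPSEC_FIXED = [(5, "permit", "192.168.0.0", ANY16, "172.16.0.0", ANY16)]
HAERB_NAT_3001 = [(5, "deny", "172.16.0.0", ANY16, "192.168.0.0", ANY16),
                  (10, "permit", "172.16.0.0", ANY16, "0.0.0.0", "255.255.255.255")]
HAERB_IPSEC_FIXED = [(5, "permit", "172.16.0.0", ANY16, "192.168.0.0", ANY16)]


def round_trip(wuhan_nat, wuhan_ipsec, haerb_nat, haerb_ipsec,
               pc_wuhan="192.168.10.10", pc_haerb="172.16.10.10"):
    """Ping request from the Wuhan PC and the reply from the Harbin PC, each
    evaluated on its own exit router. The reply goes back to whatever source
    address the request carried on the wire."""
    request = outbound(wuhan_nat, "222.73.1.2", wuhan_ipsec, pc_wuhan, pc_haerb)
    reply = outbound(haerb_nat, "180.73.2.2", haerb_ipsec, pc_haerb, request["src_on_wire"])
    return request, reply


def odd_wildcard_hosts(base="222.73.1.2", wildcard="0.0.0.252"):
    """Which addresses in 222.73.1.0/24 rule 10's wildcard really covers."""
    return [str(h) for h in ipaddress.IPv4Network("222.73.1.0/24")
            if wildcard_match(str(h), base, wildcard)]


if __name__ == "__main__":
    print("page config:     ", round_trip(WUHAN_NAT_2000, WUHAN_IPSEC_3000,
                                           HAERB_NAT_2000, HAERB_IPSEC_3000))
    print("corrected config:", round_trip(WUHAN_NAT_3001, WUHAN_IPSEC_FIXED,
                                           HAERB_NAT_3001, HAERB_IPSEC_FIXED))
    print("wildcard 0.0.0.252 covers", len(odd_wildcard_hosts()), "addresses, e.g.",
          odd_wildcard_hosts()[:4])
```

With the page's ACLs the request leaves as 222.73.1.2 and is selected by rule 10, while the reply is selected by nothing and goes in the clear; with the deny rule in the NAT ACL both directions match rule 5 on their original addresses, and rule 10 is no longer needed.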

2. Create the IPsec proposal on wuhan-r and haerb-r. Wuhan:

[wuhan-r]display ipsec proposal name tran1

IPSec proposal name: tran1                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256                             
                     Encryption     AES-128

Harbin:

[haerb-r]dis ipsec proposal name tran1

IPSec proposal name: tran1                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256                             
                     Encryption     AES-128

3. Create the security policy on wuhan-r and haerb-r in manual mode. Manual mode means fixed SPIs and a static key with no rekeying; the outbound SPI and key on one side must equal the inbound SPI and key on the other. Here the same key, antiy, is used in both directions on both peers, which is acceptable in a lab but not in production, where IKE should negotiate and rekey the SAs. Wuhan:

[wuhan-r] ipsec policy whtohaerb 10 manual
[wuhan-r-ipsec-policy-manual-whtohaerb-10] security acl 3000
[wuhan-r-ipsec-policy-manual-whtohaerb-10] proposal tran1
[wuhan-r-ipsec-policy-manual-whtohaerb-10] tunnel remote 180.73.2.2
[wuhan-r-ipsec-policy-manual-whtohaerb-10] tunnel local 222.73.1.2
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa spi outbound esp 12345
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa spi inbound esp 54321
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa string-key outbound esp cipher antiy
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa string-key inbound esp cipher antiy
[wuhan-r-ipsec-policy-manual-whtohaerb-10] quit

Harbin:

[haerb-r] ipsec policy haerbtowh 10 manual
[haerb-r-ipsec-policy-manual-haerbtowh-10] security acl 3000
[haerb-r-ipsec-policy-manual-haerbtowh-10] proposal tran1
[haerb-r-ipsec-policy-manual-haerbtowh-10] tunnel remote 222.73.1.2
[haerb-r-ipsec-policy-manual-haerbtowh-10] tunnel local 180.73.2.2
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa spi outbound esp 54321
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa spi inbound esp 12345
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa string-key outbound esp cipher antiy
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa string-key inbound esp cipher antiy
[haerb-r-ipsec-policy-manual-haerbtowh-10] quit

At this point, display ipsec policy on wuhan-r and on haerb-r shows the configured values. The string-key is displayed in its stored cipher form rather than as the text that was typed, and the SPIs are shown in decimal with the hexadecimal value in parentheses. Wuhan:

[wuhan-r]dis ipsec policy name whtohaerb 

===========================================
IPSec policy group: "whtohaerb"
Using interface: GigabitEthernet0/0/0
===========================================

    Sequence number: 10
    Security data flow: 3000
    Tunnel local  address: 222.73.1.2
    Tunnel remote address: 180.73.2.2
    Qos pre-classify: Disable
    Proposal name:tran1
    Inbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Inbound ESP setting: 
      ESP SPI: 54321 (0xd431)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
      ESP encryption hex key: 
      ESP authentication hex key: 
    Outbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Outbound ESP setting: 
      ESP SPI: 12345 (0x3039)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
      ESP encryption hex key: 
      ESP authentication hex key: 

Harbin:

[haerb-r]display ipsec policy name haerbtowh 

===========================================
IPSec policy group: "haerbtowh"
Using interface: GigabitEthernet0/0/0
===========================================

    Sequence number: 10
    Security data flow: 3000
    Tunnel local  address: 180.73.2.2
    Tunnel remote address: 222.73.1.2
    Qos pre-classify: Disable
    Proposal name:tran1
    Inbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Inbound ESP setting: 
      ESP SPI: 12345 (0x3039)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
      ESP encryption hex key: 
      ESP authentication hex key: 
    Outbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Outbound ESP setting: 
      ESP SPI: 54321 (0xd431)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
      ESP encryption hex key: 
      ESP authentication hex key: 
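Because a manual SA is never negotiated, a mismatch between the two peers shows up only as dropped ESP. The following added example (mine, not the page's or Huawei's) parses the two display ipsec policy outputs above, embedded as constructed sample strings, and checks that the SPIs, tunnel endpoints and proposal are mirrored, that no SPI falls in the IANA reserved range, and that each direction uses its own key. The string-key the device prints is its stored cipher form, so keys are compared only within one device, never across the two.

```python
"""Cross-check two manual IPsec policies from `display ipsec policy name` output.
Added example, not the page's own tooling. The sample outputs are constructed
from the values shown on the page."""
import re

WUHAN_POLICY = """\
IPSec policy group: "whtohaerb"
Using interface: GigabitEthernet0/0/0
    Sequence number: 10
    Security data flow: 3000
    Tunnel local  address: 222.73.1.2
    Tunnel remote address: 180.73.2.2
    Proposal name:tran1
    Inbound AH setting:
      AH SPI:
    Inbound ESP setting:
      ESP SPI: 54321 (0xd431)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
    Outbound AH setting:
      AH SPI:
    Outbound ESP setting:
      ESP SPI: 12345 (0x3039)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
"""

HAERB_POLICY = """\
IPSec policy group: "haerbtowh"
Using interface: GigabitEthernet0/0/0
    Sequence number: 10
    Security data flow: 3000
    Tunnel local  address: 180.73.2.2
    Tunnel remote address: 222.73.1.2
    Proposal name:tran1
    Inbound AH setting:
      AH SPI:
    Inbound ESP setting:
      ESP SPI: 12345 (0x3039)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
    Outbound AH setting:
      AH SPI:
    Outbound ESP setting:
      ESP SPI: 54321 (0xd431)
      ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
"""

FIELDS = {
    "name": r'IPSec policy group:\s*"([^"]+)"',
    "local": r"Tunnel local\s+address:\s*(\S+)",
    "remote": r"Tunnel remote address:\s*(\S+)",
    "proposal": r"Proposal name:\s*(\S+)",
}


def parse_policy(text: str) -> dict:
    """Extract the fields a manual SA depends on; missing fields stay None."""
    info = dict.fromkeys(["name", "local", "remote", "proposal",
                          "in_spi", "out_spi", "in_key", "out_key"])
    direction = None  # "in"/"out" while inside an ESP block, None inside AH
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in FIELDS.items():
            if m := re.match(pattern, line):
                info[key] = m.group(1)
        if m := re.match(r"(Inbound|Outbound) (ESP|AH) setting", line):
            direction = {"Inbound": "in", "Outbound": "out"}[m.group(1)] if m.group(2) == "ESP" else None
        elif direction and (m := re.match(r"ESP SPI:\s*(\d+)", line)):
            info[f"{direction}_spi"] = int(m.group(1))
        elif direction and (m := re.match(r"ESP string-key:\s*(.+)", line)):
            info[f"{direction}_key"] = m.group(1).strip()
    return info


def check_mirror(a: dict, b: dict) -> list:
    """Findings that would stop a manual tunnel from passing traffic or weaken it."""
    findings = []
    if a["out_spi"] != b["in_spi"]:
        findings.append(f"SPI mismatch: {a['name']} outbound {a['out_spi']} vs {b['name']} inbound {b['in_spi']}")
    if a["in_spi"] != b["out_spi"]:
        findings.append(f"SPI mismatch: {a['name']} inbound {a['in_spi']} vs {b['name']} outbound {b['out_spi']}")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("tunnel endpoints are not mirrored")
    if a["proposal"] != b["proposal"]:  # naming convention check; the transforms themselves must match
        findings.append(f"proposal name differs: {a['proposal']} vs {b['proposal']}")
    for p in (a, b):
        for d in ("in", "out"):
            spi = p[f"{d}_spi"]
            if spi is None:
                findings.append(f"{p['name']}: no {d}bound ESP SPI configured")
            elif spi <= 255:  # RFC 4303: SPI 0 is local use, 1-255 are reserved by IANA
                findings.append(f"{p['name']}: {d}bound SPI {spi} is in the reserved range 0-255")
        if p["in_key"] and p["in_key"] == p["out_key"]:
            findings.append(f"{p['name']}: same string-key in both directions; use a distinct key per direction")
    return findings


if __name__ == "__main__":
    for finding in check_mirror(parse_policy(WUHAN_POLICY), parse_policy(HAERB_POLICY)) or ["mirrored"]:
        print(finding)
```

Run it directly to print the findings; for the page's two policies it reports only that each router uses one key for both directions. Paste a freshly captured output in place of the samples after any change to the SPIs or keys, since the SPI values a peer does not recognise end up in the PktInSAMissDrop counter rather than in an error message.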

4. Apply each policy on the outbound interface of wuhan-r and haerb-r so that the interface protects traffic with IPsec. Wuhan:

[wuhan-r-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 222.73.1.2 255.255.255.252 
 ipsec policy whtohaerb
 nat outbound 2000
#
return

Harbin:

[haerb-r-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 180.73.2.2 255.255.255.252 
 ipsec policy haerbtowh
 nat outbound 2000
#
return

Verification: the PC 192.168.10.10 on the Wuhan internal network can ping 172.16.10.10 on the Harbin internal network. A successful ping proves reachability only; whether the packets actually travelled inside ESP has to be confirmed with the ESP statistics below and, ideally, with a capture on the WAN link between the two routers, where plain ICMP means the flow bypassed the policy.

Run display ipsec statistics esp to view the ESP packet counters. When a manual tunnel passes no traffic, the counters to look at are AuthFail (ICV check failed, usually a key mismatch between the peers), PktInSAMissDrop (an ESP packet arrived with an SPI that matches no inbound SA) and InSAAclCheckFail (a decapsulated packet did not match the security ACL).

[wuhan-r]display ipsec statistics esp 
 Inpacket count            : 16
 Inpacket auth count       : 0
 Inpacket decap count      : 0
 Outpacket count           : 14
 Outpacket auth count      : 0
 Outpacket encap count     : 0
 Inpacket drop count       : 0
 Outpacket drop count      : 0
 BadAuthLen count          : 0
 AuthFail count            : 0
 InSAAclCheckFail count    : 0
 PktDuplicateDrop count    : 0
 PktSeqNoTooSmallDrop count: 0
 PktInSAMissDrop count     : 0

Establishing the IPsec tunnel through IKE negotiation with the default configuration

Reference: https://support.huawei.com/enterprise/zh/routers/ar2200-pid-6078842?category=configuration-commissioning