龙空技术网

H3C Router IPsec VPN Configuration Method

平静如水的温柔 626


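In production networks, enterprises make heavy use of IPsec VPN between headquarters and branch offices to protect the internal data exchanged between them, achieving low-cost, secure interconnection of their internal networks.

The following describes how to configure a point-to-point IPsec VPN on H3C routers.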

The topology is as shown in the figure.

Basic configuration

PC1 192.168.1.2/24 PC2 172.16.1.2/24

R1

sysname R1

acl advanced 3000

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

rule 5 permit ip

// Traffic between the two internal networks is excluded from NAT

interface GigabitEthernet0/0

ip address 12.0.0.1 255.255.255.252

nat outbound 3000

interface GigabitEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip route-static 0.0.0.0 0 12.0.0.2

// Configure the interface IP addresses; Internet access uses Easy IP NAT

ISP

sysname ISP

interface GigabitEthernet0/0

ip address 12.0.0.2 255.255.255.252

interface GigabitEthernet0/1

ip address 23.0.0.2 255.255.255.252

R2

sysname R2

acl advanced 3000

rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 5 permit ip

interface GigabitEthernet0/0

ip address 23.0.0.1 255.255.255.252

nat outbound 3000

interface GigabitEthernet0/1

ip address 172.16.1.1 255.255.255.0

ip route-static 0.0.0.0 0 23.0.0.2

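After the basic configuration is complete, PC1 at headquarters can ping the branch gateway device but cannot ping the branch internal network. The same applies to the branch PC.

Configure IPsec VPN on R1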

acl advanced 3001

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

// Configure the interesting-traffic ACL to match traffic between the two internal networks

ike proposal 1

authentication-method pre-share

encryption-algorithm aes-cbc-128

// Create the IKE proposal, set the authentication method to pre-shared key, and configure the encryption algorithm

ike keychain r2

pre-shared-key address 23.0.0.1 255.255.255.255 key simple h3c@123456

// Configure the pre-shared key

ike profile r2

keychain r2

local-identity address 12.0.0.1

match remote identity address 23.0.0.1 255.255.255.255

proposal 1

// Configure the IKE profile: specify the local and peer public addresses, and reference the pre-shared key (keychain) and the IKE proposal

ipsec transform-set r2

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

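// Configure the IPsec transform set with the encryption and authentication algorithms. The working mode defaults to tunnel mode and the protocol defaults to ESP, so neither needs to be configured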

ipsec policy r2 10 isakmp

transform-set r2

security acl 3001

remote-address 23.0.0.1

ike-profile r2

// Configure the IPsec policy, referencing the configuration above

interface GigabitEthernet0/0

ipsec apply policy r2

// Apply the IPsec policy on the outbound interface

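Configure IPsec VPN on R2

acl advanced 3001

rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

// Interesting-traffic ACL on R2, the mirror of ACL 3001 on R1; it is referenced by "security acl 3001" in the IPsec policy below

ike proposal 1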

authentication-method pre-share

encryption-algorithm aes-cbc-128

ike keychain r1

pre-shared-key address 12.0.0.1 255.255.255.255 key simple h3c@123456

ike profile r1

keychain r1

local-identity address 23.0.0.1

match remote identity address 12.0.0.1 255.255.255.255

proposal 1

ipsec transform-set r1

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

ipsec policy r1 10 isakmp

transform-set r1

security acl 3001

remote-address 12.0.0.1

ike-profile r1

interface GigabitEthernet0/0

ipsec apply policy r1

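After the configuration is complete, the two internal networks can reach each other, the IKE SA and IPsec SA are established, and the IPsec VPN comes up normally.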
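The tunnel above depends on three ACL relationships: each `security acl` must be defined, the protected flow must be denied in the `nat outbound` ACL ahead of its permits, and the two peers' interesting-traffic ACLs must mirror each other. The following Python check is an added example, not part of the original article; the sample configs are constructed from the listings on this page (the R2 sample deliberately omits ACL 3001), and the names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample configs, trimmed from the R1/R2 listings on this page.
R1 = """acl advanced 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 5 permit ip
acl advanced 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
interface GigabitEthernet0/0
 nat outbound 3000
ipsec policy r2 10 isakmp
 security acl 3001"""
# Constructed: an R2 that references ACL 3001 without defining it.
R2 = """acl advanced 3000
 rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 5 permit ip
interface GigabitEthernet0/0
 nat outbound 3000
ipsec policy r1 10 isakmp
 security acl 3001"""
RULE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+ \S+) destination (\S+ \S+))?$")

def parse(cfg):
    """Return ({acl: [(action, src, dst)]}, NAT ACL number, IPsec ACL number)."""
    acls, cur, ref = {}, None, {"nat outbound": None, "security acl": None}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"acl advanced (\d+)$", line):
            cur = acls.setdefault(m.group(1), [])
        elif (m := RULE.match(line)) and cur is not None:
            cur.append(m.groups())
        elif m := re.match(r"(nat outbound|security acl) (\d+)$", line):
            ref[m.group(1)] = m.group(2)
    return acls, ref["nat outbound"], ref["security acl"]

def audit(name, cfg, peer_cfg):
    """Findings: dangling ACL, flow not denied ahead of all NAT permits, unmirrored flow."""
    acls, nat, sec = parse(cfg)
    peer_acls, _, peer_sec = parse(peer_cfg)
    if sec not in acls:
        return [f"{name}: security acl {sec} is referenced but not defined"]
    out, nat_rules = [], acls.get(nat, [])
    first_permit = next((i for i, r in enumerate(nat_rules) if r[0] == "permit"), len(nat_rules))
    for src, dst in [(s, d) for a, s, d in acls[sec] if a == "permit"]:
        if nat is not None and ("deny", src, dst) not in nat_rules[:first_permit]:
            out.append(f"{name}: {src} -> {dst} is not exempted from nat outbound {nat}")
        if ("permit", dst, src) not in peer_acls.get(peer_sec, []):
            out.append(f"{name}: peer has no mirrored rule for {src} -> {dst}")
    return out
```

Calling `audit("R2", R2, R1)` on the constructed samples reports the undefined ACL 3001, and `audit("R1", R1, R2)` reports that the peer has no mirrored rule; both lists are empty once R2 defines the mirrored ACL.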
