Preface:
In production networks, enterprise headquarters and branch offices widely use IPsec VPN to protect the data exchanged between their internal networks, which gives them secure internal interconnection at low cost.
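The following describes how to configure a point-to-point IPsec VPN on H3C routers.
The topology is shown in the figure.
Basic configuration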
PC1 192.168.1.2/24 PC2 172.16.1.2/24
R1
sysname R1
acl advanced 3000
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 5 permit ip
// Traffic between the two internal networks does not go through NAT
interface GigabitEthernet0/0
ip address 12.0.0.1 255.255.255.252
nat outbound 3000
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip route-static 0.0.0.0 0 12.0.0.2
// Configure the interface IP addresses; Internet access uses Easy IP
ISP
sysname ISP
interface GigabitEthernet0/0
ip address 12.0.0.2 255.255.255.252
interface GigabitEthernet0/1
ip address 23.0.0.2 255.255.255.252
R2
sysname R2
acl advanced 3000
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip
interface GigabitEthernet0/0
ip address 23.0.0.1 255.255.255.252
nat outbound 3000
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip route-static 0.0.0.0 0 23.0.0.2
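After the basic configuration is complete, headquarters PC1 can ping the branch gateway device but cannot ping the branch internal network. The same applies to the branch PC.
Configure the IPsec VPN on R1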
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
// Configure the interesting traffic: match the traffic between the two internal networks
ike proposal 1
authentication-method pre-share
encryption-algorithm aes-cbc-128
// Create an IKE proposal, set the authentication method to pre-shared key, and configure the encryption algorithm
ike keychain r2
pre-shared-key address 23.0.0.1 255.255.255.255 key simple h3c@123456
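// Configure the pre-shared key (entered in plaintext with the simple keyword; it must be identical on both peers)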
ike profile r2
keychain r2
local-identity address 12.0.0.1
match remote identity address 23.0.0.1 255.255.255.255
proposal 1
// Configure the IKE profile: specify the local and peer public addresses, and reference the pre-shared key and the IKE proposal
ipsec transform-set r2
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
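// Configure the IPsec transform set with its encryption and authentication algorithms. Because the encapsulation mode defaults to tunnel mode and the protocol defaults to ESP, neither needs to be configured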
ipsec policy r2 10 isakmp
transform-set r2
security acl 3001
remote-address 23.0.0.1
ike-profile r2
// Configure the IPsec policy, referencing the configuration above
interface GigabitEthernet0/0
ipsec apply policy r2
// Apply the IPsec policy on the outbound interface
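Configure the IPsec VPN on R2
acl advanced 3001
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
// Interesting traffic on R2: the mirror of R1's ACL 3001, referenced by security acl 3001 below
ike proposal 1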
authentication-method pre-share
encryption-algorithm aes-cbc-128
ike keychain r1
pre-shared-key address 12.0.0.1 255.255.255.255 key simple h3c@123456
ike profile r1
keychain r1
local-identity address 23.0.0.1
match remote identity address 12.0.0.1 255.255.255.255
proposal 1
ipsec transform-set r1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
ipsec policy r1 10 isakmp
transform-set r1
security acl 3001
remote-address 12.0.0.1
ike-profile r1
interface GigabitEthernet0/0
ipsec apply policy r1
After the configuration is complete, the two internal networks can reach each other, the IKE SA and IPsec SA are established, and the IPsec VPN is up.
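
An added example (not from the original article or from H3C): a Python check, run over one router's configuration text, that every ACL referenced by nat outbound or security acl is defined and that no flow permitted by the IPsec ACL would first be translated by the NAT ACL. It assumes ACL rules are evaluated in ascending rule ID and that wildcard masks are contiguous dotted masks; the function names and the abridged R1 sample are constructed for illustration.

```python
import ipaddress
import re

RULE = re.compile(r"rule (\d+) (permit|deny) ip(?: source (\S+ \S+) destination (\S+ \S+))?$")

def net(spec):  # "address wildcard" -> IPv4Network; a rule with no addresses matches any
    return ipaddress.ip_network(spec.replace(" ", "/") if spec else "0.0.0.0/0")

def parse_acls(cfg):
    """Return {acl_number: [(rule_id, action, src, dst)]}, sorted by rule ID."""
    acls, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"acl advanced (\d+)$", line):
            cur = acls.setdefault(m[1], [])
        elif (m := RULE.match(line)) and cur is not None:
            cur.append((int(m[1]), m[2], net(m[3]), net(m[4])))
        else:
            cur = None  # any other line ends the current ACL view
    return {n: sorted(r, key=lambda x: x[0]) for n, r in acls.items()}

def nat_translates(rules, src, dst):
    """Assumption: the lowest-ID rule covering the flow decides; no match means no NAT."""
    for _, action, s, d in rules:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False

def audit(cfg):
    """Findings for one router: undefined ACLs, and protected flows that NAT would catch."""
    acls, nat = parse_acls(cfg), re.findall(r"^\s*nat outbound (\d+)", cfg, re.M)
    sec = re.findall(r"^\s*security acl (\d+)", cfg, re.M)
    out = [f"ACL {n} referenced but not defined" for n in nat + sec if n not in acls]
    for c, n in ((c, n) for c in sec for n in nat):
        for _, action, src, dst in acls.get(c, []):
            if action == "permit" and nat_translates(acls.get(n, []), src, dst):
                out.append(f"{src} -> {dst} (ACL {c}) is translated by NAT ACL {n}")
    return out

# Constructed sample: R1's ACL, NAT and IPsec policy lines from the page, abridged.
R1 = """\
acl advanced 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 5 permit ip
acl advanced 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 nat outbound 3000
ipsec policy r2 10 isakmp
 security acl 3001
"""
print(audit(R1) or "no findings")
```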