IPsec VPN Configuration Lab

1. Manual mode:

Site1:

#
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ipsec policy daupon-policy 10 manual
security acl 3000
proposal daupon-proposal
tunnel local 61.128.1.1
tunnel remote 202.100.1.1
sa spi inbound esp 12345
sa string-key inbound esp simple daupon123
sa spi outbound esp 54321
sa string-key outbound esp simple daupon321
#
interface GigabitEthernet0/0/0
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 61.128.1.1 255.255.255.0
ipsec policy daupon-policy
#
ip route-static 0.0.0.0 0.0.0.0 61.128.1.10

Site2:

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ipsec policy daupon-policy 10 manual
security acl 3000
proposal daupon-proposal
tunnel local 202.100.1.1
tunnel remote 61.128.1.1
sa spi inbound esp 54321
sa string-key inbound esp simple daupon321
sa spi outbound esp 12345
sa string-key outbound esp simple daupon123
#
interface GigabitEthernet0/0/0
ip address 202.100.1.1 255.255.255.0
ipsec policy daupon-policy
#
interface GigabitEthernet0/0/1
ip address 10.1.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
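
In manual mode the tunnel only comes up when each site's inbound SPI and key equal the peer's outbound SPI and key and the tunnel endpoints are reversed. As an added check that is not part of the original lab, the following Python snippet parses the two manual-mode policies above (excerpts re-typed from this page) and reports any asymmetry; the parser is a hypothetical helper for VRP-style configuration text.

```python
import re

# Constructed excerpts of the two manual-mode policies on this page (Site1 first).
SITE1 = """\
ipsec policy daupon-policy 10 manual
 tunnel local 61.128.1.1
 tunnel remote 202.100.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp simple daupon123
 sa spi outbound esp 54321
 sa string-key outbound esp simple daupon321
"""
SITE2 = """\
ipsec policy daupon-policy 10 manual
 tunnel local 202.100.1.1
 tunnel remote 61.128.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple daupon321
 sa spi outbound esp 12345
 sa string-key outbound esp simple daupon123
"""

def parse_manual_policy(text):
    """Collect tunnel endpoints and per-direction ESP SPI/key from a VRP manual policy."""
    p = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel (local|remote) (\S+)$", line):
            p[m.group(1)] = m.group(2)
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
            p["spi_" + m.group(1)] = int(m.group(2))
        elif m := re.match(r"sa string-key (inbound|outbound) esp simple (\S+)$", line):
            p["key_" + m.group(1)] = m.group(2)
    return p

# Each site's inbound SA must equal the peer's outbound SA, and endpoints must mirror.
MIRROR = [("local", "remote"), ("remote", "local"),
          ("spi_inbound", "spi_outbound"), ("spi_outbound", "spi_inbound"),
          ("key_inbound", "key_outbound"), ("key_outbound", "key_inbound")]

def check_peer_symmetry(site_a, site_b):
    """Return the list of mismatches between two peers; an empty list means consistent."""
    pa, pb = parse_manual_policy(site_a), parse_manual_policy(site_b)
    return [f"A {ka}={pa.get(ka)!r} vs B {kb}={pb.get(kb)!r}"
            for ka, kb in MIRROR if pa.get(ka) != pb.get(kb)]

if __name__ == "__main__":
    print(check_peer_symmetry(SITE1, SITE2) or "manual SAs are consistent")
```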

2. Automatic mode (IKE):

Site1:

#
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer Site2 v2
pre-shared-key simple daupon
ike-proposal 10
remote-address 202.100.1.1
#
ipsec policy daupon-policy 10 isakmp
security acl 3000
ike-peer Site2
proposal daupon-proposal
#
interface GigabitEthernet0/0/0
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 61.128.1.1 255.255.255.0
ipsec policy daupon-policy
#
ip route-static 0.0.0.0 0.0.0.0 61.128.1.10

Site2:

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal daupon-proposal
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer Site1 v2
pre-shared-key simple daupon
ike-proposal 10
remote-address 61.128.1.1
#
ipsec policy daupon-policy 10 isakmp
security acl 3000
ike-peer Site1
proposal daupon-proposal
#
interface GigabitEthernet0/0/0
ip address 202.100.1.1 255.255.255.0
ipsec policy daupon-policy
#
interface GigabitEthernet0/0/1
ip address 10.1.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10