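  • Lab topology

[Figure: lab topology]

  • Environment description

A company needs the FTP servers (FTP_Server) in its Beijing and Shanghai offices to exchange data. To keep IT costs down, the network administrator carries the company's internal data over the Internet while preserving its integrity and confidentiality. This requires an IPsec VPN between the Beijing edge router BJ_AR1 and the Shanghai edge router SH_AR1, with an IPsec tunnel that carries one department's traffic between the two sites.

  • Configure device IP addresses

Interface addresses on the internet router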

[internet]interface g0/0/1
[internet-GigabitEthernet0/0/1]ip address 58.58.58.1 24
[internet]interface g0/0/2
[internet-GigabitEthernet0/0/2]ip address 102.35.35.1 24
[internet]inter LoopBack 0
[internet-LoopBack0]ip address 100.25.25.25 32

BJ_AR1 edge router interface addresses

[BJ_AR1]interface g0/0/0
[BJ_AR1-GigabitEthernet0/0/0]ip address 58.58.58.2 24
[BJ_AR1]interface g0/0/1
[BJ_AR1-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[BJ_AR1]interface LoopBack 0
[BJ_AR1-LoopBack0]ip address 10.10.10.10 32

BJ_Core switch interface addresses

Interface                         IP Address/Mask      Physical   Protocol
LoopBack0                         5.5.5.5/32           up         up(s)
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           unassigned           up         down
Vlanif100                         192.168.1.254/24     up         up
Vlanif200                         192.168.2.254/24     up         up
Vlanif300                         192.168.3.254/24     up         up
Vlanif400                         192.168.4.254/24     up         up

SH_AR1 edge router interface addresses

[SH_AR1]interface g0/0/0
[SH_AR1-GigabitEthernet0/0/0]ip address 102.35.35.2 24
[SH_AR1]interface g0/0/1
[SH_AR1-GigabitEthernet0/0/1]ip address 172.16.30.1 24
[SH_AR1]interface LoopBack 0
[SH_AR1-LoopBack0]ip address 9.9.9.9 32 

SH_Core switch interface addresses

Interface                         IP Address/Mask      Physical   Protocol
LoopBack0                         4.4.4.4/32           up         up(s)
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           unassigned           up         down
Vlanif100                         172.16.30.254/24     up         up
Vlanif200                         172.16.31.254/24     up         up
Vlanif300                         172.16.32.254/24     up         up
Vlanif400                         172.16.33.254/24     up         up
  • Configure OSPF (for connectivity inside each site)

BJ_AR1 routing table (configuration steps omitted)

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   58.58.58.1      GigabitEthernet0/0/0
        5.5.5.5/32  OSPF    10   1           D   192.168.1.254   GigabitEthernet0/0/1
    10.10.10.10/32  Direct  0    0           D   127.0.0.1       LoopBack0
     58.58.58.0/24  Direct  0    0           D   58.58.58.2      GigabitEthernet0/0/0
     58.58.58.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
   58.58.58.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     GigabitEthernet0/0/1
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
  192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
    192.168.2.0/24  OSPF    10   2           D   192.168.1.254   GigabitEthernet0/0/1
    192.168.3.0/24  OSPF    10   2           D   192.168.1.254   GigabitEthernet0/0/1
    192.168.4.0/24  OSPF    10   2           D   192.168.1.254   GigabitEthernet0/0/1
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

BJ_Core routing table (configuration steps omitted)

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   192.168.1.1     Vlanif100
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
    10.10.10.10/32  OSPF    10   1           D   192.168.1.1     Vlanif100
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.254   Vlanif100
  192.168.1.254/32  Direct  0    0           D   127.0.0.1       Vlanif100
    192.168.2.0/24  Direct  0    0           D   192.168.2.254   Vlanif200
  192.168.2.254/32  Direct  0    0           D   127.0.0.1       Vlanif200
    192.168.3.0/24  Direct  0    0           D   192.168.3.254   Vlanif300
  192.168.3.254/32  Direct  0    0           D   127.0.0.1       Vlanif300
    192.168.4.0/24  Direct  0    0           D   192.168.4.254   Vlanif400
  192.168.4.254/32  Direct  0    0           D   127.0.0.1       Vlanif400

SH_AR1 routing table (configuration steps omitted)

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   102.35.35.1     GigabitEthernet0/0/0
        4.4.4.4/32  OSPF    10   1           D   172.16.30.254   GigabitEthernet0/0/1
        9.9.9.9/32  Direct  0    0           D   127.0.0.1       LoopBack0
    102.35.35.0/24  Direct  0    0           D   102.35.35.2     GigabitEthernet0/0/0
    102.35.35.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
  102.35.35.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    172.16.30.0/24  Direct  0    0           D   172.16.30.1     GigabitEthernet0/0/1
    172.16.30.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
  172.16.30.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
    172.16.31.0/24  OSPF    10   2           D   172.16.30.254   GigabitEthernet0/0/1
    172.16.32.0/24  OSPF    10   2           D   172.16.30.254   GigabitEthernet0/0/1
    172.16.33.0/24  OSPF    10   2           D   172.16.30.254   GigabitEthernet0/0/1
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
  • Configure Easy IP and apply it on the interface

BJ_AR1 edge router

[BJ_AR1]acl 3000
[BJ_AR1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255
[BJ_AR1-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255
[BJ_AR1-acl-adv-3000]rule 15 permit ip source 192.168.3.0 0.0.0.255
[BJ_AR1-acl-adv-3000]rule 20 permit ip source 192.168.4.0 0.0.0.255
[BJ_AR1]interface g0/0/0
[BJ_AR1-GigabitEthernet0/0/0]nat outbound 3000

[Figure: Beijing PC1 can reach the Internet]

PC1 in the Beijing office can ping the Internet.

SH_AR1 edge router

[SH_AR1]acl 3000
[SH_AR1-acl-adv-3000]rule 5 permit ip source 172.16.30.0 0.0.0.255
[SH_AR1-acl-adv-3000]rule 10 permit ip source 172.16.31.0 0.0.0.255
[SH_AR1-acl-adv-3000]rule 15 permit ip source 172.16.32.0 0.0.0.255
[SH_AR1-acl-adv-3000]rule 20 permit ip source 172.16.33.0 0.0.0.255
[SH_AR1]interface g0/0/0
[SH_AR1-GigabitEthernet0/0/0]nat outbound 3000

[Figure: Shanghai PC5 can reach the Internet]

PC5 in the Shanghai office can ping the Internet.

  • Configure IPsec VPN

BJ_AR1 edge router

Create an advanced ACL that defines the protected data flow (the interesting traffic)
[BJ_AR1]acl 3100
[BJ_AR1-acl-adv-3100]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
Create the IPsec proposal
[BJ_AR1]ipsec proposal BJ                                        #Create an IPsec proposal named BJ
[BJ_AR1-ipsec-proposal-BJ]encapsulation-mode tunnel              #Set the encapsulation mode to tunnel mode
[BJ_AR1-ipsec-proposal-BJ]transform esp                          #Set the security protocol to ESP
[BJ_AR1-ipsec-proposal-BJ]esp authentication-algorithm sha1      #Set the authentication algorithm to sha1
[BJ_AR1-ipsec-proposal-BJ]esp encryption-algorithm 3des          #Set the encryption algorithm to 3des
Create the IPsec policy
[BJ_AR1]ipsec policy P10 10 manual                                        #Create a manual IPsec policy named P10
[BJ_AR1-ipsec-policy-manual-P10-10]security acl 3100                      #Reference the security ACL
[BJ_AR1-ipsec-policy-manual-P10-10]proposal BJ                            #Reference the IPsec proposal
[BJ_AR1-ipsec-policy-manual-P10-10]tunnel local 58.58.58.2                #Local tunnel address
[BJ_AR1-ipsec-policy-manual-P10-10]tunnel remote 102.35.35.2              #Remote tunnel address
[BJ_AR1-ipsec-policy-manual-P10-10]sa spi inbound esp 123456              #Set the inbound SA SPI
[BJ_AR1-ipsec-policy-manual-P10-10]sa string-key inbound esp simple BJSH  #Set the inbound SA key
[BJ_AR1-ipsec-policy-manual-P10-10]sa spi outbound esp 654321             #Set the outbound SA SPI
[BJ_AR1-ipsec-policy-manual-P10-10]sa string-key outbound esp simple BJSH #Set the outbound SA key
Apply the IPsec policy on the interface
[BJ_AR1]interface g0/0/0
[BJ_AR1-GigabitEthernet0/0/0]ipsec policy P10

SH_AR1 edge router

Create an advanced ACL that defines the protected data flow (the interesting traffic)
[SH_AR1]acl 3100
[SH_AR1-acl-adv-3100]rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Create the IPsec proposal
[SH_AR1]ipsec proposal SH                                        #Create an IPsec proposal named SH
[SH_AR1-ipsec-proposal-SH]encapsulation-mode tunnel              #Set the encapsulation mode to tunnel mode
[SH_AR1-ipsec-proposal-SH]transform esp                          #Set the security protocol to ESP
[SH_AR1-ipsec-proposal-SH]esp authentication-algorithm sha1      #Set the authentication algorithm to sha1
[SH_AR1-ipsec-proposal-SH]esp encryption-algorithm 3des          #Set the encryption algorithm to 3des
Create the IPsec policy
[SH_AR1]ipsec policy P10 10 manual                                        #Create a manual IPsec policy named P10
[SH_AR1-ipsec-policy-manual-P10-10]security acl 3100                      #Reference the security ACL
[SH_AR1-ipsec-policy-manual-P10-10]proposal SH                            #Reference the IPsec proposal
[SH_AR1-ipsec-policy-manual-P10-10]tunnel local 102.35.35.2               #Local tunnel address
[SH_AR1-ipsec-policy-manual-P10-10]tunnel remote 58.58.58.2               #Remote tunnel address
[SH_AR1-ipsec-policy-manual-P10-10]sa spi inbound esp 654321              #Set the inbound SA SPI
[SH_AR1-ipsec-policy-manual-P10-10]sa string-key inbound esp simple BJSH  #Set the inbound SA key
[SH_AR1-ipsec-policy-manual-P10-10]sa spi outbound esp 123456             #Set the outbound SA SPI
[SH_AR1-ipsec-policy-manual-P10-10]sa string-key outbound esp simple BJSH #Set the outbound SA key
Apply the IPsec policy on the interface
[SH_AR1]interface g0/0/0
[SH_AR1-GigabitEthernet0/0/0]ipsec policy P10
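
Manual mode has no IKE negotiation, so neither router reports a mismatch: if an SPI, key, tunnel endpoint or protected flow on one side is not the mirror image of the other side, the traffic is simply dropped. The Python check below is an added example, not part of the original article; `parse` and `mismatches` are hypothetical helper names, and the two sample configs are this page's commands re-typed as constructed input.

```python
import re
# Constructed sample: this page's manual-policy commands, prompts and comments removed.
BJ = """rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
ipsec policy P10 10 manual
tunnel local 58.58.58.2
tunnel remote 102.35.35.2
sa spi inbound esp 123456
sa string-key inbound esp simple BJSH
sa spi outbound esp 654321
sa string-key outbound esp simple BJSH
ipsec policy P10"""
SH = """rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec policy P10 10 manual
tunnel local 102.35.35.2
tunnel remote 58.58.58.2
sa spi inbound esp 654321
sa string-key inbound esp simple BJSH
sa spi outbound esp 123456
sa string-key outbound esp simple BJSH
ipsec policy P10"""

def parse(cfg):
    """Extract manual-mode IPsec settings; a leading [prompt] and trailing #comment are ignored."""
    p = {}
    for line in cfg.splitlines():
        c = re.sub(r"^\s*\[[^\]]*\]", "", line).split("#")[0].split()
        if c[:2] == ["ipsec", "policy"]:
            p["applied" if len(c) == 3 else "defined"] = c[2]
        elif c[:1] == ["tunnel"]:
            p[c[1]] = c[2]                      # "local" / "remote" endpoint
        elif c[:2] in (["sa", "spi"], ["sa", "string-key"]):
            p[c[1], c[2]] = c[-1]               # ("spi", "inbound") -> "123456"
        elif c[:1] == ["rule"] and c[2:3] == ["permit"] and "destination" in c:
            s, d = c.index("source"), c.index("destination")
            p["flow"] = (tuple(c[s + 1:s + 3]), tuple(c[d + 1:d + 3]))
    return p

def mismatches(a, b):
    """List the ways peers a and b fail to mirror each other; an empty list means consistent."""
    bad = [f"{n}: applied policy {p.get('applied')} != defined {p.get('defined')}"
           for n, p in (("a", a), ("b", b)) if p.get("applied") != p.get("defined")]
    pairs = [("local", "remote"), ("remote", "local")]
    for kind in ("spi", "string-key"):
        pairs += [((kind, "inbound"), (kind, "outbound")), ((kind, "outbound"), (kind, "inbound"))]
    bad += [f"a {ka} != b {kb}" for ka, kb in pairs if a.get(ka) != b.get(kb)]
    if a.get("flow") != b.get("flow", ())[::-1]:
        bad.append("protected flows (ACL 3100) are not mirror images")
    return bad
print(mismatches(parse(BJ), parse(SH)))
```

The check covers consistency between the two peers only; it does not assess the algorithm choices (3des, sha1) or the static manual key, which are legacy settings.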
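  • Configure NAT exemption

Rule 4 has a lower ID than the permit rules already in ACL 3000, so site-to-site traffic is matched by the deny first, is not translated by nat outbound, and still matches the IPsec ACL 3100.

BJ_AR1 edge router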

[BJ_AR1]acl 3000
[BJ_AR1-acl-adv-3000]rule 4 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.30.0 0.0.0.255

SH_AR1 edge router

[SH_AR1]acl 3000
[SH_AR1-acl-adv-3000]rule 4 deny ip source 172.16.30.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 
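  • Connect the Beijing and Shanghai FTP servers (FTP_Server)

The Beijing server can ping the Shanghai server.

The Beijing core switch can ping the Shanghai server.

The Shanghai server can ping the Beijing server.

The Shanghai core switch can log in to the Beijing FTP server.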
