The lab topology is shown below:
Lab objective: connect the two private networks over an IPsec tunnel so that PC1 can ping PC2.
1. PC configuration:
PC1
PC2
2. R1 basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.10.254 24
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 100.1.1.1 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
3. R2 basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 200.1.1.1 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.20.254 24
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
4. ISP basic configuration:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 100.1.1.2 30
[Huawei-GigabitEthernet0/0/0]undo shut
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 200.1.1.2 30
[Huawei-GigabitEthernet0/0/1]undo shut
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int LoopBack 0
[Huawei-LoopBack0]ip add 2.2.2.2 32
[Huawei-LoopBack0]quit
5. IPsec configuration:
(1) Define the data flow to be protected (the "interesting traffic"). The two ACLs must be mirror images of each other: what R1 permits as source/destination, R2 permits as destination/source.
R1 configuration:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Huawei-acl-adv-3000]quit
R2 configuration:
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3000]quit
(2) Configure the IPsec proposal. Both peers must agree on the encapsulation mode, the security protocol and the algorithms.
R1 configuration:
[Huawei]ipsec proposal cd
[Huawei-ipsec-proposal-cd]encapsulation-mode tunnel \\ IPsec VPN works in tunnel mode (the original IP packet is encapsulated whole)
[Huawei-ipsec-proposal-cd]transform esp \\ the security protocol of the proposal is ESP
[Huawei-ipsec-proposal-cd]esp encryption-algorithm des \\ encryption algorithm DES
[Huawei-ipsec-proposal-cd]esp authentication-algorithm md5 \\ authentication algorithm MD5
R2 configuration:
[Huawei]ipsec proposal bj
[Huawei-ipsec-proposal-bj]encapsulation-mode tunnel
[Huawei-ipsec-proposal-bj]transform esp
[Huawei-ipsec-proposal-bj]esp encryption-algorithm des
[Huawei-ipsec-proposal-bj]esp authentication-algorithm md5
Note: DES and MD5 are used here only because this is a lab; both are deprecated for IPsec. A production proposal would use AES with SHA-2 (for example esp encryption-algorithm aes-256 and esp authentication-algorithm sha2-256; the exact keywords depend on the VRP version).
(3) Configure the manual IPsec security policy. With manual keying there is no IKE negotiation: the SPIs and keys of both security associations (SAs) are typed in by hand on each router and never rotate automatically.
R1 configuration:
[Huawei]ipsec policy chengdu 10 manual \\ create IPsec policy chengdu, sequence 10, manual keying
[Huawei-ipsec-policy-manual-chengdu-10]security acl 3000 \\ protect the traffic matched by ACL 3000
[Huawei-ipsec-policy-manual-chengdu-10]proposal cd \\ use IPsec proposal cd
[Huawei-ipsec-policy-manual-chengdu-10]tunnel local 100.1.1.1 \\ local tunnel endpoint
[Huawei-ipsec-policy-manual-chengdu-10]tunnel remote 200.1.1.1 \\ remote tunnel endpoint
[Huawei-ipsec-policy-manual-chengdu-10]sa spi inbound esp 54321 \\ SPI of the inbound SA is 54321
[Huawei-ipsec-policy-manual-chengdu-10]sa string-key inbound esp cipher kiki \\ key string of the inbound SA is kiki
[Huawei-ipsec-policy-manual-chengdu-10]sa spi outbound esp 12345 \\ SPI of the outbound SA is 12345
[Huawei-ipsec-policy-manual-chengdu-10]sa string-key outbound esp cipher kiki \\ key string of the outbound SA is kiki
R2 configuration:
[Huawei]ipsec policy beijing 10 manual
[Huawei-ipsec-policy-manual-beijing-10]security acl 3000
[Huawei-ipsec-policy-manual-beijing-10]proposal bj
[Huawei-ipsec-policy-manual-beijing-10]tunnel local 200.1.1.1
[Huawei-ipsec-policy-manual-beijing-10]tunnel remote 100.1.1.1
[Huawei-ipsec-policy-manual-beijing-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-beijing-10]sa string-key inbound esp cipher kiki
[Huawei-ipsec-policy-manual-beijing-10]sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-beijing-10]sa string-key outbound esp cipher kiki
Important: R1's inbound SA is R2's outbound SA (SPI 54321, key kiki), and likewise R2's inbound SA is R1's outbound SA (SPI 12345, key kiki). The SPI and key string must match in each direction; if either is mistyped on one side, the receiving router has no SA for the SPI in the arriving ESP packets and silently discards them, so the ping fails in one or both directions.
(4) Apply the security policy on the WAN interface:
R1 configuration:
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy chengdu
R2 configuration:
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy beijing
6. NAT ACL configuration:
R1 configuration:
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 \\ traffic from 192.168.10.0/24 to 192.168.20.0/24 must not be address-translated; it goes straight into the tunnel
[Huawei-acl-adv-3001]rule 25 permit ip
[Huawei-acl-adv-3001]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 3001
R2 configuration:
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3001]rule 25 permit ip
[Huawei-acl-adv-3001]quit
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 3001
The deny rule matters because nat outbound on g0/0/1 is applied before IPsec on the same interface: without it the source address of site-to-site packets would be rewritten to the interface address, the packets would no longer match ACL 3000, and they would leave the router in clear text instead of entering the tunnel. In a NAT ACL, deny means "do not translate", not "drop".
Lab result:
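The lab depends on three things lining up by hand: the SPIs and key strings are cross-wired between the peers, the two interesting-traffic ACLs mirror each other, and the NAT ACL exempts exactly the tunnel flows. The script below is an added example, not part of the original lab or of Huawei's tooling: it renders the lab's command set for each router from a template (constructed input), parses the IPsec- and NAT-related commands with regular expressions that cover only the commands used here (an assumption), and reports mismatches and weak algorithms. The names lab_config, parse_config, flows and audit are the example's own.

```python
import re

# Added example (not from the lab page): audit two Huawei VRP manual-keyed IPsec configs for the
# cross-wiring rule the lab stresses (R1 inbound SA == R2 outbound SA), mirrored interesting-traffic
# ACLs, the NAT exemption and weak algorithms. The regex parser only covers this lab's commands (assumption).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}

def lab_config(policy, proposal, local, remote, net, peer_net, spi_in, spi_out, key="kiki"):
    """Render one peer's command set from the lab (constructed input, one command per line)."""
    return f"""
acl 3000
 rule 10 permit ip source {net} 0.0.0.255 destination {peer_net} 0.0.0.255
quit
ipsec proposal {proposal}
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
quit
ipsec policy {policy} 10 manual
 security acl 3000
 proposal {proposal}
 tunnel local {local}
 tunnel remote {remote}
 sa spi inbound esp {spi_in}
 sa string-key inbound esp cipher {key}
 sa spi outbound esp {spi_out}
 sa string-key outbound esp cipher {key}
quit
acl 3001
 rule 20 deny ip source {net} 0.0.0.255 destination {peer_net} 0.0.0.255
 rule 25 permit ip
quit
interface GigabitEthernet0/0/1
 ipsec policy {policy}
 nat outbound 3001
"""

R1_CONFIG = lab_config("chengdu", "cd", "100.1.1.1", "200.1.1.1", "192.168.10.0", "192.168.20.0", 54321, 12345)
R2_CONFIG = lab_config("beijing", "bj", "200.1.1.1", "100.1.1.1", "192.168.20.0", "192.168.10.0", 12345, 54321)

PATTERNS = {  # one capture group each: the value we keep
    "ipsec_acl": r"security acl (\d+)", "nat_acl": r"nat outbound (\d+)",
    "local": r"tunnel local (\S+)", "remote": r"tunnel remote (\S+)",
    "spi_in": r"sa spi inbound esp (\d+)", "spi_out": r"sa spi outbound esp (\d+)",
    "key_in": r"sa string-key inbound esp cipher (\S+)",
    "key_out": r"sa string-key outbound esp cipher (\S+)",
    "enc": r"esp encryption-algorithm (\S+)", "auth": r"esp authentication-algorithm (\S+)",
}
RULE = r"rule \d+ (permit|deny) ip(?: source (\S+ \S+) destination (\S+ \S+))?"

def parse_config(text):
    """Collect the IPsec/NAT settings plus ACL rules as (action, 'net wildcard', 'net wildcard')."""
    cfg = {"acl": {}}
    acl = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.fullmatch(r"acl (\d+)", line):
            acl = m.group(1)
            cfg["acl"][acl] = []
        elif acl and (m := re.fullmatch(RULE, line)):
            cfg["acl"][acl].append(m.groups())
        elif line == "quit":
            acl = None
        for name, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                cfg[name] = m.group(1)
    return cfg

def flows(cfg, acl_id, action):
    """(source, destination) pairs matched by the ACL with the given action; 'permit ip' catch-alls are skipped."""
    return {(s, d) for a, s, d in cfg["acl"].get(acl_id, []) if a == action and s}

def audit(text_a, text_b):
    """Return (errors, warnings) for two peers' configs."""
    a, b = parse_config(text_a), parse_config(text_b)
    errors, warnings = [], []
    def check(ok, msg):
        if not ok:
            errors.append(msg)
    check(a["local"] == b["remote"] and b["local"] == a["remote"], "tunnel local/remote not swapped")
    # Manual SAs are cross-wired: A's inbound SPI and key must equal B's outbound ones, and vice versa.
    check(a["spi_in"] == b["spi_out"], "A inbound SPI != B outbound SPI")
    check(b["spi_in"] == a["spi_out"], "B inbound SPI != A outbound SPI")
    check(a["key_in"] == b["key_out"] and b["key_in"] == a["key_out"], "string-keys differ per direction")
    check(a["enc"] == b["enc"] and a["auth"] == b["auth"], "proposal algorithms differ")
    fa, fb = flows(a, a["ipsec_acl"], "permit"), flows(b, b["ipsec_acl"], "permit")
    check(fa == {(d, s) for s, d in fb}, "interesting-traffic ACLs are not mirror images")
    for side, cfg, f in (("A", a, fa), ("B", b, fb)):
        if cfg["enc"] in WEAK_ENCRYPTION:
            warnings.append(f"{side}: weak encryption {cfg['enc']}")
        if cfg["auth"] in WEAK_AUTH:
            warnings.append(f"{side}: weak authentication {cfg['auth']}")
        # nat outbound on the same interface rewrites the source before IPsec classifies the packet,
        # so every tunnel flow must appear as a deny (do-not-translate) rule in the NAT ACL.
        if "nat_acl" in cfg:
            check(f <= flows(cfg, cfg["nat_acl"], "deny"), f"{side}: NAT ACL {cfg['nat_acl']} does not exempt tunnel traffic")
    return errors, warnings
```

Running audit(R1_CONFIG, R2_CONFIG) returns no errors for the lab as written and four warnings (DES and MD5 on each side). Changing one SPI on R2, or turning R1's rule 20 into a permit, produces the corresponding error, which is exactly the kind of mistake that otherwise shows up only as a silent ping failure.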