Network topology diagram
Method 1: Manual (static) IPsec tunnel configuration
1. Configure the PC addresses on both sides
PC1 at the Hunan site: 192.168.10.1/24
PC2 at the Shenzhen site: 192.168.20.1/24
PC>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fe9e:3b7d
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.254
Physical address..................: 54-89-98-9E-3B-7D
DNS server........................:
PC>
PC>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fe55:5ed6
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.254
Physical address..................: 54-89-98-55-5E-D6
DNS server........................:
PC>
2. Configure the interface addresses on both sites' egress routers
AR1 (Hunan site) configuration
g0/0/0: 192.168.10.254/24
g0/0/1: 100.1.1.1/30
Default route points to g0/0/0 on the ISP router AR3
Configure an ACL matching the 192.168.10.0 network and apply NAT on the egress router's outbound interface so that the PC at the Hunan site can reach the Internet; once done, ping 2.2.2.2 from PC1 to confirm.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR1
[AR1]interface gigabitether 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.10.254 24
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface gigabitether 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 100.1.1.1 30
[AR1-GigabitEthernet0/0/1]quit
[AR1]
[AR1]ip route-static 0.0.0.0 0 100.1.1.2
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]interface gigabitether 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000
[AR1-GigabitEthernet0/0/1]quit
[AR1]
AR2 (Shenzhen site) configuration
g0/0/1: 192.168.20.254/24
g0/0/0: 200.1.1.1/30
Default route points to g0/0/1 on the ISP router AR3
Configure an ACL matching the 192.168.20.0 network and apply NAT on the egress router's outbound interface so that the PC at the Shenzhen site can reach the Internet; once done, ping 2.2.2.2 from PC2 to confirm.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR2
[AR2]interface gigabitether 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 200.1.1.1 30
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface gigabitether 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 192.168.20.254 24
[AR2-GigabitEthernet0/0/1]quit
[AR2]
[AR2]ip route-static 0.0.0.0 0 200.1.1.2
[AR2]acl 2000
[AR2-acl-basic-2000]rule 20 permit source 192.168.20.0 0.0.0.255
[AR2-acl-basic-2000]quit
[AR2]interface gigabitether 0/0/0
[AR2-GigabitEthernet0/0/0]nat outbound 2000
[AR2-GigabitEthernet0/0/0]quit
[AR2]
Configure the interface addresses on router AR3
AR3 simulates the ISP; it also carries the address 2.2.2.2, which is used to test Internet reachability. In practice you do not know the specific addresses on the Internet, since there are far too many public IPs.
g0/0/0: 100.1.1.2/30
g0/0/1: 200.1.1.2/30
Virtual interface LoopBack0: 2.2.2.2/32, simulating an Internet address
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR3
[AR3]interface gigabitether 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 100.1.1.2 30
[AR3-GigabitEthernet0/0/0]quit
[AR3]interface gigabitether 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 200.1.1.2 30
[AR3-GigabitEthernet0/0/1]quit
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 2.2.2.2 32
[AR3-LoopBack0]quit
[AR3]
Test interface connectivity
PC1 pings both addresses of its egress router and the simulated Internet address 2.2.2.2
PC>ping 192.168.10.254
Ping 192.168.10.254: 32 data bytes, Press Ctrl_C to break
From 192.168.10.254: bytes=32 seq=1 ttl=255 time=31 ms
From 192.168.10.254: bytes=32 seq=2 ttl=255 time=16 ms
From 192.168.10.254: bytes=32 seq=3 ttl=255 time<1 ms
From 192.168.10.254: bytes=32 seq=4 ttl=255 time=16 ms
From 192.168.10.254: bytes=32 seq=5 ttl=255 time=15 ms
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/15/31 ms
PC>ping 100.1.1.1
Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=255 time=16 ms
From 100.1.1.1: bytes=32 seq=2 ttl=255 time=15 ms
From 100.1.1.1: bytes=32 seq=3 ttl=255 time<1 ms
From 100.1.1.1: bytes=32 seq=4 ttl=255 time<1 ms
From 100.1.1.1: bytes=32 seq=5 ttl=255 time<1 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/6/16 ms
PC>
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=31 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=31 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/21/31 ms
PC2 pings both addresses of its egress router and the simulated Internet address 2.2.2.2
PC>ping 192.168.20.254
Ping 192.168.20.254: 32 data bytes, Press Ctrl_C to break
From 192.168.20.254: bytes=32 seq=1 ttl=255 time=46 ms
From 192.168.20.254: bytes=32 seq=2 ttl=255 time=16 ms
From 192.168.20.254: bytes=32 seq=3 ttl=255 time=16 ms
From 192.168.20.254: bytes=32 seq=4 ttl=255 time=15 ms
From 192.168.20.254: bytes=32 seq=5 ttl=255 time=16 ms
--- 192.168.20.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/21/46 ms
PC>ping 200.1.1.1
Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
From 200.1.1.1: bytes=32 seq=1 ttl=255 time<1 ms
From 200.1.1.1: bytes=32 seq=2 ttl=255 time<1 ms
From 200.1.1.1: bytes=32 seq=3 ttl=255 time=16 ms
From 200.1.1.1: bytes=32 seq=4 ttl=255 time=15 ms
From 200.1.1.1: bytes=32 seq=5 ttl=255 time=16 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/9/16 ms
PC>
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=31 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=31 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/21/31 ms
3. Configure IPsec
Now the PCs at both companies can reach the Internet, but the two private networks cannot reach each other: the 192.168.10.0 network at the Hunan site and the 192.168.20.0 network at the Shenzhen site.
Step 1: match the traffic to be protected
That is, the traffic that goes through the tunnel: from the Hunan private 192.168.10.0 network to the Shenzhen headquarters' private 192.168.20.0 network. Because both a source and a destination are specified, an advanced ACL is needed.
AR1 configuration
Match the traffic from Hunan to Shenzhen
[AR1]acl 3000
[AR1-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1-acl-adv-3000]quit
AR2 configuration
Match the traffic from Shenzhen to Hunan
[AR2]acl 3000
[AR2-acl-adv-3000]rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2-acl-adv-3000]quit
[AR2]
Step 2: configure the IPsec proposal
AR1 configuration
Proposal name: e.g. hunan
Authentication algorithm: e.g. md5
Encryption algorithm: e.g. des
Use display ipsec proposal to view the details
[AR1]ipsec proposal hunan
[AR1-ipsec-proposal-hunan]esp authentication-algorithm md5
[AR1-ipsec-proposal-hunan]esp encryption-algorithm des
[AR1-ipsec-proposal-hunan]quit
[AR1]display ipsec proposal
Number of proposals: 1
IPSec proposal name: hunan
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
[AR1]
AR2 configuration
Proposal name: e.g. shenzhen
Authentication algorithm: e.g. md5
Encryption algorithm: e.g. des
Use display ipsec proposal to view the details
[AR2]ipsec proposal shenzhen
[AR2-ipsec-proposal-shenzhen]esp authentication-algorithm md5
[AR2-ipsec-proposal-shenzhen]esp encryption-algorithm des
[AR2-ipsec-proposal-shenzhen]quit
[AR2]display ipsec proposal
Number of proposals: 1
IPSec proposal name: shenzhen
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
[AR2]
Step 3: IPsec security policy in manual mode
The automatic (IKE-negotiated) configuration is more complex
AR1 configuration
Policy name hn, manual mode
Security ACL 3000
Proposal: the hunan proposal configured earlier
Local address 100.1.1.1, remote address 200.1.1.1
Inbound SA SPI 54321, key string monster
Outbound SA SPI 12345, key string monster
[AR1]ipsec policy hn 10 manual
[AR1-ipsec-policy-manual-hunan-10]security acl 3000
[AR1-ipsec-policy-manual-hunan-10]proposal hunan
[AR1-ipsec-policy-manual-hunan-10]tunnel local 100.1.1.1
[AR1-ipsec-policy-manual-hunan-10]tunnel remote 200.1.1.1
[AR1-ipsec-policy-manual-hunan-10]sa spi inbound esp 54321
[AR1-ipsec-policy-manual-hunan-10]sa string-key inbound esp cipher monster
[AR1-ipsec-policy-manual-hunan-10]sa spi outbound esp 12345
[AR1-ipsec-policy-manual-hunan-10]sa string-key outbound esp cipher monster
[AR1-ipsec-policy-manual-hunan-10]quit
[AR1]
AR2 configuration
The mirror image of AR1
Security policy name sz
Protected traffic matched by ACL 3000
Local address 200.1.1.1, remote address 100.1.1.1
Inbound SA SPI 12345, key string monster
Outbound SA SPI 54321, key string monster
[AR2]ipsec policy sz 10 manual
[AR2-ipsec-policy-manual-shenzhen-10]security acl 3000
[AR2-ipsec-policy-manual-shenzhen-10]proposal shenzhen
[AR2-ipsec-policy-manual-shenzhen-10]tunnel local 200.1.1.1
[AR2-ipsec-policy-manual-shenzhen-10]tunnel remote 100.1.1.1
[AR2-ipsec-policy-manual-shenzhen-10]sa spi inbound esp 12345
[AR2-ipsec-policy-manual-shenzhen-10]sa string-key inbound esp cipher monster
[AR2-ipsec-policy-manual-shenzhen-10]sa spi outbound esp 54321
[AR2-ipsec-policy-manual-shenzhen-10]sa string-key outbound esp cipher monster
[AR2-ipsec-policy-manual-shenzhen-10]quit
[AR2]
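A manual tunnel has no IKE negotiation to reject a mismatched SA, so it is worth cross-checking the two policies before applying them: AR1's outbound SPI and key must equal AR2's inbound ones and vice versa, and the tunnel endpoints must be mirrored. The Python example below is added here and is not part of the lab; it parses the policy-view commands from a constructed copy of the page's AR1/AR2 configuration in which one digit has been added to AR1's outbound SPI so the check has something to catch.

```python
import re

# Constructed from the page's AR1/AR2 manual policies (prompts stripped), with one
# digit added to AR1's outbound SPI so the check has something to catch.
AR1_POLICY = """
tunnel local 100.1.1.1
tunnel remote 200.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher monster
sa spi outbound esp 123456
sa string-key outbound esp cipher monster
"""
AR2_POLICY = """
tunnel local 200.1.1.1
tunnel remote 100.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher monster
sa spi outbound esp 54321
sa string-key outbound esp cipher monster
"""

def parse_policy(text):
    """Pull tunnel endpoints, SPIs and string-keys out of a manual policy view."""
    p = {}
    for line in text.strip().splitlines():
        if m := re.match(r"tunnel (local|remote) (\S+)", line):
            p[m.group(1)] = m.group(2)
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)", line):
            p["spi_" + m.group(1)] = int(m.group(2))
        elif m := re.match(r"sa string-key (inbound|outbound) esp cipher (\S+)", line):
            p["key_" + m.group(1)] = m.group(2)
    return p

def check_peers(a, b):
    """Return the mismatches between two peers' policies; an empty list means consistent."""
    problems = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel local/remote addresses are not mirrored")
    # A's outbound SA is B's inbound SA and vice versa: SPI and key must agree per pair.
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        if a["spi_" + mine] != b["spi_" + theirs]:
            problems.append(f"A {mine} SPI {a['spi_' + mine]} != B {theirs} SPI {b['spi_' + theirs]}")
        if a["key_" + mine] != b["key_" + theirs]:
            problems.append(f"A {mine} key != B {theirs} key")
    return problems

if __name__ == "__main__":
    for problem in check_peers(parse_policy(AR1_POLICY), parse_policy(AR2_POLICY)):
        print("MISMATCH:", problem)
```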
Step 4: apply the IPsec policy on the interface
AR1 configuration
Apply the IPsec policy named hn
[AR1]interface gigabitether 0/0/1
[AR1-GigabitEthernet0/0/1]ipsec policy hn
[AR1-GigabitEthernet0/0/1]quit
[AR1]
AR2 configuration
Apply the IPsec policy named sz
[AR2]interface gigabitether 0/0/0
[AR2-GigabitEthernet0/0/0]ipsec policy sz
[AR2-GigabitEthernet0/0/0]quit
[AR2]
4. Configure static routes
After the IPsec policy is applied, the two private networks still cannot reach each other, because the NAT configured earlier matches ACL 2000, so the traffic bound for the Shenzhen headquarters must be excluded from NAT. First remove the earlier configuration.
AR1 configuration
Enter the interface and remove NAT, then delete ACL 2000
Then create a new advanced ACL 3001 (3000 is already in use) with two rules: deny 192.168.10.0 to 192.168.20.0, and permit everything else (meaning traffic to the headquarters' private network is not NATed)
[AR1]interface gigabitether 0/0/1
[AR1-GigabitEthernet0/0/1]undo nat outbound 2000
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo acl 2000
[AR1]acl 3001
[AR1-acl-adv-3001]rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1-acl-adv-3001]rule 20 permit ip
[AR1-acl-adv-3001]quit
[AR1]interface gigabitether 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 3001
[AR1-GigabitEthernet0/0/1]quit
[AR1]
AR2 configuration
Remove NAT, then delete ACL 2000
Then create a new advanced ACL 3001 (3000 is already in use) with two rules: deny 192.168.20.0 to 192.168.10.0, and permit everything else
[AR2]interface gigabitether 0/0/0
[AR2-GigabitEthernet0/0/0]undo nat outbound 2000
[AR2-GigabitEthernet0/0/0]quit
[AR2]undo acl 2000
[AR2]acl 3001
[AR2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2-acl-adv-3001]rule 20 permit ip
[AR2-acl-adv-3001]quit
[AR2]interface gigabitether 0/0/0
[AR2-GigabitEthernet0/0/0]nat outbound 3001
[AR2-GigabitEthernet0/0/0]quit
[AR2]
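The reason the original NAT ACL broke the tunnel is ordering: on the egress interface NAT is applied before the IPsec policy is matched, so the site-to-site packet left with source 100.1.1.1 and no longer matched ACL 3000. The Python example below is added here and is not from the lab; it models that order with AR1's ACLs 2000, 3000 and 3001 as configured on this page (rules evaluated in ascending rule-number order, first match wins) to show why the deny rule in 3001 is needed.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a set bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(rules, src, dst):
    """First matching rule wins in ascending rule-number order; None when nothing matches.
    rules: (rule_no, action, src_base, src_wc, dst_base, dst_wc); dst None means 'any'."""
    for _, action, sb, sw, db, dw in sorted(rules):
        if wildcard_match(src, sb, sw) and (db is None or wildcard_match(dst, db, dw)):
            return action
    return None

# Constructed from the page's AR1 configuration.
ACL_2000 = [(10, "permit", "192.168.10.0", "0.0.0.255", None, None)]  # original NAT ACL
ACL_3000 = [(10, "permit", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")]  # IPsec ACL
ACL_3001 = [(10, "deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
            (20, "permit", "0.0.0.0", "255.255.255.255", None, None)]  # NAT ACL with exemption
WAN_IP = "100.1.1.1"

def egress(src, dst, nat_acl, ipsec_acl=ACL_3000):
    """Simulate AR1's outbound processing: NAT runs before the IPsec policy is matched,
    so the IPsec ACL sees the post-NAT source. Returns (treatment, source_on_wire)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_IP                      # nat outbound (Easy IP) rewrites the source
    if acl_action(ipsec_acl, src, dst) == "permit":
        return "ipsec", src               # ESP-encapsulated toward 200.1.1.1
    return "clear", src                   # forwarded unprotected

if __name__ == "__main__":
    for name, acl in (("acl 2000", ACL_2000), ("acl 3001", ACL_3001)):
        print(name, "PC1->PC2:", egress("192.168.10.1", "192.168.20.1", acl),
              "PC1->2.2.2.2:", egress("192.168.10.1", "2.2.2.2", acl))
```

With ACL 2000 the PC1-to-PC2 packet comes out ("clear", "100.1.1.1"): NATed and unencrypted, heading for a private destination the ISP cannot route; with ACL 3001 it comes out ("ipsec", "192.168.10.1").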
Verify that the two private networks can reach each other
PC1: both the Internet and the Shenzhen private network are reachable
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time<1 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=32 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=31 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/18/32 ms
PC>ping 192.168.20.1
Ping 192.168.20.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.20.1: bytes=32 seq=2 ttl=127 time=31 ms
From 192.168.20.1: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.20.1: bytes=32 seq=4 ttl=127 time=31 ms
From 192.168.20.1: bytes=32 seq=5 ttl=127 time=47 ms
--- 192.168.20.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/35/47 ms
PC>
PC2: both the Internet and the Hunan private network are reachable
PC>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=32 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=32 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=31 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/25/32 ms
PC>ping 192.168.10.1
Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=127 time=31 ms
From 192.168.10.1: bytes=32 seq=2 ttl=127 time=31 ms
From 192.168.10.1: bytes=32 seq=3 ttl=127 time=31 ms
From 192.168.10.1: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.10.1: bytes=32 seq=5 ttl=127 time=31 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/31/32 ms
PC>
Method 2: Automatic IPsec tunnel
This takes two more steps than the manual method: in step 2, add the IKE security proposal and the IKE peer settings; everything else is the same as the static configuration.
Policy mode: manual means manual configuration, isakmp means automatic (IKE-negotiated)