IPSec Lab Configuration (1)

Lab requirements

Make PC1 and PC2 reachable from each other (routing)
Configure an ACL that matches packets from source 192.168.1.0/24 to destination 192.168.2.0/24 and apply authentication to them
Configure the SA to be established manually

Lab topology

[Figure: lab topology diagram]

Lab configuration

AR1

[Huawei]ip route-static 12.0.0.0 255.255.255.0 11.0.0.2
[Huawei]ip route-static 192.168.2.0 255.255.255.0 12.0.0.2   // next hop is not directly connected; resolved recursively through the 12.0.0.0/24 route above
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001]quit
[Huawei]ipsec proposal tran1
[Huawei-ipsec-proposal-tran1]esp authentication-algorithm sha1   // only the authentication algorithm is changed; the encryption algorithm keeps the platform default (verify with display ipsec proposal)
[Huawei-ipsec-proposal-tran1]quit
[Huawei]ipsec policy P1 10 manual   // manual: the SA is configured by hand instead of negotiated by IKE
[Huawei-ipsec-policy-manual-P1-10]security acl 3001
[Huawei-ipsec-policy-manual-P1-10]proposal tran1
[Huawei-ipsec-policy-manual-P1-10]tunnel remote 12.0.0.2
[Huawei-ipsec-policy-manual-P1-10]tunnel local 11.0.0.1
[Huawei-ipsec-policy-manual-P1-10]sa spi outbound esp 54321   // SPI of the outbound SA; must equal the peer's inbound SPI
[Huawei-ipsec-policy-manual-P1-10]sa spi inbound esp 12345    // SPI of the inbound SA; must equal the peer's outbound SPI
[Huawei-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei   // simple: the key is entered and stored in plaintext
[Huawei-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]quit
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy P1
[Huawei-GigabitEthernet0/0/1]quit


AR3

# Transit router: only addressing and routes, no IPSec configuration
<Huawei>u t m   // undo terminal monitor: stop log messages from interrupting the console
<Huawei>system-view 
[Huawei]inter g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[Huawei-GigabitEthernet0/0/0]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 192.168.1.0 24 11.0.0.1
[Huawei]ip route-static 192.168.2.0 24 12.0.0.2

AR2

# Routing reachability
<Huawei>u t m 
<Huawei>system-view 
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[Huawei-GigabitEthernet0/0/1]inter g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.2.254 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 11.0.0.0 24 12.0.0.1
[Huawei]ip route-static 192.168.1.0 24 11.0.0.1   // next hop is not directly connected; resolved recursively through the 11.0.0.0/24 route above
# ACL (mirror image of AR1's ACL 3001)
[Huawei]acl 3002
[Huawei-acl-adv-3002]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3002]quit
# Proposal and manual policy: SPIs and keys mirror AR1 (AR1 outbound 54321 = AR2 inbound 54321, AR1 inbound 12345 = AR2 outbound 12345)
[Huawei]ipsec proposal tran1
[Huawei-ipsec-proposal-tran1]esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1]quit
[Huawei]ipsec policy P1 10 manual 
[Huawei-ipsec-policy-manual-P1-10]security acl 3002
[Huawei-ipsec-policy-manual-P1-10]proposal tran1
[Huawei-ipsec-policy-manual-P1-10]tunnel remote 11.0.0.1
[Huawei-ipsec-policy-manual-P1-10]tunnel local 12.0.0.2
[Huawei-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[Huawei-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]quit
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy P1
[Huawei-GigabitEthernet0/0/1]quit

[Huawei]disp ipsec policy

[Figure: output of display ipsec policy]
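With manual keying there is no IKE negotiation to tell you that the two sides disagree: a mismatched SPI, key or ACL simply results in dropped packets. The following script is an added example (not part of the original post, and not a Huawei tool) that parses the manual-SA lines of AR1 and AR2 above, copied in as constructed sample input with the CLI prompts stripped, and checks that everything that has to be mirrored between the peers actually is: tunnel local/remote swapped, each side's outbound SPI and key equal to the other side's inbound SPI and key, and the two security ACLs being mirror images. It also flags keys entered with `simple`, which VRP stores in plaintext in the configuration.

```python
"""Cross-check two manually keyed IPSec peers for mirrored parameters (added example)."""
import re
from typing import List, Tuple

# Constructed sample input: the manual-SA lines of AR1 and AR2 from the lab,
# prompts stripped. Interface addressing and routes are omitted because they
# play no part in the SA mirror check.
AR1_CONFIG = """
acl 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec policy P1 10 manual
security acl 3001
proposal tran1
tunnel remote 12.0.0.2
tunnel local 11.0.0.1
sa spi outbound esp 54321
sa spi inbound esp 12345
sa string-key outbound esp simple huawei
sa string-key inbound esp simple huawei
"""

AR2_CONFIG = """
acl 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec policy P1 10 manual
security acl 3002
proposal tran1
tunnel remote 11.0.0.1
tunnel local 12.0.0.2
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp simple huawei
sa string-key inbound esp simple huawei
"""

RULE_RE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")
TUNNEL_RE = re.compile(r"tunnel\s+(local|remote)\s+(\S+)")
SPI_RE = re.compile(r"sa\s+spi\s+(inbound|outbound)\s+esp\s+(\d+)")
KEY_RE = re.compile(r"sa\s+string-key\s+(inbound|outbound)\s+esp\s+(simple|cipher)\s+(\S+)")


def parse_peer(text: str) -> dict:
    """Pull out the fields that must agree between two manual-SA peers."""
    peer = {"rules": [], "tunnel": {}, "spi": {}, "key": {}, "key_mode": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RULE_RE.match(line):
            peer["rules"].append(m.groups())  # (src, src_wildcard, dst, dst_wildcard)
        elif m := TUNNEL_RE.match(line):
            peer["tunnel"][m.group(1)] = m.group(2)
        elif m := SPI_RE.match(line):
            peer["spi"][m.group(1)] = int(m.group(2))
        elif m := KEY_RE.match(line):
            peer["key_mode"][m.group(1)] = m.group(2)
            peer["key"][m.group(1)] = m.group(3)
    return peer


def check_peers(a: dict, b: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors stop the tunnel, warnings are key hygiene."""
    errors, warnings = [], []
    # Tunnel endpoints must be swapped between the two sides.
    if a["tunnel"].get("local") != b["tunnel"].get("remote"):
        errors.append(f"A local {a['tunnel'].get('local')} != B remote {b['tunnel'].get('remote')}")
    if a["tunnel"].get("remote") != b["tunnel"].get("local"):
        errors.append(f"A remote {a['tunnel'].get('remote')} != B local {b['tunnel'].get('local')}")
    # A's outbound SA is B's inbound SA (and vice versa): same SPI, same key.
    for a_dir, b_dir in (("outbound", "inbound"), ("inbound", "outbound")):
        if a["spi"].get(a_dir) != b["spi"].get(b_dir):
            errors.append(f"SPI mismatch: A {a_dir} {a['spi'].get(a_dir)} vs B {b_dir} {b['spi'].get(b_dir)}")
        if a["key"].get(a_dir) != b["key"].get(b_dir):
            errors.append(f"key mismatch: A {a_dir} vs B {b_dir}")
    # The security ACLs must be mirror images: B's rules with src/dst swapped equal A's.
    a_flows = set(a["rules"])
    b_mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in b["rules"]}
    for flow in sorted(a_flows ^ b_mirrored):
        errors.append(f"ACL rule not mirrored on the other side: {flow}")
    # 'simple' keys are stored readable in the saved configuration.
    for name, peer in (("A", a), ("B", b)):
        for direction, mode in peer["key_mode"].items():
            if mode == "simple":
                warnings.append(f"{name}: {direction} key entered with 'simple' (plaintext); prefer cipher")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_peers(parse_peer(AR1_CONFIG), parse_peer(AR2_CONFIG))
    print("errors:", errs or "none")
    for w in warns:
        print("warning:", w)
```

Run against the lab's two configurations the script reports no errors and four plaintext-key warnings; changing a single SPI digit on one side produces one SPI mismatch error, which is the failure that otherwise shows up only as silent packet loss on the tunnel.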

Packet capture

The capture of PC2 pinging PC1 is shown in the figure
[Figure: capture of PC2 pinging PC1]
Before the VPN tunnel is configured, the source and destination IPs are the internal addresses and the protocol type is ICMP, so the traffic can be read straight from the capture.
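What `esp authentication-algorithm sha1` adds to such a packet is an ESP header (SPI, sequence number) in front of the inner IP packet, an ESP trailer behind it, and an HMAC-SHA1-96 integrity check value computed over all of it (RFC 4303, RFC 2404). The script below is an added example, not part of the original post or of Huawei's implementation, that builds a constructed PC2-to-PC1 ICMP echo, wraps it in ESP with the lab's outbound SPI 54321, and shows that a receiver with the right key recovers the inner packet while a wrong key or a single flipped byte makes verification fail. Two simplifications are assumptions for readability: the payload is left unencrypted (ESP-NULL, RFC 2410) so the structure is visible, whereas the lab proposal keeps the platform's default encryption algorithm; and the HMAC key is the literal string `huawei`, which is not how VRP derives SA keys from `sa string-key`.

```python
"""Build and verify ESP packets with HMAC-SHA1-96 integrity (added example)."""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12           # HMAC-SHA1-96 (RFC 2404): SHA-1 HMAC truncated to 96 bits
NEXT_HEADER_IPIP = 4   # tunnel mode: the ESP payload is a whole inner IPv4 packet
SPI_AR2_OUTBOUND = 54321
KEY = b"huawei"        # illustrative only; VRP derives real SA keys differently


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, ident: int = 1, seq: int = 1,
                    payload: bytes = b"abcdefgh") -> bytes:
    """Constructed inner packet: IPv4 header + ICMP echo request (stand-in for a PC2 -> PC1 ping)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + icmp


def inner_summary(inner: bytes):
    """(protocol, src, dst) of an IPv4 packet: what a capture shows before encapsulation."""
    return inner[9], socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])


def esp_encapsulate(spi: int, seq: int, inner: bytes, key: bytes,
                    next_header: int = NEXT_HEADER_IPIP) -> bytes:
    """SPI | seq | payload | padding | pad len | next header | ICV (RFC 4303, ESP-NULL)."""
    pad_len = (-(len(inner) + 2)) % 4            # align payload + trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # default monotonic pad bytes 1, 2, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_verify(packet: bytes, key: bytes):
    """Check the ICV; return (spi, seq, next_header, inner) or None on failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                               # wrong key or modified in transit
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if 8 + 2 + pad_len > len(body):
        return None
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    inner = build_icmp_echo("192.168.2.1", "192.168.1.1")
    print("inner packet:", inner_summary(inner))
    pkt = esp_encapsulate(SPI_AR2_OUTBOUND, 1, inner, KEY)
    print("ESP length:", len(pkt), "verified:", esp_verify(pkt, KEY) is not None)
    tampered = pkt[:20] + bytes([pkt[20] ^ 0xFF]) + pkt[21:]
    print("tampered verified:", esp_verify(tampered, KEY) is not None)
```

Between AR1 and AR3 a capture of the protected flow would show IP protocol 50 with the outer router addresses and the SPI in clear; only the inner addresses and the ICMP type are covered by the ESP payload, and only the ICV ties the packet to the key. Because the ICV is computed over the SPI and sequence number as well, a receiver with the wrong SPI or key for that direction rejects the packet exactly like the tampered one here.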



Reposted from blog.csdn.net/qq_39689711/article/details/105451247