Successfully configuring Huawei IPSec

Step 1: Configure the device names, interface IP addresses and static routes

<Huawei>sys

[Huawei]sysn R1

[R1]int g0/0/1        

[R1-GigabitEthernet0/0/1]ip address 168.1.1.1 16

[R1-GigabitEthernet0/0/1]int g0/0/0

[R1-GigabitEthernet0/0/0]ip add 172.22.1.100 24

[R1-GigabitEthernet0/0/0]quit

[R1]ip route-static 172.22.2.0 24 168.1.1.2

[R1]ip route-static 167.1.0.0 16 168.1.1.2

 

<Huawei>sys

[Huawei]sysn R2

[R2]int g0/0/1

[R2-GigabitEthernet0/0/1]ip add 167.1.1.2 16

[R2-GigabitEthernet0/0/1]int g0/0/2

[R2-GigabitEthernet0/0/2]ip add 168.1.1.2 16

[R2-GigabitEthernet0/0/2]quit

[R2]ip route-static 172.22.2.0 24 167.1.1.1

[R2]ip route-static 172.22.1.0 24 168.1.1.1

 

<Huawei>sys

[Huawei]sysn R3

[R3]int g0/0/0        

[R3-GigabitEthernet0/0/0]ip address 172.22.2.100 24

[R3-GigabitEthernet0/0/0]int g0/0/2

[R3-GigabitEthernet0/0/2]ip address 167.1.1.1 16

[R3-GigabitEthernet0/0/2]quit

[R3]ip route-static 172.22.1.0 24 167.1.1.2

[R3]ip route-static 168.1.0.0 16 167.1.1.2

Step 2: Configure the ACLs on R1 and R3 that define the data flows to protect

[R1]acl 3101

[R1-acl-adv-3101]rule 5 permit ip source 172.22.1.0 0.0.0.255 destination 172.22.2.0 0.0.0.255    //source is R1's own LAN, destination is the LAN behind R3; R3's rule is the mirror image

 

[R3]acl 3101

[R3-acl-adv-3101]rule 5 permit ip source 172.22.2.0 0.0.0.255 destination 172.22.1.0 0.0.0.255

Step 3: Configure the IPSec proposal (security protocol) on R1 and R3

[R1]ipsec proposal tran1

[R1-ipsec-proposal-tran1]esp authentication-algorithm sha2-256

//configure the authentication algorithm

[R1-ipsec-proposal-tran1]esp encryption-algorithm aes-128

//configure the encryption algorithm

 

[R3]ipsec proposal tran1

[R3-ipsec-proposal-tran1]esp authentication-algorithm sha2-256

[R3-ipsec-proposal-tran1]esp encryption-algorithm aes-128

Step 4: Configure the IKE peers on R1 and R3

1. Configure the IKE proposal

[R1]ike proposal 5

[R1-ike-proposal-5]encryption-algorithm ?

  3des-cbc     168 bits 3DES-CBC

  aes-cbc-128  Use AES-128

  aes-cbc-192  Use AES-192

  aes-cbc-256  Use AES-256

  des-cbc      56 bits DES-CBC

[R1-ike-proposal-5]encryption-algorithm aes-cbc-128

 

[R1-ike-proposal-5]authentication-algorithm ?

  aes-xcbc-mac-96  Select aes-xcbc-mac-96 as the hash algorithm

  md5              Select MD5 as the hash algorithm

  sha1             Select SHA as the hash algorithm

  sm3              Select sm3 as the hash algorithm

[R1-ike-proposal-5]authentication-algorithm sha1

[R1-ike-proposal-5]dh group14

 

[R3]ike proposal 5

[R3-ike-proposal-5]encryption-algorithm aes-cbc-128

[R3-ike-proposal-5]authentication-algorithm sha1

[R3-ike-proposal-5]dh group14

 

 

2. Configure the IKE peer and, keeping the other defaults, configure the pre-shared key and the peer ID

[R1]ike peer spub v1      //create an IKE peer named spub that uses IKEv1

[R1-ike-peer-spub]ike-proposal 5   //reference IKE proposal 5

[R1-ike-peer-spub]pre-shared-key cipher huawei  //configure the pre-shared key

[R1-ike-peer-spub]remote-address 167.1.1.1     //configure the peer address (peer ID)


 

[R3]ike peer spua v1   //create an IKE peer named spua that uses IKEv1

[R3-ike-peer-spua]ike-proposal 5

[R3-ike-peer-spua]pre-shared-key cipher huawei

[R3-ike-peer-spua]remote-address  168.1.1.1


Step 5: Create the IPSec security policy on R1 and on R3

[R1]ipsec policy map1 10 isakmp      //create a security policy named map1


[R1-ipsec-policy-isakmp-map1-10]ike-peer spub

[R1-ipsec-policy-isakmp-map1-10]proposal tran1

[R1-ipsec-policy-isakmp-map1-10]security acl 3101

[R1-ipsec-policy-isakmp-map1-10]quit


[R3]ipsec policy use1 10 isakmp

[R3-ipsec-policy-isakmp-use1-10]ike-peer spua

[R3-ipsec-policy-isakmp-use1-10]proposal tran1

[R3-ipsec-policy-isakmp-use1-10]security acl 3101

[R3-ipsec-policy-isakmp-use1-10]quit


Step 6: Apply each security policy to the corresponding interface on R1 and R3 so that the interface provides IPSec protection.

[R1]int g0/0/1


[R1-GigabitEthernet0/0/1]ipsec policy map1    //apply security policy map1

[R1-GigabitEthernet0/0/1]quit

 

[R3]int g0/0/2

[R3-GigabitEthernet0/0/2]ipsec policy use1   //apply security policy use1

[R3-GigabitEthernet0/0/2]quit

Step 7: Verify the result

display ipsec statistics esp

display ipsec statistics ah

display ike sa

<R1>dis ike sa

    Conn-ID  Peer            VPN   Flag(s)                Phase 

  ---------------------------------------------------------------

       55    167.1.1.1       0     RD                     2    

       53    167.1.1.1       0     RD                     1    

 

  Flag Description:

  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
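For step 7 it helps to make the `display ike sa` check repeatable, for example from a monitoring job that collects the command output over SSH and alerts when a tunnel drops. The Python below is an added example, not part of the original post: it parses output in the format shown above and classifies the tunnel to a given peer as up (phase 1 and phase 2 both READY), phase 2 missing, no SA, or not ready. The sample text is constructed to match the output above; treating `|` as the separator between multiple flags is an assumption.

```python
import re

# Constructed sample in the form of the `display ike sa` output above:
# the same peer, flags and phases.
SAMPLE_IKE_SA = """\
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
       55    167.1.1.1       0     RD                     2
       53    167.1.1.1       0     RD                     1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
"""

# One SA row: conn-id, peer IPv4, VPN instance index, flags, phase.
# Several flags joined with '|' (e.g. RD|ST) is an assumption about the format.
SA_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+([A-Z|]+)\s+(\d)\s*$")


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            conn, peer, vpn, flags, phase = m.groups()
            rows.append({"conn_id": int(conn), "peer": peer, "vpn": int(vpn),
                         "flags": flags.split("|"), "phase": int(phase)})
    return rows


def tunnel_state(text, expected_peer):
    """Classify the tunnel to expected_peer from a `display ike sa` capture.

    'up'             phase 1 (IKE) and phase 2 (IPSec) SAs are both READY
    'phase2-missing' IKE negotiated but no IPSec SA: look at the ACL / ipsec proposal
    'no-sa'          nothing negotiated: look at reachability, ike peer, pre-shared key
    'not-ready'      SAs exist but none is READY (fading, timed out, ...)
    """
    rows = [r for r in parse_ike_sa(text) if r["peer"] == expected_peer]
    ready_phases = {r["phase"] for r in rows if "RD" in r["flags"]}
    if ready_phases == {1, 2}:
        return "up"
    if ready_phases == {1}:
        return "phase2-missing"
    if not rows:
        return "no-sa"
    return "not-ready"
```

On R1 the expected peer is 167.1.1.1 (R3's tunnel interface); on R3 it is 168.1.1.1. A result other than `up` is the first thing to look at before touching the configuration.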

 

Below is the complete configuration of R1 and R3

<R1>dis cu
[V200R003C00]
#
 sysname R1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
acl number 3101  
 rule 5 permit ip source 172.22.1.0 0.0.0.255 destination 172.22.2.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer spub v1
 pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
 ike-proposal 5
 remote-address 167.1.1.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 172.22.1.100 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 168.1.1.1 255.255.0.0 
 ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 167.1.0.0 255.255.0.0 168.1.1.2
ip route-static 172.22.2.0 255.255.255.0 168.1.1.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R1>

<R3>dis cu
[V200R003C00]
#
 sysname R3
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
acl number 3101  
 rule 5 permit ip source 172.22.2.0 0.0.0.255 destination 172.22.1.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer spua v1
 pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
 ike-proposal 5
 remote-address 168.1.1.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 172.22.2.100 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 167.1.1.1 255.255.0.0 
 ipsec policy use1
#
interface NULL0
#
ip route-static 168.1.0.0 255.255.0.0 167.1.1.2
ip route-static 172.22.1.0 255.255.255.0 167.1.1.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R3>
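Most failures in a two-router setup like this come from the ends not mirroring each other: a different IKE encryption algorithm on one side, a `remote-address` that is not the peer's tunnel interface, or a security ACL written from the wrong side. The Python below is an added example, not part of the original post: it parses the IPSec-relevant sections of two VRP running configs in the `display current-configuration` format shown above, follows interface -> ipsec policy -> ACL / ike peer / proposals on each router, and reports what an engineer would otherwise check by eye. The config text is built from a template of the sections above with a placeholder pre-shared key; `sha1` as the default IKE authentication algorithm matches the page (set in the walkthrough, not displayed), while `group1` as the default `dh` value is an assumption.

```python
import ipaddress
import re

# Template of the IPSec-relevant sections of the running configs shown above
# (constructed for this example; the pre-shared key is a placeholder).
TEMPLATE = """\
acl number 3101
 rule 5 permit ip source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 encryption-algorithm {ike_enc}
 dh group14
ike peer {peer} v1
 pre-shared-key cipher PLACEHOLDER
 ike-proposal 5
 remote-address {remote_addr}
ipsec policy {policy} 10 isakmp
 security acl 3101
 ike-peer {peer}
 proposal tran1
interface GigabitEthernet0/0/0
 ip address {lan_ip} 255.255.255.0
interface {wan_if}
 ip address {wan_ip} 255.255.0.0
 ipsec policy {policy}
#
"""
R1_PARAMS = dict(local_net="172.22.1.0", remote_net="172.22.2.0", ike_enc="aes-cbc-128", peer="spub",
                 remote_addr="167.1.1.1", policy="map1", lan_ip="172.22.1.100", wan_if="GigabitEthernet0/0/1", wan_ip="168.1.1.1")
R3_PARAMS = dict(local_net="172.22.2.0", remote_net="172.22.1.0", ike_enc="aes-cbc-128", peer="spua",
                 remote_addr="168.1.1.1", policy="use1", lan_ip="172.22.2.100", wan_if="GigabitEthernet0/0/2", wan_ip="167.1.1.1")
R1_CONFIG, R3_CONFIG = TEMPLATE.format(**R1_PARAMS), TEMPLATE.format(**R3_PARAMS)
ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_sections(text):
    """{section header: [indented body lines]}; blank lines and '#' separators are dropped."""
    sections, current = {}, None
    for line in (l for l in text.splitlines() if l.strip() and l.strip() != "#"):
        if line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        else:
            current, sections[line.strip()] = line.strip(), []
    return sections


def section(sections, prefix):
    """Body of the first section whose header starts with prefix."""
    return next(body for hdr, body in sections.items() if hdr and hdr.startswith(prefix))


def value(body, key, default=None):
    """Argument of the body line that starts with key, or default if there is no such line."""
    return next((ln[len(key) + 1:] for ln in body if ln.startswith(key + " ")), default)


def wildcard_net(addr, wildcard):
    """VRP ACLs use wildcard masks (0 bits are significant); convert one to an ip_network."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def tunnel_view(text):
    """Follow interface -> ipsec policy -> acl / ike peer / proposals on one router."""
    s, view = parse_sections(text), {"local_nets": []}
    for hdr, body in s.items():
        if not (hdr and hdr.startswith("interface ") and value(body, "ip address")):
            continue
        addr, mask = value(body, "ip address").split()
        if value(body, "ipsec policy"):          # the tunnel-facing interface
            view["wan_ip"], view["policy"] = addr, value(body, "ipsec policy")
        else:                                    # a directly attached (protected) network
            view["local_nets"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    pol = section(s, f"ipsec policy {view['policy']} ")
    peer = section(s, f"ike peer {value(pol, 'ike-peer')} ")
    ikep = section(s, f"ike proposal {value(peer, 'ike-proposal')}")
    ipsp = section(s, f"ipsec proposal {value(pol, 'proposal')}")
    m = ACL_RULE.match(section(s, f"acl number {value(pol, 'security acl')}")[0])
    view["acl_src"], view["acl_dst"] = wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])
    view["remote"] = value(peer, "remote-address")
    # defaults for lines the running config omits: sha1 matches the page, group1 for dh is an assumption
    view["ike"] = (value(ikep, "encryption-algorithm"),
                   value(ikep, "authentication-algorithm", "sha1"), value(ikep, "dh", "group1"))
    view["esp"] = (value(ipsp, "esp encryption-algorithm"), value(ipsp, "esp authentication-algorithm"))
    return view


def audit(a, b):
    """Findings for the tunnel as configured on a, checked against its peer b."""
    findings = []
    if a["remote"] != b["wan_ip"]:
        findings.append(f"remote-address {a['remote']} is not the peer's tunnel interface {b['wan_ip']}")
    if a["ike"] != b["ike"]:
        findings.append(f"IKE proposal mismatch: {a['ike']} vs {b['ike']}")
    if a["esp"] != b["esp"]:
        findings.append(f"IPSec proposal mismatch: {a['esp']} vs {b['esp']}")
    if (a["acl_src"], a["acl_dst"]) != (b["acl_dst"], b["acl_src"]):
        findings.append("security ACLs are not mirror images of each other")
    if not any(a["acl_src"].subnet_of(n) for n in a["local_nets"]):
        findings.append(f"ACL source {a['acl_src']} is not a locally attached network (rule reversed?)")
    return findings


def check_pair(cfg_a, cfg_b):
    """All findings for one tunnel, checked in both directions; an empty list means the ends agree."""
    a, b = tunnel_view(cfg_a), tunnel_view(cfg_b)
    return audit(a, b) + audit(b, a)
```

`check_pair(R1_CONFIG, R3_CONFIG)` returns an empty list for the configurations above. Swapping `aes-cbc-128` for `aes-cbc-192` on one side produces an IKE proposal finding in each direction, and an ACL whose source is the remote LAN rather than the router's own LAN is reported as reversed even when the two ACLs still mirror each other.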


Reposted from blog.csdn.net/GreenWooder/article/details/82954322