1. The experimental topology is shown in the figure
2. Requirements
Headquarters and branches are connected through IPSec VPN
Headquarters and branches can access the extranet
3. Requirements analysis
This experiment has to provide both the site-to-site VPN and Internet access, so two ACLs are needed: one matches the IPSec flow of interest, the other selects the traffic to be translated by NAT. The NAT ACL must exclude the headquarters-to-branch traffic, because on the outbound interface NAT is applied before the IPSec policy is matched; if the private addresses were translated first, the packets would no longer match the flow of interest and would leave the router unencrypted. The difficulty of the experiment lies in the IPSec VPN configuration itself: it is long, and any parameter that differs between the two ends (IKE proposal, pre-shared key, local/remote addresses, IPSec proposal, or the interest-flow ACLs, which must be mirror images of each other) will cause the VPN to fail to be established.
4. IPSec configuration order
Configure the ACL for the flow of interest, matching the traffic destined for the branch's private network
Create the IKE proposal
In the IKE proposal view you configure the authentication method, authentication algorithm, encryption algorithm and DH group, among other parameters. (Diffie-Hellman is a public-key key-agreement algorithm: the two parties exchange public values and each computes the same shared secret, without the secret itself ever being transmitted. The DH group configured at both ends of the IPSec tunnel must be the same, otherwise the IKE negotiation fails.) These parameters have default values, as shown in the figure
Create the IKE peer
Configure the negotiation mode, main mode or aggressive mode (default is main mode; this only applies to IKEv1, and the peers below are created with v2); reference the IKE proposal; set the pre-shared key; and, in main mode, configure the local and remote public network addresses
Create the IPSec proposal
Configure the security protocol (default is ESP)
Configure the encapsulation mode (default is tunnel mode)
Configure the authentication algorithm
Configure the encryption algorithm
Note: The above parameters have default values, as shown in the figure
Create the IPSec policy
Reference the ACL
Specify the IKE peer
Reference the IPSec proposal
Apply the IPSec policy
Apply the IPSec policy on the public network interface
5. IPSec configuration
Configuration of R1
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 1.1.1.1 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0 1.1.1.2
//Create ACL 3000 for NAT: deny the headquarters-to-branch traffic so it is not translated, permit everything else (that traffic is NATed when it leaves g0/0/1)
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3000]rule 5 permit ip
[Huawei-acl-adv-3000]quit
//Create acl 3001 to match the traffic going to the private network of the branch
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001]quit
//Create IKE proposal (every value here must match the branch side; DES-CBC and SHA1 are lab values, obsolete for production, where AES and SHA2 should be used)
[Huawei]ike proposal 1
[Huawei-ike-proposal-1]authentication-method pre-share
[Huawei-ike-proposal-1]authentication-algorithm sha1
[Huawei-ike-proposal-1]encryption-algorithm des-cbc
[Huawei-ike-proposal-1]dh group14
[Huawei-ike-proposal-1]quit
//create ike peer
[Huawei]ike peer to_fen v2
[Huawei-ike-peer-to_fen]ike-proposal 1
[Huawei-ike-peer-to_fen]pre-shared-key cipher 123
[Huawei-ike-peer-to_fen]local-address 1.1.1.1
[Huawei-ike-peer-to_fen]remote-address 1.1.2.3
[Huawei-ike-peer-to_fen]quit
//Create ipsec proposal
[Huawei]ipsec proposal 1
[Huawei-ipsec-proposal-1]transform esp
[Huawei-ipsec-proposal-1]esp authentication-algorithm sha2-256
[Huawei-ipsec-proposal-1]esp encryption-algorithm 3des
[Huawei-ipsec-proposal-1]quit
//Create ipsec policy
[Huawei]ipsec policy to_fen 1 isakmp
[Huawei-ipsec-policy-isakmp-to_fen-1]security acl 3001
[Huawei-ipsec-policy-isakmp-to_fen-1]ike-peer to_fen
[Huawei-ipsec-policy-isakmp-to_fen-1]proposal 1
[Huawei-ipsec-policy-isakmp-to_fen-1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy to_fen
[Huawei-GigabitEthernet0/0/1]nat outbound 3000
R2 configuration (R2 only needs its interface IP addresses)
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 1.1.2.2 24
Configuration of R3
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 1.1.2.3 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0 1.1.2.2
//Mirror of R1: source and destination networks swapped, local and remote addresses swapped; all IKE and IPSec parameters identical to R1
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule 5 permit ip
[Huawei-acl-adv-3000]quit
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3001]quit
[Huawei]ike proposal 1
[Huawei-ike-proposal-1]authentication-method pre-share
[Huawei-ike-proposal-1]authentication-algorithm sha1
[Huawei-ike-proposal-1]encryption-algorithm des-cbc
[Huawei-ike-proposal-1]dh group14
[Huawei-ike-proposal-1]quit
[Huawei]ike peer to_zong v2
[Huawei-ike-peer-to_zong]ike-proposal 1
[Huawei-ike-peer-to_zong]pre-shared-key cipher 123
[Huawei-ike-peer-to_zong]local-address 1.1.2.3
[Huawei-ike-peer-to_zong]remote-address 1.1.1.1
[Huawei-ike-peer-to_zong]quit
[Huawei]ipsec proposal 1
[Huawei-ipsec-proposal-1]transform esp
[Huawei-ipsec-proposal-1]esp authentication-algorithm sha2-256
[Huawei-ipsec-proposal-1]esp encryption-algorithm 3des
[Huawei-ipsec-proposal-1]quit
[Huawei]ipsec policy to_zong 1 isakmp
[Huawei-ipsec-policy-isakmp-to_zong-1]security acl 3001
[Huawei-ipsec-policy-isakmp-to_zong-1]ike-peer to_zong
[Huawei-ipsec-policy-isakmp-to_zong-1]proposal 1
[Huawei-ipsec-policy-isakmp-to_zong-1]quit
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipsec policy to_zong
[Huawei-GigabitEthernet0/0/0]nat outbound 3000
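Because every mismatched parameter in sections 4 and 5 breaks the negotiation with little more than a failed IKE exchange to show for it, it is worth comparing the two transcripts mechanically before bringing up the tunnel. The following Python script is an added example, not part of the original lab: it re-parses constructed copies of the R1 and R3 transcripts above (generated from one template with the local and remote values swapped), compares the IKE proposal, pre-shared key, local/remote addresses and IPSec proposal, verifies that the two interest-flow ACLs are mirror images, and checks that each router's nat outbound ACL denies the interest flow, since NAT runs before IPSec on the outbound interface. The view-tracking parser, the template, and the assumption that each router has exactly one IKE peer and one IPSec policy are the example's own.

```python
"""Consistency check for a pair of Huawei VRP IKE/IPSec peer configurations (added example)."""
import re
from ipaddress import ip_network

# Constructed from the R1/R3 transcripts in section 5 ({Lnet}/{Lip} local side, {Rnet}/{Rip} remote side).
# "quit" lines are optional: the parser tracks the current view by keyword, as the CLI does.
LAB_TEMPLATE = """acl 3000
rule 0 deny ip source {Lnet} 0.0.0.255 destination {Rnet} 0.0.0.255
rule 5 permit ip
acl 3001
rule permit ip source {Lnet} 0.0.0.255 destination {Rnet} 0.0.0.255
ike proposal 1
authentication-method pre-share
authentication-algorithm sha1
encryption-algorithm des-cbc
dh group14
ike peer {peer} v2
ike-proposal 1
pre-shared-key cipher 123
local-address {Lip}
remote-address {Rip}
ipsec proposal 1
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
ipsec policy {peer} 1 isakmp
security acl 3001
ike-peer {peer}
proposal 1
int {ifname}
ipsec policy {peer}
nat outbound 3000
"""
R1_CONFIG = LAB_TEMPLATE.format(Lnet="192.168.1.0", Rnet="192.168.2.0", Lip="1.1.1.1", Rip="1.1.2.3", peer="to_fen", ifname="g0/0/1")
R3_CONFIG = LAB_TEMPLATE.format(Lnet="192.168.2.0", Rnet="192.168.1.0", Lip="1.1.2.3", Rip="1.1.1.1", peer="to_zong", ifname="g0/0/0")
RULE_RE = re.compile(r"rule(?: \d+)? (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")


def _net(addr, wildcard): return ip_network(f"{addr}/{wildcard}") if addr else None  # wildcard 0.0.0.255 -> /24; None = any


def parse_config(text):
    """Parse a CLI transcript into {view: {name: {...}}}; a repeated command overrides the earlier one, as on the box."""
    cfg = {"acl": {}, "ike_proposal": {}, "ike_peer": {}, "ipsec_proposal": {}, "ipsec_policy": {}, "interface": {}}
    view = name = None
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]", "", raw).strip()  # drop a leading [Huawei-...] prompt, if present
        t = line.split()
        if not t or t[0].startswith("//"):
            continue
        if t[0] == "quit":
            view = None
        elif t[0] == "acl":
            view, name = "acl", t[1]
            cfg["acl"].setdefault(name, [])
        elif t[:2] in (["ike", "proposal"], ["ike", "peer"], ["ipsec", "proposal"]) or (t[:2] == ["ipsec", "policy"] and view != "interface"):
            view, name = "_".join(t[:2]), t[2]
            cfg[view].setdefault(name, {})
        elif t[0] in ("int", "interface"):
            view, name = "interface", t[1]
            cfg["interface"].setdefault(name, {})
        elif view == "acl":
            m = RULE_RE.match(line)
            if m:
                act, s, sw, d, dw = m.groups()
                cfg["acl"][name].append((act, _net(s, sw), _net(d, dw)))
        elif view in cfg and len(t) > 1:
            cfg[view][name][" ".join(t[:-1])] = t[-1]  # e.g. "esp encryption-algorithm 3des" -> {"esp encryption-algorithm": "3des"}
    return cfg


def acl_action(rules, src, dst):
    """First-match evaluation of an advanced ACL for a src/dst network pair; no match behaves like deny (not NATed / not protected)."""
    for act, rs, rd in rules:
        if (rs is None or src.subnet_of(rs)) and (rd is None or dst.subnet_of(rd)):
            return act
    return "deny"


def check_pair(a, b):
    """Compare two parsed peers; returns a list of mismatch descriptions (an empty list means consistent)."""
    issues = []
    pa, pb = next(iter(a["ike_peer"].values())), next(iter(b["ike_peer"].values()))  # one IKE peer per router in this lab
    ika, ikb = a["ike_proposal"][pa["ike-proposal"]], b["ike_proposal"][pb["ike-proposal"]]
    issues += [f"ike proposal {k}: {ika.get(k)} != {ikb.get(k)}" for k in ("authentication-method", "authentication-algorithm", "encryption-algorithm", "dh") if ika.get(k) != ikb.get(k)]
    if pa.get("pre-shared-key cipher") != pb.get("pre-shared-key cipher"):
        issues.append("pre-shared keys differ")
    if (pa.get("local-address"), pa.get("remote-address")) != (pb.get("remote-address"), pb.get("local-address")):
        issues.append("local/remote addresses are not mirrored")
    pol_a, pol_b = next(iter(a["ipsec_policy"].values())), next(iter(b["ipsec_policy"].values()))
    ipa, ipb = a["ipsec_proposal"][pol_a["proposal"]], b["ipsec_proposal"][pol_b["proposal"]]
    issues += [f"ipsec proposal {k}: {ipa.get(k)} != {ipb.get(k)}" for k in ("transform", "esp authentication-algorithm", "esp encryption-algorithm") if ipa.get(k) != ipb.get(k)]
    flows = {}
    for tag, cfg, pol in (("a", a, pol_a), ("b", b, pol_b)):
        flows[tag] = {(s, d) for act, s, d in cfg["acl"][pol["security acl"]] if act == "permit"}
        # NAT runs before IPSec on the outbound interface, so the nat outbound ACL must deny the interest flow
        for iface in (i for i in cfg["interface"].values() if "ipsec policy" in i and "nat outbound" in i):
            for s, d in flows[tag]:
                if acl_action(cfg["acl"][iface["nat outbound"]], s, d) != "deny":
                    issues.append(f"{tag}: nat outbound acl {iface['nat outbound']} translates {s} -> {d}")
    if {(d, s) for s, d in flows["a"]} != flows["b"]:
        issues.append("interest-flow ACLs are not mirror images of each other")
    return issues
```

For the two transcripts above `check_pair` returns an empty list; changing one side, for example `R3_CONFIG.replace("dh group14", "dh group2")`, yields `ike proposal dh: group14 != group2`, and turning R1's `rule 0 deny` into a permit yields a report that the NAT ACL translates the interest flow, the two mistakes that otherwise show up only as a tunnel that never comes up or traffic that silently leaves in clear text.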