Topology
First, the basic network configuration is complete: interface addresses and routes are in place, so the two tunnel endpoints (192.168.12.1 at headquarters and 192.168.23.3 at the branch) can already reach each other before IPsec is applied.
Configuration
Headquarters:
[zongbu]acl number 3000 //Create an ACL that defines the traffic of interest
[zongbu-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 //Permit traffic from the 192.168.1.0/24 segment to the 192.168.2.0/24 segment; this is the traffic that will be protected
[zongbu]ipsec proposal huawei //Create a security proposal named huawei
[zongbu-ipsec-proposal-huawei]esp authentication-algorithm sha1 //Set the ESP authentication (integrity) algorithm to SHA-1; the default is MD5. This is not the encryption algorithm, which keeps its default here (change it with esp encryption-algorithm if required)
[zongbu]ipsec policy huawei 10 manual //Create IPsec policy huawei, sequence number 10, in manual mode: SPIs and keys are configured statically on both ends, with no IKE negotiation and no automatic rekeying
[zongbu-ipsec-policy-manual-huawei-10]security acl 3000 //Bind the traffic of interest: packets matching ACL 3000 (192.168.1.0/24 to 192.168.2.0/24) are sent through the IPsec tunnel
[zongbu-ipsec-policy-manual-huawei-10]proposal huawei //Reference the proposal named huawei
[zongbu-ipsec-policy-manual-huawei-10]tunnel local 192.168.12.1 //Local tunnel endpoint address
[zongbu-ipsec-policy-manual-huawei-10]tunnel remote 192.168.23.3 //Peer tunnel endpoint address
[zongbu-ipsec-policy-manual-huawei-10]sa spi inbound esp 54321 //Inbound SA, SPI 54321; the local inbound SPI must equal the peer's outbound SPI
[zongbu-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei //Inbound SA key "huawei"; the local inbound key must equal the peer's outbound key
[zongbu-ipsec-policy-manual-huawei-10]sa spi outbound esp 12345 //Outbound SA, SPI 12345; the local outbound SPI must equal the peer's inbound SPI
[zongbu-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei123 //Outbound SA key "huawei123"; the local outbound key must equal the peer's inbound key
[zongbu]interface GigabitEthernet0/0/0 //Enter the interface that carries the tunnel traffic (the 192.168.12.1 side)
[zongbu-GigabitEthernet0/0/0]ipsec policy huawei //Apply the policy on the interface
branch:
[fenzhi]acl number 3000
[fenzhi-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[fenzhi]ipsec proposal huawei
[fenzhi-ipsec-proposal-huawei]esp authentication-algorithm sha1
[fenzhi]ipsec policy huawei 10 manual
[fenzhi-ipsec-policy-manual-huawei-10]security acl 3000
[fenzhi-ipsec-policy-manual-huawei-10]proposal huawei
[fenzhi-ipsec-policy-manual-huawei-10]tunnel local 192.168.23.3
[fenzhi-ipsec-policy-manual-huawei-10]tunnel remote 192.168.12.1
[fenzhi-ipsec-policy-manual-huawei-10]sa spi inbound esp 12345
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei123
[fenzhi-ipsec-policy-manual-huawei-10]sa spi outbound esp 54321
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei
[fenzhi]interface GigabitEthernet0/0/1
[fenzhi-GigabitEthernet0/0/1]ipsec policy huawei
Final effect: PC1 can ping PC2. On either router, display ipsec sa shows the manual SAs with the configured SPIs, and a capture on the link between the routers shows the ping carried as ESP (IP protocol 50) rather than as plain ICMP.
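The two manual policies have to mirror each other exactly, and because there is no IKE negotiation a mismatch produces no error on either router: ESP packets that fail the SPI or integrity check are silently discarded and the ping simply fails. The following Python script is an added example (not from the original page or from Huawei) that parses both sides' CLI lines as typed above and reports every field that fails to mirror: tunnel local/remote, inbound/outbound SPI and key, ESP algorithms, and the ACL rules. The sample configurations are this lab's values, and the branch variant with a mistyped outbound key is constructed to show what a detected mismatch looks like.

```python
"""Mirror check for a pair of Huawei VRP manual-mode IPsec policies.

Manual keying has no IKE negotiation, so a mismatched SPI, key, algorithm or
ACL is never reported by the peers: ESP packets are simply dropped. This
script parses both sides' CLI lines and lists every field that fails to
mirror. Added example, not code from the original page or from Huawei.
"""
import re

# Constructed sample input: the lab's headquarters and branch policies typed as
# they appear at the CLI (prompts and // comments are stripped by the parser).
ZONGBU_CFG = """
[zongbu-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[zongbu-ipsec-proposal-huawei]esp authentication-algorithm sha1
[zongbu-ipsec-policy-manual-huawei-10]security acl 3000
[zongbu-ipsec-policy-manual-huawei-10]proposal huawei
[zongbu-ipsec-policy-manual-huawei-10]tunnel local 192.168.12.1
[zongbu-ipsec-policy-manual-huawei-10]tunnel remote 192.168.23.3
[zongbu-ipsec-policy-manual-huawei-10]sa spi inbound esp 54321 // must equal peer outbound SPI
[zongbu-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei
[zongbu-ipsec-policy-manual-huawei-10]sa spi outbound esp 12345
[zongbu-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei123
"""
FENZHI_CFG = """
[fenzhi-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[fenzhi-ipsec-proposal-huawei]esp authentication-algorithm sha1
[fenzhi-ipsec-policy-manual-huawei-10]tunnel local 192.168.23.3
[fenzhi-ipsec-policy-manual-huawei-10]tunnel remote 192.168.12.1
[fenzhi-ipsec-policy-manual-huawei-10]sa spi inbound esp 12345
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei123
[fenzhi-ipsec-policy-manual-huawei-10]sa spi outbound esp 54321
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei
"""
# Constructed negative case: a one-character typo in the branch outbound key.
FENZHI_TYPO_CFG = FENZHI_CFG.replace("outbound esp cipher huawei", "outbound esp cipher huawei1")

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")


def parse_manual_policy(cfg):
    """Extract the fields of a manual policy that must mirror the peer's."""
    p = {"rules": set(), "tunnel": {}, "spi": {}, "key": {}, "auth": None, "enc": None}
    for raw in cfg.splitlines():
        t = PROMPT_RE.sub("", raw.split("//", 1)[0]).split()
        if not t:
            continue
        if t[0] == "rule" and "source" in t and "destination" in t:
            s, d = t.index("source"), t.index("destination")
            p["rules"].add(((t[s + 1], t[s + 2]), (t[d + 1], t[d + 2])))
        elif t[:2] == ["esp", "authentication-algorithm"]:
            p["auth"] = t[2]
        elif t[:2] == ["esp", "encryption-algorithm"]:
            p["enc"] = t[2]
        elif t[0] == "tunnel" and len(t) == 3:
            p["tunnel"][t[1]] = t[2]
        elif t[:2] == ["sa", "spi"]:              # sa spi inbound esp 54321
            p["spi"][t[2]] = int(t[4])
        elif t[:2] == ["sa", "string-key"]:       # sa string-key inbound esp [cipher] KEY
            p["key"][t[2]] = t[-1]
    return p


def check_pair(a, b, names=("local", "peer")):
    """Return a list of mismatches between two manual policies (empty if consistent)."""
    la, lb = names
    out = []
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        if a["tunnel"].get(mine) != b["tunnel"].get(theirs):
            out.append(f"tunnel {mine} on {la} != tunnel {theirs} on {lb}")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in ("spi", "key"):
            if a[field].get(mine) != b[field].get(theirs):
                out.append(f"{field} {mine} on {la} != {field} {theirs} on {lb}")
    for alg in ("auth", "enc"):
        if a[alg] != b[alg]:
            out.append(f"esp {alg} algorithm differs: {a[alg]} vs {b[alg]}")
    # Every protected flow on one side must appear with source/destination swapped on the other.
    mirrored = {(dst, src) for src, dst in b["rules"]}
    for src, dst in a["rules"]:
        if (src, dst) not in mirrored:
            out.append(f"ACL rule {src[0]}->{dst[0]} on {la} has no mirror on {lb}")
    return out


if __name__ == "__main__":
    hq = parse_manual_policy(ZONGBU_CFG)
    for label, cfg in (("branch", FENZHI_CFG), ("branch-with-typo", FENZHI_TYPO_CFG)):
        problems = check_pair(hq, parse_manual_policy(cfg), ("zongbu", label))
        print(label, "OK" if not problems else "\n  ".join(["MISMATCH:"] + problems))
```

Running the script reports the page's configuration as consistent and flags the mistyped branch key as "key inbound on zongbu != key outbound on branch-with-typo", which is exactly the kind of error the routers themselves never show.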