IPsec connectivity test
Use PC1 to test connectivity to PC2 and PC3.
View the IKE SA on the Hub
View the IPsec SA on the Hub
View the IPsec SA on Spoke2
Lab
SW1
```
vlan batch 10 11 16 20 30 40 41
interface Ethernet0/0/2
 description Link_Hub_G0/0/2
 port link-type access
 port default vlan 11
interface Ethernet0/0/10
 description Link_Internet_G0/0/0
 port link-type access
 port default vlan 11
interface Ethernet0/0/11
 description Link_Internet_G0/0/1
 port link-type access
 port default vlan 41
interface Ethernet0/0/14
 description Link_Spoke2_G0/0/1
 port link-type access
 port default vlan 41
interface Ethernet0/0/12
 description Link_Internet_G0/0/2
 port link-type access
 port default vlan 40
interface Ethernet0/0/6
 description Link_Spoke1_G0/0/2
 port link-type access
 port default vlan 40
interface Ethernet0/0/13
 description Link_Spoke2_G0/0/0
 port link-type access
 port default vlan 30
interface Ethernet0/0/22
 description Link_HCNP_Spoke(PC3)
 port link-type access
 port default vlan 30
```
FW1(Hub)
```
interface g0/0/1
 ip address 10.1.1.10 24
interface g0/0/2
 ip address 202.100.10.10 24
undo ip route-static 0.0.0.0 0.0.0.0 202.100.1.11
ip route-static 0.0.0.0 0.0.0.0 202.100.10.254
# Result after configuring through the graphical (web) interface
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ike proposal 1
 authentication-algorithm sha2-256
 integrity-algorithm aes-xcbc-96 hmac-sha2-256
ike peer ike48143238157
 exchange-mode auto
 pre-shared-key Huawei@123
 ike negotiate compatible
 ike-proposal 1
 remote-id-type none
ipsec proposal prop48143238157
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
ipsec policy-template tpl48143238157 1
 security acl 3000
 ike-peer ike48143238157
 alias hub_ipsec
 proposal prop48143238157
 local-address Applied-interface
 sa duration traffic-based 200000000
 sa duration time-based 3600
ipsec policy ipsec4814323820 10000 isakmp template tpl48143238157
interface GigabitEthernet0/0/2
 ipsec policy ipsec4814323820 auto-neg
ip service-set ISAKMP type object
 service 0 protocol udp source-port 0 to 65535 destination-port 500
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  source-address 202.100.10.10 mask 255.255.255.255
  service ISAKMP
  service esp
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  destination-address 202.100.10.10 mask 255.255.255.255
  service ISAKMP
  service esp
  action permit
 rule name ipsec3
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address address-set ipsec
  destination-address address-set ipsec
  action permit
```
FW2(Spoke1)
```
interface g0/0/1
 ip address 10.1.2.10 24
interface g0/0/2
 ip address 202.100.1.10 24
undo ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
ip route-static 0.0.0.0 0.0.0.0 202.100.1.254
```
AR1(Internet)
```
interface g0/0/0
 undo portswitch
 ip address 202.100.10.254 24
interface g0/0/1
 undo portswitch
 ip address 202.100.2.254 24
interface g0/0/2
 undo portswitch
 ip address 202.100.1.254 24
```
AR2(Spoke2)
```
interface g0/0/1
 undo portswitch
 ip address 202.100.2.10 24
interface g0/0/0
 undo portswitch
 ip address 10.1.3.10 24
ip route-static 0.0.0.0 0.0.0.0 202.100.2.254
ike proposal 10
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
ike peer hub v1
 exchange-mode main
 pre-shared-key simple Huawei@123
 ike-proposal 10
 remote-address 202.100.10.10
acl 3000
 rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal 10
 esp encryption-algorithm aes-128
 esp authentication-algorithm sha1
ipsec policy ipsec_policy 10 isakmp
 security acl 3000
 ike-peer hub
 proposal 10
interface g0/0/1
 ipsec policy ipsec_policy
```
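The Hub and Spoke2 each protect traffic selected by their own ACL 3000, so the two rule sets have to describe the same flows in opposite directions. The following check is an added example, not part of the original lab: it parses `rule ... permit ip source ... destination ...` lines and reports spoke flows with no mirrored hub entry, along with wildcard masks that do not parse. The function names and the three spoke variants are assumptions constructed for the example.

```python
import ipaddress
import re

# VRP advanced-ACL line, e.g.
#   rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
RULE_RE = re.compile(r"rule(?:\s+\d+)?\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")

def to_network(addr, wildcard):
    """Address + wildcard mask -> ip_network; ValueError if either is malformed.
    Non-contiguous wildcards are rejected as well, so they show up as errors."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(inverted)}")

def parse_flows(config):
    """Return (set of (src_net, dst_net), list of rule lines that failed to parse)."""
    flows, errors = set(), []
    for line in config.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        try:
            flows.add((to_network(m[1], m[2]), to_network(m[3], m[4])))
        except ValueError as exc:
            errors.append(f"{line.strip()}: {exc}")
    return flows, errors

def unmirrored(hub_cfg, spoke_cfg):
    """Spoke flows lacking a reversed (dst, src) entry on the hub, plus parse errors."""
    hub, hub_err = parse_flows(hub_cfg)
    spoke, spoke_err = parse_flows(spoke_cfg)
    missing = sorted(f"{s} -> {d}" for s, d in spoke if (d, s) not in hub)
    return missing, hub_err + spoke_err

# Hub rules as in the lab; the three spoke variants are constructed for this example.
HUB = """acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255"""
SPOKE_OK = "rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
SPOKE_TYPO = "rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.00.255"
SPOKE_WIDE = "rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.0.0 0.0.255.255"

if __name__ == "__main__":
    for name, cfg in [("ok", SPOKE_OK), ("typo", SPOKE_TYPO), ("wide", SPOKE_WIDE)]:
        print(name, unmirrored(HUB, cfg))
```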