H3C V7 series device IPsec VPN configuration

Configuration approach:

Use the following approach to build an IPsec tunnel that is established through IKE negotiation:

1. Configure the interface IP addresses and a static route to the peer, so that the two ends can reach each other.

2. Configure an ACL to define the traffic that IPsec should protect.

3. Configure an IPsec transform set (security proposal) to define how IPsec protects that traffic.

4. Configure the IKE peer, defining the attributes the peers use during IKE negotiation.

5. Configure an IPsec policy that references the ACL, the IPsec transform set and the IKE peer; this determines which protection is applied to which traffic.

6. Apply the IPsec policy on the interface so that the interface provides IPsec protection.


1. R1 configuration

Configure IPsec VPN on MSR router R1
# Step 1: configure the required routes

 ip route-static 2.2.2.0 24 1.1.1.2
 ip route-static 10.0.2.0 24 1.1.1.2
#

# Configure an ACL that defines the traffic from subnet 10.0.1.0/24 to subnet 10.0.2.0/24.

<R1>system-view

[R1]acl advanced 3000

[R1-acl-ipv4-adv-3000]rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255

[R1-acl-ipv4-adv-3000]quit

# Configure ACL 3001, which NAT on the public interface will reference. It denies the IPsec interesting traffic from the traffic that NAT translates, so the IPsec traffic is not NAT-translated first (on this platform NAT is applied before IPsec on the outbound interface).

[R1]acl advanced 3001

[R1-acl-ipv4-adv-3001]rule 0 deny ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255

[R1-acl-ipv4-adv-3001]rule 1 permit ip

[R1-acl-ipv4-adv-3001]quit

# Create IKE proposal 1, using MD5 as the authentication algorithm and 3des-cbc as the encryption algorithm

[R1]ike proposal 1

[R1-ike-proposal-1]authentication-algorithm md5   

[R1-ike-proposal-1]encryption-algorithm 3des-cbc    

[R1-ike-proposal-1]quit

# Create and configure the IKE keychain named r1.

[R1]ike keychain r1

# Configure the peer address 2.2.2.2 (mask 255.255.255.0) with the plaintext pre-shared key 123456

[R1-ike-keychain-r1]pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456 

[R1-ike-keychain-r1]quit

# Create and configure IKE profile r1: reference keychain r1 configured above, set the local identity to this end's public interface address 1.1.1.1 and the remote identity to the peer's public interface address 2.2.2.2, and reference IKE proposal 1 configured earlier

[R1]ike profile r1 

[R1-ike-profile-r1]keychain r1      

[R1-ike-profile-r1]local-identity address 1.1.1.1

[R1-ike-profile-r1]match remote identity address 2.2.2.2 255.255.255.0

[R1-ike-profile-r1]proposal 1     

[R1-ike-profile-r1]quit

# Configure IPsec transform set r1, with ESP using 3des-cbc for encryption and md5 for authentication

[R1]ipsec transform-set r1

[R1-ipsec-transform-set-r1]encapsulation-mode tunnel

[R1-ipsec-transform-set-r1]esp encryption-algorithm 3des-cbc   

[R1-ipsec-transform-set-r1]esp authentication-algorithm md5  

[R1-ipsec-transform-set-r1]quit

# Create IPsec policy r1 with sequence number 1: set the remote address to the peer's public address 2.2.2.2, and reference ACL 3000, IKE profile r1 and IPsec transform set r1 created earlier

[R1]ipsec policy r1 1 isakmp

[R1-ipsec-policy-isakmp-r1-1]remote-address 2.2.2.2

[R1-ipsec-policy-isakmp-r1-1]security acl 3000   

[R1-ipsec-policy-isakmp-r1-1]transform-set r1     

[R1-ipsec-policy-isakmp-r1-1]ike-profile r1 

[R1-ipsec-policy-isakmp-r1-1]quit

# Bind ACL 3001 to NAT on the WAN interface (if nat outbound was already configured there, undo it first), and apply IPsec policy r1 on the WAN interface

[R1]interface GigabitEthernet 0/1

[R1-GigabitEthernet0/1]undo nat outbound 

[R1-GigabitEthernet0/1]nat outbound 3001

[R1-GigabitEthernet0/1]ipsec apply policy r1

[R1-GigabitEthernet0/1]quit

2. R2 configuration

Configure IPsec VPN on MSR router R2
# Step 1: configure the required routes

 ip route-static 1.1.1.0 24 2.2.2.2
 ip route-static 10.0.1.0 24 2.2.2.2
#

# Configure an ACL that defines the traffic from subnet 10.0.2.0/24 to subnet 10.0.1.0/24.

<R2>system-view

[R2]acl advanced 3000

[R2-acl-ipv4-adv-3000]rule 0 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255

[R2-acl-ipv4-adv-3000]quit

# Configure ACL 3001, which NAT on the public interface will reference. It denies the IPsec interesting traffic from the traffic that NAT translates, so the IPsec traffic is not NAT-translated first.

[R2]acl advanced 3001

[R2-acl-ipv4-adv-3001]rule 0 deny ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255

[R2-acl-ipv4-adv-3001]rule 1 permit ip

[R2-acl-ipv4-adv-3001]quit

# Create IKE proposal 1, using MD5 as the authentication algorithm and 3des-cbc as the encryption algorithm

[R2]ike proposal 1

[R2-ike-proposal-1]authentication-algorithm md5   

[R2-ike-proposal-1]encryption-algorithm 3des-cbc    

[R2-ike-proposal-1]quit

# Create and configure the IKE keychain named r2.

[R2]ike keychain r2

# Configure the peer address 1.1.1.1 (mask 255.255.255.0) with the plaintext pre-shared key 123456

[R2-ike-keychain-r2]pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456 

[R2-ike-keychain-r2]quit

# Create and configure IKE profile r2: reference keychain r2 configured above, set the local identity to this end's public interface address 2.2.2.2 and the remote identity to the peer's public interface address 1.1.1.1, and reference IKE proposal 1 configured earlier

[R2]ike profile r2 

[R2-ike-profile-r2]keychain r2      

[R2-ike-profile-r2]local-identity address 2.2.2.2

[R2-ike-profile-r2]match remote identity address 1.1.1.1 255.255.255.0

[R2-ike-profile-r2]proposal 1     

[R2-ike-profile-r2]quit

# Configure IPsec transform set r2, with ESP using 3des-cbc for encryption and md5 for authentication

[R2]ipsec transform-set r2

[R2-ipsec-transform-set-r2]encapsulation-mode tunnel

[R2-ipsec-transform-set-r2]esp encryption-algorithm 3des-cbc   

[R2-ipsec-transform-set-r2]esp authentication-algorithm md5  

[R2-ipsec-transform-set-r2]quit

# Create IPsec policy r2 with sequence number 1: set the remote address to the peer's public address 1.1.1.1, and reference ACL 3000, IKE profile r2 and IPsec transform set r2 created earlier

[R2]ipsec policy r2 1 isakmp

[R2-ipsec-policy-isakmp-r2-1]remote-address 1.1.1.1

[R2-ipsec-policy-isakmp-r2-1]security acl 3000   

[R2-ipsec-policy-isakmp-r2-1]transform-set r2     

[R2-ipsec-policy-isakmp-r2-1]ike-profile r2 

[R2-ipsec-policy-isakmp-r2-1]quit

# Bind ACL 3001 to NAT on the WAN interface (if nat outbound was already configured there, undo it first), and apply IPsec policy r2 on the WAN interface

[R2]interface GigabitEthernet 0/1

[R2-GigabitEthernet0/1]undo nat outbound 

[R2-GigabitEthernet0/1]nat outbound 3001

[R2-GigabitEthernet0/1]ipsec apply policy r2

[R2-GigabitEthernet0/1]quit
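The errors that most often break a two-router setup like the one above are asymmetric: a remote-address that is not the peer's local identity, an ACL 3000 that is not the mirror image of the peer's, or a NAT ACL that fails to exclude the protected flow. The script below is an added example, not from the page or from H3C; it checks those three conditions over constructed, cut-down snippets in the running-configuration format shown on this page, and assumes the one-space indentation of display current-configuration output, a single IPsec policy and IKE profile per router, and ACL 3001 as the NAT ACL.

```python
import re
# Constructed sample (not the page's own dump): the IPsec-relevant lines of both routers' running
# configs with the walkthrough's addresses. R2's remote-address deliberately points at R2 itself.
R1_CFG = """\
ipsec policy r1 1 isakmp
 security acl 3000
 remote-address 2.2.2.2
ike profile r1
 local-identity address 1.1.1.1
acl advanced 3000
 rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
acl advanced 3001
 rule 0 deny ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
"""
R2_CFG = """\
ipsec policy r2 1 isakmp
 security acl 3000
 remote-address 2.2.2.2
ike profile r2
 local-identity address 2.2.2.2
acl advanced 3000
 rule 0 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
acl advanced 3001
 rule 0 deny ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
"""

def field(cfg, pat):
    # First capture group of the first line matching pat, or None
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def acl_flows(cfg, number):
    """[(action, src, dst)] for the rules indented under 'acl advanced <number>'."""
    block = field(cfg, rf"^acl advanced {number}\n((?: .*\n?)+)") or ""
    return re.findall(r"rule \d+ (permit|deny) ip source (\S+) \S+ destination (\S+)", block)

def check_pair(a_cfg, b_cfg):
    """Findings for side A against peer B: remote address, ACL mirroring, NAT exclusion (ACL 3001)."""
    a, b = (dict(local=field(c, r"^ local-identity address (\S+)"),
                 remote=field(c, r"^ remote-address (\S+)"),
                 flows=acl_flows(c, field(c, r"^ security acl (\d+)")),
                 nat_deny=[f[1:] for f in acl_flows(c, 3001) if f[0] == "deny"])
            for c in (a_cfg, b_cfg))
    findings = []
    if a["remote"] != b["local"]:
        findings.append(f"remote-address {a['remote']} != peer local-identity {b['local']}")
    if a["flows"] != [("permit", dst, src) for _, src, dst in b["flows"]]:
        findings.append("protected flow is not the mirror image of the peer's")
    if [f[1:] for f in a["flows"]] != a["nat_deny"]:
        findings.append("NAT ACL does not deny exactly the protected flow")
    return findings
```

Run it once per direction on the output of display current-configuration from each router (check_pair(r1, r2) and check_pair(r2, r1)); with the constructed R2 above, the second call reports the remote-address mismatch while the first is clean.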
Configuration files:

<R1>dis cu
#
 version 7.1.075, Alpha 7571
#
 sysname R1
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.0
 nat outbound 3001
 ipsec apply policy r1
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet5/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet5/1
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/1
 port link-mode route
 combo enable copper
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 ip route-static 2.2.2.0 24 1.1.1.2
 ip route-static 10.0.2.0 24 1.1.1.2
#
acl advanced 3000
 rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
#
acl advanced 3001
 rule 0 deny ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
 rule 1 permit ip
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
ipsec transform-set r1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy r1 1 isakmp
 transform-set r1
 security acl 3000
 remote-address 2.2.2.1
 ike-profile r1
#
ike profile r1
 keychain r1
 local-identity address 1.1.1.1
 match remote identity address 2.2.2.1 255.255.255.0
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain r1
 pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$lTDBhQoHTIk+cTbWgbGYpK4qXeHUn/G4iQ==
#
return
<R1>
<R2>dis cu
#
 version 7.1.075, Alpha 7571
#
 sysname R2
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 10.0.2.1 255.255.255.0
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 2.2.2.1 255.255.255.0
 nat outbound 3001
 ipsec apply policy r2
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
#
interface GigabitEthernet5/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet5/1
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/1
 port link-mode route
 combo enable copper
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 ip route-static 1.1.1.0 24 2.2.2.2
 ip route-static 10.0.1.0 24 2.2.2.2
#
acl advanced 3000
 rule 0 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
#
acl advanced 3001
 rule 0 deny ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
 rule 1 permit ip
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
ipsec transform-set r2
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy r2 1 isakmp
 transform-set r2
 security acl 3000
 remote-address 1.1.1.1
 ike-profile r2
#
ike profile r2
 keychain r2
 local-identity address 2.2.2.2
 match remote identity address 1.1.1.1 255.255.255.0
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain r2
 pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$lckysoFu2yiKf1tV9ppZIoeItFJxyNR0EA==
#
return
<R2>