Huawei Firewall IPSec Lab Notes
Configure static routes to the destination network.
[FW_A] ip route-static 192.168.22.0 24 192.168.1.1 (route to the peer's internal network over the VPN)
[FW_A] ip route-static 0.0.0.0 0 192.168.1.1
Configure an IPSec policy on FW_A and apply it on the interface.
a. Define the data flow to be protected. Configure advanced ACL 3000 to permit the 192.168.11.0/24 network to access the 192.168.22.0/24 network.
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.22.0 0.0.0.255 (the destination must be the 192.168.22.0/24 network named above, which is also the network the static route points to)
[FW_A-acl-adv-3000] quit
Configure the IPSec proposal.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
Configure the IKE proposal.
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] quit
Configure the IKE peer.
[FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 192.168.2.2 (the peer's public address)
[FW_A-ike-peer-b] pre-shared-key admin123
[FW_A-ike-peer-b] quit
Configure the IPSec policy.
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit
Apply IPSec policy group map1 on interface GigabitEthernet 1/0/1.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ipsec policy map1
[FW_A-GigabitEthernet1/0/1] quit
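The steps above only work when the ACL, the static route, and the policy references all agree; a mistyped ACL destination (for example 192.168.12.0 where the protected network is 192.168.22.0/24) silently leaves that traffic unencrypted. The following checker is an added example, not Huawei's code: it parses the VRP-style commands (prompts stripped, algorithm lines omitted) and flags dangling policy references and ACL destinations with no specific static route.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the FW_A commands from this page with prompts and algorithm
# lines dropped; the ACL destination uses the 192.168.12.0 typo on purpose so the
# checker is expected to report it against the 192.168.22.0/24 static route.
FW_A = """\
ip route-static 192.168.22.0 24 192.168.1.1
ip route-static 0.0.0.0 0 192.168.1.1
acl 3000
 rule 5 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255
ipsec proposal tran1
ike peer b
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer b
"""

def wildcard_net(addr, wildcard):
    """Turn a VRP 'address wildcard' pair (e.g. 0.0.0.255) into an ip_network."""
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False)

def check_ipsec_config(text):
    """Return findings: undefined policy references and unrouted ACL destinations."""
    acls, names, policies, routes, findings, block = {}, set(), {}, [], [], []
    for line in text.splitlines():
        t = line.split()
        if not t: continue
        if not line.startswith(" "):            # top-level command opens a new block
            block = t
            if t[0] == "acl":
                acls[t[1]] = []
            elif t[:2] in (["ipsec", "proposal"], ["ike", "peer"]):
                names.add(t[2])
            elif t[:2] == ["ipsec", "policy"]:
                policies[t[2]] = {}
            elif t[:2] == ["ip", "route-static"]:
                routes.append(ip_network(f"{t[2]}/{t[3]}"))
        elif block[:1] == ["acl"] and t[0] == "rule" and "destination" in t:
            acls[block[1]].append(wildcard_net(t[-2], t[-1]))
        elif block[:2] == ["ipsec", "policy"]:   # 'security acl 3000' -> acl: 3000
            policies[block[2]]["acl" if t[0] == "security" else t[0]] = t[-1]
    for pol_name, pol in policies.items():
        for key, table in (("acl", acls), ("proposal", names), ("ike-peer", names)):
            if pol.get(key) not in table:
                findings.append(f"policy {pol_name}: {key} {pol.get(key)} is not defined")
        for dst in acls.get(pol.get("acl"), []):
            if not any(dst.subnet_of(r) for r in routes if r.prefixlen):
                findings.append(f"acl {pol['acl']}: destination {dst} has no specific static route")
    return findings
```

Run `check_ipsec_config(FW_A)` to see the mismatch reported; correcting the ACL destination to 192.168.22.0 yields no findings.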
Verification
After the configuration is complete, send a ping across the tunnel to trigger tunnel establishment.
Use the command display ike sa (abbreviated dis ike sa) to check whether the tunnel was established successfully.