Background and requirements
The Yulin headquarters and the Xi'an branch have each obtained a public IP address. An IPsec VPN now needs to be built so that the two private networks can reach each other, i.e. 192.168.1.0 can access 192.168.2.0.
The headquarters and branch networks 192.168.1.0 and 192.168.2.0 also need to reach the public network; 12.12.12.12 is used as the test destination.
Network topology
Configuration approach
Configure IP addresses at the headquarters and the branch, bring up the internal networks, and set a default route toward the public network.
Give internal users internet access through NAT.
Create IPsec on both ends, apply it to the egress interfaces, and finally verify that the branch can be reached.
Lab configuration
The public-network side is trivial and is not shown; just configure the IP addresses as in the diagram.
YL headquarters
sy
[Huawei]undo info-center enable
[Huawei]sysname YL
[YL]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[YL]interface GigabitEthernet 0/0/1
[YL-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[YL-GigabitEthernet0/0/1]dhcp select interface
[YL-GigabitEthernet0/0/1]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[YL-GigabitEthernet0/0/0]quit
[YL]acl 3000 //NAT ACL: the deny rule must come first so that traffic to the branch LAN is not translated
[YL-acl-adv-3000]rule deny ip destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
[YL-acl-adv-3000]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]nat outbound 3000
[YL-GigabitEthernet0/0/0]quit
[YL]ip route-static 0.0.0.0 0 1.1.1.2
[YL]acl 3001 //traffic to be protected by IPsec
[YL-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3001]quit
[YL]ipsec proposal yl
[YL-ipsec-proposal-yl]esp authentication-algorithm sha2-256
[YL-ipsec-proposal-yl]esp encryption-algorithm aes-128
[YL-ipsec-proposal-yl]quit
[YL]ipsec policy yl 10 manual //manual keying: SPIs and keys are set statically, there is no IKE negotiation
[YL-ipsec-policy-manual-yl-10]security acl 3001
[YL-ipsec-policy-manual-yl-10]proposal yl
[YL-ipsec-policy-manual-yl-10]tunnel local 1.1.1.1
[YL-ipsec-policy-manual-yl-10]tunnel remote 2.2.2.1
[YL-ipsec-policy-manual-yl-10]sa spi inbound esp 12345
[YL-ipsec-policy-manual-yl-10]sa spi outbound esp 54321
[YL-ipsec-policy-manual-yl-10]sa string-key inbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]sa string-key outbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ipsec policy yl
[YL-GigabitEthernet0/0/0]quit
XIAN branch
sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname XIAN
[XIAN]dhc enable //enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[XIAN]undo in en
Info: Information center is disabled.
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]ip address 2.2.2.1 24
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]interface GigabitEthernet 0/0/1
[XIAN-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[XIAN-GigabitEthernet0/0/1]dhcp select interface
[XIAN-GigabitEthernet0/0/1]quit
[XIAN]acl 3000 //NAT for private-network users so they can reach the public network, i.e. the loopback address 12.12.12.12 in the diagram
[XIAN-acl-adv-3000]rule deny ip destination 192.168.1.0 0.0.0.255 //traffic to the private network 192.168.1.0 is not NATed
[XIAN-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 //allow the 192.168.2.0 private network to reach the internet
[XIAN-acl-adv-3000]quit
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]nat outbound 3000 //apply the NAT policy on the egress interface
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]ip route-static 0.0.0.0 0 2.2.2.2 //default route toward the public network
[XIAN]acl 3001
[XIAN-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //define the traffic to be protected
[XIAN-acl-adv-3001]quit
[XIAN]ipsec proposal xian //create the IPsec proposal named "xian"
[XIAN-ipsec-proposal-xian]esp encryption-algorithm aes-128
[XIAN-ipsec-proposal-xian]esp authentication-algorithm sha2-256
[XIAN-ipsec-proposal-xian]quit
[XIAN]ipsec policy xian 10 manual //create a manual IPsec policy named xian, sequence number 10
[XIAN-ipsec-policy-manual-xian-10]security acl 3001 //reference the protected-traffic ACL
[XIAN-ipsec-policy-manual-xian-10]proposal xian //reference the proposal
[XIAN-ipsec-policy-manual-xian-10]tunnel remote 1.1.1.1 //remote tunnel endpoint IP
[XIAN-ipsec-policy-manual-xian-10]tunnel local 2.2.2.1 //local tunnel endpoint IP
[XIAN-ipsec-policy-manual-xian-10]sa spi inbound esp 54321 //SPI, the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa spi outbound esp 12345 //SPI, the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa string-key inbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]sa string-key outbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]quit
[XIAN]interface GigabitEthernet 0/0/0 //apply the IPsec policy on the egress interface
[XIAN-GigabitEthernet0/0/0]ipsec policy xian
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]
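With manual keying nothing negotiates or verifies the SPIs, keys, algorithms or traffic selectors, so a mismatch between the two sides only shows up as silently dropped traffic. The following added example (not part of the original post) encodes the values from both configurations above in its own dict layout and checks that they mirror each other, and that each NAT ACL exempts LAN-to-LAN traffic before permitting internet-bound traffic.

```python
import ipaddress

# Constructed from the commands on this page; nat_acl tuples are (action, source, destination), None = any.
YL = dict(local="1.1.1.1", remote="2.2.2.1", spi_in=12345, spi_out=54321,
          key="huawei.com", proposal=("aes-128", "sha2-256"),
          protect=("192.168.1.0/24", "192.168.2.0/24"),
          nat_acl=[("deny", None, "192.168.2.0/24"), ("permit", "192.168.1.0/24", None)])
XIAN = dict(local="2.2.2.1", remote="1.1.1.1", spi_in=54321, spi_out=12345,
            key="huawei.com", proposal=("aes-128", "sha2-256"),
            protect=("192.168.2.0/24", "192.168.1.0/24"),
            nat_acl=[("deny", None, "192.168.1.0/24"), ("permit", "192.168.2.0/24", None)])

def acl_action(rules, src, dst):
    """First-match evaluation of an advanced ACL; returns 'permit', 'deny' or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst in rules:
        if (rsrc is None or s in ipaddress.ip_network(rsrc)) and \
           (rdst is None or d in ipaddress.ip_network(rdst)):
            return action
    return None

def check_pair(a, b, internet_host="12.12.12.12"):
    """Return mismatch descriptions for two manual-keyed IPsec peers; [] means consistent."""
    issues = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        issues.append("tunnel endpoints are not mirrored")
    # Manual keying has no IKE to agree on SPIs: A's inbound SPI must be B's outbound SPI.
    if a["spi_in"] != b["spi_out"] or a["spi_out"] != b["spi_in"]:
        issues.append("SPIs are not swapped between inbound and outbound")
    if a["key"] != b["key"]:
        issues.append("ESP string keys differ")
    if a["proposal"] != b["proposal"]:
        issues.append("ESP algorithms differ")
    if a["protect"] != b["protect"][::-1]:
        issues.append("protected-traffic ACLs are not mirrored")
    # NAT exemption: LAN-to-LAN traffic must hit the deny rule before the permit rule,
    # otherwise it is translated to the public IP and never matches the IPsec ACL.
    for side, peer in ((a, b), (b, a)):
        src = str(ipaddress.ip_network(side["protect"][0])[10])
        to_peer = str(ipaddress.ip_network(peer["protect"][0])[10])
        if acl_action(side["nat_acl"], src, to_peer) != "deny":
            issues.append(f"{side['local']}: traffic to the peer LAN would be NATed")
        if acl_action(side["nat_acl"], src, internet_host) != "permit":
            issues.append(f"{side['local']}: internet-bound traffic is not NATed")
    return issues

if __name__ == "__main__":
    print(check_pair(YL, XIAN) or "consistent")
    print(check_pair(YL, dict(XIAN, nat_acl=XIAN["nat_acl"][::-1])))  # permit before deny
```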
Test
Packet capture test
Reviewing editor: Liu Qing