IPSEC野蛮模式实验.docx

IPSEC 野蛮模式实验 华为IPSEC-VPN-1-采用野蛮方式建立IPsec 安全隧道 一：企业组网需求： 1， 某公司有两个子公司分别在上海和广州，要求通过VPN实现公司之间相互通信！ 2， 实验环境如下：要求192.168.1.0/24网段的员工分别与172.168.0/24，10.1.1.0/24的员工通信! 3， 本实验要求采用野蛮方式建立IPsec 安全隧道 第一步：IP地址配置省略，指默认路由 AR1ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 AR3ip route-static 0.0.0.0 0.0.0.0 23.1.1.2 AR4ip route-static 0.0.0.0 0.0.0.0 24.1.1.2 第二步：使用ACL抓感兴趣流量 R1acl number 3001 R1-acl-adv-3001rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.168.1.0 0.0.0.255 AR1acl number 3002 AR1-acl-adv-3002rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 R3acl number 3001 R3-acl-adv-3001rule 5 permit IP source 172.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 AR4acl number 3002 AR4-acl-adv-3001rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 第三步：配置安全提议zhu1和zhu2 AR1ipsec proposal zhu1 AR1-ipsec-proposal-zhu1encapsulation-mode tunnel AR1-ipsec-proposal-zhu1transform esp AR1-ipsec-proposal-zhu1esp authentication-algorithm md5 AR1-ipsec-proposal-zhu1esp encryption-algorithm des AR1ipsec proposal zhu2 AR1-ipsec-proposal-zhu1encapsulation-mode tunnel AR1-ipsec-proposal-zhu1transform esp AR1-ipsec-proposal-zhu1esp authentication-algorithm md5 AR1-ipsec-proposal-zhu1esp encryption-algorithm des 第四步： AR1ike local-name fw1 AR1ike peer peer-1 v1 AR1-ike-peer-peer-1exchange-mode aggressive AR1-ike-peer-peer-1pre-shared-key simple 12345 AR1-ike-peer-peer-1local-id-type name AR1-ike-peer-peer-1local-address 12.1.1.1 AR1-ike-peer-peer-1remote-name fw2 AR1ike peer peer-2 v1 AR1-ike-peer-peer-2exchange-mode aggressive AR1-ike-peer-peer-2pre-shared-key simple 12345 AR1-ike-peer-peer-2local-id-type name AR1-ike-peer-peer-2local-address 12.1.1.1 AR1-ike-peer-peer-2remote-name fw3 第五步： AR1ipsec policy policy1 10 isakmp AR1-ipsec-policy-isakmp-policy1-10sec acl 3001 AR1-ipsec-policy-isakmp-policy1-10proposal zhu1 AR1-ipsec-policy-isakmp-policy1-10ike peer peer-1 AR1-ike-peer-peer-1quit AR1ipsec policy policy1 20 isakmp AR1-ipsec-policy-isakmp-policy1-20security acl 3002 AR1-ipsec-policy-isakmp-policy1-20proposal zhu2 AR1-ipsec-policy-isakmp-policy1-20ike peer peer-2 AR1-ike-peer-peer-2quit 第六步：在接口应用策略 AR1interface GigabitEthernet 0/0/0 AR1-GigabitEthernet0/0/0ipsec policy policy1 AR1-GigabitEthernet0/0/0quit 错误的提示，不为什么不让配置是ENSP版的问题么？ 报错文本： AR1interface GigabitEthernet 0/0/0 AR1-GigabitEthernet0/0/0ipsec policy policy1 Error: The IPSec policy does not configure an IKE peer. 第七步： AR3ipsec proposal zhu AR3-ipsec-proposal-zhuencapsulation-mode tunnel AR3-ipsec-proposal-zhutransform esp AR3-ipsec-proposal-zhuesp authentication-algorithm md5 AR3-ipsec-proposal-zhuesp encryption-algorithm des AR3-ipsec-proposal-zhuquit AR3ike peer peer-1 v1 AR3-ike-peer-peer-1exchange-mode aggressive AR3-ike-peer-peer-1pre-shared-key simple 12345 AR3-ike-peer-peer-1local-id-type name AR3-ike-peer-peer-1remote-name fw1 AR3-ike-peer-peer-1remote-address 12.1.1.1 AR3-ike-peer-peer-1quit AR3ipsec policy policy2 10 isakmp AR3-ipsec-policy-isakmp-policy2-10security acl 3001 AR3-ipsec-policy-isakmp-policy2-10proposal zhu AR3-ipsec-policy-isakmp-policy2-10ike peer-1 AR3interface GigabitEthernet 0/0/1 AR3-GigabitEthernet0/0/1ipsec policy policy2 AR3-GigabitEthernet0/0/1quit 第八步：AR4路由器上的所有配置 ipsec proposal zhu-4 encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm des quit ike local-name fw3 ike peer peer-2 v1 exchange-mode aggressive pre-shared-key simple 12345 local-id-type name remote-name fw1 remote-address 12.1.1.1 quit ipsec policy policy4 20 isakmp security acl 3002 proposal zhu-4 ike peer-2 quit interface GigabitEthernet 0/0/2 ipsec policy policy4 quit