FW1
------------------------基本配置--------------------------------
interface GigabitEthernet1/0/1
ip address 172.16.1.254 255.255.255.0
#
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
#
security-policy
default action permit
#
----------------------------------------------------------------
#
ike proposal 1 //配置IKE提议1
encryption-algorithm des //配置加密算法为des（DES已不安全，仅适合实验环境；生产环境建议使用aes-256）
dh group1 //配置DH组为group1（group1密钥长度过短，已不安全；生产环境建议使用group14或更高）
authentication-algorithm md5 //配置认证算法为md5（MD5已不安全；生产环境建议使用sha2-256）
authentication-method pre-share //配置认证方式为pre-share(预共享密钥)
integrity-algorithm hmac-sha2-256 //默认值（此参数一般仅对IKEv2生效，本例强制IKEv1时不起作用）
prf hmac-sha2-256 //默认值（此参数一般仅对IKEv2生效，本例强制IKEv1时不起作用）
#
ike peer 1 //配置IKE对等体
undo version 2 //版本强制为V1
pre-shared-key Admin@123 //配置预共享密钥为Admin@123（示例弱密钥，两端必须一致；生产环境应使用足够长的随机密钥）
ike-proposal 1 //绑定IKE提议1
remote-address 2.2.2.1 //配置对端公网接口为2.2.2.1
#
#
ipsec proposal 1 //配置ipsec提议 1
esp authentication-algorithm md5 //配置ESP认证算法为md5（MD5已不安全；生产环境建议使用sha2-256）
esp encryption-algorithm des //配置ESP加密算法为des（DES已不安全；生产环境建议使用aes-256）
encapsulation-mode tunnel //配置封装模式为隧道模式(tunnel)
#
#
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //配置高级ACL，允许源网段172.16.1.0/24访问目的网段192.168.1.0/24（即IPsec感兴趣流）
#
#
ipsec policy 1 5 isakmp //配置ipsec策略1，序号为5，协商方式为isakmp（由IKE自动协商）
security acl 3000 //绑定ipsec感兴趣流acl 3000
ike-peer 1 //绑定IKE对等体1
proposal 1 //绑定ipsec提议1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy 1 //绑定ipsec policy 1在此接口
#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2 //配置到达FW2公网网段2.2.2.0/24的静态路由，下一跳为R1
ip route-static 192.168.1.0 255.255.255.0 1.1.1.2 //配置目的地址为192.168.1.0/24网段的静态路由，下一跳为R1
#
R1
#
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 2.2.2.2 255.255.255.0
#
FW2
---------------------------基本配置-------------
interface GigabitEthernet1/0/1
ip address 192.168.1.254 255.255.255.0
#
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
#
security-policy
default action permit
#
-------------------------------------------------
#
ike proposal 2
encryption-algorithm des
dh group1
authentication-algorithm md5
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
#
ike peer 2
undo version 2
pre-shared-key Admin@123
ike-proposal 2
remote-address 1.1.1.1
#
#
ipsec proposal 2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
#
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec policy 2 5 isakmp
security acl 3000
ike-peer 2
proposal 2
#
#
interface GigabitEthernet1/0/0
ip address 2.2.2.1 255.255.255.0
ipsec policy 2
#
#
ip route-static 1.1.1.1 255.255.255.255 2.2.2.2
ip route-static 172.16.1.0 255.255.255.0 2.2.2.2
#