User requirement background
The Yulin headquarters and the Xi'an branch have each obtained one public IP address. An IPsec VPN now has to be built between them so that the two private networks can communicate, i.e. 192.168.1.0 can reach 192.168.2.0;
The headquarters and branch private networks 192.168.1.0 and 192.168.2.0 also need Internet access, which is tested against 12.12.12.12;
Network topology diagram
Configuration approach
Configure IP addresses at the headquarters and the branch, bring up the internal networks, and set a default route towards the public network;
Provide Internet access for internal users by means of NAT;
Create the IPsec configuration on both ends, apply it to the egress interfaces, and finally verify access to the branch;
Lab configuration walkthrough
The public-network (ISP) router configuration is trivial and is not shown; simply configure the IP addresses as in the diagram.
YL (headquarters)
sy
[Huawei]undo info-center enable
[Huawei]sysname YL
[YL]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[YL]interface GigabitEthernet 0/0/1
[YL-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[YL-GigabitEthernet0/0/1]dhcp select interface
[YL-GigabitEthernet0/0/1]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[YL-GigabitEthernet0/0/0]quit
[YL]acl 3000    // NAT ACL: traffic to the branch private network is exempted, everything else from 192.168.1.0 is translated
[YL-acl-adv-3000]rule deny ip destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
[YL-acl-adv-3000]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]nat outbound 3000
[YL-GigabitEthernet0/0/0]quit
[YL]ip route-static 0.0.0.0 0 1.1.1.2
[YL]acl 3001    // traffic to be protected by IPsec
[YL-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3001]quit
[YL]ipsec proposal yl
[YL-ipsec-proposal-yl]esp authentication-algorithm sha2-256
[YL-ipsec-proposal-yl]esp encryption-algorithm aes-128
[YL-ipsec-proposal-yl]quit
[YL]ipsec policy yl 10 manual
[YL-ipsec-policy-manual-yl-10]security acl 3001
[YL-ipsec-policy-manual-yl-10]proposal yl
[YL-ipsec-policy-manual-yl-10]tunnel local 1.1.1.1
[YL-ipsec-policy-manual-yl-10]tunnel remote 2.2.2.1
[YL-ipsec-policy-manual-yl-10]sa spi inbound esp 12345
[YL-ipsec-policy-manual-yl-10]sa spi outbound esp 54321
[YL-ipsec-policy-manual-yl-10]sa string-key inbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]sa string-key outbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ipsec policy yl
[YL-GigabitEthernet0/0/0]quit
XIAN (branch)
sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname XIAN
[XIAN]dhcp enable    // enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[XIAN]undo info-center enable
Info: Information center is disabled.
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]ip address 2.2.2.1 24
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]interface GigabitEthernet 0/0/1
[XIAN-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[XIAN-GigabitEthernet0/0/1]dhcp select interface
[XIAN-GigabitEthernet0/0/1]quit
[XIAN]acl 3000    // enable NAT for private-network users so they can reach the public network, i.e. the loopback address 12.12.12.12 in the diagram
[XIAN-acl-adv-3000]rule deny ip destination 192.168.1.0 0.0.0.255    // traffic to the private network 192.168.1.0 is not NAT-translated
[XIAN-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255    // allow the private network 192.168.2.0 to access the Internet
[XIAN-acl-adv-3000]quit
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]nat outbound 3000    // apply the NAT policy on the egress interface
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]ip route-static 0.0.0.0 0 2.2.2.2    // default route towards the public network
[XIAN]acl 3001
[XIAN-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255    // define the traffic to be protected
[XIAN-acl-adv-3001]quit
[XIAN]ipsec proposal xian    // create the security proposal named "xian"
[XIAN-ipsec-proposal-xian]esp encryption-algorithm aes-128
[XIAN-ipsec-proposal-xian]esp authentication-algorithm sha2-256
[XIAN-ipsec-proposal-xian]quit
[XIAN]ipsec policy xian 10 manual    // create the IPsec policy named xian, sequence number 10
[XIAN-ipsec-policy-manual-xian-10]security acl 3001    // reference the security ACL
[XIAN-ipsec-policy-manual-xian-10]proposal xian    // reference the security proposal
[XIAN-ipsec-policy-manual-xian-10]tunnel remote 1.1.1.1    // tunnel endpoint IP
[XIAN-ipsec-policy-manual-xian-10]tunnel local 2.2.2.1    // tunnel start IP
[XIAN-ipsec-policy-manual-xian-10]sa spi inbound esp 54321    // SPI values are the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa spi outbound esp 12345    // SPI values are the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa string-key inbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]sa string-key outbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]quit
[XIAN]interface GigabitEthernet 0/0/0    // apply the IPsec policy on the egress interface
[XIAN-GigabitEthernet0/0/0]ipsec policy xian
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]
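With manual keying nothing is negotiated, so the two policies above only work if every inbound value on one side equals the outbound value on the other, and the deny rule in ACL 3000 is what keeps site-to-site traffic out of NAT so that it still matches the security ACL. The following Python is an added example (not part of the original article and not Huawei VRP code) that models the YL and XIAN configurations with the values shown above and checks both points; the ACL tuples and the "plain" path label are constructed for the illustration.

```python
import ipaddress

# Constructed models of the two manual IPsec policies configured above
# (added example; the values are the ones from the YL and XIAN configurations).
YL = dict(local="1.1.1.1", remote="2.2.2.1", spi_in=12345, spi_out=54321,
          key_in="huawei.com", key_out="huawei.com", proposal=("aes-128", "sha2-256"),
          acl=("192.168.1.0/24", "192.168.2.0/24"))
XIAN = dict(local="2.2.2.1", remote="1.1.1.1", spi_in=54321, spi_out=12345,
            key_in="huawei.com", key_out="huawei.com", proposal=("aes-128", "sha2-256"),
            acl=("192.168.2.0/24", "192.168.1.0/24"))

def check_manual_sa_pair(a, b):
    """Return the mismatches between two manually keyed peers (empty list = consistent).
    Inbound values on one side must equal outbound values on the other; tunnel endpoints
    and security ACLs must be mirrored; the ESP algorithms must be identical."""
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints not mirrored")
    if (a["spi_in"], a["spi_out"]) != (b["spi_out"], b["spi_in"]):
        problems.append("SPIs not mirrored")
    if (a["key_in"], a["key_out"]) != (b["key_out"], b["key_in"]):
        problems.append("string keys not mirrored")
    if a["proposal"] != b["proposal"]:
        problems.append("ESP algorithms differ")
    if a["acl"] != tuple(reversed(b["acl"])):
        problems.append("security ACLs not mirrored")
    return problems

# YL's ACL 3000 (NAT) and ACL 3001 (IPsec) as (action, source, destination) tuples.
YL_NAT_ACL = [("deny", "0.0.0.0/0", "192.168.2.0/24"),
              ("permit", "192.168.1.0/24", "0.0.0.0/0")]
YL_IPSEC_ACL = [("permit", "192.168.1.0/24", "192.168.2.0/24")]

def first_match(acl, src, dst):
    """First-match ACL evaluation: action of the first matching rule, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None

def yl_egress_path(src, dst):
    """Classify a packet leaving YL's GE0/0/0 as 'nat', 'ipsec' or 'plain'.
    NAT is consulted first, so without the deny rule the branch-bound traffic would be
    translated and its new source would no longer match ACL 3001."""
    if first_match(YL_NAT_ACL, src, dst) == "permit":
        return "nat"
    return "ipsec" if first_match(YL_IPSEC_ACL, src, dst) == "permit" else "plain"
```

Dropping the deny rule (`YL_NAT_ACL[1:]`) makes the branch-bound flow match the NAT permit, which is the misconfiguration the deny rule in both ACL 3000 definitions prevents.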
Test
Packet capture test
Reviewing editor: 劉清
Original title: A worked example of Huawei routers providing headquarters-to-branch private network communication over IPsec
Source: [WeChat ID: 網(wǎng)絡技術干貨圈, WeChat official account: 網(wǎng)絡技術干貨圈] You are welcome to follow! Please credit the source when republishing.