The headquarters and the two branches are connected over IPsec VPN, and Branch 1 and Branch 2 must reach each other through the headquarters IPsec VPN (for testing, Branch 1 and Branch 2 must ping at the same time so that the interesting traffic is triggered).
Headquarters configuration
Interface configuration:
interface GigabitEthernet0/1
 ip address 1.1.1.2 255.255.255.252
 ipsec apply policy idc
ACL configuration for the interesting traffic:
acl advanced 3005 (interesting traffic between headquarters and Branch 1)
 rule 1 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // Branch 2 to Branch 1
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // headquarters to Branch 1
acl advanced 3009 (interesting traffic between headquarters and Branch 2)
 rule 1 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 // Branch 1 to Branch 2
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 // headquarters to Branch 2
Shared configuration:
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha256
Configuration for Branch 1 on the headquarters:
ike keychain fenzhi_1
 pre-shared-key hostname fenzhi_1 key cipher $c$3$17qIYFtCHXAMt5U2ljnoyIVyz4K7cEh89+oI
ike profile fenzhi_1
 keychain fenzhi_1
 exchange-mode aggressive
 local-identity fqdn idc
 match remote identity fqdn fenzhi_1
 proposal 1 // added here to bind the shared IKE proposal 1 explicitly, as the Branch 2 profile below does
ipsec policy-template fenzhi_1 1
 transform-set tran1
 security acl 3005
 ike-profile fenzhi_1
ipsec policy idc 1 isakmp template fenzhi_1
Configuration for Branch 2 on the headquarters:
ike keychain fenzhi_2
 pre-shared-key hostname fenzhi_2 key cipher $c$3$IvFLho69ketSeD0h3YJliwxEJeXt1jHVotbb
ike profile fenzhi_2
 keychain fenzhi_2
 exchange-mode aggressive
 local-identity fqdn idc
 match remote identity fqdn fenzhi_2
 proposal 1
ipsec policy-template fenzhi_2 1
 transform-set tran1
 security acl 3009
 ike-profile fenzhi_2
ipsec policy idc 2 isakmp template fenzhi_2
VPN configuration on Branch 2:
interface GigabitEthernet0/0
 ipsec apply policy fenzhi_2
Interesting traffic:
acl advanced 3005
 rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 // to headquarters
 rule 1 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // to Branch 1
ipsec transform-set tran1 // IPsec transform set
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
ike identity fqdn fenzhi_2 // local FQDN identity
ike proposal 1 // IKE proposal
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha256
ike keychain fenzhi_2 // IKE peer
 pre-shared-key address 1.1.1.2 255.255.255.252 key cipher $c$3$QRgyTxGfARrXuUD+q/wXU2IkUxzzgYJvzpIE
ike profile fenzhi_2
 keychain fenzhi_2
 exchange-mode aggressive
 local-identity fqdn fenzhi_2
 match remote identity fqdn idc
 proposal 1
ipsec policy fenzhi_2 1 isakmp // IPsec policy
 transform-set tran1
 security acl 3005
 remote-address 1.1.1.2
 ike-profile fenzhi_2
Branch 1 configuration omitted.
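As an added example (not part of the original post), a small Python checker that parses the Comware ACL rules listed above and verifies the two conditions that make branch-to-branch traffic through the headquarters work: every flow in a branch's ACL must appear mirrored in the headquarters template bound to that branch, and a flow whose destination is the other branch's LAN must also be selected by the headquarters template bound to that other branch. The spoke names, the LAN-to-spoke mapping and the function names are assumptions derived from the configuration on this page.

```python
import ipaddress
import re

# Constructed from the ACLs on this page (Branch 1's own ACL is omitted there).
HUB_3005 = """rule 1 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255"""
HUB_3009 = """rule 1 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255"""
SPOKE2_3005 = """rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 1 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255"""
# Assumed mapping of spoke name -> LAN behind it, taken from the subnets used above.
SPOKE_LANS = {"fenzhi_1": ipaddress.ip_network("192.168.20.0/24"),
              "fenzhi_2": ipaddress.ip_network("192.168.30.0/24")}

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_acl(text):
    """Return the set of (src, dst) networks selected by Comware 'permit ip' rules."""
    flows = set()
    for m in RULE_RE.finditer(text):
        # Comware wildcard masks are hostmasks, which ipaddress accepts after '/'.
        flows.add((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                   ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return flows

def check_spoke(spoke, spoke_flows, hub_templates):
    """List the hub-side gaps that would leave a spoke flow without a matching SA."""
    problems = []
    for src, dst in sorted(spoke_flows, key=str):
        # 1. The hub template facing this spoke must carry the mirror image of the
        #    flow, otherwise the hub rejects the spoke's proposed traffic selectors.
        if (dst, src) not in hub_templates[spoke]:
            problems.append(f"hub template {spoke} lacks mirror {dst} -> {src}")
        # 2. A spoke-to-spoke flow must also be selected by the template facing the
        #    other spoke, or the hub has no tunnel into which to forward it.
        for other, lan in SPOKE_LANS.items():
            if other != spoke and dst == lan and (src, dst) not in hub_templates[other]:
                problems.append(f"hub template {other} lacks forward flow {src} -> {dst}")
    return problems

def run_check(hub_3005=HUB_3005, hub_3009=HUB_3009, spoke2=SPOKE2_3005):
    """Check Branch 2's ACL against the headquarters templates (defaults: this page)."""
    hub = {"fenzhi_1": parse_acl(hub_3005), "fenzhi_2": parse_acl(hub_3009)}
    return check_spoke("fenzhi_2", parse_acl(spoke2), hub)

if __name__ == "__main__":
    print(run_check() or "Branch 2 ACL is consistent with the headquarters templates")
```

Removing rule 1 from either headquarters ACL makes the checker report the missing mirror or forward flow, which is the gap that breaks the Branch 2 to Branch 1 path while the Branch 2 to headquarters path still works.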
https://zhiliao.h3c.com/Theme/details/5374