关于MSR3600系列路由器的IPSEC、IKEV2组网配置问题
- 0关注
- 0收藏,63浏览
以下是参考典型案例格式,针对总公司、分公司 1(固定 IP)、分公司 2(动态 IP)的 H3C MSR 3600 设备配置 IKEv2 IPsec 的命令,外网接口均为GigabitEthernet 0/27:
一、总公司设备配置(外网 IP:59.45.1.1,内网:10.101.0.0/16)
1. 配置接口 IP 地址
cli
<H3C> system-view
[H3C] sysname HQ
[HQ] interface GigabitEthernet 0/27
[HQ-GigabitEthernet0/27] ip address 59.45.1.1 255.255.255.0 // 外网固定IP
[HQ-GigabitEthernet0/27] undo shutdown
[HQ-GigabitEthernet0/27] quit
[HQ] interface Vlan-interface 1 // 内网网关接口(根据实际调整)
[HQ-Vlan-interface1] ip address 10.101.0.254 255.255.0.0
[HQ-Vlan-interface1] undo shutdown
[HQ-Vlan-interface1] quit
2. 配置 ACL 定义受保护数据流(总公司↔分公司 1、分公司 2)
cli
// 总公司↔分公司1的数据流
[HQ] acl advanced 3101
[HQ-acl-ipv4-adv-3101] rule permit ip source 10.101.0.0 0.0.255.255 destination 10.20.0.0 0.0.255.255
[HQ-acl-ipv4-adv-3101] quit
// 总公司↔分公司2的数据流
[HQ] acl advanced 3102
[HQ-acl-ipv4-adv-3102] rule permit ip source 10.101.0.0 0.0.255.255 destination 10.200.0.0 0.0.255.255
[HQ-acl-ipv4-adv-3102] quit
3. 创建 IPsec 安全提议
cli
[HQ] ipsec transform-set tran1
[HQ-ipsec-transform-set-tran1] encapsulation-mode tunnel // 隧道模式
[HQ-ipsec-transform-set-tran1] protocol esp // 采用ESP协议
[HQ-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256 // 加密算法
[HQ-ipsec-transform-set-tran1] esp authentication-algorithm sha256 // 认证算法
[HQ-ipsec-transform-set-tran1] quit
4. 配置 IKEv2 keychain(预共享密钥管理)
cli
[HQ] ikev2 keychain keychain1
// 分公司1的对端配置(固定IP:60.20.1.2)
[HQ-ikev2-keychain-keychain1] peer peer_branch1
[HQ-ikev2-keychain-keychain1-peer-peer_branch1] address 60.20.1.2 32 // 对端IP(32位掩码精确匹配)
[HQ-ikev2-keychain-keychain1-peer-peer_branch1] identity address 60.20.1.2 // 对端身份标识
[HQ-ikev2-keychain-keychain1-peer-peer_branch1] pre-shared-key cipher example@123 // 预共享密钥
[HQ-ikev2-keychain-keychain1-peer-peer_branch1] quit
// 分公司2的对端配置(动态IP,匹配任意地址)
[HQ-ikev2-keychain-keychain1] peer peer_branch2
[HQ-ikev2-keychain-keychain1-peer-peer_branch2] address 0.0.0.0 0 // 动态IP,匹配所有地址
[HQ-ikev2-keychain-keychain1-peer-peer_branch2] identity fqdn ***.*** // 动态IP用FQDN标识(分公司2需对应配置)
[HQ-ikev2-keychain-keychain1-peer-peer_branch2] pre-shared-key cipher example@123 // 统一预共享密钥
[HQ-ikev2-keychain-keychain1-peer-peer_branch2] quit
[HQ-ikev2-keychain-keychain1] quit
5. 创建 IKEv2 profile(关联 keychain 和认证方式)
cli
[HQ] ikev2 profile profile1
[HQ-ikev2-profile-profile1] authentication-method local pre-share // 本端预共享密钥认证
[HQ-ikev2-profile-profile1] authentication-method remote pre-share // 对端预共享密钥认证
[HQ-ikev2-profile-profile1] keychain keychain1 // 引用keychain
// 匹配分公司1身份(IP地址)
[HQ-ikev2-profile-profile1] match remote identity address 60.20.1.2 32
// 匹配分公司2身份(FQDN)
[HQ-ikev2-profile-profile1] match remote identity fqdn ***.***
[HQ-ikev2-profile-profile1] quit
6. 创建 IPsec 策略(关联 ACL、提议、IKEv2 profile)
cli
// 与分公司1的IPsec策略(固定IP对固定IP)
[HQ] ipsec policy policy_branch1 10 isakmp
[HQ-ipsec-policy-isakmp-policy_branch1-10] remote-address 60.20.1.2 // 分公司1外网IP
[HQ-ipsec-policy-isakmp-policy_branch1-10] security acl 3101 // 引用分公司1的ACL
[HQ-ipsec-policy-isakmp-policy_branch1-10] transform-set tran1 // 引用安全提议
[HQ-ipsec-policy-isakmp-policy_branch1-10] ikev2-profile profile1 // 引用IKEv2 profile
[HQ-ipsec-policy-isakmp-policy_branch1-10] quit
// 与分公司2的IPsec策略(固定IP对动态IP)
[HQ] ipsec policy policy_branch2 20 isakmp
[HQ-ipsec-policy-isakmp-policy_branch2-20] security acl 3102 // 引用分公司2的ACL
[HQ-ipsec-policy-isakmp-policy_branch2-20] transform-set tran1
[HQ-ipsec-policy-isakmp-policy_branch2-20] ikev2-profile profile1
[HQ-ipsec-policy-isakmp-policy_branch2-20] quit // 动态IP不指定remote-address
7. 在外网接口应用 IPsec 策略
cli
[HQ] interface GigabitEthernet 0/27
[HQ-GigabitEthernet0/27] ipsec apply policy policy_branch1
[HQ-GigabitEthernet0/27] ipsec apply policy policy_branch2
[HQ-GigabitEthernet0/27] quit
8. 配置静态路由(指向分公司内网)
cli
[HQ] ip route-static 10.20.0.0 255.255.0.0 GigabitEthernet 0/27 60.20.1.2 // 分公司1内网
[HQ] ip route-static 10.200.0.0 255.255.0.0 GigabitEthernet 0/27 // 分公司2内网(动态IP无需指定下一跳)
二、分公司 1 设备配置(外网 IP:60.20.1.2,内网:10.20.0.0/16)
1. 配置接口 IP 地址
cli
<H3C> system-view
[H3C] sysname Branch1
[Branch1] interface GigabitEthernet 0/27
[Branch1-GigabitEthernet0/27] ip address 60.20.1.2 255.255.255.0
[Branch1-GigabitEthernet0/27] undo shutdown
[Branch1-GigabitEthernet0/27] quit
[Branch1] interface Vlan-interface 1
[Branch1-Vlan-interface1] ip address 10.20.0.254 255.255.0.0
[Branch1-Vlan-interface1] undo shutdown
[Branch1-Vlan-interface1] quit
2. 配置 ACL 定义受保护数据流(分公司 1↔总公司)
cli
[Branch1] acl advanced 3101
[Branch1-acl-ipv4-adv-3101] rule permit ip source 10.20.0.0 0.0.255.255 destination 10.101.0.0 0.0.255.255
[Branch1-acl-ipv4-adv-3101] quit
3. 创建 IPsec 安全提议(与总公司一致)
cli
[Branch1] ipsec transform-set tran1
[Branch1-ipsec-transform-set-tran1] encapsulation-mode tunne
[该消息未完整显示,消息长度超出了限制]
该消息未完整显示,消息长度超出了限制,我如何能看到后面的命令?
十分感谢!但是后续的命令超出限制,我看部到了。能给补充一下吗!谢谢!!!
三、分公司 2 设备配置(动态 IP,内网:10.200.0.0/16) 1. 配置接口 IP 地址(外网动态获取) cli <H3C> system-view [H3C] sysname Branch2 [Branch2] interface GigabitEthernet 0/27 [Branch2-GigabitEthernet0/27] ip address dhcp-alloc // 动态获取外网IP [Branch2-GigabitEthernet0/27] undo shutdown [Branch2-GigabitEthernet0/27] quit [Branch2] interface Vlan-interface 1 [Branch2-Vlan-interface1] ip address 10.200.0.254 255.255.0.0 [Branch2-Vlan-interface1] undo shutdown [Branch2-Vlan-interface1] quit 2. 配置 ACL 定义受保护数据流(分公司 2↔总公司) cli [Branch2] acl advanced 3101 [Branch2-acl-ipv4-adv-3101] rule permit ip source 10.200.0.0 0.0.255.255 destination 10.101.0.0 0.0.255.255 [Branch2-acl-ipv4-adv-3101] quit 3. 创建 IPsec 安全提议(与总公司一致) cli [Branch2] ipsec transform-set tran1 [Branch2-ipsec-transform-set-tran1] encapsulation-mode tunnel [Branch2-ipsec-transform-set-tran1] protocol esp [Branch2-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256 [Branch2-ipsec-transform-set-tran1] esp authentication-algorithm sha256 [Branch2-ipsec-transform-set-tran1] quit 4. 配置 IKEv2 keychain(匹配总公司身份) cli [Branch2] ikev2 keychain keychain1 [Branch2-ikev2-keychain-keychain1] peer peer_hq [Branch2-ikev2-keychain-keychain1-peer-peer_hq] address 59.45.1.1 32 // 总公司外网IP [Branch2-ikev2-keychain-keychain1-peer-peer_hq] identity address 59.45.1.1 // 总公司身份标识 [Branch2-ikev2-keychain-keychain1-peer-peer_hq] pre-shared-key cipher example@123 [Branch2-ikev2-keychain-keychain1-peer-peer_hq] quit [Branch2-ikev2-keychain-keychain1] quit 5. 创建 IKEv2 profile(指定本端 FQDN 身份) cli [Branch2] ikev2 profile profile1 [Branch2-ikev2-profile-profile1] authentication-method local pre-share [Branch2-ikev2-profile-profile1] authentication-method remote pre-share [Branch2-ikev2-profile-profile1] keychain keychain1 [Branch2-ikev2-profile-profile1] local-identity fqdn ***.*** // 与总公司匹配的FQDN [Branch2-ikev2-profile-profile1] match remote identity address 59.45.1.1 32 // 匹配总公司身份 [Branch2-ikev2-profile-profile1] quit 6. 创建 IPsec 策略(主动指向总公司) cli [Branch2] ipsec policy policy_hq 10 isakmp [Branch2-ipsec-policy-isakmp-policy_hq-10] remote-address 59.45.1.1 // 总公司固定IP(必须指定以主动发起) [Branch2-ipsec-policy-isakmp-policy_hq-10] security acl 3101 [Branch2-ipsec-policy-isakmp-policy_hq-10] transform-set tran1 [Branch2-ipsec-policy-isakmp-policy_hq-10] ikev2-profile profile1 [Branch2-ipsec-policy-isakmp-policy_hq-10] quit 7. 在外网接口应用 IPsec 策略 cli [Branch2] interface GigabitEthernet 0/27 [Branch2-GigabitEthernet0/27] ipsec apply policy policy_hq [Branch2-GigabitEthernet0/27] quit 8. 配置路由(默认路由 + 指向总公司内网) cli [Branch2] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/27 // 默认路由(通过DHCP获取网关) [Branch2] ip route-static 10.101.0.0 255.255.0.0 GigabitEthernet 0/27 59.45.1.1 // 总公司内网 验证命令 查看 IKEv2 会话:display ikev2 sa 查看 IPsec 安全联盟:display ipsec sa 测试连通性:ping 对端内网IP(如总公司 ping 10.20.0.1 或 10.200.0.1)
三、分公司 2 设备配置(动态 IP,内网:10.200.0.0/16) 1. 配置接口 IP 地址(外网动态获取) cli <H3C> system-view [H3C] sysname Branch2 [Branch2] interface GigabitEthernet 0/27 [Branch2-GigabitEthernet0/27] ip address dhcp-alloc // 动态获取外网IP [Branch2-GigabitEthernet0/27] undo shutdown [Branch2-GigabitEthernet0/27] quit [Branch2] interface Vlan-interface 1 [Branch2-Vlan-interface1] ip address 10.200.0.254 255.255.0.0 [Branch2-Vlan-interface1] undo shutdown [Branch2-Vlan-interface1] quit 2. 配置 ACL 定义受保护数据流(分公司 2↔总公司) cli [Branch2] acl advanced 3101 [Branch2-acl-ipv4-adv-3101] rule permit ip source 10.200.0.0 0.0.255.255 destination 10.101.0.0 0.0.255.255 [Branch2-acl-ipv4-adv-3101] quit 3. 创建 IPsec 安全提议(与总公司一致) cli [Branch2] ipsec transform-set tran1 [Branch2-ipsec-transform-set-tran1] encapsulation-mode tunnel [Branch2-ipsec-transform-set-tran1] protocol esp [Branch2-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256 [Branch2-ipsec-transform-set-tran1] esp authentication-algorithm sha256 [Branch2-ipsec-transform-set-tran1] quit 4. 配置 IKEv2 keychain(匹配总公司身份) cli [Branch2] ikev2 keychain keychain1 [Branch2-ikev2-keychain-keychain1] peer peer_hq [Branch2-ikev2-keychain-keychain1-peer-peer_hq] address 59.45.1.1 32 // 总公司外网IP [Branch2-ikev2-keychain-keychain1-peer-peer_hq] identity address 59.45.1.1 // 总公司身份标识 [Branch2-ikev2-keychain-keychain1-peer-peer_hq] pre-shared-key cipher example@123 [Branch2-ikev2-keychain-keychain1-peer-peer_hq] quit [Branch2-ikev2-keychain-keychain1] quit 5. 创建 IKEv2 profile(指定本端 FQDN 身份) cli [Branch2] ikev2 profile profile1 [Branch2-ikev2-profile-profile1] authentication-method local pre-share [Branch2-ikev2-profile-profile1] authentication-method remote pre-share [Branch2-ikev2-profile-profile1] keychain keychain1 [Branch2-ikev2-profile-profile1] local-identity fqdn ***.*** // 与总公司匹配的FQDN [Branch2-ikev2-profile-profile1] match remote identity address 59.45.1.1 32 // 匹配总公司身份 [Branch2-ikev2-profile-profile1] quit 6. 创建 IPsec 策略(主动指向总公司) cli [Branch2] ipsec policy policy_hq 10 isakmp [Branch2-ipsec-policy-isakmp-policy_hq-10] remote-address 59.45.1.1 // 总公司固定IP(必须指定以主动发起) [Branch2-ipsec-policy-isakmp-policy_hq-10] security acl 3101 [Branch2-ipsec-policy-isakmp-policy_hq-10] transform-set tran1 [Branch2-ipsec-policy-isakmp-policy_hq-10] ikev2-profile profile1 [Branch2-ipsec-policy-isakmp-policy_hq-10] quit 7. 在外网接口应用 IPsec 策略 cli [Branch2] interface GigabitEthernet 0/27 [Branch2-GigabitEthernet0/27] ipsec apply policy policy_hq [Branch2-GigabitEthernet0/27] quit 8. 配置路由(默认路由 + 指向总公司内网) cli [Branch2] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/27 // 默认路由(通过DHCP获取网关) [Branch2] ip route-static 10.101.0.0 255.255.0.0 GigabitEthernet 0/27 59.45.1.1 // 总公司内网 验证命令 查看 IKEv2 会话:display ikev2 sa 查看 IPsec 安全联盟:display ipsec sa 测试连通性:ping 对端内网IP(如总公司 ping 10.20.0.1 或 10.200.0.1)
麻烦你把公司1的配置完整的发给我一下。谢谢!!
分公司1 的配置不完整,步骤有缺失。。。
Unsupported critical payload: 0 Invalid IKE SPI: 0 Invalid major version: 0 Invalid syntax: 72 Invalid message ID: 0 Invalid SPI: 0 No proposal chosen: 115 Invalid KE payload: 198 Authentication failed: 0 Single pair required: 0 TS unacceptable: 0 Invalid selectors: 0 Temporary failure: 0 No child SA: 0 Unknown other notify: 0 No enough resource: 0 Enqueue error: 0 No IKEv2 SA: 172 Packet error: 9 Other error: 0 Retransmit timeout: 0 DPD detect error: 0 Del child for IPsec message: 0 Del child for deleting IKEv2 SA: 0 Del child for receiving delete message: 0
仍无法访问啊
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
仍无法访问啊