【HCL】ipsec over gre配置

HCL】ipsec over gre配置"/>

【HCL】ipsec over gre配置

H3C要考。

配置要求：

交换机用于模拟互联网，只在端口写了IP地址。

环回口模拟两个私网，ipsec用于保护私网数据。

配置思路：

1、配置互联网静态路由。

2、配置通道口及通道口路由。

3、配置匹配私网的ACL。

4、配置ike keychain，对端地址是对端的通道口IP。

5、配置ike profile，对端地址是对端的通道口IP。

6、配置ipsec transform-set，这里采用md5认证及3des加密。

7、配置ipsec policy，应用私网ACL、ike profile和transform-set，对端地址是对端的通道口IP。

8、在通道口上应用ipsec policy。

R1配置

#
interface LoopBack0ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0port link-mode routecombo enable copperip address 100.0.0.1 255.255.255.0
#
interface Tunnel0 mode greip address 1.1.1.1 255.255.252.0source 100.0.0.1destination 200.0.0.1ipsec apply policy 1
#ip route-static 0.0.0.0 0 100.0.0.2ip route-static 20.0.0.0 24 Tunnel0
#
acl advanced 3000rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 20.0.0.0 0.0.0.255
#
ipsec transform-set 1esp encryption-algorithm 3des-cbcesp authentication-algorithm md5
#
ipsec policy 1 10 isakmptransform-set 1security acl 3000remote-address 1.1.2.1ike-profile 1
#
ike profile 1keychain 1match remote identity address 1.1.2.1 255.255.255.255
#
ike keychain 1pre-shared-key address 1.1.2.1 255.255.255.255 key cipher $c$3$QpqnNYueJHKJzuuJREDThhLaMY9DyA==

R2配置

#
interface LoopBack0ip address 20.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0port link-mode routecombo enable copperip address 200.0.0.1 255.255.255.0
#
interface Tunnel0 mode greip address 1.1.2.1 255.255.252.0source 200.0.0.1destination 100.0.0.1ipsec apply policy 1
#ip route-static 0.0.0.0 0 200.0.0.2ip route-static 10.0.0.0 24 Tunnel0
#
acl advanced 3000rule 5 permit ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec transform-set 1esp encryption-algorithm 3des-cbcesp authentication-algorithm md5
#
ipsec policy 1 10 isakmptransform-set 1security acl 3000remote-address 1.1.1.1ike-profile 1
#
ike profile 1keychain 1match remote identity address 1.1.1.1 255.255.255.255
#
ike keychain 1pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$wc4hVqyQoSHQsYUvSXPjg3HWlosJcA==
#
return