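[HCL] IPsec over GRE configuration
This is on the H3C exam.
Configuration requirements:
A switch simulates the Internet; only IP addresses are configured on its ports.
Loopback interfaces simulate two private networks; IPsec protects the private-network traffic.
Configuration approach:
1. Configure the static routes toward the Internet.
2. Configure the tunnel interface and the routes through the tunnel interface.
3. Configure an ACL that matches the private networks.
4. Configure the IKE keychain; the peer address is the peer's tunnel interface IP.
5. Configure the IKE profile; the peer address is the peer's tunnel interface IP.
6. Configure the IPsec transform-set; MD5 authentication and 3DES encryption are used here.
7. Configure the IPsec policy, referencing the private-network ACL, the IKE profile and the transform-set; the peer address is the peer's tunnel interface IP.
8. Apply the IPsec policy on the tunnel interface.
R1 configuration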
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 100.0.0.1 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 1.1.1.1 255.255.252.0
 source 100.0.0.1
 destination 200.0.0.1
 ipsec apply policy 1
#
 ip route-static 0.0.0.0 0 100.0.0.2
 ip route-static 20.0.0.0 24 Tunnel0
#
acl advanced 3000
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 20.0.0.0 0.0.0.255
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy 1 10 isakmp
 transform-set 1
 security acl 3000
 remote-address 1.1.2.1
 ike-profile 1
#
ike profile 1
 keychain 1
 match remote identity address 1.1.2.1 255.255.255.255
#
ike keychain 1
 pre-shared-key address 1.1.2.1 255.255.255.255 key cipher $c$3$QpqnNYueJHKJzuuJREDThhLaMY9DyA==
R2 configuration
#
interface LoopBack0
 ip address 20.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 200.0.0.1 255.255.255.0
#
interface Tunnel0 mode gre
 ip address 1.1.2.1 255.255.252.0
 source 200.0.0.1
 destination 100.0.0.1
 ipsec apply policy 1
#
 ip route-static 0.0.0.0 0 200.0.0.2
 ip route-static 10.0.0.0 24 Tunnel0
#
acl advanced 3000
 rule 5 permit ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy 1 10 isakmp
 transform-set 1
 security acl 3000
 remote-address 1.1.1.1
 ike-profile 1
#
ike profile 1
 keychain 1
 match remote identity address 1.1.1.1 255.255.255.255
#
ike keychain 1
 pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$wc4hVqyQoSHQsYUvSXPjg3HWlosJcA==
#
return
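The steps above require the two routers to agree: each side's keychain, IKE profile and policy must point at the other side's tunnel interface IP, and the two ACLs must mirror each other. The following check is an added example, not part of the original post; it tests those conditions and flags the MD5/3DES transform-set. The names `TEMPLATE`, `fields`, `audit` and `WEAK` are introduced here, and the sample config is constructed from the page's values with the pre-shared key omitted.

```python
import re

# Constructed sample: the IPsec-relevant lines of the page's config as a template.
TEMPLATE = """\
interface Tunnel0 mode gre
 ip address {tun} 255.255.252.0
 ipsec apply policy 1
#
acl advanced 3000
 rule 5 permit ip source {lan} 0.0.0.255 destination {peer_lan} 0.0.0.255
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy 1 10 isakmp
 remote-address {peer_tun}
#
ike profile 1
 match remote identity address {peer_tun} 255.255.255.255
#
ike keychain 1
 pre-shared-key address {peer_tun} 255.255.255.255 key cipher <omitted>
"""
R1 = TEMPLATE.format(tun="1.1.1.1", lan="10.0.0.0", peer_lan="20.0.0.0", peer_tun="1.1.2.1")
R2 = TEMPLATE.format(tun="1.1.2.1", lan="20.0.0.0", peer_lan="10.0.0.0", peer_tun="1.1.1.1")

# Assumption: algorithms this check flags (RFC 8221 deprecates them for ESP).
WEAK = {"md5", "des-cbc", "3des-cbc"}

def fields(cfg):
    """Pull out the values that steps 3-7 require to agree between the two routers."""
    return {
        "tun": re.search(r"^interface Tunnel0.*\n ip address (\S+)", cfg, re.M).group(1),
        "acl": re.search(r"permit ip source (\S+) \S+ destination (\S+)", cfg).groups(),
        "peers": set(re.findall(r"(?:remote-address|identity address|pre-shared-key address) (\S+)", cfg)),
        "algs": set(re.findall(r"-algorithm (\S+)", cfg)),
    }

def audit(local, peer):
    """Return a list of problems in `local` when checked against `peer`."""
    a, b = fields(local), fields(peer)
    issues = []
    if a["peers"] != {b["tun"]}:
        issues.append("peer address is not the peer's tunnel IP")
    if a["acl"] != b["acl"][::-1]:
        issues.append("ACLs are not mirror images")
    issues += [f"weak algorithm: {x}" for x in sorted(a["algs"] & WEAK)]
    return issues
```

Calling `audit(R1, R2)` on the page's values reports only the two weak algorithms; pointing the peer address at the public IP instead of the tunnel IP adds the peer-address finding.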