huaweiFW1
Basic configuration:
sysname huaweiFW1
interface GigabitEthernet0/0/1
ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/0
ip address 202.100.1.10 255.255.255.0
quit
firewall zone trust
add interface GigabitEthernet0/0/1
quit
firewall zone untrust
add interface GigabitEthernet0/0/0
quit
Configure inter-zone access: allow trust and untrust, and untrust and local, to reach each other
policy interzone local untrust inbound
policy 0
action permit
quit
quit
policy interzone trust untrust inbound
policy 1
action permit
quit
quit
policy interzone trust untrust outbound
policy 1
action permit
quit
quit
Define the traffic to be protected
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
quit
Configure the IKE proposal
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
integrity-algorithm hmac-sha1-96
encryption-algorithm 3des-cbc
quit
Configure the IPsec proposal, named mypro
ipsec proposal mypro
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
Configure the IKE peer, named b
ike peer b
pre-shared-key hcies
ike-proposal 10
remote-address 202.100.1.20
quit
Configure the IPsec policy: mymap
ipsec policy mymap 10 isakmp
security acl 3000
ike-peer b
proposal mypro
quit
Apply the IPsec policy on the interface:
interface GigabitEthernet0/0/0
ipsec policy mymap
huaweiFW2
Basic configuration:
sysname huaweiFW2
interface GigabitEthernet0/0/1
ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/0
ip address 202.100.1.20 255.255.255.0
quit
firewall zone trust
add interface GigabitEthernet0/0/1
quit
firewall zone untrust
add interface GigabitEthernet0/0/0
quit
Configure inter-zone access: allow trust and untrust, and untrust and local, to reach each other
policy interzone local untrust inbound
policy 0
action permit
quit
quit
policy interzone trust untrust inbound
policy 1
action permit
quit
quit
policy interzone trust untrust outbound
policy 1
action permit
quit
quit
Define the traffic to be protected
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
quit
Configure the IKE proposal
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
integrity-algorithm hmac-sha1-96
encryption-algorithm 3des-cbc
quit
Configure the IPsec proposal, named mypro
ipsec proposal mypro
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
Configure the IKE peer, named a (the remote address is huaweiFW1's untrust-side address)
ike peer a
pre-shared-key hcies
ike-proposal 10
remote-address 202.100.1.10
quit
Configure the IPsec policy: mymap
ipsec policy mymap 10 isakmp
security acl 3000
ike-peer a
proposal mypro
quit
Apply the IPsec policy on the interface:
interface GigabitEthernet0/0/0
ipsec policy mymap
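A consistency check over the two peer configurations, added here as an example and not part of the original notes: it pulls the fields that must agree on both ends (untrust-side address, remote-address, mirrored ACL, pre-shared key, proposal algorithms) out of constructed, abridged copies of the configs above and reports mismatches, including the remote-address copy-paste slip that the huaweiFW2 config originally carried. The parser and the check are my own assumptions about the command syntax, not a vendor tool.

```python
import re
# Constructed sample configs, abridged from the two firewalls above; FW2 keeps the slip of pointing remote-address at itself.
FW1 = """interface GigabitEthernet0/0/0
 ip address 202.100.1.10 255.255.255.0
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
ike proposal 10
 encryption-algorithm 3des-cbc
ike peer b
 pre-shared-key hcies
 remote-address 202.100.1.20
"""
FW2 = FW1.replace("202.100.1.10", "202.100.1.20").replace(
    "192.168.1.0 0.0.0.255 destination 172.16.1.0", "172.16.1.0 0.0.0.255 destination 192.168.1.0")

def parse_fw(cfg):
    # Collect the fields that must agree between the two IPsec peers.
    f, iface = {"algs": []}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface == "GigabitEthernet0/0/0":
            f["public_ip"] = line.split()[2]          # the untrust-side address
        elif " permit ip source " in line:
            p = line.split()
            f["acl"] = (p[5], p[8])                   # (local subnet, remote subnet)
        elif line.startswith("pre-shared-key "):
            f["psk"] = line.split(None, 1)[1]
        elif line.startswith("remote-address "):
            f["remote"] = line.split()[1]
        elif re.match(r"(esp )?(authentication|integrity|encryption)-algorithm", line):
            f["algs"].append(line)                    # IKE and IPsec proposal algorithms
    return f

def check_pair(cfg_a, cfg_b):
    # Return the mismatches that would keep the tunnel from coming up.
    a, b = parse_fw(cfg_a), parse_fw(cfg_b)
    problems = []
    if a.get("remote") != b.get("public_ip"):
        problems.append("FW1 remote-address %s is not FW2's public IP %s" % (a.get("remote"), b.get("public_ip")))
    if b.get("remote") != a.get("public_ip"):
        problems.append("FW2 remote-address %s is not FW1's public IP %s" % (b.get("remote"), a.get("public_ip")))
    if a.get("acl") != b.get("acl", ())[::-1]:       # the ACLs must be mirror images
        problems.append("ACL 3000 on FW2 does not mirror ACL 3000 on FW1")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared keys differ")
    if a["algs"] != b["algs"]:
        problems.append("IKE/IPsec proposal algorithms differ")
    return problems
```

Running check_pair(FW1, FW2) flags only the remote-address on FW2; once that line points at 202.100.1.10 the check returns an empty list.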
AR1
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.1.10
AR2
interface GigabitEthernet0/0/0
ip address 172.16.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.1.10
View AR1 interfaces and routes
View AR2 interfaces and routes:
huaweiFW1 interfaces and routes
huaweiFW2 interfaces and routes
View IKE information
View IPsec information
View IPsec status
View IPsec SA information