H3C and Cisco IPsec interoperation

H3C configuration

 system-view
[RouterA] acl advanced 3101          # ACL 3101 selects the traffic to protect: 3.3.3.0/24 -> 192.168.1.0/24. The Cisco side must carry the exact mirror image.
[RouterA-acl-ipv4-adv-3101] rule permit ip source 3.3.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterA-acl-ipv4-adv-3101] quit
[RouterA] ip route-static 3.3.3.0 255.255.255.0 12.1.1.2   # Static route to the Host B subnet. 12.1.1.2 is the directly connected next hop in this example; use the next hop of your own topology.
# Check before copying: the only RouterA interface shown below is 23.1.1.3/24, so 12.1.1.2 is not a directly connected next hop in the configuration as posted, and 3.3.3.0/24 is the source (local) side of ACL 3101. Reconcile the route and the ACL with your actual topology.

[RouterA] ipsec transform-set tran1      # Create the IPsec transform set tran1.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel   # Encapsulate protected IP packets in tunnel mode.
[RouterA-ipsec-transform-set-tran1] protocol esp          # Use ESP as the security protocol.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm 3des-cbc            # ESP encryption 3des-cbc and ESP authentication md5, matching the Cisco transform set esp-3des esp-md5-hmac.
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm md5
[RouterA-ipsec-transform-set-tran1] pfs dh-group2          # Require PFS with DH group 2 for the IPsec SA. Configure the same group on the Cisco crypto map (set pfs group2); a PFS mismatch is a common cause of phase 2 failure.
[RouterA-ipsec-transform-set-tran1] quit
# 3DES, MD5 and DH group 2 are legacy parameters kept here only because the posted example uses them. Where both platforms support it, prefer AES, SHA-2 and DH group 14 or higher on both ends.

[RouterA] ike keychain keychain1         # Create the IKE keychain keychain1.
[RouterA-ike-keychain-keychain1] pre-shared-key address 12.1.1.1 255.255.255.0 key simple 123456     # Pre-shared key for the peer 12.1.1.1, entered in plaintext (simple). 123456 is a placeholder; use a long random key in production. The /24 mask accepts any peer in 12.1.1.0/24; use 255.255.255.255 to pin the key to this one peer.
[RouterA-ike-keychain-keychain1] quit

[RouterA] ike proposal 10                # Create IKE proposal 10. Pre-shared-key authentication is the default authentication method.
[RouterA-ike-proposal-10] encryption-algorithm 3des-cbc    # Phase 1 parameters must match crypto isakmp policy 10 on the Cisco side: 3DES, MD5, DH group 2.
[RouterA-ike-proposal-10] dh group2
[RouterA-ike-proposal-10] authentication-algorithm md5
[RouterA-ike-proposal-10] quit

[RouterA] ike profile profile1              # Create the IKE profile profile1. It references no proposal explicitly, so the IKE proposals configured in system view (proposal 10 above) are used; add "proposal 10" here to pin it.
[RouterA-ike-profile-profile1] keychain keychain1          # Authenticate with the pre-shared key from keychain1.
[RouterA-ike-profile-profile1] match remote identity address 12.1.1.1 255.255.255.0    # Select this profile for peers whose IKE identity is an address in 12.1.1.0/24.
[RouterA-ike-profile-profile1] quit

[RouterA] ipsec policy map1 10 isakmp            # Create the IKE-negotiated IPsec policy map1, sequence number 10.
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101          # Protect the traffic matched by ACL 3101.
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1         # Use transform set tran1.
[RouterA-ipsec-policy-isakmp-map1-10] local-address 23.1.1.3    # Local tunnel endpoint 23.1.1.3, remote tunnel endpoint 12.1.1.1.
[RouterA-ipsec-policy-isakmp-map1-10] remote-address 12.1.1.1
[RouterA-ipsec-policy-isakmp-map1-10] ike-profile profile1      # Negotiate with IKE profile profile1.
[RouterA-ipsec-policy-isakmp-map1-10] quit

[RouterA] interface gigabitethernet 1/0/2       # Apply policy map1 on GigabitEthernet1/0/2, the interface that holds the local tunnel endpoint address.
[RouterA-GigabitEthernet1/0/2] ip address 23.1.1.3 255.255.255.0
[RouterA-GigabitEthernet1/0/2] ipsec apply policy map1
[RouterA-GigabitEthernet1/0/2] quit

Cisco configuration

crypto isakmp policy 10        // phase 1 must mirror ike proposal 10 on the H3C side: 3DES, MD5, pre-shared key, DH group 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 123456 address 23.1.1.3 255.255.255.0     // key 123456 for peer 23.1.1.3. "0" marks a plaintext key; the posted "6" would expect an already type-6 encrypted string. The /24 mask matches any peer in 23.1.1.0/24; omit it to default to a single host.

crypto ipsec transform-set tran1 esp-3des esp-md5-hmac      // the transform set needs a name; tran1 is chosen here to match the H3C side
 mode tunnel

crypto map map1 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set tran1
 set pfs group2                // matches pfs dh-group2 in the H3C transform set
 match address 110

access-list 110 permit ip 192.168.1.0 0.0.0.255 3.3.3.0 0.0.0.255     // exact mirror of H3C ACL 3101. The posted "host 3.3.3.3" covers one address only and does not match the /24 selector on the other end.

interface GigabitEthernet0/1
 ip address 12.1.1.1 255.255.255.0
 crypto map map1               // apply the crypto map on the interface that faces the peer
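Before committing either side it pays to check the two fragments against each other mechanically, because interop failures of this kind are almost always one parameter that does not match: a phase 1 algorithm, a PFS group configured on one end only, or traffic selectors that are not exact mirror images. The Python script below is an added example written for this page, not code from the original post or from either vendor. It embeds constructed copies of the two fragments (with the Cisco transform set named tran1 and the key typed 0 so that they parse), normalises the vendor spellings (3des-cbc versus esp-3des, dh-group2 versus group 2) and lists the mismatches. On the configuration as posted it flags the missing PFS group on the Cisco crypto map and the non-mirrored ACL 110, and it reports nothing once those two lines are corrected.

```python
"""Cross-check the H3C and Cisco fragments on this page for the IKEv1 mismatches that break the
tunnel. Added example, not part of the original page; the configs below are constructed copies of
the posted lines (Cisco transform set named tran1, key typed 0) so that they parse completely."""
import ipaddress
import re
# Constructed input: the parameter-bearing H3C lines as posted (prompts kept, comments dropped).
H3C_CFG = """
[RouterA-acl-ipv4-adv-3101] rule permit ip source 3.3.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm 3des-cbc
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm md5
[RouterA-ipsec-transform-set-tran1] pfs dh-group2
[RouterA-ike-keychain-keychain1] pre-shared-key address 12.1.1.1 255.255.255.0 key simple 123456
[RouterA-ike-proposal-10] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-10] dh group2
[RouterA-ike-proposal-10] authentication-algorithm md5
[RouterA-ipsec-policy-isakmp-map1-10] local-address 23.1.1.3
[RouterA-ipsec-policy-isakmp-map1-10] remote-address 12.1.1.1
"""
# Constructed input: the Cisco side as posted, before the mirrored-ACL and PFS fixes.
CISCO_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key 0 123456 address 23.1.1.3 255.255.255.0
crypto ipsec transform-set tran1 esp-3des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
 set peer 23.1.1.3
 match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 3.3.3.3
interface GigabitEthernet0/1
 ip address 12.1.1.1 255.255.255.0
"""
# The same Cisco side with the two interop fixes applied.
CISCO_CFG_FIXED = CISCO_CFG.replace(
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 host 3.3.3.3",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 3.3.3.0 0.0.0.255",
).replace(" match address 110", " set pfs group2\n match address 110")

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips "[RouterA-...] " prompts

def net(addr, mask=None):  # mask may be a netmask or a wildcard; ipaddress accepts either
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def alg(name):  # esp-3des / 3des-cbc -> 3des, esp-md5-hmac / md5 -> md5
    for junk in ("esp-", "-cbc", "-hmac"):
        name = name.lower().replace(junk, "")
    return name

# (regex, extractor) rules; each extractor returns the dict of fields found on that line.
# DH groups are reduced to their number: group2 / dh-group2 / 2 -> "2".
H3C_RULES = [
    (r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)",
     lambda m: {"selectors": [(net(m[1], m[2]), net(m[3], m[4]))]}),
    (r"esp encryption-algorithm (\S+)", lambda m: {"esp_enc": alg(m[1])}),
    (r"esp authentication-algorithm (\S+)", lambda m: {"esp_auth": alg(m[1])}),
    (r"pfs (\S+)", lambda m: {"pfs": re.sub(r"\D", "", m[1])}),
    (r"pre-shared-key address \S+ \S+ key simple (\S+)", lambda m: {"psk": m[1]}),
    (r"encryption-algorithm (\S+)", lambda m: {"ike_enc": alg(m[1])}),
    (r"authentication-algorithm (\S+)", lambda m: {"ike_hash": alg(m[1])}),
    (r"dh (\S+)", lambda m: {"ike_group": re.sub(r"\D", "", m[1])}),
    (r"(local|remote)-address (\S+)", lambda m: {m[1]: m[2]}),
]
CISCO_RULES = [
    (r"encr(?:yption)? (\S+)", lambda m: {"ike_enc": alg(m[1])}),
    (r"hash (\S+)", lambda m: {"ike_hash": alg(m[1])}),
    (r"group (\S+)", lambda m: {"ike_group": re.sub(r"\D", "", m[1])}),
    # a type-6 key is stored encrypted and cannot be compared, so it is recorded as None
    (r"crypto isakmp key (?:([06]) )?(\S+) address", lambda m: {"psk": None if m[1] == "6" else m[2]}),
    (r"crypto ipsec transform-set \S+ (\S+) (\S+)", lambda m: {"esp_enc": alg(m[1]), "esp_auth": alg(m[2])}),
    (r"set peer (\S+)", lambda m: {"remote": m[1]}),
    (r"set pfs (\S+)", lambda m: {"pfs": re.sub(r"\D", "", m[1])}),
    (r"ip address (\S+)", lambda m: {"local": m[1]}),
    (r"access-list \d+ permit ip (?:host (\S+)|(\S+) (\S+)) (?:host (\S+)|(\S+) (\S+))",
     lambda m: {"selectors": [(net(m[1]) if m[1] else net(m[2], m[3]), net(m[4]) if m[4] else net(m[5], m[6]))]}),
]
# Fields that must agree; the endpoints cross over (the H3C remote is the Cisco local and vice versa).
PAIRS = [(k, k) for k in ("ike_enc", "ike_hash", "ike_group", "esp_enc", "esp_auth", "pfs")] + [("local", "remote"), ("remote", "local")]

def parse(cfg, rules):
    """Apply the first matching rule to each line; selectors accumulate, other fields overwrite."""
    p = {"selectors": []}
    for raw in cfg.splitlines():
        line = PROMPT.sub("", raw).strip()
        for pat, extract in rules:
            if m := re.match(pat, line):
                for k, v in extract(m).items():
                    p[k] = p[k] + v if k == "selectors" else v
                break
    return p

def compare(h3c, cisco):
    """Return the list of mismatches between the two sides; an empty list means they agree."""
    out = [f"{hk}: H3C {h3c.get(hk)} vs Cisco {ck} {cisco.get(ck)}" for hk, ck in PAIRS if h3c.get(hk) != cisco.get(ck)]
    if cisco.get("psk") is not None and h3c.get("psk") != cisco["psk"]:
        out.append("pre-shared keys differ")
    mirrored = {(dst, src) for src, dst in cisco["selectors"]}  # the Cisco ACL seen from the H3C side
    out += [f"selector {s} -> {d} has no mirror image in the Cisco ACL" for s, d in h3c["selectors"] if (s, d) not in mirrored]
    return out

if __name__ == "__main__":
    for label, cfg in (("as posted", CISCO_CFG), ("after fixes", CISCO_CFG_FIXED)):
        print(label, "->", compare(parse(H3C_CFG, H3C_RULES), parse(cfg, CISCO_RULES)) or ["OK"])
```

Run it as a script to see both results side by side, and extend the two rule tables with the spellings your own platforms use (for example aes-cbc-128 against esp-aes). It is a configuration linter only; the live state is still read with display ike sa and display ipsec sa on the H3C side and show crypto isakmp sa and show crypto ipsec sa on the Cisco side.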
