IPSec 隧道模式 ESP 封装 USG5500 配置
参考文章:
https://blog.51cto.com/sunjie123/1742580
https://support.huawei.com/enterprise/zh/doc/EDOC1000010139?section=j00d
https://support.huawei.com/enterprise/docinforeader!loadDocument1.action?contentId=DOC1000068086&partNo=10092#dc_fd_fw_0002
USGA
# CLI_VERSION=V300R001
# Last configuration was changed at 2020/02/16 18:43:16 from console0
#*****BEGIN****public****#
#
# USGA: one end of an IKE-negotiated site-to-site IPSec tunnel (ESP).
# Local LAN 192.168.10.0/24 sits behind GigabitEthernet0/0/0 (zone trust);
# the public side is 11.0.0.2 on GigabitEthernet0/0/1 (zone untrust) and the
# remote peer is 12.0.0.2 (USGB). Lines beginning with '#' are comment /
# separator lines in this file format (as with the version header above);
# they are used here as review notes and the configuration lines themselves
# are unchanged.
#
stp region-configuration
region-name 10e2b2159042
active region-configuration
#
# ACL 3000 selects the traffic to be protected: LAN-to-LAN between the two
# sites. It mirrors the peer's ACL on USGB (192.168.20.0/24 -> 192.168.10.0/24)
# so that both ends negotiate symmetric selectors.
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
# IKE (phase 1) proposal. Only the DH group and the integrity algorithm are
# set; no encryption-algorithm or authentication-method line is present, so
# the platform defaults apply -- confirm on the device. NOTE(review): dh group2
# is 1024-bit MODP, which current guidance regards as weak; prefer a stronger
# group if both peers support it.
ike proposal 1
dh group2
integrity-algorithm aes-xcbc-96
#
# IKE peer: pre-shared-key authentication towards 12.0.0.2. The key is stored
# in the device's cipher form, so this dump still carries credential material
# and should be handled as sensitive.
ike peer peer-1
pre-shared-key %$%$|Al,DlLXANes,b2.QGi.p<3*%$%$
ike-proposal 1
remote-address 12.0.0.2
#
# IPSec (phase 2) proposal: ESP with SHA1 integrity and AES encryption.
# No encapsulation-mode line, so the default applies (tunnel mode, per the
# page title -- confirm on the device).
ipsec proposal secpro1
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
# ISAKMP (IKE-negotiated) policy binding ACL, peer and proposal; it is
# attached to the public interface GigabitEthernet0/0/1 below.
ipsec policy map 1 isakmp
security acl 3000
ike-peer peer-1
proposal secpro1
#
# GE0/0/0 keeps its management alias but is used here as the LAN (trust)
# interface -- see the zone assignment further down.
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.10.1 255.255.255.0
#
# Public interface. The ipsec policy is applied here, so only traffic that
# leaves through this interface and matches ACL 3000 is encrypted.
interface GigabitEthernet0/0/1
ip address 11.0.0.2 255.255.255.0
ipsec policy map
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
# Zone membership: trust = GE0/0/0 (LAN), untrust = GE0/0/1 (public).
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
# Local admin account at privilege level 15. service-type includes telnet,
# a cleartext protocol; the password is in cipher form (sensitive).
aaa
local-user admin password cipher %$%$&`e3Jsf(O&jM]:Bo)VWHpYPG%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
# Default route towards AR1 (11.0.0.1); this is also the path to the peer.
ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
#
banner enable
#
# NOTE(review): console and VTY lines require no authentication and the VTYs
# accept every inbound protocol. Acceptable only in an isolated lab; on any
# reachable network this grants unauthenticated level-15 access.
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname USGA
#
l2tp domain suffix-separator @
#
# Default interzone filters: local<->trust in both directions, local->untrust
# and local->dmz outbound only. Inbound untrust->local is handled by the
# explicit policy further down.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
# Lets the IKE/ESP peer (12.0.0.2) reach this device's public address. No
# service is specified, so the peer may reach any local service; a tighter
# rule would limit it to IKE (UDP 500/4500) and ESP.
policy interzone local untrust inbound
policy 1
action permit
policy source 12.0.0.2 0
policy destination 11.0.0.2 0
#
# Decrypted tunnel traffic from the remote LAN into the local LAN.
policy interzone trust untrust inbound
policy 1
action permit
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
#
# Outbound from trust is permitted with no source/destination match, i.e.
# everything.
policy interzone trust untrust outbound
policy 1
action permit
#
# NAT ordering matters: tunnel traffic must not be source-NATed, otherwise
# its source would become 11.0.0.2 and no longer match ACL 3000. Policy 1
# (no-nat) is listed before the easy-ip rule in policy 2, which covers the
# remaining Internet-bound traffic. Keep this order.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
#
return
#-----END----#
USGB
# CLI_VERSION=V300R001
# Last configuration was changed at 2020/02/16 19:31:06 from console0
#*****BEGIN****public****#
#
# USGB: the other end of the IKE-negotiated site-to-site IPSec tunnel.
# Local LAN 192.168.20.0/24 sits behind GigabitEthernet0/0/1 (zone trust);
# the public side is 12.0.0.2 on GigabitEthernet0/0/0 (zone untrust) and the
# remote peer is 11.0.0.2 (USGA). Note the interface roles are the reverse
# of USGA: here the MGMT-aliased GE0/0/0 carries the public address and the
# ipsec policy. '#' lines are comment/separator lines in this format and are
# used as review notes; the configuration lines are unchanged.
#
stp region-configuration
region-name e81582044529
active region-configuration
#
# ACL 3000 mirrors USGA's ACL: local LAN -> remote LAN.
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
# IKE (phase 1) proposal, identical to USGA's so that the two sides agree.
# Encryption and authentication method are not shown and fall back to the
# platform defaults -- confirm on the device. NOTE(review): dh group2 is
# 1024-bit MODP, regarded as weak by current guidance.
ike proposal 1
dh group2
integrity-algorithm aes-xcbc-96
#
# IKE peer towards USGA (11.0.0.2), pre-shared key in cipher form (the dump
# therefore contains credential material; treat as sensitive). The local
# names (usg-a, test) differ from USGA's; only the algorithms must match.
ike peer usg-a
pre-shared-key %$%$wrRP5B#K*!awqz<^I].Hp_VM%$%$
ike-proposal 1
remote-address 11.0.0.2
#
# IPSec (phase 2) proposal: ESP, SHA1 integrity, AES encryption -- same
# algorithms as USGA's secpro1. No encapsulation-mode line, so the default
# (tunnel mode per the page title) applies -- confirm on the device.
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
# ISAKMP policy binding ACL, peer and proposal; applied on GE0/0/0 below.
ipsec policy map 1 isakmp
security acl 3000
ike-peer usg-a
proposal test
#
# Public interface (despite the MGMT alias): the ipsec policy is attached
# here, so ACL-3000 traffic leaving this interface is encrypted.
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 12.0.0.2 255.255.255.0
ipsec policy map
#
# LAN (trust) interface.
interface GigabitEthernet0/0/1
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
# Zone membership: trust = GE0/0/1 (LAN), untrust = GE0/0/0 (public).
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
# Level-15 admin account; service-type includes cleartext telnet; password
# stored in cipher form (sensitive).
aaa
local-user admin password cipher %$%$Q*:(3R]KUD>SWQ,h{V,0p/&z%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
# Default route towards AR1 (12.0.0.1); also the path to the peer.
ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
#
banner enable
#
# NOTE(review): no authentication on console or VTY, and all inbound
# protocols are accepted on the VTYs -- lab-only; unauthenticated level-15
# access from any reachable network otherwise.
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname USGB
#
l2tp domain suffix-separator @
#
# Default interzone filters, same as USGA: local<->trust both ways,
# local->untrust and local->dmz outbound only.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
# Lets the IKE/ESP peer (11.0.0.2) reach this device's public address. No
# service is specified, so any local service is reachable from the peer; a
# tighter rule would limit it to IKE (UDP 500/4500) and ESP.
policy interzone local untrust inbound
policy 1
action permit
policy source 11.0.0.2 0
policy destination 12.0.0.2 0
#
# Decrypted tunnel traffic from the remote LAN into the local LAN.
policy interzone trust untrust inbound
policy 1
action permit
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
#
# Outbound from trust is permitted unconditionally.
policy interzone trust untrust outbound
policy 1
action permit
#
# NAT ordering: no-nat for tunnel traffic (policy 1) must precede the easy-ip
# source NAT (policy 2); otherwise the source would be rewritten to 12.0.0.2
# and stop matching ACL 3000.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/0
#
return
#-----END----#
AR1
[V200R003C00]
#
# AR1: the router standing in for the "Internet" between the two firewalls.
# GE0/0/0 (11.0.0.1) faces USGA, GE0/0/1 (12.0.0.1) faces USGB; both USGs
# default-route to it. '#' lines are comment/separator lines in this format
# and are used as review notes; configuration lines are unchanged.
#
# SNMP agent is enabled. No community or SNMPv3 user appears in this excerpt;
# confirm what is actually configured before exposing the device.
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
# Admin account restricted to http service; password in cipher form
# (sensitive).
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
# Link to USGA (11.0.0.2).
interface GigabitEthernet0/0/0
ip address 11.0.0.1 255.255.255.0
#
# Link to USGB (12.0.0.2).
interface GigabitEthernet0/0/1
ip address 12.0.0.1 255.255.255.0
#
interface NULL0
#
# Static routes for each site's LAN prefix via its firewall. Tunnel traffic
# is carried inside ESP between the directly connected 11.0.0.2 and 12.0.0.2,
# so these routes are not needed for the tunnel itself; they only matter if
# LAN traffic reaches AR1 unencrypted -- presumably added for lab
# troubleshooting. Confirm whether they are still required.
ip route-static 192.168.10.0 255.255.255.0 11.0.0.2
ip route-static 192.168.20.0 255.255.255.0 12.0.0.2
#
# Console uses password authentication (no password shown in this excerpt);
# the VTY lines carry no authentication-mode line here, so the platform
# default applies -- confirm before exposing them.
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
来源:51CTO
作者:Alyoyojie
链接:https://blog.51cto.com/antivirusjo/2471503