参考配置:
https://support.huawei.com/enterprise/zh/doc/EDOC1000010139?section=j00d
https://blog.51cto.com/sunjie123/1742580
主要内容:
IPSec手动模式、USG、隧道模式、ESP封装
FW1
# CLI_VERSION=V300R001
# Last configuration was changed at 2020/02/17 14:19:44 from console0
#*****BEGIN****public****#
#
stp region-configuration
region-name 60e1a215e041
active region-configuration
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
ipsec policy map1 10 manual
security acl 3000
proposal tran1
tunnel local 202.38.163.1
tunnel remote 202.38.169.1
sa spi inbound esp 54321
sa string-key inbound esp %$%$-v5#1[=d)0K2("J.N*I:t,#w%$%$
sa spi outbound esp 12345
sa string-key outbound esp %$%$VCe/VT,L92z}lnRy`)l1tZQH%$%$
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.38.163.1 255.255.255.0
ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$u`NO*pI,w:h]ko~YT0I4s8/&%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.163.2
ip route-static 202.38.169.0 255.255.255.0 202.38.163.2
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname SRG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone local untrust inbound
policy 0
policy 1
action permit
policy source 202.38.169.1 0
policy destination 202.38.163.1 0
#
policy interzone trust untrust inbound
policy 1
action permit
policy source 10.1.2.0 0.0.0.255
policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
policy 1
action permit
#
nat-policy interzone trust untrust outbound
policy 0
action no-nat
policy source 10.1.1.0 0.0.0.255
policy destination 10.1.2.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
#
return
#-----END----#
FW2
# CLI_VERSION=V300R001
# Last configuration was changed at 2020/02/17 14:19:58 from console0
#*****BEGIN****public****#
#
stp region-configuration
region-name 30eca215b04c
active region-configuration
#
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
ipsec policy map1 10 manual
security acl 3000
proposal tran1
tunnel local 202.38.169.1
tunnel remote 202.38.163.1
sa spi inbound esp 12345
sa string-key inbound esp %$%$zc/wOGx70T.01dE+u2.CtSJA%$%$
sa spi outbound esp 54321
sa string-key outbound esp %$%$hGs:OnV~@-lyspEH6@gFtri`%$%$
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.38.169.1 255.255.255.0
ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$)`V/Xz'4Q/O`<1W{:DiOs90'%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.169.2
ip route-static 202.38.163.0 255.255.255.0 202.38.169.2
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname SRG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone local untrust inbound
policy 1
action permit
policy source 202.38.163.1 0
policy destination 202.38.169.1 0
#
policy interzone trust untrust inbound
policy 1
action permit
policy source 10.1.1.0 0.0.0.255
policy destination 10.1.2.0 0.0.0.255
#
policy interzone trust untrust outbound
policy 1
action permit
#
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 10.1.2.0 0.0.0.255
policy destination 10.1.1.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
#
return
#-----END----#
AR1
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
ip address 202.38.163.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.38.169.2 255.255.255.0
#
interface NULL0
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
ip route-static 10.1.2.0 255.255.255.0 202.38.169.1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
来源:51CTO
作者:Alyoyojie
链接:https://blog.51cto.com/antivirusjo/2471661