eNSP模拟器—IPsec配置实验4

北慕城南 提交于 2020-02-25 23:43:52

参考配置:
https://support.huawei.com/enterprise/zh/doc/EDOC1000010139?section=j00d
https://blog.51cto.com/sunjie123/1742580

主要内容:
IPSec手动模式、USG、隧道模式、ESP封装

eNSP模拟器—IPsec配置实验4

FW1

# CLI_VERSION=V300R001

# Last configuration was changed at 2020/02/17 14:19:44 from console0 
#*****BEGIN****public****#
#
stp region-configuration
 region-name 60e1a215e041
 active region-configuration
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map1 10 manual
 security acl 3000
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.169.1
 sa spi inbound esp 54321
 sa string-key inbound esp %$%$-v5#1[=d)0K2("J.N*I:t,#w%$%$
 sa spi outbound esp 12345
 sa string-key outbound esp %$%$VCe/VT,L92z}lnRy`)l1tZQH%$%$
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 10.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.38.163.1 255.255.255.0 
 ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
#
aaa 
 local-user admin password cipher %$%$u`NO*pI,w:h]ko~YT0I4s8/&%$%$
 local-user admin service-type web terminal telnet 
 local-user admin level 15 
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default 
 #
 domain default
 #
#
nqa-jitter tag-version 1

#
 ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 
 ip route-static 202.38.169.0 255.255.255.0 202.38.163.2 
#
 banner enable 
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname SRG
#
 l2tp domain suffix-separator @
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check 
 firewall ipv6 statistic system enable
#
 dns resolve  
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy  
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone local untrust inbound
 policy 0 

 policy 1 
  action permit 
  policy source 202.38.169.1 0
  policy destination 202.38.163.1 0
#
policy interzone trust untrust inbound
 policy 1 
  action permit 
  policy source 10.1.2.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1 
  action permit 
#
nat-policy interzone trust untrust outbound 
 policy 0 
  action no-nat 
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.2.0 0.0.0.255

 policy 2 
  action source-nat 
  easy-ip GigabitEthernet0/0/1
#
return
#-----END----#

FW2

# CLI_VERSION=V300R001

# Last configuration was changed at 2020/02/17 14:19:58 from console0 
#*****BEGIN****public****#
#
stp region-configuration
 region-name 30eca215b04c
 active region-configuration
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map1 10 manual
 security acl 3000
 proposal tran1
 tunnel local 202.38.169.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp %$%$zc/wOGx70T.01dE+u2.CtSJA%$%$
 sa spi outbound esp 54321
 sa string-key outbound esp %$%$hGs:OnV~@-lyspEH6@gFtri`%$%$
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 10.1.2.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.38.169.1 255.255.255.0 
 ipsec policy map1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
#
aaa 
 local-user admin password cipher %$%$)`V/Xz'4Q/O`<1W{:DiOs90'%$%$
 local-user admin service-type web terminal telnet 
 local-user admin level 15 
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default 
 #
 domain default
 #
#
nqa-jitter tag-version 1

#
 ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 
 ip route-static 202.38.163.0 255.255.255.0 202.38.169.2 
#
 banner enable 
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname SRG
#
 l2tp domain suffix-separator @
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check 
 firewall ipv6 statistic system enable
#
 dns resolve  
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy  
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone local untrust inbound
 policy 1 
  action permit 
  policy source 202.38.163.1 0
  policy destination 202.38.169.1 0
#
policy interzone trust untrust inbound
 policy 1 
  action permit 
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.2.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1 
  action permit 
#
nat-policy interzone trust untrust outbound 
 policy 1 
  action no-nat 
  policy source 10.1.2.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255

 policy 2 
  action source-nat 
  easy-ip GigabitEthernet0/0/1
#
return
#-----END----#

AR1


[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
 ip address 202.38.163.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.38.169.2 255.255.255.0 
#
interface NULL0
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
ip route-static 10.1.2.0 255.255.255.0 202.38.169.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!