Huawei AR router / USG firewall: point-to-multipoint IPsec VPN configuration

Published: 2019-01-10
Headquarters router 1
acl number 3000  =NAT ACL: deny both VPN flows before the permit rule
 rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001  =VPN ACL to branch router 1
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
acl number 3002  =VPN ACL to branch router 2 (each policy entry needs its own ACL; the first entry whose ACL matches wins)
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
ipsec proposal aa
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-cbc-128
ike peer aa v1  =to branch router 1
 pre-shared-key cipher admin123
 ike-proposal 1
 dpd type periodic
 dpd idle-time 10
 remote-address 202.10.1.2
ike peer bb v1  =to branch router 2
 pre-shared-key cipher admin123
 ike-proposal 1
 dpd type periodic
 dpd idle-time 10
 remote-address 202.10.2.2
ipsec policy ipsec-vpn 10 isakmp  =to branch router 1
 security acl 3001
 ike-peer aa
 proposal aa
ipsec policy ipsec-vpn 20 isakmp  =to branch router 2 (same policy group ipsec-vpn; only that group is applied on GigabitEthernet 0/0)
 security acl 3002
 ike-peer bb
 proposal aa
interface GigabitEthernet 0/0
 ip address 203.10.1.2 255.255.255.0
 ipsec policy ipsec-vpn
 nat outbound 3000
interface GigabitEthernet 0/1
 ip address 10.10.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
return
Branch router 1
acl number 3000  =NAT ACL
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 permit ip source 10.10.10.0 0.0.0.255
acl number 3001  =VPN ACL
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
ipsec proposal  aa
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal  1
 encryption-algorithm aes-cbc-128
ike peer  aa v1
 pre-shared-key cipher admin123
 ike-proposal  1
 dpd type periodic
 dpd idle-time 10
 remote-address 203.10.1.2
ipsec policy ipsec-vpn 1 isakmp
 security acl 3001
 ike-peer  aa
 proposal  aa
interface GigabitEthernet 0/0
 ip address 202.10.1.2 255.255.255.0
 ipsec policy ipsec-vpn
 nat outbound 3000
interface GigabitEthernet 0/1
 ip address 10.10.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
return
Branch router 2
Same configuration as branch router 1 except for the public IP address; it is omitted here.
Headquarters router configuration
[V200R007C00SPC900]
acl name nat 3000
 rule  5 deny ip source 192.168.0.0  0.0.255.255 destination 10.0.0.0  0.0.255.255
 rule 10 permit ip
acl number 3998
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0  0.0.255.255
acl number 3999
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.0.0.0  0.0.255.255
ipsec proposal  ipsec1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-192
ipsec proposal  ipsec2
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm aes-cbc-192
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
ike proposal 2
 encryption-algorithm des-cbc
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
ike peer  ipsec1 v1
 exchange-mode aggressive
 pre-shared-key cipher admin123
 ike-proposal 1
 remote-address 116.62.16.200
ike peer  ipsec2 v1
 exchange-mode aggressive
 pre-shared-key cipher admin123
 ike-proposal 2
 nat traversal
 remote-address 120.26.9.191
ipsec policy  ipsec 1 isakmp
 security acl 3999
 ike-peer  ipsec1
 proposal  ipsec1
ipsec policy  ipsec 2 isakmp
 security acl 3998
 ike-peer  ipsec2
 proposal  ipsec2
interface GigabitEthernet0/0/0
 ip address 202.127.114.250 255.255.255.248
 nat outbound 3000
 ipsec policy  ipsec
interface GigabitEthernet0/0/1
 ip address 192.168.200.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 202.127.114.249
ip route-static 192.168.0.0 255.255.0.0 192.168.200.2
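Both headquarters configurations above stand or fall on the same cross-references: every `ike-proposal`, `ike-peer`, `proposal` and `security acl` must name something that is defined, every policy entry has to sit in the one policy group the outgoing interface applies, two entries in a group must not match the same flows (entries are tried in sequence order and the first matching ACL wins), and the NAT ACL must deny each flow the VPN ACL protects before its permit rule, or outbound NAT rewrites the source address and the packet never matches the IPsec policy. The linter below is an added example, not part of the original post and not a Huawei tool: it parses the indented VRP-style text used on this page (text after `=` is treated as an annotation), checks those references and the NAT-exemption ordering, and flags settings the second headquarters configuration uses, such as `des-cbc`, `3des`, `sha1`, `dh group2` and aggressive mode. The configuration inside `SAMPLE` is constructed for the example and deliberately contains three mistakes.

```python
import re
from collections import defaultdict

# Algorithms and modes a reviewer would flag in an IKE/IPsec design today.
WEAK_SETTINGS = {"des-cbc", "3des", "sha1", "md5", "group1", "group2", "aggressive"}

def parse_blocks(text):
    """(header, [sub-commands]): a column-0 command owns the indented lines below it; text after '=' is an annotation."""
    blocks = []
    for line in (raw.split("=", 1)[0].rstrip() for raw in text.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(" ".join(line.split()))
        elif line.strip():
            blocks.append((" ".join(line.split()), []))
    return blocks

def acl_rules(subs):
    """[(seq, action, match_text)] from 'rule N permit|deny ip ...' lines."""
    found = [re.match(r"rule (\d+) (permit|deny) ip ?(.*)", s) for s in subs]
    return [(int(m[1]), m[2], m[3]) for m in found if m]

def check_nat_exemption(nat_rules, vpn_rules, nat_id, vpn_id):
    """A flow the VPN ACL protects must hit a NAT deny before any permit, or NAT rewrites it first."""
    out, first_permit = [], min((s for s, a, _ in nat_rules if a == "permit"), default=None)
    for _, action, match in vpn_rules:
        denies = [s for s, a, m in nat_rules if a == "deny" and m == match]
        if action == "permit" and not denies:
            out.append(f"NAT acl {nat_id} does not exempt VPN flow '{match}' (acl {vpn_id})")
        elif action == "permit" and first_permit is not None and min(denies) > first_permit:
            out.append(f"NAT acl {nat_id} exempts '{match}' only after permit rule {first_permit}")
    return out

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, defined, applied, nat_acls, vpn_acls, ike_peers, acls, groups = [], defaultdict(set), set(), set(), set(), {}, {}, defaultdict(list)
    for header, subs in parse_blocks(text):
        t = header.split()
        if t[:2] in (["ike", "proposal"], ["ipsec", "proposal"]):
            defined[t[0]].add(t[2])
        elif t[:2] == ["ike", "peer"]:
            ike_peers[t[2]] = subs
        elif t[:2] == ["ipsec", "policy"]:
            groups[t[2]].append((t[3], subs))  # policy group name -> [(seq, sub-commands)]
        elif t[0] == "acl":  # 'acl number N' or 'acl name X N': the number is last
            acls[t[-1]] = acl_rules(subs)
        elif t[0] == "interface":
            applied |= {s.split()[2] for s in subs if s.startswith("ipsec policy ")}
            nat_acls |= {s.split()[2] for s in subs if s.startswith("nat outbound ")}
        findings += [f"weak setting '{w}' under '{header}'" for s in [header] + subs for w in s.split() if w in WEAK_SETTINGS]
    for name, subs in ike_peers.items():
        for w in (s.split() for s in subs):
            if w[0] == "ike-proposal" and w[1] not in defined["ike"]:
                findings.append(f"ike peer '{name}' references undefined ike proposal {w[1]}")
    for gname, entries in groups.items():
        if gname not in applied:  # an entry typed into a second group name is never used
            findings.append(f"ipsec policy group '{gname}' is not applied to any interface")
        refs = {"ike-peer": ike_peers, "proposal": defined["ipsec"], "security": acls}
        seen = {}  # ACL contents -> first entry using them (first matching entry wins)
        for seq, subs in entries:
            for w in (s.split() for s in subs):
                if w[0] in refs and w[-1] not in refs[w[0]]:
                    findings.append(f"policy {gname} {seq}: undefined {' '.join(w)}")
                elif w[0] == "security":
                    key = tuple(acls[w[-1]])
                    if key in seen:
                        findings.append(f"policy {gname} {seq}: acl {w[-1]} covers the same flows as entry {seen[key]}, so entry {seq} never matches")
                    seen.setdefault(key, seq)
                    vpn_acls.add(w[-1])
    for vpn_id in sorted(vpn_acls):
        for nat_id in sorted(nat_acls & set(acls)):
            findings += check_nat_exemption(acls[nat_id], acls[vpn_id], nat_id, vpn_id)
    return findings

# Constructed sample (not from the post) with three planted mistakes: a policy entry in a second group, a peer naming an undefined IKE proposal, and a VPN flow the NAT ACL never denies.
SAMPLE = """\
acl number 3000  =NAT
 rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001  =VPN to branch 1
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
acl number 3002  =VPN to branch 2
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
ipsec proposal aa
ike proposal 1
ike peer aa v1
 ike-proposal 1
ike peer bb v1
 ike-proposal 3
ipsec policy ipsec-vpn 10 isakmp
 security acl 3001
 ike-peer aa
 proposal aa
ipsec policy ipsec 20 isakmp
 security acl 3002
 ike-peer bb
 proposal aa
interface GigabitEthernet 0/0
 ipsec policy ipsec-vpn
 nat outbound 3000
"""
```

`lint(SAMPLE)` returns three findings (the undefined IKE proposal, the unapplied policy group `ipsec`, and the flow to 10.10.20.0/24 that NAT ACL 3000 never denies) and an empty list once those three are corrected. The NAT comparison is textual: it expects the NAT deny to repeat the VPN permit's source and destination wildcard text exactly, which is the pattern the ACL pairs on this page follow; a broader deny that covers the flow as a supernet would be reported as missing. The shadowing check compares ACL rule contents rather than numbers, so two entries whose ACLs permit identical flows under different numbers are reported as well.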