H3C IPsec Configuration Guide

Full-mesh IPsec between four H3C routers (RAAA, RBBA, RCCA, RDDA). Each router carries one IKE proposal, a keychain with a pre-shared key for each of the other three peers, an IKE profile matching those peers, one ESP tunnel-mode transform set, an ACL selecting its LAN-to-remote-LAN traffic, and one IKE-negotiated IPsec policy applied to its WAN interface.

RAAA:

ip route-static 0.0.0.0 0 200.XX.1.2  //default route to the WAN next hop
ike proposal 1
encryption-algorithm 3des-cbc  //3des-cbc as on the page; prefer AES where both peers support it
authentication-algorithm sha256
quit
ike keychain 1
pre-shared-key address 200.XX.2.1 key simple 123  //simple stores the key in cleartext; 123 is a lab placeholder
pre-shared-key address 200.XX.3.1 key simple 123
pre-shared-key address 200.XX.4.1 key simple 123
quit
ike profile 1
local-identity address 200.XX.1.1  //local IP address
proposal 1  //reference IKE proposal 1
keychain 1  //reference keychain 1
match remote identity address 200.XX.2.1  //peer IP
match remote identity address 200.XX.3.1  //peer IP
match remote identity address 200.XX.4.1  //peer IP
quit
ipsec transform-set 1  //create IPsec transform set 1
encapsulation-mode tunnel  //tunnel encapsulation mode
protocol esp  //security protocol ESP
esp authentication-algorithm sha256  //ESP authentication algorithm
esp encryption-algorithm 3des-cbc  //ESP encryption algorithm
quit
acl advanced 3000  //interesting traffic: local LAN to each remote LAN
rule 0 permit ip source 192.XX.20.0 0.0.0.255 destination 192.XX.22.0 0.0.0.255
rule 5 permit ip source 192.XX.20.0 0.0.0.255 destination 192.XX.32.0 0.0.0.255
rule 10 permit ip source 192.XX.20.0 0.0.0.255 destination 192.XX.42.0 0.0.0.255
quit
ipsec policy 1 10 isakmp  //create an IKE-negotiated IPsec policy and enter policy view
security acl 3000
ike-profile 1
transform-set 1
remote-address 200.XX.2.1
remote-address 200.XX.3.1
remote-address 200.XX.4.1
quit
interface GigabitEthernet 0/2
undo nat outbound 2000  //remove outbound NAT (ACL 2000) from the WAN interface so ACL 3000 traffic is not translated before IPsec
ipsec apply policy 1

RBBA:

ip route-static 0.0.0.0 0 200.XX.2.2  //default route to the WAN next hop
ike proposal 2
encryption-algorithm 3des-cbc
authentication-algorithm sha256
quit
ike keychain 2
pre-shared-key address 200.XX.1.1 key simple 123
pre-shared-key address 200.XX.3.1 key simple 123
pre-shared-key address 200.XX.4.1 key simple 123
quit
ike profile 2
local-identity address 200.XX.2.1  //local IP address
proposal 2  //reference IKE proposal 2
keychain 2  //reference keychain 2
match remote identity address 200.XX.1.1  //peer IP
match remote identity address 200.XX.3.1  //peer IP
match remote identity address 200.XX.4.1  //peer IP
quit
ipsec transform-set 2  //create IPsec transform set 2
encapsulation-mode tunnel  //tunnel encapsulation mode
protocol esp  //security protocol ESP
esp authentication-algorithm sha256  //ESP authentication algorithm
esp encryption-algorithm 3des-cbc  //ESP encryption algorithm
quit
acl advanced 3000  //interesting traffic: local LAN to each remote LAN
rule 0 permit ip source 192.XX.22.0 0.0.0.255 destination 192.XX.20.0 0.0.0.255
rule 5 permit ip source 192.XX.22.0 0.0.0.255 destination 192.XX.32.0 0.0.0.255
rule 10 permit ip source 192.XX.22.0 0.0.0.255 destination 192.XX.42.0 0.0.0.255
quit
ipsec policy 2 10 isakmp  //create an IKE-negotiated IPsec policy and enter policy view
security acl 3000
ike-profile 2
transform-set 2
remote-address 200.XX.1.1
remote-address 200.XX.3.1
remote-address 200.XX.4.1
quit
interface GigabitEthernet 0/2
undo nat outbound 2000  //remove outbound NAT from the WAN interface so VPN traffic keeps its private source address
ipsec apply policy 2

RCCA:

ip route-static 0.0.0.0 0 200.XX.3.2  //default route to the WAN next hop
ike proposal 3
encryption-algorithm 3des-cbc
authentication-algorithm sha256
quit
ike keychain 3
pre-shared-key address 200.XX.1.1 key simple 123
pre-shared-key address 200.XX.2.1 key simple 123
pre-shared-key address 200.XX.4.1 key simple 123
quit
ike profile 3
local-identity address 200.XX.3.1  //local IP address
proposal 3  //reference IKE proposal 3
keychain 3  //reference keychain 3
match remote identity address 200.XX.1.1  //peer IP
match remote identity address 200.XX.2.1  //peer IP
match remote identity address 200.XX.4.1  //peer IP
quit
ipsec transform-set 3  //create IPsec transform set 3
encapsulation-mode tunnel  //tunnel encapsulation mode
protocol esp  //security protocol ESP
esp authentication-algorithm sha256  //ESP authentication algorithm
esp encryption-algorithm 3des-cbc  //ESP encryption algorithm
quit
acl advanced 3000  //interesting traffic: local LAN to each remote LAN
rule 0 permit ip source 192.XX.32.0 0.0.0.255 destination 192.XX.20.0 0.0.0.255
rule 5 permit ip source 192.XX.32.0 0.0.0.255 destination 192.XX.22.0 0.0.0.255
rule 10 permit ip source 192.XX.32.0 0.0.0.255 destination 192.XX.42.0 0.0.0.255
quit
ipsec policy 3 10 isakmp  //create an IKE-negotiated IPsec policy and enter policy view
security acl 3000
ike-profile 3
transform-set 3
remote-address 200.XX.1.1
remote-address 200.XX.2.1
remote-address 200.XX.4.1
quit
interface GigabitEthernet 0/1
undo nat outbound 2000  //remove outbound NAT from the WAN interface so VPN traffic keeps its private source address
ipsec apply policy 3

RDDA:

ip route-static 0.0.0.0 0 200.XX.4.2  //default route to the WAN next hop
ike proposal 4
encryption-algorithm 3des-cbc
authentication-algorithm sha256
quit
ike keychain 4
pre-shared-key address 200.XX.1.1 key simple 123  //key for peer 200.XX.1.1; the keychain must not list this router's own address 200.XX.4.1
pre-shared-key address 200.XX.2.1 key simple 123
pre-shared-key address 200.XX.3.1 key simple 123
quit
ike profile 4
local-identity address 200.XX.4.1  //local IP address
proposal 4  //reference IKE proposal 4
keychain 4  //reference keychain 4
match remote identity address 200.XX.1.1  //peer IP
match remote identity address 200.XX.2.1  //peer IP
match remote identity address 200.XX.3.1  //peer IP
quit
ipsec transform-set 4  //create IPsec transform set 4
encapsulation-mode tunnel  //tunnel encapsulation mode
protocol esp  //security protocol ESP
esp authentication-algorithm sha256  //ESP authentication algorithm
esp encryption-algorithm 3des-cbc  //ESP encryption algorithm
quit
acl advanced 3000  //interesting traffic: local LAN to each remote LAN
rule 0 permit ip source 192.XX.42.0 0.0.0.255 destination 192.XX.20.0 0.0.0.255
rule 5 permit ip source 192.XX.42.0 0.0.0.255 destination 192.XX.22.0 0.0.0.255
rule 10 permit ip source 192.XX.42.0 0.0.0.255 destination 192.XX.32.0 0.0.0.255
quit
ipsec policy 4 10 isakmp  //create an IKE-negotiated IPsec policy and enter policy view
security acl 3000
ike-profile 4
transform-set 4
remote-address 200.XX.1.1
remote-address 200.XX.2.1
remote-address 200.XX.3.1
quit
interface GigabitEthernet 0/2
undo nat outbound 2000  //remove outbound NAT from the WAN interface so VPN traffic keeps its private source address
ipsec apply policy 4
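As an added example, not part of the original post: a small Python checker for the three places a peer address must appear in these H3C configurations (ike keychain pre-shared-key, ike profile match remote identity, ipsec policy remote-address). It reports a peer missing from any one of them, or a router listed as its own peer, which is the copy-paste slip a four-router mesh invites. The sample config is constructed from the RDDA block above with the keychain mistake left in.

```python
import re
# Constructed sample from this page's RDDA block; its keychain names the router's own 200.XX.4.1 where peer 200.XX.1.1 belongs.
RDDA_CONFIG = """
ike keychain 4
pre-shared-key address 200.XX.2.1 key simple 123
pre-shared-key address 200.XX.3.1 key simple 123
pre-shared-key address 200.XX.4.1 key simple 123
ike profile 4
local-identity address 200.XX.4.1 //local IP
match  remote identity address 200.XX.1.1
match  remote identity address 200.XX.2.1
match  remote identity address 200.XX.3.1
ipsec policy 4 10 isakmp
remote-address 200.XX.1.1
remote-address 200.XX.2.1
remote-address 200.XX.3.1
"""

PATTERNS = {  # one regex per place a peer address must appear, plus the local identity
    "local": re.compile(r"^local-identity address (\S+)"),
    "keychain": re.compile(r"^pre-shared-key address (\S+)"),
    "profile": re.compile(r"^match\s+remote identity address (\S+)"),
    "policy": re.compile(r"^remote-address (\S+)"),
}

def parse_peers(config):
    """Return {section: set of addresses} for the four patterns above."""
    found = {name: set() for name in PATTERNS}
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the page-style // annotations
        for name, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                found[name].add(m.group(1))
    return found

def check_mesh_consistency(config):
    """Findings as strings; an empty list means keychain, profile and policy agree."""
    p = parse_peers(config)
    expected = (p["keychain"] | p["profile"] | p["policy"]) - p["local"]
    findings = []
    for section in ("keychain", "profile", "policy"):
        missing = expected - p[section]
        if missing:
            findings.append(f"{section}: missing peer(s) {sorted(missing)}")
        own = p[section] & p["local"]
        if own:
            findings.append(f"{section}: lists local address {sorted(own)} as a peer")
    return findings
```

Run it over each router's block before pushing the configuration; on the box itself, a peer left out of the keychain only shows up later as a failed IKE negotiation with that neighbour.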
Copyright notice: original article on this site, posted by admin on 2024-12-11, 4364 characters.
Reprint notice: unless otherwise stated, articles on this site are published under the CC 4.0 license; please cite the source when reprinting.