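IPsec VPN Configuration Guide (Huawei)

First, the end result:

These are the ping packets, and we can see that they are already encrypted. The internal IP has also been replaced by the public egress IP. (It feels a bit like SNAT on a firewall.)

So let's start with the network topology.

The detailed configuration follows. Configure PC1 and PC2 yourself; all that matters is that each can ping its own gateway.

R1 is configured as follows: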

```shell
# ACL selecting the traffic to protect
acl number 3101
 rule 5 permit ip source 10.1.100.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
# IPsec
# No parameters are set in the proposal, so the device defaults apply
ipsec proposal tran1
#
# "simple" keeps the pre-shared key in clear text in the configuration
ike peer spub v1
 pre-shared-key simple huawei
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
interface GigabitEthernet0/0/0
 ip address 10.1.100.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
# Static routes toward the destination networks
ip route-static 192.168.1.0 255.255.255.0 202.138.163.254
ip route-static 202.138.162.0 255.255.255.0 202.138.163.254
```

R3 is configured similarly:

```shell
#
acl number 3101
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.100.0 0.0.0.255
#
ipsec proposal tran1
#
ike peer spua v1
 pre-shared-key simple huawei
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
interface GigabitEthernet0/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
#
# The next hop 202.138.163.254 is not on a network directly connected to R3;
# it is reached through the 202.138.163.0/24 route on the following line
ip route-static 10.1.100.0 255.255.255.0 202.138.163.254
ip route-static 202.138.163.0 255.255.255.0 202.138.162.254
#
```

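I almost forgot R2, so briefly: R2's interfaces are configured as shown in the diagram above. Just give each interface its .254 address, so that R2 serves as the gateway for both R1 and R3, and then configure static routes on R2 to PC1 and PC2. Finally, test connectivity between PC1 and PC2 before configuring IPsec; the two must be able to reach each other first.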
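The R1 and R3 configurations above only form a tunnel if the two ACLs mirror each other, each `remote-address` points at the peer interface that carries the `ipsec policy`, and the pre-shared keys match. The following Python check is an added example, not part of the original post; the helper names `parse` and `check` are hypothetical and the input is excerpted from the configurations on this page.

```python
import re
# Added example. Constructed input: the tunnel-relevant lines of the R1 and R3
# configurations shown above. parse() and check() are hypothetical helper names.
R1 = """acl number 3101
 rule 5 permit ip source 10.1.100.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer spub v1
 pre-shared-key simple huawei
 remote-address 202.138.162.1
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
"""
R3 = """acl number 3101
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.100.0 0.0.0.255
ike peer spua v1
 pre-shared-key simple huawei
 remote-address 202.138.163.1
interface GigabitEthernet0/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def parse(cfg):
    """Extract the values both tunnel ends must agree on."""
    local = None
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        if re.search(r"^\s*ipsec policy \S+\s*$", block, re.M):  # policy applied here
            local = _find(r"ip address (\S+)", block)
    return {"acl": _find(r"permit ip source (\S+ \S+) destination (\S+ \S+)", cfg),
            "psk": _find(r"pre-shared-key (\S+) (\S+)", cfg),
            "remote": _find(r"remote-address (\S+)", cfg), "local": local}

def check(cfg_a, cfg_b):
    """Return the mismatches and weaknesses found in a pair of peer configs."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if not a["acl"] or a["acl"] != (b["acl"] or ())[::-1]:
        issues.append("ACLs are not mirror images")
    if not a["local"] or a["remote"] != b["local"] or b["remote"] != a["local"]:
        issues.append("remote-address does not match the peer's IPsec interface")
    if not a["psk"] or not b["psk"] or a["psk"][1] != b["psk"][1]:
        issues.append("pre-shared keys differ")
    issues += [f"{n}: pre-shared key stored in clear text"
               for n, p in (("A", a), ("B", b)) if p["psk"] and p["psk"][0] == "simple"]
    return issues
```

Calling `check(R1, R3)` on the page's configurations reports no mismatch between the peers, only the clear-text key storage on both routers.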
