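Configuring IPSec VPN on H3C Devices

Achieving full network connectivity

Now start configuring the IPSec VPN

H3C enterprise VPN solution

As its business expanded, a medical device company set up a branch office in Shenzhen. The company's data services are all handled centrally by the head office, so data security is especially important. H3C proposed a VPN solution: the head office and the branch deploy H3C MSR50 and MSR30 routers and configure an IPSec VPN to secure data in transit.

[BJ] (the device should have been named first)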

The device is running!

############

<Huawei>

Mar 29 2014 15:25:48-05:13 Huawei %%01IFPDT/4/IF_STATE(l)[1]:Interface GigabitEthernet0/0/1 has turned into UP state.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0                                        //g stands for Gigabit Ethernet

[Huawei-GigabitEthernet0/0/0]ip add

[Huawei-GigabitEthernet0/0/0]ip address 10.1.1.1 255.0.0.0

[Huawei-GigabitEthernet0/0/0]

Mar 29 2014 15:26:26-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.

[Huawei-GigabitEthernet0/0/0]undo shut

Info: Interface GigabitEthernet0/0/0 is not shutdown.

[Huawei-GigabitEthernet0/0/0]qui

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add

[Huawei-GigabitEthernet0/0/1]ip address 20.1.1.1 255.0.0.0   //IP

[Huawei-GigabitEthernet0/0/1]

Mar 29 2014 15:26:47-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.

[Huawei-GigabitEthernet0/0/1]undo shut

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]qui

[Huawei]rip

[Huawei-rip-1]net

[Huawei-rip-1]network 10.0.0.0                             //RIP dynamic routing

[Huawei-rip-1]net

[Huawei-rip-1]network 20.0.0.0

[Huawei-rip-1]qui

[Huawei]qui

<Huawei>sa

<Huawei>save //with the configuration up to this point the whole network is reachable and ping works, but remote access does not

The current configuration will be written to the device.

Are you sure to continue? (y/n)[n]:y

It will take several minutes to save configuration file, please wait.......

Configuration file had been saved successfully

Note: The configuration file will take effect after being activated

<Huawei>

Please check whether system data has been changed, and save data in time

Configuration console time out, please press any key to log on

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]

[Huawei]ac

[Huawei]acl nu

[Huawei]acl number 3000                                            //ACL

[Huawei-acl-adv-3000]ru

[Huawei-acl-adv-3000]rule per

[Huawei-acl-adv-3000]rule permit ip sou

[Huawei-acl-adv-3000]rule permit ip source 10.0.0.0 0.255.255.255 dde

[Huawei-acl-adv-3000]rule permit ip source 10.0.0.0 0.255.255.255 de

[Huawei-acl-adv-3000]rule permit ip source 10.0.0.0 0.255.255.255 destination 40.0.0.0 0.255.255.255

[Huawei-acl-adv-3000]ru

[Huawei-acl-adv-3000]rule de

[Huawei-acl-adv-3000]rule deny ip sou

[Huawei-acl-adv-3000]rule deny ip source an

[Huawei-acl-adv-3000]rule deny ip source any dde

[Huawei-acl-adv-3000]rule deny ip source any de

[Huawei-acl-adv-3000]rule deny ip source any destination an

[Huawei-acl-adv-3000]rule deny ip source any destination any

[Huawei-acl-adv-3000]qui

[Huawei]

[Huawei]ips

[Huawei]ipsec prop

[Huawei]ipsec proposal tran

[Huawei]ipsec proposal transform1        //create an IPSec proposal (transform set) named transform1

[Huawei-ipsec-proposal-transform1]en

[Huawei-ipsec-proposal-transform1]encapsulation-mode tunn

[Huawei-ipsec-proposal-transform1]encapsulation-mode tunnel

//specify tunnel mode

[Huawei-ipsec-proposal-transform1]

[Huawei-ipsec-proposal-transform1]tran

[Huawei-ipsec-proposal-transform1]transform es

[Huawei-ipsec-proposal-transform1]transform esp //use ESP as the security protocol

[Huawei-ipsec-proposal-transform1]es

[Huawei-ipsec-proposal-transform1]esp en

[Huawei-ipsec-proposal-transform1]esp encryption-algorithm de

[Huawei-ipsec-proposal-transform1]esp encryption-algorithm des

//choose the algorithm

[Huawei-ipsec-proposal-transform1]es

[Huawei-ipsec-proposal-transform1]esp au

[Huawei-ipsec-proposal-transform1]esp authentication-algorithm sh

[Huawei-ipsec-proposal-transform1]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-transform1]ik

[Huawei-ipsec-proposal-transform1]ik

[Huawei-ipsec-proposal-transform1]qui

[Huawei]ik

[Huawei]ike pee

[Huawei]ike peer bj v2                                     //configure the IKE peer

[Huawei-ike-peer-bj]pre

[Huawei-ike-peer-bj]pre-shared-key bene

[Huawei-ike-peer-bj]pre-shared-key ci

[Huawei-ike-peer-bj]pre-shared-key cipher benet

[Huawei-ike-peer-bj]rem

[Huawei-ike-peer-bj]remote-address 30.1.1.2

[Huawei-ike-peer-bj]qui

[Huawei]ips

[Huawei]ipsec po

[Huawei]ipsec policy ma

[Huawei]ipsec policy map1 10 is

[Huawei]ipsec policy map1 10 isakmp  //create a security policy negotiated through ISAKMP

[Huawei-ipsec-policy-isakmp-map1-10]se

[Huawei-ipsec-policy-isakmp-map1-10]security ac //reference the access control list

[Huawei-ipsec-policy-isakmp-map1-10]security acl 3000

[Huawei-ipsec-policy-isakmp-map1-10]prop

[Huawei-ipsec-policy-isakmp-map1-10]proposal tran

[Huawei-ipsec-policy-isakmp-map1-10]proposal transform1

//reference the IPSec proposal

[Huawei-ipsec-policy-isakmp-map1-10]ik

[Huawei-ipsec-policy-isakmp-map1-10]ike-peer bj          //reference the IKE peer

[Huawei-ipsec-policy-isakmp-map1-10]qui

[Huawei]

[Huawei]int g0/0/1                                   //apply the IPSec policy on the interface

[Huawei-GigabitEthernet0/0/1]ips

[Huawei-GigabitEthernet0/0/1]ipsec po

[Huawei-GigabitEthernet0/0/1]ipsec policy ma

[Huawei-GigabitEthernet0/0/1]ipsec policy map1

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]qui

[Huawei]qui

<Huawei>sa

<Huawei>save                                                        //save

The current configuration will be written to the device.

Are you sure to continue? (y/n)[n]:y                         //enter y

It will take several minutes to save configuration file, please wait.....

Configuration file had been saved successfully

Note: The configuration file will take effect after being activated

<Huawei>

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]

[Huawei]dis

[Huawei]display ips

[Huawei]display ipsec sa                                //verify the IPSec VPN

===============================

Interface: GigabitEthernet0/0/1

Path MTU: 1500

===============================

-----------------------------

IPSec policy name: "map1"                                         //name

Sequence number  : 10                                            //sequence number

Acl Group        : 3000                                           //ACL group

Acl rule         : 5                    //I know this is the ACL, but I'm not sure exactly what it refers to

Mode             : ISAKMP                                 //VPN mode: ISAKMP

-----------------------------

Connection ID     : 8

Encapsulation mode: Tunnel                                //tunnel mode

Tunnel local      : 20.1.1.1                                //local interface

Tunnel remote     : 30.1.1.2                               //peer interface

Flow source       : 10.0.0.0/255.0.0.0 0/0

Flow destination  : 40.0.0.0/255.0.0.0 0/0

Qos pre-classify  : Disable

[Outbound ESP SAs]

SPI: 1769755811 (0x697c54a3)

Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1

SA remaining key duration (bytes/sec): 1887436800/3570

Max sent sequence-number: 0

UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]

SPI: 26166062 (0x18f432e)

Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1

SA remaining key duration (bytes/sec): 1887436800/3570

Max received sequence-number: 0

Anti-replay window size: 32

UDP encapsulation used for NAT traversal: N

[Huawei]

[Huawei]

[Huawei]sysn

[Huawei]sysname BJ                                          //name the device

[BJ]

[ISP]

The device is running!

################################################################################

##########################################################

<Huawei>

Mar 29 2014 15:25:47-05:13 Huawei %%01IFPDT/4/IF_STATE(l)[0]:Interface GigabitEthernet0/0/0 has turned into UP state.

<Huawei>

Mar 29 2014 15:25:47-05:13 Huawei %%01IFPDT/4/IF_STATE(l)[1]:Interface GigabitEthernet0/0/1 has turned into UP state.

<Huawei>SYS

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip add

[Huawei-GigabitEthernet0/0/0]ip address 20.1.1.2 255.0.0.0

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]

Mar 29 2014 15:30:05-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.

[Huawei-GigabitEthernet0/0/0]undo shut

Info: Interface GigabitEthernet0/0/0 is not shutdown.

[Huawei-GigabitEthernet0/0/0]qui

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add

[Huawei-GigabitEthernet0/0/1]ip address 30.1.1.1 255.0.0.0

[Huawei-GigabitEthernet0/0/1]

Mar 29 2014 15:30:27-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.

[Huawei-GigabitEthernet0/0/1]undo shut

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]rip

[Huawei-rip-1]exi                             //on Huawei the exit command is quit

^

Error: Unrecognized command found at '^' position.

[Huawei-rip-1]qui

[Huawei]

[Huawei]rip

[Huawei-rip-1]net

Error:Incomplete command found at '^' position.

[Huawei-rip-1]

[Huawei-rip-1]net

[Huawei-rip-1]network 20.0.0.0

[Huawei-rip-1]net

[Huawei-rip-1]network 30.0.0.0

[Huawei-rip-1]

[Huawei-rip-1]qui

[Huawei]qui

<Huawei>sa

<Huawei>save

The current configuration will be written to the device.

Are you sure to continue? (y/n)[n]:y

It will take several minutes to save configuration file, please wait.......

Configuration file had been saved successfully

Note: The configuration file will take effect after being activated

<Huawei>

Please check whether system data has been changed, and save data in time

Configuration console time out, please press any key to log on

<Huawei>

Please check whether system data has been changed, and save data in time

Configuration console time out, please press any key to log on

<Huawei>

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysn

[Huawei]sysname ISP

[ISP]

[SH]

The device is running!

######################

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip add

[Huawei-GigabitEthernet0/0/0]ip address 30.1.1.2 255.0.0.0

[Huawei-GigabitEthernet0/0/0]

Mar 29 2014 15:27:42-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.

[Huawei-GigabitEthernet0/0/0]

[Huawei-GigabitEthernet0/0/0]undo shut

Info: Interface GigabitEthernet0/0/0 is not shutdown.

[Huawei-GigabitEthernet0/0/0]qui

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add

[Huawei-GigabitEthernet0/0/1]ip address 40.1.1.1 255.0.0.0

[Huawei-GigabitEthernet0/0/1]

Mar 29 2014 15:27:58-05:13 Huawei %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.

[Huawei-GigabitEthernet0/0/1]und shut

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]undo shut

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]undo shut

[Huawei-GigabitEthernet0/0/1]undo shutdown

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]?

//These are all the commands listed by ?; worth a look, and I couldn't bring myself to delete them

GigabitEthernet0/0/1 interface view commands:

arp                        <Group> arp command group

arp-fake                   ARP fake entry

arp-limit                  Limit the number of learnt ARP

arp-ping                   ARP-ping

arp-proxy                  ARP(Address Resolve Protocol) proxy configuration

command

auto                       Auto negotiates port mode

backup                     Backup  information

bandwidth                  Specify mib-referenced bandwidth of the interface

bridge                     Bridge

clear                      <Group> clear command group

combo-port                 Set combo type

ddns                       DDNS

description                Specify interface description

dhcp                       <Group> dhcp command group

dialer                     Dialer

direct-route               Direct route

discard                    Discard packets

display                    Display information

dlsw                       Specify  DLSW(Data Link Switching) configure

information

duplex                     Configure duplex operation mode

efm                        <Group> efm command group

enable                     Enable function

energy-efficient-ethernet  Energy-efficient-ethernet

eth-trunk                  Add the interface into eth-trunk

flow-control               Configure flow-control operation mode

icmp                       <Group> icmp command group

igmp                       Specify parameters for IGMP

ip                         <Group> ip command group

ipsec                      Specify IPSec(IP Security) configuration

information

ipv6                       <Group> ipv6 command group

isis                       Configure interface parameters for ISIS

llc2                       Specify LLC2(Logical Link Control Class 2)

configure information

lldp                       <Group> lldp command group

load-balance               <Group> load-balance command group

log-threshold              Set log threshold

loopback                   Configure port loopback

mdi                        Set mdi

mirror                     Specify Mirror feature

mpls                       <Group> mpls command group

mtrace                     Trace route to multicast source

mtu                        Specify Maximum Transmission Unit(MTU) of the

interface

multicast                  Multicast information

nat                        Specify NAT(Network Address Translation)

configuration information

negotiation                Set negotiation mode

ntp-service                Specify NTP(Network Time Protocol) configuration

information

ospf                       <Group> ospf command group

ospfv3                     <Group> ospfv3 command group

pim                        Specify interface parameters for PIM

ping                       <Group> ping command group

port                       <Group> port command group

port-down                  Port down

portal                     Portal authentication

pppoe-client               PPPoE Client Settings

pppoe-server               Specify PPPoE(PPP over Ethernet) server

configuration information

qinq                       802.1Q in 802.1Q

qos                        <Group> qos command group

quit                       Exit from current mode and enter prior mode

reset                      <Group> reset command group

restart                    Restart the specified interface

return                     Enter the privileged mode

rip                        <Group> rip command group

ripng                      RIPng (Routing Information Protocol next

generation)

rmon                       Specify RMON configuration

rmon-statistics            Specify RMON statistics

set                        <Group> set command group

shutdown                   Shutdown the specified interface

single-fiber               Configure port single fiber communication

speed                      Configure port speed mode

standby                    Specify interface standby configuration information

static-route               IPv4 static routes

tcp                        Transmission Control Protocol

test-aaa                   Accounts test

tracert                    <Group> tracert command group

traffic-filter             Filter packets based on acl

traffic-policy             Apply specific traffic policy

trap-threshold             <Group> trap-threshold command group

trust                      Specify trust parameters

udp-helper                 UDP Helper

undo                       Negate a command or set its defaults

urpf                       Unicast reverse path forward function

virtual-cable-test         Virtual Cable Test

vrrp                       Specify configuration information about VRRP

vrrp6                      Specify configuration information about VRRP6

web-auth-server            Bind portal server name

zone                       Specify a security zone name

[Huawei-GigabitEthernet0/0/1]

[Huawei-GigabitEthernet0/0/1]qui

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add

[Huawei-GigabitEthernet0/0/1]ip address 40.1.1.1 255.0.0.0

Error: The address already exists.

[Huawei-GigabitEthernet0/0/1]undo shut

Info: Interface GigabitEthernet0/0/1 is not shutdown.

[Huawei-GigabitEthernet0/0/1]qui

[Huawei]rip

[Huawei-rip-1]net

[Huawei-rip-1]network 30.0.0.0

[Huawei-rip-1]

[Huawei-rip-1]net

[Huawei-rip-1]network 40.0.0.0

[Huawei-rip-1]

[Huawei-rip-1]qui

[Huawei]qui

<Huawei>sa

<Huawei>save

The current configuration will be written to the device.

Are you sure to continue? (y/n)[n]:y

It will take several minutes to save configuration file, please wait.......

Configuration file had been saved successfully

Note: The configuration file will take effect after being activated

<Huawei>

Please check whether system data has been changed, and save data in time

Configuration console time out, please press any key to log on

<Huawei>

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]acl nu

[Huawei]acl number 3000

[Huawei-acl-adv-3000]ru

[Huawei-acl-adv-3000]rule per

[Huawei-acl-adv-3000]rule permit

[Huawei-acl-adv-3000]rule permit ip sou

[Huawei-acl-adv-3000]rule permit ip source 40.0.0.0 0.255.255.255 de

[Huawei-acl-adv-3000]rule permit ip source 40.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255

[Huawei-acl-adv-3000]ru

[Huawei-acl-adv-3000]rule de

[Huawei-acl-adv-3000]rule deny ip sou

[Huawei-acl-adv-3000]rule deny ip source an

[Huawei-acl-adv-3000]rule deny ip source any de

[Huawei-acl-adv-3000]rule deny ip source any destination an

[Huawei-acl-adv-3000]rule deny ip source any destination any

[Huawei-acl-adv-3000]qui

[Huawei]

[Huawei]ips

[Huawei]ipsec prop

[Huawei]ipsec proposal tran

[Huawei]ipsec proposal transform1

[Huawei-ipsec-proposal-transform1]

[Huawei-ipsec-proposal-transform1]en

[Huawei-ipsec-proposal-transform1]encapsulation-mode tunn

[Huawei-ipsec-proposal-transform1]encapsulation-mode tunnel

[Huawei-ipsec-proposal-transform1]tran

[Huawei-ipsec-proposal-transform1]transform es

[Huawei-ipsec-proposal-transform1]transform esp

[Huawei-ipsec-proposal-transform1]es

[Huawei-ipsec-proposal-transform1]esp en

[Huawei-ipsec-proposal-transform1]esp encryption-algorithm de

[Huawei-ipsec-proposal-transform1]esp encryption-algorithm des

[Huawei-ipsec-proposal-transform1]es

[Huawei-ipsec-proposal-transform1]esp au

[Huawei-ipsec-proposal-transform1]esp authentication-algorithm sh

[Huawei-ipsec-proposal-transform1]esp authentication-algorithm sha1

[Huawei-ipsec-proposal-transform1]qui

[Huawei]ik

[Huawei]ike pee

[Huawei]ike peer sh

Error: This IKE peer is new, please indicate the mode to finish creating it.

[Huawei]ike peer sh v2

[Huawei-ike-peer-sh]pre

[Huawei-ike-peer-sh]pre-shared-key ci

[Huawei-ike-peer-sh]pre-shared-key cipher benet

[Huawei-ike-peer-sh]

[Huawei-ike-peer-sh]reemo

[Huawei-ike-peer-sh]remo

[Huawei-ike-peer-sh]remote-address 20.1.1.1

[Huawei-ike-peer-sh]qui

[Huawei]ips

[Huawei]ipsec po

[Huawei]ipsec policy map1 10 is

[Huawei]ipsec policy map1 10 isakmp

[Huawei-ipsec-policy-isakmp-map1-10]se

[Huawei-ipsec-policy-isakmp-map1-10]security ac

[Huawei-ipsec-policy-isakmp-map1-10]security acl 3000

[Huawei-ipsec-policy-isakmp-map1-10]

[Huawei-ipsec-policy-isakmp-map1-10]pro

[Huawei-ipsec-policy-isakmp-map1-10]proposal tr

[Huawei-ipsec-policy-isakmp-map1-10]proposal transform1

[Huawei-ipsec-policy-isakmp-map1-10]

[Huawei-ipsec-policy-isakmp-map1-10]ik

[Huawei-ipsec-policy-isakmp-map1-10]ike-peer sh

[Huawei-ipsec-policy-isakmp-map1-10]

[Huawei-ipsec-policy-isakmp-map1-10]qui

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ips

[Huawei-GigabitEthernet0/0/0]ipsec po

[Huawei-GigabitEthernet0/0/0]ipsec policy ma

[Huawei-GigabitEthernet0/0/0]ipsec policy map1

[Huawei-GigabitEthernet0/0/0]qui

[Huawei]qui

<Huawei>sa

<Huawei>save

The current configuration will be written to the device.

Are you sure to continue? (y/n)[n]:y

It will take several minutes to save configuration file, please wait......

Configuration file had been saved successfully

Note: The configuration file will take effect after being activated

<Huawei>dis

<Huawei>display ips

<Huawei>display ipsec sa

===============================

Interface: GigabitEthernet0/0/0

Path MTU: 1500

===============================

-----------------------------

IPSec policy name: "map1"

Sequence number  : 10

Acl Group        : 3000

Acl rule         : 5

Mode             : ISAKMP

-----------------------------

Connection ID     : 2

Encapsulation mode: Tunnel

Tunnel local      : 30.1.1.2

Tunnel remote     : 20.1.1.1

Flow source       : 40.0.0.0/255.0.0.0 0/0

Flow destination  : 10.0.0.0/255.0.0.0 0/0

Qos pre-classify  : Disable

[Outbound ESP SAs]

SPI: 26166062 (0x18f432e)

Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1

SA remaining key duration (bytes/sec): 1887436800/3556

Max sent sequence-number: 0

UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]

SPI: 1769755811 (0x697c54a3)

Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1

SA remaining key duration (bytes/sec): 1887436800/3556

Max received sequence-number: 0

Anti-replay window size: 32

UDP encapsulation used for NAT traversal: N

<Huawei>

<Huawei>

<Huawei>

<Huawei>sya

Error: Unrecognized command found at '^' position.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysna

[Huawei]sysname SH

[SH]
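
An added example, not part of the original post: a Python check over excerpts of the two `display ipsec sa` outputs above. It confirms that the tunnel endpoints, protected flows and SPIs on BJ and SH mirror each other, and flags the DES and SHA1 transforms that the proposal negotiated. The function names and the WEAK list are this example's own assumptions.

```python
import re

# Excerpts of the two `display ipsec sa` outputs shown on this page.
BJ_SA = """\
Tunnel local      : 20.1.1.1
Tunnel remote     : 30.1.1.2
Flow source       : 10.0.0.0/255.0.0.0 0/0
Flow destination  : 40.0.0.0/255.0.0.0 0/0
[Outbound ESP SAs]
SPI: 1769755811 (0x697c54a3)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
[Inbound ESP SAs]
SPI: 26166062 (0x18f432e)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
"""
SH_SA = """\
Tunnel local      : 30.1.1.2
Tunnel remote     : 20.1.1.1
Flow source       : 40.0.0.0/255.0.0.0 0/0
Flow destination  : 10.0.0.0/255.0.0.0 0/0
[Outbound ESP SAs]
SPI: 26166062 (0x18f432e)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
[Inbound ESP SAs]
SPI: 1769755811 (0x697c54a3)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
"""
# Assumption: substrings this checker treats as deprecated; adjust to local policy.
WEAK = ("DES", "MD5", "SHA1")
MIRRORED = (("Tunnel local", "Tunnel remote"), ("Flow source", "Flow destination"))


def parse_sa(text):
    """Parse one SA block into a dict of fields plus per-direction SPI and proposal."""
    sa, direction = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(Outbound|Inbound) ESP SAs\]", line)
        if m:
            direction = m.group(1).lower()
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if direction and key == "SPI":
            sa[direction + "_spi"] = int(value.split()[0])
        elif direction and key == "Proposal":
            sa[direction + "_proposal"] = value.split()
        else:
            sa[key] = value
    return sa


def check_pair(a, b):
    """Findings for two peers' SAs that should describe the same tunnel."""
    findings = []
    for x, y in MIRRORED:
        if a.get(x) != b.get(y) or a.get(y) != b.get(x):
            findings.append(f"mismatch: {x} and {y} are not mirrored")
    # One peer's outbound SPI must be the other peer's inbound SPI.
    if (a.get("outbound_spi"), a.get("inbound_spi")) != (b.get("inbound_spi"), b.get("outbound_spi")):
        findings.append("mismatch: SPIs do not pair up")
    for name, sa in (("BJ", a), ("SH", b)):
        for d in ("outbound", "inbound"):
            for token in sa.get(d + "_proposal", []):
                if any(w in token for w in WEAK):
                    findings.append(f"weak: {name} {d} SA uses {token}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_sa(BJ_SA), parse_sa(SH_SA)):
        print(finding)
```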


Time: 2024-08-09 22:01:08
