IPSec experiment configuration 【一】

Experimental requirements

Configure PC1 ~ PC2 to be reachable.
Configure ACL to match packets from source IP 192.168.1.0 to 192.168.2.0 for authentication.
Configure SA establishment mode to be manually configured

Experimental topology

Experimental configuration

AR1

ip route-static 12.0.0.0 255.255.255.0 11.0.0.2
ip route-static 192.168.2.0 255.255.255.0 12.0.0.2
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 1
92.168.2.0 0.0.0.255
[Huawei]ipsec proposal tran1
[Huawei-ipsec-proposal-tran1]esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1]quit
[Huawei]ipsec policy P1 10 manual   //manual代表手动配置SA
[Huawei-ipsec-policy-manual-P1-10]security acl 3001
[Huawei-ipsec-policy-manual-P1-10]proposal tran1
[Huawei-ipsec-policy-manual-P1-10]tunnel remote 12.0.0.2
[Huawei-ipsec-policy-manual-P1-10]tunnel local 11.0.0.1
[Huawei-ipsec-policy-manual-P1-10]sa spi outbound esp 54321   //密钥队
[Huawei-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei  //simple为明文密码
[Huawei-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]quit
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy P1
[Huawei-GigabitEthernet0/0/1]quit

AR3

<Huawei>u  t  m 
<Huawei>system-view 
[Huawei]inter g0/0/0
[Huawei]inter g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[Huawei-GigabitEthernet0/0/0]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 192.168.1.0 24 11.0.0.1
[Huawei]ip route-static 192.168.2.0 24 12.0.0.2

AR2

#配置路由可达
<Huawei>u t m 
<Huawei>system-view 
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[Huawei-GigabitEthernet0/0/1]inter g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.2.254 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 11.0.0.0 24 12.0.0.1
[Huawei]ip route-static 192.168.1.0 24 11.0.0.1
#配置ACL
[Huawei]acl 3002
[Huawei-acl-adv-3002]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 1
92.168.1.0 0.0.0.255
[Huawei-acl-adv-3002]quit
[Huawei]ipsec proposal tran1
[Huawei-ipsec-proposal-tran1]esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1]quit
[Huawei]ipsec policy P1 10 manual 
[Huawei-ipsec-policy-manual-P1-10]security acl 3002
[Huawei-ipsec-policy-manual-P1-10]proposal tran1
[Huawei-ipsec-policy-manual-P1-10]tunnel remote 11.0.0.1
[Huawei-ipsec-policy-manual-P1-10]tunnel local 12.0.0.2
[Huawei-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[Huawei-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-P1-10]sa string-key outbound  esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[Huawei-ipsec-policy-manual-P1-10]quit
[Huawei]inter g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy P1
[Huawei-GigabitEthernet0/0/1]quit

[Huawei]disp ipsec policy

Capture

The packet capture from PC2 ping PC1 is shown in the figure

before the VPN tunnel is not configured, the source IP and the destination IP are intranet IPs, and the protocol type is ICMP protocol, and packet capture can be obtained.