Example: Huawei routers connecting a headquarters and a branch private network over IPsec

 

Background of user needs

Yulin headquarters and the Xi'an branch have each obtained one public-network IP address. An IPsec VPN (written "IPsecPN" in the original because CSDN blocks the keyword) is to be built between them so that the two private networks can reach each other, i.e. 192.168.1.0/24 can access 192.168.2.0/24;

Both private networks (192.168.1.0/24 at headquarters and 192.168.2.0/24 at the branch) also need to reach the public network; the test target is 12.12.12.12, a loopback on the public-network router.

 

Network topology map

 

Configuration idea

Configure IP addresses at the headquarters and the branch, bring up the LANs (DHCP on the inside interfaces), and point a default route at the public network;

Give intranet users Internet access with outbound NAT on the public interface. The NAT ACL must deny the site-to-site traffic before it permits the LAN: on these routers outbound NAT is applied before the IPsec policy is matched, so if the private source were translated to the public address the packet would no longer match the IPsec ACL and would leave the router unencrypted;

Create a matching IPsec proposal and policy at both ends, apply the policy on the public interfaces, and verify that the branch is reachable. The policy below uses manual keying: the SPIs and the ESP key are typed in by hand on both routers, so there is no IKE negotiation, no peer authentication beyond knowledge of the key, and no rekeying; the key stays in use until someone changes it on both sides. That is acceptable for a lab, but a production tunnel should be keyed by IKE with a strong pre-shared key or certificates.

 

Experimental code process

The public-network router's configuration is trivial and is not shown: assign the interface addresses from the diagram (1.1.1.2 towards YL, 2.2.2.2 towards XIAN) and the loopback 12.12.12.12.

YL Headquarters

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname YL

[YL]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.

[YL]interface GigabitEthernet 0/0/1
[YL-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[YL-GigabitEthernet0/0/1]dhcp select interface // hand out 192.168.1.0/24 addresses to LAN hosts
[YL-GigabitEthernet0/0/1]quit

[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ip address 1.1.1.1 24 // public-network address
[YL-GigabitEthernet0/0/0]quit

[YL]acl 3000 // NAT ACL: first exclude the site-to-site traffic, then permit the LAN to the Internet
[YL-acl-adv-3000]rule deny ip destination 192.168.2.0 0.0.0.255 // traffic for the branch keeps its private source so it still matches ACL 3001
[YL-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
[YL-acl-adv-3000]quit

[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]nat outbound 3000 // apply the NAT policy on the egress interface
[YL-GigabitEthernet0/0/0]quit

[YL]ip route-static 0.0.0.0 0 1.1.1.2 // default route to the public network


[YL]acl 3001 // define the traffic to be protected
[YL-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3001]quit

[YL]ipsec proposal yl // security proposal; both ends must use the same algorithms
[YL-ipsec-proposal-yl]esp authentication-algorithm sha2-256
[YL-ipsec-proposal-yl]esp encryption-algorithm aes-128
[YL-ipsec-proposal-yl]quit

[YL]ipsec policy yl 10 manual // manual keying: SPIs and keys are fixed by hand, nothing negotiates or rekeys them
[YL-ipsec-policy-manual-yl-10]security acl 3001 // reference the ACL that selects the protected traffic
[YL-ipsec-policy-manual-yl-10]proposal yl
[YL-ipsec-policy-manual-yl-10]tunnel local 1.1.1.1 // this router's public address
[YL-ipsec-policy-manual-yl-10]tunnel remote 2.2.2.1 // the branch's public address
[YL-ipsec-policy-manual-yl-10]sa spi inbound esp 12345 // the SPI is an identifier, not a key; the branch configures these two values swapped
[YL-ipsec-policy-manual-yl-10]sa spi outbound esp 54321
[YL-ipsec-policy-manual-yl-10]sa string-key inbound esp cipher huawei.com // "cipher" only encrypts the key in the saved config; "huawei.com" is a weak lab value
[YL-ipsec-policy-manual-yl-10]sa string-key outbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]quit

[YL]interface GigabitEthernet 0/0/0 // apply the IPsec policy on the egress interface
[YL-GigabitEthernet0/0/0]ipsec policy yl
[YL-GigabitEthernet0/0/0]quit
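The manual policy above is the weakest way to bring the tunnel up: the SPIs and the ESP key are static, shared out of band, and never rotated. The following is an added example, not part of the original post, showing the same tunnel keyed by IKE instead. It assumes the names ike proposal 10, ike peer xian / ike peer yl and the placeholder pre-shared key <strong-psk>, and uses AR V200R-series syntax (ike peer name v2, encryption-algorithm aes-cbc-128); on other releases the IKE version is set with "version 2" inside the peer view and the cipher keyword is aes-128. Before creating the isakmp policy, remove the manual one from GigabitEthernet 0/0/0 (undo ipsec policy in the interface view) and delete it (undo ipsec policy yl 10), or use a different policy name.

```text
// YL (headquarters) side, added example: IKE-negotiated policy replacing the manual one
[YL]ike proposal 10
[YL-ike-proposal-10]encryption-algorithm aes-cbc-128     // assumed V200R keyword; "aes-128" on newer releases
[YL-ike-proposal-10]authentication-algorithm sha2-256
[YL-ike-proposal-10]dh group14                           // 2048-bit MODP group for the IKE key exchange
[YL-ike-proposal-10]authentication-method pre-share
[YL-ike-proposal-10]quit

[YL]ike peer xian v2                                     // IKEv2; assumed syntax, see lead-in
[YL-ike-peer-xian]ike-proposal 10
[YL-ike-peer-xian]pre-shared-key cipher <strong-psk>     // placeholder: a long random secret, identical on both routers
[YL-ike-peer-xian]remote-address 2.2.2.1
[YL-ike-peer-xian]quit

[YL]ipsec policy yl 10 isakmp                            // "isakmp" instead of "manual": SPIs and keys come from IKE
[YL-ipsec-policy-isakmp-yl-10]security acl 3001          // same protected-traffic ACL as the post
[YL-ipsec-policy-isakmp-yl-10]proposal yl                // the post's ESP aes-128 / sha2-256 proposal, unchanged
[YL-ipsec-policy-isakmp-yl-10]ike-peer xian
[YL-ipsec-policy-isakmp-yl-10]pfs dh-group14             // fresh DH per IPsec SA, so one SA's keys do not expose the others
[YL-ipsec-policy-isakmp-yl-10]quit

[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ipsec policy yl
[YL-GigabitEthernet0/0/0]quit

// XIAN (branch) side: the mirror image
[XIAN]ike proposal 10
[XIAN-ike-proposal-10]encryption-algorithm aes-cbc-128
[XIAN-ike-proposal-10]authentication-algorithm sha2-256
[XIAN-ike-proposal-10]dh group14
[XIAN-ike-proposal-10]authentication-method pre-share
[XIAN-ike-proposal-10]quit

[XIAN]ike peer yl v2
[XIAN-ike-peer-yl]ike-proposal 10
[XIAN-ike-peer-yl]pre-shared-key cipher <strong-psk>     // must equal the secret configured on YL
[XIAN-ike-peer-yl]remote-address 1.1.1.1
[XIAN-ike-peer-yl]quit

[XIAN]ipsec policy xian 10 isakmp
[XIAN-ipsec-policy-isakmp-xian-10]security acl 3001
[XIAN-ipsec-policy-isakmp-xian-10]proposal xian
[XIAN-ipsec-policy-isakmp-xian-10]ike-peer yl
[XIAN-ipsec-policy-isakmp-xian-10]pfs dh-group14
[XIAN-ipsec-policy-isakmp-xian-10]quit

[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]ipsec policy xian
[XIAN-GigabitEthernet0/0/0]quit
```

With IKE the two routers authenticate each other with the pre-shared key, derive the ESP keys from a Diffie-Hellman exchange rather than from a typed string, and rotate them automatically at the SA lifetime; the NAT ACLs and ACL 3001 from the post stay exactly as they are, since the protected-traffic selection does not change.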

XIAN branch

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname XIAN
[XIAN]dhcp enable // enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[XIAN]undo info-center enable
Info: Information center is disabled.

[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]ip address 2.2.2.1 24 // public-network address
[XIAN-GigabitEthernet0/0/0]quit

[XIAN]interface GigabitEthernet 0/0/1
[XIAN-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[XIAN-GigabitEthernet0/0/1]dhcp select interface
[XIAN-GigabitEthernet0/0/1]quit

[XIAN]acl 3000 // NAT for private-network users so they can reach the public network, i.e. the loopback 12.12.12.12 in the diagram
[XIAN-acl-adv-3000]rule deny ip destination 192.168.1.0 0.0.0.255 // traffic to the 192.168.1.0 private network is not translated, so it still matches the IPsec ACL
[XIAN-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 // allow the 192.168.2.0 private network to reach the Internet
[XIAN-acl-adv-3000]quit

[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]nat outbound 3000 // apply the NAT policy on the egress interface
[XIAN-GigabitEthernet0/0/0]quit

[XIAN]ip route-static 0.0.0.0 0 2.2.2.2 // default route to the public network

[XIAN]acl 3001
[XIAN-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 // define the traffic to be protected (mirror of YL's ACL 3001)
[XIAN-acl-adv-3001]quit

[XIAN]ipsec proposal xian // create a security proposal named "xian"
[XIAN-ipsec-proposal-xian]esp encryption-algorithm aes-128
[XIAN-ipsec-proposal-xian]esp authentication-algorithm sha2-256 // algorithms must match YL's proposal
[XIAN-ipsec-proposal-xian]quit

[XIAN]ipsec policy xian 10 manual // create a manual IPsec policy named "xian", sequence number 10
[XIAN-ipsec-policy-manual-xian-10]security acl 3001 // reference the ACL that selects the protected traffic
[XIAN-ipsec-policy-manual-xian-10]proposal xian // reference the security proposal
[XIAN-ipsec-policy-manual-xian-10]tunnel remote 1.1.1.1 // tunnel endpoint (YL's public address)
[XIAN-ipsec-policy-manual-xian-10]tunnel local 2.2.2.1 // tunnel start point (this router's public address)
[XIAN-ipsec-policy-manual-xian-10]sa spi inbound esp 54321 // SPIs are mirrored: XIAN inbound = YL outbound
[XIAN-ipsec-policy-manual-xian-10]sa spi outbound esp 12345 // XIAN outbound = YL inbound
[XIAN-ipsec-policy-manual-xian-10]sa string-key inbound esp cipher huawei.com // static keys must be identical to the peer's (inbound here = YL's outbound)
[XIAN-ipsec-policy-manual-xian-10]sa string-key outbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]quit

[XIAN]interface GigabitEthernet 0/0/0 // apply the IPsec policy on the egress interface
[XIAN-GigabitEthernet0/0/0]ipsec policy xian
[XIAN-GigabitEthernet0/0/0]quit

Test

Ping from a host in 192.168.1.0/24 to a host in 192.168.2.0/24 and to 12.12.12.12.

Packet capture test: capture on the public-network link. The site-to-site pings should appear only as ESP between 1.1.1.1 and 2.2.2.1, while the pings to 12.12.12.12 appear in the clear with the translated source 1.1.1.1 (or 2.2.2.1 from the branch).
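The following is an added example of how to confirm the same result from the YL CLI, not part of the original post. It assumes a host in 192.168.1.0/24 has already pinged 192.168.2.1 and 12.12.12.12, and that the commands behave as on AR V200R-series VRP (the "display ipsec statistics esp" form in particular is an assumption; plain "display ipsec statistics" is the fallback).

```text
// On YL, after a host in 192.168.1.0/24 has pinged 192.168.2.1 and 12.12.12.12
<YL>display ipsec sa
// Expect policy "yl" seq 10 (manual) with an inbound ESP SA, SPI 12345 (0x3039), and an
// outbound ESP SA, SPI 54321 (0xd431); tunnel local 1.1.1.1, remote 2.2.2.1, aes-128/sha2-256.
// If XIAN lists the same SPIs the same way round, the sides are not mirrored and ESP is dropped.

<YL>display ipsec statistics esp
// Both the encrypted (outbound) and decrypted (inbound) packet counters must grow with each
// ping. If only the encrypted counter grows, replies are not being decrypted: check that
// XIAN's SPIs and string keys are the mirror of YL's.

<YL>display acl 3000
// Rule 5 (deny destination 192.168.2.0) must be listed before rule 10 (permit source
// 192.168.1.0); the default step of 5 numbers them in configuration order.

<YL>display nat session all
// Only the flow to 12.12.12.12 should appear, with its source translated to 1.1.1.1.
// A session towards 192.168.2.x here means site-to-site traffic escaped via NAT unencrypted.

<YL>ping -a 192.168.1.1 192.168.2.1
// Router-sourced test that matches ACL 3001 without needing a LAN host.
```

The two failure modes worth checking first are the ones manual keying hides: a swapped SPI or mismatched key produces no negotiation error, only silently dropped ESP, and a NAT ACL without the leading deny rule produces working but unencrypted connectivity, which a ping alone will not reveal.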

 

Source: blog.csdn.net/NeverGUM/article/details/113839751