Background: user requirements
The Yulin headquarters and the Xi'an branch have each obtained a public IP address. An IPsec VPN must now be built between them so that the two private networks can reach each other, i.e. 192.168.1.0/24 can access 192.168.2.0/24 (written "IPsecPN" on CSDN, since the keyword cannot be typed there);
Both the headquarters (192.168.1.0/24) and the branch (192.168.2.0/24) must also be able to reach the public network; 12.12.12.12 is used as the test destination;
Network topology map
Configuration idea
Configure the IP addresses at the headquarters and at the branch, bring up the intranets, and point a default route at the public network;
Give intranet users Internet access by means of NAT (outbound translation on the egress interface);
Create the IPsec proposal and manual policy at both ends, apply the policy on the egress interface, and verify that the headquarters and the branch can reach each other;
Configuration walkthrough
The public-network router configuration is trivial and is not shown; just assign it the IP addresses from the diagram.
YL (headquarters)
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname YL
[YL]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[YL]interface GigabitEthernet 0/0/1
[YL-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[YL-GigabitEthernet0/0/1]dhcp select interface
[YL-GigabitEthernet0/0/1]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[YL-GigabitEthernet0/0/0]quit
[YL]acl 3000 //NAT ACL: traffic to the branch subnet is exempt from NAT, everything else from 192.168.1.0 is translated
[YL-acl-adv-3000]rule deny ip destination 192.168.2.0 0.0.0.255
[YL-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
[YL-acl-adv-3000]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]nat outbound 3000
[YL-GigabitEthernet0/0/0]quit
[YL]ip route-static 0.0.0.0 0 1.1.1.2
[YL]acl 3001
[YL-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 //define the traffic to be protected
[YL-acl-adv-3001]quit
[YL]ipsec proposal yl
[YL-ipsec-proposal-yl]esp authentication-algorithm sha2-256
[YL-ipsec-proposal-yl]esp encryption-algorithm aes-128
[YL-ipsec-proposal-yl]quit
[YL]ipsec policy yl 10 manual
[YL-ipsec-policy-manual-yl-10]security acl 3001
[YL-ipsec-policy-manual-yl-10]proposal yl
[YL-ipsec-policy-manual-yl-10]tunnel local 1.1.1.1
[YL-ipsec-policy-manual-yl-10]tunnel remote 2.2.2.1
[YL-ipsec-policy-manual-yl-10]sa spi inbound esp 12345
[YL-ipsec-policy-manual-yl-10]sa spi outbound esp 54321
[YL-ipsec-policy-manual-yl-10]sa string-key inbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]sa string-key outbound esp cipher huawei.com
[YL-ipsec-policy-manual-yl-10]quit
[YL]interface GigabitEthernet 0/0/0
[YL-GigabitEthernet0/0/0]ipsec policy yl
[YL-GigabitEthernet0/0/0]quit
XIAN (branch)
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname XIAN
[XIAN]dhcp enable //enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[XIAN]undo info-center enable
Info: Information center is disabled.
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]ip address 2.2.2.1 24
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]interface GigabitEthernet 0/0/1
[XIAN-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[XIAN-GigabitEthernet0/0/1]dhcp select interface
[XIAN-GigabitEthernet0/0/1]quit
[XIAN]
[XIAN]acl 3000 //NAT for private-network users so they can reach the public network, i.e. the loopback address 12.12.12.12 in the diagram
[XIAN-acl-adv-3000]rule deny ip destination 192.168.1.0 0.0.0.255 //traffic to the private network 192.168.1.0 is not translated by NAT
[XIAN-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 //allow the 192.168.2.0 private network to reach the Internet
[XIAN-acl-adv-3000]quit
[XIAN]interface GigabitEthernet 0/0/0
[XIAN-GigabitEthernet0/0/0]nat outbound 3000 //apply the NAT policy on the egress interface
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]ip route-static 0.0.0.0 0 2.2.2.2 //default route to the public network
[XIAN]acl 3001
[XIAN-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //define the traffic to be protected
[XIAN-acl-adv-3001]quit
[XIAN]ipsec proposal xian //create the IPsec proposal named "xian"
[XIAN-ipsec-proposal-xian]esp encryption-algorithm aes-128
[XIAN-ipsec-proposal-xian]esp authentication-algorithm sha2-256
[XIAN-ipsec-proposal-xian]quit
[XIAN]ipsec policy xian 10 manual //create a manual IPsec policy named xian, sequence number 10
[XIAN-ipsec-policy-manual-xian-10]security acl 3001 //reference the security ACL
[XIAN-ipsec-policy-manual-xian-10]proposal xian //reference the proposal
[XIAN-ipsec-policy-manual-xian-10]tunnel remote 1.1.1.1 //tunnel endpoint (remote) IP
[XIAN-ipsec-policy-manual-xian-10]tunnel local 2.2.2.1 //tunnel start point (local) IP
[XIAN-ipsec-policy-manual-xian-10]sa spi inbound esp 54321 //inbound SPI, the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa spi outbound esp 12345 //outbound SPI, the reverse of the headquarters side
[XIAN-ipsec-policy-manual-xian-10]sa string-key inbound esp cipher huawei.com //keys must match the peer: this side's inbound key is the other side's outbound key
[XIAN-ipsec-policy-manual-xian-10]sa string-key outbound esp cipher huawei.com
[XIAN-ipsec-policy-manual-xian-10]quit
[XIAN]interface GigabitEthernet 0/0/0 //apply the IPsec policy on the egress interface
[XIAN-GigabitEthernet0/0/0]ipsec policy xian
[XIAN-GigabitEthernet0/0/0]quit
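A manual IPsec policy only comes up when everything is mirrored between the two ends: each router's tunnel local is the other's tunnel remote, its inbound SPI is the other's outbound SPI, the proposals match, and the two security ACLs describe the same traffic with source and destination swapped. The NAT ACL must also exempt the peer subnet (the deny rule ahead of the permit rule); otherwise the inter-site traffic is translated on the way out and no longer matches ACL 3001. The Python script below is an added example, not part of the original post and not a Huawei tool: it parses constructed config excerpts that hold the values from the post, laid out the way display current-configuration shows them, lists every way the two policies fail to mirror each other, and evaluates the NAT ACL first-match on sample packets. The parser and the checks are this example's own assumptions and cover only the commands used in this post.

```python
"""Added example (not from the original post): parse simplified Huawei-style
config excerpts for the YL and XIAN routers, check that the two manual IPsec
policies mirror each other, and simulate first-match evaluation of the NAT ACL.
The config text is constructed from the post's values; the checker is an assumption."""
import ipaddress

YL_CFG = """acl 3000
 rule deny ip destination 192.168.2.0 0.0.0.255
 rule permit ip source 192.168.1.0 0.0.0.255
acl 3001
 rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal yl
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy yl 10 manual
 security acl 3001
 proposal yl
 tunnel local 1.1.1.1
 tunnel remote 2.2.2.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321"""
XIAN_CFG = """acl 3001
 rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal xian
 esp encryption-algorithm aes-128
 esp authentication-algorithm sha2-256
ipsec policy xian 10 manual
 security acl 3001
 proposal xian
 tunnel remote 1.1.1.1
 tunnel local 2.2.2.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345"""

def parse_rule(line):
    """'rule permit ip source A W destination B W' -> dict; a missing side means any (None)."""
    tokens = line.split()
    rule = {"action": tokens[1], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tokens:
            i = tokens.index(key)
            # Huawei ACLs use wildcard (host) masks; ipaddress accepts "addr/hostmask".
            rule[key] = ipaddress.ip_network(f"{tokens[i + 1]}/{tokens[i + 2]}")
    return rule

def parse(cfg):
    """Return (acls, proposals, policies) dicts from a config excerpt."""
    acls, proposals, policies = {}, {}, {}
    section = None
    for line in (l.strip() for l in cfg.splitlines()):
        if not line:
            continue
        if line.startswith("acl "):
            section = acls.setdefault(line.split()[1], [])
        elif line.startswith("ipsec proposal "):
            section = proposals.setdefault(line.split()[2], {})
        elif line.startswith("ipsec policy "):
            section = policies.setdefault(line.split()[2], {})
        elif line.startswith("rule "):
            section.append(parse_rule(line))
        else:  # "tunnel local 1.1.1.1" -> key "tunnel local", value "1.1.1.1"
            key, value = line.rsplit(" ", 1)
            section[key] = value
    return acls, proposals, policies

def acl_action(rules, src, dst):
    """First-match evaluation as the router does it.  No match -> "none":
    for "nat outbound", unmatched traffic is simply not translated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["source"] is None or src in r["source"]) and \
           (r["destination"] is None or dst in r["destination"]):
            return r["action"]
    return "none"

def check_pair(cfg_a, policy_a, cfg_b, policy_b):
    """List every way the two manual IPsec policies fail to mirror each other."""
    acl_a, prop_a, pol_a = parse(cfg_a)
    acl_b, prop_b, pol_b = parse(cfg_b)
    a, b = pol_a[policy_a], pol_b[policy_b]
    problems = []
    # Local/remote and inbound/outbound values must be swapped between the two ends.
    for mine, theirs, what in (("tunnel local", "tunnel remote", "tunnel endpoints"),
                               ("sa spi inbound esp", "sa spi outbound esp", "SPIs")):
        if a[mine] != b[theirs] or a[theirs] != b[mine]:
            problems.append(f"{what} are not mirrored")
    if prop_a[a["proposal"]] != prop_b[b["proposal"]]:
        problems.append("proposals differ")
    # The peer's security ACL must equal ours with source and destination swapped.
    mirrored = [{"action": r["action"], "source": r["destination"],
                 "destination": r["source"]} for r in acl_b[b["security acl"]]]
    if acl_a[a["security acl"]] != mirrored:
        problems.append("security ACLs are not mirrored")
    return problems

if __name__ == "__main__":
    print("mismatches:", check_pair(YL_CFG, "yl", XIAN_CFG, "xian") or "none")
    nat_acl = parse(YL_CFG)[0]["3000"]
    for dst in ("192.168.2.20", "12.12.12.12"):
        print("192.168.1.10 ->", dst, ":", acl_action(nat_acl, "192.168.1.10", dst))
```

An empty list from check_pair means the two ends agree. Running the script also shows the NAT ordering point: 192.168.1.10 to 192.168.2.20 hits the deny rule and is left untranslated for IPsec, while 192.168.1.10 to 12.12.12.12 is permitted for NAT; a host outside 192.168.1.0/24 matches nothing and is not translated at all.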
Test
Packet capture test