分享一种华为路由器通过IPsec实现总部和分支私网

用户需求背景

榆林总部和西安分支现申请了两个公网IP，现在需要搭建IPsecPN实现私网互通，即192.168.1.0 访问192.168.2.0；

总部和分支192.168.1.0-192.168.2.0需要访问公网，用于测试12.12.12.12；

网络拓补图

配置思路

在总部和分支分别配置IP地址，打通内网，并设置去公网的默认路由；

内网用户上网需求实现，使用NAT转换；

两端分别创建IPsec，调用，最后实现访问分支；

实验代码过程

公网代码过于简单，不予展示，只需按图示配置IP地址即可

YL总部

sy
[Huawei]undoinfo-centerenable
[Huawei]sysnameYL

[YL]dhcpenable
Info:Theoperationmaytakeafewseconds.Pleasewaitforamoment.done.

[YL]interfaceGigabitEthernet0/0/1
[YL-GigabitEthernet0/0/1]ipaddress192.168.1.124
[YL-GigabitEthernet0/0/1]dhcpselectinterface
[YL-GigabitEthernet0/0/1]quit

[YL]interfaceGigabitEthernet0/0/0
[YL-GigabitEthernet0/0/0]ipad
[YL-GigabitEthernet0/0/0]ipaddress1.1.1.124
[YL-GigabitEthernet0/0/0]quit
[YL]
[YL]
[YL]

[YL-acl-adv-3000]ruledenyipdestination192.168.2.00.0.0.255
[YL-acl-adv-3000]rulepermitipsource192.168.1.00.0.0.255
[YL-acl-adv-3000]quit
[YL]
[YL]
[YL]int
[YL]interfaceg
[YL]interfaceGigabitEthernet0/0/0
[YL-GigabitEthernet0/0/0]natoutbound3000
[YL-GigabitEthernet0/0/0]quit
[YL]
[YL]iproute-static0.0.0.001.1.1.2


[YL]acl3001
[YL-acl-adv-3001]rulepermitipsource192.168.1.00.0.0.255destination192.168.2.00.0.0.255
[YL]ipsecproposalyl
[YL-ipsec-proposal-yl]espauthentication-algorithmsha2-256
[YL-ipsec-proposal-yl]espencryption-algorithmaes-128
[YL-ipsec-proposal-yl]quit

[YL]ipsecpolicyyl10manual
[YL-ipsec-policy-manual-yl-10]securityacl3001
[YL-ipsec-policy-manual-yl-10]proposalyl
[YL-ipsec-policy-manual-yl-10]tunnellocal1.1.1.1
[YL-ipsec-policy-manual-yl-10]tunnelremote2.2.2.1
[YL-ipsec-policy-manual-yl-10]saspiinboundesp12345
[YL-ipsec-policy-manual-yl-10]saspioutboundesp54321
[YL-ipsec-policy-manual-yl-10]sastring-keyinboundespcipherhuawei.com
[YL-ipsec-policy-manual-yl-10]sastring-keyoutboundespcipherhuawei.com
[YL-ipsec-policy-manual-yl-10]quit
[YL]interfaceGigabitEthernet0/0/0
[YL-GigabitEthernet0/0/0]ipsecpolicyyl
[YL-GigabitEthernet0/0/0]quit

XIAN分支

sy
Entersystemview,returnuserviewwithCtrl+Z.
[Huawei]sysnameXIAN
[XIAN]dhcenable//开启DHCP
Info:Theoperationmaytakeafewseconds.Pleasewaitforamoment.done.
[XIAN]un
[XIAN]undoinen
Info:Informationcenterisdisabled.

[XIAN]interfaceGigabitEthernet0/0/0
[XIAN-GigabitEthernet0/0/0]ipad
[XIAN-GigabitEthernet0/0/0]ipaddress2.2.2.124
[XIAN-GigabitEthernet0/0/0]quit

[XIAN]interfaceGigabitEthernet0/0/1
[XIAN-GigabitEthernet0/0/1]ipaddress192.168.2.124
[XIAN-GigabitEthernet0/0/1]dhcpselectinterface
[XIAN-GigabitEthernet0/0/1]quit
[XIAN]

[XIAN]acl3000//为私网用户开启NAT转换，使其可以访问公网，也就是图中loopback地址，12.12.12.12
[XIAN-acl-adv-3000]ruledenyipdestination192.168.1.00.0.0.255//访问私网192.168.1.0不进行NAT转换
[XIAN-acl-adv-3000]rulepermitipsource192.168.2.00.0.0.255//允许192.168.1.0私网访问互联网
[XIAN-acl-adv-3000]quit

[XIAN]interfaceGigabitEthernet0/0/0
[XIAN-GigabitEthernet0/0/0]natoutbound3000//出口调用策略
[XIAN-GigabitEthernet0/0/0]quit

[XIAN]iproute-static0.0.0.002.2.2.2//默认路由到公网
[XIAN]



[XIAN]
[XIAN]
[XIAN]acl3001
[XIAN-acl-adv-3001]rulepermitipsource192.168.2.00.0.0.255destination192.168.1.00.0.0.255//定义需要保护的数据
[XIAN-acl-adv-3001]quit

[XIAN]ipsecproposalxian//创建安全提议，名称“xian”
[XIAN-ipsec-proposal-xian]espencryption-algorithmaes-128
[XIAN-ipsec-proposal-xian]espauthentication-algorithmsha2-256
[XIAN-ipsec-proposal-xian]quit

[XIAN]ipsecpolicyxian10manual//创建IPsec策略，名称xian,编号10
[XIAN-ipsec-policy-manual-xian-10]securityacl3001//调用安全策略
[XIAN-ipsec-policy-manual-xian-10]proposalxian//调用安全提议
[XIAN-ipsec-policy-manual-xian-10]tunnelremote1.1.1.1//设置隧道终点IP
[XIAN-ipsec-policy-manual-xian-10]tunnellocal2.2.2.1//设置隧道起点IP
[XIAN-ipsec-policy-manual-xian-10]saspiinboundesp54321//SPI密钥，和总部密钥相反
[XIAN-ipsec-policy-manual-xian-10]saspioutboundesp12345//SPI密钥，和总部密钥相反

[XIAN-ipsec-policy-manual-xian-10]sastring-keyinboundespcipherhuawei.com
[XIAN-ipsec-policy-manual-xian-10]sastring-keyoutboundespcipherhuawei.com
[XIAN-ipsec-policy-manual-xian-10]quit

[XIAN]interfaceGigabitEthernet0/0/0//出口下调用IPsec策略
[XIAN-GigabitEthernet0/0/0]ipsecpolicyxian
[XIAN-GigabitEthernet0/0/0]quit
[XIAN]

测试

抓包测试

审核编辑：刘清