Headquarters uses a Hillstone SG 6000 device and the branch uses a Huawei AR121 router.
Hillstone configuration at headquarters:
First configure IPsec:
1. Add the VPN peer
2. Configure the Phase 1 (P1) proposal
3. Create a new Phase 2 (P2) proposal
4. Configure the IPsec VPN connection information
Then create a network interface, using a tunnel interface.

Then create a route.

Finally, modify the firewall policy to allow the access ports.
Huawei router configuration:
acl number 3003
 description ForVPNToKeDe
 rule 5 permit ip source 192.168.32.0 0.0.0.255 destination 192.168.1.5 0
 # 192.168.32.0/24 is the branch's local network
acl number 3010
 description To_Internet
 rule 5 deny ip source 192.168.32.0 0.0.0.255 destination 192.168.1.51 0 # 192.168.1.51 is the headquarters server
 rule 10 permit ip source 192.168.32.0 0.0.0.255
ipsec proposal ipsecp2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 5
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 sa duration 28800
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer Ksdfsfui
 undo version 2
 exchange-mode aggressive
 pre-shared-key
 ike-proposal 5
 local-id-type user-fqdn
 remote-id-type user-fqdn
 remote-id Ksdafe # must match the headquarters configuration
 local-id Ksdfsi # must match the headquarters configuration
 undo nat traversal
 dpd type on-demand
 dpd idle-time 10
 dpd retransmit-interval 10
 dpd retry-limit 5
 dpd msg seq-hash-notify
 remote-address 128.161.122.21 # headquarters public address
 lifetime-notification-message enable
ipsec policy Ksfdsi 10 isakmp
 security acl 3003 # interesting traffic (the traffic to be protected)
 pfs dh-group2
 ike-peer Ksdfsfui
 proposal ipsecp2
 sa duration time-based 28800
interface GigabitEthernet0/0/4 # apply the IPsec policy on the egress interface
 description ToInternet
 tcp adjust-mss 1200
 ip address 53.122.136.229 255.255.255.248
 nat outbound 3010
 ipsec policy Ksfdsi
 ipsec authentication sha2 compatible enable # configure the compatible (interoperable) algorithm mode
After configuration, check the IPsec status:
dis ike sa
dis ipsec sa
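As an added example (not from the original post, Hillstone or Huawei), a small Python audit that parses the branch-side Huawei stanzas above into the Phase 1 / Phase 2 parameters the headquarters side must mirror, reports any that differ, and lists settings worth revisiting once the tunnel is up. The headquarters values in HQ_PARAMS are assumed, since the post shows only the Hillstone click-path; the sample config text is constructed from the stanzas above with the pre-shared key, ACL and interface lines left out.

```python
# Constructed sample: the branch-side Huawei IKE/IPsec stanzas shown in this post, continuation lines rejoined.
BRANCH_CFG = """\
ipsec proposal ipsecp2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 5
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 sa duration 28800
ike peer Ksdfsfui
 undo version 2
 exchange-mode aggressive
ipsec policy Ksfdsi 10 isakmp
 pfs dh-group2
 proposal ipsecp2
 sa duration time-based 28800
"""
# Assumed HQ (Hillstone) values, constructed because the post shows only the click-path; p2_lifetime deliberately differs.
HQ_PARAMS = {"ike_version": "v1", "exchange_mode": "aggressive", "p1_encryption": "aes-256",
             "p1_integrity": "sha2-256", "p1_dh": "group2", "p1_lifetime": 28800, "p2_encryption": "aes-256",
             "p2_integrity": "sha2-256", "pfs": "dh-group2", "p2_lifetime": 3600}
REVIEW = {("exchange_mode", "aggressive"): "aggressive mode sends identities and a PSK-derived hash unencrypted",
          ("p1_dh", "group2"): "dh group2 is 1024-bit MODP; prefer group14 (2048-bit) or larger on both ends"}

def parse_stanzas(cfg):
    stanzas, cur = {}, None                    # {header: {leading keywords: last word}}
    for line in filter(str.strip, cfg.splitlines()):
        if not line.startswith(" "):           # unindented = stanza header, e.g. "ike peer Ksdfsfui"
            cur = stanzas[line.strip()] = {}
        else:                                  # indented = parameter, e.g. "dh group2" -> {"dh": "group2"}
            *key, val = line.split()
            cur[" ".join(key)] = val
    return stanzas

def branch_params(cfg):
    s = parse_stanzas(cfg)                     # flatten to the Phase 1 / Phase 2 values the other end must mirror
    pick = lambda prefix: next(v for k, v in s.items() if k.startswith(prefix))
    p1, peer, p2, pol = (pick(p) for p in ("ike proposal", "ike peer", "ipsec proposal", "ipsec policy"))
    return {"ike_version": "v1" if peer.get("undo version") == "2" else "v2",  # "undo version 2" = IKEv1 only
            "exchange_mode": peer.get("exchange-mode", "main"), "p1_encryption": p1["encryption-algorithm"],
            "p1_integrity": p1["authentication-algorithm"], "p1_dh": p1["dh"], "p1_lifetime": int(p1["sa duration"]),
            "p2_encryption": p2["esp encryption-algorithm"], "p2_integrity": p2["esp authentication-algorithm"],
            "pfs": pol.get("pfs"), "p2_lifetime": int(pol["sa duration time-based"])}

def mismatches(branch, hq):  # keys whose values differ; any hit means that phase will not negotiate
    return sorted(k for k in hq if branch.get(k) != hq[k])

def review(params):  # documented IKEv1 properties this configuration uses, worth revisiting once the tunnel is up
    return [msg for (k, v), msg in REVIEW.items() if params.get(k) == v]
```

With the values above, `mismatches` reports only `p2_lifetime`, which is the kind of single-parameter difference that leaves `dis ike sa` showing Phase 1 established while Phase 2 never comes up.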