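# FW1: one end of an IKE/IPsec site-to-site lab.
#   inside  GE1/0/0 2.2.2.1/24  (zone trust)
#   outside GE1/0/1 33.1.1.1/24 (zone untrust), default route via R1 at 33.1.1.2
#   IPsec peer: FW2 at 55.1.1.2; protected traffic 2.2.2.0/24 <-> 1.1.1.0/24
system
sysname FW1
# Operational show command kept from the original session; it has no configuration effect.
display interface brief
interface gigabitethernet 1/0/0
ip address 2.2.2.1 24
interface gigabitethernet 1/0/1
ip address 33.1.1.1 24
quit
# Default route towards the external router (R1).
ip route-static 0.0.0.0 0 33.1.1.2

# Assign the interfaces to firewall security zones.
security-zone name trust
import interface gigabitethernet 1/0/0
security-zone name untrust
import interface gigabitethernet 1/0/1
quit
# The focus of this lab is IPsec, so all traffic is permitted.
# NOTE(review): a rule with no match criteria permits everything between all zones;
# outside a lab, restrict it to the required sources, destinations and services.
security-policy ip
rule 5 name test-pass
action pass
quit
quit

# IKE proposal (phase 1 parameters).
ike proposal 1
# Authentication method: pre-shared key.
authentication-method pre-share
# Authentication (integrity) algorithm used during IKE negotiation: SHA-1.
authentication-algorithm sha
# Encryption algorithm used during IKE negotiation: 3DES-CBC.
# NOTE(review): 3DES-CBC and SHA-1 are legacy algorithms, and no "dh" group is set, so the
# platform default applies. Where both peers support them, prefer AES and SHA-2 with a
# current DH group; the proposal must stay identical on FW1 and FW2.
encryption-algorithm 3des-cbc
quit
# IKE keychain: the pre-shared key, bound to the peer address.
# NOTE(review): "key simple" stores the key in plaintext in the configuration; the cipher
# form of this command is preferable outside a lab.
ike keychain 1
pre-shared-key address 55.1.1.2 key simple a123456789
# Return to system view before creating the next object (FW2's configuration does this too).
quit
# IKE profile: ties local/remote identities, the keychain and the proposal together.
ike profile 1
# Local identity presented to the peer.
local-identity address 33.1.1.1
# Remote identity this profile matches.
match remote identity address 55.1.1.2
# Reference the IKE keychain.
keychain 1
# Reference the IKE proposal.
proposal 1
quit

# IPsec transform set (phase 2 parameters).
ipsec transform-set 1
# ESP authentication algorithm: SHA-1.
esp authentication-algorithm sha1
# ESP encryption algorithm: 3DES-CBC.
esp encryption-algorithm 3des-cbc
quit

# Interesting traffic: the ACL selects which flows are sent through the IPsec tunnel.
acl advanced 3001
rule 5 permit ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
quit

# IKE-negotiated (isakmp) IPsec policy; this command enters the IPsec policy view.
ipsec policy 1 1 isakmp
# Peer address.
remote 55.1.1.2
# Reference the interesting-traffic ACL.
security acl 3001
# Reference the IPsec transform set.
transform-set 1
# Reference the IKE profile.
ike-profile 1
quit
# Apply the IPsec policy on the outside interface.
interface gigabitethernet 1/0/1
ipsec apply policy 1
quit
# Persist the configuration, as FW2 and R1 do.
save force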


 

# FW2: the other end of the IKE/IPsec lab; mirrors FW1 with the addresses swapped.
#   inside  GE1/0/0 1.1.1.1/24  (zone trust)
#   outside GE1/0/1 55.1.1.2/24 (zone untrust), default route via R1 at 55.1.1.1
#   IPsec peer: FW1 at 33.1.1.1; protected traffic 1.1.1.0/24 <-> 2.2.2.0/24
system
sysname FW2
interface gigabitethernet 1/0/0
ip address 1.1.1.1 24
interface gigabitethernet 1/0/1
ip address 55.1.1.2 24
quit
# Default route towards the external router (R1).
ip route-static 0.0.0.0 0 55.1.1.1

# Assign the interfaces to firewall security zones.
security-zone name trust
import interface gigabitethernet 1/0/0
security-zone name untrust
import interface gigabitethernet 1/0/1
quit
# Permit-all policy for the lab; the rule has no match criteria.
security-policy ip
rule 0 name pass
action pass
quit
quit

# IKE proposal (phase 1); must match FW1: pre-shared key, 3DES-CBC, SHA-1.
ike proposal 1
authentication-method pre-share
encryption-algorithm 3des-cbc
authentication-algorithm sha
quit

# IKE keychain: same pre-shared key as FW1, bound to FW1's outside address.
# NOTE(review): "key simple" stores the key in plaintext in the configuration.
ike keychain 1
pre-shared-key address 33.1.1.1 key simple a123456789
quit

# IKE profile: local/remote identities plus references to proposal and keychain.
ike profile 1
local-identity address 55.1.1.2
match remote identity address 33.1.1.1
proposal 1
keychain 1
quit

# IPsec transform set (phase 2): ESP with SHA-1 and 3DES-CBC, matching FW1.
ipsec transform-set 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des-cbc
quit
# Interesting traffic: the mirror image of FW1's ACL 3001.
acl advanced 3001
rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
quit

# IKE-negotiated (isakmp) IPsec policy towards FW1.
ipsec policy 1 1 isakmp
remote 33.1.1.1
security acl 3001
transform-set 1
ike-profile 1
quit
# Apply the IPsec policy on the outside interface.
interface gigabitethernet 1/0/1
ipsec apply policy 1
quit
# Persist the configuration.
save force
 

# R1: the transit router between the two firewalls' outside interfaces.
#   GE0/0 33.1.1.2/24 faces FW1 (33.1.1.1); GE0/1 55.1.1.1/24 faces FW2 (55.1.1.2).
#   Both connected subnets are directly attached, so no routing protocol or static route is needed here.
system
sysname R1
interface gigabitethernet 0/0
ip address 33.1.1.2 24
interface gigabitethernet 0/1
ip address 55.1.1.1 24
quit
# Persist the configuration.
save force
 
