Huawei Ensp IPsec ***

1. First confirm that the networks can communicate with each other

2. Configure the IKE policy on AR2 and AR4 (it can also be set manually)

[AR2]ike proposal 1
[AR2]encryption-algorithm aes-cbc-128
[AR2]authentication-algorithm md5
[AR2]quit

[AR4]ike proposal 1
[AR4]encryption-algorithm aes-cbc-128
[AR4]authentication-algorithm md5
[AR4]quit

display ike proposal

3. Define the IKE phase 1 parameters

[AR2]ike peer test v1
[AR2]ike-proposal 1
[AR2]pre-shared-key simple yeslab
[AR2]remote-address 34.1.1.4
[AR2]local-address 23.1.1.2
[AR2]quit

[AR4]ike peer test v1
[AR4]ike-proposal 1
[AR4]pre-shared-key simple yeslab
[AR4]remote-address 23.1.1.2
[AR4]local-address 34.1.1.4
[AR4]quit

display ike peer name test verbose

4. Define the interesting traffic

[AR2]acl number 3000
[AR2]rule permit gre source any destination any
[AR4]acl number 3000
[AR4]rule permit gre source any destination any

5. IPsec security policy

[AR2]ipsec proposal trans1
[AR2]encapsulation-mode tunnel
[AR2]transform esp
[AR2]esp encryption-algorithm des
[AR2]esp authentication-algorithm sha1

[AR4]ipsec proposal trans1
[AR4]encapsulation-mode tunnel
[AR4]transform esp
[AR4]esp encryption-algorithm des
[AR4]esp authentication-algorithm sha1

display ipsec proposal

6. Associate the policies above

[AR2]ipsec policy r2-r4 1 isakmp
[AR2]ike-peer test
[AR2]proposal trans1
[AR2]security acl 3000

[AR4]ipsec policy r4-r2 1 isakmp
[AR4]ike-peer test
[AR4]proposal trans1
[AR4]security acl 3000

7. Apply the policy on the interfaces

[AR2]int g0/0/1
[AR2]ipsec policy r2-r4

[AR4]int g0/0/0
[AR4]ipsec policy r4-r2

display ipsec sa
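
An added example, not part of the original post: a small Python check that reads a pasted transcript of the commands above for both routers and reports the settings a reviewer would question, namely MD5 or DES in a proposal, a pre-shared key entered with `simple`, and a `remote-address` that does not match the other router's `local-address`. The sample transcript, its addresses and key, the deny-list and the function names are all constructed for this example.

```python
import re
from collections import defaultdict

WEAK_ALGS = {"md5", "des", "des-cbc"}  # assumption: this example's deny-list
PROMPT = re.compile(r"^\[([^\]-]+)[^\]]*\]\s*(.+)$")  # [AR2] or [AR2-ike-peer-test]

# Constructed sample (documentation addresses, placeholder key), not the page's lab.
SAMPLE = """\
[AR2]authentication-algorithm md5
[AR2]pre-shared-key simple EXAMPLE-KEY
[AR2]remote-address 198.51.100.4
[AR2]local-address 192.0.2.2
[AR2]esp encryption-algorithm des
[AR4]authentication-algorithm md5
[AR4]pre-shared-key simple EXAMPLE-KEY
[AR4]remote-address 192.0.2.2
[AR4]local-address 198.51.100.2
[AR4]esp encryption-algorithm des
"""

def parse(transcript):
    """Group whitespace-split commands by the router name in the prompt."""
    cfg = defaultdict(list)
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if m:
            cfg[m.group(1)].append(m.group(2).split())
    return cfg

def arg(cmds, key):
    """Argument of the first `key <arg>` command, or None if absent."""
    return next((c[1] for c in cmds if c[0] == key and len(c) > 1), None)

def audit(transcript):
    """Return (router, finding, detail) tuples for a two-peer transcript."""
    cfg, out = parse(transcript), []
    for host, cmds in sorted(cfg.items()):
        for c in cmds:
            if len(c) > 1 and c[-2].endswith("-algorithm") and c[-1] in WEAK_ALGS:
                out.append((host, "weak-algorithm", " ".join(c)))
            if c[:2] == ["pre-shared-key", "simple"]:
                out.append((host, "plaintext-psk", "key stored in clear text"))
    for a in sorted(cfg):
        for b in sorted(cfg):
            ra, lb = arg(cfg[a], "remote-address"), arg(cfg[b], "local-address")
            if a != b and ra != lb:  # each side must point at the other's local address
                out.append((a, "peer-address-mismatch", f"remote {ra} vs {b} local {lb}"))
    return out
```

Calling `audit(SAMPLE)` reports the MD5 and DES lines and the `simple` key on both routers, plus one address mismatch on AR2, because the constructed AR4 `local-address` deliberately differs from what AR2 expects.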