H3C ***

IPsec ***: (for command screenshots, see QQ Favorites)

Configuration on R1:

Define the traffic to protect

[R1]acl advanced 3001

[R1-acl-ipv4-adv-3001]rule permit ip source 192.168.1.1 0 destination 172.16.1.1 0

Define the IKE phase parameters; the default parameters can be used instead

[R1]ike proposal 1

[R1-ike-proposal-1]encryption-algorithm 3des-cbc

[R1-ike-proposal-1]authentication-algorithm md5

[R1-ike-proposal-1]authentication-method pre-share (already the default)

[R1-ike-proposal-1]dh group2

[R1-ike-proposal-1]quit

Define the peer address and the pre-shared key

[R1]ike keychain 1

[R1-ike-keychain-1]pre-shared-key address 23.1.1.3 24 key simple 123

[R1-ike-keychain-1]quit

Add the keychain to the profile

[R1]ike profile 1

[R1-ike-profile-1]keychain 1

[R1-ike-profile-1]match remote identity address 23.1.1.3 24

[R1-ike-profile-1]proposal 1

[R1-ike-profile-1]quit

Define IKE phase 2

[R1]ipsec transform-set 1

[R1-ipsec-transform-set-1]encapsulation-mode tunnel

[R1-ipsec-transform-set-1]protocol esp

[R1-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc

[R1-ipsec-transform-set-1]esp authentication-algorithm md5

[R1-ipsec-transform-set-1]quit

Note:

When the protocol is ah-esp, one more command must also be specified: ah authentication-algorithm md5

Define the security policy

[R1]ipsec policy H3C 10 isakmp

[R1-ipsec-policy-isakmp-map1-10]transform-set 1

[R1-ipsec-policy-isakmp-map1-10]security acl 3001

[R1-ipsec-policy-isakmp-map1-10]local-address 12.1.1.1

[R1-ipsec-policy-isakmp-map1-10]remote-address 23.1.1.3

[R1-ipsec-policy-isakmp-map1-10]ike-profile 1

[R1-ipsec-policy-isakmp-map1-10]quit

Apply the policy to the interface

[R1]int g0/0

[R1-GigabitEthernet0/0]ipsec apply policy H3C

Verification command:

<R1>dis ipsec sa brief

IPsec over GRE ***:

Configuration on R3:

[R3]acl advanced 3001

[R3-acl-ipv4-adv-3001]rule permit ip source 172.16.1.1 0 destination 192.168.1.1 0

[R3]int Tunnel 1 mode gre

[R3-Tunnel1]ip add 13.1.1.3 24

[R3-Tunnel1]source  23.1.1.3

[R3-Tunnel1]destination 12.1.1.1

[R3]ike proposal 1

[R3-ike-proposal-1]encryption-algorithm 3des-cbc

[R3-ike-proposal-1]authentication-algorithm md5

[R3-ike-proposal-1]authentication-method pre-share (already the default)

[R3-ike-proposal-1]dh group2

[R3-ike-proposal-1]quit

[R3]ike keychain 1

[R3-ike-keychain-1]pre-shared-key address 13.1.1.1 24 key simple 123

[R3-ike-keychain-1]quit

[R3]ike profile 1

[R3-ike-profile-1]keychain 1

[R3-ike-profile-1]match remote identity address 13.1.1.1 24

[R3-ike-profile-1]proposal 1

[R3-ike-profile-1]quit

[R3]ipsec transform-set 1

[R3-ipsec-transform-set-1]encapsulation-mode tunnel

[R3-ipsec-transform-set-1]protocol esp

[R3-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc

[R3-ipsec-transform-set-1]esp authentication-algorithm md5

[R3-ipsec-transform-set-1]quit

[R3]ipsec policy H3C 10 isakmp

[R3-ipsec-policy-isakmp-map1-10]transform-set 1

[R3-ipsec-policy-isakmp-map1-10]security acl 3001

[R3-ipsec-policy-isakmp-map1-10]local-address 13.1.1.3 

[R3-ipsec-policy-isakmp-map1-10]remote-address 13.1.1.1

[R3-ipsec-policy-isakmp-map1-10]ike-profile 1

[R3-ipsec-policy-isakmp-map1-10]quit

[R3]int Tunnel 1

[R3-Tunnel1]ipsec apply policy H3C

[R3-Tunnel1]quit

[R3]ip route-static 192.168.1.1 32 Tunnel 1

[R3]ip route-static 0.0.0.0 0 23.1.1.2

Verification command:

<R1>dis ipsec sa brief
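
The proposals and transform sets in both configurations select 3des-cbc, md5 and dh group2, and the keychain uses a three-character key. The following is an added example, not part of the original notes: a small audit script that reads a pasted CLI transcript in this page's prompt style, flags those settings, and checks that every `ipsec apply policy` names a policy defined on the same device. The function name `audit`, the sample transcript and the 16-character key threshold are assumptions made for the example.

```python
import re

# Settings used in the configurations above that are flagged, and why.
WEAK = [
    (r"encryption-algorithm (3des|des)-cbc\b", "64-bit block cipher (DES/3DES)"),
    (r"authentication-algorithm md5\b", "MD5-based integrity"),
    (r"\bdh group(1|2|5)\b", "DH group of 1536 bits or less"),
]
MIN_PSK_LEN = 16  # assumed threshold for this example, not an H3C rule
PROMPT = re.compile(r"^[\[<]([A-Za-z0-9]+)[^\]>]*[\]>]\s*(.*)$")

def audit(transcript):
    """Return sorted (device, issue, command) findings for a pasted CLI transcript."""
    findings, defined, applied = set(), {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # headings and blank lines carry no command
        dev, cmd = m.group(1), " ".join(m.group(2).split())
        for pattern, issue in WEAK:
            if re.search(pattern, cmd):
                findings.add((dev, issue, cmd))
        if (k := re.match(r"pre-shared-key .* key simple (\S+)", cmd)):
            if len(k.group(1)) < MIN_PSK_LEN:
                # Keep the key itself out of the report.
                findings.add((dev, "short pre-shared key", cmd[:k.start(1)] + "<redacted>"))
        elif (p := re.match(r"ipsec policy (\S+) \d+", cmd)):
            defined.setdefault(dev, set()).add(p.group(1))
        elif (a := re.match(r"ipsec apply policy (\S+)", cmd)):
            applied.append((dev, a.group(1), cmd))
    # An apply line must name a policy defined on the same device.
    for dev, name, cmd in applied:
        if name not in defined.get(dev, set()):
            findings.add((dev, "applied policy is not defined", cmd))
    return sorted(findings)

# Constructed transcript; its last line applies a policy name that was never defined.
SAMPLE = """\
[R3]ike proposal 1
[R3-ike-proposal-1]encryption-algorithm 3des-cbc
[R3-ike-proposal-1]authentication-algorithm md5
[R3-ike-proposal-1]dh group2
[R3-ike-keychain-1]pre-shared-key address 13.1.1.1 24 key simple 123
[R3]ipsec policy H3C 10 isakmp
[R3-Tunnel1]ipsec apply policy  1
"""

if __name__ == "__main__":
    for dev, issue, cmd in audit(SAMPLE):
        print(f"{dev}: {issue}: {cmd}")
```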

L2TP:



