eNSP模擬器—IPsec配置實驗3

IPSec 隧道模式（ESP 封裝）USG5500 配置

參考文章:
https://blog.51cto.com/sunjie123/1742580
https://support.huawei.com/enterprise/zh/doc/EDOC1000010139?section=j00d
https://support.huawei.com/enterprise/docinforeader!loadDocument1.action?contentId=DOC1000068086&partNo=10092#dc_fd_fw_0002

eNSP模擬器—IPsec配置實驗3

USGA

# CLI_VERSION=V300R001

# Last configuration was changed at 2020/02/16 18:43:16 from console0 
#*****BEGIN****public****#
#
# Simulator-generated STP region; not part of the IPsec lab and not security-relevant.
stp region-configuration
 region-name 10e2b2159042
 active region-configuration
#
# ACL 3000 selects the IPsec "interesting traffic": local LAN 192.168.10.0/24 -> remote
# LAN 192.168.20.0/24. Only this flow is encrypted; everything else leaving GE0/0/1 is
# forwarded in cleartext under the easy-ip rule of the nat-policy further down.
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 
#
# IKE phase-1 proposal. dh group2 is 1024-bit MODP and considered weak today; no
# encryption-algorithm is set here, so the platform default applies -- confirm with
# `display ike proposal` and prefer a stronger group/cipher outside the simulator.
ike proposal 1
 dh group2
 integrity-algorithm aes-xcbc-96
#
# IKE peer = USGB's WAN address (12.0.0.2), authenticated by pre-shared key only. The
# key is stored in Huawei cipher form, which is reversible, so this dump is sensitive.
ike peer peer-1
 pre-shared-key %$%$|Al,DlLXANes,b2.QGi.p<3*%$%$
 ike-proposal 1
 remote-address 12.0.0.2
#
# IPsec phase-2 proposal: ESP with SHA-1 integrity and AES encryption. No key length
# and no encapsulation mode are given, so the platform defaults apply -- the page
# title states tunnel mode; confirm with `display ipsec proposal`.
ipsec proposal secpro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
# ISAKMP-negotiated policy tying acl 3000, peer-1 and secpro1 together. No `pfs` line,
# so phase-2 keys derive from the IKE SA without a fresh DH exchange.
ipsec policy map 1 isakmp
 security acl 3000
 ike-peer peer-1
 proposal secpro1
#
# GE0/0/0 (alias GE0/MGMT) is the LAN side, 192.168.10.1/24; it is placed in zone trust below.
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.10.1 255.255.255.0 
#
# GE0/0/1 is the WAN side toward AR1 (11.0.0.2/24). `ipsec policy map` binds the policy
# group here, so the tunnel terminates on this address; it is in zone untrust below.
interface GigabitEthernet0/0/1
 ip address 11.0.0.2 255.255.255.0 
 ipsec policy map
#
# GE0/0/2-8 are unused and belong to no zone.
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
# Zone priorities: local 100 > trust 85 > dmz 50 > untrust 5. The "inbound"/"outbound"
# direction of the interzone policies further down is derived from this ordering.
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
# dmz has no member interface in this lab.
firewall zone dmz
 set priority 50
#
# Local admin account at privilege level 15 with web, terminal and telnet service types.
# Telnet carries credentials in cleartext, and the password is stored in reversible
# cipher form -- acceptable for the simulator, not for a real device.
aaa 
 local-user admin password cipher %$%$&`e3Jsf(O&jM]:Bo)VWHpYPG%$%$
 local-user admin service-type web terminal telnet 
 local-user admin level 15 
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default 
 #
 domain default
 #
#
nqa-jitter tag-version 1

#
# Default route toward AR1: every non-local packet, including the ESP-encapsulated
# VPN traffic, leaves via 11.0.0.1.
 ip route-static 0.0.0.0 0.0.0.0 11.0.0.1 
#
 banner enable 
#
# NOTE(review): console and VTY 0-4 use `authentication-mode none`, and the VTYs accept
# every inbound protocol. Anything in zone trust (local<-trust inbound is permitted by
# default below) and the IPsec peer 12.0.0.2 (permitted by the explicit local/untrust
# policy) therefore gets an unauthenticated CLI session. Fine in the simulator; a real
# deployment needs AAA or password authentication here and a restricted protocol list.
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname USGA
#
 l2tp domain suffix-separator @
#
# Default interzone filters: local<->trust in both directions and local->untrust/dmz
# outbound are permitted. Inbound from untrust to local is not defaulted and is
# governed only by the explicit `policy interzone local untrust inbound` below.
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check 
 firewall ipv6 statistic system enable
#
 dns resolve  
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy  
#
 license-server domain lic.huawei.com
#
# Web management is on; with the local<-trust default permit above it is reachable from the LAN.
 web-manager enable
#
# Lets the IPsec peer (12.0.0.2) reach this firewall's WAN address for ANY service
# (no service restriction is set). Least privilege would narrow this to what the
# tunnel needs: IKE (UDP 500/4500) and ESP.
policy interzone local untrust inbound
 policy 1 
  action permit 
  policy source 12.0.0.2 0
  policy destination 11.0.0.2 0
#
# Admits decrypted traffic from the remote LAN into the local LAN, any service.
policy interzone trust untrust inbound
 policy 1 
  action permit 
  policy source 192.168.20.0 0.0.0.255
  policy destination 192.168.10.0 0.0.0.255
#
# Permits everything from trust toward untrust (no source/destination/service match).
policy interzone trust untrust outbound
 policy 1 
  action permit 
#
# Order matters: policies are matched in sequence. Policy 1 exempts the VPN flow (same
# addresses as acl 3000) from NAT so its source still matches the IPsec ACL; policy 2
# then applies easy-ip source NAT on the WAN interface to all remaining trust->untrust
# traffic. If policy 2 came first, the VPN flow would be NATed and never enter the tunnel.
nat-policy interzone trust untrust outbound 
 policy 1 
  action no-nat 
  policy source 192.168.10.0 0.0.0.255
  policy destination 192.168.20.0 0.0.0.255

 policy 2 
  action source-nat 
  easy-ip GigabitEthernet0/0/1
#
return
#-----END----#

USGB

# CLI_VERSION=V300R001

# Last configuration was changed at 2020/02/16 19:31:06 from console0 
#*****BEGIN****public****#
#
# Simulator-generated STP region; not part of the IPsec lab and not security-relevant.
stp region-configuration
 region-name e81582044529
 active region-configuration
#
# Mirror of USGA's ACL: interesting traffic is local LAN 192.168.20.0/24 -> remote LAN
# 192.168.10.0/24. Both ACLs must mirror each other exactly or phase-2 negotiation fails.
acl number 3000
 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 
#
# IKE phase-1 proposal, identical to USGA's (it must be, for negotiation to succeed):
# dh group2 (1024-bit MODP, weak by today's standards), aes-xcbc-96 integrity, and the
# platform-default encryption algorithm since none is set -- check `display ike proposal`.
ike proposal 1
 dh group2
 integrity-algorithm aes-xcbc-96
#
# IKE peer = USGA's WAN address (11.0.0.2). Pre-shared key in reversible Huawei cipher
# form; the plaintext must equal the one on USGA. Treat this dump as sensitive.
ike peer usg-a
 pre-shared-key %$%$wrRP5B#K*!awqz<^I].Hp_VM%$%$
 ike-proposal 1
 remote-address 11.0.0.2
#
# Phase-2 proposal: ESP, SHA-1 integrity, AES encryption; key length and encapsulation
# mode are platform defaults here (page title states tunnel mode).
ipsec proposal test
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
# ISAKMP policy binding acl 3000, peer usg-a and proposal "test". No `pfs` configured.
ipsec policy map 1 isakmp
 security acl 3000
 ike-peer usg-a
 proposal test
#
# On USGB the roles are swapped relative to USGA: GE0/0/0 (alias GE0/MGMT, i.e. the
# port the platform labels as management) is the WAN side toward AR1 (12.0.0.2/24) and
# carries the IPsec policy group; it is placed in zone untrust below.
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 12.0.0.2 255.255.255.0 
 ipsec policy map
#
# GE0/0/1 is the LAN side, 192.168.20.1/24, zone trust.
interface GigabitEthernet0/0/1
 ip address 192.168.20.1 255.255.255.0 
#
# GE0/0/2-8 are unused and belong to no zone.
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
# Zone priorities: local 100 > trust 85 > dmz 50 > untrust 5. Note the interface
# assignment is the reverse of USGA: GE0/0/1 is trust, GE0/0/0 is untrust.
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
# dmz has no member interface in this lab.
firewall zone dmz
 set priority 50
#
# Local admin account at privilege level 15 with web, terminal and telnet service types.
# Telnet is cleartext and the password is stored in reversible cipher form -- lab only.
aaa 
 local-user admin password cipher %$%$Q*:(3R]KUD>SWQ,h{V,0p/&z%$%$
 local-user admin service-type web terminal telnet 
 local-user admin level 15 
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default 
 #
 domain default
 #
#
nqa-jitter tag-version 1

#
# Default route toward AR1 via 12.0.0.1; carries the ESP traffic to the peer.
 ip route-static 0.0.0.0 0.0.0.0 12.0.0.1 
#
 banner enable 
#
# NOTE(review): same weakness as on USGA -- console and VTY 0-4 have
# `authentication-mode none` and the VTYs accept every inbound protocol, so the LAN
# (local<-trust is default-permitted below) and the peer 11.0.0.2 (explicitly
# permitted) can open an unauthenticated CLI session. Lab-only setting.
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname USGB
#
 l2tp domain suffix-separator @
#
# Default interzone filters: local<->trust both ways and local->untrust/dmz outbound
# permitted; untrust->local inbound is governed only by the explicit policy below.
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check 
 firewall ipv6 statistic system enable
#
 dns resolve  
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy  
#
 license-server domain lic.huawei.com
#
# Web management is on and reachable from the LAN via the local<-trust default permit.
 web-manager enable
#
# Lets the IPsec peer (11.0.0.2) reach this firewall's WAN address for ANY service;
# least privilege would restrict it to IKE (UDP 500/4500) and ESP.
policy interzone local untrust inbound
 policy 1 
  action permit 
  policy source 11.0.0.2 0
  policy destination 12.0.0.2 0
#
# Admits decrypted traffic from the remote LAN (192.168.10.0/24) into the local LAN, any service.
policy interzone trust untrust inbound
 policy 1 
  action permit 
  policy source 192.168.10.0 0.0.0.255
  policy destination 192.168.20.0 0.0.0.255
#
# Permits everything from trust toward untrust.
policy interzone trust untrust outbound
 policy 1 
  action permit 
#
# Policies are matched in sequence: policy 1 exempts the VPN flow (same addresses as
# acl 3000) from NAT so it still matches the IPsec ACL; policy 2 applies easy-ip source
# NAT on the WAN interface (GE0/0/0 here) to everything else. Keep policy 1 first.
nat-policy interzone trust untrust outbound 
 policy 1 
  action no-nat 
  policy source 192.168.20.0 0.0.0.255
  policy destination 192.168.10.0 0.0.0.255

 policy 2 
  action source-nat 
  easy-ip GigabitEthernet0/0/0
#
return
#-----END----#

AR1


[V200R003C00]
#
# The SNMP agent is enabled, but only the engine ID is visible in this dump; no
# community or SNMPv3 user appears here -- confirm what the agent actually answers
# before exposing it beyond the simulator.
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
# Default AR template settings below (captive-portal page, MAC alarm, CPU threshold);
# none of them take part in the IPsec lab.
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
# Local admin with service-type http only; password stored in reversible cipher form.
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
# AR default local zone; no interface-zone policy is configured on this router.
firewall zone Local
 priority 15
#
# Ethernet0/0/0-7 are unused.
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
# AR1 is the transit router between the two firewalls: GE0/0/0 faces USGA (11.0.0.0/24),
# GE0/0/1 faces USGB (12.0.0.0/24). It only ever sees the ESP-encapsulated packets
# between 11.0.0.2 and 12.0.0.2, never the LAN-to-LAN plaintext.
interface GigabitEthernet0/0/0
 ip address 11.0.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 12.0.0.1 255.255.255.0 
#
interface NULL0
#
# Static routes to both LANs. They are not needed for the encrypted flow (which is
# routed on the 11.0.0.2/12.0.0.2 outer addresses), but they would carry any
# 192.168.x.x packet that left a USG in cleartext, so LAN-to-LAN reachability alone
# does not prove the tunnel is up -- verify with `display ipsec sa` on the USGs.
ip route-static 192.168.10.0 255.255.255.0 11.0.0.2
ip route-static 192.168.20.0 255.255.255.0 12.0.0.2
#
# Console uses password authentication, but no password setting appears in this dump;
# VTY 0-4 and 16-20 show no authentication-mode at all, so their login behaviour is
# whatever the platform defaults to -- confirm before exposing this router.
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return