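Lab requirements
- Configure the IPsec VPN using automatic (IKE) negotiation
- Both Internet access and the VPN must work at the same time
- Use NAT for address translation
- Choose the authentication method and encryption algorithm yourself, using secure options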
Lab configuration
R1:
```
# Basic configuration
sy
sy R1
dhcp enable
# acl 3001 (NAT): exclude traffic to the remote site, translate everything else
acl 3001
 rule 1 deny ip des 192.168.3.0 0.0.0.255
 rule 2 permit ip
inter g0/0/0
 ip ad 192.168.1.254 24
 dhcp select inter
inter g0/0/1
 nat outbound 3001
 ip ad 12.1.1.1 24
ip route-s 0.0.0.0 0 12.1.1.2
# VPN configuration
sy
# acl 3000: traffic between the two sites that IPsec must protect
acl 3000
 rule 1 permit ip source 192.168.1.0 0.0.0.255 des 192.168.3.0 0.0.0.255
ipsec proposal To-shanghai
 esp auth sha2-256
 esp encry aes-256
# md5 and dh group2 are weak; prefer a stronger hash and DH group where the device supports them
ike proposal 1
 authentication-algorithm md5
 encry aes-cbc-256
 dh group2
# "huawei" is a lab key; both peers must be configured with the same value
ike peer shanghai v1
 exchange-mode main
 pre-shared-key cipher huawei
 ike-proposal 1
 local-address 12.1.1.1
 remote-address 23.1.1.3
ipsec policy beijing-VPN 1 isakmp
 security acl 3000
 proposal To-shanghai
 ike-peer shanghai
inter g0/0/1
 ipsec policy beijing-VPN
```
R2:
```
sy
sy ISP
inter g0/0/0
 ip ad 12.1.1.2 24
inter g0/0/1
 ip ad 23.1.1.2 24
inter loop 0
 ip add 2.2.2.2 32
q
```
R3:
```
# Basic configuration
sy
sy R3
dhcp enable
# acl 3001 (NAT): exclude traffic to the remote site, translate everything else
acl 3001
 rule 1 deny ip des 192.168.1.0 0.0.0.255
 rule 2 permit ip
inter g0/0/0
 ip ad 192.168.3.254 24
 dhcp select inter
inter g0/0/1
 nat outbound 3001
 ip ad 23.1.1.3 24
ip route-s 0.0.0.0 0 23.1.1.2
# VPN configuration
sy
# acl 3000: mirror image of R1's acl 3000
acl 3000
 rule 1 permit ip source 192.168.3.0 0.0.0.255 des 192.168.1.0 0.0.0.255
ipsec proposal To-beijing
 esp auth sha2-256
 esp encry aes-256
# Must match R1's ike proposal; md5 and dh group2 are weak choices
ike proposal 1
 authentication-algorithm md5
 encry aes-cbc-256
 dh group2
ike peer beijing v1
 exchange-mode main
 pre-shared-key cipher huawei
 ike-proposal 1
 local-address 23.1.1.3
 remote-address 12.1.1.1
ipsec policy shanghai-VPN 1 isakmp
 security acl 3000
 proposal To-beijing
 ike-peer beijing
inter g0/0/1
 ipsec policy shanghai-VPN
```
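The following check is an added example, not part of the original post. It parses R1's ACLs and IKE proposal (constructed sample text using full keywords rather than the abbreviations above) and verifies the lab requirements: site-to-site traffic matches acl 3000 and is kept out of NAT by acl 3001, Internet traffic is translated, and IKE parameters on this example's own `WEAK` list are reported. The function names, the `WEAK` list and the test host addresses are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample: R1's ACLs and IKE proposal from this lab, written with full keywords.
R1_CONFIG = """\
acl 3001
 rule 1 deny ip destination 192.168.3.0 0.0.0.255
 rule 2 permit ip
acl 3000
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ike proposal 1
 authentication-algorithm md5
 encryption-algorithm aes-cbc-256
 dh group2
"""
# Assumption of this example: values treated as too weak for a new deployment.
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5"}

def parse_acls(text):
    """Return {acl: [(rule_id, action, {field: network})]}; wildcards parse as host masks."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"acl (\d+)", line):
            current = acls.setdefault(m.group(1), [])
        elif (m := re.match(r" +rule (\d+) (permit|deny) ip(.*)", line)) and current is not None:
            match = {k: ipaddress.ip_network(f"{a}/{w}")
                     for k, a, w in re.findall(r"(source|destination) (\S+) (\S+)", m.group(3))}
            current.append((int(m.group(1)), m.group(2), match))
        elif not line.startswith(" "):
            current = None
    return {n: sorted(r, key=lambda x: x[0]) for n, r in acls.items()}

def acl_action(rules, src, dst):
    pkt = {"source": ipaddress.ip_address(src), "destination": ipaddress.ip_address(dst)}
    for _, action, match in rules:  # rules are evaluated in rule-id order, first match wins
        if all(pkt[k] in net for k, net in match.items()):
            return action
    return "deny"  # no rule matched: traffic is not selected

def audit(text, lan_host="192.168.1.10", peer_host="192.168.3.10", internet="2.2.2.2"):
    acls = parse_acls(text)
    checks = [("3000", peer_host, "permit", "site-to-site traffic is not selected for IPsec"),
              ("3001", peer_host, "deny", "site-to-site traffic would be NATed before IPsec"),
              ("3001", internet, "permit", "Internet traffic is not NATed")]
    findings = [msg for acl, dst, want, msg in checks
                if acl_action(acls.get(acl, []), lan_host, dst) != want]
    findings += [f"weak IKE parameter: {v}" for v in re.findall(
        r"^ +(?:authentication-algorithm|encryption-algorithm|dh) (\S+)", text, re.M) if v in WEAK]
    return findings
```

Calling `audit(R1_CONFIG)` reports only the two weak IKE parameters; removing rule 1 from acl 3001 additionally reports that site-to-site traffic would be NATed.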
Author:DC