
H3C-××× configuration

py3study
Published 2020-01-10 11:29:05
This article is included in the column: python3


Topology diagram

  1. Configure the IP addresses

         <R1>system-view
         [R1]interface e0/1
         [R1-Ethernet0/1]ip address 192.168.100.254 255.255.255.0
         [R1]interface e0/0
         [R1-Ethernet0/0]ip address 192.168.13.1 255.255.255.0

         <R2>system-view
         [R2]interface e0/1
         [R2-Ethernet0/1]ip address 192.168.200.254 255.255.255.0
         [R2]interface e0/0
         [R2-Ethernet0/0]ip address 192.168.23.2 255.255.255.0

         <R3>system-view
         [R3]interface e0/0
         [R3-Ethernet0/0]ip address 192.168.13.3 255.255.255.0
         [R3]interface e0/1
         [R3-Ethernet0/1]ip address 192.168.23.3 255.255.255.0

PC1 settings

PC2 settings

  1. Configure the tunnel in manual mode

         [R1]acl 3000
         [R1-acl-3000]rule permit ip source 192.168.100.1 0.0.0.255 destination 192.168.200.2 0.0.0.255
         [R1-acl-3000]rule deny ip source any destination any
         [R1-acl-3000]quit
         // Create the access rule

         [R1]ipsec proposal trans1
         [R1-ipsec-proposal-trans1]encapsulation-mode tunnel
         [R1-ipsec-proposal-trans1]transform esp-new
         [R1-ipsec-proposal-trans1]esp-new authentication md5-hmac-96
         [R1-ipsec-proposal-trans1]esp-new encryption-algorithm des
         [R1-ipsec-proposal-trans1]quit
         // Create the proposal and set its encryption and authentication methods

         [R1]ipsec policy p1 100 manual
         [R1-ipsec-policy-p1-100]security acl 3000
         [R1-ipsec-policy-p1-100]proposal trans1
         [R1-ipsec-policy-p1-100]tunnel local 192.168.13.1
         [R1-ipsec-policy-p1-100]tunnel remote 192.168.23.2
         [R1-ipsec-policy-p1-100]sa inbound esp spi 123456
         [R1-ipsec-policy-p1-100]sa inbound esp string-key asdf
         [R1-ipsec-policy-p1-100]sa outbound esp spi 654321
         [R1-ipsec-policy-p1-100]sa outbound esp string-key fdsa
         [R1-ipsec-policy-p1-100]quit
         // Create the policy, which contains the proposal above; this policy will be applied to the tunnel.
         // Note that the policies on the routers at the two ends of the tunnel must mirror each other:
         // R1's tunnel local address is R2's tunnel remote, and R1's inbound is R2's outbound.

         [R1]interface e0/0
         [R1-Ethernet0/0]ipsec policy p1
         // Apply the policy on the outgoing interface

         [R2]acl 3001
         [R2-acl-3001]rule permit ip source 192.168.200.2 0.0.0.255 destination 192.168.100.1 0.0.0.255
         [R2-acl-3001]rule deny ip source any destination any
         [R2-acl-3001]quit
         // Create the access rule

         [R2]ipsec proposal trans2
         [R2-ipsec-proposal-trans2]encapsulation-mode tunnel
         [R2-ipsec-proposal-trans2]transform esp-new
         [R2-ipsec-proposal-trans2]esp-new authentication md5-hmac-96
         [R2-ipsec-proposal-trans2]esp-new encryption-algorithm des
         [R2-ipsec-proposal-trans2]quit
         // Create the proposal and set its encryption and authentication methods

         [R2]ipsec policy p2 200 manual
         [R2-ipsec-policy-p2-200]security acl 3001
         [R2-ipsec-policy-p2-200]proposal trans2
         [R2-ipsec-policy-p2-200]tunnel local 192.168.23.2
         [R2-ipsec-policy-p2-200]tunnel remote 192.168.13.1
         [R2-ipsec-policy-p2-200]sa inbound esp spi 654321
         [R2-ipsec-policy-p2-200]sa inbound esp string-key fdsa
         [R2-ipsec-policy-p2-200]sa outbound esp spi 123456
         [R2-ipsec-policy-p2-200]sa outbound esp string-key asdf
         [R2-ipsec-policy-p2-200]quit

         [R2]interface e0/0
         [R2-Ethernet0/0]ipsec policy p2

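  2. Add a default route on the router at each end of the tunnel so that internal addresses can reach external networks.

         ip route-static 0.0.0.0 0.0.0.0 192.168.13.3 preference 60   // default route on R1
         ip route-static 0.0.0.0 0.0.0.0 192.168.23.3 preference 60   // default route on R2
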
  3. Check the tunnel status and the connectivity between PC1 and PC2.

         ipsec policy name: p1
         ipsec policy sequence: 100
         negotiation mode: manual
         security acl: 3000
         local address: 192.168.13.1
         remote address: 192.168.23.2
         proposal name: trans1
         esp(inbound) setting:
           esp spi: 654321 (0x9fbf1)
           esp string-key: fdsa
           esp encryption-hex:
           esp authen-hex:
         esp(outbound) setting:
           esp spi: 123456 (0x1e240)
           esp string-key: asdf
           esp encryption-hex:
           esp authen-hex:
         OutBound SA has been established.
         InBound SA has been established.
         // Tunnel status on router R1

         ipsec policy name: p2
         ipsec policy sequence: 200
         negotiation mode: manual
         security acl: 3001
         local address: 192.168.23.2
         remote address: 192.168.13.1
         proposal name: trans2
         esp(inbound) setting:
           esp spi: 123456 (0x1e240)
           esp string-key: asdf
           esp encryption-hex:
           esp authen-hex:
         esp(outbound) setting:
           esp spi: 654321 (0x9fbf1)
           esp string-key: fdsa
           esp encryption-hex:
           esp authen-hex:
         OutBound SA has been established.
         InBound SA has been established.
         // Tunnel status on router R2

         // Ping PC2 from PC1
         正在 Ping 192.168.200.2 具有 32 字节的数据:
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254

  4. Configure the tunnel in automatic mode.

         [R1]ipsec policy p3 300 isakmp
         [R1-ipsec-policy-p3-300]security acl 3000
         [R1-ipsec-policy-p3-300]proposal trans1
         [R1-ipsec-policy-p3-300]tunnel local 192.168.13.1
         [R1-ipsec-policy-p3-300]tunnel remote 192.168.23.2
         [R1-ipsec-policy-p3-300]quit
         [R1]ike pre-shared-key 12345 remote 192.168.23.2
         [R1]interface e0/0
         [R1-Ethernet0/0]ipsec policy p3
         // The proposal is the same as in manual mode; the policy is changed to automatic (isakmp) mode,
         // and the pre-shared key must be identical at both ends of the tunnel.

         [R2]ipsec policy p4 400 isakmp
         [R2-ipsec-policy-p4-400]security acl 3001
         [R2-ipsec-policy-p4-400]proposal trans2
         [R2-ipsec-policy-p4-400]tunnel local 192.168.23.2
         [R2-ipsec-policy-p4-400]tunnel remote 192.168.13.1
         [R2-ipsec-policy-p4-400]quit
         [R2]ike pre-shared-key 12345 remote 192.168.13.1
         [R2]interface e0/0
         [R2-Ethernet0/0]ipsec policy p4

  5. Tunnel status and the connectivity between PC1 and PC2.

         ipsec policy name: p3
         ipsec policy sequence: 300
         negotiation mode: isakmp
         security acl: 3000
         remote address 0: 192.168.23.2
         Proposal name: trans1
         ipsec sa duration: 3600 seconds
         ipsec sa duration: 1843200 kilobytes
         OutBound SA has been established.
         InBound SA has been established.
         // Tunnel status on router R1

         ipsec policy name: p4
         ipsec policy sequence: 400
         negotiation mode: isakmp
         security acl: 3001
         remote address 0:192.168.13.1
         Proposal name: trans2
         ipsec sa duration: 3600 seconds
         ipsec sa duration: 1843200 kilobytes
         OutBound SA has been established.
         InBound SA has been established.
         // Tunnel status on router R2

         正在 Ping 192.168.200.2 具有 32 字节的数据:
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=9ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         来自 192.168.200.2 的回复: 字节=32 时间=3ms TTL=254
         // Ping from PC1 to PC2

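The manual-tunnel step requires the two routers' policies to mirror each other (tunnel local/remote, inbound/outbound SPI and key), and the automatic-tunnel step requires the same pre-shared key at both ends. The following is an added example, not part of the original article, that checks both rules mechanically; `parse` and `mirror_errors` are hypothetical helper names, and the sample input is constructed from the commands shown in the steps above.

```python
import re

# Constructed sample input: policy lines taken from the article's R1/R2 steps.
R1 = """[R1-ipsec-policy-p1-100]tunnel local 192.168.13.1
[R1-ipsec-policy-p1-100]tunnel remote 192.168.23.2
[R1-ipsec-policy-p1-100]sa inbound esp spi 123456
[R1-ipsec-policy-p1-100]sa inbound esp string-key asdf
[R1-ipsec-policy-p1-100]sa outbound esp spi 654321
[R1-ipsec-policy-p1-100]sa outbound esp string-key fdsa
[R1]ike pre-shared-key 12345 remote 192.168.23.2"""
R2 = """[R2-ipsec-policy-p2-200]tunnel local 192.168.23.2
[R2-ipsec-policy-p2-200]tunnel remote 192.168.13.1
[R2-ipsec-policy-p2-200]sa inbound esp spi 654321
[R2-ipsec-policy-p2-200]sa inbound esp string-key fdsa
[R2-ipsec-policy-p2-200]sa outbound esp spi 123456
[R2-ipsec-policy-p2-200]sa outbound esp string-key asdf
[R2]ike pre-shared-key 12345 remote 192.168.13.1"""

def parse(cfg):
    """Collect tunnel endpoints, per-direction SA values and the IKE key/peer."""
    out = {}
    for line in cfg.splitlines():
        line = re.sub(r"^\[[^\]]*\]", "", line.strip()).strip()  # drop CLI prompt
        if m := re.fullmatch(r"tunnel (local|remote) (\S+)", line):
            out[m[1]] = m[2]
        elif m := re.fullmatch(r"sa (inbound|outbound) esp (spi|string-key) (\S+)", line):
            out[m[1], m[2]] = m[3]
        elif m := re.fullmatch(r"ike pre-shared-key (\S+) remote (\S+)", line):
            out["psk"], out["peer"] = m[1], m[2]
    return out

def mirror_errors(a, b):
    """List every field where b is not the mirror image of a (hypothetical helper)."""
    errs = []
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        if a.get(mine) != b.get(theirs):
            errs.append(f"tunnel {mine} != peer tunnel {theirs}")
    for d, o in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in ("spi", "string-key"):
            if a.get((d, field)) != b.get((o, field)):
                errs.append(f"sa {d} {field} != peer sa {o} {field}")
    if a.get("psk") != b.get("psk"):
        errs.append("ike pre-shared-key differs between the two ends")
    if a.get("peer") != b.get("local") or b.get("peer") != a.get("local"):
        errs.append("ike remote is not the peer's tunnel local")
    return errs

if __name__ == "__main__":
    print(mirror_errors(parse(R1), parse(R2)) or "R1 and R2 mirror each other")
```

An empty list means the two ends agree; each string in a non-empty list names the field that would keep the SAs from matching.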
Originally published: 2019/08/17
