Huawei firewall tunnel-based IPsec

ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer b //name of the IPsec peer
undo version 2
pre-shared-key cisco123
ike-proposal 5 //references the IKE proposal above
#
ipsec profile profile2 //binds the IKE peer to the IPsec proposal
ike-peer b
proposal tran1

interface Tunnel10
ip address 169.254.10.1 255.255.255.0 //tunnel interface address
tunnel-protocol ipsec //tunnel type
source 223.1.1.2 //local public IP used to build the IPsec tunnel
destination 222.1.1.2 //peer public IP used to build the IPsec tunnel
alias Tunnel10
service-manage ping permit
ipsec profile profile2 //bind the IPsec profile to the tunnel interface

## The tunnel interface must be assigned to a security zone
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Tunnel10

Permit traffic in the security policy according to the actual requirements.

ip route-static 0.0.0.0 0.0.0.0 223.1.1.1
ip route-static 169.254.10.2 255.255.255.255 Tunnel10 //static route with the tunnel as next hop
ip route-static 192.168.99.0 255.255.255.0 Tunnel10

Cisco-side configuration

Cisco router configuration

crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key cisco123 address 223.1.1.2
!
!
crypto ipsec transform-set ipsectran esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto ipsec profile ipsecprofile
set transform-set ipsectran

interface Tunnel10
ip address 169.254.10.2 255.255.255.0
tunnel source 222.1.1.2
tunnel mode ipsec ipv4
tunnel destination 223.1.1.2
tunnel protection ipsec profile ipsecprofile

ip route 169.254.10.1 255.255.255.255 Tunnel10
ip route 192.168.98.0 255.255.255.0 Tunnel10
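To confirm that the two ends above agree before the tunnel is brought up, here is an added Python checker (not part of the original post, and not Huawei or Cisco tooling) that embeds the relevant lines of both configs as constructed sample input and reports any phase-1, phase-2, pre-shared-key, peer-address or tunnel-subnet mismatch. The field names and the regex patterns are the checker's own assumptions about the two CLI syntaxes shown on this page.

```python
import ipaddress, re
# Constructed excerpts of the two configs above: comments dropped, only lines the checker reads.
HUAWEI = """encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
pre-shared-key cisco123
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ip address 169.254.10.1 255.255.255.0
source 223.1.1.2
destination 222.1.1.2"""
CISCO = """encr aes 256
hash sha256
group 14
crypto isakmp key cisco123 address 223.1.1.2
crypto ipsec transform-set ipsectran esp-aes 256 esp-sha256-hmac
ip address 169.254.10.2 255.255.255.0
tunnel source 222.1.1.2
tunnel destination 223.1.1.2"""
# (key, Huawei USG pattern, Cisco IOS pattern); capture groups are joined with "-"
FIELDS = [
    ("ike_enc", r"^encryption-algorithm (\S+)", r"^encr (\S+) (\d+)"),
    ("ike_hash", r"^authentication-algorithm (\S+)", r"^hash (\S+)"),
    ("dh", r"^dh group(\d+)", r"^group (\d+)"),
    ("esp_enc", r"^esp encryption-algorithm (\S+)", r"transform-set \S+ esp-(\S+) (\d+)"),
    ("esp_hash", r"^esp authentication-algorithm (\S+)", r"transform-set .*esp-(\S+)-hmac"),
    ("psk", r"^pre-shared-key (\S+)", r"^crypto isakmp key (\S+) address"),
    ("psk_peer", r"^source (\S+)", r"^crypto isakmp key \S+ address (\S+)"),  # key bound to Huawei WAN IP
    ("local", r"^source (\S+)", r"^tunnel source (\S+)"),
    ("remote", r"^destination (\S+)", r"^tunnel destination (\S+)"),
    ("tun_ip", r"^ip address (\S+) (\S+)", r"^ip address (\S+) (\S+)"),
]
HASH = {"sha256": "sha2-256"}  # Cisco keyword -> Huawei keyword

def parse(text, vendor):  # vendor is "huawei" or "cisco"
    col, out = (0 if vendor == "huawei" else 1), {}
    for key, *pats in FIELDS:
        m = re.search(pats[col], text, re.M)
        out[key] = ("/" if key == "tun_ip" else "-").join(HASH.get(g, g) for g in m.groups()) if m else None
    return out

def check(h, c):
    """Return mismatch descriptions; an empty list means the two ends agree."""
    keys = ("ike_enc", "ike_hash", "dh", "esp_enc", "esp_hash", "psk", "psk_peer")
    issues = [f"{k}: huawei={h[k]} cisco={c[k]}" for k in keys if h[k] != c[k]]
    if (h["local"], h["remote"]) != (c["remote"], c["local"]):
        issues.append("tunnel source/destination are not mirrored")
    if ipaddress.ip_network(h["tun_ip"], strict=False) != ipaddress.ip_network(c["tun_ip"], strict=False):
        issues.append("tunnel interface addresses are not in one subnet")
    return issues
```

Run `check(parse(HUAWEI, "huawei"), parse(CISCO, "cisco"))`; an empty list means the two configs on this page agree, and any returned string names the parameter that would stop the SA from coming up.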


A BGP configuration example