IPsec Lab Demonstration (Huawei Router Configuration) (H3C router IPsec configuration)

Contributed by a reader · 1401 views · 2022-09-15

1. Introduction to IPsec

IPsec (Internet Protocol Security) is a set of protocols and services that provide security for IP networks, and it is one of the technologies commonly used to build a VPN (Virtual Private Network). Because IP itself has no built-in security features, IP packets travelling over a public network such as the Internet can be forged, intercepted or tampered with. The two communicating parties establish an IPsec tunnel between them, and IP packets are encrypted and carried through that tunnel, which protects the data while it crosses an untrusted network such as the Internet.

2. Lab Objective

Use IPsec so that the data transmitted between PC1 and PC2 is encrypted in transit.

3. Lab Topology

(The topology diagram is not reproduced here. From the configuration below: PC1 sits on 192.168.10.0/24 behind R1; R1 G0/0/1 100.1.1.1/30 connects to ISP G0/0/0 100.1.1.2/30; ISP G0/0/1 200.1.1.2/30 connects to R2 G0/0/1 200.1.1.1/30; PC2 sits on 192.168.20.0/24 behind R2.)

4. Lab Configuration

(1) Configure router R1

sy
[Huawei]sy R1
[R1]un in en
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.10.254 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 30
[R1-GigabitEthernet0/0/1]q
[R1]ip route-static 0.0.0.0 0 100.1.1.2
# Add a default static route pointing to the ISP
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000
[R1-GigabitEthernet0/0/1]q
[R1]acl 3000
[R1-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Advanced ACL: the traffic to be protected by IPsec (PC1's subnet to PC2's subnet)
[R1]ipsec proposal 1
# Create an IPsec proposal named 1
[R1-ipsec-proposal-1]esp authentication-algorithm md5
# ESP authentication algorithm: MD5
[R1-ipsec-proposal-1]esp encryption-algorithm des
# ESP encryption algorithm: DES. MD5 and DES are lab-only choices; outside a lab use SHA-2 and AES, and IKE-negotiated keys instead of a static string-key
[R1-ipsec-proposal-1]q
[R1]display ipsec proposal
[R1]ipsec policy 1 10 manual
[R1-ipsec-policy-manual-1-10]security acl 3000
[R1-ipsec-policy-manual-1-10]proposal 1
[R1-ipsec-policy-manual-1-10]tunnel local 100.1.1.1
[R1-ipsec-policy-manual-1-10]tunnel remote 200.1.1.1
# Corrected: the original post had R1's local and remote addresses reversed (copied from R2). tunnel local must be R1's own G0/0/1 address, tunnel remote the peer's
[R1-ipsec-policy-manual-1-10]sa spi inbound esp 12345
[R1-ipsec-policy-manual-1-10]sa string-key inbound esp cipher 123
[R1-ipsec-policy-manual-1-10]sa spi outbound esp 54321
[R1-ipsec-policy-manual-1-10]sa string-key outbound esp cipher 123
[R1-ipsec-policy-manual-1-10]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ipsec policy 1
# Apply IPsec policy 1 to the interface
[R1-GigabitEthernet0/0/1]q
# On the outbound interface NAT runs before IPsec, so traffic matching ACL 2000 would be translated and never match ACL 3000. Replace the NAT ACL with one that excludes the VPN traffic
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]undo nat outbound 2000
[R1-GigabitEthernet0/0/1]q
[R1]undo acl 2000
[R1]acl 3001
[R1-acl-adv-3001]rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Corrected: the original post had the source and destination subnets the wrong way round on R1 (copied from R2), so PC1's traffic to PC2 would still have been NATed
[R1-acl-adv-3001]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 3001
[R1-GigabitEthernet0/0/1]q
[R1]acl 3001
[R1-acl-adv-3001]rule 20 permit ip
[R1-acl-adv-3001]q

(2) Configure router R2

sy
[Huawei]sy R2
[R2]un in en
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.20.254 24
[R2-GigabitEthernet0/0/0]int g0/0/1
# Corrected: the original post typed "int g0/0/01", which is not a valid interface name
[R2-GigabitEthernet0/0/1]ip add 200.1.1.1 30
[R2-GigabitEthernet0/0/1]q
[R2]ip route-static 0.0.0.0 0 200.1.1.2
# Add a default static route pointing to the ISP
[R2]acl 2000
[R2-acl-basic-2000]rule 10 permit source 192.168.20.0 0.0.0.255
[R2-acl-basic-2000]int g0/0/1
[R2-GigabitEthernet0/0/1]nat outbound 2000
[R2-GigabitEthernet0/0/1]q
[R2]acl 3000
[R2-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
# Advanced ACL: the traffic to be protected by IPsec (PC2's subnet to PC1's subnet, the mirror of R1's ACL 3000)
[R2]ipsec proposal 1
# Create an IPsec proposal named 1
[R2-ipsec-proposal-1]esp authentication-algorithm md5
# ESP authentication algorithm: MD5
[R2-ipsec-proposal-1]esp encryption-algorithm des
# ESP encryption algorithm: DES (the same proposal as on R1; both ends must agree)
[R2-ipsec-proposal-1]q
[R2]ipsec policy 1 10 manual
[R2-ipsec-policy-manual-1-10]security acl 3000
[R2-ipsec-policy-manual-1-10]proposal 1
[R2-ipsec-policy-manual-1-10]tunnel local 200.1.1.1
[R2-ipsec-policy-manual-1-10]tunnel remote 100.1.1.1
[R2-ipsec-policy-manual-1-10]sa spi inbound esp 54321
[R2-ipsec-policy-manual-1-10]sa string-key inbound esp cipher 123
[R2-ipsec-policy-manual-1-10]sa spi outbound esp 12345
[R2-ipsec-policy-manual-1-10]sa string-key outbound esp cipher 123
# Corrected: the original post gave R2 the same inbound/outbound SPIs as R1. With manual keying, each side's inbound SPI and key must equal the peer's outbound SPI and key, so R2 receives on 54321 and sends on 12345
[R2-ipsec-policy-manual-1-10]q
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ipsec policy 1
# Apply IPsec policy 1 to the interface
[R2-GigabitEthernet0/0/1]q
# As on R1, exclude the VPN traffic from NAT so it reaches the IPsec policy untranslated
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]undo nat outbound 2000
[R2-GigabitEthernet0/0/1]q
[R2]undo acl 2000
[R2]acl 3001
[R2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[R2-acl-adv-3001]q
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat outbound 3001
[R2-GigabitEthernet0/0/1]q
[R2]acl 3001
[R2-acl-adv-3001]rule 20 permit ip
[R2-acl-adv-3001]q
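With manual keying there is no IKE to negotiate parameters, so the two policy views must be exact mirrors of each other or ESP packets are silently dropped. As an added example (not part of the original post), this small Python checker parses the two manual IPsec policy views and reports the mismatches that break such a tunnel: endpoints not mirrored, an inbound SPI that does not equal the peer's outbound SPI, and keys that differ per direction. The sample policy text is constructed from this lab's addresses and SPIs, written as a mirrored R1/R2 pair; parse_policy and check_peers are hypothetical helper names.

```python
import re
# Constructed sample: the manual IPsec policy views of R1 and R2 from this lab,
# written as a mirrored pair (R1 = 100.1.1.1, R2 = 200.1.1.1).
R1_POLICY = """\
tunnel local 100.1.1.1
tunnel remote 200.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher 123
sa spi outbound esp 54321
sa string-key outbound esp cipher 123
"""
R2_POLICY = """\
tunnel local 200.1.1.1
tunnel remote 100.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher 123
sa spi outbound esp 12345
sa string-key outbound esp cipher 123
"""

PATTERNS = (
    ("", re.compile(r"tunnel (local|remote) (\S+)")),
    ("spi_", re.compile(r"sa spi (inbound|outbound) esp (\d+)")),
    ("key_", re.compile(r"sa string-key (inbound|outbound) esp cipher (\S+)")),
)

def parse_policy(text):
    """Extract tunnel endpoints and per-direction ESP SPI/key from a policy view."""
    policy = {}
    for line in text.splitlines():
        line = line.strip().split("]")[-1]  # tolerate a leading "[R1-ipsec-policy-...]" prompt
        for prefix, pat in PATTERNS:
            m = pat.match(line)
            if m:
                policy[prefix + m.group(1)] = m.group(2)
    return policy

def check_peers(a, b):
    """Return the mismatches between two manual-keyed peers; [] means consistent."""
    problems = []
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        problems.append("tunnel local/remote addresses are not mirrored")
    # The SPI in each ESP packet selects the receiver's inbound SA, so one
    # side's outbound SPI and key must equal the other side's inbound ones.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.get("spi_" + mine) != b.get("spi_" + theirs):
            problems.append(f"{mine} SPI {a.get('spi_' + mine)} != peer {theirs} SPI {b.get('spi_' + theirs)}")
        if a.get("key_" + mine) != b.get("key_" + theirs):
            problems.append(f"{mine} key differs from peer {theirs} key")
    return problems
```

Running check_peers on the mirrored pair returns an empty list, while pasting the same policy view onto both routers (a common copy-and-paste mistake) reports the unmirrored endpoints and both SPI mismatches.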

(3) Configure the ISP router

sy
[Huawei]sy ISP
[ISP]un in en
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 100.1.1.2 30
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 200.1.1.2 30
[ISP-GigabitEthernet0/0/1]q
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 2.2.2.2 32
# Create a loopback interface to simulate the Internet

(4) Verification

Ping PC2 from PC1.

Capture the packets and inspect them. On either router, display ipsec sa lists the manual SAs together with their SPIs.

The ping succeeds, and the capture shows that the traffic has been encrypted; the experiment succeeds.

