IPsec VPN configuration example between H3C and Cisco devices

Posted by galdys on 2011-08-11
Cisco device (PIX/ASA/router): outside interface IP 1.1.1.1, internal server 192.168.1.1
H3C SecPath: outside interface IP 2.2.2.2, internal server 192.168.2.2
Goal: allow the two internal servers to communicate with each other through an IPsec VPN.

Cisco configuration:

# Step 1 (IKE phase 1 policy)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


# Step 2 (IPsec phase 2: transform set, crypto map and peer)
# esp-3des: the ESP algorithms must match the H3C side (esp encryption-algorithm 3des / esp authentication-algorithm sha1)
crypto ipsec transform-set Myset esp-3des esp-sha-hmac
crypto map Myvpn 1 match address VPN
crypto map Myvpn 1 set peer 2.2.2.2
crypto map Myvpn 1 set transform-set Myset
crypto map Myvpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 123456

# Define the interesting traffic (the flows that are sent through the tunnel)
access-list VPN extended permit ip host 192.168.1.1 host 192.168.2.2




H3C configuration:

#
ike peer peermtom
 pre-shared-key 123456
 remote-address 1.1.1.1
 local-address 2.2.2.2
#


# Corresponds to Cisco step 1 (the parameters marked in blue in the original post must be identical on both sides)
ike proposal 1
 authentication-algorithm sha
 authentication-method pre-share
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 86400
#


# Corresponds to Cisco step 2 (the parameters marked in blue in the original post must be identical on both sides)
ipsec proposal promtom
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#


# IPsec policy tying the ACL, the IKE peer and the proposal together
ipsec policy policymtom 10 isakmp
 security acl 3333
 ike-peer peermtom
 proposal promtom
#


# Define the interesting traffic (it must be the mirror image of the interesting traffic defined on the Cisco side)
acl number 3333
 rule 0 permit ip source 192.168.2.2 0 destination 192.168.1.1 0
 rule 5 deny ip
#


# Exclude the internal server address from the NAT translation list (this rule should be placed as the first line where possible)
Assuming the ACL used for NAT translation on the firewall is 2000:
acl number 2000
 rule 0 deny source 192.168.2.2 0
 ……


# Configure a static route to the peer's internal server (g1/0 is the firewall's outside interface)
ip route-static 192.168.1.1 32 g1/0


# Apply the IPsec policy on the outside interface
int g1/0
 ipsec policy policymtom
#



After the configuration is complete, use the following commands on the firewall to check whether the VPN has been established:
dis ike sa    ; if the IKE negotiation succeeded, then check with the next command
dis ipsec sa  ; if there is output, you can tell at a glance whether it succeeded.
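Because the IKE proposal, the IPsec transform and the interesting-traffic ACL must agree between the two vendors, it is worth checking them before bringing the tunnel up rather than debugging from `dis ike sa` output afterwards. The following Python script is an added example, not part of the original post or of either vendor's tooling: it parses the two listings above (embedded here as constructed strings, with the Cisco transform set deliberately set to `esp-des` so that a mismatch is reported), maps the vendor-specific keywords onto one vocabulary (`3des-cbc` and `esp-3des` both become `3des`, `sha1` and `esp-sha-hmac` both become `sha`, `group2` becomes `2`), and reports any phase 1 or phase 2 parameter that differs and any ACL entry that is not the mirror image of the other side's. The keyword table and the regular expressions are assumptions about the two CLI dialects and cover only the commands used in this article.

```python
import re

# Constructed sample configurations, abridged from the article's two listings.
# The Cisco transform set uses esp-des on purpose so the check has something to report.
CISCO_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set Myset esp-des esp-sha-hmac
crypto map Myvpn 1 match address VPN
crypto map Myvpn 1 set peer 2.2.2.2
access-list VPN extended permit ip host 192.168.1.1 host 192.168.2.2
"""

H3C_CFG = """
ike peer peermtom
 pre-shared-key 123456
 remote-address 1.1.1.1
 local-address 2.2.2.2
ike proposal 1
 authentication-algorithm sha
 authentication-method pre-share
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 86400
ipsec proposal promtom
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl number 3333
 rule 0 permit ip source 192.168.2.2 0 destination 192.168.1.1 0
 rule 5 deny ip
"""

# Assumed mapping of vendor keywords onto one shared vocabulary (covers only the
# algorithms that appear in the article, plus a few common neighbours).
CANON = {"3des-cbc": "3des", "esp-3des": "3des", "esp-des": "des", "des-cbc": "des",
         "sha1": "sha", "esp-sha-hmac": "sha", "esp-md5-hmac": "md5",
         "group1": "1", "group2": "2", "group5": "5"}

IKE_KEYS = ("ike_auth", "ike_enc", "ike_hash", "ike_group", "ike_lifetime", "esp_enc", "esp_auth")


def canon(token):
    """Normalise a vendor keyword (case-insensitive) to the shared vocabulary."""
    return CANON.get(token.lower(), token.lower())


def _grab(pattern, text):
    """Return the first capture group of a line-anchored regex, canonicalised, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return canon(m.group(1)) if m else None


def parse_cisco(cfg):
    """Extract phase 1/phase 2 parameters and interesting-traffic flows from an ASA-style listing."""
    p = {"ike_auth": _grab(r"^\s*authentication (\S+)", cfg),
         "ike_enc": _grab(r"^\s*encryption (\S+)", cfg),
         "ike_hash": _grab(r"^\s*hash (\S+)", cfg),
         "ike_group": _grab(r"^\s*group (\S+)", cfg),
         "ike_lifetime": _grab(r"^\s*lifetime (\S+)", cfg)}
    m = re.search(r"transform-set \S+ (\S+) (\S+)", cfg)
    p["esp_enc"], p["esp_auth"] = (canon(m.group(1)), canon(m.group(2))) if m else (None, None)
    # Flows are (source, destination) pairs taken from "permit ip host A host B" lines.
    p["flows"] = set(re.findall(r"permit ip host (\S+) host (\S+)", cfg))
    return p


def parse_h3c(cfg):
    """Extract the same parameters from a Comware-style listing."""
    p = {"ike_auth": _grab(r"^\s*authentication-method (\S+)", cfg),
         "ike_enc": _grab(r"^\s*encryption-algorithm (\S+)", cfg),
         "ike_hash": _grab(r"^\s*authentication-algorithm (\S+)", cfg),
         "ike_group": _grab(r"^\s*dh (\S+)", cfg),
         "ike_lifetime": _grab(r"^\s*sa duration (\S+)", cfg),
         "esp_enc": _grab(r"^\s*esp encryption-algorithm (\S+)", cfg),
         "esp_auth": _grab(r"^\s*esp authentication-algorithm (\S+)", cfg)}
    # Wildcard masks ("0") are skipped; the article only uses single hosts.
    p["flows"] = set(re.findall(r"permit ip source (\S+) \S+ destination (\S+)", cfg))
    return p


def compare(cisco, h3c):
    """Return a list of human-readable mismatches; an empty list means both sides agree."""
    problems = [f"{k}: cisco={cisco[k]} h3c={h3c[k]}" for k in IKE_KEYS if cisco[k] != h3c[k]]
    # The H3C ACL must be the mirror image of the Cisco ACL: swap source/destination and compare.
    mirrored = {(dst, src) for src, dst in h3c["flows"]}
    if mirrored != cisco["flows"]:
        problems.append(f"interesting traffic not mirrored: cisco={sorted(cisco['flows'])} "
                        f"h3c(reversed)={sorted(mirrored)}")
    return problems


def check(cisco_cfg=CISCO_CFG, h3c_cfg=H3C_CFG):
    """Parse both sides and return the list of mismatches."""
    return compare(parse_cisco(cisco_cfg), parse_h3c(h3c_cfg))


if __name__ == "__main__":
    for line in check() or ["OK: both sides agree"]:
        print(line)
```

Running the script as-is reports the ESP encryption mismatch (`des` on the Cisco side against `3des` on the H3C side); correcting the transform set to `esp-3des` makes the check pass. The same mirror test catches the classic mistake of copying the ACL unchanged between the two firewalls instead of reversing source and destination.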
