IPSEC 野蛮模式试验

本文格式为Word版，下载可任意编辑——IPSEC野蛮模式试验华为IPSEC-VPN-1-采用野蛮方式建立IPsec安全隧道

一：企业组网需求：

1，某公司（总部在北京）有两个子公司分别在上海和广州，要求通过VPN

实现公司之间相互通信！

2，试验环境如下：要求192.168.1.0/24网段的员工分别与172.168..0/24，

10.1.1.0/24的员工通信!（中间的为公网）3，本试验要求采用野蛮方式建立IPsec安全隧道

第一步：IP地址配置省略，指默认路由

[AR1]iproute-static0.0.0.00.0.0.012.1.1.2[AR3]iproute-static0.0.0.00.0.0.023.1.1.2[AR4]iproute-static0.0.0.00.0.0.024.1.1.2

其次步：使用ACL抓感兴趣流量

[R1]aclnumber3001

[R1-acl-adv-3001]rule5permitipsource192.168.1.00.0.0.255destination172.168.1.00.0.0.255[AR1]aclnumber3002

[AR1-acl-adv-3002]rule5permitipsource192.168.1.00.0.0.255destination10.1.1.00.0.0.255

[R3]aclnumber3001

[R3-acl-adv-3001]rule5permitIPsource172.168.1.00.0.0.255destination192.168.1.00.0.0.255

[AR4]aclnumber3002[AR4-acl-adv-3001]rule5permitipsource10.1.1.00.0.0.255destination192.168.1.00.0.0.255

第三步：配置安全提议zhu1和zhu2[AR1]ipsecproposalzhu1

[AR1-ipsec-proposal-zhu1]encapsulation-modetunnel[AR1-ipsec-proposal-zhu1]transformesp

[AR1-ipsec-proposal-zhu1]espauthentication-algorithmmd5[AR1-ipsec-proposal-zhu1]espencryption-algorithmdes

[AR1]ipsecproposalzhu2

[AR1-ipsec-proposal-zhu1]encapsulation-modetunnel[AR1-ipsec-proposal-zhu1]transformesp

[AR1-ipsec-proposal-zhu1]espauthentication-algorithmmd5[AR1-ipsec-proposal-zhu1]espencryption-algorithmdes

第四步：

[AR1]ikelocal-namefw1[AR1]ikepeerpeer-1v1

[AR1-ike-peer-peer-1]exchange-modeaggressive[AR1-ike-peer-peer-1]pre-shared-keysimple12345[AR1-ike-peer-peer-1]local-id-typename[AR1-ike-peer-peer-1]local-address12.1.1.1[AR1-ike-peer-peer-1]remote-namefw2

[AR1]ikepeerpeer-2v1

[AR1-ike-peer-peer-2]exchange-modeaggressive[AR1-ike-peer-peer-2]pre-shared-keysimple12345[AR1-ike-peer-peer-2]local-id-typename[AR1-ike-peer-peer-2]local-address12.1.1.1[AR1-ike-peer-peer-2]remote-namefw3

第五步：

[AR1]ipsecpolicypolicy110isakmp

[AR1-ipsec-policy-isakmp-policy1-10]secacl3001[AR1-ipsec-policy-isakmp-policy1-10]proposalzhu1[AR1-ipsec-policy-isakmp-policy1-10]ikepeerpeer-1[AR1-ike-peer-peer-1]quit

[AR1]ipsecpolicypolicy120isakmp

[AR1-ipsec-policy-isakmp-policy1-20]securityacl3002[AR1-ipsec-policy-isakmp-policy1-20]proposalzhu2[AR1-ipsec-policy-isakmp-policy1-20]ikepeerpeer-2[AR1-ike-peer-peer-2]quit

第六步：在接口应用策略

[AR1]interfaceGigabitEthernet0/0/0

[AR1-GigabitEthernet0/0/0]ipsecpolicypolicy1[AR1-GigabitEthernet0/0/0]quit

错误的提醒，不为什么不让配置是ENSP版的问题么？

报错文本：

[AR1]interfaceGigabitEthernet0/0/0

[AR1-GigabitEthernet0/0/0]ipsecpolicypolicy1

Error:TheIPSecpolicydoesnotconfigureanIKEpeer.

第七步：

[AR3]ipsecproposalzhu

[AR3-ipsec-proposal-zhu]encapsulation-modetunnel[AR3-ipsec-proposal-zhu]transformesp

[AR3-ipsec-proposal-zhu]espauthentication-algorithmmd5[AR3-ipsec-proposal-zhu]espencryption-algorithmdes[AR3-ipsec-proposal-zhu]quit

[AR3]ikepeerpeer-1v1

[AR3-ike-peer-peer-1]exchange-modeaggressive[AR3-ike-peer-peer-1]pre-shared-keysimple12345[AR3-ike-peer-peer-1]local-id-typename[AR3-ike-peer-peer-1]remote-namefw1

[AR3-ike-peer-peer-1]remote-address12.1.1.1[AR3-ike-peer-peer-1]quit

[AR3]ipsecpolicypolicy210isakmp

[AR3-ipsec-policy-isakmp-policy2-10]securityacl3001[AR3-ipsec-policy-isakmp-policy2-10]proposalzhu[AR3-ipsec-policy-isakmp-policy2-10]ikepeer-1[AR3]interfaceGigabitEthernet0/0/1

[AR3-GigabitEthernet0/0/1]ipsecpolicypolicy2[AR3-GigabitEthernet0/0/1]quit

第八步：AR4路由器上的所有配置ipsecproposalzhu-4

encapsulation-modetunneltransformesp

espauthentication-algorithmmd5espencryption-algorithmdesquit

ikelocal-namefw3ikepeerpeer-2v1

exchange-modeaggressivepre-shared-keysimple12345local-id-typenameremote-namefw1

remote-