H3CF100-S-GIPSEC案例-USB迷|专注于互联网分享

H3CF100-S-GIPSEC案例

2024年5月21日发(作者：姬莘莘)

H3C F100-S-G案例：

点对点ipsec

总部一台F100-S-G,分部一台F100-S-G。

总部内网网段10.10.10.0/24,10.0.0.0/24

两端外网口为固定地址

F100-S-G-分部配置：

acl number 3001 用于匹配IPSEC 保护流

description Protect-Vpndata

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

acl number 3002

此条ACL作用在nat outbound 保证在访问对端内网同时访问互联网

description Nat-Deny-Vpn

rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 10 deny ip source 192.168.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

rule 15 deny ip source 192.168.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 20 permit ip

分部IPSEC配置

ike peer peer

pre-shared-key cipher $c$3$V27Lx8P8XlcjEBdTwsA93xbVHc7XYA==

remote-address 1.1.1.1 总部地址为1.1.1.1