Huawei VPN basic configuration (IPsec)
A software development company has opened a branch office in a small city. The branch's development project team sits on network 172.16.10.0/24, and hosts on that network reach the head office's development data servers (10.10.33.0/24) over the VPN.
Requirement: the R&D team can reach the head-office R&D servers over the VPN but must not be able to access the Internet. (Nothing below filters Internet-bound traffic explicitly; the branch hosts stay off the Internet only because R1 performs no NAT, so their private 172.16.10.0/24 addresses are not routable beyond the ISP. Add an explicit filter if that guarantee matters.)
R1 configuration
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 100.0.0.1 255.255.255.252
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add 172.16.10.254 255.255.255.0
[r1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
[r1]ike proposal 1
[r1-ike-proposal-1]encryption-algorithm 3des-cbc
[r1-ike-proposal-1]authentication-algorithm md5
[r1-ike-proposal-1]authentication-method pre-share
[r1-ike-proposal-1]dh group2
[r1-ike-proposal-1]q
[r1]ike peer 200.0.0.1 v1
[r1-ike-peer-200.0.0.1]pre-shared-key simple tedu
[r1-ike-peer-200.0.0.1]ike-proposal 1
[r1-ike-peer-200.0.0.1]remote-address 200.0.0.1
[r1-ike-peer-200.0.0.1]q
[r1]acl number 3000
[r1-acl-adv-3000]rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255
[r1-acl-adv-3000]q
[r1]ipsec proposal 1
[r1-ipsec-proposal-1]transform ah-esp
[r1-ipsec-proposal-1]q
[r1]ipsec policy yf 1 isakmp
[r1-ipsec-policy-isakmp-yf-1]security acl 3000
[r1-ipsec-policy-isakmp-yf-1]ike-peer 200.0.0.1
[r1-ipsec-policy-isakmp-yf-1]proposal 1
[r1-ipsec-policy-isakmp-yf-1]q
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy yf
ISP configuration
[isp]interface GigabitEthernet0/0/0
[isp-GigabitEthernet0/0/0]ip address 100.0.0.2 255.255.255.252
[isp]interface GigabitEthernet0/0/1
[isp-GigabitEthernet0/0/1]ip address 200.0.0.2 255.255.255.252
R2 configuration
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ip add 200.0.0.1 255.255.255.252
[r2-GigabitEthernet0/0/0]int g0/0/1
[r2-GigabitEthernet0/0/1]ip add 10.10.33.254 255.255.255.0
[r2]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
[r2]ike proposal 1
[r2-ike-proposal-1]encryption-algorithm 3des-cbc
[r2-ike-proposal-1]authentication-algorithm md5
[r2-ike-proposal-1]authentication-method pre-share
[r2-ike-proposal-1]dh group2
[r2-ike-proposal-1]q
[r2]ike peer 100.0.0.1 v1
[r2-ike-peer-100.0.0.1]pre-shared-key simple tedu
[r2-ike-peer-100.0.0.1]ike-proposal 1
[r2-ike-peer-100.0.0.1]remote-address 100.0.0.1
[r2-ike-peer-100.0.0.1]q
[r2]acl number 3000
[r2-acl-adv-3000]rule 5 permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
[r2-acl-adv-3000]q
[r2]ipsec proposal 1
[r2-ipsec-proposal-1]transform ah-esp
[r2-ipsec-proposal-1]q
[r2]ipsec policy yf 1 isakmp
[r2-ipsec-policy-isakmp-yf-1]security acl 3000
[r2-ipsec-policy-isakmp-yf-1]ike-peer 100.0.0.1
[r2-ipsec-policy-isakmp-yf-1]proposal 1
[r2-ipsec-policy-isakmp-yf-1]q
[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ipsec policy yf
Verification:
display ike sa
display ipsec sa
ping 10.10.33.1
Access the R&D server from a host in 172.16.10.0/24.
Notes: the SAs are negotiated on demand, so send traffic that matches ACL 3000 first; until then display ike sa and display ipsec sa show nothing. A plain ping issued on R1 itself is sourced from 100.0.0.1, which does not match the ACL, so it leaves in the clear and gets no reply; test from a LAN host, or from R1 use ping -a 172.16.10.254 10.10.33.1. If the IKE SA never appears, confirm that the pre-shared keys match, that each router's remote-address is the other router's g0/0/0 address, and that the ike-peer name bound in the policy is the name of an ike peer that actually exists on that router. The algorithms used here (3des-cbc, md5, dh group2) and pre-shared-key simple, which stores the key in clear text, are lab settings; use aes-cbc-256, sha2-256, dh group14 and pre-shared-key cipher in production. transform ah-esp also cannot cross NAT, because AH authenticates the outer IP header; use transform esp if either site sits behind a NAT device.
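As an added example (not part of the original post and not Huawei's own tooling), the Python script below parses the two router transcripts and cross-checks the items that most often keep a site-to-site tunnel like this one from coming up: every object the policy binds (ike-peer, security acl, proposal, ike-proposal) must exist, each remote-address must be the other end's tunnel address, the security ACLs must mirror each other, and the pre-shared keys and IKE proposals must match. It also flags the weak lab settings (3des-cbc, md5, dh group2, pre-shared-key simple) and the NAT problem with transform ah-esp. The transcripts are constructed from the configuration above (the ISP router is omitted since it holds no IPsec state); R2_AS_POSTED is the variant in which R2 creates its peer as 200.0.0.1 but binds 100.0.0.1 in the policy, a mismatch that is easy to make when peers are named after addresses.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # strips "[r1-ike-peer-x]" style prompts if present
VIEWS = ("ike proposal", "ike peer", "acl number", "ipsec proposal", "ipsec policy")
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "group1", "group2"}

# Constructed transcript modelled on the page (not a device capture). The ike peer is
# named after the remote address, as R1 does, so one template renders either end.
SITE_TEMPLATE = """
int g0/0/0
 ip address {wan} 255.255.255.252
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 dh group2
ike peer {peer} v1
 pre-shared-key simple tedu
 ike-proposal 1
 remote-address {peer}
acl number 3000
 rule 5 permit ip source {lan} 0.0.0.255 destination {remote_lan} 0.0.0.255
ipsec proposal 1
 transform ah-esp
ipsec policy yf 1 isakmp
 security acl 3000
 ike-peer {peer}
 proposal 1
int g0/0/0
 ipsec policy yf
"""
R1 = SITE_TEMPLATE.format(wan="100.0.0.1", lan="172.16.10.0", peer="200.0.0.1", remote_lan="10.10.33.0")
R2 = SITE_TEMPLATE.format(wan="200.0.0.1", lan="10.10.33.0", peer="100.0.0.1", remote_lan="172.16.10.0")
# R2 with the peer created as "200.0.0.1" while the policy still binds "100.0.0.1".
R2_AS_POSTED = R2.replace("ike peer 100.0.0.1 v1", "ike peer 200.0.0.1 v1")


def parse(text):
    """Turn a VRP transcript into {view: {name: settings}}."""
    s = {"interface": {}, "ike proposal": {}, "ike peer": {}, "acl": {},
         "ipsec proposal": {}, "ipsec policy": {}}
    ctx = cur = None
    for raw in text.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if not w or w[0] in ("q", "quit"):
            ctx = None
            continue
        head = " ".join(w[:2])
        if w[0] in ("int", "interface"):
            ctx, cur = "interface", s["interface"].setdefault(w[1], {})
        elif head in VIEWS and (head != "ipsec policy" or len(w) > 3):  # enter a config view
            ctx = head.replace(" number", "")
            cur = s[ctx].setdefault(w[2], {})
        elif ctx == "interface" and head == "ipsec policy":
            cur["policy"] = w[2]                                        # policy applied here
        elif ctx == "interface" and head.startswith("ip add"):
            cur["ip"] = w[2]
        elif ctx == "acl" and w[0] == "rule" and "permit" in w:
            cur.setdefault("rules", []).append((w[w.index("source") + 1], w[w.index("destination") + 1]))
        elif ctx == "ike peer" and w[0] == "pre-shared-key":
            cur["psk_mode"], cur["psk"] = w[1], w[2]
        elif ctx and ctx != "interface" and len(w) >= 2:
            cur[w[0]] = w[-1]       # single-value settings: dh group2, ike-peer NAME, security acl 3000
    return s


def resolve(s, label, out):
    """Follow interface -> policy -> ike peer / acl / proposals, reporting dangling references."""
    applied = [i for i in s["interface"].values() if "policy" in i]
    pol = s["ipsec policy"].get(applied[0]["policy"]) if applied else None
    if pol is None:
        out.append(f"ERROR {label}: no interface applies a defined ipsec policy")
        return None
    refs = {"ike peer": pol.get("ike-peer"), "acl": pol.get("security"), "ipsec proposal": pol.get("proposal")}
    objs = {k: s[k].get(v) for k, v in refs.items()}
    if objs["ike peer"]:                        # only then can the IKE proposal be resolved
        refs["ike proposal"] = objs["ike peer"].get("ike-proposal")
        objs["ike proposal"] = s["ike proposal"].get(refs["ike proposal"])
    for k, v in refs.items():
        if objs[k] is None:
            out.append(f"ERROR {label}: {k} {v} is referenced but not defined")
    if None in objs.values():
        return None
    return {"ip": applied[0].get("ip"), "peer": objs["ike peer"], "acl": objs["acl"].get("rules", []),
            "ike": objs["ike proposal"], "ipsec": objs["ipsec proposal"]}


def check(sites):
    """sites = {label: transcript} for the two ends; ERROR findings stop the tunnel, WARN ones weaken it."""
    out = []
    ends = {lbl: resolve(parse(txt), lbl, out) for lbl, txt in sites.items()}
    if None in ends.values():
        return out
    (la, a), (lb, b) = ends.items()
    for lbl, me, other in ((la, a, b), (lb, b, a)):
        if me["peer"].get("remote-address") != other["ip"]:
            out.append(f"ERROR {lbl}: remote-address is not the far end's tunnel address {other['ip']}")
        for src, dst in me["acl"]:
            if (dst, src) not in other["acl"]:
                out.append(f"ERROR {lbl}: acl rule {src} -> {dst} is not mirrored on the far end")
        if me["peer"].get("psk_mode") == "simple":
            out.append(f"WARN {lbl}: pre-shared key stored in clear text (use 'pre-shared-key cipher')")
        for k, v in me["ike"].items():
            if v in WEAK:
                out.append(f"WARN {lbl}: IKE {k} {v} is weak (prefer aes-cbc-256, sha2-256, group14)")
        if me["ipsec"].get("transform") == "ah-esp":
            out.append(f"WARN {lbl}: AH covers the outer IP header, so this tunnel cannot cross NAT")
    if a["peer"].get("psk") != b["peer"].get("psk"):
        out.append("ERROR pre-shared keys differ")
    if a["ike"] != b["ike"]:
        out.append("ERROR IKE proposals differ")
    return out
```

Run `check({"R1": R1, "R2": R2})` to get only WARN findings for the matching pair, and `check({"R1": R1, "R2": R2_AS_POSTED})` to see the dangling `ike-peer 100.0.0.1` reference reported as an ERROR before anything is pushed to a device. The parser ignores prompts, so pasting real `display current-configuration` output or a terminal capture of either router works the same way.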
Reposted from: https://blog.51cto.com/13555654/2070518