Three IPsec VPNs from F1000 to Aliyun
2024-08-05: Because an F1000 interface can only carry one "ipsec apply policy idc-to-aliyun", the different lines have to be distinguished by different sequence numbers within that one policy. The configuration steps on a Huawei USG6000E and an H3C F1000 are otherwise much the same, but when several IPsec policies are configured on the USG6000E, the same Ethernet interface can be selected for each of them in the web UI and the IPsec policy names can be chosen freely.
1、H3C IPsec VPN, similar to Huawei USG6000E (commands for checking the result):
display ipsec sa
display ike sa
display ip routing-table
display acl 3000
display ipsec policy
display ipsec transform-set
2、Configure the public IP on the F1000 and enable the IPsec gateway on Aliyun
3、firewall zone untrust
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.240
 dns server 114.114.114.114
 tcp mss 1300
 ip last-hop hold
 nat outbound 3005
 nat static enable
 ipsec apply policy idc-to-aliyun
gateway 1.1.1.14
4、ipsec policy idc-to-aliyun 10 isakmp
 transform-set idc-to-aliyun_IPv4_10
 security acl 3010
 local-address 1.1.1.8
 remote-address 2.2.2.2
 ike-profile idc-to-aliyun_IPv4_10
ipsec policy idc-to-aliyun 11 isakmp
 transform-set idc-to-aliyun_IPv4_11
 security acl 3010
 local-address 1.1.1.8
 remote-address 3.3.3.3
 ike-profile idc-to-aliyun_IPv4_11
ipsec policy idc-to-aliyun 12 isakmp
 transform-set idc-to-aliyun_IPv4_12
 security acl 3010
 local-address 1.1.1.8
 remote-address 3.3.3.3
 ike-profile idc-to-aliyun_IPv4_12
5、acl advanced 3010
 rule 15 permit ip source 10.28.28.0 0.0.1.255 destination 172.16.0.0 0.0.255.255
6、Three transform-sets
display ipsec transform-set
ipsec transform-set idc-to-aliyun_IPv4_10
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group2
#
ipsec transform-set idc-to-aliyun_IPv4_11
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group2
#
ipsec transform-set idc-to-aliyun_IPv4_12
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group2
7、ike profile idc-to-aliyun_IPv4_10
ike profile idc-to-aliyun_IPv4_10
 keychain idc-to-aliyun_IPv4_10
 local-identity address 1.1.1.8
 match remote identity address 2.2.2.2 255.255.255.255
 match local address GigabitEthernet1/0/0
 proposal 2
ike profile idc-to-aliyun_IPv4_11
ike profile idc-to-aliyun_IPv4_11
 keychain idc-to-aliyun_IPv4_10
 local-identity address 1.1.1.8
 match remote identity address 2.2.2.2 255.255.255.255
 match local address GigabitEthernet1/0/0
 proposal 2
ike profile idc-to-aliyun_IPv4_11
ike profile idc-to-aliyun_IPv4_11
 keychain idc-to-aliyun_IPv4_10
 local-identity address 1.1.1.8
 match remote identity address 3.3.3.3 255.255.255.255
 match local address GigabitEthernet1/0/0
 proposal 2
8、dis ike proposal
Priority  Authentication method  Authentication algorithm  Encryption algorithm  DH group  Duration (seconds)
1         PRE-SHARED-KEY         SHA1                      AES-CBC-256           Group 2   86400
2         PRE-SHARED-KEY         SHA256                    AES-CBC-256           Group 2   86400
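With several isakmp entries hanging off the one policy applied to the interface, the easy mistake is an entry whose transform-set or IKE profile does not exist, or whose IKE profile matches a different peer than the entry's remote-address. The script below is an added example written for this note (not H3C or Aliyun tooling): it parses a constructed config shaped like the idc-to-aliyun policy above and reports those inconsistencies.

```python
# Constructed sample (not the page's running config), shaped like the page's policy.
SAMPLE_CONFIG = """\
ipsec policy idc-to-aliyun 10 isakmp
 transform-set idc-to-aliyun_IPv4_10
 remote-address 2.2.2.2
 ike-profile idc-to-aliyun_IPv4_10
ipsec policy idc-to-aliyun 11 isakmp
 transform-set idc-to-aliyun_IPv4_11
 remote-address 3.3.3.3
 ike-profile idc-to-aliyun_IPv4_11
ipsec transform-set idc-to-aliyun_IPv4_10
 esp encryption-algorithm aes-cbc-256
ike profile idc-to-aliyun_IPv4_10
 match remote identity address 2.2.2.2 255.255.255.255
ike profile idc-to-aliyun_IPv4_11
 match remote identity address 2.2.2.2 255.255.255.255
"""

def parse_blocks(text):
    """Group H3C config lines into top-level blocks keyed by their header tokens."""
    blocks, cur = {}, ()
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):      # blanks and '#' separators carry no config
            continue
        if raw[0].isspace():              # indented line belongs to the current block
            blocks.setdefault(cur, []).append(raw.split())
        else:
            blocks.setdefault(cur := tuple(raw.split()), [])
    return blocks

def check_ipsec_policies(text):
    """Cross-check every 'ipsec policy <name> <seq> isakmp' entry; return findings."""
    blocks = parse_blocks(text)
    tsets = {k[2] for k in blocks if k[:2] == ("ipsec", "transform-set")}
    profiles = {k[2]: v for k, v in blocks.items() if k[:2] == ("ike", "profile")}
    findings = []
    for key, body in blocks.items():
        if key[:2] != ("ipsec", "policy") or key[-1] != "isakmp":
            continue
        entry, attrs = f"{key[2]} {key[3]}", {t[0]: t[1:] for t in body}
        ts, prof, peer = ((attrs.get(k) or [None])[0]
                          for k in ("transform-set", "ike-profile", "remote-address"))
        if ts not in tsets:
            findings.append(f"{entry}: transform-set {ts} not defined")
        if prof not in profiles:
            findings.append(f"{entry}: ike-profile {prof} not defined")
        else:  # the profile must match the peer this entry negotiates with
            matched = [t[4] for t in profiles[prof]
                       if t[:4] == ["match", "remote", "identity", "address"]]
            if peer not in matched:
                findings.append(f"{entry}: ike-profile {prof} matches {matched}, "
                                f"not remote-address {peer}")
    return findings
```

Feed it the output of "display current-configuration" saved to a file to check a real box; on the sample it reports entry 11 twice (undefined transform-set, profile matching the wrong peer) and entry 10 not at all.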