{"id":1325,"date":"2022-09-01T12:52:40","date_gmt":"2022-09-01T04:52:40","guid":{"rendered":"https:\/\/b.yesiyu.top\/?p=1325"},"modified":"2022-09-01T12:52:40","modified_gmt":"2022-09-01T04:52:40","slug":"h3c-v7%e9%98%b2%e7%81%ab%e5%a2%99ipsec%e9%85%8d%e7%bd%ae-%e4%b8%a4%e7%ab%af%e5%af%b9%e7%ad%89%e6%a8%a1%e5%bc%8f","status":"publish","type":"post","link":"https:\/\/b.yesiyu.top\/?p=1325","title":{"rendered":"H3C V7\u9632\u706b\u5899ipsec\u914d\u7f6e-\u4e24\u7aef\u5bf9\u7b49\u6a21\u5f0f"},"content":{"rendered":"
\n

H3C V7\u9632\u706b\u5899ipsec\u914d\u7f6e<\/h1>\n

\u62d3\u6251\u56fe<\/h2>\n

\u7b80\u5355\u793a\u610f\u56fe\u4e24\u7aef\u56fa\u5b9aip\u914d\u7f6e<\/p>\n

\"\"<\/p>\n<\/div>\n

<\/div>\n
<\/div>\n
\n
FW-A\u914d\u7f6e\uff1a<\/div>\n
# \u914d\u7f6eacl\u672c\u6bb5\u5185\u7f51\u5730\u5740192.168.0.0\/24,\u5bf9\u7aef\u4e3a192.168.1.0\/24<\/span>\r\n# acl 3000\u7528\u4e8enat\u8fc7\u6ee4\uff0c\u62d2\u7edd\u611f\u5174\u8da3\u6d41\u91cf<\/span>\r\nacl advanced 3000<\/span>\r\nrule 5<\/span> deny ip<\/span> soure  192.168<\/span>.0.0 0.0<\/span>.0.255 destination 192.168<\/span>.1.0 0.0<\/span>.0.255\r\nrule 10<\/span> permit ip<\/span>\r\n# acl 3001 \u5339\u914d\u611f\u5174\u8da3\u6d41\u91cf<\/span>\r\nacl advanced 3000<\/span>\r\nrule 5<\/span> permit ip<\/span> soure  192.168<\/span>.0.0 0.0<\/span>.0.255 destination 192.168<\/span>.1.0 0.0<\/span>.0.255\r\n\r\n<\/code><\/pre>\n
IKE \u9636\u6bb5<\/p>\n
# 1.\u521b\u5efaike keychain,\u4f5c\u4e3a\u4e0e\u5bf9\u7aef\u7684\u8ba4\u8bc1\uff0c\u5730\u5740\u4e3a\u5bf9\u7aef\u5730\u5740\uff0c\u534f\u5546\u5bc6\u7801\u9700\u8981\u4e24\u7aef\u4e00\u81f4<\/span>\r\nike keychain CJ\r\npre-shared-key address 218.17<\/span>.21.25 255.255<\/span>.255.255 key simple 12345678<\/span>\r\n# 2.\u521b\u5efaike proposal \u8bbe\u7f6e\u52a0\u89e3\u5bc6\u7c7b\u578b<\/span>\r\nike proposal 1<\/span>\r\n encryption-algorithm 3des-cbc\r\n authentication-algorithm md5\r\n# 3.\u521b\u5efaike profile,\u4e0e\u5bf9\u7aef\u534f\u5546\uff0c\u5c06\u524d\u9762\u7684keychain \u548cproposal,\u4ee5\u53ca\u914d\u7f6e\u672c\u6bb5\u5730\u5740\u548c\u5bf9\u7aef\u5730\u5740\u8fdb\u884c\u8c03\u7528<\/span>\r\nike profile CJ\r\n keychain CJ\r\n local-identity address 183.62<\/span>.141.212\r\n match remote identity address 218.17<\/span>.21.25 255.255<\/span>.255.255\r\n match local<\/span> address GigabitEthernet1\/0\/0\r\n proposal 1<\/span><\/code><\/pre>\n
IPSEC \u9636\u6bb5\uff1a<\/p>\n
# \u914d\u7f6etransform \u52a0\u89e3\u5bc6<\/span>\r\nipsec transform-set JT\r\n esp encryption-algorithm 3des-cbc \r\n esp authentication-algorithm md5\r\n\r\n# \u914d\u7f6eipsec\u7b56\u7565\uff0c\u7b56\u7565\u540d\u79f0ipsec-cj ,1\u4ee3\u8868\u7b2c\u4e00\u6761\u7b56\u7565\uff0c\u8c03\u7528transform\u548cacl,\u914d\u7f6e\u4e24\u7aef\u5730\u5740\uff0c\u518d\u8c03\u7528\u7b2c\u4e00\u9636\u6bb5ike-profile<\/span>\r\nipsec policy ipsec-cj 1<\/span> isakmp\r\n transform-set JT \r\n security acl 3001<\/span>\r\n local-address 183.62<\/span>.141.242\r\n remote-address 218.17<\/span>.21.2\r\n description TO_CJ\r\n ike-profile CJ\r\n\r\n<\/code><\/pre>\n
\u5728\u63a5\u53e3\u8c03\u7528\u7b56\u7565\u548cnat<\/p>\n
interface GigabitEthernet1\/0\/0\r\nip<\/span> address 183.62<\/span>.141.212 255.255<\/span>.255.252\r\nipsec apply policy ipsec-cj\r\nnat outbound 3000<\/span><\/code><\/pre>\n
FW-B\u914d\u7f6e\uff1a
\n\u4e24\u7aef\u914d\u7f6e\u662f\u76f8\u5bf9\u7684\u3002<\/p>\n
# \u914d\u7f6eacl\u672c\u6bb5\u5185\u7f51\u5730\u5740192.168.1.0\/24,\u5bf9\u7aef\u4e3a192.168.0.0\/24<\/span>\r\n# acl 3000\u7528\u4e8enat\u8fc7\u6ee4\uff0c\u62d2\u7edd\u611f\u5174\u8da3\u6d41\u91cf<\/span>\r\nacl advanced 3000<\/span>\r\nrule 5<\/span> deny ip<\/span> soure  192.168<\/span>.1.0 0.0<\/span>.0.255 destination 192.168<\/span>.0.0 0.0<\/span>.0.255\r\nrule 10<\/span> permit ip<\/span>\r\n# acl 3001 \u5339\u914d\u611f\u5174\u8da3\u6d41\u91cf<\/span>\r\nacl advanced 3000<\/span>\r\nrule 5<\/span> permit ip<\/span> soure  192.168<\/span>.1.0 0.0<\/span>.0.255 destination 192.168<\/span>.0.0 0.0<\/span>.0.255\r\n\r\n<\/code><\/pre>\n
IKE \u9636\u6bb5<\/p>\n
# 1.\u521b\u5efaike keychain,\u4f5c\u4e3a\u4e0e\u5bf9\u7aef\u7684\u8ba4\u8bc1\uff0c\u5730\u5740\u4e3a\u5bf9\u7aef\u5730\u5740\uff0c\u534f\u5546\u5bc6\u7801\u9700\u8981\u4e24\u7aef\u4e00\u81f4<\/span>\r\nike keychain JT\r\npre-shared-key address 183.62<\/span>.141.212 255.255<\/span>.255.255 key simple 12345678<\/span>\r\n# 2.\u521b\u5efaike proposal \u8bbe\u7f6e\u52a0\u89e3\u5bc6\u7c7b\u578b<\/span>\r\nike proposal 1<\/span>\r\n encryption-algorithm 3des-cbc\r\n authentication-algorithm md5\r\n# 3.\u521b\u5efaike profile,\u4e0e\u5bf9\u7aef\u534f\u5546\uff0c\u5c06\u524d\u9762\u7684keychain \u548cproposal,\u4ee5\u53ca\u914d\u7f6e\u672c\u6bb5\u5730\u5740\u548c\u5bf9\u7aef\u5730\u5740\u8fdb\u884c\u8c03\u7528<\/span>\r\nike profile JT\r\n keychain JT\r\n local-identity address  218.17<\/span>.21.25 \r\n match remote identity address 183.62<\/span>.141.212 255.255<\/span>.255.255\r\n match local<\/span> address GigabitEthernet1\/0\/0\r\n proposal 1<\/span><\/code><\/pre>\n
IPSEC \u9636\u6bb5\uff1a<\/p>\n
# \u914d\u7f6etransform \u52a0\u89e3\u5bc6<\/span>\r\nipsec transform-set CJ\r\n esp encryption-algorithm 3des-cbc \r\n esp authentication-algorithm md5\r\n\r\n# \u914d\u7f6eipsec\u7b56\u7565\uff0c\u7b56\u7565\u540d\u79f0ipsec-jt ,1\u4ee3\u8868\u7b2c\u4e00\u6761\u7b56\u7565\uff0c\u8c03\u7528transform\u548cacl,\u914d\u7f6e\u4e24\u7aef\u5730\u5740\uff0c\u518d\u8c03\u7528\u7b2c\u4e00\u9636\u6bb5ike-profile<\/span>\r\nipsec policy ipsec-jt 1<\/span> isakmp\r\n transform-set JT \r\n security acl 3001<\/span>\r\n local-address 218.17<\/span>.21.25\r\n remote-address 183.62<\/span>.141.212\r\n description TO_JT\r\n ike-profile JT\r\n\r\n<\/code><\/pre>\n
\u5728\u63a5\u53e3\u8c03\u7528\u7b56\u7565\u548cnat<\/p>\n
interface GigabitEthernet1\/0\/0\r\nip<\/span> address 218.17<\/span>.21.25 255.255<\/span>.255.252\r\nipsec apply policy ipsec-jt\r\nnat outbound 3000<\/span><\/code><\/pre>\n
\u6700\u540e\u5728\u4e24\u7aef\u5185\u7f51\u7ec8\u7aefping\u6d4b\u8bd5\u5bf9\u7aef\u7ec8\u7aef\u3002<\/p>\n
\u67e5\u8be2ike\u3001ipsec\u4fe1\u606f\u4f20\u8f93<\/p>\n
# \u67e5\u8be2sa\u5efa\u7acb\u60c5\u51b5<\/span>\r\ndis ike sa\r\n# \u67e5\u8be2sa\u6d41\u91cf<\/span>\r\ndis ike sa verbpse\r\n# \u67e5\u8be2ipsec\u9636\u6bb5\u4fe1\u606f<\/span>\r\ndis ipsec policy\r\n\r\n<\/code><\/pre>\n<\/div>\n
\u70b9\u70b9\u6ef4\u6ef4\uff0c\u79ef\u5c11\u6210\u591a\uff0c\u7ec8\u6709\u4e00\u65e5\u80fd\u53d1\u6325\u7528\u5904\u3002<\/div>\n","protected":false},"excerpt":{"rendered":"
H3C V7\u9632\u706b\u5899ipsec\u914d\u7f6e \u62d3\u6251\u56fe \u7b80\u5355\u793a\u610f\u56fe\u4e24\u7aef\u56fa\u5b9aip\u914d\u7f6e FW-A\u914d\u7f6e\uff1a # \u914d\u7f6eacl\u672c\u6bb5\u5185\u7f51\u5730 … <\/p>\n
\u7ee7\u7eed\u9605\u8bfb\u201cH3C V7\u9632\u706b\u5899ipsec\u914d\u7f6e-\u4e24\u7aef\u5bf9\u7b49\u6a21\u5f0f\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1325","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/posts\/1325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1325"}],"version-history":[{"count":2,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/posts\/1325\/revisions"}],"predecessor-version":[{"id":1329,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=\/wp\/v2\/posts\/1325\/revisions\/1329"}],"wp:attachment":[{"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/b.yesiyu.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}