Huawei IPsec VPN dual-link active/standby backup configuration case

This is the configuration; I also checked the official documentation and it is configured the same way. Unexpectedly, after finishing it does not work; to be dealt with later!

FW_A configuration:

dhcp enable
#
ip-link check enable
ip-link name check_b
 destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2
#
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer fenbu
 pre-shared-key admin123
 ike-proposal 10
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer fenbu
 proposal pro1
ipsec policy-template temp2 1
 security acl 3001
 ike-peer fenbu
 proposal pro1
ipsec policy policy1 1 isakmp template temp
ipsec policy policy2 1 isakmp template temp2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.38.164.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20
ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20
#
security-policy
 default action permit

FW_B configuration:

firewall dataplane to manageplane application-apperceive default-action drop
dhcp enable
#
ip-link check enable
ip-link name check_a
 destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1
#
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a1
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.163.1
ike peer a2
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.164.1
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer a1
 proposal pro1
ipsec policy policy2 1 isakmp
 security acl 3001
 ike-peer a2
 proposal pro1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
#
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy1
#
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
 add interface Tunnel2
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a
ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20
#
security-policy
 default action permit
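When a two-firewall IPsec setup like this one ends up "fully configured but no tunnel", the usual cause is a mismatch between the two sides rather than a missing command: the ESP proposal algorithms differ, an ike peer's remote-address points at the ISP next-hop gateway instead of the peer firewall's interface, or the security ACLs are not mirror images. The script below is an added example, not code from the post or from Huawei; it parses two VRP-style configuration texts (the FW_A and FW_B fragments inside it are constructed samples modelled on the layout above, with a deliberate ESP mismatch and a wrong remote-address) and reports those mismatches. It is written for any pair of peer configs in this format, not only this case, and assumes only Python 3 with the standard library.

```python
# Added example (not from the post): consistency checks for a pair of
# Huawei VRP-style IPsec configurations. Reports the mismatches that most
# often leave a tunnel configured but down.
import re
from typing import Dict, List, Set, Tuple

Block = Tuple[str, List[str]]

# Constructed FW_A fragment: ESP uses sha1/aes-128 (not matched by FW_B).
FW_A = """\
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
ike peer fenbu
 pre-shared-key admin123
interface GigabitEthernet1/0/0
 ip address 202.38.163.1 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 202.38.164.1 255.255.255.0
"""

# Constructed FW_B fragment: ESP uses sha2-256/aes-256, and peer a2 points at
# FW_A's next-hop gateway (202.38.164.2) instead of FW_A's own interface.
FW_B = """\
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
ike peer a1
 remote-address 202.38.163.1
ike peer a2
 remote-address 202.38.164.2
interface GigabitEthernet1/0/0
 ip address 2.2.2.2 255.255.255.0
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
"""

ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_blocks(text: str) -> List[Block]:
    """Unindented line = block header; indented lines = its sub-commands; '#' ignored."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def _with_prefix(blocks: List[Block], prefix: str) -> List[Block]:
    return [(h, s) for h, s in blocks if h.startswith(prefix)]


def esp_suites(blocks: List[Block]) -> Set[Tuple[str, str]]:
    """(authentication, encryption) algorithm pair of every 'ipsec proposal'."""
    suites = set()
    for _, subs in _with_prefix(blocks, "ipsec proposal "):
        algs = {s.split()[1]: s.split()[2] for s in subs if s.startswith("esp ")}
        suites.add((algs.get("authentication-algorithm", ""), algs.get("encryption-algorithm", "")))
    return suites


def ike_suites(blocks: List[Block]) -> Set[frozenset]:
    """Each 'ike proposal' as the frozenset of its parameter lines."""
    return {frozenset(subs) for _, subs in _with_prefix(blocks, "ike proposal ")}


def interface_addresses(blocks: List[Block]) -> Set[str]:
    """IPv4 addresses configured on interfaces (unnumbered interfaces skipped)."""
    return {s.split()[2] for _, subs in _with_prefix(blocks, "interface ")
            for s in subs if s.startswith("ip address ") and s.split()[2][0].isdigit()}


def peer_remote_addresses(blocks: List[Block]) -> Dict[str, str]:
    """ike peer name -> remote-address (peers without one, e.g. template responders, skipped)."""
    return {h.split()[2]: s.split()[1] for h, subs in _with_prefix(blocks, "ike peer ")
            for s in subs if s.startswith("remote-address ")}


def acl_flows(blocks: List[Block]) -> Set[Tuple[str, ...]]:
    """(src, src-wildcard, dst, dst-wildcard) of every permit rule in numbered ACLs."""
    return {m.groups() for _, subs in _with_prefix(blocks, "acl number ")
            for s in subs for m in [ACL_RULE.match(s)] if m}


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return human-readable mismatches between two peer configurations (empty = consistent)."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    findings: List[str] = []
    if not esp_suites(a) & esp_suites(b):
        findings.append(f"no common ESP suite: A {sorted(esp_suites(a))} vs B {sorted(esp_suites(b))}")
    if not ike_suites(a) & ike_suites(b):
        findings.append("no common IKE proposal between A and B")
    for side, peers, other in (("B", peer_remote_addresses(b), interface_addresses(a)),
                               ("A", peer_remote_addresses(a), interface_addresses(b))):
        for name, addr in peers.items():
            if addr not in other:
                findings.append(f"{side}: ike peer {name} remote-address {addr} is not an interface address on the other side")
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in acl_flows(b)}  # B's flows seen from A
    for flow in sorted(acl_flows(a) - mirrored):
        findings.append(f"A: ACL flow {flow} has no mirrored rule on B")
    return findings


if __name__ == "__main__":
    for line in check_pair(FW_A, FW_B) or ["no mismatches found"]:
        print(line)
```

Run against the constructed samples it reports two findings (the ESP suite mismatch and peer a2's remote-address); after aligning FW_A's ESP proposal with FW_B and pointing a2 at 202.38.164.1 it reports none. The check is deliberately offline: it reads the saved configs of both devices, so it can be run before the change window and does not need access to the firewalls.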
