华为ipsec vpn双链路主备备份配置案例

配置就是这配置,已查官方也是这样配置,意外是完成后不通,待以后处理!

FW_A配置:

dhcp enable

ip-link check enable

ip-link name check_b

destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2

acl number 3000

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha1

esp encryption-algorithm aes-128

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer fenbu

pre-shared-key admin123

ike-proposal 10

ipsec policy-template temp 1

security acl 3000

ike-peer fenbu

proposal pro1

ipsec policy-template temp2 1

security acl 3001

ike-peer fenbu

proposal pro1

ipsec policy policy1 1 isakmp template temp

ipsec policy policy2 1 isakmp template temp2

interface GigabitEthernet1/0/0

undo shutdown

ip address 202.38.163.1 255.255.255.0

service-manage ping permit

ipsec policy policy1

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface GigabitEthernet1/0/2

undo shutdown

ip address 202.38.164.1 255.255.255.0

service-manage ping permit

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface GigabitEthernet1/0/2

firewall zone dmz

set priority 50

ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20

ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20

security-policy

default action permit

FW_B配置:

firewall dataplane to manageplane application-apperceive default-action drop

dhcp enable

ip-link check enable

ip-link name check_a

destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1

acl number 3000

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer a1

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.163.1

ike peer a2

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.164.2

ipsec policy policy1 1 isakmp

security acl 3000

ike-peer a1

proposal pro1

ipsec policy policy2 1 isakmp

security acl 3001

ike-peer a2

proposal pro1

interface GigabitEthernet1/0/0

undo shutdown

ip address 2.2.2.2 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/1

undo shutdown

ip address 172.16.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface Tunnel1

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy1

interface Tunnel2

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface Tunnel1

add interface Tunnel2

ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a

ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20

security-policy

default action permit

相关推荐
诡异森林。2 分钟前
Docker--Docker网络原理
网络·docker·容器
ALex_zry16 分钟前
Docker Macvlan网络配置实战:解决“network already exists“错误
网络·docker·php
半路_出家ren21 分钟前
流量抓取工具(wireshark)
网络·网络协议·测试工具·网络安全·wireshark·流量抓取工具
子非衣1 小时前
Windows云主机远程连接提示“出现了内部错误”
服务器·windows
Gazer_S2 小时前
【HTTP/2:信息高速公路的革命】
网络·网络协议·http
lLinkl2 小时前
项目笔记2:post请求是什么,还有什么请求
服务器·网络协议·http
李匠20242 小时前
C++ RPC以及cmake
网络·c++·网络协议·rpc
科技小E2 小时前
EasyRTC音视频实时通话嵌入式SDK,打造社交娱乐低延迟实时互动的新体验
大数据·网络
珹洺2 小时前
Linux操作系统从入门到实战(三)Linux基础指令(上)
linux·运维·服务器
再睡一夏就好2 小时前
Linux常见工具如yum、vim、gcc、gdb的基本使用,以及编译过程和动静态链接的区别
linux·服务器·c语言·c++·笔记