Huawei IPsec VPN dual-link active/standby backup configuration case

This is the configuration as it stands; I checked the official documentation and it is configured the same way there, but unexpectedly it does not work after completion. To be dealt with later!

FW_A configuration:

```
dhcp enable
ip-link check enable
ip-link name check_b
 destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer fenbu
 pre-shared-key admin123
 ike-proposal 10
ipsec policy-template temp 1
 security acl 3000
 ike-peer fenbu
 proposal pro1
ipsec policy-template temp2 1
 security acl 3001
 ike-peer fenbu
 proposal pro1
ipsec policy policy1 1 isakmp template temp
ipsec policy policy2 1 isakmp template temp2
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy1
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.38.164.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
firewall zone dmz
 set priority 50
ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20
ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20
security-policy
 default action permit
```

FW_B configuration:

```
firewall dataplane to manageplane application-apperceive default-action drop
dhcp enable
ip-link check enable
ip-link name check_a
 destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer a1
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.163.1
ike peer a2
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.164.2
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer a1
 proposal pro1
ipsec policy policy2 1 isakmp
 security acl 3001
 ike-peer a2
 proposal pro1
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy1
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
 add interface Tunnel2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a
ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20
security-policy
 default action permit
```
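As an added consistency check (not part of the original post), the script below parses the parts of the two configurations above that must agree between the peers and reports every mismatch; it assumes the FW_A (responder, policy-template) and FW_B (initiator, remote-address) roles shown on this page and one-space indentation for sub-commands.

```python
import re
# Excerpts copied verbatim from the FW_A and FW_B configurations on this page.
FW_A = """\
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
interface GigabitEthernet1/0/0
 ip address 202.38.163.1 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 202.38.164.1 255.255.255.0
"""
FW_B = """\
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike peer a1
 remote-address 202.38.163.1
ike peer a2
 remote-address 202.38.164.2
"""

def parse(cfg):
    """Map each top-level view (e.g. 'ipsec proposal pro1') to its indented commands."""
    views, current = {}, None
    for line in cfg.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            views[current] = []
        elif line.strip():
            views[current].append(line.strip())
    return views

def esp_algorithms(views, proposal):
    """ESP transform of one proposal, e.g. {'authentication': 'sha1', 'encryption': 'aes-128'}."""
    pat = re.compile(r"esp (authentication|encryption)-algorithm (\S+)")
    return {m[1]: m[2] for c in views.get(f"ipsec proposal {proposal}", []) if (m := pat.match(c))}

def check(cfg_a, cfg_b, proposal="pro1"):
    """Return findings that would stop an IPsec SA from being negotiated between the two peers."""
    a, b = parse(cfg_a), parse(cfg_b)
    ea, eb = esp_algorithms(a, proposal), esp_algorithms(b, proposal)
    # The ESP transform (authentication + encryption algorithm) must be identical on both ends.
    findings = [f"esp {k}-algorithm mismatch: FW_A {ea.get(k)} vs FW_B {eb.get(k)}"
                for k in ("authentication", "encryption") if ea.get(k) != eb.get(k)]
    # Every remote-address FW_B dials must be an address FW_A actually has on an interface.
    local = {m[1] for v, cmds in a.items() if v.startswith("interface ")
             for c in cmds if (m := re.match(r"ip address (\S+) ", c))}
    for view, cmds in b.items():
        if view.startswith("ike peer "):
            for c in cmds:
                if (m := re.match(r"remote-address (\S+)", c)) and m[1] not in local:
                    findings.append(f"{view}: remote-address {m[1]} is not an FW_A interface address")
    return findings
```

Run against this page's configuration it reports that the ESP transform of pro1 differs between the firewalls (sha1/aes-128 on FW_A versus sha2-256/aes-256 on FW_B) and that peer a2's remote-address 202.38.164.2 is not the address configured on FW_A's GigabitEthernet1/0/2 (202.38.164.1). The same pattern extends naturally to comparing the ike proposal and the mirrored ACL pairs.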
