华为ipsec vpn双链路主备备份配置案例

配置就是这配置,已查官方也是这样配置,意外是完成后不通,待以后处理!

FW_A配置:

dhcp enable

ip-link check enable

ip-link name check_b

destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2

acl number 3000

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha1

esp encryption-algorithm aes-128

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer fenbu

pre-shared-key admin123

ike-proposal 10

ipsec policy-template temp 1

security acl 3000

ike-peer fenbu

proposal pro1

ipsec policy-template temp2 1

security acl 3001

ike-peer fenbu

proposal pro1

ipsec policy policy1 1 isakmp template temp

ipsec policy policy2 1 isakmp template temp2

interface GigabitEthernet1/0/0

undo shutdown

ip address 202.38.163.1 255.255.255.0

service-manage ping permit

ipsec policy policy1

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface GigabitEthernet1/0/2

undo shutdown

ip address 202.38.164.1 255.255.255.0

service-manage ping permit

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface GigabitEthernet1/0/2

firewall zone dmz

set priority 50

ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20

ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20

security-policy

default action permit

FW_B配置:

firewall dataplane to manageplane application-apperceive default-action drop

dhcp enable

ip-link check enable

ip-link name check_a

destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1

acl number 3000

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer a1

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.163.1

ike peer a2

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.164.2

ipsec policy policy1 1 isakmp

security acl 3000

ike-peer a1

proposal pro1

ipsec policy policy2 1 isakmp

security acl 3001

ike-peer a2

proposal pro1

interface GigabitEthernet1/0/0

undo shutdown

ip address 2.2.2.2 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/1

undo shutdown

ip address 172.16.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface Tunnel1

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy1

interface Tunnel2

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface Tunnel1

add interface Tunnel2

ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a

ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20

security-policy

default action permit

相关推荐
PcVue China2 小时前
PcVue + SQL Grid : 释放数据的无限潜力
大数据·服务器·数据库·sql·科技·安全·oracle
长安11082 小时前
前后端、网关、协议方面补充
网络
舞动CPU4 小时前
linux c/c++最高效的计时方法
linux·运维·服务器
钰@5 小时前
小程序开发者工具的network选项卡中有某域名的接口请求,但是在charles中抓不到该接口
运维·服务器·小程序
wanhengwangluo5 小时前
云服务器和物理服务器的区别有哪些?
运维·服务器
hzyyyyyyyu5 小时前
隧道技术-tcp封装icmp出网
网络·网络协议·tcp/ip
南猿北者6 小时前
docker Network(网络)
网络·docker·容器
Hacker_Nightrain7 小时前
网络安全CTF比赛规则
网络·安全·web安全
扣得君7 小时前
C++20 Coroutine Echo Server
运维·服务器·c++20
网络安全指导员8 小时前
恶意PDF文档分析记录
网络·安全·web安全·pdf