华为ipsec vpn双链路主备备份配置案例

配置就是这配置,已查官方也是这样配置,意外是完成后不通,待以后处理!

FW_A配置:

dhcp enable

ip-link check enable

ip-link name check_b

destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2

acl number 3000

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha1

esp encryption-algorithm aes-128

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer fenbu

pre-shared-key admin123

ike-proposal 10

ipsec policy-template temp 1

security acl 3000

ike-peer fenbu

proposal pro1

ipsec policy-template temp2 1

security acl 3001

ike-peer fenbu

proposal pro1

ipsec policy policy1 1 isakmp template temp

ipsec policy policy2 1 isakmp template temp2

interface GigabitEthernet1/0/0

undo shutdown

ip address 202.38.163.1 255.255.255.0

service-manage ping permit

ipsec policy policy1

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface GigabitEthernet1/0/2

undo shutdown

ip address 202.38.164.1 255.255.255.0

service-manage ping permit

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface GigabitEthernet1/0/2

firewall zone dmz

set priority 50

ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20

ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b

ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20

security-policy

default action permit

FW_B配置:

firewall dataplane to manageplane application-apperceive default-action drop

dhcp enable

ip-link check enable

ip-link name check_a

destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1

acl number 3000

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

acl number 3001

rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

ipsec proposal pro1

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

ike proposal 10

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike peer a1

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.163.1

ike peer a2

pre-shared-key admin123

ike-proposal 10

remote-address 202.38.164.2

ipsec policy policy1 1 isakmp

security acl 3000

ike-peer a1

proposal pro1

ipsec policy policy2 1 isakmp

security acl 3001

ike-peer a2

proposal pro1

interface GigabitEthernet1/0/0

undo shutdown

ip address 2.2.2.2 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/1

undo shutdown

ip address 172.16.0.1 255.255.255.0

service-manage ping permit

dhcp select interface

interface Tunnel1

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy1

interface Tunnel2

ip address unnumbered interface GigabitEthernet1/0/0

tunnel-protocol ipsec

ipsec policy policy2

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface Tunnel1

add interface Tunnel2

ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a

ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20

security-policy

default action permit

相关推荐
Championship.23.243 小时前
Linux 3.0 锁机制与故障排查详解
linux·运维·服务器
风123456789~5 小时前
【Linux专栏】ls 排除某个文件
linux·运维·服务器
IpdataCloud5 小时前
担心IP暴露隐私?用安全IP查询工具自查,三步配置网络出口
网络·tcp/ip·安全·ip
xy34536 小时前
wireshark 如何捕获信息
网络·测试工具·渗透测试·wireshark
其实防守也摸鱼6 小时前
运维--学习阶段问题解答(1)(自测)
linux·运维·服务器·数据库·学习·自动化·命令模式
玖玥拾7 小时前
C# 语言进阶(十五)C# 游戏服务端 MySQL 数据库
服务器·开发语言·网络·数据库·mysql·c#
土星云SaturnCloud7 小时前
边缘计算驱动绿氢生产过程智能寻优:电解槽级实时优化技术解析
服务器·人工智能·ai·边缘计算
爱吃大芒果9 小时前
复刻 HarmonyKit 工具箱:基于新版 @kit 开发本地工具 App
华为·harmonyos
Web极客码9 小时前
突破并发瓶颈:云端高性能架构如何赋能海外 AI Agent 矩阵的高效产出
服务器·人工智能·架构
一个有温度的技术博主9 小时前
【VulnHub 实战】DC-1 靶机渗透测试笔记(一):信息收集与主机发现
服务器·网络·笔记