华为 Router配置采用手工方式建立IPSec隧道

一、组网需求

1、如图所示，RouterA为企业分支网关，RouterB为企业总部网关，分支与总部通过公网建立通信。分支子网为10.1.1.0/24，总部子网为10.1.2.0/24。
企业希望对分支子网与总部子网之间相互访问的流量进行安全保护。分支与总部通过公网建立通信，可以在分支网关与总部网关之间建立一个IPSec隧道来实施安全保护。由于维护网关较少，可以考虑采用手工方式建立IPSec隧道。

2、网络拓扑

3、采用如下思路配置采用手工方式建立IPSec隧道：

配置接口的IP地址和到对端的静态路由，保证两端路由可达。
配置ACL，以定义需要IPSec保护的数据流。
配置IPSec安全提议，定义IPSec的保护方法。
配置安全策略，并引用ACL和IPSec安全提议，确定对何种数据流采取何种保护方法。
在接口上应用安全策略组，使接口具有IPSec的保护功能。

二、操作步骤

1、配置接口IP地址

1. <Huawei>system-view
2. [Huawei]sysname RouterA
3. [RouterA]interface GigabitEthernet 0/0/2
4. [RouterA-GigabitEthernet0/0/2]ip address 10.1.1.1 24
5. [RouterA-GigabitEthernet0/0/2]q
6. [RouterA]interface GigabitEthernet 0/0/1
7. [RouterA-GigabitEthernet0/0/1]ip address 202.138.163.1 24
8. [RouterA-GigabitEthernet0/0/1]q
10. <Huawei>system-view
11. [Huawei]sysname RouterB
12. [RouterB]interface GigabitEthernet 0/0/1
13. [RouterB-GigabitEthernet0/0/1]ip address 202.138.162.1 24
14. [RouterB-GigabitEthernet0/0/1]q
15. [RouterB]interface GigabitEthernet 0/0/2
16. [RouterB-GigabitEthernet0/0/2]ip address 10.1.2.1 24
17. [RouterB-GigabitEthernet0/0/2]q
19. <Huawei>system-view
20. [Huawei]sysname Internet
21. [Internet]interface GigabitEthernet 0/0/1
22. [Internet-GigabitEthernet0/0/1]ip address 202.138.163.2 24
23. [Internet-GigabitEthernet0/0/1]q
24. [Internet]interface GigabitEthernet 0/0/0
25. [Internet-GigabitEthernet0/0/0]ip address 202.138.162.2 24
26. [Internet-GigabitEthernet0/0/0]q

2、配置静态路由

[RouterA]ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
[RouterA]ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
[RouterB]ip route-static 202.138.163.0 255.255.255.0 202.138.162.2
[RouterB]ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
[Internet]ip route-static 10.1.2.0 255.255.255.0 202.138.162.1
[Internet]ip route-static 10.1.1.0 255.255.255.0 202.138.163.1

3、在Router上配置ACL，定义各自要保护的数据流

1. [RouterA]acl number 3001
2. [RouterA-acl-adv-3001]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
3. [RouterA-acl-adv-3001]q
5. [RouterB]acl number 3001
6. [RouterB-acl-adv-3001]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
7. [RouterB-acl-adv-3001]q

4、在Router上创建IPSec安全提议

[RouterA]ipsec proposal  tran1
[RouterA-ipsec-proposal-tran1]esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1]quit
[RouterB]ipsec proposal tran1
[RouterB-ipsec-proposal-tan1]esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tan1]quit

查看

1. [RouterA]display ipsec proposal name tran1
3. IPSec proposal name: tran1
4. Encapsulation mode: Tunnel
5. Transform : esp-new
6. ESP protocol : Authentication SHA1-HMAC-96
7. Encryption DES

5、在Router上配置手工方式安全策略

[RouterA]ipsec policy map1 10 manual
[RouterA-ipsec-policy-manual-map1-10]security acl 3001
[RouterA-ipsec-policy-manual-map1-10]proposal tran1
[RouterA-ipsec-policy-manual-map1-10]tunnel remote 202.138.162.1
[RouterA-ipsec-policy-manual-map1-10]tunnel local 202.138.163.1
[RouterA-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[RouterA-ipsec-policy-manual-map1-10]sa string-key outbound esp simple abc
[RouterA-ipsec-policy-manual-map1-10]sa string-key inbound esp simple cba
[RouterA-ipsec-policy-manual-map1-10]quit
[RouterB]ipsec policy use1 10 manual 
[RouterB-ipsec-policy-manual-use1-10]security acl 3001
[RouterB-ipsec-policy-manual-use1-10]proposal tran1 
[RouterB-ipsec-policy-manual-use1-10]tunnel remote 202.138.163.1
[RouterB-ipsec-policy-manual-use1-10]tunnel local 202.138.162.1
[RouterB-ipsec-policy-manual-use1-10]sa spi  outbound esp 54321
[RouterB-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[RouterB-ipsec-policy-manual-use1-10]sa string-key outbound esp simple cba
[RouterB-ipsec-policy-manual-use1-10]sa string-key inbound esp simple abc
[RouterB-ipsec-policy-manual-use1-10]quit

查看

1. [RouterA]display ipsec policy name map1
3. ===========================================
4. IPSec policy group: 'map1'
5. Using interface:
6. ===========================================
8. Sequence number: 10
9. Security data flow: 3001
10. Tunnel local address: 202.138.163.1
11. Tunnel remote address: 202.138.162.1
12. Qos pre-classify: Disable
13. Proposal name:tran1
14. Inbound AH setting:
15. AH SPI:
16. AH string-key:
17. AH authentication hex key:
18. Inbound ESP setting:
19. ESP SPI: 54321 (0xd431)
20. ESP string-key: cba
21. ESP encryption hex key:
22. ESP authentication hex key:
23. Outbound AH setting:
24. AH SPI:
25. AH string-key:
26. AH authentication hex key:
27. Outbound ESP setting:
28. ESP SPI: 12345 (0x3039)
29. ESP string-key: abc
30. ESP encryption hex key:
31. ESP authentication hex key:

6、在Router接口上引用安全策略组

[RouterA]interface  GigabitEthernet  0/0/1
[RouterA-GigabitEthernet0/0/1]ipsec  policy  map1
[RouterA-GigabitEthernet0/0/1]quit
[RouterB]interface GigabitEthernet 0/0/1
[RouterB-GigabitEthernet0/0/1]ipsec policy use1
[RouterB-GigabitEthernet0/0/1]quit

7、验证结果

配置成功后，在主机PC10.1.1.2上执行ping操作仍然可以ping通主机PC 10.1.2.2，执行命令display ipsec statistics esp可以查看数据包的统计信息

1. [RouterA]display ipsec sa
2. ===============================
3. Interface: GigabitEthernet0/0/1
4. Path MTU: 1500
5. ===============================
6. -----------------------------
7. IPSec policy name: 'map1'
8. Sequence number : 10
9. Acl Group : 3001
10. Acl rule : 0
11. Mode : Manual
12. -----------------------------
13. Encapsulation mode: Tunnel
14. Tunnel local : 202.138.163.1
15. Tunnel remote : 202.138.162.1
16. Qos pre-classify : Disable
18. [Outbound ESP SAs]
19. SPI: 12345 (0x3039)
20. Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
21. No duration limit for this SA
23. [Inbound ESP SAs]
24. SPI: 54321 (0xd431)
25. Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
26. No duration limit for this SA