1、网络拓扑图
2、核心配置
1)nat过程中的acl列表,必须要禁止两个内网的网路能够互通
2)ipsec配置
3、详细配置
R1
<r1>display current-configuration
[V200R003C00]
#
sysname r1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal beijing
#
ipsec policy gd 1 manual
security acl 3001
proposal beijing
tunnel local 10.1.1.2
tunnel remote 20.1.1.2
sa spi inbound esp 12345
sa string-key inbound esp cipher %$%$M'c)7iN]$W^pjD*<p_I(,.2n%$%$
sa spi outbound esp 54321
sa string-key outbound esp cipher %$%$M'c)7iN]$W^pjD*<p_I(,.2n%$%$
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.0
ipsec policy gd
nat outbound 3000
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
user-interface con 0
authentication-mode password
idle-timeout 0 0
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<r1>
R2
<r2>display current-configuration
[V200R003C00]
#
sysname r2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
idle-timeout 0 0
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<r2>
R3
<r3>display current-configuration
[V200R003C00]
#
sysname r3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.1.1.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal nanjing
#
ipsec policy tj 1 manual
security acl 3001
proposal nanjing
tunnel local 20.1.1.2
tunnel remote 10.1.1.2
sa spi inbound esp 54321
sa string-key inbound esp cipher %$%$M'c)7iN]$W^pjD*<p_I(,.2n%$%$
sa spi outbound esp 12345
sa string-key outbound esp cipher %$%$M'c)7iN]$W^pjD*<p_I(,.2n%$%$
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 20.1.1.2 255.255.255.0
ipsec policy tj
nat outbound 3000
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
user-interface con 0
authentication-mode password
idle-timeout 0 0
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<r3>