2026-01-19
Note: This article uses H3C network devices as an example to describe how a headquarters uses the IPsec policy template method to establish IPsec tunnels with its branches that protect IPv4 packets.
Enterprise branches access the enterprise headquarters over IPsec VPN, with the following requirements:
Establish IPsec tunnels between the headquarters gateway Device A and the branch gateways Device B and Device C, protecting the traffic between the headquarters network 4.4.4.0/24 and the branch networks 5.5.5.0/24 and 6.6.6.0/24 respectively. The IPsec SAs are established through IKE negotiation, using the ESP security protocol, the DES encryption algorithm and the HMAC-SHA-1-96 authentication algorithm. IKE negotiation uses pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm. The headquarters gateway Device A uses the IPsec policy template method; the branch gateways Device B and Device C use the IPsec policy method. The network diagram for the IPsec policy template configuration is as follows:

Configure Device A
(1) Configure interface IP addresses
# Configure the IP address of each interface according to the network diagram:
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
Configure interface GE1/0/2 in the same way.
(2) Configure static routes
This example configures routing with static routes only. In a real network, choose the routing method that fits the situation.
# Configure static routes according to the network diagram. This example assumes that the next-hop IP address toward the peer gateways and the branch networks is 1.1.1.2.
[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2
[DeviceA] ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
[DeviceA] ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
(3) Add interfaces to security zones
# Add the interfaces to their security zones according to the network diagram:
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
(4) Configure security policies
1) Configure security policy rules permitting traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels
# Configure a security policy rule named ipseclocalout1 so that Device A can send IPsec tunnel negotiation packets to Device B:
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout1
[DeviceA-security-policy-ip-1-ipseclocalout1] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout1] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout1] action pass
[DeviceA-security-policy-ip-1-ipseclocalout1] quit
# Configure a security policy rule named ipseclocalin1 so that Device A can receive and process IPsec tunnel negotiation packets from Device B:
[DeviceA-security-policy-ip] rule name ipseclocalin1
[DeviceA-security-policy-ip-2-ipseclocalin1] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin1] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin1] action pass
[DeviceA-security-policy-ip-2-ipseclocalin1] quit
# Configure a security policy rule named ipseclocalout2 so that Device A can send IPsec tunnel negotiation packets to Device C:
[DeviceA-security-policy-ip] rule name ipseclocalout2
[DeviceA-security-policy-ip-3-ipseclocalout2] source-zone local
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-zone untrust
[DeviceA-security-policy-ip-3-ipseclocalout2] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-3-ipseclocalout2] action pass
[DeviceA-security-policy-ip-3-ipseclocalout2] quit
# Configure a security policy rule named ipseclocalin2 so that Device A can receive and process IPsec tunnel negotiation packets from Device C:
[DeviceA-security-policy-ip] rule name ipseclocalin2
[DeviceA-security-policy-ip-4-ipseclocalin2] source-zone untrust
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-zone local
[DeviceA-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-4-ipseclocalin2] action pass
[DeviceA-security-policy-ip-4-ipseclocalin2] quit
2) Configure security policy rules permitting traffic between Host A and Host B / Host C
# Configure a security policy rule named trust-untrust so that packets from Host A to Host B are permitted:
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-5-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-5-trust-untrust] destination-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-5-trust-untrust] action pass
[DeviceA-security-policy-ip-5-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host B to Host A are permitted:
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-6-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-6-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-6-untrust-trust] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-6-untrust-trust] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-6-untrust-trust] action pass
[DeviceA-security-policy-ip-6-untrust-trust] quit
# Configure a security policy rule named trust-untrust2 so that packets from Host A to Host C are permitted (the name must differ from rule trust-untrust above: re-entering an existing rule name edits that rule instead of creating a new one):
[DeviceA-security-policy-ip] rule name trust-untrust2
[DeviceA-security-policy-ip-7-trust-untrust2] source-zone trust
[DeviceA-security-policy-ip-7-trust-untrust2] destination-zone untrust
[DeviceA-security-policy-ip-7-trust-untrust2] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] destination-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] action pass
[DeviceA-security-policy-ip-7-trust-untrust2] quit
# Configure a security policy rule named untrust-trust2 so that packets from Host C to Host A are permitted:
[DeviceA-security-policy-ip] rule name untrust-trust2
[DeviceA-security-policy-ip-8-untrust-trust2] source-zone untrust
[DeviceA-security-policy-ip-8-untrust-trust2] destination-zone trust
[DeviceA-security-policy-ip-8-untrust-trust2] source-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] action pass
[DeviceA-security-policy-ip-8-untrust-trust2] quit
[DeviceA-security-policy-ip] quit
(5) Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create the IPsec transform set. The transform set parameters configured on both ends must be identical:
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(6) Configure IKE keychains, which hold the key material agreed between the two communicating parties
# Create an IKE keychain named key1 and specify the plaintext pre-shared key 123 for the peer at address 2.2.2.2.
[DeviceA] ike keychain key1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key1] quit
# Create an IKE keychain named key2 and specify the plaintext pre-shared key 456 for the peer at address 3.3.3.3.
[DeviceA] ike keychain key2
[DeviceA-ike-keychain-key2] pre-shared-key address 3.3.3.3 key simple 456
[DeviceA-ike-keychain-key2] quit
(7) Configure an IKE profile, which defines the security parameters needed to establish the IKE SA
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain key1
[DeviceA-ike-profile-profile1] keychain key2
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 255.255.255.0
[DeviceA-ike-profile-profile1] quit
(8) Configure an IPsec policy template, used to create the IPsec policy
# Create an IPsec policy template named temp1 that references transform set tran1 and IKE profile profile1:
[DeviceA] ipsec policy-template temp1 1
[DeviceA-ipsec-policy-template-temp1-1] transform-set tran1
[DeviceA-ipsec-policy-template-temp1-1] ike-profile profile1
[DeviceA-ipsec-policy-template-temp1-1] quit
(9) Create an IKE-negotiated IPsec policy map1 that references policy template temp1, to establish the IPsec tunnels and protect the data flows that need protection
[DeviceA] ipsec policy map1 10 isakmp template temp1
(10) Configure an IKE proposal, which defines the security parameters the two ends use for IKE negotiation
# Create IKE proposal 1, specifying pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit
(11) Apply the IPsec policy to the interface to protect the traffic on that interface
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
Configure Device B
(1) Configure interface IP addresses
# Configure the IP address of each interface according to the network diagram:
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
Configure interface GE1/0/2 in the same way.
(2) Configure static routes
# Configure static routes according to the network diagram. This example assumes that the next-hop IP address toward the peer gateway and the headquarters network is 2.2.2.3.
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
(3) Add interfaces to security zones
# Add the interfaces to their security zones according to the network diagram:
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
(4) Configure security policies
1) Configure security policy rules permitting traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A:
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A:
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
2) Configure security policy rules permitting traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are permitted:
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are permitted:
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) Configure an ACL to define the data flows to be protected
# Configure IPv4 advanced ACL 3000 to define the data flow from subnet 5.5.5.0/24 to subnet 4.4.4.0/24 as the flow to be protected.
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
(6) Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create the IPsec transform set. The transform set parameters configured on both ends must be identical:
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) Configure an IKE keychain, which holds the key material agreed between the two communicating parties
# Create an IKE keychain named key1 and specify the plaintext pre-shared key 123 for the peer at address 1.1.1.1.
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ike-keychain-key1] quit
(8) Configure an IKE profile, which defines the security parameters needed to establish the IKE SA
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
(9) Configure an ISAKMP-mode IPsec policy to establish the IPsec tunnel and protect the data flows that need protection
# Create an IPsec policy named map1 that references transform set tran1 and ACL 3000, and specify 1.1.1.1 as the remote address of the IPsec tunnel.
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
(10) Configure an IKE proposal, which defines the security parameters the two ends use for IKE negotiation
# Create IKE proposal 1, specifying pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] quit
(11) Apply the IPsec policy to the interface to protect the traffic on that interface
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
Configure Device C
(1) Configure interface IP addresses
# Configure the IP address of each interface according to the network diagram:
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
Configure interface GE1/0/2 in the same way.
(2) Configure static routes
# Configure static routes according to the network diagram. This example assumes that the next-hop IP address toward the peer gateway and the headquarters network is 3.3.3.4.
[DeviceC] ip route-static 4.4.4.0 24 3.3.3.4
[DeviceC] ip route-static 1.1.1.1 24 3.3.3.4
(3) Add interfaces to security zones
# Add the interfaces to their security zones according to the network diagram:
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
(4) Configure security policies
1) Configure security policy rules permitting traffic between the Untrust and Local zones, so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device C can send IPsec tunnel negotiation packets to Device A:
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device C can receive and process IPsec tunnel negotiation packets from Device A:
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
2) Configure security policy rules permitting traffic between Host C and Host A
# Configure a security policy rule named trust-untrust so that packets from Host C to Host A are permitted:
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host C are permitted:
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
(5) Configure an ACL to define the data flows to be protected
# Configure IPv4 advanced ACL 3000 to define the data flow from subnet 6.6.6.0/24 to subnet 4.4.4.0/24 as the flow to be protected.
[DeviceC] acl advanced 3000
[DeviceC-acl-ipv4-adv-3000] rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceC-acl-ipv4-adv-3000] quit
(6) Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create the IPsec transform set. The transform set parameters configured on both ends must be identical (the ESP encryption keyword is des-cbc, matching Device A):
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-tran1] quit
(7) Configure an IKE keychain, which holds the key material agreed between the two communicating parties
# Create an IKE keychain named key1 and specify the plaintext pre-shared key 456 for the peer at address 1.1.1.1.
[DeviceC] ike keychain key1
[DeviceC-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 456
[DeviceC-ike-keychain-key1] quit
(8) Configure an IKE profile, which defines the security parameters needed to establish the IKE SA
[DeviceC] ike profile profile1
[DeviceC-ike-profile-profile1] keychain key1
[DeviceC-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceC-ike-profile-profile1] quit
(9) Configure an ISAKMP-mode IPsec policy to establish the IPsec tunnel and protect the data flows that need protection
# Create an IPsec policy named map1 that references transform set tran1 and ACL 3000, and specify 1.1.1.1 as the remote address of the IPsec tunnel.
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[DeviceC-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceC-ipsec-policy-isakmp-map1-10] quit
(10) Apply the IPsec policy to the interface to protect the traffic on that interface
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceC-GigabitEthernet1/0/1] quit
Verify the configuration
# After the above configuration is complete, when the branch subnet 5.5.5.0/24 initiates a data connection to the headquarters network 4.4.4.0/24, IKE negotiation is triggered between Device B and Device A. Once IKE has negotiated the IPsec SAs, the data flows between the headquarters and the branch subnet are protected by those IPsec SAs.
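As an added example (not part of the original article or of H3C's tooling), a small Python audit of the parameters configured in the transform set, IKE keychain and IKE proposal steps on Device A and Device B. The configuration excerpts are constructed from this page's commands, laid out one command per line; the audit flags the DES/3DES/SHA-1 algorithms and the plaintext "key simple" pre-shared keys, and confirms that the transform set and IKE proposal parameters are identical on both ends, as the article requires.

```python
# Constructed excerpts of the Device A and Device B configuration from this page,
# laid out one command per line as a running configuration would show them.
DEVICE_A = """\
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
ike keychain key1
 pre-shared-key address 2.2.2.2 key simple 123
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
"""
DEVICE_B = DEVICE_A.replace("address 2.2.2.2", "address 1.1.1.1")

# Algorithms this page negotiates that are no longer acceptable for new deployments.
WEAK = {"des-cbc", "3des-cbc", "sha", "sha1", "md5"}

def parse_config(text):
    """Map each top-level command (e.g. 'ike proposal 1') to its {keyword: value} sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line opens a new section
            current = line.strip()
            sections[current] = {}
        elif current is not None:             # last token is the value, the rest is the keyword
            keyword, _, value = line.strip().rpartition(" ")
            sections[current][keyword] = value
    return sections

def audit(text):
    """Flag weak algorithms and plaintext pre-shared keys in one device's configuration."""
    findings = []
    for section, params in parse_config(text).items():
        for keyword, value in params.items():
            if value in WEAK:
                findings.append(f"{section}: weak algorithm '{value}' in '{keyword}'")
            if keyword.endswith("key simple"):
                findings.append(f"{section}: pre-shared key configured in plaintext")
    return findings

def params_of(cfg, prefix):
    return [p for section, p in cfg.items() if section.startswith(prefix)]

def peers_match(text_a, text_b):
    """The transform set and IKE proposal parameters must be identical on both ends."""
    a, b = parse_config(text_a), parse_config(text_b)
    return (params_of(a, "ipsec transform-set") == params_of(b, "ipsec transform-set")
            and params_of(a, "ike proposal") == params_of(b, "ike proposal"))
```

Run audit(DEVICE_A) to list the five findings for Device A and peers_match(DEVICE_A, DEVICE_B) to confirm the two ends agree.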
# The IKE SA created on Device A after IKE phase 1 negotiation succeeds can be viewed with the following command.
[DeviceA] display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               2.2.2.2/500           RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# The IPsec SAs negotiated on Device A can be viewed with the following command.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1463
    Tunnel:
        local  address/port: 1.1.1.1/500
        remote address/port: 2.2.2.2/500
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1014286405 (0x3c74c845)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 4011716027 (0xef1dedbb)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: N
      Status: Active
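As an added example (not from the article or from H3C), a Python check over the display ipsec sa output above: it parses the per-direction ESP SA fields from a constructed excerpt of that output and verifies that the negotiated transform set is the one configured in tran1 (ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1), that anti-replay checking is enabled on the inbound SA, that both SAs are Active and that neither is about to expire. The sample text and the 60-second expiry threshold are assumptions.

```python
import re

# Constructed excerpt of the "display ipsec sa" output shown on this page, one field per line.
SAMPLE = """\
IPsec policy: map1
Sequence number: 10
Mode: Template
[Inbound ESP SAs]
  SPI: 1014286405 (0x3c74c845)
  Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
  SA remaining duration (kilobytes/sec): 1843199/3590
  Anti-replay check enable: Y
  Status: Active
[Outbound ESP SAs]
  SPI: 4011716027 (0xef1dedbb)
  Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
  SA remaining duration (kilobytes/sec): 1843199/3590
  Status: Active
"""

def parse_ipsec_sa(text):
    """Return {'inbound': {...}, 'outbound': {...}} holding each SA's 'Field: value' lines."""
    sas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line.strip())
        if m:
            current = m.group(1).lower()
            sas[current] = {}
        elif current and ":" in line:        # lines before the first SA header are skipped
            key, value = line.strip().split(":", 1)
            sas[current][key.strip()] = value.strip()
    return sas

def check_sa(sas, expected_transform, min_seconds=60):
    """Compare the negotiated state with what was configured; return a list of problems."""
    problems = []
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction)
        if sa is None:
            problems.append(f"{direction}: no SA negotiated")
            continue
        if sa.get("Transform set") != expected_transform:
            problems.append(f"{direction}: unexpected transform set {sa.get('Transform set')}")
        _, _, seconds = sa.get("SA remaining duration (kilobytes/sec)", "0/0").partition("/")
        if int(seconds) < min_seconds:       # near expiry: a rekey should follow, otherwise investigate
            problems.append(f"{direction}: SA expires in {seconds}s")
        if direction == "inbound" and sa.get("Anti-replay check enable") != "Y":
            problems.append("inbound: anti-replay check disabled")
        if sa.get("Status") != "Active":
            problems.append(f"{direction}: status {sa.get('Status')}")
    return problems
```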