H3C firewall and router IPsec VPN
Configuration of the router between the two sites (it hands the branch router its WAN address by DHCP):

dis current-configuration
version 7.1.075, Alpha 7571
sysname H3C
dhcp enable
dhcp server forbidden-ip 119.0.112.2
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
vlan 1
dhcp server ip-pool changsha
 gateway-list 119.0.112.2
 network 119.0.112.0 mask 255.255.255.0
 dns-list 202.202.202.202
 expired day 1 hour 1 minute 10
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 222.86.86.2 255.255.255.0
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 119.0.112.2 255.255.255.0
 dhcp server apply ip-pool changsha
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 111.122.43.2 255.255.255.0
return

Changsha branch egress router configuration:

dis current-configuration
version 7.1.075, Alpha 7571
sysname H3C
vlan 1
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address dhcp-alloc
 ipsec apply policy firewall
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 172.16.4.1 255.255.255.0
ip route-static 0.0.0.0 0 GigabitEthernet0/0 119.0.112.2
acl advanced 3001
 description to_firewall_vpn
 rule 0 permit ip source 172.16.4.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit icmp source 172.16.4.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec transform-set changsha_set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ipsec policy firewall 10 isakmp
 transform-set changsha_set
 security acl 3001
 remote-address 222.86.86.1
 ike-profile changsha
ike identity fqdn changsha
ike profile changsha
 keychain changsha_key
 exchange-mode aggressive
 local-identity fqdn changsha
 match remote identity address 222.86.86.1 255.255.255.255
 proposal 1
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
ike keychain changsha_key
 pre-shared-key address 222.86.86.1 255.255.255.255 key cipher 123
return

Firewall configuration:

dis current-configuration
version 7.1.064, Alpha 7164
sysname firewall
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
xbar load-single
password-recovery enable
lpu-type f-series
vlan 1
interface NULL0
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 222.86.86.1 255.255.255.0
 ipsec apply policy firewall_policy
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
 ip address 192.168.100.100 255.255.255.0
object-policy ip manage
 rule 0 pass
security-zone name Local
security-zone name Trust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/3
security-zone name DMZ
security-zone name Untrust
 import interface GigabitEthernet1/0/0
security-zone name Management
zone-pair security source Any destination Any
 packet-filter 3000
zone-pair security source Any destination Local
 packet-filter 3000
zone-pair security source Local destination Any
 packet-filter 3000
zone-pair security source Trust destination Local
 object-policy apply ip manage
line aux 0
 user-role network-admin
line con 0
 authentication-mode scheme
 user-role network-admin
line vty 0 4
 authentication-mode scheme
 user-role network-admin
line vty 5 63
 user-role network-operator
ip route-static 0.0.0.0 0 222.86.86.2
ip route-static 192.168.20.0 24 192.168.0.2
acl advanced 3000
 rule 0 permit ip
 rule 10 permit icmp
acl advanced 3002
 description lan_to_changsha
 rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
 rule 10 permit icmp source 192.168.20.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
domain system
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
local-user admin class manage
 password hash admin
 service-type telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
ipsec transform-set changsha_set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ipsec policy-template changsha_tmp 10
 transform-set changsha_set
 security acl 3002
 local-address 222.86.86.1
 ike-profile changsha
ipsec policy firewall_policy 20 isakmp template changsha_tmp
ike identity address 222.86.86.1
ike profile changsha
 keychain changsha_key
 exchange-mode aggressive
 local-identity address 222.86.86.1
 match remote identity fqdn changsha
 proposal 1
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
ike keychain changsha_key
 pre-shared-key hostname changsha key cipher 123
ip http enable
ip https enable
return

Headquarters core switch configuration:

dis current-configuration
version 7.1.075, Alpha 7571
sysname sw
vlan 1
vlan 20
interface Vlan-interface1
 ip address 192.168.0.2 255.255.255.0
interface Vlan-interface20
 ip address 192.168.20.1 255.255.255.0
ip route-static 0.0.0.0 0 192.168.0.1
return

After everything is configured, check on the firewall and the router with:

dis ike sa

Once ping succeeds, check with:

dis ipsec sa brief
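An added example, not part of the original page: a Python check over excerpts of the branch router and firewall configs above. It lists the legacy IKE/IPsec settings they use and confirms that ACL 3001 and ACL 3002 describe the same protected flow in opposite directions, the usual way to make both tunnel ends agree on what is encrypted. The function names and the LEGACY rule table are assumptions of this example, and the parser expects sub-commands indented under their section header.

```python
import re

# Excerpts of the two tunnel endpoints' configs from this page (sub-commands indented).
BRANCH = """\
acl advanced 3001
 rule 0 permit ip source 172.16.4.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec transform-set changsha_set
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ike profile changsha
 exchange-mode aggressive
ike proposal 1
 dh group2
"""
FIREWALL = """\
acl advanced 3002
 rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
"""
# Audit rules chosen for this example (not an H3C feature): pattern -> reason.
LEGACY = {
    r"encryption-algorithm (3des-cbc|des-cbc)$": "64-bit block cipher",
    r"authentication-algorithm (sha1|md5)$": "legacy integrity hash",
    r"^dh group(1|2|5)$": "MODP group below 2048 bits",
    r"^exchange-mode aggressive$": "IKEv1 aggressive mode sends identities unencrypted",
}
RULE = re.compile(r"rule \d+ permit (\S+) source (\S+ \S+) destination (\S+ \S+)$")

def sections(config):
    """Map each top-level command to itself plus its indented sub-commands."""
    out, head = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            head = line.strip()
        out.setdefault(head, []).append(line.strip())
    return out

def legacy_settings(config):
    """Return (section, command, reason) for every command matching LEGACY."""
    return [(head, cmd, why) for head, cmds in sections(config).items()
            for cmd in cmds for pat, why in LEGACY.items() if re.search(pat, cmd)]

def acl_flows(config, number):
    """Return the (protocol, source, destination) permit rules of one advanced ACL."""
    cmds = sections(config).get(f"acl advanced {number}", [])
    return {m.groups() for m in map(RULE.match, cmds) if m}

def mirrored(flows_a, flows_b):
    """True when every flow on one side appears reversed on the other."""
    return flows_a == {(proto, dst, src) for proto, src, dst in flows_b}
```

Run `legacy_settings()` on each device's full configuration and `mirrored(acl_flows(branch, 3001), acl_flows(firewall, 3002))` on the pair before bringing the tunnel up.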