Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 1-1, RouterA is the branch gateway and RouterB is the enterprise headquarters gateway (a Cisco router). The branch and the headquarters communicate over the public network.
The enterprise wants to protect the data flows between the branch subnet and the headquarters subnet. Because the two gateways communicate over the Internet, an IPSec tunnel can be set up between the branch gateway and the headquarters gateway.
Figure 1-1 Networking for establishing an IPSec tunnel between the AR and the Cisco router in IKEv1 aggressive mode
Procedure
Step 1 Configure RouterA.
#
 sysname RouterA //Configure the device name.
#
 ipsec authentication sha2 compatible enable
#
 ike local-name huawei
#
acl number 3000 //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer peer1 v1 //Configure an IKE peer.
 exchange-mode aggressive //Configure the aggressive mode.
 pre-shared-key cipher %@%@W'KwGZ8`tQ8s^C8q(qC"0(;@%@%@%#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%# //Configure the pre-shared key as huawei@1234.
 ike-proposal 1
 local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
 remote-name RouterB //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
 remote-address 60.1.2.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1 //Apply the IPSec policy to the interface.
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure reachability at both ends.
#
return
Step 2 Configure RouterB.
!
hostname RouterB //Configure the device name.
!
crypto isakmp policy 1
 encryption aes 128
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key huawei@1234 hostname huawei //Configure the pre-shared key as huawei@1234.
!
crypto isakmp identity hostname //Set the local ID type in IKE negotiation to name.
!
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128 //Configure a security algorithm used by IPSec.
!
crypto map p1 1 ipsec-isakmp //Configure an IPSec policy.
 set peer 60.1.1.1
 set transform-set p1
 match address 102
!
interface GigabitEthernet0/0
 ip address 60.1.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map p1 //Apply the IPSec policy to the interface.
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route to ensure reachability at both ends.
!
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.
!
end
Step 3 Verify the configuration
# Ping PCB from PCA
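As an added example (not part of the original page or of either vendor's tooling), the following Python checker pulls the IKE phase-1 algorithms, the IKE identities and the protected flows out of constructed excerpts of the two configurations above and reports any mismatch that would stop the tunnel from coming up. The excerpts reuse only the page's own values; the function names and the vendor-neutral spellings (aes128, sha256) are assumptions.

```python
import re

# Constructed excerpts of RouterA (Huawei AR) and RouterB (Cisco); only lines that decide IKE phase 1 and the protected flows are kept.
HUAWEI = """ike local-name huawei
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha2-256
 remote-name RouterB
"""
CISCO = """hostname RouterB
 encryption aes 128
 hash sha256
 group 14
crypto isakmp key huawei@1234 hostname huawei
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def _grab(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def huawei_ike(cfg):
    # Normalise Huawei spellings (aes-cbc-128 -> aes128, sha2-256 -> sha256) so both sides compare directly.
    return {
        "enc": "aes" + _grab(r"^\s*encryption-algorithm aes-(?:cbc-)?(\d+)", cfg),
        "hash": "sha" + _grab(r"^\s*authentication-algorithm sha2-(\d+)", cfg),
        "dh": _grab(r"^\s*dh group(\d+)", cfg),
        "local_id": _grab(r"^ike local-name (\S+)", cfg),
        "peer_id": _grab(r"^\s*remote-name (\S+)", cfg),
        "flow": re.search(r"source (\S+) \S+ destination (\S+)", cfg).groups(),
    }

def cisco_ike(cfg):
    return {
        "enc": "aes" + _grab(r"^\s*encryption aes (\d+)", cfg),
        "hash": _grab(r"^\s*hash (sha\d+)", cfg),
        "dh": _grab(r"^\s*group (\d+)", cfg),
        "local_id": _grab(r"^hostname (\S+)", cfg),
        "peer_id": _grab(r"crypto isakmp key \S+ hostname (\S+)", cfg),
        "flow": re.search(r"permit ip (\S+) \S+ (\S+) \S+", cfg).groups(),
    }

def mismatches(a, b):
    """Names of parameters whose mismatch would keep the IKEv1 tunnel from coming up."""
    bad = [k for k in ("enc", "hash", "dh") if a[k] != b[k]]
    if a["peer_id"] != b["local_id"] or b["peer_id"] != a["local_id"]:
        bad.append("identity")  # each side's expected peer name must equal the other side's own name
    if a["flow"] != b["flow"][::-1]:
        bad.append("acl")  # Cisco access-list 102 must be the mirror image of Huawei ACL 3000
    return bad
```

With the page's values the checker returns an empty list; changing the DH group or the hostname bound to the pre-shared key on one side makes the corresponding key appear.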