H3C-VPN Configuration
Topology
Configure IP addresses
<R1> system-view
[R1] interface e0/1
[R1-Ethernet0/1] ip address 192.168.100.254 255.255.255.0
[R1] interface e0/0
[R1-Ethernet0/0] ip address 192.168.13.1 255.255.255.0
<R2> system-view
[R2] interface e0/1
[R2-Ethernet0/1] ip address 192.168.200.254 255.255.255.0
[R2] interface e0/0
[R2-Ethernet0/0] ip address 192.168.23.2 255.255.255.0
<R3> system-view
[R3] interface e0/0
[R3-Ethernet0/0] ip address 192.168.13.3 255.255.255.0
[R3] interface e0/1
[R3-Ethernet0/1] ip address 192.168.23.3 255.255.255.0
PC1 settings
PC2 settings
Configure Manual Tunnel
[R1] acl 3000
[R1-acl-3000] rule permit ip source 192.168.100.1 0.0.0.255 destination 192.168.200.2 0.0.0.255
[R1-acl-3000] rule deny ip source any destination any
[R1-acl-3000] quit
// Create an access rule
[R1] ipsec proposal trans1
[R1-ipsec-proposal-trans1] encapsulation-mode tunnel
[R1-ipsec-proposal-trans1] transform esp-new
[R1-ipsec-proposal-trans1] esp-new authentication md5-hmac-96
[R1-ipsec-proposal-trans1] esp-new encryption-algorithm des
[R1-ipsec-proposal-trans1] quit
// Create a proposal that selects ESP in tunnel mode and sets its encryption and authentication algorithms
[R1] ipsec policy p1 100 manual
[R1-ipsec-policy-p1-100] security acl 3000
[R1-ipsec-policy-p1-100] proposal trans1
[R1-ipsec-policy-p1-100] tunnel local 192.168.13.1
[R1-ipsec-policy-p1-100] tunnel remote 192.168.23.2
[R1-ipsec-policy-p1-100] sa inbound esp spi 123456
[R1-ipsec-policy-p1-100] sa inbound esp string-key asdf
[R1-ipsec-policy-p1-100] sa outbound esp spi 654321
[R1-ipsec-policy-p1-100] sa outbound esp string-key fdsa
[R1-ipsec-policy-p1-100] quit
// Create a manual policy that references the preceding ACL and proposal; it is applied to the tunnel interface. The policy on each end of the tunnel mirrors the other: the tunnel local address on R1 is the tunnel remote address on R2, and the inbound SA (SPI and key) on R1 is the outbound SA on R2.
[R1] interface e0/0
[R1-Ethernet0/0] ipsec policy p1
// Apply the policy to the egress (WAN-facing) interface
[R2] acl 3001
[R2-acl-3001] rule permit ip source 192.168.200.2 0.0.0.255 destination 192.168.100.1 0.0.0.255
[R2-acl-3001] rule deny ip source any destination any
[R2-acl-3001] quit
// Create an access rule
[R2] ipsec proposal trans2
[R2-ipsec-proposal-trans2] encapsulation-mode tunnel
[R2-ipsec-proposal-trans2] transform esp-new
[R2-ipsec-proposal-trans2] esp-new authentication md5-hmac-96
[R2-ipsec-proposal-trans2] esp-new encryption-algorithm des
[R2-ipsec-proposal-trans2] quit
// Create a proposal that selects ESP in tunnel mode and sets its encryption and authentication algorithms
[R2] ipsec policy p2 200 manual
[R2-ipsec-policy-p2-200] security acl 3001
[R2-ipsec-policy-p2-200] proposal trans2
[R2-ipsec-policy-p2-200] tunnel local 192.168.23.2
[R2-ipsec-policy-p2-200] tunnel remote 192.168.13.1
[R2-ipsec-policy-p2-200] sa inbound esp spi 654321
[R2-ipsec-policy-p2-200] sa inbound esp string-key fdsa
[R2-ipsec-policy-p2-200] sa outbound esp spi 123456
[R2-ipsec-policy-p2-200] sa outbound esp string-key asdf
[R2-ipsec-policy-p2-200] quit
[R2] interface e0/0
[R2-Ethernet0/0] ipsec policy p2
Add a default route on the routers at both ends of the tunnel so that the intranet subnets can reach the external network.
[R1] ip route-static 0.0.0.0 0.0.0.0 192.168.13.3 preference 60 // The default route on R1
[R2] ip route-static 0.0.0.0 0.0.0.0 192.168.23.3 preference 60 // The default route on R2
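Because a manual tunnel never negotiates, any mismatch between the two ends (addresses, SPIs or keys) silently drops traffic, so the following Python script, added here and not part of the original page, parses the manual-mode policy lines from both routers and checks that they mirror each other. The R1_POLICY and R2_POLICY strings are constructed from the configuration above; the weak-algorithm check reflects that single DES and HMAC-MD5-96 are deprecated and, outside a lab, should be replaced by AES and a SHA-2 HMAC.

```python
# Constructed sample input: the manual-mode IPsec settings of R1 and R2 from this page.
R1_POLICY = """
esp-new authentication md5-hmac-96
esp-new encryption-algorithm des
tunnel local 192.168.13.1
tunnel remote 192.168.23.2
sa inbound esp spi 123456
sa inbound esp string-key asdf
sa outbound esp spi 654321
sa outbound esp string-key fdsa
"""
R2_POLICY = """
esp-new authentication md5-hmac-96
esp-new encryption-algorithm des
tunnel local 192.168.23.2
tunnel remote 192.168.13.1
sa inbound esp spi 654321
sa inbound esp string-key fdsa
sa outbound esp spi 123456
sa outbound esp string-key asdf
"""
WEAK_ALGORITHMS = {"des", "md5-hmac-96"}  # single DES and HMAC-MD5-96 are deprecated

def parse_policy(text):
    """Map each config line's keyword path (minus any [prompt]) to its last argument."""
    cfg = {}
    for line in text.strip().splitlines():
        *keys, value = line.split("] ")[-1].split()  # tolerate pasted "[R1-...] " prompts
        cfg[" ".join(keys)] = value
    return cfg

def check_peers(a, b):
    """Return a list of findings; an empty list means the two ends are consistent."""
    findings = []
    if a["tunnel local"] != b["tunnel remote"] or a["tunnel remote"] != b["tunnel local"]:
        findings.append("tunnel local/remote addresses are not mirrored")
    # A's inbound SA must equal B's outbound SA and vice versa (both SPI and key).
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in ("spi", "string-key"):
            if a[f"sa {mine} esp {field}"] != b[f"sa {theirs} esp {field}"]:
                findings.append(f"A {mine} {field} differs from B {theirs} {field}")
    for name, cfg in (("A", a), ("B", b)):
        for key in ("esp-new authentication", "esp-new encryption-algorithm"):
            if cfg.get(key) in WEAK_ALGORITHMS:
                findings.append(f"{name} uses weak algorithm {cfg[key]}")
    return findings

if __name__ == "__main__":
    print(check_peers(parse_policy(R1_POLICY), parse_policy(R2_POLICY)))
```

For the page's configuration the only findings are the four weak-algorithm warnings; the IKE pre-shared-key lines of the automatic tunnel are not covered by this parser.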
View the tunnel status and the connectivity between PC1 and PC2.
Ipsec policy name: p1
Ipsec policy sequence: 100
Negotiation mode: manual
Security acl: 3000
Local address: 192.168.13.1
Remote address: 192.168.23.2
Proposal name: trans1
Esp (inbound) setting:
Esp spi: 654321 (0x9fbf1)
Esp string-key: fdsa
Esp encryption-hex:
Esp authen-hex:
Esp (outbound) setting:
Esp spi: 123456 (0x1e240)
Esp string-key: asdf
Esp encryption-hex:
Esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
// Tunnel status of router R1
Ipsec policy name: p2
Ipsec policy sequence: 200
Negotiation mode: manual
Security acl: 3001
Local address: 192.168.23.2
Remote address: 192.168.13.1
Proposal name: trans2
Esp (inbound) setting:
Esp spi: 123456 (0x1e240)
Esp string-key: asdf
Esp encryption-hex:
Esp authen-hex:
Esp (outbound) setting:
Esp spi: 654321 (0x9fbf1)
Esp string-key: fdsa
Esp encryption-hex:
Esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
// Tunnel status of router R2
// Ping PC2 from PC1
Pinging 192.168.200.2 with 32 bytes of data:
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
Reply from 192.168.200.2: bytes=32 time=9ms TTL=254
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
Reply from 192.168.200.2: bytes=32 time=9ms TTL=254
Configure Automatic Tunnel
[R1] ipsec policy p3 300 isakmp
[R1-ipsec-policy-p3-300] security acl 3000
[R1-ipsec-policy-p3-300] proposal trans1
[R1-ipsec-policy-p3-300] tunnel local 192.168.13.1
[R1-ipsec-policy-p3-300] tunnel remote 192.168.23.2
[R1-ipsec-policy-p3-300] quit
[R1] ike pre-shared-key 12345 remote 192.168.23.2
[R1] interface e0/0
[R1-Ethernet0/0] ipsec policy p3
// Change the policy to automatic (isakmp) negotiation mode; the pre-shared key must be identical at both ends of the tunnel.
[R2] ipsec policy p4 400 isakmp
[R2-ipsec-policy-p4-400] security acl 3001
[R2-ipsec-policy-p4-400] proposal trans2
[R2-ipsec-policy-p4-400] tunnel local 192.168.23.2
[R2-ipsec-policy-p4-400] tunnel remote 192.168.13.1
[R2-ipsec-policy-p4-400] quit
[R2] ike pre-shared-key 12345 remote 192.168.13.1
[R2] interface e0/0
[R2-Ethernet0/0] ipsec policy p4
View the tunnel status and the connectivity between PC1 and PC2.
Ipsec policy name: p3
Ipsec policy sequence: 300
Negotiation mode: isakmp
Security acl: 3000
Remote address 0: 192.168.23.2
Proposal name: trans1
Ipsec sa duration: 3600 seconds
Ipsec sa duration: 1843200 kilobytes
OutBound SA has been established.
InBound SA has been established.
// Tunnel status of router R1
Ipsec policy name: p4
Ipsec policy sequence: 400
Negotiation mode: isakmp
Security acl: 3001
Remote address 0: 192.168.13.1
Proposal name: trans2
Ipsec sa duration: 3600 seconds
Ipsec sa duration: 1843200 kilobytes
OutBound SA has been established.
InBound SA has been established.
// Tunnel status of router R2
Pinging 192.168.200.2 with 32 bytes of data:
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
Reply from 192.168.200.2: bytes=32 time=9ms TTL=254
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
Reply from 192.168.200.2: bytes=32 time=3ms TTL=254
// Ping PC2 from PC1
Author: "Computer Communication zone"