H3C Comware V7 IPsec VPN

Today I configured an IPsec VPN on an H3C MSR36-10 router running H3C Comware V7. The commands have changed quite a bit, but by following the official documentation I got it working; I won't say much about the old V5 platform.
Official documentation: http://www.h3c.com.cn/Service/Document_Center/Routers/Catalog/MSR/MSR_5600/Command/Command_Manual/H3C_MSR_CR(V7)-6W103/11/201405/828589_30005_0.htm
The router configuration is as follows:

[Branch-MSR-3610]dis cu
#
 version 7.1.059, Release 0304
#
 sysname Branch-MSR-3610
#
 telnet server enable
#
 password-recovery enable
#
vlan 1
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 description TO_waiwang-WAN
 combo enable copper
 ip address 113.97.129.10 255.255.255.0
 ipsec apply policy Branch
#
interface GigabitEthernet0/1
 port link-mode route
 description TO_neiwang-LAN
 ip address 100.44.4.2 255.255.255.0
#
interface GigabitEthernet0/2
 port link-mode route
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 113.97.129.1
#
acl advanced 3000
 rule 10 permit ip source 100.44.4.0 0.0.0.255 destination 100.10.10.0 0.0.0.255
#
acl advanced 3900
 rule 10 deny ip source 100.44.4.0 0.0.0.255 destination 100.10.10.0 0.0.0.255
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$DtT6MTV8L+TWencT$y+nCFfRsb6Gu7d0Rc85tpaWqaq3tdv4viPurrm+4ak5zQ6obmHYg==
 service-type telnet
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
ipsec transform-set Branch
 esp encryption-algorithm des-cbc 
 esp authentication-algorithm md5 
 pfs dh-group1
#
ipsec policy Branch 10 isakmp
 transform-set Branch
 security acl 3000 
 remote-address 114.202.132.212
 ike-profile Branch
#
ike profile Branch   ### there is no longer an ike peer view; in V7 its settings are split between ike profile (this view) and ike keychain
 keychain Branch
 proposal 10 
#
ike proposal 10
 authentication-algorithm md5
#
ike keychain Branch    ### the pre-shared key that used to live under ike peer is now configured in ike keychain
 pre-shared-key address 114.202.132.212 255.255.255.255 key cipher $c$3$OraBlcTfbc1IXFPE4INI98rq
#
return

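The transform set and IKE proposal above negotiate DES-CBC, HMAC-MD5 and DH group 1, all of which are deprecated for IPsec, and the IKE proposal sets only the authentication algorithm, so the cipher and DH group fall back to platform defaults. The script below is an added example, not code from the original post or from H3C: it parses the crypto-relevant views of a Comware V7 `display current-configuration` dump (the excerpt above is embedded as constructed sample input) and reports every weak setting together with the command a reviewer would ask for instead. The replacement syntax (`aes-cbc-256`, `sha256`, `pfs dh-group14` / `dh group14`) and the IKE proposal defaults assumed for unset parameters (`des-cbc`, `sha`, `group1`) are assumptions drawn from the Comware V7 command reference linked above; confirm them against the manual for your release.

```python
"""Flag deprecated IKE/IPsec algorithms in a Comware V7 configuration dump.

Added example, not code from the original post or from H3C. The replacement
commands and the IKE proposal defaults are the author's reading of the
Comware V7 command reference; verify them against the manual for your release.
"""
from collections import namedtuple

# Constructed sample: the crypto-relevant views from the config shown above.
SAMPLE_CONFIG = """\
ipsec transform-set Branch
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pfs dh-group1
#
ipsec policy Branch 10 isakmp
 transform-set Branch
 security acl 3000
#
ike proposal 10
 authentication-algorithm md5
#
"""

# Keywords as Comware prints them (ike proposal says 'sha', transform-set 'sha1').
WEAK = {
    "des-cbc": "56-bit DES, brute-forceable",
    "3des-cbc": "3DES, 64-bit block (Sweet32), deprecated",
    "md5": "HMAC-MD5, deprecated",
    "sha": "HMAC-SHA1, deprecated", "sha1": "HMAC-SHA1, deprecated",
    "group1": "768-bit MODP, far below 112-bit security",
    "dh-group1": "768-bit MODP, far below 112-bit security",
    "group2": "1024-bit MODP, below current minimums",
    "dh-group2": "1024-bit MODP, below current minimums",
}
# (keyword, value assumed when the keyword is absent, replacement command).
# ASSUMPTION: Comware V7 IKE proposal defaults are des-cbc / sha / group1, so a
# proposal that sets only authentication-algorithm (as above) still negotiates
# the default cipher and DH group. Transform sets are judged on explicit values.
TRANSFORM_SET_CHECKS = [
    ("esp encryption-algorithm", None, "esp encryption-algorithm aes-cbc-256"),
    ("esp authentication-algorithm", None, "esp authentication-algorithm sha256"),
    ("pfs", None, "pfs dh-group14"),
]
IKE_PROPOSAL_CHECKS = [
    ("encryption-algorithm", "des-cbc", "encryption-algorithm aes-cbc-256"),
    ("authentication-algorithm", "sha", "authentication-algorithm sha256"),
    ("dh", "group1", "dh group14"),
]

# block: the view ("ike proposal 10"); value: configured or assumed default;
# fix: the command to enter in that view.
Finding = namedtuple("Finding", "block setting value reason fix")


def parse_blocks(text):
    """{view: [commands]}: a column-0 line opens a view, indented lines belong
    to it, and '#', a blank line or the next view closes it."""
    blocks, view, body = {}, None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if view is not None and not line.startswith(" "):
            blocks[view] = body
            view, body = None, []
        if line.startswith(" "):
            if view is not None:
                body.append(line.strip())
        elif line and line != "#":
            view, body = line, []
    if view is not None:
        blocks[view] = body
    return blocks


def audit(text):
    """Return a Finding for every weak (or weak-by-default) algorithm."""
    findings = []
    for view, commands in parse_blocks(text).items():
        if view.startswith("ipsec transform-set "):
            checks = TRANSFORM_SET_CHECKS
        elif view.startswith("ike proposal "):
            checks = IKE_PROPOSAL_CHECKS
        else:
            continue
        configured = {kw: cmd[len(kw):].strip()
                      for cmd in commands for kw, _, _ in checks
                      if cmd.startswith(kw + " ")}
        for keyword, default, fix in checks:
            value, note = configured.get(keyword), ""
            if value is None:
                if default is None:
                    continue             # nothing configured, nothing inherited
                value, note = default, " (not set; assumed default)"
            if value in WEAK:
                findings.append(Finding(view, keyword, value + note, WEAK[value], fix))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.block}] {f.setting} {f.value}: {f.reason} -> '{f.fix}'")
```

Run against the excerpt, the script produces six findings: three for the transform set and three for the IKE proposal, two of which are defaults the configuration never mentions. The same dump also shows `telnet server enable` and `service-type telnet` for the admin account; the script does not look at management-plane settings, but a production review would move that access to SSH.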
Check whether the IKE and IPsec SAs came up:

[Branch-MSR-3610]dis ike sa
    Connection-ID   Remote                Flag         DOI    
------------------------------------------------------------------
    3604            114.202.132.212       RD           IPsec  
Flags:
RD--READY RL--REPLACED FD-FADING

[Branch-MSR-3610]dis ipsec sa 
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
  -----------------------------
  IPsec policy: Branch
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy: dh-group1
    Inside VPN: 
    Path MTU: 1443
    Tunnel:
        local  address: 113.97.129.10
        remote address: 114.202.132.212
    Flow:
        sour addr: 100.44.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 100.10.10.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 2247051525 (0x85ef4905)
      Connection ID: 4294967296
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1833773/3456
      Max received sequence-number: 16699
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active
    [Outbound ESP SAs]
      SPI: 4091890288 (0xf3e54a70)
      Connection ID: 4294967297
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1837001/3456
      Max sent sequence-number: 16332
      UDP encapsulation used for NAT traversal: N
      Status: Active

Connection successful!

The `display ipsec sa` output is worth checking against the policy rather than just reading "Active": the peer must be the configured `remote-address`, the flow selectors must match ACL 3000, both ESP SAs must be present and active, and anti-replay must be on. The script below is an added example, not part of the original post or of H3C's tooling: it parses the output above (embedded, lightly abridged, as constructed sample input), extracts the inbound and outbound SPIs for matching ESP packets in a capture, and lists every mismatch against the expected policy. The 5% remaining-lifetime threshold is an arbitrary choice for this example.

```python
"""Check a Comware V7 'display ipsec sa' tunnel against the configured policy.

Added example, not from the original post or from H3C. Parses the output
shown above and reports peer, flow, SA status, anti-replay and lifetime
problems; an empty problem list means the tunnel matches what was configured.
"""
import re

# Constructed sample: the 'display ipsec sa' output shown above, abridged.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet0/0
  IPsec policy: Branch
  Sequence number: 10
  Mode: ISAKMP
    Encapsulation mode: tunnel
    Perfect forward secrecy: dh-group1
    Path MTU: 1443
    Tunnel:
        local  address: 113.97.129.10
        remote address: 114.202.132.212
    Flow:
        sour addr: 100.44.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 100.10.10.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 2247051525 (0x85ef4905)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1833773/3456
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active
    [Outbound ESP SAs]
      SPI: 4091890288 (0xf3e54a70)
      Transform set:  ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1837001/3456
      UDP encapsulation used for NAT traversal: N
      Status: Active
"""


def parse_ipsec_sa(text):
    """Return {'info': {...}, 'sas': [{'direction': ..., key: value}, ...]}.
    'key: value' lines before the first [... ESP SAs] header describe the
    tunnel; lines after such a header describe that SA."""
    parsed = {"info": {}, "sas": []}
    target = parsed["info"]
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if header:
            target = {"direction": header.group(1).lower()}
            parsed["sas"].append(target)
        elif ":" in line:
            key, _, value = line.partition(":")
            target[" ".join(key.split())] = value.strip()
    return parsed


def lifetime_fraction(sa):
    """Smallest remaining/total ratio over the byte and time lifetimes."""
    total = sa["SA duration (kilobytes/sec)"].split("/")
    left = sa["SA remaining duration (kilobytes/sec)"].split("/")
    return min(int(l) / int(t) for l, t in zip(left, total))


def spi_pair(parsed):
    """(inbound SPI, outbound SPI) as integers, for matching ESP in a capture."""
    by_dir = {sa["direction"]: int(sa["SPI"].split()[0]) for sa in parsed["sas"]}
    return by_dir["inbound"], by_dir["outbound"]


def check_tunnel(parsed, peer, flow_src, flow_dst, min_lifetime=0.05):
    """List every mismatch between the live tunnel and the expected policy."""
    info, sas = parsed["info"], parsed["sas"]
    problems = []
    if info.get("remote address") != peer:
        problems.append(f"peer is {info.get('remote address')}, expected {peer}")
    for key, expected in (("sour addr", flow_src), ("dest addr", flow_dst)):
        got = info.get(key, "").split()[:1]       # drop the port/protocol tail
        if got != [expected]:
            problems.append(f"{key} is {got}, expected {expected}")
    if sorted(sa["direction"] for sa in sas) != ["inbound", "outbound"]:
        problems.append("expected exactly one inbound and one outbound ESP SA")
    for sa in sas:
        tag = f"{sa['direction']} SA {sa.get('SPI', '?').split()[0]}"
        if sa.get("Status") != "Active":
            problems.append(f"{tag} is not Active")
        if sa["direction"] == "inbound" and sa.get("Anti-replay check enable") != "Y":
            problems.append(f"{tag} has anti-replay disabled")
        if lifetime_fraction(sa) < min_lifetime:
            problems.append(f"{tag} is about to expire")
    return problems


if __name__ == "__main__":
    tunnel = parse_ipsec_sa(SAMPLE_OUTPUT)
    print("SPIs (in, out):", spi_pair(tunnel))
    print("problems:", check_tunnel(tunnel, "114.202.132.212",
                                    "100.44.4.0/255.255.255.0",
                                    "100.10.10.0/255.255.255.0") or "none")
```

The expected peer and flow come straight from the policy above (`remote-address 114.202.132.212` and rule 10 of ACL 3000). The `Transform set` lines also confirm that the tunnel really negotiated DES-CBC with HMAC-MD5, so a clean check here says the tunnel is healthy, not that it is strong.
<test>
t = parse_ipsec_sa(SAMPLE_OUTPUT)
assert spi_pair(t) == (2247051525, 4091890288)
assert abs(lifetime_fraction(t["sas"][0]) - 0.96) < 1e-9
assert t["info"]["local address"] == "113.97.129.10"
ok = check_tunnel(t, "114.202.132.212", "100.44.4.0/255.255.255.0", "100.10.10.0/255.255.255.0")
assert ok == []
bad = parse_ipsec_sa(SAMPLE_OUTPUT.replace("Anti-replay check enable: Y", "Anti-replay check enable: N"))
assert len(check_tunnel(bad, "114.202.132.212", "100.44.4.0/255.255.255.0", "100.10.10.0/255.255.255.0")) == 1
assert len(check_tunnel(t, "198.51.100.1", "100.44.4.0/255.255.255.0", "100.10.10.0/255.255.255.0")) == 1
assert len(check_tunnel(t, "114.202.132.212", "100.44.4.0/255.255.255.0", "100.10.10.0/255.255.255.0", min_lifetime=0.99)) == 2
</test>
