Huawei Router: IPSec Technology
2022-06-24 08:56:00 【Rabbit king cool】
The topology

R1: configure the IP addresses according to the topology.
The steps are omitted here.
R2 configuration
[R2]ip route-static 0.0.0.0 0 10.10.10.2 # Add a default route so the two public IP addresses can reach each other
[R2]acl 3000
[R2-acl-adv-3000]rule permit ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255
Create the IPSec security proposal
[R2]ipsec proposal pokes
[R2-ipsec-proposal-pokes]q
[R2]dis ipsec proposal name pokes # Check the proposal
IPSec proposal name: pokes
Encapsulation mode: Tunnel # Encapsulation mode
Transform : esp-new # Security protocol (ESP)
ESP protocol : Authentication MD5-HMAC-96 # Authentication algorithm
Encryption DES # Encryption algorithm
Create the security policy
[R2]ipsec policy zhpr 10 manual # Create a manual security policy zhpr 10
[R2-ipsec-policy-manual-zhpr-10]security acl 3000 # Reference ACL 3000
[R2-ipsec-policy-manual-zhpr-10]proposal pokes # Reference the security proposal
[R2-ipsec-policy-manual-zhpr-10]tunnel local 10.10.10.1 # Specify the tunnel source address
[R2-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.20.1 # Specify the tunnel destination address
[R2-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456 # Set the security parameter index (SPI) of the security association
[R2-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567 # Set the authentication key of the security association
[R2-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R2-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567
Apply the policy to the interface
[R2]in g0/0/0 # Public network egress interface
[R2-GigabitEthernet0/0/0]ipsec policy zhpr
[R2]dis ipsec policy brief # View the IPSec policy summary
Number of policies group : 1
Number of policies : 1
Policy name   Mode     ACL    Peer name   Local address   Remote address
--------------------------------------------------------------------------------
zhpr-10       manual   3000               10.10.10.1      10.10.20.1
[R2]
Notes:
The SPI set with sa spi inbound esp 123456 must match the outbound SPI on the peer. The key set with sa string-key inbound esp simple 234567 must match the outbound key on the peer.
It is recommended to configure one end first, then copy and paste the configuration to the other end, changing the source and destination addresses when pasting.
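R3 configuration
[R3]ip route-static 0.0.0.0 0 10.10.20.2
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 192.168.12.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
[R3]ipsec proposal pokes # Create the same proposal as on R2; the policy below references it
[R3-ipsec-proposal-pokes]q
[R3]ipsec policy zhpr 10 manual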
[R3-ipsec-policy-manual-zhpr-10] security acl 3000
[R3-ipsec-policy-manual-zhpr-10] proposal pokes
[R3-ipsec-policy-manual-zhpr-10] tunnel local 10.10.20.1
[R3-ipsec-policy-manual-zhpr-10] tunnel remote 10.10.10.1
[R3-ipsec-policy-manual-zhpr-10] sa spi inbound esp 123456
[R3-ipsec-policy-manual-zhpr-10] sa string-key inbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10] sa spi outbound esp 123456
[R3-ipsec-policy-manual-zhpr-10] sa string-key outbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10]q
[R3]in g0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy zhpr
[R3]dis ipsec policy brief
Number of policies group : 1
Number of policies : 1
Policy name   Mode     ACL    Peer name   Local address   Remote address
--------------------------------------------------------------------------------
zhpr-10       manual   3000               10.10.20.1      10.10.10.1
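The matching rule from the notes (each side's inbound SPI and key must equal the peer's outbound ones, with mirrored tunnel addresses) and the algorithms shown in the proposal output can be checked offline before the policy is applied. The Python below is an added example, not part of the original post and not a Huawei tool; the function names are hypothetical and the sample input is constructed from the R2 and R3 sessions on this page.

```python
import re

# Constructed sample input, copied from the R2 session on this page; R3 is its mirror.
R2 = """[R2-ipsec-policy-manual-zhpr-10]tunnel local 10.10.10.1 # source
[R2-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.20.1
[R2-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456
[R2-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567
[R2-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R2-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567"""
R3 = (R2.replace("R2", "R3").replace("local 10.10.10.1", "local 10.10.20.1")
        .replace("remote 10.10.20.1", "remote 10.10.10.1"))
PROPOSAL = """ESP protocol : Authentication MD5-HMAC-96
Encryption DES"""
WEAK = ("DES", "MD5")  # broken or deprecated algorithm families

def parse_policy(session):
    """Strip prompts and # comments, then collect the manual-SA settings."""
    cfg = {}
    for line in session.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", line).split("#")[0].strip()
        if m := re.fullmatch(r"tunnel (local|remote) (\S+)", cmd):
            cfg[m[1]] = m[2]
        elif m := re.fullmatch(r"sa spi (inbound|outbound) esp (\d+)", cmd):
            cfg["spi", m[1]] = m[2]
        elif m := re.fullmatch(r"sa string-key (inbound|outbound) esp (\w+) (\S+)", cmd):
            cfg["key", m[1]], cfg["fmt", m[1]] = m[3], m[2]
    return cfg

def audit_pair(a, b):
    """Findings for two peers' manual policies; no mismatch lines means they pair up."""
    out = []
    if (a.get("local"), a.get("remote")) != (b.get("remote"), b.get("local")):
        out.append("tunnel local/remote not mirrored")
    for name, tx, rx in (("A->B", a, b), ("B->A", b, a)):
        for what in ("spi", "key"):
            if tx.get((what, "outbound")) != rx.get((what, "inbound")):
                out.append(f"{name}: outbound {what} != peer inbound {what}")
    for name, cfg in (("A", a), ("B", b)):
        if "simple" in (cfg.get(("fmt", "inbound")), cfg.get(("fmt", "outbound"))):
            out.append(f"{name}: key entered as 'simple' (plaintext in config)")
    return out

def audit_proposal(display):
    """Flag weak algorithms in 'display ipsec proposal' output."""
    algs = re.findall(r"(Authentication|Encryption)\s+(\S+)", display)
    return [f"weak {kind.lower()}: {alg}" for kind, alg in algs
            if alg.upper().startswith(WEAK)]
```

Run against this page's configuration, the pair check reports no mismatch, while the plaintext key format and the DES and MD5 defaults of the empty proposal are flagged.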
Test result
PC>ping 192.168.12.1
Ping 192.168.12.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.12.1: bytes=32 seq=2 ttl=127 time=15 ms
From 192.168.12.1: bytes=32 seq=3 ttl=127 time=16 ms
From 192.168.12.1: bytes=32 seq=4 ttl=127 time=31 ms
From 192.168.12.1: bytes=32 seq=5 ttl=127 time=16 ms
--- 192.168.12.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/19/31 ms
PC>
PC>ping 192.168.11.1
Ping 192.168.11.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.11.1: bytes=32 seq=2 ttl=127 time=16 ms
From 192.168.11.1: bytes=32 seq=3 ttl=127 time=15 ms
From 192.168.11.1: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.11.1: bytes=32 seq=5 ttl=127 time=31 ms
--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/23/32 ms
PC>
In fact, in production environments, IPSec is usually implemented with purchased hardware devices, which are powerful; using a router for this is a bit low-end.