网关与网关之间采用手工方式建立保护IPv4报文的IPsec隧道-摩杜云开发者社区

<FW1>dis cu

version 7.1.064, ESS 1185P21

sysname FW1

password-recovery enable

vlan 1

irf-port

interface NULL0

interface GigabitEthernet1/0

port link-mode route

ip address 10.1.12.2 255.255.255.0

manage ping inbound

manage ping outbound

ipsec apply policy map1

interface GigabitEthernet2/0

port link-mode route

interface GigabitEthernet3/0

port link-mode route

ip address 10.1.1.1 255.255.255.0

manage ping inbound

manage ping outbound

interface GigabitEthernet4/0

port link-mode route

interface GigabitEthernet5/0

port link-mode route

interface GigabitEthernet6/0

port link-mode route

interface GigabitEthernet7/0

port link-mode route

interface GigabitEthernet8/0

port link-mode route

security-zone name Local

security-zone name Trust

import interface GigabitEthernet3/0

security-zone name DMZ

security-zone name Untrust

import interface GigabitEthernet1/0

security-zone name Management

scheduler logfile size 16

line class aux

user-role network-operator

line class console

authentication-mode scheme

user-role network-admin

line class vty

user-role network-operator

line aux 0

authentication-mode none

user-role network-admin

user-role network-operator

line con 0

user-role network-admin

line vty 0 63

authentication-mode scheme

user-role network-admin

user-role network-operator

ip route-static 0.0.0.0 0 10.1.12.1

info-center loghost 127.0.0.1 port 3301 format default

info-center source CFGLOG loghost level informational

performance-management

ssh server enable

acl advanced 3101

rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

domain system

aaa session-limit ftp 16

aaa session-limit telnet 16

aaa session-limit ssh 16

domain default enable system

role name level-0

description Predefined level-0 role

role name level-1

description Predefined level-1 role

role name level-2

description Predefined level-2 role

role name level-3

description Predefined level-3 role

role name level-4

description Predefined level-4 role

role name level-5

description Predefined level-5 role

role name level-6

description Predefined level-6 role

role name level-7

description Predefined level-7 role

role name level-8

description Predefined level-8 role

role name level-9

description Predefined level-9 role

role name level-10

description Predefined level-10 role

role name level-11

description Predefined level-11 role

role name level-12

description Predefined level-12 role

role name level-13

description Predefined level-13 role

role name level-14

description Predefined level-14 role

user-group system

local-user admin class manage

password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==

service-type ssh terminal https

authorization-attribute user-role network-admin

ipsec transform-set tran1

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

ipsec policy map1 10 isakmp

transform-set tran1

security acl 3101

local-address 10.1.12.2

remote-address 10.1.13.3

ike-profile profile1

ike profile profile1

keychain keychain1

match remote identity address 10.1.13.3 255.255.255.0

ike keychain keychain1

pre-shared-key address 10.1.13.3 255.255.255.0 key cipher $c$3$7fkgwuc4YRQ2dMAkAAgweXBy7JblDNtRwUP26vEUSg==

ip https enable

security-policy ip

rule 10 name ipseclocalout

action pass

source-zone local

destination-zone untrust

source-ip-host 10.1.12.2

destination-ip-host 10.1.13.3

rule 20 name ipsecin

source-zone untrust

destination-zone local

source-ip-host 10.1.13.3

destination-ip-host 10.1.12.2

rule 30 name trust-to-untrust

action pass

source-zone trust

destination-zone untrust

source-ip-subnet 10.1.1.0 255.255.255.0

destination-ip-subnet 10.1.2.0 255.255.255.0

rule 40 name untrust-to-trust

action pass

source-zone untrust

destination-zone trust

source-ip-subnet 10.1.2.0 255.255.255.0

destination-ip-subnet 10.1.1.0 255.255.255.0

return

<FW1>