H3C Router IPsec VPN Configuration Guide

I. Basic router configuration

Check the router version (Comware uses display, not show)
<jifangA> display version
H3C Comware Software, Version 7.1.064, Release 6749P30
Copyright (c) 2004-2024 New H3C Technologies Co., Ltd. All rights reserved.
H3C MSR2600 uptime is 0 weeks, 6 days, 8 hours, 6 minutes
Last reboot reason : Power on
Boot image: flash:/msr26x1a-cmw710-boot-r6749p30.bin
Boot image version: 7.1.064P80, Release 6749P30
Compiled Sep 03 2024 15:00:00
System image: flash:/msr26x1a-cmw710-system-r6749p30.bin
System image version: 7.1.064, Release 6749P30
Compiled Sep 03 2024 15:00:00
Feature image(s) list:
flash:/msr26x1a-cmw710-security-r6749p30.bin, version: 7.1.064
Compiled Sep 03 2024 15:00:00
flash:/msr26x1a-cmw710-voice-r6749p30.bin, version: 7.1.064
Compiled Sep 03 2024 15:00:00
flash:/msr26x1a-cmw710-data-r6749p30.bin, version: 7.1.064
Compiled Sep 03 2024 15:00:00
CPU ID: 0xc
1G bytes DDR3 SDRAM Memory
512M bytes Flash Memory
PCB Version:Ver.B
CPLD Version: 1.0
Basic BootWare Version: 1.03
Extended BootWare Version: 1.03

1. IP address configuration

1. Configure an IP address on the VLAN interface
# Enter system view (also called global configuration mode; system-level parameters are set here)
<jifangA> system-view
# Set the device name (Comware uses sysname, not hostname)
[jifangA] sysname jifangA
# Enter VLAN interface 1 (usually the management VLAN; in a real network use the VLAN your plan specifies)
[jifangA] interface Vlan-interface 1
# Assign 192.168.120.1/24 to VLAN interface 1
[jifangA-Vlan-interface1] ip address 192.168.120.1 24
# Display the IP configuration of VLAN interface 1 to verify it
[jifangA-Vlan-interface1] display ip interface vlan-interface 1
Vlan-interface1 current state: UP
Line protocol current state: UP
Internet address is 192.168.120.1/24 Primary
Broadcast address: 192.168.120.1.255
The Maximum Transmit Unit: 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
TTL invalid packet number: 0
ICMP packet input number: 18
Echo reply: 14
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 4
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0

2. Public IP address on the WAN interface
# Leave the interface view and return to system view
[jifangA-Vlan-interface1] quit
# Enter GigabitEthernet0/0 (the interface facing the Internet)
[jifangA] interface GigabitEthernet0/0
# Put the port in routed (Layer 3) mode instead of bridged (Layer 2) mode
[jifangA-GigabitEthernet0/0] port link-mode route
# Configure the public IP address (1.1.1.1/24)
[jifangA-GigabitEthernet0/0] ip address 1.1.1.1 255.255.255.0
# Clamp the TCP MSS to 1024 bytes so TCP segments fit inside the tunnel without fragmentation
[jifangA-GigabitEthernet0/0] tcp mss 1024
# Enable outbound NAT using ACL 3111 (the NAT ACL defined in Part II, section 1)
[jifangA-GigabitEthernet0/0] nat outbound 3111
# Apply the IPsec policy named IPSEC to this interface (defined in Part II, section 3)
[jifangA-GigabitEthernet0/0] ipsec apply policy IPSEC
# Exempt IPsec-protected traffic from NAT so tunnel packets are not rewritten
[jifangA-GigabitEthernet0/0] ipsec no-nat-process enable
[jifangA-GigabitEthernet0/0] quit
# Static default route (0.0.0.0/0) pointing at the ISP gateway; replace X with the real next-hop value.
# ip route-static is a system-view command, so it is entered after leaving the interface view
[jifangA] ip route-static 0.0.0.0 0 1.1.1.X
# Disable the DHCP service (keeps the router from handing out leases until the pool below is configured)
[jifangA] undo dhcp enable

3. DHCP configuration
# Enable the DHCP service globally
[jifangA] dhcp enable
# Remove the factory-default pool
[jifangA] undo dhcp server ip-pool lan1
# Re-create it
[jifangA] dhcp server ip-pool lan1
# Gateway handed to clients
[jifangA-dhcp-pool-lan1] gateway-list 192.168.120.1
# Subnet and mask
[jifangA-dhcp-pool-lan1] network 192.168.120.0 mask 255.255.255.0
# Address range (must lie inside the pool's subnet)
[jifangA-dhcp-pool-lan1] address range 192.168.120.10 192.168.120.254
# DNS server handed to clients
[jifangA-dhcp-pool-lan1] dns-list 192.168.120.1
# Leave the pool view and enter VLAN interface 1
[jifangA-dhcp-pool-lan1] quit
[jifangA] interface Vlan-interface1
# Enable the DHCP server on the interface
[jifangA-Vlan-interface1] dhcp select server
# Verify the pool
[jifangA-Vlan-interface1] display dhcp server pool
Pool name: lan1
Network: 192.168.120.0 mask 255.255.255.0
address range 192.168.120.10 to 10.169.1.254
dns-list 192.168.120.1
expired day 1 hour 0 minute 0 second 0
gateway-list 192.168.120.1
# Show the leases that have been handed out
[jifangA-Vlan-interface1] display dhcp server ip-in-use
IP address       Client identifier/    Lease expiration        Type
                 Hardware address
192.168.120.10   016c-1ff7-1352-a9     Jan 2 01:20:33 2011     Auto(C)

2. Remote access: SSH configuration
1. Enable SSH
# Configure 5 VTY lines (0-4) for remote login
[jifangA] line vty 0 4
# Use scheme (AAA: authentication, authorization, accounting) authentication
[jifangA-line-vty0-4] authentication-mode scheme
# Accept only SSH on these lines (Telnet is disabled)
[jifangA-line-vty0-4] protocol inbound ssh
# Default user role for users logging in on these lines
[jifangA-line-vty0-4] user-role network-admin
[jifangA-line-vty0-4] quit

2. Create a management user
# Create a new user of class manage
[jifangA] local-user tianxiang class manage
New local user added.
[jifangA-luser-manage-tianxiang] quit
# Enable the global password-control feature (a system-view command)
[jifangA] password-control enable
# Re-enter the local-user view
[jifangA] local-user tianxiang class manage
# Disable password aging (the password never expires)
[jifangA-luser-manage-tianxiang] undo password-control aging enable
# Disable password history (old passwords may be reused)
[jifangA-luser-manage-tianxiang] undo password-control history enable
# Minimum password length: 6 characters
[jifangA-luser-manage-tianxiang] password-control length 6
# Lock the account for 10 minutes after 10 failed login attempts
[jifangA-luser-manage-tianxiang] password-control login-attempt 10 exceed lock-time 10
# No minimum interval between password changes (no automatic update prompt)
[jifangA-luser-manage-tianxiang] password-control update-interval 0
# No idle-account time limit
[jifangA-luser-manage-tianxiang] password-control login idle-time 0
# Set the password in plain text (use cipher in production so it is not stored in clear text)
[jifangA-luser-manage-tianxiang] password simple TianTian888
Updating user information. Please wait... ...
# Allow the user to log in over SSH
[jifangA-luser-manage-tianxiang] service-type ssh
# Give the user the administrator role
[jifangA-luser-manage-tianxiang] authorization-attribute user-role network-admin
[jifangA-luser-manage-tianxiang] quit
# Enable the SSH services
[jifangA] ssh server enable # enable the SSH server globally
[jifangA] sftp server enable # enable SFTP file transfer (optional)

3. Web console configuration
# Disable HTTP access (Comware uses undo, not no)
[jifangA] undo ip http enable
# Enable HTTPS access
[jifangA] ip https enable
# Change the HTTPS port
[jifangA] ip https port 8443
# Allow the user to log in to the web interface
[jifangA] local-user tianxiang
[jifangA-luser-manage-tianxiang] service-type https
[jifangA-luser-manage-tianxiang] password simple TianTian888
[jifangA-luser-manage-tianxiang] quit

4. NTP time synchronization
[jifangA] dns server 223.5.5.5 # primary DNS server
[jifangA] dns server 114.114.114.114 # secondary DNS server
[jifangA] ping www.baidu.com # check name resolution and Internet reachability
[jifangA] ntp-service enable # enable NTP
[jifangA] ntp-service unicast-server ntp.aliyun.com # use the Alibaba Cloud time server
[jifangA] clock timezone Beijing add 08:00:00 # Beijing time, UTC+8
[jifangA] display ntp-service status # check synchronization status
[jifangA] display clock

II. IPsec VPN tunnel configuration
1. ACL policies
Site A (jifangA): LAN 192.168.120.0/24
Site B (jifangB): LAN 192.168.130.0/24
The configuration below is for site A.
<jifangA> system-view # enter system view
#----------- ACLs defining the interesting traffic -----------
[jifangA] acl number 3111
# Description
[jifangA-acl-ipv4-adv-3111] description to Nat-To-Internet # traffic bound for the Internet
# Deny traffic to site B's LAN (130) so it is excluded from NAT and can still be matched by the IPsec policy
[jifangA-acl-ipv4-adv-3111] rule 5 deny ip source 192.168.120.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
# Everything else from the LAN is translated to the public address
[jifangA-acl-ipv4-adv-3111] rule 250 permit ip source 192.168.120.0 0.0.0.255
[jifangA-acl-ipv4-adv-3111] quit
# Second ACL: traffic from site A's LAN to site B's LAN, selected for the tunnel
[jifangA] acl number 3112
[jifangA-acl-ipv4-adv-3112] description to jifangB # traffic bound for site B's LAN
[jifangA-acl-ipv4-adv-3112] rule 5 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 # permit site A LAN (120) to site B LAN (130)

2. IPsec transform set
# Create an IPsec transform set (the encryption parameters); later IPsec policies can reuse it
[jifangA] ipsec transform-set TRANSFORM
# Encryption: AES-128-CBC
[jifangA-ipsec-transform-set-TRANSFORM] esp encryption-algorithm aes-cbc-128
# Integrity: SHA-256
[jifangA-ipsec-transform-set-TRANSFORM] esp authentication-algorithm sha256
# PFS with DH group 2 so each IPsec SA gets fresh key material
[jifangA-ipsec-transform-set-TRANSFORM] pfs dh-group2
[jifangA-ipsec-transform-set-TRANSFORM] quit

3. IPsec policy
# Check that IPsec policy entry 10 is not already used by another policy
[jifangA] display current-configuration | include "ipsec policy"
# Create IPsec policy IPSEC, entry 10, using IKE negotiation
[jifangA] ipsec policy IPSEC 10 isakmp
# Reference the transform set
[jifangA-ipsec-policy-isakmp-IPSEC-10] transform-set TRANSFORM
# Reference the ACL dedicated to site B (3112, defined in section 1)
[jifangA-ipsec-policy-isakmp-IPSEC-10] security acl 3112
# Local public IP
[jifangA-ipsec-policy-isakmp-IPSEC-10] local-address 1.1.1.1
# Site B's public IP
[jifangA-ipsec-policy-isakmp-IPSEC-10] remote-address 2.2.2.2
# Reference the IKE profile created in the next step
[jifangA-ipsec-policy-isakmp-IPSEC-10] ike-profile jifangB
[jifangA-ipsec-policy-isakmp-IPSEC-10] quit

4. IKE profile
# Create the profile
[jifangA] ike profile jifangB
# Reference the keychain created in section 6
[jifangA-ike-profile-jifangB] keychain jifangB
# Local identity: the local public IP
[jifangA-ike-profile-jifangB] local-identity address 1.1.1.1
# Accept the peer whose identity is site B's public IP
[jifangA-ike-profile-jifangB] match remote identity address 2.2.2.2
# Reference the IKE proposal created in section 5
[jifangA-ike-profile-jifangB] proposal 10
[jifangA-ike-profile-jifangB] quit

5. IKE proposal (negotiation parameters)
# Check whether a proposal with this number already exists
[jifangA] display current-configuration | include "ike proposal"
[jifangA] ike proposal 10
# IKE encryption algorithm (3DES is a legacy choice; both ends must use the same value)
[jifangA-ike-proposal-10] encryption-algorithm 3des-cbc
# Diffie-Hellman group for the IKE exchange
[jifangA-ike-proposal-10] dh group2
# IKE integrity algorithm (MD5 is a legacy choice; both ends must use the same value)
[jifangA-ike-proposal-10] authentication-algorithm md5
# IKE SA lifetime in seconds (8 hours)
[jifangA-ike-proposal-10] sa duration 28800
[jifangA-ike-proposal-10] quit

6. IKE keychain
# The keychain name must match the one referenced in the IKE profile above
[jifangA] ike keychain jifangB
# Local public IP
[jifangA-ike-keychain-jifangB] match local address 1.1.1.1
# Peer public IP and the pre-shared key; choose your own value, identical on both ends
[jifangA-ike-keychain-jifangB] pre-shared-key address 2.2.2.2 key simple tianxiang
[jifangA-ike-keychain-jifangB] quit

7. Apply the IPsec policy to the interface
This step is needed on a new router; a router configured earlier (Part I, section 2) already has it.
# Find the interface holding the public IP
[jifangA] display interface brief | include "1.1.1.1"
GE0/0 UP UP 1.1.1.1 Single_Line1
# Enter GE0/0
[jifangA] interface ge0/0
# Apply the IPsec policy to the interface
[jifangA-GigabitEthernet0/0] ipsec apply policy IPSEC
# Traffic matched by the IPsec policy skips NAT checking and translation, i.e. it follows its own ACL (3112) rather than the NAT ACL
[jifangA-GigabitEthernet0/0] ipsec no-nat-process enable
[jifangA-GigabitEthernet0/0] quit

8. Save
# Return to user view
[jifangA] return
# Save the configuration to the startup file
<jifangA> save force

9. Peer configuration
The process on site B is identical; only the public and LAN addresses are swapped.
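As an added example (not part of the original guide or of any H3C tooling), the Python script below models the two-ACL design from Part II (NAT ACL 3111 with its deny rule, IPsec ACL 3112 and ipsec no-nat-process enable), derives site B as the mirror of site A the way section 9 describes, and reports the mismatches that most often keep the tunnel down. Addresses are the guide's samples; the site names are the guide's, and the pre-shared key is a placeholder.

```python
import ipaddress as ip

def site(name, wan, lan, peer_wan, peer_lan, psk):
    """One router's IPsec-relevant settings; ACL rules are (action, src, dst)
    in CIDR form, equivalent to the wildcard masks used in the guide."""
    return {"name": name, "wan": wan, "lan": lan, "peer_wan": peer_wan,
            "peer_lan": peer_lan, "psk": psk,
            "nat_acl": [("deny", lan, peer_lan), ("permit", lan, "0.0.0.0/0")],  # ACL 3111
            "ipsec_acl": [("permit", lan, peer_lan)]}                            # ACL 3112

def mirror(a):
    """Section 9: the peer runs the same configuration with the addresses swapped."""
    return site("jifangB", a["peer_wan"], a["peer_lan"], a["wan"], a["lan"], a["psk"])

def acl_action(acl, src, dst):
    """First matching rule wins; an H3C ACL ends with an implicit deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, s_net, d_net in acl:
        if s in ip.ip_network(s_net) and d in ip.ip_network(d_net):
            return action
    return "deny"

def classify(cfg, src, dst, no_nat_process=True):
    """Egress decision on the WAN interface: 'ipsec', 'nat' or 'plain' (sent untranslated).
    With 'ipsec no-nat-process enable' the IPsec ACL is consulted before NAT; without it NAT
    runs first and the translated source no longer matches the IPsec ACL (missing rule 5 deny symptom)."""
    if no_nat_process and acl_action(cfg["ipsec_acl"], src, dst) == "permit":
        return "ipsec"
    natted = acl_action(cfg["nat_acl"], src, dst) == "permit"
    if natted:
        src = cfg["wan"]  # source address rewritten to the public address
    if acl_action(cfg["ipsec_acl"], src, dst) == "permit":
        return "ipsec"
    return "nat" if natted else "plain"

def check_pair(a, b):
    """Return the mismatches between two sites; an empty list means they are consistent."""
    problems = [msg for bad, msg in (
        (a["psk"] != b["psk"], "pre-shared keys differ"),
        ((a["peer_wan"], b["peer_wan"]) != (b["wan"], a["wan"]), "local-address / remote-address are not mirrored"),
        ((a["peer_lan"], b["peer_lan"]) != (b["lan"], a["lan"]), "security ACL subnets are not mirrored")) if bad]
    for s in (a, b):  # the LAN-to-LAN flow must reach the tunnel on both sides, not NAT
        probe = str(ip.ip_network(s["lan"])[10]), str(ip.ip_network(s["peer_lan"])[10])
        if classify(s, *probe) != "ipsec":
            problems.append(s["name"] + ": LAN-to-peer traffic would bypass the tunnel")
    return problems

# Constructed sample using the guide's addresses; the key is a placeholder, not a real secret
A = site("jifangA", "1.1.1.1", "192.168.120.0/24", "2.2.2.2", "192.168.130.0/24", "EXAMPLE-PSK")
B = mirror(A)
```

Run check_pair(A, B) before bringing the tunnel up; an empty list means the two sides agree on addresses, subnets and key, and that the LAN-to-LAN flow is excluded from NAT on both routers.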
10. Verification
1. Ping test
# Connectivity test sourced from the LAN address (-a sets the source address)
<jifangA> ping -a 192.168.120.1 192.168.130.1
# The same test from site B's side
<jifangB> ping -a 192.168.130.1 192.168.120.1

2. Check the IKE state
<jifangA> display ike sa
Connection-ID Local Remote Flag DOI
------------------------------------------------------------------------------------
95 1.1.1.1 2.2.2.2/500 RD IPsec
License:
CC BY 4.0