
This is the configuration as it stands; I checked the official documentation and it is configured the same way. Unexpectedly, once it was finished there was no connectivity; to be dealt with later!
FW_A configuration:
dhcp enable
ip-link check enable
ip-link name check_b
 destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer fenbu
 pre-shared-key admin123
 ike-proposal 10
ipsec policy-template temp 1
 security acl 3000
 ike-peer fenbu
 proposal pro1
ipsec policy-template temp2 1
 security acl 3001
 ike-peer fenbu
 proposal pro1
ipsec policy policy1 1 isakmp template temp
ipsec policy policy2 1 isakmp template temp2
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy1
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.38.164.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
firewall zone dmz
 set priority 50
ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20
ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20
security-policy
 default action permit
FW_B configuration:
firewall dataplane to manageplane application-apperceive default-action drop
dhcp enable
ip-link check enable
ip-link name check_a
 destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer a1
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.163.1
ike peer a2
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.164.2
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer a1
 proposal pro1
ipsec policy policy2 1 isakmp
 security acl 3001
 ike-peer a2
 proposal pro1
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy1
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
 add interface Tunnel2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a
ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20
security-policy
 default action permit
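The first thing a practitioner checks when a tunnel like this stays down is whether the two ends actually agree with each other. The script below is an added example written for this page; it is not part of the original post and not a Huawei tool. It is a minimal parser for the VRP-style listings above (only explicitly configured lines are compared; VRP defaults for omitted attributes are not modelled) that cross-checks FW_B, the initiator, against FW_A, which uses policy templates and can therefore only respond: every IKE peer remote-address must be an FW_A interface address, the pre-shared keys must agree, at least one IKE and one IPsec proposal must match attribute for attribute, and the interesting-traffic ACLs must mirror each other. The embedded sample input is the IPsec-relevant part of the two configurations as posted. Run over them, the check reports two problems: ike peer a2 dials 202.38.164.2, which is FW_A's next hop on GigabitEthernet1/0/2 rather than its interface address 202.38.164.1, and the IPsec proposals differ (FW_A pro1 is sha1/aes-128, FW_B pro1 is sha2-256/aes-256), so phase 2 cannot complete even where phase 1 succeeds.

```python
"""Cross-check both ends of a Huawei USG IPsec setup for mismatches that keep a tunnel down.
Added example, not the page's own material; parsing is a minimal approximation of VRP syntax."""
import re

# Constructed input: the IPsec-relevant lines of FW_A and FW_B as posted on this page.
FW_A = """\
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
ike peer fenbu
 pre-shared-key admin123
 ike-proposal 10
interface GigabitEthernet1/0/0
 ip address 202.38.163.1 255.255.255.0
 ipsec policy policy1
interface GigabitEthernet1/0/2
 ip address 202.38.164.1 255.255.255.0
 ipsec policy policy2
"""
FW_B = """\
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
ike peer a1
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.163.1
ike peer a2
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.164.2
"""
# Sections are detected by keyword, not indentation (indentation is unreliable in pasted configs).
# A definition 'ipsec policy NAME SEQ ...' is told apart from the interface binding 'ipsec policy NAME'
# by its sequence number, so the binding stays a child line of the interface.
SECTION = re.compile(r'^(ipsec proposal|ike proposal|ike peer|ipsec policy(?:-template)? \S+ \d+|interface|acl number)\b')
RULE = re.compile(r'rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)')

def parse(text):
    """Group a VRP-style config into {section header: [child lines]}."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if SECTION.match(line):
            cur = line
            sections[cur] = []
        elif cur is not None:
            sections[cur].append(line)
    return sections

def by_kind(sections, kind):
    """{name: {attribute: value}} for every section whose header starts with `kind`, e.g. 'ike peer'."""
    out = {}
    for hdr, body in sections.items():
        if hdr.startswith(kind + ' '):
            name = hdr.split()[len(kind.split())]
            out[name] = dict(l.rsplit(' ', 1) for l in body if ' ' in l)
    return out

def findings(a_text, b_text):
    """Problems between side A (responder) and side B (initiator); an empty list means they agree."""
    A, B, out = parse(a_text), parse(b_text), []
    # 1. Every remote-address B dials must be an address A owns, not A's upstream next hop.
    a_addrs = set(re.findall(r'^ *ip address (\S+) ', a_text, re.M))
    for name, attrs in by_kind(B, 'ike peer').items():
        ra = attrs.get('remote-address')
        if ra and ra not in a_addrs:
            out.append(f'ike peer {name}: remote-address {ra} is not an interface address of A {sorted(a_addrs)}')
    # 2. The pre-shared key must agree with some peer on A (a mismatch fails with no useful error).
    a_psks = {p.get('pre-shared-key') for p in by_kind(A, 'ike peer').values()}
    for name, attrs in by_kind(B, 'ike peer').items():
        if attrs.get('pre-shared-key') not in a_psks:
            out.append(f'ike peer {name}: pre-shared-key matches no peer on A')
    # 3. At least one IKE (phase 1) and one IPsec (phase 2) proposal must match attribute for attribute.
    for kind in ('ike proposal', 'ipsec proposal'):
        a_props, b_props = by_kind(A, kind), by_kind(B, kind)
        if not any(pa == pb for pa in a_props.values() for pb in b_props.values()):
            out.append(f'{kind}: no matching pair, A={a_props} B={b_props}')
    # 4. Interesting-traffic ACLs must mirror each other: B's source/destination are A's swapped.
    def rules(cfg):
        return {m.groups() for h, body in cfg.items() if h.startswith('acl ') for m in map(RULE.match, body) if m}
    for src, dst in rules(A):
        if (dst, src) not in rules(B):
            out.append(f'acl: A rule {src} -> {dst} has no mirror rule on B')
    return out

if __name__ == '__main__':
    print(*findings(FW_A, FW_B), sep='\n')
```

Run it with python3; an empty result means the checked attributes agree. When aligning the proposals, keep both ends on sha2-256/aes-256 rather than downgrading FW_B to sha1/aes-128. The key check only confirms that the pre-shared keys match, not that a key such as admin123 is strong enough for production use.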