HQY 一个和谐有爱的空间

华为防火墙，主备链路备份cd 出口： 7.7.7.4	8.8.8.8
bj 出口	6.6.6.2546.0  to 7.0```bash
ip-link check enableip-link name TO-bj
destination 6.6.6.254 interface GigabitEthernet 0/0/1 next-hop 7.7.7.1
quitip route-static 192.168.7.0 255.255.255.0 7.7.7.1 preference 10 track ip-link TO-bjip route-static 192.168.7.0 255.255.255.0 8.8.8.1 preference 20ip route-static 6.6.6.254 255.255.255.255 7.7.7.1 preference 10 track ip-link TO-bjip route-static 6.6.6.254 255.255.255.255 8.8.8.1 preference 20acl 3101rule 5 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
quit

ipsec  proposal tran-bj
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
quit

ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
quit

ike peer bj
ike-proposal 10pre-shared-key alsjdflajsld
remote-address 6.6.6.254
quit

ipsec policy ipsec-CD-BJ 10 isakmp 
security acl 3101proposal tran-bj
ike-peer bj
quit
ipsec policy ipsec-CD-BJ1 10 isakmp 
security acl 3101proposal tran-bj
ike-peer bj
quit

interface GigabitEthernet 0/0/1
ipsec policy ipsec-CD-BJ
interface GigabitEthernet 0/0/3
ipsec policy ipsec-CD-BJ1

分支

[FW_B] interface tunnel 1[FW_B-Tunnel1] ip address unnumbered interface GigabitEthernet 0/0/1[FW_B-Tunnel1] tunnel-protocol ipsec[FW_B-Tunnel1] quit[FW_B] interface tunnel 2[FW_B-Tunnel2] ip address unnumbered interface GigabitEthernet 0/0/1[FW_B-Tunnel2] tunnel-protocol ipsec[FW_B-Tunnel2] quit[FW_B] firewall zone untrust[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1[FW_B-zone-untrust] add interface Tunnel 1[FW_B-zone-untrust] add interface Tunnel 2ip-link check enableip-link name To-cd
destination 7.7.7.4 interface GigabitEthernet 0/0/1 next-hop 6.6.6.253
quitip route-static 192.168.6.0 24 Tunnel 1 preference 10 track ip-link To-cdip route-static 192.168.6.0 24 Tunnel 2 preference 20 ip route-static 7.7.7.4 32 6.6.6.253ip route-static 8.8.8.8 32 6.6.6.253

acl 3101rule 5 permit ip source 192.168.7.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
quit

ipsec  proposal tran-cd
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
quit

ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
quit

ike peer cd1
ike-proposal 10pre-shared-key asdfasfaasd
remote-address 7.7.7.4
quit

ike peer cd2
ike-proposal 10pre-shared-key asdfasdfasdf
remote-address 8.8.8.8
quit

ipsec policy BJ-CD 10 isakmp
security acl 3101proposal tran-cd
ike-peer cd1
quit
ipsec policy BJ-CD1 10 isakmp
security acl 3101proposal tran-cd
ike-peer cd2
quit

interface Tunnel 1ipsec policy BJ-CD
interface Tunnel 2ipsec policy BJ-CD1


说明：
分支可以采用tunnel接口的模式，也可以直接和总部，分别直接建立vpn连接，
分支和总部建立多条ipsec通道，通过nqa或者iplink 实现路由联动切换，从而实现VPN隧道的自动切换

dis ipsec sa policy policyname sequence-number
eg:dis ipsec sa policy ipsec441953 2diagnose ipsec data-flow tcp source-ip 10.3.3.2 destination-ip  10.3.3.1 source-port 1111 destination-port 2222

推荐本站淘宝优惠价购买喜欢的宝贝:

本文链接：https://hqyman.cn/post/8437.html 非本站原创文章欢迎转载，原创文章需保留本站地址！

休息一下~~