IPsec interconnection between a USG3030 and an H3C firewall

Published: 2012-07-19
Problem description
USG3030 – H3C F100-A
The H3C IPsec configuration commands are largely the same as on the USG3030. The configuration below is for reference; the H3C differences and the points to note are called out in the parenthesized notes.
Alarm information
Handling process
USG3030 configuration:
ike proposal 10
 authentication-algorithm md5
#
ike peer a
 pre-shared-key abade
 ike-proposal 10
 remote-address 221.224.132.2            
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy map 10 isakmp
 security acl 3502
 ike-peer a
 proposal tran1
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 10.10.1.1 255.255.255.0
 remote address pool 1
#
interface GigabitEthernet0/0
 ip address 180.213.1.130 255.255.255.248
 undo ip fast-forwarding qff         (disable fast forwarding)
 ipsec policy map
#
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 undo ip fast-forwarding qff           (disable fast forwarding)
 
acl number 3501
 rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255  (exclude the IPsec traffic from NAT; this deny must precede the permit)
 rule 10 permit ip source 192.168.0.0 0.0.0.255
 
firewall interzone trust untrust
 nat outbound 3501 address-group 1
 
H3C configuration:
 
ike proposal 10    (the IKE proposal does not need to be bound under the ike peer; a matching proposal is looked up automatically)
 authentication-algorithm md5
#
ike peer a
 pre-shared-key abade
 remote-address 180.213.1.130
#
ipsec proposal 10      (empty; not referenced by the policy below)
#
ipsec proposal tran1
 esp authentication-algorithm sha1       
 esp encryption-algorithm 3des
#
ipsec policy map1 10 isakmp
 security acl 3500
 ike-peer a
 proposal tran1
interface Ethernet1/0
 ip address 221.224.132.2 255.255.255.248
 firewall packet-filter 3002 inbound
 firewall packet-filter qiantai outbound
 nat outbound nat      (nat outbound is applied on the interface; the IPsec traffic must also be excluded from it)
 ipsec policy map1
 
acl name nat
 rule 5 deny source abc destination bcd  (exclude the IPsec traffic from NAT; the mirror image of the USG's deny rule)
 rule 10 permit
object address abc 192.168.1.0 255.255.255.0
object address bcd 192.168.0.0 255.255.255.0
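Both sides depend on the same two things being right: the outbound NAT ACL must deny the tunnel traffic before it permits anything, and the two exclusions must be mirror images of each other (the USG denies 192.168.0.0/24 to 192.168.1.0/24; the H3C denies abc to bcd, which resolves to 192.168.1.0/24 to 192.168.0.0/24). The Python script below is an added example written for this page, not Huawei or H3C code. It parses both configurations, embedded as constructed samples trimmed to the lines it reads and indented consistently, resolves the H3C address objects, and reports where an exclusion is missing, ordered after the permit, not the mirror of the other side, or does not cover a flow the security ACL protects. All function and variable names are the example's own, and it needs Python 3.8 or later. Run against the configurations as shown on this page it reports exactly two findings: ACLs 3502 and 3500, which the two ipsec policies reference, are not defined anywhere in the listing.

```python
# Added example for this page (not Huawei or H3C code): cross-check the NAT
# exclusions on the two sides of the tunnel above.  The parser handles only the
# VRP/Comware subset that the configurations on this page use (Python 3.8+).
import ipaddress
import re

# Constructed samples: the page's configs trimmed to the lines this check reads.
USG_CONFIG = """\
ipsec policy map 10 isakmp
 security acl 3502
acl number 3501
 rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.0.0 0.0.0.255
firewall interzone trust untrust
 nat outbound 3501 address-group 1
"""
H3C_CONFIG = """\
ipsec policy map1 10 isakmp
 security acl 3500
interface Ethernet1/0
 nat outbound nat
acl name nat
 rule 5 deny source abc destination bcd
 rule 10 permit
object address abc 192.168.1.0 255.255.255.0
object address bcd 192.168.0.0 255.255.255.0
"""

def blocks(text):
    """Config as [(command, [sub-commands])]: an unindented line opens a block; '#' separators are skipped."""
    out = []
    for line in (l for l in text.splitlines() if l.strip() and l != "#"):
        if line[0] == " ":
            out[-1][1].append(line.strip())
        else:
            out.append((line, []))
    return out

def block(cfg, *prefixes):
    """Sub-commands of the first block whose command is one of prefixes or starts with 'prefix ', else None."""
    return next((s for c, s in cfg for p in prefixes if c == p or c.startswith(p + " ")), None)

def sub(subs, key):
    """Argument after key inside a block ('security acl 3502' -> '3502'), else None."""
    return next((s[len(key) + 1:] for s in subs or [] if s.startswith(key + " ")), None)

RULE = re.compile(r"rule (\d+) (permit|deny)(?: ip)?(?: source (\S+)(?: (\d[\d.]*))?)?"
                  r"(?: destination (\S+)(?: (\d[\d.]*))?)?$")

def network(addr, wildcard, objs):
    """ACL address -> network: absent means any, a name is an H3C address object, else addr/wildcard."""
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    if addr in objs:
        return objs[addr]
    mask = "32" if wildcard in (None, "0", "0.0.0.0") else wildcard  # wildcard is a hostmask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl(cfg, acl_id, objs):
    """Rules of 'acl number ID' (VRP) or 'acl name ID' (H3C) as (seq, action, src, dst); None if undefined."""
    subs = block(cfg, f"acl number {acl_id}", f"acl name {acl_id}")
    if subs is None:
        return None
    return [(int(m[1]), m[2], network(m[3], m[4], objs), network(m[5], m[6], objs))
            for m in map(RULE.match, subs) if m]

def summary(text):
    """Security ACL and NAT ACL of one side, with H3C address objects resolved."""
    cfg = blocks(text)
    objs = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[3]}")
            for c, _ in cfg if (m := re.match(r"object address (\S+) (\S+) (\S+)$", c))}
    pol = block(cfg, "ipsec policy")
    nat = next((sub(s, "nat outbound") for _, s in cfg if sub(s, "nat outbound")), None)
    return {"sec_acl_id": sub(pol, "security acl"),
            "sec_acl": acl(cfg, sub(pol, "security acl"), objs),
            "nat_acl": acl(cfg, nat.split()[0], objs) if nat else None}

def check_pair(usg_text, h3c_text):
    """Findings from comparing both sides; an empty list means the NAT exclusions are consistent."""
    usg, h3c = summary(usg_text), summary(h3c_text)
    out, excl = [], {}
    for side, me in (("USG", usg), ("H3C", h3c)):
        rules = me["nat_acl"] or []
        excl[side] = {(s, d) for _, a, s, d in rules if a == "deny"}
        permits = [n for n, a, *_ in rules if a == "permit"]
        denies = [n for n, a, *_ in rules if a == "deny"]
        if not denies or (permits and min(permits) < min(denies)):
            out.append(f"{side}: NAT ACL does not exclude the IPsec traffic before it permits NAT")
        if me["sec_acl"] is None:
            out.append(f"{side}: security acl {me['sec_acl_id']} referenced by the ipsec policy is not defined")
        else:  # every flow the IPsec ACL protects must be kept away from NAT
            for _, a, s, d in me["sec_acl"]:
                if a == "permit" and (s, d) not in excl[side]:
                    out.append(f"{side}: protected flow {s} -> {d} is not excluded from NAT")
    # The exclusions must be mirror images: the USG's (src, dst) is the H3C's (dst, src).
    if excl["USG"] != {(d, s) for s, d in excl["H3C"]}:
        out.append("NAT exclusions on the two sides are not mirror images")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(USG_CONFIG, H3C_CONFIG)) or "no findings")
```

Append the two security ACLs (one permit rule each, mirrored the same way as the NAT denies) and the report is empty; remove the H3C deny rule and it reports the missing exclusion, the now-unprotected flow and the broken mirror. The same parser reads an exported running configuration from either vendor, as long as it keeps the one-space indentation the devices emit.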
Root cause
Suggestions and summary
Points to note from this case:
1. On the H3C, the IKE proposal is not bound under the ike peer; a matching proposal is found automatically. On the USG3030 it is bound explicitly (ike-proposal 10).
2. On both sides, the outbound NAT ACL must deny the traffic between the two protected subnets before its permit rule, otherwise the packets are translated before the IPsec policy sees them and never match the security ACL. The two deny rules must be mirror images of each other (192.168.0.0/24 to 192.168.1.0/24 on the USG, abc to bcd on the H3C).
3. On the H3C, nat outbound is applied on the interface (acl name nat with address objects abc and bcd); on the USG3030 it is applied in the trust-untrust interzone with acl 3501.
4. On the USG3030, fast forwarding is disabled on the interfaces (undo ip fast-forwarding qff).
5. The security ACLs referenced by the two policies (3502 on the USG, 3500 on the H3C) are not shown above; each must permit the traffic between 192.168.0.0/24 and 192.168.1.0/24, one the mirror of the other.
6. The IKE authentication algorithm (md5) and the ESP algorithms (sha1, 3des) must match on both ends. MD5 and 3DES are legacy choices; where both devices support them, prefer SHA-2 for authentication and AES for encryption.
