
IPSEC ××× --- Aggressive Mode and Dynamically Obtained Addresses!

IPSEC ×××: combining aggressive mode with DHCP!

1. Aggressive mode: relevant configuration parameters

ike local-name id-name          name of this device
ike peer peer-name              declaration of the peer
pre-shared-key string           shared key
remote-address x.x.x.x          peer address
exchange-mode aggressive        key exchange mode: aggressive mode
id-type name                    ID type: name-based
remote-name id-name             peer name

2. Case

Topology:

Case description:
(1) Devices used: three H3C firewalls; one layer-3 switch used as the DHCP server!
(2) Purpose of the experiment: implement ××× IPSEC aggressive mode and
(3) Case description: all internal network addresses belong to the 192.168.0.0 range; all external addresses belong to the 193.168.0.0 range
Configuration details:

Firewall 1: configure the corresponding addresses on the corresponding interfaces;

<F1>system-view
System View: return to User View with Ctrl+Z.
[F1]interface eth 0/2
[F1-Ethernet0/2]ip address 192.168.10.1 255.255.255.0
[F1-Ethernet0/2]interface eth 0/1
[F1-Ethernet0/1]ip address 193.168.10.1 255.255.255.0
[F1]firewall zone trust
[F1-zone-trust]add interface eth0/1
[F1-zone-trust]add interface eth0/2

Configure the default route:
[F1]ip route-static 0.0.0.0 0 193.168.10.2

ike peer peer1
 exchange-mode aggressive
 pre-shared-key 1234
 id-type name
 remote-name fw2
 remote-address 192.168.20.1
 local-address 193.168.10.1

ipsec proposal hanyu

acl number 3000
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 1 deny ip
acl number 3001
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 1 deny ip

Firewall 2:
<F2>system-view
[F2]interface eth 0/2
[F2-Ethernet0/2]ip address 192.168.20.1 255.255.255.0
[F2-Ethernet0/2]interface eth 0/1
[F2-Ethernet0/1]ip address dhcp-alloc
(obtain the address dynamically!)
[F2]firewall zone trust
[F2-zone-trust]add interface eth 0/1
[F2-zone-trust]add interface eth 0/2

Default route:
[F2]ip route-static 0.0.0.0 0 193.168.20.2

Firewall 4:
<F4>system-view
[F4]interface eth 0/2
[F4-Ethernet0/2]ip address 192.168.30.1 255.255.255.0
[F4-Ethernet0/2]interface eth 0/1
[F4-Ethernet0/1]ip address dhcp-alloc
[F4-Ethernet0/1]quit
[F4]ip route-static 0.0.0.0 0 193.168.30.2
[F4]firewall zone trust
[F4-zone-trust]add interface Ethernet 0/1
[F4-zone-trust]add interface Ethernet 0/2

SW (switch configuration):
<SW13>system-view
Enter system view, return to user view with Ctrl+Z.
[SW13]vlan 5
[SW13-vlan5]port Ethernet 0/5
[SW13-vlan5]vlan 10
[SW13-vlan10]port ethernet 0/10
[SW13-vlan10]vlan 15
[SW13-vlan15]port ethernet 0/15
[SW13-vlan15]inter vlan 5
[SW13-Vlan-interface5]ip add 193.168.10.2 255.255.255.0
[SW13-Vlan-interface5]inter vlan 10
[SW13-Vlan-interface10]ip address 193.168.20.2 255.255.255.0
[SW13-Vlan-interface10]inter vlan 15
[SW13-Vlan-interface15]ip address 193.168.30.2 255.255.255.0
[SW13]dhcp enable
[SW13]dhcp server ip-pool fw2
[SW13-dhcp-fw2]network 193.168.20.0
[SW13-dhcp-fw2]dhcp server ip-pool fw3
[SW13-dhcp-fw3]network 193.168.30.0
[SW13]dhcp server forbidden-ip 193.168.20.2
[SW13]dhcp server forbidden-ip 193.168.30.2
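The aggressive-mode parameters listed at the top of the post (ike local-name, ike peer, exchange-mode aggressive, id-type name, remote-name, pre-shared-key, remote-address, local-address) only bring phase 1 up when the two firewalls agree on them: each side's remote-name must equal the other side's ike local-name, the pre-shared keys must match, and a static remote-address must point at the other side's local-address. The script below is an added example, not code from the original post or from H3C; it parses the command syntax shown above and cross-checks two peer configurations. The sample configurations are constructed for the example: the "ike local-name fw1"/"fw2" lines and the Firewall 2 peer block are assumptions (the post refers to an attachment for Firewall 2's full IKE configuration), and the 12-character key-length threshold is a heuristic chosen here, not a vendor requirement.

```python
"""Cross-check two H3C-style 'ike peer' blocks for aggressive-mode consistency.

Added example (not from the original post). Sample configs below are constructed.
"""
import re

MIN_PSK_LEN = 12  # heuristic threshold chosen for this example, not a vendor rule


def parse_ike(config_text):
    """Extract 'ike local-name' and every 'ike peer' block from an H3C-style config."""
    cfg = {"local_name": None, "peers": {}}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":            # H3C closes each block with a bare '#'
            current = None
            continue
        if raw[0].isspace():       # indented line: attribute of the open peer block
            if current is not None:
                key, _, value = line.partition(" ")
                current[key] = value.strip()
            continue
        current = None             # any other top-level command ends the block
        m = re.match(r"ike local-name (\S+)$", line)
        if m:
            cfg["local_name"] = m.group(1)
            continue
        m = re.match(r"ike peer (\S+)$", line)
        if m:
            current = {}
            cfg["peers"][m.group(1)] = current
    return cfg


def check_pair(cfg_a, cfg_b, label_a="A", label_b="B"):
    """Return a list of findings for the first peer block on each side; [] means consistent."""
    pa = next(iter(cfg_a["peers"].values()), None)
    pb = next(iter(cfg_b["peers"].values()), None)
    if pa is None or pb is None:
        return ["one side has no 'ike peer' block"]
    findings = []
    # A DHCP-assigned peer cannot be matched by IP, so both ends must run aggressive mode.
    for peer, label in ((pa, label_a), (pb, label_b)):
        if peer.get("exchange-mode") != "aggressive":
            findings.append(f"{label}: exchange-mode is not aggressive, but a DHCP-assigned "
                            "peer needs aggressive mode with name IDs")
    ka, kb = pa.get("pre-shared-key"), pb.get("pre-shared-key")
    if ka != kb:
        findings.append("pre-shared-key differs between the two sides")
    elif ka is None or len(ka) < MIN_PSK_LEN:
        findings.append(f"pre-shared-key is missing or shorter than {MIN_PSK_LEN} characters")
    # Name-based identity: my remote-name must equal the other side's ike local-name.
    for peer, other_cfg, label in ((pa, cfg_b, label_a), (pb, cfg_a, label_b)):
        if peer.get("id-type") != "name":
            findings.append(f"{label}: id-type is not 'name', so the peer cannot be "
                            "identified by its ike local-name")
        expected = other_cfg["local_name"]
        if peer.get("remote-name") != expected:
            findings.append(f"{label}: remote-name {peer.get('remote-name')!r} does not "
                            f"match the other side's ike local-name {expected!r}")
    # Static addresses, where both are configured, must point at each other.
    for peer, other, label in ((pa, pb, label_a), (pb, pa, label_b)):
        ra, la = peer.get("remote-address"), other.get("local-address")
        if ra and la and ra != la:
            findings.append(f"{label}: remote-address {ra} does not match the other "
                            f"side's local-address {la}")
    return findings


# Constructed samples: FW1 mirrors the post's Firewall 1 peer block (local-name assumed);
# FW2_OK is an assumed matching dynamic-address peer; FW2_BAD has three deliberate mismatches.
FW1 = """\
ike local-name fw1
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 1234
 id-type name
 remote-name fw2
 local-address 193.168.10.1
#
"""
FW2_OK = FW1.replace("fw1", "fw2", 1).replace("remote-name fw2", "remote-name fw1") \
            .replace("local-address", "remote-address")
FW2_BAD = FW2_OK.replace("aggressive", "main").replace("1234", "12345") \
                .replace("remote-name fw1", "remote-name fw10")


def audit_ok():
    return check_pair(parse_ike(FW1), parse_ike(FW2_OK), "FW1", "FW2")


def audit_bad():
    return check_pair(parse_ike(FW1), parse_ike(FW2_BAD), "FW1", "FW2")


if __name__ == "__main__":
    for name, findings in (("consistent pair", audit_ok()), ("broken pair", audit_bad())):
        print(name + ":")
        for f in findings or ["no findings"]:
            print("  - " + f)
```

Run it against the two sides' "display current-configuration" output before bringing the tunnel up: the consistent pair reports only the short pre-shared key, while the broken pair reports the main-mode setting, the key mismatch and the wrong remote-name, which are the three settings that most often stop aggressive mode from negotiating.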

Detailed configuration information:

See the attachment.

Verification results: