Three IPsec policies to Aliyun on USG6510E
2024-08-05 Huawei USG6510E IPsec configuration
1、firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
 add interface GigabitEthernet0/0/4
 add interface GigabitEthernet0/0/5
 add interface GigabitEthernet0/0/6
 add interface GigabitEthernet0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/8
 add interface GigabitEthernet0/0/9
#
2、interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.252
 gateway 1.1.1.14
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
 ipsec policy ipsec1671928314
3、security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name policy_sec_2
  source-zone untrust
  destination-zone local
  action permit
4、nat-policy
 rule name policy_nat_1
  source-zone trust
  egress-interface GigabitEthernet0/0/0
  source-address 10.3.0.0 mask 255.255.255.0
  action source-nat easy-ip
 rule name GuideNat1721111794432
  egress-interface GigabitEthernet0/0/1
  action source-nat easy-ip
5、ipsec policy ipsec1671928314 1 isakmp
 security acl 3000
 pfs dh-group14
 ike-peer ike167192831601
 proposal prop16719283160
 anti-replay enable
 tunnel local applied-interface
 undo policy enable
 alias idc-to-qd
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
ipsec policy ipsec1671928314 2 isakmp
 security acl 3001
 pfs dh-group14
 ike-peer ike167193124246
 proposal prop16719312424
 anti-replay enable
 tunnel local applied-interface
 alias idc-to-bj-1
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
ipsec policy ipsec1671928314 3 isakmp
 security acl 3002
 pfs dh-group14
 ike-peer ike167221818422
 proposal prop16722181842
 anti-replay enable
 tunnel local applied-interface
 alias idc-to-tx
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
6、acl number 3000
 rule 5 permit ip source address-set idc-net10 destination address-set qd-172.16
acl number 3001
 rule 5 permit ip source address-set office-10 destination address-set bj-172.21
acl number 3002
 rule 5 permit ip source address-set office-10 destination address-set tx-172.20
7、ike peer ike167192831601
 exchange-mode auto
 pre-shared-key %^%#Y}3o>C)VW9gD{SD5AJ]$''\,:m%@zC.#Q-%w"]I-%^%#
 ike-proposal 1
 local-id-type fqdn
 remote-id-type fqdn
 remote-id qd-vpn
 local-id USG6500E
 dpd type periodic
 remote-address 2.2.2.2
 rsa encryption-padding oaep
 rsa signature-padding pss
 local-id-preference certificate enable
 ikev2 authentication sign-hash sha2-256
ike peer ike167193124246
 undo version 1
 exchange-mode auto
 pre-shared-key %^%#p)`u#.0VU%UFl\STwQ\T;oe4&[N5YB"$PcTJod{5%^%#
 ike-proposal 2
 local-id-type fqdn
 remote-id-type fqdn
 remote-id bj-vpn
 local-id USG6500E
 dpd type periodic
 remote-address 3.3.3.3
 rsa encryption-padding oaep
 rsa signature-padding pss
 local-id-preference certificate enable
 ikev2 authentication sign-hash sha2-256
ike peer ike167221818422
 undo version 1
 exchange-mode auto
 pre-shared-key %^%#^PL^TF@c7UT2tT3P[Wm3yW^+Tq5|$Q
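The three IPsec entries above reference their ACL and IKE peer by name, one entry is switched off with `undo policy enable`, only two of the three peers carry `undo version 1`, and the interface that terminates the tunnels also permits telnet and http management. Reading a flat dump for those details is error-prone, so here is an added example (not from the original notes and not Huawei tooling) in Python that parses a VRP-style configuration and reports dangling references and the risky settings just listed. `SAMPLE_CONFIG` is constructed: object names follow the page, addresses and pre-shared keys are placeholders, and indentation is restored. The IKEv1 check assumes the USG default of accepting both IKE versions until `undo version 1` is set on the peer.

```python
"""Lint a Huawei USG (VRP-style) IPsec config dump for dangling references
and risky settings.  Added example; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.252
 service-manage https permit
 service-manage telnet permit
 ipsec policy ipsec1671928314
#
security-policy
 rule name policy_sec_2
  source-zone untrust
  destination-zone local
  action permit
#
acl number 3000
 rule 5 permit ip source address-set idc-net10 destination address-set qd-172.16
acl number 3001
 rule 5 permit ip source address-set office-10 destination address-set bj-172.21
#
ipsec policy ipsec1671928314 1 isakmp
 security acl 3000
 ike-peer ike167192831601
 undo policy enable
ipsec policy ipsec1671928314 2 isakmp
 security acl 3001
 ike-peer ike167193124246
ipsec policy ipsec1671928314 3 isakmp
 security acl 3002
 ike-peer ike167221818422
#
ike peer ike167192831601
 pre-shared-key %^%#placeholder%^%#
 remote-address 2.2.2.2
ike peer ike167193124246
 undo version 1
 pre-shared-key %^%#placeholder%^%#
 remote-address 3.3.3.3
#
"""

IPSEC_POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp$")


def parse_blocks(config_text):
    """Split a VRP config into (header, [child lines]): a block starts at a
    non-indented line, indented lines belong to the latest block, '#' and
    blank lines are skipped.  Nesting depth is discarded here."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def index_by_prefix(blocks, prefix):
    """Map the identifier after `prefix` in a block header to its children."""
    return {h[len(prefix) + 1:]: c for h, c in blocks if h.startswith(prefix + " ")}


def child_arg(children, keyword):
    """Last token of the first child line beginning with `keyword`, or None."""
    for line in children:
        if line.startswith(keyword + " "):
            return line.split()[-1]
    return None


def lint(config_text):
    blocks = parse_blocks(config_text)
    acls = index_by_prefix(blocks, "acl number")
    peers = index_by_prefix(blocks, "ike peer")
    findings = []
    for header, children in blocks:
        m = IPSEC_POLICY_RE.match(header)
        if m:
            tag = f"ipsec policy {m.group(1)} {m.group(2)}"
            acl, peer = child_arg(children, "security acl"), child_arg(children, "ike-peer")
            if acl not in acls:  # traffic selector must exist
                findings.append(f"{tag}: security acl {acl} is not defined")
            if peer not in peers:  # peer must exist
                findings.append(f"{tag}: ike-peer {peer} is not defined")
            elif "undo version 1" not in peers[peer]:  # assumption: IKEv1 on by default
                findings.append(f"{tag}: ike-peer {peer} still accepts IKEv1")
            if "undo policy enable" in children:  # entry never brings a tunnel up
                findings.append(f"{tag}: entry is disabled (undo policy enable)")
        elif header.startswith("interface ") and child_arg(children, "ipsec policy"):
            for svc in ("telnet", "http"):  # cleartext management on the WAN side
                if f"service-manage {svc} permit" in children:
                    findings.append(f"{header}: cleartext management '{svc}' permitted on IPsec interface")
        elif header == "security-policy":
            rules, current = [], None
            for line in children:  # re-split the flattened rule list
                if line.startswith("rule name "):
                    current = (line[len("rule name "):], [])
                    rules.append(current)
                elif current:
                    current[1].append(line)
            for name, attrs in rules:  # any-source permit into zone local (the box itself)
                if ("source-zone untrust" in attrs and "destination-zone local" in attrs
                        and "action permit" in attrs
                        and not any(a.startswith(("source-address ", "service ")) for a in attrs)):
                    findings.append(f"security-policy rule {name}: untrust -> local permit with no source or service restriction")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

To run it against a real box, replace `SAMPLE_CONFIG` with the output of `display current-configuration` (the one-space indentation the parser relies on is what the device prints). The proposal and ike-proposal definitions are not shown in the notes above, so the script does not check them; extending `index_by_prefix` to `ipsec proposal` and `ike proposal` is a one-line addition each.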