A console cable cannot be replaced by a network cable; they are two different things. For the initial password, call 800-810-0504 and ask the network administrator. Hope this helps.
Lab objective: understand H3C's typical IPsec configuration method
Lab topology: FW1 and PC1 are at headquarters, FW2 and PC2 are at the branch.
FW1 and FW2 act as gateways connected through the ISP; an IPsec tunnel is built between them
so that PC1 and PC2 can reach each other across the two internal networks.
Lab configuration:
PC1: 192.168.1.2/24, gateway 192.168.1.1
PC2: 192.168.2.2/24, gateway 192.168.2.1
ISP configuration:
sysname ISP
interface GigabitEthernet0/0
ip address 12.0.0.2 255.255.255.252
interface GigabitEthernet0/1
ip address 23.0.0.2 255.255.255.252
FW1 configuration:
sysname FW1
interface GigabitEthernet1/0/0
ip address 12.0.0.1 255.255.255.252
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
security-zone name Trust
import interface GigabitEthernet1/0/2
security-zone name Untrust
import interface GigabitEthernet1/0/0
security-policy ip
rule 0 name 2-fw2
action pass
// Configure the interface IP addresses, add the interfaces to their security zones, and permit all traffic
ip route-static 0.0.0.0 0 12.0.0.2
ip route-static 192.168.2.0 24 23.0.0.1
// Configure the default route and the specific route for the remote IPsec network
acl advanced 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip
// ACL used for NAT
// Deny (exempt from NAT) the interesting traffic: local LAN 192.168.1.0/24 to remote LAN 192.168.2.0/24
acl advanced 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
// ACL 3001 is used by IPsec to match the interesting traffic
// IKE phase
ike keychain 2-fw2
pre-shared-key address 23.0.0.1 32 key simple h3c
// Create the IKE keychain used to authenticate the peer; the address is the peer's address and the pre-shared key must be identical on both ends
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
// Create the IKE proposal and set the encryption and authentication algorithms (3DES/MD5 are lab choices; production deployments use AES and SHA-2)
ike profile 2-fw2
keychain 2-fw2
local-identity address 12.0.0.1
match remote identity address 23.0.0.1 30
match local address GigabitEthernet1/0/0
proposal 1
// Create the IKE profile for negotiation with the peer: reference the keychain and proposal above,
// and configure the local and remote addresses
// IPsec phase:
ipsec transform-set 2-fw2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
// Configure the transform set (ESP encryption and authentication algorithms)
ipsec policy 2-fw2 10 isakmp
transform-set 2-fw2
security acl 3001
local-address 12.0.0.1
remote-address 23.0.0.1
ike-profile 2-fw2
// Configure the IPsec policy: name 2-fw2, sequence number 10 is the first entry;
// reference the transform set and ACL, set both endpoint addresses, then reference the phase-1 IKE profile
interface GigabitEthernet1/0/0
ipsec apply policy 2-fw2
nat outbound 3000
// Apply the IPsec policy and NAT on the interface
FW2 configuration: (explanation as above; the configuration must mirror FW1 exactly)
sysname FW2
interface GigabitEthernet1/0/0
ip address 23.0.0.1 255.255.255.252
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
security-zone name Trust
import interface GigabitEthernet1/0/2
security-zone name Untrust
import interface GigabitEthernet1/0/0
security-policy ip
rule 0 name 2-fw1
action pass
ip route-static 0.0.0.0 0 23.0.0.2
ip route-static 192.168.1.0 24 12.0.0.1
// next hop is the peer's public address, mirroring FW1's route to 192.168.2.0/24
acl advanced 3000
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
acl advanced 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike keychain 2-fw1
pre-shared-key address 12.0.0.1 32 key simple h3c
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
ike profile 2-fw1
keychain 2-fw1
local-identity address 23.0.0.1
match remote identity address 12.0.0.1 32
match local address GigabitEthernet1/0/0
proposal 1
ipsec transform-set 2-fw1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy 2-fw1 10 isakmp
transform-set 2-fw1
security acl 3001
local-address 23.0.0.1
remote-address 12.0.0.1
ike-profile 2-fw1
interface GigabitEthernet1/0/0
ipsec apply policy 2-fw1
nat outbound 3000
After the configuration is complete, verify that the internal PCs can reach each other and check on the firewalls that the IKE and IPsec SAs are up:
display ike sa
display ipsec sa
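Most failures in a setup like this come from the two sides not mirroring each other (keychain address, policy endpoints, NAT exemption versus IPsec ACL). As an added check that is not part of the original lab, the Python script below (my own helper, not H3C tooling) parses the lines that must agree between the two firewalls and reports any mismatch; the config excerpts are constructed from the lab's values.

```python
import re
# Constructed excerpts of the lab's FW1 and FW2 configs, trimmed to the lines this check reads.
FW1 = """acl advanced 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl advanced 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
pre-shared-key address 23.0.0.1 32 key simple h3c
local-address 12.0.0.1
remote-address 23.0.0.1"""
FW2 = """acl advanced 3000
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl advanced 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
pre-shared-key address 12.0.0.1 32 key simple h3c
local-address 23.0.0.1
remote-address 12.0.0.1"""
RULE = re.compile(r"rule \d+ (deny|permit) ip source (\S+) \S+ destination (\S+)")

def parse(cfg):
    """Extract the facts that must agree across the two peers (hypothetical helper, not H3C tooling)."""
    facts = {"nat_deny": None, "ipsec_permit": None}
    for line in cfg.splitlines():
        line = line.strip()
        if (m := RULE.match(line)):            # the deny rule is the NAT exemption, the permit is the IPsec ACL
            key = "nat_deny" if m.group(1) == "deny" else "ipsec_permit"
            facts[key] = (m.group(2), m.group(3))      # (local LAN, remote LAN)
        elif line.startswith("pre-shared-key address"):
            facts["ike_peer"] = line.split()[2]        # peer address in the keychain
        elif line.startswith(("local-address", "remote-address")):
            facts[line.split()[0]] = line.split()[1]   # endpoints in the ipsec policy
    return facts

def check(a_name, a_cfg, b_name, b_cfg):
    """Return a list of mismatches between two peers; an empty list means the configs mirror correctly."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    for name, me, peer in ((a_name, a, b), (b_name, b, a)):
        if me["ike_peer"] != me["remote-address"]:
            findings.append(f"{name}: keychain address {me['ike_peer']} != remote-address {me['remote-address']}")
        if me["remote-address"] != peer["local-address"]:
            findings.append(f"{name}: remote-address {me['remote-address']} is not the peer's local-address")
        if me["nat_deny"] != me["ipsec_permit"]:
            findings.append(f"{name}: NAT exemption {me['nat_deny']} does not match IPsec ACL {me['ipsec_permit']}")
        if me["ipsec_permit"] != tuple(reversed(peer["ipsec_permit"])):
            findings.append(f"{name}: IPsec ACL is not the mirror image of the peer's")
    return findings

if __name__ == "__main__":
    print(check("FW1", FW1, "FW2", FW2) or "FW1 and FW2 mirror correctly")
```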
Just restore the factory settings. On the back of the router there is a small hole labelled RES; press it with a thin stick and hold it, preferably for about 30 seconds. Many routers now have the reset as a small raised black button instead, which is even easier.
After the factory reset, open a browser and enter 192.168.1.1 or 192.168.0.1, then enter the username and password. The default is usually admin, but it may differ between routers. What then?
Turn the router over and look at the bottom; the default username and password are usually printed on a label there. Enter them to log in and configure it again.