H3CIPV6之ipsec+IKE野蛮模式典型组网配置案例

R1组网说明：本案例采用H3CHCL模拟器来模拟IPV6IPSECIKE+蛮模式典型组网配置。为了确保数据的传输安全，在R1与R2之间建立IPSECVPF隧道采用野蛮模式。最后R1与R2之间采用OSPFV3路由协议互联。配置思路：1、按照网络拓扑图正确配置 IP地址2、 R1与R2之间运行OSPFV3路由协议3、 R1与R2采用IPSECIKE野蛮模式建立VPN隧道。配置过程：第一阶段调试（基础网络配置）：SW1：<H3C>sysSystemView:returntoUserViewwithCtrl+Z.[H3C]sysnameSW1[SW1]intloopback0[SW1-LoopBackO]ipaddress3.3.3.332[SW1-LoopBackO]quit[SW1]ospfv31[SW1-ospfv3-1]import-routedirect[SW1-ospfv3-1]router-id3.3.3.3[SW1-ospfv3-1]quit[SW1]intgi1/0/1[SW1-GigabitEthernet1/0/1]portlink-moderoute[SW1-GigabitEthernet1/0/1]des<connecttoR2>[SW1-GigabitEthernet1/0/1]ipv6address3::264[SW1-GigabitEthernet1/0/1]ospfv31area0[SW1-GigabitEthernet1/0/1]quitR1：<H3C>sysSystemView:returntoUserViewwithCtrl+Z.[H3C]sysnameR1[R1]intloopback0[R1-LoopBack0]ipaddress1.1.1.132[R1-LoopBack0]quit[R1]ospfv31[R1-ospfv3-1]router-id1.1.1.1[R1-ospfv3-1]import-routedirect[R1-ospfv3-1]quit[R1]intgi0/0[R1-GigabitEthernet0/0]ipv6address1::164[R1-GigabitEthernet0/0]ospfv31area0[R1-GigabitEthernet0/0]quit[R1]ints1/0[R1-Serial1/0]des<connecttoR2>[R1-Serial1/0]ipv6address2::164[R1-Serial1/0]ospfv31area0[R1-Serial1/0]quitR2：<H3C>sysSystemView:returntoUserViewwithCtrl+Z.[H3C]sysnameR2[R2]intloopback0[R2-LoopBack0]ipaddress2.2.2.232[R2-LoopBack0]quit[R2]ospfv31[R2-ospfv3-1]import-routedirect[R2-ospfv3-1]router-id2.2.2.2[R2-ospfv3-1]quit[R2]ints1/0[R2-Serial1/0]des<connecttoR1>[R2-Serial1/0]ipv6address2::264[R2-Serial1/0]ospfv31area0[R2-Serial1/0]quit[R2]intgi0/0[R2-GigabitEthernet0/0]des<connecttoSW1>[R2-GigabitEthernet0/0]ipv6address3::164[R2-GigabitEthernet0/0]ospfv31area0[R2-GigabitEthernet0/0]quit第一阶段测试：物理机填写IP地址:第二阶段调试（IPSEC+IKE予蛮模式关键配置点）：[R1]aclipv6advaneed3000[R1-acl-ipv6-adv-3000]rule0permitipv6source1::/64destination3::/64[R1-acl-ipv6-adv-3000]quit[R1]ikeidentityfqdnr1[R1]ikeproposal1[R1-ike-proposal-1]quit[R1]ikekeychainjames[R1-ike-keychain-james]pre-shared-keyaddressipv62::264keysimplejames[R1-ike-keychain-james]quit[R1]ikeprofilejames[R1-ike-profile-james]keychainjames[R1-ike-profile-james]proposal1[R1-ike-profile-james]matchremoteidentityaddressipv62::2[R1-ike-profile-james]exchange-modeaggressive[R1-ike-profile-james]quit[R1]ipsectransform-setjames[R1-ipsec-transform-set-james]protocolesp[R1-ipsec-transform-set-james]encapsulation-modetunnel[R1-ipsec-transform-set-james]espauthentication-algorithmmd5[R1-ipsec-transform-set-james]espencryption-algorithmdes-cbc[R1-ipsec-transform-set-james]quit[R1]ipsecipv6-policyjames1isakmp[R1-ipsec-ipv6-policy-isakmp-james-1]securityaclipv63000[R1-ipsec-ipv6-policy-isakmp-james-1]transform-setjames[R1-ipsec-ipv6-policy-isakmp-james-1]ike-profilejames[R1-ipsec-ipv6-policy-isakmp-james-1]remote-addressipv62::2[R1-ipsec-ipv6-policy-isakmp-james-1]quit[R1]ints1/0[R1-Serial1/0]ipsecapplyipv6-policyjames[R1-Serial1/0]quitR2：[R2]aclipv6advanced3000[R2-acl-ipv6-adv-3000]rule0permitipv6source3::/64destination1::/64[R2-acl-ipv6-adv-3000]quit[R2]ikeidentityfqdnr2[R2]ikeproposal1[R2-ike-proposal-1]quit[R2]ikekeychainjames[R2-ike-keychain-james]pre-shared-keyhostnamer1keysimplejames[R2-ike-keychain-james]quit[R2]ipsectransform-setjames[R2-ipsec-transform-set-james]protocolesp[R2-ipsec-transform-set-james]encapsulation-modetunnel[R2-ipsec-transform-set-james]espauthentication-algorithmmd5[R2-ipsec-transform-set-james]espencryption-algorithmdes-cbc[R2-ipsec-transform-set-james]quit[R2]ikeprofilejames[R2-ike-profile-james]keychainjames[R2-ike-profile-james]proposal1[R2-ike-profile-james]matchremoteidentityfqdnr1[R2-ike-profile-james]exchange-modeaggressive[R2-ike-profile-james]quit[R2]ipsecipv6-policy-templatejames1[R2-ipsec-ipv6-policy-template-james-1]securityaclipv63000[R2-ipsec-ipv6-policy-template-james-1]ike-profilejames[R2-ipsec-ipv6-policy-template-james-1]transform-setjames[R2-ipsec-ipv6-policy-template-james-1]quit[R2]ipsecipv6-policyjames1isakmptemplatejames[R2]ints1/0[R2-Serial1/0]ipsecapplyipv6-policyjames[R2-Serial1/0]quit第二阶段测试：查看R1的IPSEC显示信息:[Rl]disipsectunnelTunnelID：0Sta七口日：ActivePerfectforwardaecrecy:Inaidevpn-instanc已=S真SFI:QU^QUD^；230707375 [ESP]inbound： 2239B5553 [ESF]Tunnel:Localaddress：2;：1remoteaddress;2;;2Flow:souraddr:1::port:0prorecal:ipv6descaddr:3:：port:0protocol:ipvft[Rl]查看R2的IPSEC显示信息:[R2]disipsecipv6-policyIPsecEolxcy:jamesInterface:Seriall/OSequencenumber:1Mode:TemplacePolicytemplatename:james[R2]|[R2]dlsipsecipv6-policy-templaceIPsecPolicyTexnplare:jam.esSequencenumber:1TrafficFlowConfidentiality:DisabledSecuritydataflow:3000Selectormode:standardLocaladdress:IKEprofile:JamesIKEv2profile:Remoteaddress:Transformset:JamesIPsecSAlocalduration(timebased.):IPsecSAlocalduration(trafficbased):SAidletime![R2]|TOC\o"1-5"\h\z[RZjaisipsecuransrorm-seu ■IPsectransformsec:james HState:complete ■Encapsulationmode:tunnel ■ESN:Disabled HPFS： .Transform:ESP HESPprotocol:Integrity;MD5 .Encryption:DE5-CBC ■[R2]|[R2]disIpseqvurmelTunnelID;QSeamus:ActivePerfectCoryraxdsecrecy:Insidevpn-insvance:SA"5Sfl；outbound：2239S5SS3 {0x0cl59b±51} [ESP]inbound: 2907B7375 {0itll551D2f) [ESP]Tunnel：localaddress;2;;2remoEeaddress:2::1Flow:sour耳口口匚；3;：/6^port;;0prorocol:ipv-&desLaddr:1!:/6^portiQprotocol:ipv^[R2]|[R3]disikema匚口口nection-ID RemoteFlagDOI12：：1Flags:RD―EtEADYRL--ELEPLACEDFD-FADING[R2]|RDRE-REKEVIF^ec物理机依然可以PING通SW1:\_IKbL*-!iL_2 S5B0O^-Mfl5-GE_3Q<SWl>tFefc2414:24:SS:5«-62□SOSW1SHELL；S/BEELLLOGIS:Censelalegged二血fzamccnO・<S«1><SW1><3W1><5wi>pmoIDVfi1：52Pijig6(5€da:凰bycGfl)3n2--->1:i2rpeens7TRLZtabre