IPSEC

[IPSEC, image 1]

 pc1 192.168.1.2/24

 pc2 192.168.2.2/24

r2

[IPSEC, image 2]

 

r3

[IPSEC, image 3]

 r1

[IPSEC, image 4]

r2

[Huawei]sy    
[Huawei]sysname R2
[R2]
[R2]
[R2]
[R2]
[R2]
[R2]
[R2]
[R2]ike p    
[R2]ike peer
[R2]ike proposal 1
[R2-ike-proposal-1]en    
[R2-ike-proposal-1]encryption-algorithm aes    
[R2-ike-proposal-1]encryption-algorithm aes-cbc-128
[R2-ike-proposal-1]au    
[R2-ike-proposal-1]authentication-method
[R2-ike-proposal-1]authentication-algorithm a    
[R2-ike-proposal-1]authentication-algorithm s    
[R2-ike-proposal-1]authentication-algorithm sha1
[R2-ike-proposal-1]dh    
[R2-ike-proposal-1]dh g    
[R2-ike-proposal-1]dh group1
[R2-ike-proposal-1]dh group2
[R2-ike-proposal-1]au    
[R2-ike-proposal-1]authentication-algorithm
[R2-ike-proposal-1]authentication-method p    
[R2-ike-proposal-1]authentication-method pre-share 
[R2-ike-proposal-1]sa    
[R2-ike-proposal-1]sa d    
[R2-ike-proposal-1]sa duration ?
  INTEGER<60-604800>  Value of time(in seconds), default is 86400
[R2-ike-proposal-1]sa duration     
[R2-ike-proposal-1]qu
[R2]ike    
[R2]ike p    
[R2]ike peer
[R2]ike proposal 2
[R2-ike-proposal-2]au    
[R2-ike-proposal-2]authentication-algorithm
[R2-ike-proposal-2]authentication-methodp    
[R2-ike-proposal-2]authentication-method p    
[R2-ike-proposal-2]authentication-method pre-share 
[R2-ike-proposal-2]qu
[R2]ike    
[R2]ike p    
[R2]ike peer jjj
Error: This IKE peer is new, please indicate the mode to finish creating it.
[R2]ike peer jjj v    
[R2]ike peer jjj v1
[R2-ike-peer-jjj]pre    
[R2-ike-peer-jjj]pre-shared-key ?
  cipher  Pre-shared-key with cipher text
  simple  Pre-shared-key with plain text
[R2-ike-peer-jjj]pre-shared-key c    
[R2-ike-peer-jjj]pre-shared-key cipher key123
[R2-ike-peer-jjj]ex    
[R2-ike-peer-jjj]exchange-mode ma    
[R2-ike-peer-jjj]exchange-mode main 
[R2-ike-peer-jjj]dis th
[V200R003C00]
#
ike peer jjj v1
 pre-shared-key cipher %$%$CEen2)&z`/OU}T3`bc`N,.2n%$%$
#
return
[R2-ike-peer-jjj]pe    
[R2-ike-peer-jjj]re    
[R2-ike-peer-jjj]re-authentication
[R2-ike-peer-jjj]remote-address
[R2-ike-peer-jjj]dis th    
[R2-ike-peer-jjj]re    
[R2-ike-peer-jjj]re-authentication
[R2-ike-peer-jjj]remote-address 100.1.13.1
[R2-ike-peer-jjj]ike    
[R2-ike-peer-jjj]ike-proposal 1
[R2-ike-peer-jjj]qu
[R2]ip    
[R2]ips    
[R2]ipsec por    
[R2]ipsec por
[R2]ipsec pro    
[R2]ipsec profile
[R2]ipsec proposal jjj
[R2-ipsec-proposal-jjj]en    
[R2-ipsec-proposal-jjj]encapsulation-mode ?
  transport  Only the payload of IP packet is protected(transport mode)
  tunnel     The entire IP packet is protected(tunnel mode)
[R2-ipsec-proposal-jjj]encapsulation-mode t    
[R2-ipsec-proposal-jjj]encapsulation-mode transport
[R2-ipsec-proposal-jjj]encapsulation-mode tunnel
[R2-ipsec-proposal-jjj]es    
[R2-ipsec-proposal-jjj]esp e    
[R2-ipsec-proposal-jjj]esp encryption-algorithm a    
[R2-ipsec-proposal-jjj]esp encryption-algorithm aes-128
[R2-ipsec-proposal-jjj]esp    
[R2-ipsec-proposal-jjj]esp a    
[R2-ipsec-proposal-jjj]esp authentication-algorithm sh    
[R2-ipsec-proposal-jjj]esp authentication-algorithm sha1
[R2-ipsec-proposal-jjj]qu
[R2]acr    
[R2]ac    
[R2]acl 3000
[R2-acl-adv-3000]ru    
[R2-acl-adv-3000]rule p    
[R2-acl-adv-3000]rule permit i    
[R2-acl-adv-3000]rule permit ip so    
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255de    
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255       
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 de    
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168
.2.0 0.0.0.55
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168
.2.0 0.0.0.255
[R2-acl-adv-3000]qu
[R2]ips    
[R2]ipsec po    
[R2]ipsec policy
[R2]ipsec policy jjj 1 is    
[R2]ipsec policy jjj 1 isakmp ?
  template  Use security policy template to establish the IPSec SA
       Please press ENTER to execute command 
[R2]ipsec policy jjj 1 isakmp 
[R2-ipsec-policy-isakmp-jjj-1]pre    
[R2-ipsec-policy-isakmp-jjj-1]pro    
[R2-ipsec-policy-isakmp-jjj-1]proposal jjj
[R2-ipsec-policy-isakmp-jjj-1]ike    
[R2-ipsec-policy-isakmp-jjj-1]ike-peer jjj
[R2-ipsec-policy-isakmp-jjj-1]?
ipsec-policy-isakmp interface view commands:
  arp-ping  ARP-ping
  backup    Backup  information
  clear     Clear
  dialer    Dialer
  display   Display information
  ike-peer  Specify IKE peer
  ipsec     Specify IPSec(IP Security) configuration information
  mtrace    Trace route to multicast source
  pfs       Use perfect forward security(PFS) in IKE phase 2 negotiation
  ping       ping command group
  proposal  Config IPSec security proposal
  qos       QoS configuration
  quit      Exit from current mode and enter prior mode
  reset     reset command group
  return    Enter the privileged mode
  route     Route
  sa        Specify the parameters of security association(SA)
  security  Specify the packets to be protected by this policy
  test-aaa  Accounts test
  tracert   tracert command group
  tunnel    Specify IPSec tunnel parameters
  undo      Negate a command or set its defaults
[R2-ipsec-policy-isakmp-jjj-1]se    
[R2-ipsec-policy-isakmp-jjj-1]security a    
[R2-ipsec-policy-isakmp-jjj-1]security acl 3000
[R2-ipsec-policy-isakmp-jjj-1]dis th
[V200R003C00]
#
ipsec policy jjj 1 isakmp
 security acl 3000
 ike-peer jjj
 proposal jjj
#
return
[R2-ipsec-policy-isakmp-jjj-1]pfs    
[R2-ipsec-policy-isakmp-jjj-1]pfs dg    
[R2-ipsec-policy-isakmp-jjj-1]pfs dh    
[R2-ipsec-policy-isakmp-jjj-1]pfs dh-group2
[R2-ipsec-policy-isakmp-jjj-1]dis th
[V200R003C00]
#
ipsec policy jjj 1 isakmp
 security acl 3000
 pfs dh-group2
 ike-peer jjj
 proposal jjj
#
return
[R2-ipsec-policy-isakmp-jjj-1]qu
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip    
[R2-GigabitEthernet0/0/0]ipsec
[R2-GigabitEthernet0/0/0]ipv6
[R2-GigabitEthernet0/0/0]ipse    
[R2-GigabitEthernet0/0/0]ipsec po    
[R2-GigabitEthernet0/0/0]ipsec policy jjj
 

r3

[Huawei-ike-proposal-1]dh g    
[Huawei-ike-proposal-1]dh group2
[Huawei-ike-proposal-1]qu
[Huawei]ikepe    
[Huawei]ike pe    
[Huawei]ike peer jjj
Error: This IKE peer is new, please indicate the mode to finish creating it.
[Huawei]ike peer jjj v1
[Huawei-ike-peer-jjj]pre    
[Huawei-ike-peer-jjj]pre-shared-key c    
[Huawei-ike-peer-jjj]pre-shared-key cipher key123
[Huawei-ike-peer-jjj]re    
[Huawei-ike-peer-jjj]re-authentication
[Huawei-ike-peer-jjj]remote-address 100.1.12.1
[Huawei-ike-peer-jjj]ike    
[Huawei-ike-peer-jjj]ike-proposal 1
[Huawei-ike-peer-jjj]qu
[Huawei]ips    
[Huawei]ipsec p    
[Huawei]ipsec policy
[Huawei]ipsec pro    
[Huawei]ipsec profile
[Huawei]ipsec proposal jjj
[Huawei-ipsec-proposal-jjj]en    
[Huawei-ipsec-proposal-jjj]encapsulation-mode t    
[Huawei-ipsec-proposal-jjj]encapsulation-mode transport
[Huawei-ipsec-proposal-jjj]e    
[Huawei-ipsec-proposal-jjj]e    
[Huawei-ipsec-proposal-jjj]encapsulation-mode
[Huawei-ipsec-proposal-jjj]esp au    
[Huawei-ipsec-proposal-jjj]esp authentication-algorithm s    
[Huawei-ipsec-proposal-jjj]esp authentication-algorithm sha1
[Huawei-ipsec-proposal-jjj]es    
[Huawei-ipsec-proposal-jjj]esp e    
[Huawei-ipsec-proposal-jjj]esp encryption-algorithm e    
[Huawei-ipsec-proposal-jjj]esp encryption-algorithm e
[Huawei-ipsec-proposal-jjj]esp encryption-algorithm a    
[Huawei-ipsec-proposal-jjj]esp encryption-algorithm aes-128
[Huawei-ipsec-proposal-jjj]dis    
[Huawei-ipsec-proposal-jjj]display t    
[Huawei-ipsec-proposal-jjj]display this
[V200R003C00]
#
ipsec proposal jjj
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
return
[Huawei-ipsec-proposal-jjj]qu
[Huawei]acl    
[Huawei]acl 3000
[Huawei-acl-adv-3000]ru    
[Huawei-acl-adv-3000]rule p    
[Huawei-acl-adv-3000]rule permit ip    
[Huawei-acl-adv-3000]rule permit ip s    
[Huawei-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 d    
[Huawei-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination192.
168.1.0 0.0.0.255
                                                                 ^
Error:Too many parameters found at '^' position.
[Huawei-acl-adv-3000]qu
[Huawei]ip    
[Huawei]ipsec p    
[Huawei]ipsec profile jjj 1is    
[Huawei]ipsec profile jjj 1 is    
[Huawei]ipsec profile jjj 1     
[Huawei]ipsec profile jjj 1 is    
[Huawei]ipsec profile jjj 1 is
[Huawei]ipsec profile jjj 1 isa    
[Huawei]ipsec profile jjj 1 is    
[Huawei]ipsec profile jjj 1 isak    
[Huawei]ipsec profile jjj 1 isakmp
                          ^
Error:Too many parameters found at '^' position.
[Huawei]ipsec profile jjj 1 is    
[Huawei]ipsec profile jjj 1 isakmp
                          ^
Error:Too many parameters found at '^' position.
[Huawei]ip    
[Huawei]ips    
[Huawei]ipsec p    
[Huawei]ipsec policy jjj 1 i    
[Huawei]ipsec policy jjj 1 isakmp 
[Huawei-ipsec-policy-isakmp-jjj-1]ips    
[Huawei-ipsec-policy-isakmp-jjj-1]pr    
[Huawei-ipsec-policy-isakmp-jjj-1]proposal jjj
[Huawei-ipsec-policy-isakmp-jjj-1]ike    
[Huawei-ipsec-policy-isakmp-jjj-1]ike-peer jjj
[Huawei-ipsec-policy-isakmp-jjj-1]se    
[Huawei-ipsec-policy-isakmp-jjj-1]security a    
[Huawei-ipsec-policy-isakmp-jjj-1]security acl 3000
[Huawei-ipsec-policy-isakmp-jjj-1]p    
[Huawei-ipsec-policy-isakmp-jjj-1]pfs d    
[Huawei-ipsec-policy-isakmp-jjj-1]pfs dh-group2
[Huawei-ipsec-policy-isakmp-jjj-1]qu
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ips    
[Huawei-GigabitEthernet0/0/0]ipsec p    
[Huawei-GigabitEthernet0/0/0]ipsec policy jjj
Error: The IPSec policy does not specify an acl with rule configured.
[Huawei-GigabitEthernet0/0/0]ip    
[Huawei-GigabitEthernet0/0/0]ips    
[Huawei-GigabitEthernet0/0/0]ipsec p    
[Huawei-GigabitEthernet0/0/0]ipsec policy jjj
Error: The IPSec policy does not specify an acl with rule configured.
[Huawei-GigabitEthernet0/0/0]dis this    
[Huawei-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 100.1.13.1 255.255.255.0 
#
return
[Huawei-GigabitEthernet0/0/0]ipsec policy jjj
Error: The IPSec policy does not specify an acl with rule configured.
[Huawei-GigabitEthernet0/0/0]qu
[Huawei]ip    
[Huawei]ips    
[Huawei]ipsec p    
[Huawei]ipsec policy1
              ^
Error: Unrecognized command found at '^' position.
[Huawei]ipsec policy 1
                       ^
Error:Incomplete command found at '^' position.
[Huawei]ipsec policy 1 jjj
                       ^
Error: Wrong parameter found at '^' position.
[Huawei]ipsec policy  jjj
                          ^
Error:Incomplete command found at '^' position.
[Huawei]ike p    
[Huawei]ike proposal
[Huawei]ike peer jjj
[Huawei-ike-peer-jjj]dis th
[V200R003C00]
#
ike peer jjj v1
 pre-shared-key cipher %$%$CEen2)&z`/OU}T3`bc`N,.2n%$%$
 ike-proposal 1
 remote-address 100.1.12.1
#
return
[Huawei-ike-peer-jjj]qu
[Huawei]ips    
[Huawei]ipsec p    
[Huawei]ipsec policy
[Huawei]ipsec policy-template
[Huawei]ipsec profile
[Huawei]ipsec proposal jjj
[Huawei-ipsec-proposal-jjj]dis    
[Huawei-ipsec-proposal-jjj]display th
[V200R003C00]
#
ipsec proposal jjj
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
return
[Huawei-ipsec-proposal-jjj]qu
[Huawei]acl    
[Huawei]acl 3000
[Huawei-acl-adv-3000]ru    
[Huawei-acl-adv-3000]rule p    
[Huawei-acl-adv-3000]dis th
[V200R003C00]
#
acl number 3000  
#
return
[Huawei-acl-adv-3000]ru    
[Huawei-acl-adv-3000]rule p    
[Huawei-acl-adv-3000]rule permit ip    
[Huawei-acl-adv-3000]rule permit ips    
[Huawei-acl-adv-3000]rule permit ip      
[Huawei-acl-adv-3000]rule permit ip s    
[Huawei-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 d    
[Huawei-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192
.168.1.0 0.0.0.255
[Huawei-acl-adv-3000]dis th
[V200R003C00]
#
acl number 3000  
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 
#
return
[Huawei-acl-adv-3000]qu
[Huawei]ip    
[Huawei]ipsec p    
[Huawei]ipsec profile jjj    
[Huawei]ipsec profile    
[Huawei]ipsec pro    
[Huawei]ipsec profile
[Huawei]ipsec proposal
[Huawei]ipsec profile
[Huawei]ipsec proposal
[Huawei]ipsec po    
[Huawei]ipsec policy jjj
                         ^
Error:Incomplete command found at '^' position.
[Huawei]ipsec policy jjj 1 is    
[Huawei]ipsec policy jjj 1 isakmp 
[Huawei-ipsec-policy-isakmp-jjj-1]dis th
[V200R003C00]
#
ipsec policy jjj 1 isakmp
 security acl 3000
 pfs dh-group2
 ike-peer jjj
 proposal jjj
#
return
[Huawei-ipsec-policy-isakmp-jjj-1]qu
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip    
[Huawei-GigabitEthernet0/0/0]ips    
[Huawei-GigabitEthernet0/0/0]ipsec p    
[Huawei-GigabitEthernet0/0/0]ipsec policy jjj
[IPSEC, image 5]
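Added example (not part of the original post): a Python check that compares the IPsec proposal and PFS settings typed on r2 and r3 and verifies that every ACL 3000 rule on one side has a mirror rule on the other. The command lists are constructed from the two sessions above, assuming every completed line without an error was accepted; the function names are this example's own.

```python
from ipaddress import IPv4Address
# Constructed input: completed commands from the R2 and R3 sessions above.
R2 = """\
encapsulation-mode transport
encapsulation-mode tunnel
esp encryption-algorithm aes-128
esp authentication-algorithm sha1
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.55
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
pfs dh-group2
"""
R3 = """\
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
pfs dh-group2
"""
SINGLE = ("encapsulation-mode", "esp encryption-algorithm",
          "esp authentication-algorithm", "pfs")

def parse(text):
    """Assumes a repeated setting overrides the earlier one; rule lines accumulate."""
    settings, flows = {}, set()
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["rule", "permit", "ip"]:
            flows.add((" ".join(w[4:6]), " ".join(w[7:9])))  # (source, destination)
        for key in SINGLE:
            if line.startswith(key + " "):
                settings[key] = line[len(key):].strip()
    return settings, flows

def contiguous(wildcard):  # True when the 1-bits form one unbroken low-order run
    return (n := int(IPv4Address(wildcard))) & (n + 1) == 0

def compare(a, b, names=("R2", "R3")):  # returns a list of finding strings
    (sa, fa), (sb, fb) = parse(a), parse(b)
    out = [f"{k}: {sa.get(k)} vs {sb.get(k)}" for k in SINGLE if sa.get(k) != sb.get(k)]
    for name, mine, peer in ((names[0], fa, fb), (names[1], fb, fa)):
        for src, dst in sorted(mine):
            if (dst, src) not in peer:
                out.append(f"{name}: {src} -> {dst} has no mirror rule on the peer")
            if not all(contiguous(x.split()[1]) for x in (src, dst)):
                out.append(f"{name}: {src} -> {dst} has a non-contiguous wildcard")
    return out

if __name__ == "__main__":
    print("\n".join(compare(R2, R3)))
```

On this constructed input it reports the encapsulation-mode difference (tunnel on r2, transport on r3) and the leftover 0.0.0.55 rule on r2, which has no mirror on r3.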

 

 

 
