华为防火墙对cisco 路由器点…

模拟器连接图：

huaweiFW1：

基本配置

interface GigabitEthernet0/0/0

 ip address 192.168.1.10 255.255.255.0

quit

interface GigabitEthernet0/0/1

 ip address 202.100.1.10 255.255.255.0

quit

firewall zone trust

 add interface GigabitEthernet0/0/0

quit

firewall zone untrust

 add interface GigabitEthernet0/0/1

quit

ip route-static 172.16.1.0 255.255.255.0 202.100.1.20

policy interzone local untrust inbound

 policy 0

  action permit

quit

quit

policy interzone trust untrust inbound

 policy 0

  action permit

quit

quit

policy interzone trust untrust outbound

 policy 0

  action permit

quit

quit

配置IPsec策略

ike proposal 10 ==创建IKE提议，并进入IKE视图

 encryption-algorithm 3des-cbc  ==指定一个供 IKE 提议使用的加密算法

默认使用的是IKE认证算法 cbc    authentication-method pre-share 

 dh group2  ===配置IKE阶段1密钥协商时所使用的参数

quit

配置IKE对等体

ike peer b

 version 1  配置版本

 pre-shared-key hcies ==配置采用预共享密钥认证时，所使用的预共享密钥

 ike-proposal 10

 remote-address 202.100.1.20

quit

ipsec proposal mypro

 esp authentication-algorithm sha1

 esp encryption-algorithm 3des

quit

ipsec policy mymap 10 isakmp

 security acl 3000

 ike-peer b                          

 proposal mypro

quit

interface GigabitEthernet0/0/1

 ipsec policy mymap

cisco7200：

interface Loopback0

 ip address 172.16.1.1 255.255.255.0

exit

interface FastEthernet0/0

 ip address 202.100.1.20 255.255.255.0

 no shut

exit

ip route 192.168.1.0 255.255.255.0 202.100.1.10

access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.00.0.0.255

crypto isakmp policy 10

 encryption 3des

 authentication pre-share

 group 2

exit

crypto isakmp key hcies address 202.100.1.10

crypto ipsec transform-set myset esp-3desesp-sha-hmac 

exit

crypto map mymap 10 ipsec-isakmp 

 set peer 202.100.1.10

 set transform-setmyset 

 match address 110

exit

interface FastEthernet0/0

 crypto map mymap

exit

AR1PC：

interface GigabitEthernet0/0/0

 ip address 192.168.1.1255.255.255.0 

quit

ip route-static 0.0.0.0 0.0.0.0 192.168.1.10

quit

思科查看