H3C MSR 2630 to HUAWEI AR1220C-S IPsec VPN interconnection in aggressive mode

Background:
Qianhai office: router H3C MSR 2630, public IP 113.105.103.165, internal subnet carried over the tunnel 192.168.16.0/24.
Shajing factory: router HUAWEI AR 1220, no public IP (ADSL dial-up, NAT for internet access), internal subnet 10.255.254.0/24.

Because the factory side has no fixed public address, the H3C side is configured as the responder with an IPsec policy template that accepts any peer address, and the Huawei side initiates in IKEv1 aggressive mode. Keep in mind what that means: with "match remote identity address 0.0.0.0 0.0.0.0" and a pre-shared key bound to 0.0.0.0, the PSK is the only thing that authenticates the remote end, and in IKEv1 aggressive mode the identity hash travels unencrypted, so a captured exchange can be cracked offline against a weak key. Use a long random PSK. The ESP transform set below also still uses 3des-cbc/sha1; it works, but on a new tunnel prefer AES with SHA-2 on both ends.

No more talk, straight to the configuration.

H3C router

1. Define the ESP algorithms (IPsec transform set) and the policy template:
#
ipsec transform-set QHSJ
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template QHSJ 65535
 transform-set QHSJ
 ike-profile QHSJ
 sa duration time-based 3600
 sa duration traffic-based 1843200
#

The policy template carries no ACL: as responder, the H3C accepts the flow range (proxy IDs) proposed by the initiator, so the Huawei side's ACL 3999 below is what actually defines the protected traffic.

2. Define the IKE profile, the IKE proposal and the IPsec policy that references the template:
#
ike profile QHSJ
 keychain QHSJ
 exchange-mode aggressive
 local-identity address 113.105.103.165
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 65535
#
ike proposal 65535
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha256
#
ipsec policy QHSJ 65535 isakmp template QHSJ
#

Set the IKE pre-shared key (the key is stored in encrypted form; the blob shown is what the running config displays):
ike keychain QHSJ
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$bfLOzAajDzMJqehtg6PwVT9ABrT1kW2qPKg2
#

Note: the tunnel traffic must be excluded from outbound NAT. The NAT ACL on the WAN interface is evaluated before IPsec, so without the deny rule the source addresses get translated and the packets never match the tunnel. This has nothing to do with mixing vendors; it is needed whenever NAT and IPsec share an interface.
#
acl advanced 3000
 rule 5 deny ip source 192.168.16.0 0.0.0.255 destination 10.255.254.0 0.0.0.255
 rule 1000 permit ip
#

Then apply the policy on the router's WAN interface:
#
interface GigabitEthernet0/3
 port link-mode route
 description Multiple_Line
 ip address 113.105.103.165 255.255.255.128
 nat outbound 3000
 ipsec apply policy QHSJ
#

Static routes: point them yourself; they are not shown here.

Huawei router

#
ipsec proposal branch_p1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer branch_p1
 undo version 2
 exchange-mode aggressive
 pre-shared-key cipher %^%#k[&6K=34->s/zW+9|idQ#9Z16)qR_NR^xk$Nf\7W%^%#
 ike-proposal 1
 remote-address 113.105.103.165
#
acl name b_GigabitEthernet0/0/11_1 3999
 rule 6 permit ip source 10.255.254.0 0.0.0.255 destination 192.168.16.0 0.0.0.255
#
ipsec policy branch_p 1 isakmp
 security acl 3999
 ike-peer branch_p1
 proposal branch_p1
#

Two things to check here: "ike proposal default" is the built-in proposal and uses aes-256, which would not match the H3C proposal; the peer references "ike-proposal 1" (aes-128, group14, sha2-256), which does. "undo version 2" pins the peer to IKEv1, which is what the H3C ike profile expects.

Likewise, the interesting traffic must be excluded from NAT:
acl number 3000
 rule 5 deny ip source 10.255.254.0 0.0.0.255 destination 192.168.16.0 0.0.0.255
 rule 1000 permit ip
#

Finally, apply the policy on the Huawei router's interface:
interface GigabitEthernet0/0/11
 description CHinanet
 ip address 192.168.1.100 255.255.255.0
 nat outbound 3000
 ipsec policy branch_p

First verify with display ike sa, display ipsec sa and display ipsec statistics. If the input/output counters increase normally, it's done. If the IKE SA is missing, compare the two sides' phase 1 proposals and exchange mode first; if the IKE SA is up but the IPsec SA never forms, the ACLs on the two sides (3999 on the Huawei, the proposed flow on the H3C) are the usual culprit.

This article is original work by an engineer with a miserable fate; please show some encouragement.

Configuration below: HUAWEI AR 1220C-S (no public IP), H3C MSR2630-XS (public IP).
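As an added example (not part of the original post and not either vendor's tooling), here is a small Python script that does the "compare the two sides' proposals" step before you bring the tunnel up. The two config excerpts embedded in it are constructed from the values on this page, with the cipher-text PSK blobs replaced by a placeholder; the parser only understands the command keywords that appear on this page (Comware transform-set/profile/keychain syntax and VRP proposal/peer syntax). It normalises the vendor spellings (aes-cbc-128 vs aes-128, sha256 vs sha2-256, 3des-cbc vs 3des), reports phase 1 and phase 2 mismatches, and flags the weak ESP algorithms and the any-peer PSK used with aggressive mode.

```python
"""Cross-check H3C (Comware) and Huawei (VRP) IKE/IPsec settings.

Added example, not code from the original post. It parses the two config
excerpts below (constructed from the post's values; PSK blobs replaced by a
placeholder), normalises vendor-specific algorithm names, checks that the
phase 1 and phase 2 proposals agree, and flags weak algorithms and an
any-peer pre-shared key combined with IKEv1 aggressive mode.
"""

# Constructed excerpt of the H3C side: only the sections the check needs.
H3C_CFG = """
ipsec transform-set QHSJ
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ike proposal 65535
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha256
ike profile QHSJ
 exchange-mode aggressive
 match remote identity address 0.0.0.0 0.0.0.0
ike keychain QHSJ
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher PLACEHOLDER
"""

# Constructed excerpt of the Huawei side. Only proposal 1 is listed because
# "ike peer branch_p1" references it, not the built-in "ike proposal default".
HUAWEI_CFG = """
ipsec proposal branch_p1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
ike peer branch_p1
 undo version 2
 exchange-mode aggressive
 pre-shared-key cipher PLACEHOLDER
 ike-proposal 1
"""

# Vendor spellings mapped to one canonical name so the two sides compare.
ALIASES = {
    "3des-cbc": "3des", "3des": "3des", "des-cbc": "des", "des": "des",
    "aes-cbc-128": "aes128", "aes-128": "aes128",
    "aes-cbc-256": "aes256", "aes-256": "aes256",
    "md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha2-256": "sha256",
    "group2": "group2", "group14": "group14",
}
# Algorithms a reviewer would not accept on a new tunnel.
WEAK = {"des", "3des", "md5", "sha1", "group2"}


def canon(name):
    return ALIASES.get(name, name)


def sections(cfg):
    """Split CLI config text into {header line: [indented sub-lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif cur is not None:
            out[cur].append(line.strip())
    return out


def grab(lines, key):
    """Return the value after `key` in a section, or None if absent."""
    for line in lines:
        if line.startswith(key + " "):
            return line[len(key) + 1:].strip()
    return None


def summarize(cfg):
    """Extract phase 1, phase 2, exchange mode and any-peer facts."""
    s = {"p1": None, "p2": None, "mode": None, "any_peer": False, "weak": set()}
    for hdr, lines in sections(cfg).items():
        if hdr.startswith("ike proposal"):
            s["p1"] = (canon(grab(lines, "encryption-algorithm")),
                       canon(grab(lines, "authentication-algorithm")),
                       canon(grab(lines, "dh")))
        elif hdr.startswith(("ipsec transform-set", "ipsec proposal")):
            s["p2"] = (canon(grab(lines, "esp encryption-algorithm")),
                       canon(grab(lines, "esp authentication-algorithm")))
        elif hdr.startswith(("ike profile", "ike peer")):
            s["mode"] = grab(lines, "exchange-mode")
            if grab(lines, "match remote identity address") == "0.0.0.0 0.0.0.0":
                s["any_peer"] = True
        elif hdr.startswith("ike keychain"):
            if any(l.startswith("pre-shared-key address 0.0.0.0 0.0.0.0") for l in lines):
                s["any_peer"] = True
    for alg in (s["p1"] or ()) + (s["p2"] or ()):
        if alg in WEAK:
            s["weak"].add(alg)
    return s


def check(h3c_cfg, huawei_cfg):
    """Return a list of findings; an empty list means nothing to report."""
    a, b = summarize(h3c_cfg), summarize(huawei_cfg)
    findings = []
    if a["p1"] != b["p1"]:
        findings.append(f"phase 1 mismatch: {a['p1']} vs {b['p1']}")
    if a["p2"] != b["p2"]:
        findings.append(f"phase 2 mismatch: {a['p2']} vs {b['p2']}")
    if a["mode"] != b["mode"]:
        findings.append(f"exchange-mode mismatch: {a['mode']} vs {b['mode']}")
    weak = a["weak"] | b["weak"]
    if weak:
        findings.append("weak algorithms in use: " + ", ".join(sorted(weak)))
    if (a["any_peer"] or b["any_peer"]) and "aggressive" in (a["mode"], b["mode"]):
        findings.append("any-peer PSK with IKEv1 aggressive mode: the PSK is the "
                        "only authentication and is exposed to offline cracking")
    return findings


if __name__ == "__main__":
    for finding in check(H3C_CFG, HUAWEI_CFG):
        print("-", finding)
```

Run as-is it reports no proposal mismatch for the configuration on this page, only the 3des/sha1 ESP algorithms and the any-peer aggressive-mode PSK. Swapping the Huawei side's aes-128 for the aes-256 of "ike proposal default" makes it report a phase 1 mismatch, which is exactly the failure you would otherwise only see as a missing entry in display ike sa.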