Huawei firewall: primary/backup link redundancy

Topology: cd (headquarters) egress addresses 7.7.7.4 and 8.8.8.8; bj (branch) egress address 6.6.6.254; protected traffic is 192.168.6.0/24 to 192.168.7.0/24.

Headquarters (cd):

```bash
ip-link check enable
ip-link name TO-bj
 destination 6.6.6.254 interface GigabitEthernet 0/0/1 next-hop 7.7.7.1
 quit
ip route-static 192.168.7.0 255.255.255.0 7.7.7.1 preference 10 track ip-link TO-bj
ip route-static 192.168.7.0 255.255.255.0 8.8.8.1 preference 20
ip route-static 6.6.6.254 255.255.255.255 7.7.7.1 preference 10 track ip-link TO-bj
ip route-static 6.6.6.254 255.255.255.255 8.8.8.1 preference 20
acl 3101
 rule 5 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
 quit
ipsec proposal tran-bj
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 quit
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 quit
ike peer bj
 ike-proposal 10
 pre-shared-key alsjdflajsld
 remote-address 6.6.6.254
 quit
ipsec policy ipsec-CD-BJ 10 isakmp
 security acl 3101
 proposal tran-bj
 ike-peer bj
 quit
ipsec policy ipsec-CD-BJ1 10 isakmp
 security acl 3101
 proposal tran-bj
 ike-peer bj
 quit
interface GigabitEthernet 0/0/1
 ipsec policy ipsec-CD-BJ
interface GigabitEthernet 0/0/3
 ipsec policy ipsec-CD-BJ1
```
Branch (bj):
```bash
[FW_B] interface tunnel 1
[FW_B-Tunnel1] ip address unnumbered interface GigabitEthernet 0/0/1
[FW_B-Tunnel1] tunnel-protocol ipsec
[FW_B-Tunnel1] quit
[FW_B] interface tunnel 2
[FW_B-Tunnel2] ip address unnumbered interface GigabitEthernet 0/0/1
[FW_B-Tunnel2] tunnel-protocol ipsec
[FW_B-Tunnel2] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] add interface Tunnel 1
[FW_B-zone-untrust] add interface Tunnel 2
ip-link check enable
ip-link name To-cd
 destination 7.7.7.4 interface GigabitEthernet 0/0/1 next-hop 6.6.6.253
 quit
ip route-static 192.168.6.0 24 Tunnel 1 preference 10 track ip-link To-cd
ip route-static 192.168.6.0 24 Tunnel 2 preference 20
ip route-static 7.7.7.4 32 6.6.6.253
ip route-static 8.8.8.8 32 6.6.6.253
acl 3101
 rule 5 permit ip source 192.168.7.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 quit
ipsec proposal tran-cd
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 quit
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 quit
ike peer cd1
 ike-proposal 10
 pre-shared-key asdfasfaasd
 remote-address 7.7.7.4
 quit
ike peer cd2
 ike-proposal 10
 pre-shared-key asdfasdfasdf
 remote-address 8.8.8.8
 quit
ipsec policy BJ-CD 10 isakmp
 security acl 3101
 proposal tran-cd
 ike-peer cd1
 quit
ipsec policy BJ-CD1 10 isakmp
 security acl 3101
 proposal tran-cd
 ike-peer cd2
 quit
interface Tunnel 1
 ipsec policy BJ-CD
interface Tunnel 2
 ipsec policy BJ-CD1
```

Note: the branch can use tunnel-interface mode, as above, or it can build a separate VPN connection directly to each headquarters egress. Either way the branch and headquarters establish multiple IPsec tunnels, and NQA or IP-Link probing drives the static-route switchover, so the VPN tunnel fails over automatically when the primary link goes down.
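The failover in this design depends on two things being right on both firewalls: the tracked primary route must have a backup route to the same prefix with a worse preference, and the two sides' ACL data flows must mirror each other. The following checker is an added example, not code from the page's author or from Huawei; it parses constructed excerpts of the two configs above (route and ACL lines only) and assumes VRP's default static-route preference of 60 when a route gives none.

```python
import re
# Constructed excerpts of the two configs from this page (routes and ACL only).
CD_CFG = """\
ip route-static 192.168.7.0 255.255.255.0 7.7.7.1 preference 10 track ip-link TO-bj
ip route-static 192.168.7.0 255.255.255.0 8.8.8.1 preference 20
acl 3101
 rule 5 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
"""
BJ_CFG = """\
ip route-static 192.168.6.0 24 Tunnel 1 preference 10 track ip-link To-cd
ip route-static 192.168.6.0 24 Tunnel 2 preference 20
acl 3101
 rule 5 permit ip source 192.168.7.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
"""
ROUTE = re.compile(r"^ip route-static (\S+) (\S+) (.+?)(?: preference (\d+))?(?: track ip-link (\S+))?$")
RULE = re.compile(r"^\s*rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")

def parse(cfg):
    """Return ([(prefix, next-hop, preference, track)], [(src, dst)]) from a config excerpt."""
    routes, flows = [], []
    for line in cfg.splitlines():
        m = ROUTE.match(line)
        if m:
            dst, _mask, nh, pref, track = m.groups()
            # Assumed VRP default static-route preference of 60 when none is configured
            routes.append((dst, nh, int(pref or 60), track))
        elif (m := RULE.match(line)):
            flows.append((m.group(1), m.group(2)))
    return routes, flows

def check_failover(routes):
    """A tracked primary route needs an untracked backup to the same prefix with a worse preference."""
    problems = []
    for dst, nh, pref, track in routes:
        if track is None:
            continue
        if not any(r[0] == dst and r[3] is None and r[2] > pref for r in routes):
            problems.append(f"{dst} via {nh}: tracked by {track} but no backup route")
    return problems

def check_mirror(flows_a, flows_b):
    """Each side's protected flow must be the reverse of the other's, or the SA data flows will not match."""
    return [f"{s} -> {d} has no mirror" for s, d in flows_a if (d, s) not in flows_b]

def lint(cfg_a, cfg_b):
    """Run all checks on both configs; an empty list means the pair is consistent."""
    routes_a, flows_a = parse(cfg_a)
    routes_b, flows_b = parse(cfg_b)
    return (check_failover(routes_a) + check_failover(routes_b)
            + check_mirror(flows_a, flows_b) + check_mirror(flows_b, flows_a))
```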
Checking the SA and the data flow:

```bash
dis ipsec sa policy policyname sequence-number
# e.g.
dis ipsec sa policy ipsec441953 2
diagnose ipsec data-flow tcp source-ip 10.3.3.2 destination-ip 10.3.3.1 source-port 1111 destination-port 2222
```
Article link: https://www.hqyman.cn/post/8437.html