H3C V7 firewall IPsec VPN configuration (main mode)
Requirement: build an IPsec VPN between two firewalls. Prerequisites: IP addresses, interzone (security) policies and routing are already configured; the interzone policy must also allow IKE (UDP 500) and ESP between each firewall and its peer. Both ends use IKE main mode. The goal is that 192.168.1.0/24 and 192.168.3.0/24 can reach each other.
Topology diagram:
Configuration
FW1:
# Interface configuration
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 10.0.0.2 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.255.0
# Routing
ip route-static 0.0.0.0 0 10.0.0.1
# ACL 3000 is the NAT ACL: the deny rule exempts the tunnel traffic from translation, otherwise it would be NATed before IPsec sees it and never match the interesting-traffic ACL
acl advanced 3000
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 9999 permit ip
# ACL 3001 matches the interesting traffic (the flows the tunnel protects)
acl advanced 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
# IPsec VPN configuration
# IKE proposal 1: encryption and authentication algorithms, which must be identical on both ends (3des-cbc and md5 are legacy algorithms; for production prefer aes-cbc-128 with sha and dh group14)
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
# IKE keychain FW2: peer address and pre-shared key 123456 (a placeholder; use a long random secret in production)
ike keychain FW2
pre-shared-key address 10.0.0.6 255.255.255.255 key simple 123456
# IKE profile: references the keychain and the proposal and defines the local and peer identities
ike profile FW2
keychain FW2
local-identity address 10.0.0.2
match remote identity address 10.0.0.6 255.255.255.255
proposal 1
# IPsec transform-set: ESP, tunnel mode by default; specify the authentication and encryption algorithms
ipsec transform-set FW1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
# IPsec policy FW1, sequence number 1, ISAKMP mode (SAs negotiated by IKE)
ipsec policy FW1 1 isakmp
transform-set FW1
security acl 3001
local-address 10.0.0.2
remote-address 10.0.0.6
ike-profile FW2
# Apply NAT and the IPsec policy on the outbound interface (NAT is evaluated before IPsec, which is why ACL 3000 denies the tunnel traffic)
interface GigabitEthernet1/0/0
nat outbound 3000
ipsec apply policy FW1
FW2:
# Interface configuration
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 10.0.0.6 255.255.255.252
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.4.1 255.255.255.0
# Routing
ip route-static 0.0.0.0 0 10.0.0.5
# NAT ACL: exempt the tunnel traffic from translation
acl advanced 3000
rule 0 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 9999 permit ip
# Interesting traffic, the mirror image of the peer's ACL (source and destination swapped)
acl advanced 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# IKE proposal 1: encryption and authentication algorithms, identical to the peer
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
# IKE keychain FW1: the peer's address and the same pre-shared key
ike keychain FW1
pre-shared-key address 10.0.0.2 255.255.255.255 key simple 123456
# IPsec transform-set FW2: encryption and authentication algorithms, identical to the peer
ipsec transform-set FW2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
# IKE profile FW1: local identity is this firewall, remote identity is the peer
ike profile FW1
keychain FW1
local-identity address 10.0.0.6
match remote identity address 10.0.0.2 255.255.255.255
proposal 1
# IPsec policy FW2, sequence number 1, ISAKMP mode: references the transform-set, the interesting-traffic ACL and the IKE profile
ipsec policy FW2 1 isakmp
transform-set FW2
security acl 3001
local-address 10.0.0.6
remote-address 10.0.0.2
ike-profile FW1
# Apply NAT and the IPsec policy on the outbound interface (interface addressing was configured above)
interface GigabitEthernet1/0/1
nat outbound 3000
ipsec apply policy FW2
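Every relationship the two configurations above have to satisfy is a mirror condition between the peers: identical IKE and ESP algorithms, each keychain entry and identity match pointing at the other side's address, interesting-traffic ACLs with source and destination swapped, and a NAT ACL that denies the tunnel flow before its catch-all permit. The following pre-flight checker is an added example, not part of the original post or of any H3C tool: it embeds FW1's IPsec-relevant lines as a constructed string, derives FW2 by the address and name swap that the page's FW2 configuration amounts to, and reports each mismatch. The 16-character key threshold and the LEGACY algorithm set are assumptions of this example.

```python
"""Pre-flight consistency check for a two-site H3C Comware V7 IKEv1/IPsec tunnel.

Added example, not part of the original post or of any H3C tool. FW1 is a constructed
string with the IPsec-relevant lines of the page's FW1 config (sub-commands indented as
Comware shows them); FW2 is derived from it by the address/name swap the page's FW2 config
amounts to. check_pair() verifies the mirror relationships IKE main mode and the NAT
exemption rely on, and flags the legacy algorithms and the placeholder key.
"""
import re
FW1 = """\
acl advanced 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 9999 permit ip
acl advanced 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike keychain FW2
 pre-shared-key address 10.0.0.6 255.255.255.255 key simple 123456
ike profile FW2
 keychain FW2
 local-identity address 10.0.0.2
 match remote identity address 10.0.0.6 255.255.255.255
 proposal 1
ipsec transform-set FW1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
ipsec policy FW1 1 isakmp
 transform-set FW1
 security acl 3001
 local-address 10.0.0.2
 remote-address 10.0.0.6
 ike-profile FW2
interface GigabitEthernet1/0/0
 nat outbound 3000
 ipsec apply policy FW1
"""
SWAP = {"10.0.0.2": "10.0.0.6", "10.0.0.6": "10.0.0.2", "192.168.1.0": "192.168.3.0",
        "192.168.3.0": "192.168.1.0", "FW1": "FW2", "FW2": "FW1",
        "GigabitEthernet1/0/0": "GigabitEthernet1/0/1"}
FW2 = re.sub("|".join(map(re.escape, SWAP)), lambda m: SWAP[m.group()], FW1)

HEADERS = ("acl advanced", "ike proposal", "ike keychain", "ike profile",
           "ipsec transform-set", "ipsec policy", "interface")
LEGACY = {"des-cbc", "3des-cbc", "md5"}  # assumed set; move to aes-cbc-128 with sha (IKE) / sha1 (ESP)
RULE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+ \S+) destination (\S+ \S+))?$")

def parse(config):  # {block header such as 'ike profile FW2': [its sub-command lines]}
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith("#"):        # '#' separates blocks in Comware output
            current = None
        elif line.startswith(HEADERS):
            current = blocks.setdefault(line, [])  # a re-entered block keeps its earlier lines
        elif current is not None:
            current.append(line)
    return blocks

def block(blocks, prefix):  # sub-commands of the first block whose header starts with prefix
    return next(lines for hdr, lines in blocks.items() if hdr.startswith(prefix))
def value(lines, key):  # argument string of the first sub-command that starts with key
    return next((ln[len(key) + 1:] for ln in lines if ln.startswith(key + " ")), None)
def flows(acl_lines):  # (action, 'net wildcard', 'net wildcard') per rule; None/None for a bare 'permit ip'
    return [m.groups() for m in map(RULE.match, acl_lines) if m]

def check_side(local, peer):
    """Findings for one parsed side checked against the other; [] means consistent."""
    out = []
    pol, peer_pol = block(local, "ipsec policy"), block(peer, "ipsec policy")
    prof = block(local, "ike profile " + value(pol, "ike-profile"))
    psk = value(block(local, "ike keychain " + value(prof, "keychain")), "pre-shared-key address").split()
    # Phase 1: the keychain entry and the identity match must both point at the peer's own address
    if psk[0] != value(peer_pol, "local-address"):
        out.append("pre-shared key is bound to an address the peer does not use")
    if value(prof, "match remote identity address").split()[0] != value(
            block(peer, "ike profile " + value(peer_pol, "ike-profile")), "local-identity address"):
        out.append("match remote identity does not equal the peer's local-identity")
    # Phase 1 and phase 2 algorithms must be identical on both ends
    for hdr in ("ike proposal", "ipsec transform-set"):
        if block(local, hdr) != block(peer, hdr):
            out.append(f"{hdr} differs from peer")
        out += [f"{hdr}: legacy algorithm {ln.split()[-1]}" for ln in block(local, hdr) if ln.split()[-1] in LEGACY]
    # Phase 2: the interesting-traffic ACL must be the exact mirror image of the peer's
    mine = {(s, d) for a, s, d in flows(block(local, "acl advanced " + value(pol, "security acl"))) if a == "permit"}
    theirs = {(d, s) for a, s, d in flows(block(peer, "acl advanced " + value(peer_pol, "security acl"))) if a == "permit"}
    if mine != theirs:
        out.append("interesting-traffic ACL is not the mirror image of the peer's")
    # NAT runs before IPsec on egress, so the NAT ACL must deny the tunnel flow ahead of its first permit
    for hdr, lines in local.items():
        if hdr.startswith("interface") and value(lines, "ipsec apply policy") and value(lines, "nat outbound"):
            rules = flows(block(local, "acl advanced " + value(lines, "nat outbound")))
            head = rules[:next((i for i, r in enumerate(rules) if r[0] == "permit"), len(rules))]
            if not mine <= {(s, d) for _, s, d in head}:
                out.append(f"{hdr}: NAT ACL does not exempt the tunnel traffic before its first permit rule")
    if len(psk[-1]) < 16:  # only meaningful while the key is shown in plaintext, as with 'key simple'
        out.append("pre-shared key is shorter than 16 characters")
    return out

def check_pair(cfg_a, cfg_b):  # -> (findings for A, findings for B)
    a, b = parse(cfg_a), parse(cfg_b)
    return check_side(a, b), check_side(b, a)
```

Run against the page's two configurations, `check_pair(FW1, FW2)` reports nothing structural: only the 3des-cbc/md5 entries in the IKE proposal and the transform-set, and the six-character key. Those findings disappear once both sides use `encryption-algorithm aes-cbc-128` and `authentication-algorithm sha` (plus `dh group14`) in the IKE proposal, `esp encryption-algorithm aes-cbc-128` and `esp authentication-algorithm sha1` in the transform-set, and a long random pre-shared key. Removing the deny rule from ACL 3000, or editing one side's ACL 3001, produces the NAT and mirror findings respectively. On the firewalls themselves, `display ike sa` and `display ipsec sa` confirm the phase 1 and phase 2 SAs, and `ping -a 192.168.1.1 192.168.3.1` from FW1 generates interesting traffic to trigger the negotiation.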