yangjinyu945 posted on 2025-11-28 16:48:26

Typical configuration: BGP over IPsec between a local campus / DC and Huawei Cloud

<p><img src="data/attachment/forum/202511/28/164818zrgq9z9ngg2sn940.png" alt="11111.png" title="11111.png" /></p>
<p>Huawei firewall configuration:</p>
<pre><code>
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer HWCloud
pre-shared-key Huawei@123
ike-proposal 10
remote-address 200.200.2.1
#
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec profile HWCloud
ike-peer HWCloud
proposal 10
#
interface Tunnel1
ip address 172.33.33.1 255.255.255.252
tunnel-protocol ipsec
source 100.100.1.1
destination 200.200.2.1
service-manage ping permit
ipsec profile HWCloud
#
bgp 65000
router-id 1.1.1.1
peer 172.33.33.2 as-number 65001
peer 172.33.33.2 connect-interface Tunnel1
#
ipv4-family unicast
undo synchronization
peer 172.33.33.2 enable
#
</code></pre>
<p>Huawei Cloud-side AR 1000v configuration:</p>
<pre><code>
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer HW-FW
version 2
pre-shared-key cipher Huawei@123
ike-proposal 10
remote-address 100.100.1.1
rsa encryption-padding oaep
rsa signature-padding pss
undo local-id-preference certificate enable
ikev2 authentication sign-hash sha2-256
#
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec profile HW-FW
ike-peer HW-FW
proposal 10
#
interface Tunnel0/0/0
ip address 172.33.33.2 255.255.255.252
tunnel-protocol ipsec
source 200.200.2.1
destination 100.100.1.1
ipsec profile HW-FW
#
bgp 65001
router-id 2.2.2.2
peer 172.33.33.1 as-number 65000
peer 172.33.33.1 connect-interface Tunnel0/0/0
#
ipv4-family unicast
undo synchronization
peer 172.33.33.1 enable
#
</code></pre>
<p>Verification on the firewall side:</p>
<pre><code>dis ike sa
2025-11-21 14:37:44.500

IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
-----------------------------------------------------------------------------------------------------------------------------------
16777234 200.200.2.1:500 RD|A v2:2 IP 200.200.2.1
16777229 200.200.2.1:500 RD|ST|A v2:1 IP 200.200.2.1

Number of IKE SA : 2
-----------------------------------------------------------------------------------------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

dis ipsec sa
2025-11-21 14:37:46.040

ipsec sa information:

===============================
Interface: Tunnel1
===============================

-----------------------------
IPSec profile name: &quot;HWCloud&quot;
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 16777234
Encapsulation mode: Tunnel
Holding time : 0d 3h 22m 8s
Tunnel local : 100.100.1.1:500
Tunnel remote : 200.200.2.1:500
Flow source : 0.0.0.0/0.0.0.0 0/0-65535
Flow destination : 0.0.0.0/0.0.0.0 0/0-65535


SPI: 8848734 (0x87055e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/1476
Max sent sequence-number: 32
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 31/1960


SPI: 190890265 (0xb60c119)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/1476
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 30/1830
Anti-replay : Enable
Anti-replay window size: 1024
#
dis bgp pe
2025-11-21 14:37:17.890

BGP local router ID : 1.1.1.1
Local AS number : 65000
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

172.33.33.2 4 65001 8 10 0 00:06:22 Established 0

</code></pre>
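<p>Added example (not part of the original post, and not a Huawei tool): a Python script that parses the firewall's <code>display ike sa</code>, <code>display ipsec sa</code> and <code>display bgp peer</code> output shown above and checks it against the intended design of this configuration, i.e. an IKEv2 SA in READY state with the cloud peer, both ESP SAs carrying AES-256 with SHA2-256, anti-replay enabled, and the BGP session over the tunnel in Established state. The embedded sample output is a constructed copy of the post's output trimmed to the fields used; the <code>EXPECTED</code> dictionary, the function names and the finding messages are the example's own assumptions.</p>

```python
"""Check a BGP-over-IPsec tunnel from VRP 'display' output (added example)."""
import re

# Constructed sample input: the post's 'dis ike sa', 'dis ipsec sa' and
# 'dis bgp pe' output on the firewall, trimmed to the fields the checks use.
IKE_SA_OUTPUT = """
16777234 200.200.2.1:500 RD|A v2:2 IP 200.200.2.1
16777229 200.200.2.1:500 RD|ST|A v2:1 IP 200.200.2.1
"""
IPSEC_SA_OUTPUT = """
Interface: Tunnel1
SPI: 8848734 (0x87055e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SPI: 190890265 (0xb60c119)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
Anti-replay : Enable
"""
BGP_PEER_OUTPUT = """
172.33.33.2 4 65001 8 10 0 00:06:22 Established 0
"""
# Intended design, taken from the post's configuration (assumed field names).
EXPECTED = {"remote": "200.200.2.1", "interface": "Tunnel1", "esp_encryption": "AES-256",
            "esp_auth": "SHA2-256-128", "bgp_peer": "172.33.33.2", "bgp_peer_as": 65001}

PHASE_RE = re.compile(r"^v(\d):(\d)$")
SPI_RE = re.compile(r"^SPI:\s*(\d+)")
PROPOSAL_RE = re.compile(r"^Proposal:\s*ESP-ENCRYPT-(\S+)\s+ESP-AUTH-(\S+)")
BGP_ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d\s+(\d+)(?:\s+\d+){3}\s+\S+\s+(\S+)\s+\d+$")


def parse_ike_sas(text):
    """One dict per IKE SA row; rows are found by their 'vX:Y' phase token because
    the VPN column may be empty, which shifts the other columns."""
    sas = []
    for tok in (line.split() for line in text.splitlines()):
        idx = next((i for i, t in enumerate(tok) if PHASE_RE.match(t)), None)
        if idx is None or idx < 2:
            continue
        version, phase = PHASE_RE.match(tok[idx]).groups()
        sas.append({"conn_id": int(tok[0]), "peer": tok[1].split(":")[0],
                    "flags": set(tok[idx - 1].split("|")),
                    "version": int(version), "phase": int(phase)})
    return sas


def parse_ipsec_sas(text):
    """Interface, tunnel-level anti-replay state and one dict per ESP SA."""
    info = {"interface": None, "anti_replay": False, "sas": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Interface:"):
            info["interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("Anti-replay :"):  # printed once, after the inbound SA
            info["anti_replay"] = line.endswith("Enable")
        elif SPI_RE.match(line):
            info["sas"].append({"spi": int(SPI_RE.match(line).group(1)),
                                "encryption": None, "auth": None})
        elif PROPOSAL_RE.match(line) and info["sas"]:
            info["sas"][-1]["encryption"], info["sas"][-1]["auth"] = PROPOSAL_RE.match(line).groups()
    return info


def parse_bgp_peers(text):
    """One dict per neighbour row of 'display bgp peer'."""
    rows = (BGP_ROW_RE.match(l.strip()) for l in text.splitlines())
    return [{"peer": m.group(1), "as": int(m.group(2)), "state": m.group(3)} for m in rows if m]


def check_tunnel(ike_text, ipsec_text, bgp_text, expected):
    """Compare the parsed state with the intended design; return a list of
    findings, empty when the tunnel matches 'expected'."""
    f = []
    # The IKE (phase 1) SA to the cloud peer must be READY and negotiated as IKEv2.
    ike = [s for s in parse_ike_sas(ike_text) if s["peer"] == expected["remote"] and s["phase"] == 1]
    if not ike:
        f.append("no IKE SA with " + expected["remote"])
    for s in ike:
        if "RD" not in s["flags"]:
            f.append("IKE SA %d is not READY" % s["conn_id"])
        if s["version"] != 2:
            f.append("IKE SA %d negotiated IKEv%d, expected IKEv2" % (s["conn_id"], s["version"]))
    # Both ESP SAs must sit on the tunnel interface and carry the configured proposal.
    ipsec = parse_ipsec_sas(ipsec_text)
    if ipsec["interface"] != expected["interface"]:
        f.append("IPsec SA on %s, expected %s" % (ipsec["interface"], expected["interface"]))
    for sa in ipsec["sas"]:
        if sa["encryption"] != expected["esp_encryption"]:
            f.append("SPI %d uses %s, expected %s" % (sa["spi"], sa["encryption"], expected["esp_encryption"]))
        if sa["auth"] != expected["esp_auth"]:
            f.append("SPI %d integrity %s, expected %s" % (sa["spi"], sa["auth"], expected["esp_auth"]))
    if not ipsec["anti_replay"]:
        f.append("anti-replay is disabled")
    # The BGP session over the tunnel /30 must be Established with the expected remote AS.
    peers = [p for p in parse_bgp_peers(bgp_text) if p["peer"] == expected["bgp_peer"]]
    if not peers:
        f.append("BGP neighbour %s not present" % expected["bgp_peer"])
    for p in peers:
        if p["state"] != "Established":
            f.append("BGP neighbour %s is %s" % (p["peer"], p["state"]))
        if p["as"] != expected["bgp_peer_as"]:
            f.append("BGP neighbour %s in AS %d, expected %d" % (p["peer"], p["as"], expected["bgp_peer_as"]))
    return f


if __name__ == "__main__":
    problems = check_tunnel(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, BGP_PEER_OUTPUT, EXPECTED)
    print("tunnel matches design" if not problems else "\n".join(problems))
```

<p>Run it as-is against the embedded sample, or pass it the three command outputs captured from the device. The checks cover negotiated state only: the pre-shared key (shown as a sample value in both configurations above) never appears in display output, so its strength has to be enforced when the configuration is written.</p>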