![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsec0.png)
As shown in the figure:
Beijing is connected to the Internet through an H3C MSR acting as its egress gateway (the basic MSR810 configuration is covered in the video https://www.bilibili.com/video/BV1C14y1N7zK/?spm_id_from=333.999.0.0).
Qingdao is connected to the Internet through OPNsense acting as its egress gateway.
The goal is to use an IPsec VPN so that the Beijing internal network 10.1.1.0/24 and the Qingdao internal network 10.0.0.0/24 can reach each other.
…………………………………………………………………….
I. OPNsense configuration
1. VPN -> IPsec -> Tunnel Settings [legacy]
Click the " + " on the right to add the Phase 1 entry.
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecA.png)
…………………………………………………………………….
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecB.png)
…………………………………………………………………….
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecE.png)
…………………………………………………………………….
2. Click the " + " to the right of the Phase 1 entry to add the Phase 2 entry.
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecC.png)
…………………………………………………………………….
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecD.png)
…………………………………………………………………….
3. Tick the checkbox to enable the Phase 2 entry and apply the changes.
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecR.png)
…………………………………………………………………….
4. Add a firewall rule that allows inbound traffic on the IPsec interface (click " + " to add the rule).
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecz.png)
…………………………………………………………………….
5. The new rule allows all inbound traffic on the IPsec interface by default; just save and apply it.
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecz1.png)
…………………………………………………………………….
II. H3C MSR configuration
1. Configure the Phase 1 IKE keychain
```
#
ike keychain k1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecF.png)
…………………………………………………………………….
2. Create the Phase 1 IKE proposal
```
#
ike proposal 10
 authentication-method pre-share
 authentication-algorithm md5
 encryption-algorithm 3des-cbc
 dh group2
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecG.png)
…………………………………………………………………….
3. Configure the IKE profile
```
#
ike profile ikepro
 keychain k1
 exchange-mode aggressive
 local-identity fqdn beijing
 match remote identity domain v4.rsrc.ink
 match remote identity fqdn qingdao
 match local address Dialer10
 proposal 10
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecI.png)
…………………………………………………………………….
4. Modify the NAT ACL: rule 10 denies traffic from 10.1.1.0/24 to 10.0.0.0/24 so that the IPsec traffic is exempted from address translation.
ACL 3001 is the ACL used for source NAT when Beijing internal users access the Internet.
```
#
acl number 3001 name s_nat
 rule 10 deny ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
 rule 20 permit ip
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecm.png)
…………………………………………………………………….
5. Configure the interesting traffic (the flows to be protected)
```
#
acl number 3021 name ipsec
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255 logging
#
```
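The two ACLs in steps 4 and 5 have to mirror each other: the NAT ACL must deny (exempt) exactly the flows the IPsec ACL permits, and the deny must be sequenced before the catch-all permit because the ACL is evaluated in rule order and the first match wins. The following Python simulation is an added example, not the author's code or an H3C tool. It parses the two ACLs from the post, reproduces wildcard-mask matching and first-match evaluation, and checks that every protected flow is NAT-exempt. It assumes, as the post does, that outbound NAT is applied before the IPsec policy on the egress interface.

```python
"""Simulate how the MSR evaluates the NAT ACL (3001) and the IPsec ACL (3021)."""
import ipaddress


def wildcard_match(addr, spec):
    """spec is None (match anything) or a (base, wildcard) pair such as ("10.1.1.0", "0.0.0.255").
    In a wildcard mask a 0 bit must match and a 1 bit is a don't-care (the inverse of a netmask)."""
    if spec is None:
        return True
    base, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line):
    """Parse 'rule <seq> <permit|deny> ip [source A W] [destination A W] [logging]'."""
    tok = line.split()
    rule = {"seq": int(tok[1]), "action": tok[2], "src": None, "dst": None}
    i = 3
    while i < len(tok):
        if tok[i] == "source":
            rule["src"] = (tok[i + 1], tok[i + 2])
            i += 3
        elif tok[i] == "destination":
            rule["dst"] = (tok[i + 1], tok[i + 2])
            i += 3
        else:
            i += 1  # 'ip', 'logging' and similar keywords do not affect matching here
    return rule


def evaluate(acl, src_ip, dst_ip):
    """Action of the first matching rule in sequence order, or None when nothing matches.
    For a NAT ACL, deny means 'do not translate'; for an IPsec ACL, permit means 'protect'."""
    for rule in sorted(acl, key=lambda r: r["seq"]):
        if wildcard_match(src_ip, rule["src"]) and wildcard_match(dst_ip, rule["dst"]):
            return rule["action"]
    return None


def range_ends(spec):
    """Lowest and highest address covered by a (base, wildcard) pair; None means any address."""
    if spec is None:
        return ["0.0.0.0", "255.255.255.255"]
    base, wild = spec
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return [str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)), str(ipaddress.IPv4Address(b | w))]


# Constructed copies of the post's two ACLs (acl 3001 s_nat and acl 3021 ipsec).
S_NAT = [
    parse_rule("rule 10 deny ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255"),
    parse_rule("rule 20 permit ip"),
]
IPSEC = [
    parse_rule("rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255 logging"),
]


def classify(src_ip, dst_ip, nat_acl=S_NAT, ipsec_acl=IPSEC):
    """What the MSR does with a packet leaving Dialer10: translate it, protect it, or neither."""
    return {
        "nat": evaluate(nat_acl, src_ip, dst_ip) == "permit",
        "ipsec": evaluate(ipsec_acl, src_ip, dst_ip) == "permit",
    }


def nat_exemption_consistent(nat_acl, ipsec_acl):
    """True if every flow the IPsec ACL protects hits a deny in the NAT ACL.
    Assumption: outbound NAT runs before the IPsec policy, so a translated source address
    would no longer match the interesting-traffic ACL and the packet would not enter the tunnel.
    Only the two ends of each wildcard range are probed, which is enough for contiguous /24s."""
    for rule in ipsec_acl:
        if rule["action"] != "permit":
            continue
        for src in range_ends(rule["src"]):
            for dst in range_ends(rule["dst"]):
                if evaluate(nat_acl, src, dst) != "deny":
                    return False
    return True


if __name__ == "__main__":
    print(classify("10.1.1.20", "10.0.0.5"))   # LAN-to-LAN: no NAT, protected by IPsec
    print(classify("10.1.1.20", "8.8.8.8"))    # Internet-bound: NAT, not protected
    print(nat_exemption_consistent(S_NAT, IPSEC))
```

Swapping the sequence numbers so that `permit ip` comes first, or leaving rule 10 out of acl 3001 entirely, makes `nat_exemption_consistent` return False: that is the classic misconfiguration in which the IKE SA comes up but no IPsec SA is ever negotiated for LAN-to-LAN traffic.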
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecn.png)
…………………………………………………………………….
6. Configure the transform set
```
#
ipsec transform-set its
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 pfs dh-group2
#
```
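The keychain, IKE proposal, IKE profile and transform set in steps 1, 2, 3 and 6 are the author's working configuration. A practitioner reviewing it would want to know where it leans on legacy settings: the IKE proposal uses md5, 3des-cbc and DH group 2, the pre-shared key is bound to any peer address (0.0.0.0 0.0.0.0) and is six characters long, the profile uses IKEv1 aggressive mode, and PFS uses dh-group2. The following Python audit is an added example, not the author's code or an H3C tool; it parses Comware-style config blocks and flags those settings against current guidance (RFC 8247 lists 3DES and DH groups 2 and 5 as SHOULD NOT and group 1 as MUST NOT). The keyword lists and the 16-character PSK threshold are assumptions, and the hardened values in the second sample (sha256, aes-cbc-256, group14) should be checked against the keywords your Comware release supports.

```python
"""Audit H3C MSR IKE/IPsec configuration blocks for weak algorithms and loose peer settings."""
import re

# Classification is an assumption based on RFC 8247 and common hardening guidance;
# the keyword spellings are the ones used in the Comware CLI on this page.
WEAK_AUTH = {"md5"}
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_DH = {"group1", "group2", "group5", "dh-group1", "dh-group2", "dh-group5"}
MIN_PSK_LEN = 16  # assumed minimum length for a pre-shared key

# Constructed sample: the post's own values, reduced to the lines that matter for the audit.
SAMPLE_CONFIG = """\
ike keychain k1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
ike proposal 10
 authentication-method pre-share
 authentication-algorithm md5
 encryption-algorithm 3des-cbc
 dh group2
#
ike profile ikepro
 keychain k1
 exchange-mode aggressive
 proposal 10
#
ipsec transform-set its
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 pfs dh-group2
#
"""

# Constructed hardened counterpart (illustrative keywords; verify on your release).
HARDENED_CONFIG = """\
ike keychain k1
 pre-shared-key address 203.0.113.10 255.255.255.255 key simple Example-PSK-with-32-characters!!
#
ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha256
 encryption-algorithm aes-cbc-256
 dh group14
#
ike profile ikepro
 keychain k1
 exchange-mode main
 proposal 10
#
ipsec transform-set its
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
#
"""


def parse_blocks(text):
    """Split a Comware config into (header, [sub-commands]) blocks; a bare '#' ends a block."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if header:
                blocks.append((header, body))
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header:
        blocks.append((header, body))
    return blocks


def audit(text):
    """Return a list of (block header, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_blocks(text):
        for cmd in body:
            tok = cmd.split()
            second = tok[1] if len(tok) > 1 else ""
            if header.startswith("ike keychain"):
                if tok[:2] == ["pre-shared-key", "address"] and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
                    findings.append((header, "PSK bound to any peer address; bind it to the remote peer"))
                m = re.search(r"\bkey simple (\S+)", cmd)
                if m and len(m.group(1)) < MIN_PSK_LEN:
                    findings.append((header, f"PSK shorter than {MIN_PSK_LEN} characters"))
            elif header.startswith("ike proposal"):
                if tok[0] == "authentication-algorithm" and second in WEAK_AUTH:
                    findings.append((header, f"weak IKE integrity algorithm {second}"))
                if tok[0] == "encryption-algorithm" and second in WEAK_ENC:
                    findings.append((header, f"weak IKE encryption algorithm {second}"))
                if tok[0] == "dh" and second in WEAK_DH:
                    findings.append((header, f"weak IKE DH {second} (1536-bit MODP or smaller)"))
            elif header.startswith("ike profile"):
                if tok[:2] == ["exchange-mode", "aggressive"]:
                    findings.append((header, "IKEv1 aggressive mode; prefer main mode or IKEv2"))
            elif header.startswith("ipsec transform-set"):
                if tok[:2] == ["esp", "encryption-algorithm"] and len(tok) > 2 and tok[2] in WEAK_ENC:
                    findings.append((header, f"weak ESP encryption algorithm {tok[2]}"))
                if tok[0] == "pfs" and second in WEAK_DH:
                    findings.append((header, f"weak PFS group {second}"))
    return findings


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

Both peers must agree, so the stronger values only help once the OPNsense Phase 1 and Phase 2 entries are changed to match; otherwise the IKE negotiation fails with a "no proposal chosen" style error on either side.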
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripseco.png)
…………………………………………………………………….
7. Create the IPsec policy
```
#
ipsec policy ip 10 isakmp
 transform-set its
 security acl 3021
 remote-address v4.rsrc.ink
 ike-profile ikepro
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecP.png)
…………………………………………………………………….
8. Apply the IPsec policy on the egress interface
```
#
interface Dialer10
 ipsec apply policy ip
#
```
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecQ.png)
…………………………………………………………………….
III. Verification
1. OPNsense: view the IPsec status
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecs.png)
…………………………………………………………………….
2. OPNsense: view the Security Association Database (SAD)
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsect.png)
…………………………………………………………………….
3. OPNsense: view the Security Policy Database (SPD)
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecu-2560x1293.png)
…………………………………………………………………….
4. H3C MSR: view the IKE SA
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecv.png)
…………………………………………………………………….
5. H3C MSR: view the IPsec SA
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecw.png)
…………………………………………………………………….
6. H3C MSR: view the IPsec tunnel status
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecX.png)
…………………………………………………………………….
7. Qingdao PC client: ping and tracert to the Beijing client
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecy.png)
…………………………………………………………………….
8. Beijing MSR: ping and tracert to the Qingdao client
![](https://rsrc.ink/wp-content/uploads/2023/09/opensenseh3cmsripsecz2.png)
…………………………………………………………………….