点到点IPSec VPN配置(点到点法式方程的距离)

网友投稿 442 2022-09-21


点到点IPSec VPN配置(点到点法式方程的距离)

配置相关接口IP地址及区域

[FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24

[FW1-GigabitEthernet1/0/0]service-manage ping permit

[FW1-GigabitEthernet1/0/6]ip add 20.1.1.1 24

[FW1-GigabitEthernet1/0/6]service-manage ping permit

[FW1]firewall zone trust

[FW1-zone-trust]add interface GigabitEthernet 1/0/0

[FW1]firewall zone untrust

[FW1-zone-untrust]add interface GigabitEthernet 1/0/6

[FW2-GigabitEthernet1/0/0]ip add 10.1.2.1 24

[FW2-GigabitEthernet1/0/0]service-manage ping permit

[FW2-GigabitEthernet1/0/6]ip add 20.1.1.2 24

[FW2-GigabitEthernet1/0/6]service-manage ping permit

[FW2]firewall zone trust

[FW2-zone-trust]add interface GigabitEthernet 1/0/0

[FW2]firewall zone untrust

[FW2-zone-untrust]add interface GigabitEthernet 1/0/6

在防火墙上配置到对端的路由

[FW1]ip route-static 10.1.2.0 24 20.1.1.2

[FW2]ip route-static 10.1.1.0 24 20.1.1.1

配置安全策略(配置ipsec1和ipsec2,允许网络AB间互访;配置ipsec3和ipsec4,允许IKE协商后的报文及加密后的报文通过)

[FW1]security-policy

[FW1-policy-security]rule name ipsec1

[FW1-policy-security-rule-ipsec1]source-zone trust

[FW1-policy-security-rule-ipsec1]destination-zone untrust

[FW1-policy-security-rule-ipsec1]source-address 10.1.1.0 mask 255.255.255.0

[FW1-policy-security-rule-ipsec1]destination-address 10.1.2.0 mask 255.255.255.0

[FW1-policy-security-rule-ipsec1]action permit

[FW1-policy-security]rule name ipsec2

[FW1-policy-security-rule-ipsec2]source-zone untrust

[FW1-policy-security-rule-ipsec2]destination-zone trust

[FW1-policy-security-rule-ipsec2]source-address 10.1.2.0 mask 255.255.255.0

[FW1-policy-security-rule-ipsec2]destination-address 10.1.1.0 mask 255.255.255.0

[FW1-policy-security-rule-ipsec2]action permit

[FW1-policy-security]rule name ipsec3

[FW1-policy-security-rule-ipsec3]source-zone local

[FW1-policy-security-rule-ipsec3]destination-zone untrust

[FW1-policy-security-rule-ipsec3]source-address 20.1.1.1 mask 255.255.255.255

[FW1-policy-security-rule-ipsec3]destination-address 20.1.1.2 mask 255.255.255.255

[FW1-policy-security-rule-ipsec3]action permit

[FW1-policy-security]rule name ipsec4

[FW1-policy-security-rule-ipsec4]source-zone untrust

[FW1-policy-security-rule-ipsec4]destination-zone local

[FW1-policy-security-rule-ipsec4]source-address 20.1.1.2 mask 255.255.255.255

[FW1-policy-security-rule-ipsec4]destination-address 20.1.1.1 mask 255.255.255.255

[FW1-policy-security-rule-ipsec4]action permit

[FW2]security-policy

[FW2-policy-security]rule name ipsec1

[FW2-policy-security-rule-ipsec1]source-zone trust

[FW2-policy-security-rule-ipsec1]destination-zone untrust

[FW2-policy-security-rule-ipsec1]source-address 10.1.2.0 mask 255.255.255.0

[FW2-policy-security-rule-ipsec1]destination-address 10.1.1.0 mask 255.255.255.0

[FW2-policy-security-rule-ipsec1]action permit

[FW2-policy-security]rule name ipsec2

[FW2-policy-security-rule-ipsec2]source-zone untrust

[FW2-policy-security-rule-ipsec2]destination-zone trust

[FW2-policy-security-rule-ipsec2]source-address 10.1.1.0 mask 255.255.255.0

[FW2-policy-security-rule-ipsec2]destination-address 10.1.2.0 mask 255.255.255.0

[FW2-policy-security-rule-ipsec2]action permit

[FW2-policy-security]rule name ipsec3

[FW2-policy-security-rule-ipsec3]source-zone local

[FW2-policy-security-rule-ipsec3]destination-zone untrust

[FW2-policy-security-rule-ipsec3]source-address 20.1.1.2 mask 255.255.255.255

[FW2-policy-security-rule-ipsec3]destination-address 20.1.1.1 mask 255.255.255.255

[FW2-policy-security-rule-ipsec3]action permit

[FW2-policy-security]rule name ipsec4

[FW2-policy-security-rule-ipsec4]source-zone untrust

[FW2-policy-security-rule-ipsec4]destination-zone local

[FW2-policy-security-rule-ipsec4]source-address 20.1.1.1 mask 255.255.255.255

[FW2-policy-security-rule-ipsec4]destination-address 20.1.1.2 mask 255.255.255.255

[FW2-policy-security-rule-ipsec4]action permit

PC1和PC2已经连通

FW1和FW2已经连通

配置IPSec策略

[FW1]acl 3000

[FW1-acl-adv-3000]rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255  //抓取流量

[FW1]ipsec proposal propAB //配置防火墙ipsec安全提议

[FW1-ipsec-proposal-propAB]encapsulation-mode  auto  //使用自动模式

[FW1]ike proposal 1  //配置IKE安全提议

[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96  //ike安全提议类型为aes

[FW1]ike peer ikeAB   //配置IKE对等体

[FW1-ike-peer-ikeAB]exchange-mode auto  //ike对等体信息交换模式为自动模式

[FW1-ike-peer-ikeAB]pre-shared-key ABCabc@123

[FW1-ike-peer-ikeAB]ike-proposal 1

[FW1-ike-peer-ikeAB]remote-id-type ip

[FW1-ike-peer-ikeAB]remote-id 20.1.1.2

[FW1-ike-peer-ikeAB]local-id 20.1.1.1

[FW1-ike-peer-ikeAB]remote-address 20.1.1.2  //ike对端IP地址

[FW1]ipsec policy ipsecAB 1 isakmp  //配置防火墙ipsec安全策略

[FW1-ipsec-policy-isakmp-ipsecAB-1]security  acl 3000

[FW1-ipsec-policy-isakmp-ipsecAB-1]ike-peer ikeAB

[FW1-ipsec-policy-isakmp-ipsecAB-1]proposal propAB

[FW1-ipsec-policy-isakmp-ipsecAB-1]tunnel local applied-interface

[FW2]acl 3000

[FW2-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[FW2]ipsec proposal propBA

[FW2-ipsec-proposal-propBA]encapsulation-mode auto

[FW2]ike proposal 1

[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96

[FW2]ike peer ikeBA

[FW2-ike-peer-ikeBA]exchange-mode auto

[FW2-ike-peer-ikeBA]pre-shared-key ABCabc@123

[FW2-ike-peer-ikeBA]ike-proposal 1

[FW2-ike-peer-ikeBA]remote-id-type ip

[FW2-ike-peer-ikeBA]remote-id 20.1.1.1

[FW2-ike-peer-ikeBA]local-id 20.1.1.2

[FW2-ike-peer-ikeBA]remote-address 20.1.1.1

[FW2]ipsec policy ipsecBA 1 isakmp

[FW2-ipsec-policy-isakmp-ipsecBA-1]security acl 3000

[FW2-ipsec-policy-isakmp-ipsecBA-1]ike-peer ikeBA

[FW2-ipsec-policy-isakmp-ipsecBA-1]proposal propBA

[FW2-ipsec-policy-isakmp-ipsecBA-1]tunnel local applied-interface

应用IPSec策略

[FW1-GigabitEthernet1/0/6]ipsec policy ipsecAB

[FW2-GigabitEthernet1/0/6]ipsec policy ipsecBA

验证

PC1 ping PC2时在FW1的G1/0/6口抓包


版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

上一篇:@feignclient名字冲突的解决方案
下一篇:5、小型企业无线网部署(案例1)从客户需求来分析、规划、部署(网络规划设计方案PPT)
相关文章

 发表评论

暂时没有评论,来抢沙发吧~