Configuring Multiple Sites with the IPsec Policy-Template Approach

Reader contribution  285  2022-09-23


Step 1: Basic configuration

FW1 firewall configuration

    #
     sysname FW1
    #
    interface GigabitEthernet0/0/0
     ip address 202.1.1.1 255.255.255.0
     service-manage ping permit
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.254 255.255.255.0
     service-manage ping permit
    #
    ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/0
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/0
    #
    security-policy
     default action permit
    #

FW2 configuration

    #
     sysname FW2
    #
    interface GigabitEthernet0/0/0
     ip address 101.1.1.1 255.255.255.0
     service-manage ping permit
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.2.254 255.255.255.0
     service-manage ping permit
    #
    ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/0
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/0
    #
    security-policy
     default action permit
    #

FW3 configuration

    #
     sysname FW3
    #
    interface GigabitEthernet0/0/0
     ip address 60.1.1.1 255.255.255.0
     service-manage ping permit
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.3.254 255.255.255.0
     service-manage ping permit
    #
    ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/0
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/0
    #
    security-policy
     default action permit
    #

Internet device configuration

    #
    interface GigabitEthernet0/0/0
     ip address 202.1.1.254 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 101.1.1.254 255.255.255.0
    #

Verification: check connectivity between FW1 and PC1

    ping 192.168.1.1
      PING 192.168.1.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
        Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
        Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
        Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
        Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms

      --- 192.168.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 40/50/60 ms

Check connectivity between FW2 and PC2

    [FW2]ping 192.168.2.2
      PING 192.168.2.2: 56  data bytes, press CTRL_C to break
        Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
        Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
        Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
        Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
        Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms

      --- 192.168.2.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 32/46/53 ms

Check connectivity between FW3 and PC3

    [FW3]ping 192.168.3.3
      PING 192.168.3.3: 56  data bytes, press CTRL_C to break
        Request time out
        Reply from 192.168.3.3: bytes=56 Sequence=2 ttl=128 time=47 ms
        Reply from 192.168.3.3: bytes=56 Sequence=3 ttl=128 time=42 ms
        Reply from 192.168.3.3: bytes=56 Sequence=4 ttl=128 time=36 ms
        Reply from 192.168.3.3: bytes=56 Sequence=5 ttl=128 time=27 ms

      --- 192.168.3.3 ping statistics ---
        5 packet(s) transmitted
        4 packet(s) received
        20.00% packet loss
        round-trip min/avg/max = 27/38/47 ms

Check connectivity between FW1 and FW2

    ping 101.1.1.1
      PING 101.1.1.1: 56  data bytes, press CTRL_C to break
        Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
        Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
        Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
        Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
        Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms

      --- 101.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 20/28/40 ms

Check connectivity between FW1 and FW3

    [FW1]ping 60.1.1.1
      PING 60.1.1.1: 56  data bytes, press CTRL_C to break
        Reply from 60.1.1.1: bytes=56 Sequence=1 ttl=254 time=15 ms
        Reply from 60.1.1.1: bytes=56 Sequence=2 ttl=254 time=11 ms
        Reply from 60.1.1.1: bytes=56 Sequence=3 ttl=254 time=8 ms
        Reply from 60.1.1.1: bytes=56 Sequence=4 ttl=254 time=9 ms
        Reply from 60.1.1.1: bytes=56 Sequence=5 ttl=254 time=8 ms

      --- 60.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 8/10/15 ms

Check connectivity between PC1 and PC2 (expected to fail before the tunnel exists)

    PC>ping 192.168.2.2
    Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!

    --- 192.168.2.2 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

Check connectivity between PC1 and PC3

    PC>ping 192.168.3.3
    Ping 192.168.3.3: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!

    --- 192.168.3.3 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

Step 2: IPsec phase 1 configuration

IKE proposal

Configure the following on FW1, FW2 and FW3:

    ike proposal 10                          ----- Note: the proposal has default settings, which can be modified
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256       ----- not used by IKEv1; used only by IKEv2
     prf hmac-sha2-256
    #

Verification:

    [FW1]display ike proposal
    2020-03-14 14:25:22.420
    Number of IKE Proposals: 2
    -------------------------------------------
    IKE Proposal: 10
      Authentication Method    : PRE_SHARED
      Authentication Algorithm : SHA2-256
      Encryption Algorithm     : AES-256
      Diffie-Hellman Group     : MODP-2048
      SA Duration(Seconds)     : 86400
      Integrity Algorithm      : HMAC-SHA2-256
      Prf Algorithm            : HMAC-SHA2-256
    -------------------------------------------

Configure the IKE peer

FW1 configuration. Note: with the template approach the hub does not need a remote-address; a subnet may be configured, or the command may be omitted entirely.

    ike peer yuanduan                 ----- name of the peer
     pre-shared-key Huawei@123        ----- configure the key if pre-shared-key authentication is used
     ike-proposal 10                  ----- reference the IKE proposal
     undo version 2                   ----- disable IKEv2 (v2 is enabled by default)

FW2 and FW3 configuration

    ike peer fw1
     pre-shared-key Huawei@123
     ike-proposal 10
     undo version 2
     remote-address 202.1.1.1

Verification:

    [FW1]display ike peer brief
    2020-03-14 14:31:19.910
    Current ike peer number: 1
    ---------------------------------------------------------------------------
    Peer name       Version  Exchange-mode  Proposal  Id-type  RemoteAddr
    ---------------------------------------------------------------------------
    yuanduan        v1       main           10        IP

Step 3: IPsec phase 2 configuration

Configure the interesting traffic (the actual endpoints that need to communicate)

FW1:

    acl number 3000
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
     rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

FW2:

    acl number 3000
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

FW3:

    acl number 3000
     rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Note: with IKEv1 the interesting-traffic ACLs at the two ends must be exact mirror images of each other. If one side's range merely contains the other's, or the two ranges differ in any way, phase 2 negotiation fails.
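The mirror-image rule above is easy to break when a new spoke is added to the hub's ACL. As an added example that is not part of the original article, the following Python script parses `acl number 3000` sections (constructed here from the article's FW1 and FW2 configs, plus a deliberately wrong FW3 variant that uses a /16 supernet) and reports spoke rules with no exact mirror on the hub, as well as hub rules that no spoke mirrors.

```python
import re
from typing import List, Tuple

# One ACL rule as (source, source-wildcard, destination, destination-wildcard).
Rule = Tuple[str, str, str, str]

# Constructed sample input: the "acl number 3000" sections from the article's FW1
# (hub) and FW2, plus a deliberately wrong FW3 variant whose destination is a /16
# supernet that merely contains the hub LAN 192.168.1.0/24.
FW1_ACL = """acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255"""
FW2_ACL = """acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"""
FW3_BAD_ACL = """acl number 3000
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.255.255"""

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def parse_rules(acl_config: str) -> List[Rule]:
    """Extract (src, src_wc, dst, dst_wc) tuples from an ACL configuration text."""
    return [m.groups() for m in RULE_RE.finditer(acl_config)]

def mirror(rule: Rule) -> Rule:
    """Swap source and destination: the rule the far end must carry."""
    src, src_wc, dst, dst_wc = rule
    return (dst, dst_wc, src, src_wc)

def unmirrored_spoke_rules(hub_acl: str, spoke_acl: str) -> List[Rule]:
    """Spoke rules with no exact mirror on the hub; any hit means phase 2 fails."""
    hub_rules = set(parse_rules(hub_acl))
    return [r for r in parse_rules(spoke_acl) if mirror(r) not in hub_rules]

def hub_rules_without_spoke(hub_acl: str, spoke_acls: List[str]) -> List[Rule]:
    """Hub rules that no spoke mirrors: a site whose tunnel can never come up."""
    spoke_mirrors = {mirror(r) for acl in spoke_acls for r in parse_rules(acl)}
    return [r for r in parse_rules(hub_acl) if r not in spoke_mirrors]

if __name__ == "__main__":
    for name, acl in (("FW2", FW2_ACL), ("FW3 (bad)", FW3_BAD_ACL)):
        bad = unmirrored_spoke_rules(FW1_ACL, acl)
        print(f"{name}: {'mirrors OK' if not bad else 'MISMATCH ' + str(bad)}")
    print("hub rules nobody mirrors:", hub_rules_without_spoke(FW1_ACL, [FW2_ACL, FW3_BAD_ACL]))
```

Matching is on the exact address and wildcard strings, which is precisely what IKEv1 requires here; a superset on one side is reported as a mismatch, not as a match.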

IPsec proposal

Configure on FW1, FW2 and FW3:

    ipsec proposal 10
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256

Verification:

    [FW1]display ipsec proposal
    2020-03-14 14:33:58.850
    Number of proposals: 1

    IPSec proposal name: 10
      Encapsulation mode: Tunnel
      Transform         : esp-new
      ESP protocol      : Authentication SHA2-HMAC-256
                          Encryption     AES-256
    [FW1]

Configure the IPsec policy

FW1

    #
    ipsec policy-template 10 10       ----- the first 10 is the template name, the second 10 is the sequence number
     security acl 3000                ----- reference the interesting-traffic ACL
     ike-peer yuanduan                ----- reference the IKE peer configured above
     proposal 10                      ----- reference the IPsec proposal
    #
    ipsec policy ipsec_policy 10 isakmp template 10

FW2 and FW3 configuration

    ipsec policy ipsec_policy 10 isakmp    ----- isakmp means the SA is negotiated automatically by IKE
     security acl 3000                     ----- reference the interesting-traffic ACL
     ike-peer fw1                          ----- reference the IKE peer
     alias ipsec_policy_10
     proposal 10                           ----- reference the IPsec proposal

Apply the policy to the physical interface

Configure on FW1, FW2 and FW3:

    interface GigabitEthernet0/0/0
     ipsec policy ipsec_policy

Security policies permitting the traffic

FW1 configuration

    #
    security-policy
     rule name ipsec1
      source-zone local
      destination-zone untrust
      source-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec2
      source-zone untrust
      destination-zone local
      destination-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec3
      source-zone trust
      destination-zone untrust
      source-address 192.168.1.0 mask 255.255.255.0
      destination-address 192.168.2.0 mask 255.255.255.0
      destination-address 192.168.3.0 mask 255.255.255.0
      action permit
     rule name ipsec4
      source-zone untrust
      destination-zone trust
      source-address 192.168.3.0 mask 255.255.255.0
      source-address 192.168.2.0 mask 255.255.255.0
      destination-address 192.168.1.0 mask 255.255.255.0
      action permit
    #

FW2 configuration

    #
    security-policy
     rule name ipsec1
      source-zone local
      destination-zone untrust
      destination-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec2
      source-zone untrust
      destination-zone local
      source-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec3
      source-zone trust
      destination-zone untrust
      source-address 192.168.2.0 mask 255.255.255.0
      destination-address 192.168.1.0 mask 255.255.255.0
      action permit
     rule name ipsec4
      source-zone untrust
      destination-zone trust
      source-address 192.168.1.0 mask 255.255.255.0
      destination-address 192.168.2.0 mask 255.255.255.0
      action permit
    #

FW3 configuration

    #
    security-policy
     rule name ipsec1
      source-zone local
      destination-zone untrust
      destination-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec2
      source-zone untrust
      destination-zone local
      source-address 202.1.1.0 mask 255.255.255.0
      action permit
     rule name ipsec3
      source-zone trust
      destination-zone untrust
      source-address 192.168.3.0 mask 255.255.255.0
      destination-address 192.168.1.0 mask 255.255.255.0
      action permit
     rule name ipsec4
      source-zone untrust
      destination-zone trust
      source-address 192.168.1.0 mask 255.255.255.0
      destination-address 192.168.3.0 mask 255.255.255.0
      action permit
    #

Test: ping PC1 from PC2

    PC>ping 192.168.1.1
    Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.1: bytes=32 seq=1 ttl=126 time=94 ms
    From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
    From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
    From 192.168.1.1: bytes=32 seq=4 ttl=126 time=78 ms
    From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

    --- 192.168.1.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/81/94 ms
    PC>

Ping PC1 from PC3

    PC>ping 192.168.1.1
    Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.1: bytes=32 seq=1 ttl=126 time=62 ms
    From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
    From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
    From 192.168.1.1: bytes=32 seq=4 ttl=126 time=63 ms
    From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

    --- 192.168.1.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/71/94 ms

View the IKE SAs on FW1 (each peer should show both a phase 1 and a phase 2 SA in state RD)

    [FW1]display ike sa
    2020-03-15 05:22:58.390
    IKE SA information :
      Conn-ID    Peer              VPN    Flag(s)    Phase    RemoteType    RemoteID
      ------------------------------------------------------------------------------------------
      2          101.1.1.1:500            RD|A       v1:2     IP            101.1.1.1
      1          101.1.1.1:500            RD|A       v1:1     IP            101.1.1.1
      4          60.1.1.1:500             RD|A       v1:2     IP            60.1.1.1
      3          60.1.1.1:500             RD|A       v1:1     IP            60.1.1.1

      Number of IKE SA : 4
      ------------------------------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING

View the IPsec SAs on FW1 (note Mode: Template and one SA pair per spoke)

    [FW1]display ipsec sa
    2020-03-15 05:23:01.660
    ipsec sa information:
    ===============================
    Interface: GigabitEthernet0/0/0
    ===============================

      -----------------------------
      IPSec policy name: "ipsec_policy"
      Sequence number  : 10
      Acl group        : 3000
      Acl rule         : 5
      Mode             : Template
      -----------------------------
        Connection ID     : 2
        Encapsulation mode: Tunnel
        Holding time      : 0d 0h 35m 23s
        Tunnel local      : 202.1.1.1:500
        Tunnel remote     : 101.1.1.1:500
        Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
        Flow destination  : 192.168.2.0/255.255.255.0 0/0-65535

        [Outbound ESP SAs]
          SPI: 187921672 (0xb337508)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485760/1476
          Max sent sequence-number: 17
          UDP encapsulation used for NAT traversal: N
          SA encrypted packets (number/bytes): 16/960

        [Inbound ESP SAs]
          SPI: 197430515 (0xbc48cf3)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485759/1476
          Max received sequence-number: 1
          UDP encapsulation used for NAT traversal: N
          SA decrypted packets (number/bytes): 19/1140
          Anti-replay : Enable
          Anti-replay window size: 1024

      -----------------------------
      IPSec policy name: "ipsec_policy"
      Sequence number  : 10
      Acl group        : 3000
      Acl rule         : 10
      Mode             : Template
      -----------------------------
        Connection ID     : 4
        Encapsulation mode: Tunnel
        Holding time      : 0d 0h 35m 10s
        Tunnel local      : 202.1.1.1:500
        Tunnel remote     : 60.1.1.1:500
        Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
        Flow destination  : 192.168.3.0/255.255.255.0 0/0-65535

        [Outbound ESP SAs]
          SPI: 197283812 (0xbc24fe4)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485760/1489
          Max sent sequence-number: 14
          UDP encapsulation used for NAT traversal: N
          SA encrypted packets (number/bytes): 13/780

        [Inbound ESP SAs]
          SPI: 187509375 (0xb2d2a7f)
          Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 10485760/1489
          Max received sequence-number: 1
          UDP encapsulation used for NAT traversal: N
          SA decrypted packets (number/bytes): 14/840
          Anti-replay : Enable
          Anti-replay window size: 1024

View IPsec encryption and decryption statistics on FW1

    [FW1]display ipsec statistics
    2020-03-15 05:23:12.690
    IPSec statistics information:
      Number of IPSec tunnels: 2
      Number of standby IPSec tunnels: 0
      the security packet statistics:
        input/output security packets: 33/29
        input/output security bytes: 1980/1740
        input/output dropped security packets: 0/0
      the encrypt packet statistics:
        send chip: 29, recv chip: 29, send err: 0
        local cpu: 29, other cpu: 0, recv other cpu: 0
        intact packet: 29, first slice: 0, after slice: 0
      the decrypt packet statistics:
        send chip: 33, recv chip: 33, send err: 0
        local cpu: 33, other cpu: 0, recv other cpu: 0
        reass first slice: 0, after slice: 0
      dropped security packet detail:
        can not find SA: 0, wrong SA: 0
        authentication: 0, replay: 0
        front recheck: 0, after recheck: 0
        change cpu enc: 0, dec change cpu: 0
        fib search: 0, output l3: 0
        flow err: 0, slice err: 0, byte limit: 0
        slave drop: 0
      negotiate about packet statistics:
        IKE fwd packet ok: 10, err: 0
        IKE ctrl packet inbound ok: 10, outbound ok: 8
        SoftExpr: 0, HardExpr: 0, DPDOper: 0
        trigger ok: 0, switch sa: 2, sync sa: 0
        recv IKE nat keepalive: 0, IKE input: 0
    [FW1]

