IPSec VPN Lab Exercise

Scenario: Area A and Area B are interconnected through firewalls. Each firewall is deployed standalone, and a switch in the middle simulates the Internet. The two firewalls establish an IPSec VPN tunnel so that the private networks on both sides can reach each other, with the traffic encrypted, forming a load-bearing scenario. OSPF runs between each firewall and its internal switch.

Firewall configuration:

sysname FW-1
#Configure DPD here so that an IPSec VPN failure is detected and the IPSec SA and IKE SA are deleted
ike dpd type periodic
ike dpd idle-time 10
ike dpd retransmit-interval 2
ike dpd msg seq-notify-hash
#Define the traffic of interest
acl number 3000 
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#Create the IPSec proposal
ipsec proposal A
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#Create the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#Create the IKE peer
ike peer A
 pre-shared-key %^%#<Yz_-9h[45BY|K2f]LdRYB}-#L4"I-'|me#AROx&%^%#
 ike-proposal 1
 remote-address 100.1.2.1
#Create the IPSec policy
ipsec policy A 1 isakmp
 security acl 3000
 ike-peer A
 proposal A
 sa trigger-mode auto //Set the IPSec tunnel trigger mode to automatic
 route inject dynamic //Automatically inject UNR routes based on the traffic of interest
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.0.0.2 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.0.11.1 255.255.255.252
 ospf network-type p2p
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.0.12.1 255.255.255.252
 ospf network-type p2p
 service-manage ping permit
#
interface Tunnel0
 ip address 100.1.1.1 255.255.255.255
 tunnel-protocol ipsec
 ipsec policy A
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Tunnel0
#
firewall zone dmz
 set priority 50
#
ospf 1
 default-route-advertise
 import-route unr
 area 0.0.0.0
  network 10.0.11.0 0.0.0.3
  network 10.0.12.0 0.0.0.3
  network 100.1.1.1 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 100.0.0.1
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  action permit
 rule name Untrust&Local_IPSec_Permit
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 100.0.0.0 mask 255.255.255.252
  source-address 100.0.0.4 mask 255.255.255.252
  source-address 100.1.1.0 mask 255.255.255.0
  source-address 100.1.2.0 mask 255.255.255.0
  source-address 200.0.0.0 mask 255.255.255.252
  source-address 200.0.0.4 mask 255.255.255.252
  source-address 200.1.1.0 mask 255.255.255.0
  source-address 200.1.2.0 mask 255.255.255.0
  destination-address 100.0.0.0 mask 255.255.255.252
  destination-address 100.0.0.4 mask 255.255.255.252
  destination-address 100.1.1.0 mask 255.255.255.0
  destination-address 100.1.2.0 mask 255.255.255.0
  destination-address 200.0.0.0 mask 255.255.255.252
  destination-address 200.0.0.4 mask 255.255.255.252
  destination-address 200.1.1.0 mask 255.255.255.0
  destination-address 200.1.2.0 mask 255.255.255.0
  action permit
 rule name Untrust_Trust_Permit
  source-zone untrust
  destination-zone trust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
#
return
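A small configuration audit of the kind a reviewer would run over the FW-1 config above, written as an added Python example (not part of the original post and not Huawei tooling). It parses the VRP-style blocks and checks three things this setup depends on: DPD is enabled, no weak algorithm or DH group appears in the IKE/IPSec proposals, and every IPSec policy references an ACL that actually exists. FW1_CONFIG is a constructed excerpt of the configuration above, and the WEAK set is an assumption about which settings to flag.

```python
# Constructed excerpt of the FW-1 configuration above (added example, not a live-device export).
FW1_CONFIG = """\
ike dpd type periodic
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec proposal A
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
ipsec policy A 1 isakmp
 security acl 3000
 ike-peer A
 proposal A
 route inject dynamic
"""
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # assumed too weak for IKE/IPsec

def parse_blocks(text):
    """Group VRP-style config into {top-level command: [indented sub-commands]}; '#' lines skipped."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    findings = []
    # 1. DPD must be on, otherwise a dead peer leaves stale IKE and IPsec SAs behind.
    if not any(h.startswith("ike dpd type") for h in blocks):
        findings.append("DPD not configured")
    for header, body in blocks.items():
        # 2. No weak cipher, hash or DH group in any IKE or IPsec proposal.
        if header.startswith(("ike proposal", "ipsec proposal")):
            findings += [f"{header}: weak setting '{s}'" for s in body if s.split()[-1] in WEAK]
        # 3. Each IPsec policy must reference an ACL that exists (the traffic of interest).
        if header.startswith("ipsec policy"):
            acl = next((s.split()[-1] for s in body if s.startswith("security acl")), None)
            if acl is None or f"acl number {acl}" not in blocks:
                findings.append(f"{header}: traffic-of-interest ACL {acl} is missing")
    return findings
```

Running `audit(FW1_CONFIG)` returns an empty list for the config as posted; swapping in `dh group2` or deleting the `ike dpd type` line produces a finding.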
