Example 1
Task: a company's headquarters and its branch offices are connected over the Internet (router R13 plays the Internet in this lab). The goal is that hosts on the 192.168.1.0 network behind R1 can ping the 192.168.2.0 network behind firewall F2 and the 192.168.3.0 network behind firewall F4 through IPsec tunnels.
Manual configuration:
Configure firewall F2:
Configure the interface addresses:
interface Ethernet0/4
ip address 192.168.2.1 24
interface Ethernet0/1
ip address 192.168.20.200 24
quit
Add the interfaces to the trust zone:
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/4
quit
Configure the default route:
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
Select the traffic to be protected (this ACL must be the mirror image of the one on R1):
acl 3000
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule deny ip source any destination any    (everything else is not handled by this policy)
quit
Create the security proposal:
ipsec proposal tran1
encapsulation-mode tunnel    (tunnel-mode encapsulation)
transform esp-new    (ESP is the security protocol)
esp-new authentication-algorithm md5    (HMAC-MD5-96 for integrity)
esp-new encryption-algorithm des    (DES for encryption)
quit
DES and MD5 are kept here because that is what the lab uses; both have been deprecated for years, so on any platform that offers them prefer AES and a SHA-2 HMAC.
Bind the proposal and the ACL into an IPsec policy:
ipsec policy policy10 20 isakmp
security acl 3000    (reference the access list)
proposal tran1    (reference the security proposal)
ike-peer f1
quit
Define the IKE peer with the local and remote addresses and the pre-shared key. The peer is named f1, the same name the policy references above and the one that appears in the running configuration below; because the policy is in isakmp mode, IKE negotiates the SAs and the pre-shared key must match the one configured on R1:
ike peer f1
pre-shared-key 123456
local-address 192.168.20.200
remote-address 192.168.10.200
quit
Set the SPIs and keys. These commands belong to a manually keyed policy (ipsec policy ... manual) and are listed here only because the original notes include them; with an isakmp policy IKE negotiates SPIs and keys, and none of these lines appear in the running configuration below:
sa outbound esp spi 12345    (outbound SPI is 12345)
sa inbound esp spi 54321    (inbound SPI is 54321)
sa outbound esp string-key abcdefg    (outbound key is abcdefg)
sa inbound esp string-key qazwsx    (inbound key is qazwsx)
Apply the policy on the outbound interface:
interface Ethernet0/1
ipsec policy policy10
quit
Show the running configuration on F2 (note two weak settings the lab leaves in place: password simple stores the user's password in clear text, and firewall packet-filter default permit lets through any packet that no ACL filters):
<F2>display current-configuration
#
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer f1
pre-shared-key 123456
remote-address 192.168.10.200
local-address 192.168.20.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
security acl 3000
ike-peer f1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.20.200 255.255.255.0
ipsec policy policy10
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 192.168.2.1 255.255.255.0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1 preference 60
#
Configure firewall F4 (the same pattern as F2; in the running configuration below the IKE peer is named route, the policy entry is sequence 20 and the proposal is tran1, so the names differ from these notes but the settings are the same):
interface Ethernet0/1
ip address 192.168.30.200 24
shutdown
undo shutdown
interface Ethernet0/2
ip address 192.168.3.1 24
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/2
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1
acl 3000
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule deny ip source any destination any
quit
ipsec proposal tran2
encapsulation-mode tunnel
transform esp-new
esp-new authentication-algorithm md5
esp-new encryption-algorithm des
quit
ipsec policy policy10 30 isakmp
security acl 3000
proposal tran2
ike-peer f2
quit
ike peer f2
pre-shared-key 123456
local-address 192.168.30.200
remote-address 192.168.10.200
The four sa lines below are manual-policy commands and have no effect on an isakmp policy (see the note under F2); they are kept only because the original notes list them:
sa inbound esp spi 12345
sa inbound esp string-key abcdefg
sa outbound esp spi 54321
sa outbound esp string-key qazwsx
quit
interface Ethernet0/1
ipsec policy policy10
Show the running configuration on F4:
[F4]display current-configuration
#
sysname F4
#
local-user user1
password simple 123
service-type ftp
service-type telnet
level 3
#
ike peer route
pre-shared-key 123456
remote-address 192.168.10.200
local-address 192.168.30.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
security acl 3000
ike-peer route
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Ethernet0/0
ip address 192.168.100.44 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.30.200 255.255.255.0
ipsec policy policy10
#
interface Ethernet0/2
ip address 192.168.3.1 255.255.255.0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1 preference 60
#
Configure router R13 (the "Internet" of the lab; the interface names follow its running configuration below, which places 192.168.20.1 on Ethernet0, 192.168.30.1 on Ethernet1 and 192.168.10.1 on Serial1):
interface Serial1
ip address 192.168.10.1 24
interface Ethernet0
ip address 192.168.20.1 24
shutdown
undo shutdown
interface Ethernet1
ip address 192.168.30.1 24
Show the running configuration on R13:
[R13]display current-configuration
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R13
firewall enable
aaa-enable
aaa accounting-scheme optional
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.30.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
clock DTECLK1
link-protocol ppp
ip address 192.168.10.1 255.255.255.0
!
return
R1 configuration:
Configure the local IP addresses:
interface Ethernet1
ip address 192.168.1.1 24
interface Serial1
ip address 192.168.10.200 24
quit
Configure the access list that lets the 1.0 network reach the 2.0 network (the mirror image of ACL 3000 on F2):
acl 3000
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any
quit
Configure the access list that lets the 1.0 network reach the 3.0 network (the mirror image of ACL 3000 on F4):
acl 3001
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source any destination any
quit
Configure the IPsec proposal named tran1:
ipsec proposal tran1
Set the encapsulation mode:
encapsulation-mode tunnel
Set the security protocol:
transform esp-new
Set the ESP authentication algorithm:
esp-new authentication-algorithm md5
Set the ESP encryption algorithm:
esp-new encryption-algorithm des
quit
Configure the IPsec proposal named tran2 (identical to tran1; one proposal could serve both policy entries, but the lab keeps one per branch):
ipsec proposal tran2
Set the encapsulation mode:
encapsulation-mode tunnel
Set the security protocol:
transform esp-new
Set the ESP authentication algorithm:
esp-new authentication-algorithm md5
Set the ESP encryption algorithm:
esp-new encryption-algorithm des
quit
Configure the IPsec policy group policy10 with one entry per branch (this router runs the older VRP syntax, so the tunnel endpoints are set directly in the policy entry instead of in an ike peer block):
ipsec policy policy10 20 isakmp
security acl 3000
proposal tran1
tunnel remote 192.168.20.200
tunnel local 192.168.10.200
quit
ipsec policy policy10 30 isakmp
Reference the access list:
security acl 3001
proposal tran2
tunnel remote 192.168.30.200
tunnel local 192.168.10.200
quit
Configure the IKE pre-shared key for each remote peer (each must match the key on that firewall):
ike pre-shared-key 123456 remote 192.168.20.200
ike pre-shared-key 123456 remote 192.168.30.200
Set the default route and apply the policy group to the Serial1 interface:
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
interface Serial1
ipsec policy policy10
Show the running configuration on R1:
[R1]display current-configuration
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R1
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 123456 remote 192.168.30.200
ike pre-shared-key 123456 remote 192.168.20.200
!
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
acl 3001 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ike proposal 20
!
ipsec proposal tran2
!
ipsec proposal tran1
!
ipsec policy policy10 20 isakmp
security acl 3000
proposal tran1
tunnel local 192.168.10.200
tunnel remote 192.168.20.200
!
ipsec policy policy10 30 isakmp
security acl 3001
proposal tran2
tunnel local 192.168.10.200
tunnel remote 192.168.30.200
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
ip address 192.168.10.200 255.255.255.0
ipsec policy policy10
!
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 preference 60
ip route-static 192.168.2.0 255.255.255.0 192.168.20.200 preference 60
!
return
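Three things have to agree between the two ends of each tunnel in the configurations above: the pre-shared key, the security ACLs (mirror images of each other), and the proposal parameters. Mistakes in any of them show up only as a tunnel that never comes up. The following checker is an added example, not code from the page or from the vendor; it parses constructed copies of the R1 and F2 lines that matter for negotiation (both the router dialect with tunnel local/remote and a global ike pre-shared-key, and the firewall dialect with an ike peer block), pairs each policy entry with the one on the other side that points back at it, and reports the mismatches. The manual sa lines are left out because the isakmp policies never use them. The WEAK set is an assumption of this example.

```python
"""Consistency checker for the hub-and-spoke IPsec configs above. Added example, not the
page's or the vendor's code. R1/F2 below are constructed copies of the lines that matter
for negotiation (F4 is checked the same way); the parser knows only these keywords."""
import ipaddress

R1 = """\
acl 3000
 rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal tran1
 esp-new authentication-algorithm md5
 esp-new encryption-algorithm des
ipsec policy policy10 20 isakmp
 security acl 3000
 proposal tran1
 tunnel local 192.168.10.200
 tunnel remote 192.168.20.200
ike pre-shared-key 123456 remote 192.168.20.200
"""
F2 = """\
acl 3000
 rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal tran1
 esp-new authentication-algorithm md5
 esp-new encryption-algorithm des
ike peer f1
 pre-shared-key 123456
 remote-address 192.168.10.200
 local-address 192.168.20.200
ipsec policy policy10 20 isakmp
 security acl 3000
 ike-peer f1
 proposal tran1
"""
WEAK = {"des", "3des", "md5", "sha1"}  # flagged as weak: an assumption, but all long deprecated

def wildcard_net(addr, wild):
    """Huawei ACL wildcard (0.0.0.255 = low 8 bits don't care) -> CIDR; contiguous masks only."""
    prefix = 32 - int(ipaddress.ip_address(wild)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(text):
    """Unindented lines open a section, indented lines fill it; both CLI dialects handled."""
    dev = {"acl": {}, "prop": {}, "peer": {}, "psk": {}, "policy": []}
    cur = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):
            if w[0] == "acl":
                cur = dev["acl"].setdefault(w[1], [])
            elif w[:2] == ["ipsec", "proposal"]:
                cur = dev["prop"].setdefault(w[2], {})
            elif w[:2] == ["ike", "peer"]:              # firewall dialect: ike peer block
                cur = dev["peer"].setdefault(w[2], {})
            elif w[:2] == ["ipsec", "policy"]:
                cur = {"seq": int(w[3])}
                dev["policy"].append(cur)
            elif w[:2] == ["ike", "pre-shared-key"]:    # router dialect: key per remote address
                dev["psk"][w[4]] = w[2]
        elif w[:2] == ["rule", "permit"]:
            cur.append((wildcard_net(w[4], w[5]), wildcard_net(w[7], w[8])))
        elif w[0] == "esp-new":
            cur[w[1].split("-")[0]] = w[2]              # authentication / encryption algorithm
        elif w[0] in ("pre-shared-key", "local-address", "remote-address", "proposal", "ike-peer"):
            cur[w[0]] = w[1]
        elif w[:2] == ["security", "acl"]:
            cur["acl"] = w[2]
        elif w[0] == "tunnel":
            cur[w[1]] = w[2]                            # router dialect: tunnel local / remote
    return dev

def endpoints(dev, pol):
    """(local, remote, pre-shared key) of one policy entry, whichever dialect defined it."""
    if "ike-peer" in pol:
        p = dev["peer"][pol["ike-peer"]]
        return p["local-address"], p["remote-address"], p.get("pre-shared-key")
    return pol["local"], pol["remote"], dev["psk"].get(pol["remote"])

def check_pair(a, b):
    """For every policy entry on a, find the entry on b that points back at it and check
    what both ends must agree on: pre-shared key, mirrored ACL, identical proposal."""
    problems = []
    for pa in a["policy"]:
        la, ra, ka = endpoints(a, pa)
        tag = f"seq {pa['seq']}"
        back = [pb for pb in b["policy"] if endpoints(b, pb)[:2] == (ra, la)]
        if not back:
            problems.append(f"{tag}: peer has no policy with local={ra} remote={la}")
            continue
        pb = back[0]
        if ka is None or ka != endpoints(b, pb)[2]:
            problems.append(f"{tag}: pre-shared keys differ or are missing")
        if set(a["acl"][pa["acl"]]) != {(d, s) for s, d in b["acl"][pb["acl"]]}:
            problems.append(f"{tag}: security ACLs are not mirror images")
        if a["prop"][pa["proposal"]] != b["prop"][pb["proposal"]]:
            problems.append(f"{tag}: proposals differ")
        problems += [f"{tag}: weak algorithm {x}" for x in a["prop"][pa["proposal"]].values() if x in WEAK]
    return problems
```

Running check_pair(parse(R1), parse(F2)) on the lab's settings reports only the two weak-algorithm warnings (md5, des); the same call with F2's ACL destination changed, or with a different pre-shared-key, adds the corresponding mismatch line, which is the kind of error that otherwise surfaces only as a tunnel that silently fails to negotiate.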
Tests:
Before the pings, confirm on each device that the IKE and IPsec SAs were negotiated (display ike sa and display ipsec sa); a missing SA usually means a mismatched pre-shared key, security ACLs that are not mirror images, or a proposal mismatch.
Tests between PC3 and R1/PC1:
Tests between PC2 and R1/PC1:
Tests between PC1 and R3/PC2: