野蠻模式—基於名字的ipsec動態配置
由於網絡地址的動態改變,可以使用基於名字的ipsec配置實現虛連接。
192.168.101.90 192.168.102.100
說明:由於實驗條件有限,Internet有一臺華爲路由器代替模擬,並在其上配置DHCP服務器,使fw-2動態獲取地址以實現地址不固定仍達到通信的效果。
一、Fw-1的配置
[fw-1]inter eth0/0
[fw-1-Ethernet0/0]ip add 192.168.101.55 255.255.255.0
[fw-1-Ethernet0/0]inter eth0/4
[fw-1-Ethernet0/4]ip add 1.1.1.1 255.255.255.0
[fw-1-Ethernet0/4]quit
[fw-1]ip route 0.0.0.0 0.0.0.0 1.1.1.2 //配置一條默認路由
配置訪問控制列表,起過濾作用
[fw-1]acl number 3000
[fw-1-acl-adv-3000]rule 10 permit ip source 192.168.101.0 0.0.0.255 dest 192.168.102.0 0.0.0.255
[fw-1-acl-adv-3000]rule 20 deny ip source any dest any
配置安全提議(系統默認,可選)
[fw-1]ipsec proposal tran1
[fw-1-ipsec-proposal-tran1]encapsulation-mode tunnel
[fw-1-ipsec-proposal-tran1]transform esp
[fw-1-ipsec-proposal-tran1]esp encryption-algorithm des
[fw-1-ipsec-proposal-tran1]esp authentication-algorithm md5
配置鄰居參數
[fw-1]ike peer fw-2
[fw-1-ike-peer-fw-2]exchange-mode aggressive //啓用野蠻模式
[fw-1-ike-peer-fw-2]id-type name
[fw-1-ike-peer-fw-2]pre-shared-key simple 123456
[fw-1-ike-peer-fw-2]remote-name fw-2
[fw-1-ike-peer-fw-2]local-address 1.1.1.1
[fw-1-ike-peer-fw-2]q
[fw-1]ike local-name fw-1 //創建本地名字
配置安全策略
[fw-1]ipsec policy policy1 10 isakmp
[fw-1-ipsec-policy-isakmp-policy1-10]security acl 3000
[fw-1-ipsec-policy-isakmp-policy1-10]proposal tran1
[fw-1-ipsec-policy-isakmp-policy1-10]ike-peer fw-2
應用安全策略
[fw-1]inter eth0/4
[fw-1-Ethernet0/4]ipsec policy policy1
二、路由器配置
[Router]inter e0
[Router-Ethernet0]ip add 1.1.1.2 255.255.255.0
[Router-Ethernet0]inter e1
[Router-Ethernet1]ip add 1.1.2.1 255.255.255.0
配置DHCP服務器
[Router]dhcp enable
[Router]dhcp server ip-pool xxx
[Router-dhcp-xxx]network 1.1.2.0
[Router-dhcp-xxx]gateway-list 1.1.2.1
[Router-dhcp-xxx]dns-list 222.88.88.88
三、Fw-2的配置
[fw-2]int eth0/0
[fw-2-Ethernet0/0]ip add 192.168.102.90 ?
[fw-2-Ethernet0/0]ip add 192.168.102.90 24
[fw-2-Ethernet0/0]int eth0/4
[fw-2-Ethernet0/4]ip add dhcp-alloc //自動獲得地址
[fw-2-Ethernet0/4]quit
[fw-2]ip route 0.0.0.0 0.0.0.0 1.1.2.1 //配置一條默認路由
把端口加入區域(如系統默認已加入,可選)
[fw-2]firewall zone untrust
[fw-2-zone-untrust]add int eth0/4
[fw-2]ip route 0.0.0.0 0 1.1.2.1
設置訪問控制列表,起過濾作用
[fw-2]acl number 3000
[fw-2-acl-adv-3000]rule 10 permit ip source 192.168.102.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
[fw-2-acl-adv-3000]rule 20 deny ip source any destination any
創建安全協議(如系統默認,可選)
[fw-2]ipsec proposal tran1
[fw-2-ipsec-proposal-tran1]encapsulation-mode tunnel
[fw-2-ipsec-proposal-tran1]transform esp
[fw-2-ipsec-proposal-tran1]esp authentication-algorithm md5
[fw-2-ipsec-proposal-tran1]esp encryption-algorithm des
配置鄰居參數
[fw-2]ike peer fw-1
[fw-2-ike-peer-fw-1]exchange-mode aggressive //啓用野蠻模式
[fw-2-ike-peer-fw-1]id-type name
[fw-2-ike-peer-fw-1]pre-shared-key 123456
[fw-2-ike-peer-fw-1]remote-address 1.1.1.1
[fw-2-ike-peer-fw-1]remote-name fw-1
[fw-2-ike-peer-fw-1]q
[fw-2]ike local-name fw-2 //創建本地名字
創建安全策略
[fw-2]ipsec policy policy1 10 isakmp //安全策略實爲一表格,每條策略需表序號
[fw-2-ipsec-policy-isakmp-policy1-10]security acl 3000
[fw-2-ipsec-policy-isakmp-policy1-10]proposal tran1
[fw-2-ipsec-policy-isakmp-policy1-10]ike-peer fw-1
把策略應用到端口
[fw-2]int eth0/4
[fw-2-Ethernet0/4]ipsec policy policy1
測試結果如下:![]()
可能遇到問題:第一次從fw-1 ping fw-2不通怎麼辦?
問題回答:由於防火牆是三層設備,數據以包的形式轉發,fw-2地址不固定,fw-1無法知道其ip地址,故無法通信,所以先在fw-2端ping fw-1端建立sa後,再在fw-1端ping fw-2端就通了。