USG firewall: building an IPsec VPN with manually negotiated SAs
(Figure 1: lab topology)

Each firewall has a default route pointing to R1; R1 has no routes configured and simulates the Internet. FW1 can ping FW2.

1. Basic firewall configuration according to the topology
Basic configuration of FW1

interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
# configure the interface address
interface GigabitEthernet0/0/1
ip address 200.1.1.1 255.255.255.0

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
# add the interface to its zone
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1

ip route-static 0.0.0.0 0.0.0.0 200.1.1.2

Basic configuration of FW2

interface GigabitEthernet0/0/0
ip address 200.1.2.1 255.255.255.0

interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1

firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0

ip route-static 0.0.0.0 0.0.0.0 200.1.2.2

2. Manual IPsec SA configuration
FW1 configuration
Define the interesting traffic
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Configure the security proposal
ipsec proposal 1
transform esp
# encapsulation protocol: ESP
encapsulation-mode tunnel
# encapsulation mode: tunnel
esp authentication-algorithm md5
# authentication algorithm: MD5
esp encryption-algorithm des
# encryption algorithm: DES

Configure the security policy in manual mode
ipsec policy p1 10 manual
security acl 3000
proposal 1
tunnel local 200.1.1.1
# tunnel source
tunnel remote 200.1.2.1
# tunnel destination
sa spi inbound esp 12345
# SPI of the inbound security association: 12345
sa string-key inbound esp huawei123
# key of the inbound security association: huawei123
sa spi outbound esp 45678
sa string-key outbound esp huawei456
Apply the policy to the interface
[FW1]interface g0/0/1
[FW1-GigabitEthernet0/0/1]ipsec policy p1

FW2 configuration (inbound/outbound SPIs and keys mirror FW1's)
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

ipsec proposal 1
transform esp
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des

ipsec policy p1 10 manual
security acl 3000
proposal 1
tunnel local 200.1.2.1
tunnel remote 200.1.1.1
sa spi outbound esp 12345
sa string-key outbound esp huawei123
sa spi inbound esp 45678
sa string-key inbound esp huawei456

[FW2]interface g0/0/0
[FW2-GigabitEthernet0/0/0]ipsec policy p1
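Manual SAs fail silently when one side's SPI or key is mistyped, so as an added example (not part of the original post) here is a small Python check that reads the two policy blocks above and verifies that FW1's inbound SA matches FW2's outbound SA and vice versa, that the tunnel endpoints are swapped, that the ESP algorithms agree, and flags the MD5/DES choice used in this lab as unsuitable for production. The configuration excerpts are constructed copies of the values on this page.

```python
import re
# Constructed excerpts of the two manual-SA configs on this page (ESP algorithms plus policy p1 lines).
FW1_CFG = """
esp authentication-algorithm md5
esp encryption-algorithm des
tunnel local 200.1.1.1
tunnel remote 200.1.2.1
sa spi inbound esp 12345
sa string-key inbound esp huawei123
sa spi outbound esp 45678
sa string-key outbound esp huawei456
"""
FW2_CFG = """
esp authentication-algorithm md5
esp encryption-algorithm des
tunnel local 200.1.2.1
tunnel remote 200.1.1.1
sa spi outbound esp 12345
sa string-key outbound esp huawei123
sa spi inbound esp 45678
sa string-key inbound esp huawei456
"""
WEAK_ALGOS = {"md5", "des"}  # still accepted for manual SAs, but not fit for production use

def parse_manual_sa(cfg):  # tunnel endpoints, per-direction SPI/key and ESP algorithms -> dict
    p = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*tunnel (local|remote) (\S+)", line)
        if m: p["tunnel_" + m.group(1)] = m.group(2)
        m = re.match(r"\s*sa (spi|string-key) (inbound|outbound) esp (\S+)", line)
        if m: p[m.group(1) + "_" + m.group(2)] = m.group(3)
        m = re.match(r"\s*esp (authentication|encryption)-algorithm (\S+)", line)
        if m: p[m.group(1)] = m.group(2)
    return p

def check_peers(cfg_a, cfg_b):
    """Return findings; an empty list means the two manual SAs are consistent and strong."""
    a, b = parse_manual_sa(cfg_a), parse_manual_sa(cfg_b)
    findings = []
    if (a["tunnel_local"], a["tunnel_remote"]) != (b["tunnel_remote"], b["tunnel_local"]):
        findings.append("tunnel endpoints are not mirrored")
    for kind in ("spi", "string-key"):  # A's inbound SA is B's outbound SA and vice versa
        if a[kind + "_inbound"] != b[kind + "_outbound"] or a[kind + "_outbound"] != b[kind + "_inbound"]:
            findings.append(kind + " values are not mirrored between peers")
    for role in ("authentication", "encryption"):
        if a[role] != b[role]:
            findings.append(role + " algorithm differs between peers")
        if a[role] in WEAK_ALGOS:
            findings.append("weak " + role + " algorithm: " + a[role])
    return findings
```

Run it against exported configuration before troubleshooting on the box: a mismatched key on FW2 shows up as a finding instead of as pings that never return.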

3. Permit the corresponding traffic on the firewalls
The configuration is the same on both firewalls
Permit ESP traffic in the inbound direction of the local-untrust interzone
policy interzone local untrust inbound
policy 1
action permit
policy service service-set esp

Permit ICMP traffic in the inbound direction of the trust-untrust interzone
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set icmp

Permit ICMP traffic in the outbound direction of the trust-untrust interzone
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp

4. Test whether traffic between the two PCs gets through


My course homepage: http://edu.51cto.com/lecturer/1025688.html
Join the study group for discussion: 32307012