IPsec aggressive mode on H3C devices

Example

[Figure 1: network topology for this example]

FW1

Firewall packet-filter default permit

Firewall zone trust

Add interface e 0/1

Firewall zone untrust

Add interface e 0/4

Interface e 0/1

Ip add 192.168.10.1 24

Interface  e 0/4

Ip add 10.10.10.10 24

Ip route-static 0.0.0.0 0 10.10.10.1

Create the crypto access control lists:

Acl number 3000

Rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

Rule deny ip source any destination any

Acl number 3001

Rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255

Rule deny ip source any destination any

Ike local-name fw1

Create the IKE security policy (IKE peers)

Ike peer peer1

Exchange-mode aggressive          // the so-called aggressive mode

Pre-shared-key 123456         // configure the pre-shared key

Local-address 10.10.10.10

Id-type name

Remote-name fw2

Ike peer peer2

Pre-shared-key 123456

Exchange-mode aggressive

Id-type name

Local-address 10.10.10.10

Remote-name fw3

Define the IPsec proposals

Ipsec proposal tran1

Encapsulation-mode tunnel   // how the security protocol encapsulates IP packets

Transform esp      // security protocol

Esp encryption-algorithm des       // choose the encryption and authentication algorithms

Esp authentication-algorithm md5

Ipsec proposal tran2

Encapsulation-mode tunnel

Transform esp

Esp encryption-algorithm des

Esp authentication-algorithm md5

Create the IPsec policies

Ipsec policy policy 10 isakmp      // create a security policy whose negotiation mode is isakmp

Ike-peer peer1

Proposal tran1       // the IPsec proposal referenced by this policy

Security acl 3000     // the access control list referenced by this policy

Ipsec policy policy 20 isakmp

Ike-peer peer2

Proposal tran2

Security acl 3001

Apply the policy to the interface

Interface e 0/4

Ipsec policy policy

FW2

Firewall packet-filter default permit

Firewall zone trust

Add interface e 0/1

Firewall zone untrust

Add interface e 0/4

Interface e 0/4

Ip add dhcp-alloc

Interface e 0/1

Ip add 192.168.20.1 24

Ip route-static 0.0.0.0 0 20.20.20.1

Ike local-name fw2

Ike peer peer1

Id-type name

Exchange-mode aggressive

Pre-shared-key 123456

Remote-address 10.10.10.10

Remote-name fw1

Ipsec proposal tran1

Encapsulation-mode tunnel

Transform esp

Esp encryption-algorithm des

Esp authentication-algorithm md5

Acl number 3000

Rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

Rule deny ip source any destination any

Ipsec policy policy 10 isakmp

Ike-peer peer1

Proposal tran1

Security acl 3000

Interface e 0/4

Ipsec policy policy

FW3

Firewall packet-filter default permit

Firewall zone trust

Add interface e 0/1

Firewall zone untrust

Add interface e 0/4

Interface e 0/4

Ip add dhcp-alloc

Interface e 0/1

Ip add 192.168.30.1 24

Ip route-static 0.0.0.0 0 30.30.30.1

Ike local-name fw3

Ike peer peer2

Exchange-mode aggressive

Id-type name

Remote-address 10.10.10.10

Remote-name fw1

Pre-shared-key 123456

Acl number 3001

Rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

Rule deny ip source any destination any

Ipsec proposal tran2

Encapsulation-mode tunnel

Transform esp

Esp encryption-algorithm des

Esp authentication-algorithm md5

Ipsec policy policy 20 isakmp

Ike-peer peer2

Proposal tran2

Security acl 3001

Interface e 0/4

Ipsec policy policy

SW4

Dhcp enable

Dhcp server ip-pool fw2

Network 20.20.20.0 mask 255.255.255.0

Dhcp server ip-pool fw3

Network 30.30.30.0 mask 255.255.255.0

Dhcp server forbidden-ip 20.20.20.1

Dhcp server forbidden-ip 30.30.30.1
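The three firewall configurations above only negotiate if the two ends of each tunnel agree on several things at once: each side's remote-name must equal the other side's ike local-name (aggressive mode with id-type name), the pre-shared keys and exchange modes must match, the dynamically addressed side must point its remote-address at the static side's local-address, and the two crypto ACLs must be mirror images of each other. The script below is an added example (not H3C code and not part of the original post) that parses a flat copy of the FW1 and FW2 listings, constructed here with commands lowercased, abbreviations expanded and interface/zone lines omitted, and reports any of those mismatches, as well as the DES and MD5 algorithms the proposals use, which are deprecated. The function names parse and check_tunnel and the section table SECTIONS are the example's own.

```python
"""Consistency checks for the FW1/FW2 aggressive-mode IPsec configs (added example)."""

# Constructed from the page's FW1 and FW2 listings (lowercased, abbreviations expanded).
FW1 = """\
ike local-name fw1
ike peer peer1
exchange-mode aggressive
pre-shared-key 123456
local-address 10.10.10.10
id-type name
remote-name fw2
ipsec proposal tran1
esp encryption-algorithm des
esp authentication-algorithm md5
acl number 3000
rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec policy policy 10 isakmp
ike-peer peer1
proposal tran1
security acl 3000
"""

FW2 = """\
ike local-name fw2
ike peer peer1
id-type name
exchange-mode aggressive
pre-shared-key 123456
remote-address 10.10.10.10
remote-name fw1
ipsec proposal tran1
esp encryption-algorithm des
esp authentication-algorithm md5
acl number 3000
rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ipsec policy policy 10 isakmp
ike-peer peer1
proposal tran1
security acl 3000
"""

# (command prefix, bucket in the parsed dict, number of words that form the section name)
SECTIONS = [(("ike", "peer"), "peers", 1), (("ipsec", "proposal"), "proposals", 1),
            (("acl", "number"), "acls", 1), (("ipsec", "policy"), "policies", 2),
            (("interface",), None, 1)]
DEPRECATED = {"des", "md5"}


def parse(text):
    """Parse a flat config into {local_name, peers, proposals, acls, policies}."""
    cfg = {"local_name": None, "peers": {}, "proposals": {}, "acls": {}, "policies": {}}
    current = None  # dict for the section we are inside; None at system view
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if not words:
            continue
        if words[:2] == ["ike", "local-name"]:
            cfg["local_name"] = words[2]
            continue
        hit = next((s for s in SECTIONS if tuple(words[:len(s[0])]) == s[0]), None)
        if hit:
            prefix, bucket, n = hit
            if bucket is None or len(words) < len(prefix) + n:
                current = None  # interface view, or "ipsec policy <name>" bound to an interface
            else:
                current = cfg[bucket].setdefault(" ".join(words[len(prefix):len(prefix) + n]), {})
            continue
        if current is None:
            continue
        if words[0] == "rule":  # rule permit ip source S SW destination D DW
            if words[1] == "permit":
                current.setdefault("permits", []).append(tuple(words[4:6] + words[7:9]))
            continue
        current[" ".join(words[:-1])] = words[-1]  # e.g. "esp encryption-algorithm" -> "des"
    return cfg


def check_tunnel(a, b, policy="policy 10"):
    """Return findings for the tunnel both sides bind to `policy`; [] means consistent."""
    findings = []
    pa = a["peers"][a["policies"][policy]["ike-peer"]]
    pb = b["peers"][b["policies"][policy]["ike-peer"]]
    if pa["remote-name"] != b["local_name"] or pb["remote-name"] != a["local_name"]:
        findings.append("remote-name does not match the peer's ike local-name")
    if pa["pre-shared-key"] != pb["pre-shared-key"]:
        findings.append("pre-shared-key mismatch")
    if pa["exchange-mode"] != pb["exchange-mode"]:
        findings.append("exchange-mode mismatch")
    for x, y in ((pa, pb), (pb, pa)):  # a side with remote-address must point at the other's local-address
        if "remote-address" in x and x["remote-address"] != y.get("local-address"):
            findings.append("remote-address does not match the peer's local-address")
    acl_a = a["acls"][a["policies"][policy]["security acl"]]["permits"]
    acl_b = b["acls"][b["policies"][policy]["security acl"]]["permits"]
    if set(acl_a) != {(d, dw, s, sw) for s, sw, d, dw in acl_b}:
        findings.append("crypto ACLs are not mirror images")
    for cfg in (a, b):  # flag the deprecated algorithms in the proposal each side references
        prop = cfg["proposals"][cfg["policies"][policy]["proposal"]]
        for key in ("esp encryption-algorithm", "esp authentication-algorithm"):
            if prop.get(key) in DEPRECATED:
                findings.append(f"{cfg['local_name']}: {key} {prop[key]} is deprecated")
    return findings
```

Running check_tunnel(parse(FW1), parse(FW2)) on the page's configuration reports no negotiation mismatch, only the four deprecated-algorithm findings (DES and MD5 on each side). Changing any single value, for example the pre-shared key on one side, the remote-name, or one ACL destination, produces the corresponding mismatch line; the same function checks the FW1/FW3 tunnel when given those two configs and policy="policy 20".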