Topology diagram:
Note: every router in the diagram is replaced by a firewall.
Requirements analysis:
Build IPsec tunnels so that the intranet of the Beijing headquarters and the intranets of the Shanghai and Zhengzhou branches can reach one another, with the traffic between them encrypted to protect the communication.
Lab steps
1. Beijing headquarters configuration
F1
[F1]dis cu
ike local-name f1                         local IKE identity, matched against the peer's remote-name
#
firewall packet-filter enable             enable packet filtering
firewall packet-filter default permit     default action is permit
#
ike peer peer1                            IKE peer for the Shanghai branch (F2)
 exchange-mode aggressive                 IKE phase 1 runs in aggressive mode
 pre-shared-key 123456                    pre-shared key (must match F2)
 id-type name                             identify the peer by name, not by IP address; no remote-address is set because the branches get their WAN addresses via DHCP
 remote-name f2
#
ike peer peer2                            IKE peer for the Zhengzhou branch (F3)
 exchange-mode aggressive                 IKE phase 1 runs in aggressive mode
 pre-shared-key 654321                    pre-shared key (must match F3)
 id-type name                             identify the peer by name
 remote-name f3
#
ipsec proposal tran1                      security proposal tran1 (nothing set, so the defaults apply: ESP in tunnel mode, DES, MD5-HMAC-96)
#
ipsec proposal tran2                      security proposal tran2 (same defaults)
#
ipsec policy policy1 10 isakmp            IPsec policy group policy1, entry 10, negotiated by IKE
 security acl 3000                        traffic to protect is selected by ACL 3000
 ike-peer peer1                           IKE peer used for this entry
 proposal tran1                           proposal used for this entry
#
ipsec policy policy1 20 isakmp            entry 20 of the same policy group
 security acl 3001                        traffic to protect is selected by ACL 3001
 ike-peer peer2                           IKE peer used for this entry
 proposal tran2                           proposal used for this entry
#
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip source any destination any
acl number 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 1 deny ip source any destination any
#
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
 ip address 202.196.10.100 255.255.255.0
 ipsec policy policy1                     apply the policy group on the outside interface
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/3
 add interface Ethernet0/4
 set priority 85
#
ip route-static 0.0.0.0 0.0.0.0 202.196.10.1 preference 60    default route
[F1]dis ipsec proposal                    view the security proposals
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F1]dis ipsec tunnel                      view the negotiated tunnels (IPsec SAs)
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 855708328 (0x330112a8) [ESP]
Outbound : 3269242184 (0xc2dcad48) [ESP]
Tunnel :
Local Address: 202.196.10.100 Remote Address : 202.196.20.2
Flow : (26 times matched)
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP
------------------------------------------------
Connection ID : 4
Perfect forward secrecy: None
SA's SPI :
Inbound : 796132552 (0x2f7404c8) [ESP]
Outbound : 2229133607 (0x84dde127) [ESP]
Tunnel :
Local Address: 202.196.10.100 Remote Address : 202.196.30.2
Flow : (22 times matched)
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
##################################
2. Shanghai branch configuration
F2
[F2]dis cu
#
 sysname F2
#
ike local-name f2
#
firewall packet-filter enable
firewall packet-filter default permit
#
domain system
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f1
 remote-address 202.196.10.100            the branch must point at the headquarters' fixed public address
#
ipsec proposal tran1
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal tran1
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
interface Ethernet0/0
 ip address 192.168.2.254 255.255.255.0
#
interface Ethernet0/3
 ip address dhcp-alloc                    WAN address is obtained via DHCP (served by SW13, see part 4)
 ipsec policy policy1
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/3
 add interface Ethernet0/4
 set priority 85
#
ip route-static 0.0.0.0 0.0.0.0 202.196.20.1 preference 60
[F2]dis ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F2]dis ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {Ethernet0/3}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3000
selector mode: standard
ike-peer name: peer1
perfect forward secrecy: None
proposal name: tran1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
[F2]dis ipsec tunnel
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 3269242184 (0xc2dcad48) [ESP]
Outbound : 855708328 (0x330112a8) [ESP]
Tunnel :
Local Address: 202.196.20.2 Remote Address : 202.196.10.100
Flow : (22 times matched)
Sour Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
[F2]
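The two ends of a tunnel must agree on the pre-shared key and the IKE exchange mode, their names must be crossed (each side's remote-name is the other side's local-name), and the two security ACLs must be mirror images of each other; a mismatch in any of these is the usual reason phase 1 or phase 2 never completes. The script below is an added example, not part of the original lab: it reads the relevant lines of the F1 and F2 `dis cu` output above (copied into the script as constants) and reports every inconsistency it finds. It assumes Comware's inverse-mask convention for ACL rules (0.0.0.255 selects a /24), which is what the rule lines above use.

```python
"""Added example (not from the original lab): cross-check the two ends of an
IKE/IPsec tunnel for the usual misconfigurations. The two config excerpts are
copied from the F1 and F2 'dis cu' output on this page."""
import ipaddress
import re

F1_CONF = """
ike local-name f1
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f2
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip source any destination any
"""

F2_CONF = """
ike local-name f2
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f1
 remote-address 202.196.10.100
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
"""

PERMIT_RE = re.compile(
    r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """Comware ACLs use inverse masks: 0.0.0.255 selects a /24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def field(conf, key):
    """Return the argument of a one-argument command such as 'remote-name f2'."""
    m = re.search(rf"^\s*{re.escape(key)} (\S+)\s*$", conf, re.M)
    return m.group(1) if m else None


def parse_peer(conf):
    """Pull out everything that has to agree between the two ends."""
    return {
        "local_name": field(conf, "ike local-name"),
        "remote_name": field(conf, "remote-name"),
        "psk": field(conf, "pre-shared-key"),
        "mode": field(conf, "exchange-mode"),
        # protected flows as (source network, destination network)
        "flows": {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
                  for s, sw, d, dw in PERMIT_RE.findall(conf)},
    }


def check_pair(a_conf, b_conf):
    """Return human-readable findings; an empty list means the pair is consistent."""
    a, b = parse_peer(a_conf), parse_peer(b_conf)
    findings = []
    if a["remote_name"] != b["local_name"] or b["remote_name"] != a["local_name"]:
        findings.append("IKE names are not crossed (remote-name must equal the peer's local-name)")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["mode"] != b["mode"]:
        findings.append("IKE exchange modes differ")
    # every flow on one end must appear with source and destination swapped on the other
    if a["flows"] != {(dst, src) for src, dst in b["flows"]}:
        findings.append("ACL selectors are not mirror images")
    return findings


if __name__ == "__main__":
    for line in check_pair(F1_CONF, F2_CONF) or ["F1 <-> F2: consistent"]:
        print(line)
```

For the F1/F2 pair above the check passes. Two cautions follow from the configuration itself: aggressive mode is used here because F2 and F3 obtain their WAN addresses via DHCP (`ip address dhcp-alloc`), so F1 cannot pin a `remote-address` and must identify them by name; but aggressive mode with a pre-shared key sends the identities in the clear and lets a passive observer capture the PSK-derived hash for offline guessing, so keys like 123456 and 654321 are acceptable only in a lab and must be replaced with long random secrets anywhere else.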
3. Zhengzhou branch configuration
F3
[F3]dis cu
#
 sysname F3
#
ike local-name f3
#
firewall packet-filter enable
firewall packet-filter default permit
#
ike peer peer2
 exchange-mode aggressive
 pre-shared-key 654321
 id-type name
 remote-name f1
 remote-address 202.196.10.100            the branch must point at the headquarters' fixed public address
#
ipsec proposal tran2
#
ipsec policy policy1 20 isakmp
 security acl 3001
 ike-peer peer2
 proposal tran2
#
acl number 3001
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
interface Ethernet0/0
 ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/3
 ip address dhcp-alloc                    WAN address is obtained via DHCP (served by SW13, see part 4)
 ipsec policy policy1
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/3
 add interface Ethernet0/4
 set priority 85
#
ip route-static 0.0.0.0 0.0.0.0 202.196.30.1 preference 60
#
[F3]dis ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {Ethernet0/3}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 20
mode: isakmp
-----------------------------
security data flow : 3001
selector mode: standard
ike-peer name: peer2
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
[F3]dis ipsec proposal
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F3]dis ipsec tunnel
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 2229133607 (0x84dde127) [ESP]
Outbound : 796132552 (0x2f7404c8) [ESP]
Tunnel :
Local Address: 202.196.30.2 Remote Address : 202.196.10.100
Flow : (14 times matched)
Sour Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
[F3]
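With all three tunnels up, the `dis ipsec tunnel` output of the hub and of each spoke can be cross-checked: the hub's inbound SPI for a peer must equal that peer's outbound SPI and vice versa, the local and remote addresses must be swapped, and the protected flows must be mirror images. The script below is an added example, not part of the original lab; it parses abridged copies of the F1, F2 and F3 `dis ipsec tunnel` outputs shown above (embedded as constants), performs that check, and flags the algorithms that the `dis ipsec proposal` output reveals.

```python
"""Added example (not from the original lab): cross-check 'dis ipsec tunnel'
output from the hub (F1) and both spokes (F2, F3); samples are abridged
copies of the outputs shown on this page."""
import re

F1_TUNNELS = """
------------------------------------------------
Perfect forward secrecy: None
Inbound : 855708328 (0x330112a8) [ESP]
Outbound : 3269242184 (0xc2dcad48) [ESP]
Local Address: 202.196.10.100 Remote Address : 202.196.20.2
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP
------------------------------------------------
Perfect forward secrecy: None
Inbound : 796132552 (0x2f7404c8) [ESP]
Outbound : 2229133607 (0x84dde127) [ESP]
Local Address: 202.196.10.100 Remote Address : 202.196.30.2
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
"""
F2_TUNNELS = """
------------------------------------------------
Perfect forward secrecy: None
Inbound : 3269242184 (0xc2dcad48) [ESP]
Outbound : 855708328 (0x330112a8) [ESP]
Local Address: 202.196.20.2 Remote Address : 202.196.10.100
Sour Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
"""
F3_TUNNELS = """
------------------------------------------------
Perfect forward secrecy: None
Inbound : 2229133607 (0x84dde127) [ESP]
Outbound : 796132552 (0x2f7404c8) [ESP]
Local Address: 202.196.30.2 Remote Address : 202.196.10.100
Sour Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
"""
PROPOSAL = "ESP protocol: authentication md5-hmac-96, encryption des"

FIELDS = {  # one regex per value we need from each SA block
    "spi_in": r"Inbound\s*:\s*(\d+)", "spi_out": r"Outbound\s*:\s*(\d+)",
    "local": r"Local Address\s*:\s*(\S+)", "remote": r"Remote Address\s*:\s*(\S+)",
    "src": r"Sour Addr\s*:\s*(\S+)", "dst": r"Dest Addr\s*:\s*(\S+)",
    "pfs": r"Perfect forward secrecy:\s*(\S+)",
}


def parse_tunnels(text):
    """One dict per SA block; blocks are separated by the dashed rule."""
    tunnels = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        if all(found.values()):
            t = {k: m.group(1) for k, m in found.items()}
            t["spi_in"], t["spi_out"] = int(t["spi_in"]), int(t["spi_out"])
            tunnels.append(t)
    return tunnels


def match_ends(hub, spokes):
    """Each spoke SA needs exactly one hub SA with swapped addresses, swapped
    SPIs and mirrored selectors. Returns findings; empty means consistent."""
    findings = []
    for s in spokes:
        mates = [h for h in hub if (h["local"], h["remote"]) == (s["remote"], s["local"])]
        if len(mates) != 1:
            findings.append(f"no unique hub SA for spoke {s['local']}")
            continue
        h = mates[0]
        if (h["spi_in"], h["spi_out"]) != (s["spi_out"], s["spi_in"]):
            findings.append(f"SPIs are not crossed with spoke {s['local']}")
        if (h["src"], h["dst"]) != (s["dst"], s["src"]):
            findings.append(f"selectors are not mirrored with spoke {s['local']}")
    return findings


def weak_settings(proposal_line, pfs):
    """Flag algorithms and settings that should not protect production traffic."""
    auth, enc = re.search(r"authentication (\S+), encryption (\S+)", proposal_line).groups()
    issues = [x for x in (enc,) if x in ("des", "3des")]
    if auth.startswith("md5"):
        issues.append(auth)
    if pfs == "None":
        issues.append("no-pfs")
    return issues


if __name__ == "__main__":
    hub = parse_tunnels(F1_TUNNELS)
    spokes = parse_tunnels(F2_TUNNELS) + parse_tunnels(F3_TUNNELS)
    print(match_ends(hub, spokes) or "SPIs, addresses and selectors all consistent")
    print("weak settings:", weak_settings(PROPOSAL, hub[0]["pfs"]))
```

For this lab the three SA pairs are consistent, but the audit flags des, md5-hmac-96 and the absence of PFS. Those are the proposal defaults, applied because nothing was configured under `ipsec proposal tran1` and `tran2`; single DES and HMAC-MD5 should not protect production traffic, so the proposals should name stronger ESP algorithms and the policy should enable PFS (the exact keywords depend on the firewall's software version). Note also that no ACL on any of the three firewalls selects traffic between 192.168.2.0/24 and 192.168.3.0/24, so the Shanghai and Zhengzhou branches cannot reach each other through these tunnels; the topology is hub-and-spoke, and the tests in part 5 accordingly cover only Beijing to each branch.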
4. Layer-3 switch configuration
[SW13]dis cu
 sysname SW13
#
dhcp server ip-pool shanghai
 network 202.196.20.0 mask 255.255.255.0
#
dhcp server ip-pool zhengzhou
 network 202.196.30.0 mask 255.255.255.0
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
 ip address 192.168.100.33 255.255.255.0
#
interface Vlan-interface10
 ip address 202.196.10.1 255.255.255.0
#
interface Vlan-interface20
 ip address 202.196.20.1 255.255.255.0
#
interface Vlan-interface30
 ip address 202.196.30.1 255.255.255.0
#
interface Ethernet0/6
 port access vlan 10
#
interface Ethernet0/12
 port access vlan 20
#
interface Ethernet0/18
 port access vlan 30
#
dhcp server forbidden-ip 202.196.20.1
dhcp server forbidden-ip 202.196.30.1
#
[SW13]dis dhcp server ip-in-use all       check the addresses the DHCP server has leased to the branch firewalls
Global pool:
IP address      Hardware address   Lease expiration            Type
202.196.20.2    3ce5-a67f-374b     Mar 29 2012 18:31:43 PM     Auto:COMMITTED
202.196.30.2    3ce5-a6ce-1895     Mar 29 2012 19:52:32 PM     Auto:COMMITTED
5. Testing:
Beijing to the Shanghai branch
Beijing to the Zhengzhou branch