Example 1
Example: a company's headquarters and a branch office are connected over the Internet. Goal: the 1.0, 2.0 and 3.0 networks must be able to ping each other.
Manual configuration:
Configure firewall F2:
Configure the interface addresses:
interface Ethernet0/4
ip add 192.168.2.1 24
interface Ethernet0/1
ip add 192.168.20.200 24
quit
Add the interfaces to the trust zone:
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/4
quit
Configure the default route:
ip route 0.0.0.0 192.168.20.1
Select the traffic to protect:
acl 3000
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule deny ip source any dest any  (deny everything else)
quit
Create the security proposal:
ipsec propo tran1
enca tun  (tunnel encapsulation mode)
transform esp-new  (ESP as the security protocol)
esp-new authentication-algorithm md5  (authentication with HMAC-MD5-96)
esp encryption-algorithm des  (DES encryption)
quit
Create the IPsec policy that ties the proposal to the traffic selection:
ipsec policy policy10 20 isakmp
security acl 3000  (reference the ACL)
proposal tran1  (reference the security proposal)
ike-peer f1
quit
Set the local and remote addresses (the peer name must match the ike-peer referenced by the policy):
ike peer f1
local-address 192.168.20.200
remote-address 192.168.10.200
Set the SPIs:
sa outbound esp spi 12345  (outbound SPI is 12345)
sa inbound esp spi 54321  (inbound SPI is 54321)
Set the keys:
sa outbound esp string-key abcdefg  (outbound key is abcdefg)
sa inbound esp string-key qazwsx  (inbound key is qazwsx)
Apply the policy to the outbound interface:
int e1
ipsec policy policy10
quit
Display the configuration (F2):
#
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer f1
pre-shared-key 123456
remote-address 192.168.10.200
local-address 192.168.20.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
security acl 3000
ike-peer f1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.20.200 255.255.255.0
ipsec policy policy10
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 192.168.2.1 255.255.255.0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1 preference 60
#
Configure firewall F4 (essentially the same as F2):
interface Ethernet0/1
ip add 192.168.30.200 24
shut
undo shut
interface Ethernet0/2
ip add 192.168.3.1 24
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/2
quit
ip route 0.0.0.0 192.168.30.1
acl 3000
rule permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal tran2
encap tunnel
transform esp
esp authen md5
esp enc des
quit
ipsec policy policy10 30 isakmp
sec acl 3000
proposal tran2
ike-peer f2
quit
ike peer f2
local-address 192.168.30.200
remote-address 192.168.10.200
sa in esp spi 12345
sa in esp strin abcdefg
sa out esp spi 54321
sa out esp strin qazwsx
quit
int e1
ipsec policy policy10
Display the configuration (F4):
[F4]dis cu
#
sysname F4
#
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer route
pre-shared-key 123456
remote-address 192.168.10.200
local-address 192.168.30.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
security acl 3000
ike-peer route
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Ethernet0/0
ip address 192.168.100.44 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.30.200 255.255.255.0
ipsec policy policy10
#
interface Ethernet0/2
ip address 192.168.3.1 255.255.255.0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1 preference 60
#
Configure router R13:
int s1
ip add 192.168.10.1 24
int e1
ip add 192.168.20.1 24
shut
undo shut
int s0
ip add 192.168.30.1 24
Display the configuration (R13):
[R13]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R13
firewall enable
aaa-enable
aaa accounting-scheme optional
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.30.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
clock DTECLK1
link-protocol ppp
ip address 192.168.10.1 255.255.255.0
!
return
Configure R1:
Configure the local IP addresses:
int e1
ip add 192.168.1.1 24
int s1
ip add 192.168.10.200 24
quit
Configure an access control list permitting the 1.0 network to reach the 2.0 network:
acl 3000
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any
quit
Configure an access control list permitting the 1.0 network to reach the 3.0 network:
acl 3001
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source any destination any
quit
Configure the IPsec proposal named tran1:
ipsec proposal tran1
Configure the packet encapsulation mode:
encapsulation-mode tunnel
Configure the security protocol:
transform esp-new
Configure the ESP authentication algorithm:
esp-new authentication-algorithm md5
Configure the ESP encryption algorithm:
esp-new encryption-algorithm des
quit
Configure the IPsec proposal named tran2:
ipsec proposal tran2
Configure the packet encapsulation mode:
encapsulation-mode tunnel
Configure the security protocol:
transform esp-new
Configure the ESP authentication algorithm:
esp-new authentication-algorithm md5
Configure the ESP encryption algorithm:
esp-new encryption-algorithm des
quit
Configure the IPsec policies:
ipsec policy policy10 20 isakmp
security acl 3000
proposal tran1
tunnel remote 192.168.20.200
tunnel local 192.168.10.200
quit
ipsec policy policy10 30 isakmp
Reference the access control list:
security acl 3001
proposal tran2
tunnel remote 192.168.30.200
tunnel local 192.168.10.200
quit
Configure the IKE pre-shared key for each remote peer address:
ike pre-shared-key 123456 remote 192.168.20.200
ike pre-shared-key 123456 remote 192.168.30.200
Set the default route:
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
int s1
ipsec policy policy10
Display the configuration (R1):
[R1]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R1
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 123456 remote 192.168.30.200
ike pre-shared-key 123456 remote 192.168.20.200
!
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
acl 3001 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ike proposal 20
!
ipsec proposal tran2
!
ipsec proposal tran1
!
ipsec policy policy10 20 isakmp
security acl 3000
proposal tran1
tunnel local 192.168.10.200
tunnel remote 192.168.20.200
!
ipsec policy policy10 30 isakmp
security acl 3001
proposal tran2
tunnel local 192.168.10.200
tunnel remote 192.168.30.200
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
ip address 192.168.10.200 255.255.255.0
ipsec policy policy10
!
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 preference 60
ip route-static 192.168.2.0 255.255.255.0 192.168.20.200 preference 60
!
return
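A peer-consistency check for the configurations above, added here as an example (not code from the page or from the devices' CLI). It parses constructed excerpts of the R1 and F2 configs, verifies that one side's tunnel endpoints and ACL flows are the mirror image of the other's, and lists the weak settings the lab uses (DES, MD5, cleartext password); the regexes and the dict layout are assumptions of this example.

```python
import re

# Constructed excerpts of the R1 and F2 configs shown above (test input, not full configs).
R1_CFG = """\
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
tunnel local 192.168.10.200
tunnel remote 192.168.20.200
"""
F2_CFG = """\
password simple 123
ike peer f1
remote-address 192.168.10.200
local-address 192.168.20.200
esp-new authentication-algorithm md5
esp-new encryption-algorithm des
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

RULE = re.compile(r"permit ip source (\S+ \S+) destination (\S+ \S+)")
ENDPOINT = re.compile(r"(?:tunnel (local|remote)|(local|remote)-address) (\S+)")
WEAK = ("encryption-algorithm des", "authentication-algorithm md5", "password simple")

def parse_side(cfg):
    """Extract one device's tunnel endpoints and the (source, destination) flows its ACL protects."""
    side = {"local": None, "remote": None, "flows": set()}
    for line in cfg.splitlines():
        m = ENDPOINT.search(line)
        if m:
            side[m.group(1) or m.group(2)] = m.group(3)
        m = RULE.search(line)
        if m:
            side["flows"].add((m.group(1), m.group(2)))
    return side

def check_peers(a, b):
    """Return the mismatches between two peers; an empty list means they mirror each other."""
    problems = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel endpoints are not mirrored")
    if a["flows"] != {(dst, src) for src, dst in b["flows"]}:
        problems.append("ACL flows are not mirror images")
    return problems

def weak_settings(cfg):
    """Return the config lines that use the weak algorithms or cleartext password seen in this lab."""
    return [ln.strip() for ln in cfg.splitlines() if any(w in ln for w in WEAK)]
```

Run the same check on the R1/F4 pair by swapping in the F4 excerpt; a non-empty result from check_peers is the usual reason a tunnel negotiates but carries no traffic.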
Tests:
Tests between PC3, R1 and PC1:
Tests between PC2, R1 and PC1:
Tests between PC1, R3 and PC2: