IPSec in an enterprise network: a case study
Topology diagram (not reproduced on the page; the layout below is read from the configurations that follow):
192.168.1.0/24 - E1 R1 S0 (192.168.10.200) --- (192.168.10.1) S0 R2 S1 (192.168.20.1) --- (192.168.20.200) S1 R3 E1 - 192.168.2.0/24
R2 only forwards packets; the IPsec tunnel runs between R1 S0 and R3 S1 and protects traffic between 192.168.1.0/24 and 192.168.2.0/24.
Configure R1:
inter e1
ip add 192.168.1.1 24
inter s0
ip add 192.168.10.200 24
ip route-static 0.0.0.0 0 192.168.10.1
acl 3000
rule permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5-hmac-96
esp encryption-algorithm des
quit
ipsec policy policy1 10 isakmp
sec acl 3000
proposal tran1
tunnel local 192.168.10.200
tunnel remote 192.168.20.200
quit
ike pre-shared-key 12345 remote 192.168.20.200
inter s0
ipsec policy policy1
[R1]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R1
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 12345 remote 192.168.20.200
!
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
!
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
tunnel local 192.168.10.200
tunnel remote 192.168.20.200
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
interface Serial0
clock DTECLK1
link-protocol ppp
ip address 192.168.10.200 255.255.255.0
ipsec policy policy1
!
interface Serial1
link-protocol ppp
!
!
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 preference 60
!
return
Configure R2:
inter s0
ip add 192.168.10.1 24
inter s1
ip add 192.168.20.1 24
[R2]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R2
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ipsec proposal tran1
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.100.2 255.255.255.0
!
interface Ethernet1
ip address 192.168.30.1 255.255.255.0
shutdown
!
interface Serial0
link-protocol ppp
ip address 192.168.10.1 255.255.255.0
!
interface Serial1
link-protocol ppp
ip address 192.168.20.1 255.255.255.0
!
return
Configure R3:
inter e1
ip add 192.168.2.1 24
inter s1
ip add 192.168.20.200 24
ip route-static 0.0.0.0 0 192.168.20.1
acl 3000
rule permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5-hmac-96
esp encryption-algorithm des
quit
ipsec policy policy2 10 isakmp
sec acl 3000
proposal tran2
tunnel local 192.168.20.200
tunnel remote 192.168.10.200
quit
ike pre-shared-key 12345 remote 192.168.10.200
inter s1
ipsec policy policy2
[R3]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R3
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 12345 remote 192.168.10.200
!
acl 3000 match-order auto
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran2
!
ipsec policy policy2 10 isakmp
security acl 3000
proposal tran2
tunnel local 192.168.20.200
tunnel remote 192.168.10.200
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.100.9 255.255.255.0
!
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
clock DTECLK1
link-protocol ppp
ip address 192.168.20.200 255.255.255.0
ipsec policy policy2
!
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1 preference 60
!
return
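The R1 and R3 sections above configure the two ends of one tunnel, and the usual reason such a tunnel fails to come up is an asymmetry between them: the security ACL on one side is not the mirror image of the other, the tunnel local/remote addresses are not swapped correctly, or the pre-shared key is bound to the wrong peer address. The script below is an added example, not code from the page or from the router vendor. It rebuilds the R1 and R3 IPsec commands from the page as a constructed sample, parses them, reports any asymmetry between the peers, lists the legacy algorithms the proposals use (DES and HMAC-MD5 on this page), and classifies packets the way the security ACL does (permit = protected by IPsec, deny = forwarded in the clear). The parser only understands the commands this page uses; the names `parse_vrp`, `check_peers`, `acl_action` and `legacy_algorithms` are chosen here and are not vendor commands.

```python
"""Added example, not code from the page or the router vendor: parse the IPsec commands
typed on R1 and R3, check that the peers mirror each other, flag legacy algorithms,
and classify packets by the security ACL (permit = protected, deny = sent in clear)."""
import ipaddress
# Sample input built from the page's commands ('sec'/'dest' as typed there).
TEMPLATE = """
acl 3000
rule permit ip source {lan} 0.0.0.255 dest {peer_lan} 0.0.0.255
rule deny ip source any dest any
quit
ipsec proposal {prop}
esp authentication-algorithm md5-hmac-96
esp encryption-algorithm des
quit
ipsec policy {pol} 10 isakmp
sec acl 3000
proposal {prop}
tunnel local {local}
tunnel remote {remote}
quit
ike pre-shared-key {key} remote {remote}
"""
R1_CMDS = TEMPLATE.format(lan="192.168.1.0", peer_lan="192.168.2.0", prop="tran1",
                          pol="policy1", local="192.168.10.200", remote="192.168.20.200", key="12345")
R3_CMDS = TEMPLATE.format(lan="192.168.2.0", peer_lan="192.168.1.0", prop="tran2",
                          pol="policy2", local="192.168.20.200", remote="192.168.10.200", key="12345")
LEGACY = {"des", "md5-hmac-96"}  # accepted by this VRP release; no useful security margin today

def _net(tok, i):
    """Read 'any' or 'address wildcard' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # VRP wildcard masks are inverted netmasks: 0 bits must match, 1 bits are don't-care
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network((tok[i], str(netmask)), strict=False), i + 2

def _rule(tok):
    """'rule [normal] permit|deny ip source S W dest[ination] D W' -> (action, src, dst)."""
    action = "permit" if "permit" in tok else "deny"
    src, i = _net(tok, tok.index("source") + 1)
    dst, _ = _net(tok, i + 1)  # tok[i] is 'dest' or 'destination'
    return action, src, dst

def parse_vrp(text):
    """Collect pre-shared keys, ACL rules, proposals and policies from CLI text."""
    cfg = {"psk": {}, "acls": {}, "proposals": {}, "policies": {}}
    ctx = None  # (kind, name) of the configuration block we are inside
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "quit"):
            ctx = None  # separators and 'quit' end the current block
        elif tok[:2] == ["ike", "pre-shared-key"]:  # ike pre-shared-key KEY remote PEER
            cfg["psk"][tok[4]] = tok[2]
        elif tok[0] == "acl":
            ctx = ("acl", tok[1])
            cfg["acls"].setdefault(tok[1], [])
        elif tok[:2] == ["ipsec", "proposal"]:
            ctx = ("proposal", tok[2])
            cfg["proposals"].setdefault(tok[2], {})
        elif tok[:2] == ["ipsec", "policy"] and len(tok) > 3:  # creation, not interface apply
            ctx = ("policy", tok[2])
            cfg["policies"].setdefault(tok[2], {})
        elif ctx and ctx[0] == "acl" and tok[0] == "rule":
            cfg["acls"][ctx[1]].append(_rule(tok))
        elif ctx and ctx[0] == "proposal" and tok[0] == "esp":
            cfg["proposals"][ctx[1]][tok[1]] = tok[2]  # esp <role>-algorithm <name>
        elif ctx and ctx[0] == "policy" and tok[0] in ("sec", "security", "proposal", "tunnel"):
            # 'sec[urity] acl N', 'proposal NAME', 'tunnel local|remote ADDR'
            key = {"sec": "acl", "security": "acl", "proposal": "proposal"}.get(tok[0], tok[1])
            cfg["policies"][ctx[1]][key] = tok[-1]
    return cfg

def acl_action(cfg, acl, src_ip, dst_ip):
    """Action of the first matching rule; a packet matching nothing is not protected."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in cfg["acls"][acl]:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def legacy_algorithms(cfg):
    """'proposal: algorithm' for every LEGACY algorithm in use, sorted."""
    return sorted(f"{name}: {alg}" for name, prop in cfg["proposals"].items()
                  for alg in prop.values() if alg in LEGACY)

def check_peers(a, b):
    """Mismatches between the peers' single policies; empty = consistent as far as parsed."""
    pa, pb = next(iter(a["policies"].values())), next(iter(b["policies"].values()))
    issues = []
    if (pa["local"], pa["remote"]) != (pb["remote"], pb["local"]):
        issues.append("tunnel endpoints are not mirrored")
    if a["psk"].get(pa["remote"]) != b["psk"].get(pb["remote"]):
        issues.append("pre-shared keys differ")
    if a["proposals"].get(pa["proposal"]) != b["proposals"].get(pb["proposal"]):
        issues.append("proposal algorithms differ")
    mirrored = [(act, dst, src) for act, src, dst in b["acls"][pb["acl"]]]
    if a["acls"][pa["acl"]] != mirrored:
        issues.append("security ACLs are not mirror images")
    return issues
```

For the page's configuration `check_peers(parse_vrp(R1_CMDS), parse_vrp(R3_CMDS))` returns an empty list, while changing the key or the `tunnel remote` address on one side produces a list of mismatches (a wrong remote address also breaks the key lookup, because `ike pre-shared-key` binds the key to that peer address). `legacy_algorithms` reports `tran1: des` and `tran1: md5-hmac-96`; a current deployment would use AES and SHA-2 instead, but the page's own proposal is left as written.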