Firewall GRE over IPsec lab

[Figure 1: Firewall GRE over IPsec lab]

PC1 configuration

[Figure 2: PC1 configuration]

PC2 configuration

[Figure 3: PC2 configuration]

Router configuration

int g0/0/0
ip address 1.1.1.254 255.255.255.0 
int g0/0/1
ip address 2.2.2.254 255.255.255.0 

Firewall FW1 configuration

Turn off information-center output (log messages on the console)
undo info-center enable
 
Configure interface IP addresses (service-manage ping permit lets the interface itself answer ping)
int g1/0/1
ip add 192.168.10.254 24
service-manage ping permit
int g1/0/2
ip add 1.1.1.1 24
service-manage ping permit
 
Add the interfaces to security zones
firewall zone trust 
add int g1/0/1
firewall zone untrust 
add int g1/0/2
 

Create the GRE tunnel interface (the outer source and destination are the two firewalls' untrust interface addresses)
interface Tunnel1
 ip address 10.1.2.3 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 2.2.2.2

Add Tunnel1 to the DMZ zone (traffic entering or leaving the tunnel is then subject to security policy)
firewall zone dmz
 add interface Tunnel1

Route the remote LAN into the tunnel
ip route-static 172.16.0.0 24 Tunnel1

Define the traffic to protect. The ACL matches the GRE packets exchanged between the two tunnel endpoints, not the LAN subnets: by the time IPsec sees a LAN packet it already carries the 1.1.1.1 -> 2.2.2.2 GRE header.
acl number 3001
rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
 
Define the IKE proposal (device defaults accepted)
ike proposal 1
 
Configure the IKE peer (IKEv1 only, pre-shared-key authentication; liyan520 is a lab value, use a long random key or certificates outside the lab)
ike peer to_fw2
ike-proposal 1
undo version 2
pre-share-key liyan520
remote-address 2.2.2.2
 
IPsec proposal (ESP in tunnel mode). 3DES and SHA-1 are kept here because the lab uses them; outside a lab prefer aes-256 and sha2-256.
ipsec proposal a
transform esp
encapsulation-mode tunnel
esp authentication-algorithm sha1
esp encryption-algorithm 3des
 
 
Configure the IPsec policy (IKE-negotiated), tying the ACL, the IKE peer and the proposal together
ipsec policy p1 1 isakmp
security acl 3001
ike-peer to_fw2
proposal a
 
Apply the IPsec policy to the outside interface
int g1/0/2
ipsec policy p1
 
 
Configure the firewall security policy. t_to_d lets ICMP flow between the trust zone and the DMZ zone that Tunnel1 sits in; lo_to_u lets the firewall itself exchange GRE and ESP with the peer through the untrust zone. IKE negotiation (UDP 500, plus UDP 4500 when NAT traversal is in use) between local and untrust is not covered by these two rules and must be permitted as well, otherwise the IPsec SA is never negotiated.
security-policy
 rule name t_to_d
  source-zone dmz
  source-zone trust
  destination-zone dmz
  destination-zone trust
  service icmp
  action permit
 rule name lo_to_u
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service esp
  service gre
  action permit
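Why ACL 3001 matches 1.1.1.1 and 2.2.2.2 rather than 192.168.10.0/24 and 172.16.0.0/24 becomes obvious once you look at the packet FW1 hands to IPsec. The following Python script is an added example written for this page (it is not part of the lab and not Huawei code): it builds the ICMP packet PC1 would send, wraps it in GRE the way Tunnel1 does, and runs the ACL rule against both the inner and the outer header. The host addresses 192.168.10.1 and 172.16.0.1 are assumed; the tunnel endpoints and the ACL come from the FW1 config above.

```python
"""Added example for this page (not lab or vendor code): what IPsec ACL 3001 sees.

Builds the packet PC1 sends, wraps it in GRE the way FW1's Tunnel1 does, and runs
the ACL rule against the inner and the outer IPv4 header. Host addresses
192.168.10.1 and 172.16.0.1 are assumed; everything else is from the lab config.
"""
import socket
import struct

PROTO_ICMP, PROTO_GRE, PROTO_ESP = 1, 47, 50
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the outermost IPv4 header; rejects a corrupted header checksum."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[ihl:f[2]]}


def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """RFC 2784 GRE with no optional fields: 4-byte header, ethertype 0x0800 (IPv4)."""
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_GRE, struct.pack("!HH", 0, 0x0800) + inner)


def gre_decap(pkt: bytes) -> bytes:
    """What FW2's Tunnel1 does on receipt: strip the outer IPv4 and GRE headers."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ethertype = struct.unpack("!HH", outer["payload"][:4])
    if flags != 0 or ethertype != 0x0800:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def wildcard_match(rule_ip: str, wildcard: str, ip: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit means 'don't care', so wildcard 0 = exact host."""
    r, w, i = (int.from_bytes(socket.inet_aton(x), "big") for x in (rule_ip, wildcard, ip))
    return ((r ^ i) & ~w & 0xFFFFFFFF) == 0


def acl_3001_permits(pkt: bytes) -> bool:
    """rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0, as on FW1."""
    h = parse_ipv4(pkt)
    return wildcard_match("1.1.1.1", "0.0.0.0", h["src"]) and wildcard_match("2.2.2.2", "0.0.0.0", h["dst"])


def pc1_ping_pc2() -> bytes:
    """Constructed ICMP echo request from PC1 to PC2 (assumed host addresses)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"gre-over-ipsec"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4("192.168.10.1", "172.16.0.1", PROTO_ICMP, icmp)


def layers(pkt: bytes) -> list:
    """Human-readable header stack, outermost first, following GRE encapsulation down."""
    out = []
    while True:
        h = parse_ipv4(pkt)
        out.append(f"IPv4 {h['src']} -> {h['dst']} proto {h['proto']}")
        if h["proto"] != PROTO_GRE:
            return out
        out.append("GRE")
        pkt = h["payload"][4:]


if __name__ == "__main__":
    inner = pc1_ping_pc2()
    outer = gre_encap(inner, "1.1.1.1", "2.2.2.2")
    print("ACL 3001 on PC1's packet:  ", acl_3001_permits(inner))   # False
    print("ACL 3001 on GRE packet:    ", acl_3001_permits(outer))   # True
    print("FW2 recovers PC1's packet: ", gre_decap(outer) == inner)  # True
    print(" / ".join(layers(outer)))
```

The inner packet never matches the ACL; the GRE-wrapped one does, and that is what ESP protects. With encapsulation-mode tunnel, ESP then adds a second 1.1.1.1 -> 2.2.2.2 header in front of the GRE packet; transport mode would avoid that extra 20 bytes since GRE already supplies an outer header, which is why GRE over IPsec is often run in transport mode.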

Firewall FW2 configuration

Turn off information-center output
undo info-center enable
 
Configure interface IP addresses
int g1/0/1
ip add 172.16.0.254 24
service-manage ping permit
int g1/0/2
ip add 2.2.2.2 24
service-manage ping permit
 
Add the interfaces to security zones
firewall zone trust 
add int g1/0/1
firewall zone untrust 
add int g1/0/2
 

Create the GRE tunnel interface. As written, the tunnel address 100.1.2.3/24 is not in the same /24 as FW1's 10.1.2.3/24; because the static routes name Tunnel1 as the outbound interface rather than a next-hop address, LAN-to-LAN traffic is still forwarded, but the two tunnel addresses should normally share one subnet (for example both in 10.1.2.0/24) so that the tunnel ends can reach each other directly.
interface Tunnel1
 ip address 100.1.2.3 255.255.255.0
 tunnel-protocol gre
 source 2.2.2.2
 destination 1.1.1.1

Add Tunnel1 to the DMZ zone
firewall zone dmz
 add interface Tunnel1

Route the remote LAN into the tunnel
ip route-static 192.168.10.0 24 Tunnel1

Define the traffic to protect (the mirror of FW1's ACL: GRE packets from 2.2.2.2 to 1.1.1.1)
acl number 3001
rule 5 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
 
Define the IKE proposal
ike proposal 1
 
Configure the IKE peer (the pre-shared key must be identical on both ends)
ike peer to_fw1
ike-proposal 1
undo version 2
pre-share-key liyan520
remote-address 1.1.1.1
 
IPsec proposal (must match FW1's: ESP, tunnel mode, same algorithms)
ipsec proposal a
transform esp
encapsulation-mode tunnel
esp authentication-algorithm sha1
esp encryption-algorithm 3des
 
 
Configure the IPsec policy
ipsec policy p1 1 isakmp
security acl 3001
ike-peer to_fw1
proposal a
 
Apply the IPsec policy to the outside interface
int g1/0/2
ipsec policy p1
 
 
Configure the firewall security policy (same rules as on FW1)
security-policy
 rule name t_to_d
  source-zone dmz
  source-zone trust
  destination-zone dmz
  destination-zone trust
  service icmp
  action permit
 rule name lo_to_u
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service esp
  service gre
  action permit

Configure the security policy as shown in the figure below (note)

[Figure 4: security policy]

Verification

[Figure 5: verification result]
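Most failures in this lab come from the two ends not agreeing on something, and the mistakes are easy to miss when the two configs are typed by hand. The script below is an added example written for this page, not part of the original lab and not Huawei code: it pulls the fields the two firewalls must mirror out of excerpts of the configs above and reports mismatches. Run on the page's own configs it flags the tunnel addresses being in different /24s and the lack of a local/untrust rule for IKE on either firewall; FW2_FIXED applies two assumed corrections (10.1.2.4 as the tunnel address and a UDP 500/4500 service line, syntax as I know it from USG6000, to be verified on your release) to show those checks clearing.

```python
"""Added example for this page (not lab or vendor code): cross-check the two ends.
Config excerpts are copied from the FW1/FW2 sections above; the parser and checks
are mine and only know this lab's commands. FW2_FIXED applies two assumed fixes
(tunnel address 10.1.2.4, a UDP 500/4500 service line) that are not on the page."""
from __future__ import annotations
import ipaddress
import re

FW1 = """
interface Tunnel1
 ip address 10.1.2.3 255.255.255.0
 source 1.1.1.1
 destination 2.2.2.2
rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
pre-share-key liyan520
remote-address 2.2.2.2
esp authentication-algorithm sha1
esp encryption-algorithm 3des
 rule name lo_to_u
  source-zone local
  source-zone untrust
  service esp
  service gre
"""
FW2 = """
interface Tunnel1
 ip address 100.1.2.3 255.255.255.0
 source 2.2.2.2
 destination 1.1.1.1
rule 5 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
pre-share-key liyan520
remote-address 1.1.1.1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
 rule name lo_to_u
  source-zone local
  source-zone untrust
  service esp
  service gre
"""
# Assumed corrections (USG6000 syntax as I know it; verify on your release).
FW2_FIXED = FW2.replace("100.1.2.3", "10.1.2.4").replace(
    "  service gre", "  service gre\n  service protocol udp destination-port 500 4500")
LEGACY_ALGS = {"des", "3des", "md5", "sha1"}


def grab(cfg: str, pattern: str) -> str | None:
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def local_untrust_services(cfg: str) -> set[str]:
    # services permitted by the security-policy rule that spans local and untrust
    for block in re.split(r"^\s*rule name ", cfg, flags=re.M)[1:]:
        if {"local", "untrust"} <= set(re.findall(r"-zone (\S+)", block)):
            return set(re.findall(r"^\s*service (.+)$", block, re.M))
    return set()


def parse(cfg: str) -> dict:
    ip, mask = re.search(r"^\s*ip address (\S+) (\S+)$", cfg, re.M).groups()
    acl_src, acl_dst = re.search(r"permit \S+ source (\S+) \S+ destination (\S+) \S+", cfg).groups()
    return {
        "tunnel": ipaddress.ip_interface(f"{ip}/{mask}"),
        "src": grab(cfg, r"^\s*source (\S+)$"),       # GRE tunnel source
        "dst": grab(cfg, r"^\s*destination (\S+)$"),  # GRE tunnel destination
        "acl": (acl_src, acl_dst),
        "psk": grab(cfg, r"^\s*pre-share-key (\S+)$"),
        "peer": grab(cfg, r"^\s*remote-address (\S+)$"),
        "algs": (grab(cfg, r"esp encryption-algorithm (\S+)"),
                 grab(cfg, r"esp authentication-algorithm (\S+)")),
        "services": local_untrust_services(cfg),
    }


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Return the problems found; an empty list means both ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        issues.append("GRE source/destination are not mirrored")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["algs"] != b["algs"]:
        issues.append("IPsec proposals differ")
    if a["tunnel"].network != b["tunnel"].network:
        issues.append(f"tunnel addresses in different subnets: {a['tunnel']} vs {b['tunnel']}")
    for name, s in (("A", a), ("B", b)):
        if s["peer"] != s["dst"]:
            issues.append(f"{name}: IKE remote-address differs from GRE destination")
        if s["acl"] != (s["src"], s["dst"]):
            issues.append(f"{name}: IPsec ACL does not cover the GRE endpoints")
        if LEGACY_ALGS & set(s["algs"]):
            issues.append(f"{name}: legacy IPsec algorithms {s['algs']}")
        if not any("500" in svc or "ike" in svc.lower() for svc in s["services"]):
            issues.append(f"{name}: no local/untrust rule for IKE (UDP 500, 4500 with NAT-T)")
    return issues


if __name__ == "__main__":
    for label, pair in (("as on the page", (FW1, FW2)), ("with FW2 fixed", (FW1, FW2_FIXED))):
        print(label, *(check_pair(*pair) or ["no issues"]), sep="\n  - ")
```

The legacy-algorithm warning stays on both ends even after the fix, as does the missing IKE rule on FW1, which is the point: the checker compares what was actually typed, so each side has to be corrected on its own.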
