8.13 DSVPN

DSVPN configuration

[Figure 1: 8.13 DSVPN topology. FW1 is the hub (GE1/0/0 100.1.1.1, Tunnel0 10.100.1.1, LAN 172.20.0.0/16); FW2 (101.1.1.1, 10.100.1.2, 172.21.0.0/16) and FW3 (102.1.1.1, 10.100.1.3, 172.22.0.0/16) are the spokes; R1-R3 are the internal routers behind each firewall.]

1) Configure security zones

#FW1
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

#FW2
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

#FW3
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

2) Configure internal routing (OSPF)

#FW1
ospf 1
area 0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0.0.0.0

#FW2
ospf 1
area 0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0.0.0.0

#FW3
ospf 1
area 0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0.0.0.0

#R1
ospf 1
area 0

interface GigabitEthernet0/0/1
 ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/0
 ospf enable 1 area 0.0.0.0

#R2
ospf 1
area 0

interface GigabitEthernet0/0/1
 ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/0
 ospf enable 1 area 0.0.0.0

#R3
ospf 1
area 0

interface GigabitEthernet0/0/1
 ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/0
 ospf enable 1 area 0.0.0.0

3) Configure external routing (default routes)

#FW1
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2

#FW2
ip route-static 0.0.0.0 0.0.0.0 101.1.1.2

#FW3
ip route-static 0.0.0.0 0.0.0.0 102.1.1.2

#R1
ip route-static 0.0.0.0 0.0.0.0 172.20.0.1

#R2
ip route-static 0.0.0.0 0.0.0.0 172.21.0.1

#R3
ip route-static 0.0.0.0 0.0.0.0 172.22.0.1

4) Configure NAT for internet access

(1) Inter-zone security policy (trust to untrust)
#FW1
security-policy
 rule name t_2_un_internet
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action permit

#FW2
security-policy
 rule name t_2_un_internet
  source-zone trust
  destination-zone untrust
  source-address 172.21.0.0 mask 255.255.0.0
  action permit

#FW3
security-policy
 rule name t_2_un_internet
  source-zone trust
  destination-zone untrust
  source-address 172.22.0.0 mask 255.255.0.0
  action permit

(2) NAT policy (source NAT to the outgoing interface address with easy-ip)
#FW1
nat-policy
 rule name internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW2
nat-policy
 rule name internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.21.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW3
nat-policy
 rule name internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.22.0.0 mask 255.255.0.0
  action source-nat easy-ip

5) DSVPN configuration: the tunnel interface

(1) Create the DSVPN mGRE tunnel interface

All three tunnel addresses sit in one subnet (10.100.1.0/24), `tunnel-protocol gre p2mp` makes the interface multipoint, and `source` binds it to the public interface GE1/0/0. Note that `service-manage all permit` opens every management service of the firewall (ping, SSH, HTTP/HTTPS, SNMP, telnet and so on) to anything that reaches it through the tunnel; in production permit only what is actually needed, typically ping for testing.
#FW1
interface Tunnel0
 ip address 10.100.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 service-manage all permit
 source GigabitEthernet 1/0/0

#FW2
interface Tunnel0
 ip address 10.100.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 service-manage all permit
 source GigabitEthernet 1/0/0

#FW3
interface Tunnel0
 ip address 10.100.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 service-manage all permit
 source GigabitEthernet 1/0/0

(2) Assign the mGRE tunnel interface to a security zone

Tunnel0 goes into trust so that traffic between the internal networks across the tunnel is trust-to-trust: it is matched neither by the trust-to-untrust security policy nor by the easy-ip NAT rule above (which would otherwise source-NAT it to the public address). The GRE packets themselves are generated by the firewall (local zone) and leave through GE1/0/0 in untrust.
#FW1
firewall zone trust
 add interface Tunnel0

#FW2
firewall zone trust
 add interface Tunnel0

#FW3
firewall zone trust
 add interface Tunnel0

6) DSVPN configuration: NHRP on the tunnel interface

The `nhrp network-id` must be the same on every member of the DSVPN. The hub learns the spokes dynamically from their registrations; `nhrp entry multicast dynamic` adds each dynamically registered spoke to the hub's multicast member list so that OSPF multicast is replicated to it.

#FW1 (hub)
interface Tunnel0
 nhrp network-id 100
 nhrp entry multicast dynamic

#FW2
interface Tunnel0
 nhrp network-id 100
 nhrp entry 10.100.1.1 100.1.1.1 register


#FW3
interface Tunnel0
 nhrp network-id 100
 nhrp entry 10.100.1.1 100.1.1.1 register
#nhrp entry <hub tunnel address> <hub public NBMA address> register: 10.100.1.1 is FW1's Tunnel0 address, 100.1.1.1 is FW1's GE1/0/0 address

7) DSVPN configuration: OSPF on the tunnel interface

One mGRE interface serves several peers, so the OSPF network type is set to p2mp; it must be the same on all three firewalls.

#FW1
interface Tunnel0
 ospf network-type p2mp
 ospf enable 1 area 0.0.0.0

#FW2
interface Tunnel0
 ospf network-type p2mp
 ospf enable 1 area 0.0.0.0

#FW3
interface Tunnel0
 ospf network-type p2mp
 ospf enable 1 area 0.0.0.0

8) Configure the security policy for DSVPN

The GRE and NHRP packets are sent and received by the firewall itself, so they are local-zone traffic and need a policy between untrust and local. The two rules below permit everything to and from the local zone from every zone. That is convenient in a lab but exposes every service of the firewall to the internet; in production restrict them to source-zone untrust / destination-zone local (and the reverse direction) and to the GRE protocol, plus IKE (UDP 500 and 4500) and ESP once the IPsec profile is applied to the tunnel.

#FW1
security-policy
 rule name dsvpn_internet_in
  destination-zone local
  action permit

 rule name dsvpn_internet_out
  source-zone local
  action permit

#FW2
security-policy
 rule name dsvpn_internet_in
  destination-zone local
  action permit

 rule name dsvpn_internet_out
  source-zone local
  action permit

#FW3
security-policy
 rule name dsvpn_internet_in
  destination-zone local
  action permit

 rule name dsvpn_internet_out
  source-zone local
  action permit

#View the NHRP peers on FW1 (the spokes FW2 and FW3 each see only the hub)
display nhrp peer all 
---------------------------------------------------------------------------------- 
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag         
---------------------------------------------------------------------------------- 
10.100.1.3      32    102.1.1.1       10.100.1.3      registered      up|unique    
---------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0
Created time    : 00:03:58
Expire time     : 01:59:06
HostName        : FW3
HostEsn         : 768A1A54D6D438D298FBFD12FC5AAF67
---------------------------------------------------------------------------------- 
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag         
---------------------------------------------------------------------------------- 
10.100.1.2      32    101.1.1.1       10.100.1.2      registered      up|unique    
---------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0
Created time    : 00:03:38
Expire time     : 01:59:26
HostName        : FW2
HostEsn         : 7BE85FE688B6343592D636FC2D7A8C58
#With OSPF over DSVPN the default behaviour is that OSPF adjacencies form only between the hub and each spoke; spokes do not form adjacencies with each other.
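The registration table above is what a hub operator checks after bringing up the spokes. Below is an added example (not code from the page or from Huawei) that parses the `display nhrp peer all` output shown above and verifies that each spoke the addressing plan expects is registered, up, registered from the public address it should have, and not about to expire. The expected-spoke mapping is taken from the page's addresses; the 600-second expiry threshold and the function names are assumptions made for this example.

```python
"""Parse `display nhrp peer all` from the DSVPN hub and check the spoke registrations.

Added example, not code from the page or from Huawei. SAMPLE_OUTPUT is the FW1 output
shown on the page; EXPECTED_SPOKES comes from the page's addressing plan (spoke Tunnel0
address -> spoke GE1/0/0 address). The expiry threshold and function names are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
display nhrp peer all
----------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
----------------------------------------------------------------------------------
10.100.1.3      32    102.1.1.1       10.100.1.3      registered      up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:03:58
Expire time     : 01:59:06
HostName        : FW3
HostEsn         : 768A1A54D6D438D298FBFD12FC5AAF67
----------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
----------------------------------------------------------------------------------
10.100.1.2      32    101.1.1.1       10.100.1.2      registered      up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time    : 00:03:38
Expire time     : 01:59:26
HostName        : FW2
HostEsn         : 7BE85FE688B6343592D636FC2D7A8C58
"""

# What a healthy hub should show: spoke tunnel address -> the NBMA (public) address
# the spoke registers from. A mismatch means the spoke is now behind NAT or that
# something else registered under that tunnel address.
EXPECTED_SPOKES = {"10.100.1.2": "101.1.1.1", "10.100.1.3": "102.1.1.1"}


@dataclass
class NhrpPeer:
    protocol_addr: str
    mask: int
    nbma_addr: str
    next_hop: str
    peer_type: str
    flags: set
    tunnel: str = ""
    expire_seconds: int = -1
    hostname: str = ""


# One table row: "10.100.1.3  32  102.1.1.1  10.100.1.3  registered  up|unique"
ROW_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)$"
)


def _hms_to_seconds(text):
    """'01:59:06' -> 7146."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_nhrp_peers(output):
    """Return one NhrpPeer per table row, with the key/value lines that follow it attached."""
    peers, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            current = NhrpPeer(row[1], int(row[2]), row[3], row[4], row[5], set(row[6].split("|")))
            peers.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banner, separator and column-header lines carry no colon
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Tunnel interface":
            current.tunnel = value
        elif key == "Expire time":
            current.expire_seconds = _hms_to_seconds(value)
        elif key == "HostName":
            current.hostname = value
    return peers


def check_registrations(peers, expected, min_expire_seconds=600):
    """Return a list of problems; an empty list means every expected spoke is registered and healthy."""
    problems = []
    by_addr = {p.protocol_addr: p for p in peers}
    for tunnel_ip, nbma_ip in expected.items():
        p = by_addr.get(tunnel_ip)
        if p is None:
            problems.append(f"{tunnel_ip}: not registered")
            continue
        if p.peer_type != "registered":
            problems.append(f"{tunnel_ip}: type {p.peer_type}, expected registered")
        if "up" not in p.flags:
            problems.append(f"{tunnel_ip}: not up (flags {sorted(p.flags)})")
        if p.nbma_addr != nbma_ip:
            problems.append(f"{tunnel_ip}: NBMA {p.nbma_addr}, expected {nbma_ip}")
        if 0 <= p.expire_seconds < min_expire_seconds:
            problems.append(f"{tunnel_ip}: expires in {p.expire_seconds}s")
    for addr, p in by_addr.items():
        if addr not in expected:
            problems.append(f"{addr}: unexpected peer (NBMA {p.nbma_addr})")
    return problems


if __name__ == "__main__":
    found = parse_nhrp_peers(SAMPLE_OUTPUT)
    for p in found:
        print(f"{p.hostname:4} {p.protocol_addr:12} via {p.nbma_addr:12} {p.peer_type} "
              f"{'|'.join(sorted(p.flags))} expires in {p.expire_seconds}s")
    print(check_registrations(found, EXPECTED_SPOKES) or "all expected spokes registered")
```

The same parser can be fed the output of a periodic `display nhrp peer all` collection. A spoke whose NBMA address differs from the plan is worth a look: either it is now behind NAT, or something else registered under its tunnel address, which nothing on this page prevents until the IPsec profile is applied to the tunnel.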

9) DSVPN traffic optimisation (NHRP redirect and shortcut)

Without this step every spoke-to-spoke packet is hairpinned through the hub, because the OSPF next hop on a spoke is always the hub. With `nhrp redirect` on the hub and `nhrp shortcut` on the spokes, the first packets still go through the hub; the hub then sends an NHRP redirect to the source spoke, the spoke resolves the public address of the destination spoke through NHRP, and later packets go directly spoke to spoke. Traffic that takes the shortcut no longer passes the hub, so any inspection or logging that is done only on FW1 stops seeing it.

#FW1
interface Tunnel0
 nhrp redirect

#FW2
interface Tunnel0
 nhrp shortcut

#FW3
interface Tunnel0
 nhrp shortcut
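To make the redirect and shortcut interplay concrete, here is an added example (not code from the page or from Huawei) that simulates the exchange with the page's addresses: the first packet from FW2's LAN to FW3's LAN takes the hub path (100.1.1.1, then 102.1.1.1), the hub's `nhrp redirect` triggers a traffic indication, FW2's `nhrp shortcut` answers it with a resolution request that is forwarded to FW3, and the second packet goes straight to 102.1.1.1. The Node and Dsvpn classes, the event strings and the assumption that OSPF p2mp installs the hub as next hop on every spoke are this example's own simplifications of the NHRP (RFC 2332) semantics.

```python
"""Model of the DSVPN shortcut exchange enabled by `nhrp redirect` (hub) and `nhrp shortcut` (spokes).

Added example, not code from the page or from Huawei: a simplified simulation of the NHRP
traffic-indication / resolution flow that DSVPN shortcut mode is built on. The addresses
and prefixes are the page's; the classes, event strings and the assumption that OSPF p2mp
installs the hub as next hop on every spoke are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    tunnel_ip: str       # Tunnel0 address (NHRP protocol address)
    nbma_ip: str         # GE1/0/0 address (NHRP NBMA address, the real GRE endpoint)
    lan: str             # prefix behind this firewall
    is_hub: bool = False
    redirect: bool = False   # `nhrp redirect` configured
    shortcut: bool = False   # `nhrp shortcut` configured
    nhrp_cache: dict = field(default_factory=dict)   # tunnel_ip -> nbma_ip
    shortcuts: dict = field(default_factory=dict)    # lan prefix -> tunnel_ip learned by resolution
    routes: dict = field(default_factory=dict)       # lan prefix -> next-hop tunnel_ip (from OSPF)
    events: list = field(default_factory=list)


class Dsvpn:
    def __init__(self, hub, spokes):
        self.hub, self.spokes = hub, spokes
        self.by_tunnel = {n.tunnel_ip: n for n in (hub, *spokes)}
        self.by_lan = {n.lan: n for n in (hub, *spokes)}
        for s in spokes:
            # `nhrp entry <hub-tunnel> <hub-nbma> register` on the spoke is a static entry ...
            s.nhrp_cache[hub.tunnel_ip] = hub.nbma_ip
            # ... and produces a dynamic registration entry on the hub
            hub.nhrp_cache[s.tunnel_ip] = s.nbma_ip
            hub.events.append(f"registration {s.tunnel_ip} -> {s.nbma_ip}")
            hub.routes[s.lan] = s.tunnel_ip
            s.routes[hub.lan] = hub.tunnel_ip
            for other in spokes:
                if other is not s:
                    s.routes[other.lan] = hub.tunnel_ip  # OSPF p2mp: the hub is the next hop

    def send(self, src, dst_lan):
        """Forward one packet from src's LAN to dst_lan; return the NBMA addresses it was sent to."""
        path, node = [], src
        while node.lan != dst_lan:
            next_hop = node.shortcuts.get(dst_lan) or node.routes[dst_lan]
            nbma = node.nhrp_cache[next_hop]   # no cache entry -> the GRE packet cannot be built
            path.append(nbma)
            # A packet that entered the hub on Tunnel0 and leaves on Tunnel0 again is the
            # trigger for `nhrp redirect`: the hub still forwards it but notifies the source spoke.
            if node.is_hub and node.redirect and node is not src:
                self._traffic_indication(src, dst_lan)
            node = self.by_tunnel[next_hop]
        return path

    def _traffic_indication(self, spoke, dst_lan):
        spoke.events.append(f"traffic indication from hub for {dst_lan}")
        if not spoke.shortcut:
            return  # without `nhrp shortcut` the spoke ignores it and keeps using the hub
        owner = self.by_lan[dst_lan]
        # The Resolution Request travels via the hub to the spoke that owns dst_lan ...
        self.hub.events.append(f"forward resolution request {spoke.tunnel_ip} -> {owner.tunnel_ip}")
        # ... which learns the requester's NBMA from it and answers the requester directly
        owner.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip
        spoke.nhrp_cache[owner.tunnel_ip] = owner.nbma_ip
        spoke.shortcuts[dst_lan] = owner.tunnel_ip
        spoke.events.append(f"resolution reply: {dst_lan} via {owner.tunnel_ip} at {owner.nbma_ip}")


def build_page_topology():
    """FW1 hub with redirect, FW2/FW3 spokes with shortcut, as configured on the page."""
    fw1 = Node("FW1", "10.100.1.1", "100.1.1.1", "172.20.0.0/16", is_hub=True, redirect=True)
    fw2 = Node("FW2", "10.100.1.2", "101.1.1.1", "172.21.0.0/16", shortcut=True)
    fw3 = Node("FW3", "10.100.1.3", "102.1.1.1", "172.22.0.0/16", shortcut=True)
    return Dsvpn(fw1, [fw2, fw3]), fw1, fw2, fw3


if __name__ == "__main__":
    net, fw1, fw2, fw3 = build_page_topology()
    print("first FW2->FW3 packet:", net.send(fw2, fw3.lan))   # via the hub, triggers the redirect
    print("second FW2->FW3 packet:", net.send(fw2, fw3.lan))  # direct spoke-to-spoke
    for n in (fw1, fw2, fw3):
        print(n.name, n.events)
```

Setting `shortcut=False` on a spoke reproduces the behaviour before this step: the traffic indication still arrives, but the spoke keeps hairpinning through the hub, which is what `display nhrp peer all` on the spoke confirms when it shows only the hub.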

10) DSVPN tunnel protection (IPsec)

Plain mGRE carries the branch traffic and the NHRP registrations across the internet with no confidentiality or integrity. The IPsec profile below protects every tunnel the interface builds, including the spoke-to-spoke shortcuts, so it must be identical on all three firewalls. Two things in this lab configuration should not be carried into production: `undo version 2` limits the peer to IKEv1 (prefer IKEv2 where all three devices support it), and the pre-shared key `Admin@1234` is a placeholder that should be replaced by a long random key. Because the NHRP registrations are themselves carried inside the protected GRE tunnel, a spoke that is missing from `display nhrp peer all` after this step usually means the IKE negotiation failed (mismatched proposal or key) rather than an NHRP problem.

#FW1 / FW2 / FW3 (identical on all three)
#IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#IKE peer
ike peer 1
 undo version 2
 pre-shared-key Admin@1234
 ike-proposal 1

#IPsec proposal
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#IPsec profile
ipsec profile dsvpn
 ike-peer 1
 proposal 1

#Apply the IPsec profile on the tunnel interface
interface Tunnel0
 ipsec profile dsvpn