DSVPN Configuration
![Figure 1: 8.13 DSVPN lab topology](https://www.dsrw.com/wp-content/uploads/2023/09/图片60-1024x693.png)
1) Configure security zones
#FW1
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
#FW2
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
#FW3
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2) Configure routing on the internal network
#FW1
ospf 1
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0.0.0.0
#FW2
ospf 1
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0.0.0.0
#FW3
ospf 1
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0.0.0.0
#R1
ospf 1
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/0
ospf enable 1 area 0.0.0.0
#R2
ospf 1
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/0
ospf enable 1 area 0.0.0.0
#R3
ospf 1
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/0
ospf enable 1 area 0.0.0.0
3) Configure routing towards the external network
#FW1
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
#FW2
ip route-static 0.0.0.0 0.0.0.0 101.1.1.2
#FW3
ip route-static 0.0.0.0 0.0.0.0 102.1.1.2
#R1
ip route-static 0.0.0.0 0.0.0.0 172.20.0.1
#R2
ip route-static 0.0.0.0 0.0.0.0 172.21.0.1
#R3
ip route-static 0.0.0.0 0.0.0.0 172.22.0.1
4) Configure NAT
(1) Inter-zone security policy
#FW1
security-policy
rule name t_2_un_internet
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action permit
#FW2
security-policy
rule name t_2_un_internet
source-zone trust
destination-zone untrust
source-address 172.21.0.0 mask 255.255.0.0
action permit
#FW3
security-policy
rule name t_2_un_internet
source-zone trust
destination-zone untrust
source-address 172.22.0.0 mask 255.255.0.0
action permit
(2) NAT policy
#FW1
nat-policy
rule name internet_access
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action source-nat easy-ip
#FW2
nat-policy
rule name internet_access
source-zone trust
destination-zone untrust
source-address 172.21.0.0 mask 255.255.0.0
action source-nat easy-ip
#FW3
nat-policy
rule name internet_access
source-zone trust
destination-zone untrust
source-address 172.22.0.0 mask 255.255.0.0
action source-nat easy-ip
5) DSVPN configuration: tunnel interface
(1) Create the DSVPN mGRE tunnel interface
#FW1
interface Tunnel0
ip address 10.100.1.1 255.255.255.0
tunnel-protocol gre p2mp
service-manage all permit
source GigabitEthernet 1/0/0
#FW2
interface Tunnel0
ip address 10.100.1.2 255.255.255.0
tunnel-protocol gre p2mp
service-manage all permit
source GigabitEthernet 1/0/0
#FW3
interface Tunnel0
ip address 10.100.1.3 255.255.255.0
tunnel-protocol gre p2mp
service-manage all permit
source GigabitEthernet 1/0/0
(2) Assign the DSVPN mGRE tunnel interface to a security zone
#FW1
firewall zone trust
add interface Tunnel0
#FW2
firewall zone trust
add interface Tunnel0
#FW3
firewall zone trust
add interface Tunnel0
6) DSVPN configuration: NHRP on the tunnel interface
#FW1 (hub, HQ)
interface Tunnel0
nhrp network-id 100
nhrp entry multicast dynamic
#FW2
interface Tunnel0
nhrp network-id 100
nhrp entry 10.100.1.1 100.1.1.1 register
#FW3
interface Tunnel0
nhrp network-id 100
nhrp entry 10.100.1.1 100.1.1.1 register
# The spoke entry names the hub's tunnel address (10.100.1.1) and the hub's public address (100.1.1.1)
7) DSVPN configuration: OSPF on the tunnel interface
#FW1
interface Tunnel0
ospf network-type p2mp
ospf enable 1 area 0.0.0.0
#FW2
interface Tunnel0
ospf network-type p2mp
ospf enable 1 area 0.0.0.0
#FW3
interface Tunnel0
ospf network-type p2mp
ospf enable 1 area 0.0.0.0
8) Configure the DSVPN security policy
#FW1
security-policy
rule name dsvpn_internet_in
destination-zone local
action permit
rule name dsvpn_internet_out
source-zone local
action permit
#FW2
security-policy
rule name dsvpn_internet_in
destination-zone local
action permit
rule name dsvpn_internet_out
source-zone local
action permit
#FW3
security-policy
rule name dsvpn_internet_in
destination-zone local
action permit
rule name dsvpn_internet_out
source-zone local
action permit
#View the NHRP peers on FW1 (the spokes FW2/FW3 only see the hub)
display nhrp peer all
----------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
----------------------------------------------------------------------------------
10.100.1.3 32 102.1.1.1 10.100.1.3 registered up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time : 00:03:58
Expire time : 01:59:06
HostName : FW3
HostEsn : 768A1A54D6D438D298FBFD12FC5AAF67
----------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
----------------------------------------------------------------------------------
10.100.1.2 32 101.1.1.1 10.100.1.2 registered up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time : 00:03:38
Expire time : 01:59:26
HostName : FW2
HostEsn : 7BE85FE688B6343592D636FC2D7A8C58
# By default DSVPN runs OSPF over the tunnels: OSPF adjacencies form between the hub and each spoke, but not between spokes.
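An added Python check (example code, not part of the original lab) that parses the `display nhrp peer all` output shown above and verifies that each expected spoke is registered with the hub from its known public (NBMA) address and is up; the sample output and the expected-spoke table are constructed from this lab's addresses.

```python
import re

# Constructed sample: "display nhrp peer all" on the hub FW1, abbreviated from the lab output above.
NHRP_OUTPUT = """\
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
----------------------------------------------------------------------------------
10.100.1.3 32 102.1.1.1 10.100.1.3 registered up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
HostName : FW3
----------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
----------------------------------------------------------------------------------
10.100.1.2 32 101.1.1.1 10.100.1.2 registered up|unique
----------------------------------------------------------------------------------
Tunnel interface: Tunnel0
HostName : FW2
"""

# One peer row: protocol (tunnel) address, mask, NBMA (public) address, next hop, type, '|'-joined flags.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_nhrp_peers(text):
    """Return one dict per peer row, with the HostName line that follows it attached."""
    peers = []
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            peers.append({"protocol": m[1], "mask": int(m[2]), "nbma": m[3], "nexthop": m[4],
                          "type": m[5], "flags": set(m[6].split("|")), "host": ""})
        elif line.startswith("HostName") and peers:
            peers[-1]["host"] = line.split(":", 1)[1].strip()
    return peers

def check_spokes(peers, expected):
    """expected maps spoke tunnel IP -> spoke public (NBMA) IP; returns a list of problems, [] if all good."""
    by_tunnel_ip = {p["protocol"]: p for p in peers}
    problems = []
    for tun_ip, nbma in expected.items():
        p = by_tunnel_ip.get(tun_ip)
        if p is None:
            problems.append(f"{tun_ip}: not registered with hub")
        elif p["nbma"] != nbma:
            problems.append(f"{tun_ip}: registered from {p['nbma']}, expected {nbma}")
        elif p["type"] != "registered" or "up" not in p["flags"]:
            problems.append(f"{tun_ip}: {p['type']} {'|'.join(sorted(p['flags']))}")
    # A registration from a tunnel address that is not a known spoke deserves a look too.
    problems += [f"{ip}: unexpected peer from {p['nbma']}" for ip, p in by_tunnel_ip.items() if ip not in expected]
    return problems
```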
9) DSVPN traffic optimisation (NHRP redirect and shortcut)
#FW1
interface Tunnel 0
nhrp redirect
#FW2
interface Tunnel 0
nhrp shortcut
#FW3
interface Tunnel 0
nhrp shortcut
10) DSVPN tunnel protection (IPsec)
#FW1 / FW2 / FW3 (identical on all three)
#IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer
ike peer 1
undo version 2
pre-shared-key Admin@1234
ike-proposal 1
#IPsec proposal
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#IPsec profile
ipsec profile dsvpn
ike-peer 1
proposal 1
#Apply the IPsec profile on the tunnel interface
interface Tunnel0
ipsec profile dsvpn
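An added Python audit (example code, not from the lab) that reads the tunnel-protection snippet above in the indented form VRP displays it, flags weak IKE/IPsec algorithms, reports that `undo version 2` leaves the peer negotiating IKEv1 only, and confirms every Tunnel interface binds an IPsec profile that is actually defined; the weak-algorithm list is this example's own assumption.

```python
# Constructed sample: the tunnel-protection snippet from this lab, indented as VRP shows it.
DSVPN_IPSEC_CFG = """\
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer 1
 undo version 2
 pre-shared-key Admin@1234
 ike-proposal 1
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec profile dsvpn
 ike-peer 1
 proposal 1
interface Tunnel0
 ipsec profile dsvpn
"""

WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # rejected in new proposals (this example's policy)

def parse_sections(text):
    # Group indented sub-commands under the view-entering command above them.
    sections, current = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        else:
            sections[current].append(raw.strip())
    return sections

def audit_dsvpn_protection(text):
    """Return a list of findings; an empty list means the tunnel protection passes."""
    sections, findings = parse_sections(text), []
    for name, lines in sections.items():
        if name.startswith(("ike proposal", "ipsec proposal")):
            findings += [f"{name}: weak '{l}'" for l in lines if l.split()[-1] in WEAK]
        elif name.startswith("ike peer") and "undo version 2" in lines:
            findings.append(f"{name}: IKEv2 disabled, peer negotiates IKEv1 only")
        elif name.startswith("interface Tunnel"):
            prof = [l.split()[-1] for l in lines if l.startswith("ipsec profile")]
            if not prof:
                findings.append(f"{name}: no ipsec profile bound, GRE carried in cleartext")
            elif f"ipsec profile {prof[0]}" not in sections:
                findings.append(f"{name}: ipsec profile '{prof[0]}' is not defined")
    return findings
```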