8.10 防火墙IPSEC-NAT

1.防火墙IPSEC-NAT配置

1)防火墙区域配置
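#FW1 config
# GigabitEthernet1/0/1 is the inside (trust) interface; GigabitEthernet1/0/0 is
# the outside (untrust) interface that the IPsec policy is bound to later.
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
# presumably the platform default for untrust; harmless, but make sure FW2 ends up with the same value
 set priority 5
 add interface GigabitEthernet1/0/0

#FW2 config
# Same interface roles as FW1 (member line indentation normalised to match).
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0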

2)配置内网-外网路由
#FW1
# Default route to the ISP next hop 12.1.1.2; the LAN 172.16.1.0/24 is reached via R4.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 172.16.1.0 24 172.16.14.4

#FW2
# Mirror image: default route to 33.1.1.1, LAN 172.17.1.0/24 via R5.
ip route-static 0.0.0.0 0.0.0.0 33.1.1.1
ip route-static 172.17.1.0 24 172.17.35.5

#R4
# The LAN routers only need a default route towards their own firewall.
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1

#R5
ip route-static 0.0.0.0 0.0.0.0 172.17.35.3

3)配置安全策略
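#FW1
#IKE negotiation traffic policy
# IKE runs between the firewall itself (zone local) and the peer's public
# address, so both directions need an explicit local<->untrust rule.
# Only the two peer addresses (/32) are matched; no service clause is given,
# so any protocol between them appears to be permitted. NOTE(review): if the
# platform accepts a service clause on the rule, narrowing it to UDP 500/4500
# would tighten this -- confirm the syntax before adding it.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 12.1.1.12 32
  destination-address 33.1.1.33 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 33.1.1.33 32
  destination-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# Cleartext traffic between the two LANs (/16 each side, matching ACL 3001)
# must be permitted trust<->untrust; the tunnel only carries what the
# security policy already lets through.
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.17.0.0 16
  destination-address 172.16.0.0 16
  action permit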

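#FW2
#IKE negotiation traffic policy
# Mirror of FW1: the firewall's own address is 33.1.1.33, the peer is 12.1.1.12.
# No service clause, so any protocol between the two addresses appears to be
# permitted. NOTE(review): restricting to UDP 500/4500 would tighten this if
# the platform supports a service clause -- confirm syntax first.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 33.1.1.33 32
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  destination-address 33.1.1.33 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext must be permitted in both directions (matches ACL 3001).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  action permit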

4)配置感兴趣流
#FW1
# Interesting traffic (what gets encrypted): FW1 LAN /16 -> FW2 LAN /16.
# The wildcard 0.0.255.255 is the inverse of a /16 mask. The peer's ACL must be
# the exact mirror of this one, as it is below.
acl number 3001
 rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255

#FW2
acl number 3001
 rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

5)配置IKE proposal
#FW1
# IKE SA parameters; both ends must offer matching values (identical here).
# AES-256 / SHA2-256 / DH group 14 (2048-bit MODP) with pre-shared-key auth.
# NOTE(review): integrity-algorithm and prf look like IKEv2 parameters, while
# IKEv2 is disabled on the peer objects (undo version 2); they should be
# harmless, with authentication-algorithm governing the IKEv1 SA -- confirm
# on the platform.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2
# Identical proposal on the other end.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

6)配置IKE Peer
#FW1
# Peer object for FW2. NOTE: it is named "fw3" but remote-address is
# 33.1.1.33, which is FW2's public address (see FW2's IKE rules and default
# route above) -- the name is misleading, not wrong.
ike peer fw3
#IKEv1 only: disable IKEv2
undo version 2
# Main mode; the PSK must be identical on both peers.
exchange-mode main 
# Lab value; the same key string is reused on every device on this page.
pre-shared-key Admin@1234
ike-proposal 5
remote-address 33.1.1.33

#FW2
# Peer object for FW1 (12.1.1.12), same settings.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

7)配置IPSEC proposal
#FW1
# IPsec SA transform: AH + ESP, both authenticated with SHA2-256, ESP AES-256.
# AH authenticates the outer IP header, so it cannot survive address
# translation; it works in this design only because the firewall's own NAT
# policy exempts the tunnel traffic (no-nat rule below). A peer behind a
# third-party NAT would need an ESP-only transform (transform esp) with NAT
# traversal. ESP already carries its own integrity check here, so AH adds
# overhead rather than protection -- kept as the author wrote it.
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW2
# Must match FW1's transform exactly.
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

8)配置IPSEC 策略
#FW1
# ISAKMP (IKE-negotiated) policy entry 10: ties the interesting-traffic ACL,
# the peer object and the transform together.
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw3
 proposal pps01

#FW2
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

9)接口调用IPSEC 策略
#FW1
# Binding the policy to the outside (untrust) interface activates it.
interface GigabitEthernet1/0/0
 ipsec policy pl01

#FW2
interface GigabitEthernet1/0/0
 ipsec policy pl01

10)配置前往internet安全策略
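# Applies to FW1 (the source 172.16.0.0/16 is FW1's LAN); the matching step
# for FW2 is not shown on this page. General Internet access trust->untrust
# with no destination restriction. Terminal padding removed from the lines.
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action permit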

11)配置NAT策略
# FW1 NAT policy (source 172.16.0.0/16). Rules are matched in order, so the
# no-nat exception for tunnel traffic has to sit above the easy-ip rule;
# otherwise LAN-to-LAN packets would be translated before IPsec sees them and
# would no longer match ACL 3001. The rule move below enforces that order.
 nat-policy
 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action source-nat easy-ip

 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  destination-address 172.17.0.0 mask 255.255.0.0
  action no-nat

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

2.防火墙IPSEC无固定IP场景

图片[1]-8.10 防火墙IPSEC-NAT-大赛人网
1)安全区域配置
# Zone membership for the new branch firewall (presumably FW3, whose routes
# follow below); same interface roles as FW1/FW2.
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

2)配置路由
#R6
# Branch LAN router: default route towards FW3.
ip route-static 0.0.0.0 0.0.0.0 172.18.36.3

#FW3
# LAN 172.18.1.0/24 via R6; default route to the ISP next hop 103.1.1.1.
ip route-static 172.18.1.0 24 172.18.36.6
ip route-static 0.0.0.0 0.0.0.0 103.1.1.1

3)配置模板ipsec 
(1)FW1(固定IP)
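#IKE negotiation traffic policy
# Branch addresses are unknown in advance, so only FW1's own address 12.1.1.12
# is pinned; any untrust source may reach the firewall itself on any protocol.
# NOTE(review): if the platform accepts a service clause on the rule, limiting
# ike_u_2_l to UDP 500/4500 would narrow this -- confirm the syntax first.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  destination-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# One rule per direction; the repeated address lines add both branch LANs
# (172.17/16 for FW2, 172.18/16 for FW3) to the same rule.
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  destination-address 172.18.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.17.0.0 16
  source-address 172.18.0.0 16
  destination-address 172.16.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action permit

#NAT policy
# The no-nat exception must be evaluated before easy-ip (rule move below);
# it lists every branch LAN so tunnel traffic keeps its private source.
nat-policy
 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action source-nat easy-ip

 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  destination-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.18.0.0 mask 255.255.0.0
  action no-nat

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW1 interesting traffic
# One ACL rule per branch; each branch's own ACL 3001 mirrors its rule here.
acl number 3001
 rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
 rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255

#FW1 IKE proposal
# AES-256 / SHA2-256 / DH group 14, pre-shared-key authentication.
# NOTE(review): integrity-algorithm and prf look like IKEv2 parameters while
# IKEv2 is disabled below; harmless, but confirm on the platform.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW1 IKE peer
# No remote-address: FW1 only responds, and accepts any initiator that knows
# this PSK. Every branch therefore shares one key, so a key recovered from any
# branch device authenticates to FW1 as any branch.
ike peer branch
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5

#FW1 IPsec proposal
# AH+ESP; AH cannot traverse a NAT device, so this only works while the branch
# public addresses are not translated on the path (transform esp is the
# NAT-tolerant alternative).
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW1 IPsec policy template
# Template entry used for peers whose address is not known in advance.
ipsec policy-template branch_tem 10
 security acl 3001
 ike-peer branch
 proposal pps01

#Instantiate a policy entry from the template
ipsec policy pl02 5 isakmp template branch_tem

#FW1: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl02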

(2)FW2(不固定IP)
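#FW2 IKE negotiation traffic policy
# FW2's own public address is dynamic, so only the hub address 12.1.1.12 is
# pinned in both directions.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext, both directions (matches ACL 3001 below).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  action permit

#NAT policy
# The exception rule is already listed first; the rule move below pins that
# order regardless of how the rules were entered.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW2 interesting traffic
# Mirror of FW1's rule 10.
acl number 3001
 rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW2 IKE proposal
# Must match the hub's proposal 5.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2 IKE peer
# The branch initiates towards the hub's fixed address; the PSK has to match
# the hub's single "branch" peer, so every branch carries the same key.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW2 IPsec proposal
# Must match the hub's transform (AH+ESP, see the NAT caveat on the hub side).
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW2 IPsec policy
# Ordinary ISAKMP entry: the branch knows the hub address, so no template needed.
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW2: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl01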

(3)FW3(不固定IP)
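#FW3 IKE negotiation traffic policy
# Same pattern as FW2: FW3's public address is dynamic, only the hub's
# 12.1.1.12 is pinned.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext, both directions (matches ACL 3001 below).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.18.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  action permit

#NAT policy
# no-nat exception first, then easy-ip; the rule move below pins the order.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW3 interesting traffic
# Mirror of FW1's rule 20.
acl number 3001
 rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW3 IKE proposal
# Must match the hub's proposal 5.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW3 IKE peer
# Initiates towards the hub; same shared PSK as every other branch.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW3 IPsec proposal
# Must match the hub's transform (AH+ESP; AH does not traverse NAT devices).
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW3 IPsec policy
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW3: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl01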

3.分支使用防火墙拨号

图片[2]-8.10 防火墙IPSEC-NAT-大赛人网
1)FW4配置安全区域
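# FW4 zone membership: GigabitEthernet1/0/1 inside, GigabitEthernet1/0/0 is the
# physical PPPoE uplink (the Dialer interface is added to untrust separately
# in step 4 below). Member line indentation normalised.
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0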

2)配置路由
#R7
# Branch LAN router: default route towards FW4.
ip route-static 0.0.0.0 0.0.0.0 172.19.47.4

#FW4
# LAN 172.19.1.0/24 via R7; FW4's default route is set later, via Dialer 1,
# once the PPPoE session exists.
ip route-static 172.19.1.0 24 172.19.47.7

3)R2拨号配置,创建拨号服务器
#R2: address pool handed out to PPPoE clients
ip pool hz
 network 104.1.1.0 mask 255.255.255.0

#R2: PPPoE user (CHAP credentials)
# Lab credential; note it is the same string as the IPsec PSK used elsewhere on this page.
aaa
local-user abc123 password cipher Admin@1234
local-user abc123 service-type ppp

#R2: virtual template for the PPP sessions
# CHAP authentication, client addresses from pool hz, server side 104.1.1.1.
interface Virtual-Template1
 ppp authentication-mode chap 
 remote address pool hz
 ip address 104.1.1.1 255.255.255.0 

#R2: enable the PPPoE server on the physical interface facing FW4
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1

4)FW4拨号配置
#Create the dialer interface
# CHAP user/password must match R2's local-user; the address is negotiated
# over PPP, so FW4 has no fixed public IP.
interface Dialer1
 link-protocol ppp
 ppp chap user abc123
 ppp chap password cipher Admin@1234
 ip address ppp-negotiate
 dialer user abc123
 dialer bundle 1
 dialer-group 1

#PPPoE dial rule: presumably any IP traffic in dialer-group 1 may bring the session up
dialer-rule 1 ip permit 

#Attach dial bundle 1 to the physical uplink
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1

#Check interface state (sample output: Dialer1 was assigned 104.1.1.254, inside pool hz)
display ip interface brief 
Interface                         IP Address/Mask      Physical   Protocol  
Dialer1                           104.1.1.254/32       up         up(s)    

#Add the dialer interface to the untrust zone
# The IKE/IPsec security policies are written against the untrust zone, so the
# dialer must be a member or that traffic would not be matched by them.
firewall zone untrust
 add interface Dialer 1

4.防火墙拨号网络进行IPSEC连接
1)FW1配置(固定IP)
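#IKE negotiation traffic policy
# Hub side: only FW1's own 12.1.1.12 is pinned, any untrust source may reach
# the firewall itself on any protocol so that dynamic-address branches can
# initiate. NOTE(review): a service clause restricting ike_u_2_l to UDP
# 500/4500 would narrow this if the platform supports one -- confirm syntax.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  destination-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# Three branch LANs now: 172.17/16 (FW2), 172.18/16 (FW3), 172.19/16 (FW4).
# Repeated address lines accumulate into the same rule.
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  destination-address 172.18.0.0 16
  destination-address 172.19.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.17.0.0 16
  source-address 172.18.0.0 16
  source-address 172.19.0.0 16
  destination-address 172.16.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action permit

#NAT policy
# The no-nat exception lists every branch LAN and must precede easy-ip
# (rule move below), otherwise tunnel traffic would be translated first and
# stop matching ACL 3001.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  destination-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.18.0.0 mask 255.255.0.0
  destination-address 172.19.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#Interesting traffic
# One rule per branch; each branch's ACL 3001 mirrors its own rule here.
acl number 3001
 rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
 rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255
 rule 30 permit ip source 172.16.0.0 0.0.255.255 destination 172.19.0.0 0.0.255.255

#FW1 IKE proposal
# AES-256 / SHA2-256 / DH group 14, pre-shared-key authentication.
# NOTE(review): integrity-algorithm and prf look like IKEv2 parameters while
# IKEv2 is disabled below; harmless, but confirm on the platform.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW1 IKE peer
# No remote-address: FW1 responds to any initiator presenting this PSK, so all
# branches (including the PPPoE-connected FW4) share one key; a key recovered
# from any branch authenticates to FW1 as any branch.
ike peer branch
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5

#FW1 IPsec proposal
# AH+ESP; AH cannot traverse a NAT device. FW4 gets a public address directly
# from the PPPoE pool, so no translation sits on the path here, but a branch
# behind a NAT would need transform esp with NAT traversal.
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW1 IPsec policy template
ipsec policy-template branch_tem 10
 security acl 3001
 ike-peer branch
 proposal pps01

#Instantiate a policy entry from the template
ipsec policy pl02 5 isakmp template branch_tem

#FW1: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl02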

2)FW2(不固定IP)
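#FW2 IKE negotiation traffic policy
# FW2's public address is dynamic; only the hub's 12.1.1.12 is pinned.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext, both directions (matches ACL 3001 below).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  action permit

#NAT policy
# no-nat exception first, easy-ip second; rule move below pins the order.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW2 interesting traffic
# Mirror of the hub's rule 10.
acl number 3001
 rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW2 IKE proposal
# Must match the hub's proposal 5.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2 IKE peer
# Initiates towards the hub; the PSK is the single key shared by all branches.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW2 IPsec proposal
# Must match the hub's transform (AH+ESP).
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW2 IPsec policy
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW2: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl01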

3)FW3(不固定IP)
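#FW3 IKE negotiation traffic policy
# FW3's public address is dynamic; only the hub's 12.1.1.12 is pinned.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext, both directions (matches ACL 3001 below).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.18.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  action permit

#NAT policy
# no-nat exception first, easy-ip second; rule move below pins the order.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW3 interesting traffic
# Mirror of the hub's rule 20.
acl number 3001
 rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW3 IKE proposal
# Must match the hub's proposal 5.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW3 IKE peer
# Initiates towards the hub; the PSK is the single key shared by all branches.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW3 IPsec proposal
# Must match the hub's transform (AH+ESP).
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW3 IPsec policy
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW3: bind the IPsec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy pl01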

4)FW4配置(拨号)
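#FW4 IKE negotiation traffic policy
# FW4's address comes from PPPoE, so only the hub's 12.1.1.12 is pinned.
# These rules work against the untrust zone, which is why Dialer 1 was added
# to that zone in step 3.
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#IPsec protected traffic policy
# LAN-to-LAN cleartext, both directions (matches ACL 3001 below).
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.19.0.0 16
  action permit

#Internet access security policy
security-policy
 rule name t_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 mask 255.255.0.0
  action permit

#NAT policy
# easy-ip will use the negotiated dialer address; the no-nat exception keeps
# tunnel traffic untranslated and the rule move below pins its position.
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 mask 255.255.0.0
  action source-nat easy-ip

#Put the IPsec exception ahead of the NAT rule
rule move ipsec_flow_no_nat before access_2_internet

#FW4 interesting traffic
# Mirror of the hub's rule 30.
acl number 3001
 rule 10 permit ip source 172.19.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW4 IKE proposal
# Must match the hub's proposal 5.
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW4 IKE peer
# Initiates towards the hub; the PSK is the single key shared by all branches
# and is also the string used as the PPPoE CHAP password on this page.
ike peer fw1
#IKEv1 only: disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW4 IPsec proposal
# Must match the hub's transform. AH+ESP works here only because the dialer
# receives a public address directly (no NAT on the path); a NATed uplink
# would require transform esp.
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW4 IPsec policy
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW4: bind the IPsec policy to the dialer interface (the public-facing one)
interface Dialer1
 ipsec policy pl01

#Default route via the dialer interface
# Needed both for Internet traffic and for reaching the hub at 12.1.1.12.
ip route-static 0.0.0.0 0.0.0.0 Dialer 1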