1. Firewall zone configuration
![Figure 1 - 8.9 Firewall IPSEC-VPN - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片1-1.png)
# FW1 configuration
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
# FW2 configuration
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2. Configure intranet and internet routes
#FW1
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 172.16.1.0 24 172.16.14.4
#FW2
ip route-static 0.0.0.0 0.0.0.0 33.1.1.1
ip route-static 172.17.1.0 24 172.17.35.5
#R4
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1
#R5
ip route-static 0.0.0.0 0.0.0.0 172.17.35.3
3. Configure security policies
#FW1
# Policy for IKE negotiation traffic
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 12.1.1.12 32
destination-address 33.1.1.33 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 33.1.1.33 32
destination-address 12.1.1.12 32
action permit
# Policy for IPsec-protected traffic
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
#FW2
# Policy for IKE negotiation traffic
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 33.1.1.33 32
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
destination-address 33.1.1.33 32
action permit
# Policy for IPsec-protected traffic
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
4. Configure the interesting traffic (ACL)
#FW1
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
#FW2
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
5. Configure the IKE proposal
#FW1
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
6. Configure the IKE peer
#FW1
ike peer fw3
# Disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 33.1.1.33
#FW2
ike peer fw1
# Disable IKEv2
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
7. Configure the IPsec proposal
#FW1
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW2
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
8. Configure the IPsec policy
#FW1
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw3
proposal pps01
#FW2
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
9. Apply the IPsec policy on the interface
#FW1
interface GigabitEthernet1/0/0
ipsec policy pl01
#FW2
interface GigabitEthernet1/0/0
ipsec policy pl01
![Figure 2 - 8.9 Firewall IPSEC-VPN - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片2-1-1024x301.png)
# View the IKE SA
display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
2 33.1.1.33:500 RD|ST|A v1:2 IP 33.1.1.33
1 33.1.1.33:500 RD|ST|A v1:1 IP 33.1.1.33
Number of IKE SA : 2
# View the IPsec SA
display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
-----------------------------
IPSec policy name: "pl01"
Sequence number : 10
Acl group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Holding time : 0d 0h 6m 54s
Tunnel local : 12.1.1.12:500
Tunnel remote : 33.1.1.33:500
Flow source : 172.16.0.0/255.255.0.0 0/0-65535
Flow destination : 172.17.0.0/255.255.0.0 0/0-65535
[Outbound ESP SAs]
SPI: 188122458 (0xb36855a)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3186
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Outbound AH SAs]
SPI: 186085998 (0xb17726e)
Proposal: AH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3186
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound AH SAs]
SPI: 195410595 (0xba5baa3)
Proposal: AH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3186
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 3/180
Anti-replay : Enable
Anti-replay window size: 1024
[Inbound ESP SAs]
SPI: 185773610 (0xb12ae2a)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3186
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 3/180
Anti-replay : Enable
Anti-replay window size: 1024
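As an added example (not part of the original post), the following Python checks the `display ipsec sa` output above the way a monitoring script would: it verifies that both inbound and outbound SAs exist for each protocol in the `ah-esp` transform, that the negotiated algorithms match the `pps01` proposal, and that anti-replay is enabled on the inbound SAs. The sample text is an abridged copy of the output shown above, embedded inline.

```python
import re

# Constructed sample: an abridged copy of the "display ipsec sa" output above.
SAMPLE_OUTPUT = """\
[Outbound ESP SAs]
SPI: 188122458 (0xb36855a)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
[Outbound AH SAs]
SPI: 186085998 (0xb17726e)
Proposal: AH-SHA2-256-128
[Inbound AH SAs]
SPI: 195410595 (0xba5baa3)
Proposal: AH-SHA2-256-128
Anti-replay : Enable
[Inbound ESP SAs]
SPI: 185773610 (0xb12ae2a)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
Anti-replay : Enable
"""

# Algorithm names the SAs must report, matching "ipsec proposal pps01" above.
EXPECTED = {"ESP": {"ESP-ENCRYPT-AES-256", "ESP-AUTH-SHA2-256-128"},
            "AH": {"AH-SHA2-256-128"}}

def parse_sas(text):
    """Map (direction, protocol) -> {field: value} for every SA block."""
    sas, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\[(Inbound|Outbound) (ESP|AH) SAs\]", line)
        if header:
            current = sas.setdefault((header.group(1), header.group(2)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sas

def check_tunnel(text, expected=EXPECTED):
    """Return findings for the SA set; an empty list means it is healthy."""
    sas, findings = parse_sas(text), []
    for proto, algs in expected.items():
        for direction in ("Inbound", "Outbound"):
            sa = sas.get((direction, proto))
            if sa is None:
                findings.append(f"missing {direction} {proto} SA")
                continue
            if set(sa.get("Proposal", "").split()) != algs:
                findings.append(f"{direction} {proto} proposal mismatch: {sa.get('Proposal')}")
            if direction == "Inbound" and sa.get("Anti-replay") != "Enable":
                findings.append(f"anti-replay not enabled on inbound {proto} SA")
    return findings
```

Feed it the live output of `display ipsec sa` on either firewall; a non-empty list flags a half-established tunnel or a drift from the configured proposal.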