SecPath F100-C-G3: one port with one public IP connecting to two headquarters sites over IPsec; how should this be configured?
Firewall IPsec multi-branch interconnection configuration
1. Network requirements:
The headquarters provides IPsec VPN access for multiple branches. IPsec tunnels are first established between the headquarters and each branch; once a branch has a working IPsec VPN to the headquarters and branches need to reach each other by transiting through the headquarters, the corresponding ACLs are added manually and one branch triggers the negotiation, so that branch traffic is relayed through the headquarters and the branches interconnect over IPsec.
Equipment list: 3 V5 firewalls, 1 V5 switch
2. Network diagram:
3. Configuration steps:
Center:
#// Configure the IKE peers
ike peer fw1
pre-shared-key cipher $c$3$754hAry0EnjWEqGdksbhunWYBARXLg==
remote-address 10.0.0.1
local-address 10.0.0.2
#
ike peer fw2
pre-shared-key cipher $c$3$byPkqK6aQu0KJcOKvsR5A0bTjsrnJQ==
remote-address 10.0.0.3
local-address 10.0.0.2
#// Configure the IPsec proposals
ipsec transform-set fw1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec transform-set fw2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#// Configure the interesting traffic (ACLs)
acl number 3000 name to_FW1
rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0
acl number 3001 name to_FW2
rule 0 permit ip source 2.2.2.2 0 destination 3.3.3.3 0
rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0
#// Configure the IPsec policies
ipsec policy center 1 isakmp
security acl 3000
ike-peer fw1
transform-set fw1
#
ipsec policy center 2 isakmp
security acl 3001
ike-peer fw2
transform-set fw2
#// Configure the interfaces
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 10.0.0.2 255.255.255.0
ipsec policy center
#// Add the interface to a security zone
zone name Trust id 2
priority 85
import interface GigabitEthernet0/0
#// Configure routes to the branches' VPN internal addresses
ip route-static 1.1.1.1 255.255.255.255 10.0.0.1
ip route-static 3.3.3.3 255.255.255.255 10.0.0.3
#
Branch1:
#// Configure the IKE peer
ike peer center
pre-shared-key cipher $c$3$+4m41AS2S8FvKHzR0R077qEr21gl2A==
remote-address 10.0.0.2
local-address 10.0.0.1
#// Configure the IPsec proposal
ipsec transform-set center
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#// Configure the interesting traffic (ACL)
acl number 3000
rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0
#// Configure the IPsec policy
ipsec policy 1 1 isakmp
security acl 3000
ike-peer center
transform-set center
#// Configure the interfaces
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
ip address 10.0.0.1 255.255.255.0
ipsec policy 1
#// Add the interface to a security zone
zone name Trust id 2
priority 85
import interface GigabitEthernet0/1
#// Configure the gateway route
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
#
Branch2:
#// Configure the IKE peer
ike peer center
pre-shared-key cipher $c$3$cMb0kYdUI/oPRr73cb9nYCEYIZ+YMg==
remote-address 10.0.0.2
local-address 10.0.0.3
#// Configure the IPsec proposal
ipsec transform-set center
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#// Configure the interesting traffic (ACL)
acl number 3000
rule 0 permit ip source 3.3.3.3 0 destination 2.2.2.2 0
rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0
#// Configure the IPsec policy
ipsec policy 1 1 isakmp
security acl 3000
ike-peer center
transform-set center
#// Configure the interfaces
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet0/1
port link-mode route
ip address 10.0.0.3 255.255.255.0
ipsec policy 1
#// Add the interface to a security zone
zone name Trust id 2
priority 85
import interface GigabitEthernet0/1
#// Configure the gateway route (next hop is the headquarters firewall)
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
#
4. Verification:
Center:
display ike sa verbose
---------------------------------------------
connection id: 1
vpn-instance:
transmitting entity: responder
---------------------------------------------
local ip: 10.0.0.2
local id type: IPV4_ADDR
local id: 10.0.0.2
remote ip: 10.0.0.1
remote id type: IPV4_ADDR
remote id: 10.0.0.1
authentication-method: PRE_SHARED
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
life duration(sec): 86400
remaining key duration(sec): 84261
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
---------------------------------------------
connection id: 4
vpn-instance:
transmitting entity: responder
---------------------------------------------
local ip: 10.0.0.2
local id type: IPV4_ADDR
local id: 10.0.0.2
remote ip: 10.0.0.3
remote id type: IPV4_ADDR
remote id: 10.0.0.3
authentication-method: PRE_SHARED
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
life duration(sec): 86400
remaining key duration(sec): 86240
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
display ipsec sa
===============================
Interface: GigabitEthernet0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "center"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 1
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.1
flow:
sour addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 714338904 (0x2a93f258)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/1454
max sequence number received: 9
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1574221484 (0x5dd4b6ac)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/1454
max sequence number sent: 10
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "center"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 4
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.1
flow:
sour addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2412168457 (0x8fc6c509)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3479
max sequence number received: 3
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3965919098 (0xec631f7a)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3479
max sequence number sent: 4
udp encapsulation used for nat traversal: N
===============================
Interface: GigabitEthernet0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "center"
sequence number: 2
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 2
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.3
flow:
sour addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2065185006 (0x7b1838ee)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3432
max sequence number received: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3613849620 (0xd766f814)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3432
max sequence number sent: 5
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "center"
sequence number: 2
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.2
remote address: 10.0.0.3
flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2287353061 (0x88563ce5)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3476
max sequence number received: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 457680622 (0x1b47a6ee)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3476
max sequence number sent: 4
udp encapsulation used for nat traversal: N
Branch1:
display ike sa verbose
---------------------------------------------
connection id: 1
vpn-instance:
transmitting entity: initiator
---------------------------------------------
local ip: 10.0.0.1
local id type: IPV4_ADDR
local id: 10.0.0.1
remote ip: 10.0.0.2
remote id type: IPV4_ADDR
remote id: 10.0.0.2
authentication-method: PRE_SHARED
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
life duration(sec): 86400
remaining key duration(sec): 84294
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
display ipsec sa
===============================
Interface: GigabitEthernet0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 1
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.1
remote address: 10.0.0.2
flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1574221484 (0x5dd4b6ac)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/1489
max sequence number received: 9
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 714338904 (0x2a93f258)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/1489
max sequence number sent: 10
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "1"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 2
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.1
remote address: 10.0.0.2
flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 3965919098 (0xec631f7a)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3513
max sequence number received: 3
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2412168457 (0x8fc6c509)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3513
max sequence number sent: 4
udp encapsulation used for nat traversal: N
Branch2:
display ike sa verbose
---------------------------------------------
connection id: 4
vpn-instance:
transmitting entity: initiator
---------------------------------------------
local ip: 10.0.0.3
local id type: IPV4_ADDR
local id: 10.0.0.3
remote ip: 10.0.0.2
remote id type: IPV4_ADDR
remote id: 10.0.0.2
authentication-method: PRE_SHARED
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
life duration(sec): 86400
remaining key duration(sec): 86201
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
display ipsec sa
===============================
Interface: GigabitEthernet0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 1
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.3
remote address: 10.0.0.2
flow:
sour addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
dest addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 3613849620 (0xd766f814)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3399
max sequence number received: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2065185006 (0x7b1838ee)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3399
max sequence number sent: 5
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "1"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 2
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 10.0.0.3
remote address: 10.0.0.2
flow:
sour addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 457680622 (0x1b47a6ee)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3442
max sequence number received: 3
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2287353061 (0x88563ce5)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3442
max sequence number sent: 5
udp encapsulation used for nat traversal: N
5. Key configuration points:
1) Template (policy-template) mode is not recommended on the headquarters side.
2) The headquarters side must configure precise ACLs that match the branch-to-branch transit traffic.
3) The branch side must configure precise ACLs.
4) The physical interface used for forwarding must be added to a security zone.
5) If the headquarters side is configured in template mode, every branch must initiate the connection to its peer; only once the IPsec SAs on the headquarters side are established can the branches communicate.
6) If a NAT device sits in between, IPsec must be configured in aggressive mode with NAT traversal enabled, and both sides must trigger toward the headquarters at the same time.
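Key points 2 and 3 come down to one property: every transit flow must appear as a host rule in the hub's ACL toward the destination branch and in the source branch's own ACL. The following Python check, added here as an example and not part of the original post, derives those required flows for the hub-and-spoke design and compares them with the ACL rules above; the "Hub->Branch" keys, the device names and the `Flow` helper are assumptions of this example.

```python
import re
from typing import Dict, Set, Tuple

Flow = Tuple[str, str]  # (source host, destination host)
# Matches a Comware V5 host rule such as "rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0"
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+\S+\s+destination\s+(\S+)\s+\S+")

def parse_acl(text: str) -> Set[Flow]:
    """Extract the (src, dst) host pairs permitted by one ACL."""
    return {(m.group(1), m.group(2)) for m in RULE_RE.finditer(text)}

def required_flows(hub_lan: str, branches: Dict[str, str]) -> Dict[str, Set[Flow]]:
    """Interesting traffic each ACL must cover when branches reach each other via the hub.
    Keys: 'Hub->Name' for the hub's per-peer ACL, 'Name' for that branch's own ACL."""
    req: Dict[str, Set[Flow]] = {}
    for name, lan in branches.items():
        others = [l for n, l in branches.items() if n != name]
        # hub ACL toward this branch: hub traffic plus transit traffic from every other branch
        req[f"Hub->{name}"] = {(hub_lan, lan)} | {(o, lan) for o in others}
        # branch ACL: traffic to the hub plus to every other branch (mirror image of the above)
        req[name] = {(lan, hub_lan)} | {(lan, o) for o in others}
    return req

def check_acls(hub_lan: str, branches: Dict[str, str], configured: Dict[str, str]) -> dict:
    """Compare each configured ACL with its required flows; return only the ACLs with gaps."""
    report = {}
    for key, needed in required_flows(hub_lan, branches).items():
        have = parse_acl(configured.get(key, ""))
        missing, extra = needed - have, have - needed
        if missing or extra:
            report[key] = {"missing": missing, "extra": extra}
    return report

# Constructed input: the ACL rules from the configuration above, keyed per device/peer
BRANCHES = {"Branch1": "1.1.1.1", "Branch2": "3.3.3.3"}
PAGE_ACLS = {
    "Hub->Branch1": "rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0\n"
                    "rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0",
    "Hub->Branch2": "rule 0 permit ip source 2.2.2.2 0 destination 3.3.3.3 0\n"
                    "rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0",
    "Branch1": "rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0\n"
               "rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0",
    "Branch2": "rule 0 permit ip source 3.3.3.3 0 destination 2.2.2.2 0\n"
               "rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0",
}

if __name__ == "__main__":
    print(check_acls("2.2.2.2", BRANCHES, PAGE_ACLS))  # {} means every ACL is consistent
```

Adding a third branch to `BRANCHES` makes the check print the extra transit rules the hub and each existing branch would need before that branch can reach the others.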