MSR1 (branch inside-firewall; 1.1.1.1 simulates the internal address; G0/0 address 192.168.1.1/24) -- (G0/0 address 192.168.1.2/24) MSR (G0/1 address 192.168.2.2/24) -- (HQ public-side firewall; 2.2.2.2 simulates the internal address; G0/0 address 192.168.2.1) MSR2
Establishing IPsec in main mode using FQDN identities
Branch inside-firewall MSR1 configuration
1. Interface addresses are not repeated here.
2. Configure a default route so that the loopback addresses of the two firewalls can reach each other.
ip route-static 0.0.0.0 0 192.168.1.2
3. Configure the IPsec interesting traffic; source and destination are the local loopback address and the peer loopback address respectively.
acl advanced 3000
rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
4. Configure the IPsec policy
#
ipsec transform-set 1 // configure the IPsec transform set (security proposal)
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ike keychain 1
pre-shared-key address 192.168.2.1 255.255.255.255 key simple 123456 // configure the IKE keychain; the address matches the public-interface address of the peer public-side firewall
#
ike profile 1 // configure the IKE profile: bind the keychain, main mode, FQDN identities
keychain 1
local-identity fqdn ra
match remote identity fqdn rb
proposal 1
#
ipsec policy 1 1 isakmp // create the IPsec policy
transform-set 1
security acl 3000
remote-address 192.168.2.1
ike-profile 1
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.1.1 255.255.255.0
ipsec apply policy 1 // apply the IPsec policy on the interface
#
Branch egress router
1. Configure routes so that every node is reachable.
2. On the public interface configure nat outbound and nat server.
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 192.168.2.2 255.255.255.0
nat outbound
nat server protocol udp global current-interface 4500 inside 192.168.1.1 4500
nat server protocol udp global current-interface 500 inside 192.168.1.1 500 // configure nat server; UDP 500 and 4500 are mapped so that IKE packets can pass through
#
The HQ public-side firewall FW2 configuration is essentially the same as the branch inside-firewall FW1 configuration and is not repeated.
Verification
<MSR1>ping -a 1.1.1.1 2.2.2.2
Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 2.2.2.2: icmp_seq=0 ttl=255 time=3.045 ms
56 bytes from 2.2.2.2: icmp_seq=1 ttl=255 time=7.151 ms
56 bytes from 2.2.2.2: icmp_seq=2 ttl=255 time=1.987 ms
56 bytes from 2.2.2.2: icmp_seq=3 ttl=255 time=3.137 ms
<MSR2>ping -a 2.2.2.2 1.1.1.1
Ping 1.1.1.1 (1.1.1.1) from 2.2.2.2: 56 data bytes, press CTRL_C to break
56 bytes from 1.1.1.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 1.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 1.1.1.1: icmp_seq=2 ttl=255 time=3.000 ms
56 bytes from 1.1.1.1: icmp_seq=3 ttl=255 time=2.000 ms
1. For IPsec to be established, every node must first be reachable by routing; this is the most basic prerequisite.
2. When configuring IPsec, make sure the parameters at the two ends correspond: the peer addresses must match, and the encryption algorithms, pre-shared key and so on must be identical.
With this configuration, IPsec can be triggered from either the private-network side or the public-network side.
If the routers are replaced by firewalls, just add the necessary security policies.
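The second summary point (both ends must carry matching parameters) is easy to get wrong by hand, especially the peer address on the HQ side, which must be the NAT router's outside address rather than the branch firewall's private address. The following script is an added example, not part of the original case or of any H3C tool: it parses the relevant lines of two Comware-style configs and cross-checks them. The branch config is copied from this page; the HQ config is a constructed mirror (the page only says FW2 is configured "essentially the same"), and its peer address 192.168.2.2 and FQDN "rb" are assumptions. It also flags the legacy 3des-cbc/sha1 algorithms the case uses, as a warning rather than an error.

```python
"""Cross-check two IPsec peers for mirrored parameters (added example)."""
import re

# Constructed sample: branch side copied from the page, HQ side an assumed mirror.
BRANCH_CFG = """
acl advanced 3000
 rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ike keychain 1
 pre-shared-key address 192.168.2.1 255.255.255.255 key simple 123456
ike profile 1
 local-identity fqdn ra
 match remote identity fqdn rb
ipsec policy 1 1 isakmp
 remote-address 192.168.2.1
"""
HQ_CFG = """
acl advanced 3000
 rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
ike keychain 1
 pre-shared-key address 192.168.2.2 255.255.255.255 key simple 123456
ike profile 1
 local-identity fqdn rb
 match remote identity fqdn ra
ipsec policy 1 1 isakmp
 remote-address 192.168.2.2
"""

LEGACY_ALGOS = {"des-cbc", "3des-cbc", "md5", "sha1"}


def parse_peer(cfg):
    """Extract only the fields that must agree between the two IPsec peers."""
    p = {"acl": [], "esp": {}, "psk": {}, "local_id": None,
         "remote_id": None, "remote_address": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+", line):
            p["acl"].append((m[1], m[2]))
        elif m := re.match(r"esp (encryption|authentication)-algorithm (\S+)", line):
            p["esp"][m[1]] = m[2]
        elif m := re.match(r"pre-shared-key address (\S+) \S+ key simple (\S+)", line):
            p["psk"][m[1]] = m[2]          # keyed by the peer address the entry matches
        elif m := re.match(r"local-identity fqdn (\S+)", line):
            p["local_id"] = m[1]
        elif m := re.match(r"match remote identity fqdn (\S+)", line):
            p["remote_id"] = m[1]
        elif m := re.match(r"remote-address (\S+)", line):
            p["remote_address"] = m[1]
    return p


def check_pair(a, b, b_seen_from_a, a_seen_from_b):
    """Return (errors, warnings). The *_seen_from_* arguments are the source
    addresses each side sees in the other's IKE packets, i.e. after any NAT."""
    errors, warnings = [], []
    if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
        errors.append("FQDN identities are not mirrored")
    if a["esp"] != b["esp"]:
        errors.append(f"transform-set mismatch: {a['esp']} vs {b['esp']}")
    # The keychain entry must match the peer's post-NAT address, and keys must be equal.
    key_a, key_b = a["psk"].get(b_seen_from_a), b["psk"].get(a_seen_from_b)
    if key_a is None:
        errors.append(f"side A has no pre-shared-key entry for peer {b_seen_from_a}")
    if key_b is None:
        errors.append(f"side B has no pre-shared-key entry for peer {a_seen_from_b}")
    if key_a is not None and key_b is not None and key_a != key_b:
        errors.append("pre-shared keys differ")
    if a["remote_address"] != b_seen_from_a:
        errors.append(f"side A remote-address should be {b_seen_from_a}")
    if b["remote_address"] != a_seen_from_b:
        errors.append(f"side B remote-address should be {a_seen_from_b}")
    # Interesting traffic must be the exact mirror (source/destination swapped).
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):
        errors.append("ACL rules are not mirrored")
    for algo in sorted(set(a["esp"].values()) | set(b["esp"].values())):
        if algo in LEGACY_ALGOS:
            warnings.append(f"legacy algorithm {algo}; prefer AES and SHA-2")
    return errors, warnings


def audit(branch_cfg=BRANCH_CFG, hq_cfg=HQ_CFG):
    """Branch sees HQ at 192.168.2.1; HQ sees the branch at the NAT router's 192.168.2.2."""
    return check_pair(parse_peer(branch_cfg), parse_peer(hq_cfg),
                      b_seen_from_a="192.168.2.1", a_seen_from_b="192.168.2.2")


if __name__ == "__main__":
    errs, warns = audit()
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Run it once with the HQ keychain pointing at 192.168.1.1 instead of 192.168.2.2 and the missing-entry error is exactly the symptom that shows up in practice as an IKE negotiation that never completes behind NAT.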