Note: unless otherwise stated, FW1 or MSR1 in the description refers to the device in the topology whose name ends in 1, FW2 or MSR2 to the device whose name ends in 2, and so on. Within a single subnet, the host part of an IP address is the device number: if FW1's g0/0 interface is in 1.1.1.0/24, its IP address is 1.1.1.1/24, and so on.
Lab requirements:
1. FW1 is the hub; FW2 and FW3 are the branches (spokes).
2. Each FW uses its LoopBack0 interface to simulate its business subnet.
3. Each branch communicates with the hub, and the branches can also communicate with each other.
Configuration

IP addresses, routes and security zones

FW1:
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.2.2.1 255.255.255.0
 ipsec apply policy ply
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/1
#
 ip route-static 10.2.2.1 32 1.1.1.2
 ip route-static 10.3.3.1 32 2.2.2.3
#
security-policy ip
 rule 0 name any
  action pass

(The published FW1 configuration omits GigabitEthernet1/0/0; the SA output below shows that interface with local address 1.1.1.1 and policy ply applied, on the 1.1.1.0/24 link towards FW2.)

FW2:
#
interface LoopBack0
 ip address 10.2.2.1 255.255.255.255
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.0
 ipsec apply policy ply
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/1
#
 ip route-static 0.0.0.0 0 1.1.1.1
#
security-policy ip
 rule 0 name any
  action pass

FW3:
#
interface LoopBack0
 ip address 10.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 2.2.2.3 255.255.255.0
 ipsec apply policy ply
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/1
#
 ip route-static 0.0.0.0 0 2.2.2.1
#
security-policy ip
 rule 0 name any
  action pass
#

IKE

FW1:
#
ike keychain k1
 pre-shared-key hostname f2 key cipher $c$3$rFTHo6O4pPLOHvZEwmSFGc3gjFRY7Q75Qw==
#
ike keychain k2
 pre-shared-key hostname f3 key cipher $c$3$lo0leXtmx41UHB7Vxok9kFeOJxZnJZ0miw==
#
ike profile pf
 keychain k1
 keychain k2
 dpd interval 10 on-demand
 exchange-mode aggressive
 local-identity fqdn f1
 match remote identity fqdn f2
 match remote identity fqdn f3

FW2:
#
ike keychain k1
 pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$v44JHWonfkj3w9BqDNkQ+LEIFRiUlBKUgw==
#
ike profile pf
 keychain k1
 exchange-mode aggressive
 local-identity fqdn f2
 match remote identity fqdn f1

FW3:
#
ike keychain k1
 pre-shared-key address 2.2.2.1 255.255.255.255 key cipher $c$3$PKsnAPnnOgZicN73gXZd3L3ZO9OR3IuS1A==
#
ike profile pf
 keychain k1
 exchange-mode aggressive
 local-identity fqdn f3
 match remote identity fqdn f1

IPsec

FW1:
#
acl advanced 3000
 rule 0 permit ip source 10.1.1.1 0 destination 10.2.2.1 0
 rule 5 permit ip source 10.1.1.1 0 destination 10.3.3.1 0
 rule 10 permit ip source 10.3.3.1 0 destination 10.2.2.1 0
 rule 15 permit ip source 10.2.2.1 0 destination 10.3.3.1 0
#
ipsec transform-set ts
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template pt 1
 transform-set ts
 security acl 3000
 ike-profile pf
#
ipsec policy ply 1 isakmp template pt

FW2:
#
acl advanced 3000
 rule 0 permit ip source 10.2.2.1 0 destination 10.1.1.1 0
 rule 5 permit ip source 10.2.2.1 0 destination 10.3.3.1 0
#
ipsec transform-set ts
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy ply 1 isakmp
 transform-set ts
 security acl 3000
 remote-address 1.1.1.1
 ike-profile pf

FW3:
#
acl advanced 3000
 rule 0 permit ip source 10.3.3.1 0 destination 10.1.1.1 0
 rule 5 permit ip source 10.3.3.1 0 destination 10.2.2.1 0
#
ipsec transform-set ts
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy ply 1 isakmp
 transform-set ts
 security acl 3000
 remote-address 2.2.2.1
 ike-profile pf
1. A tunnel between a branch and the hub must be triggered by the branch, i.e. FW2 initiates traffic to FW1 and FW3 initiates traffic to FW1; the hub uses an IPsec policy template, which can only respond to a negotiation, never start one.
2. A tunnel between two branches must be triggered from both sides, i.e. FW2 initiates traffic to FW3 and FW3 initiates traffic to FW2.
3. A branch's interesting traffic (its ACL) must cover not only flows destined for the hub but also flows destined for the other branches.
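The three points above amount to a consistency rule that can be checked mechanically. The following Python script is an added example, not part of the original case: it embeds the three ACLs from the configuration table, verifies that the hub holds the mirror image of every spoke rule and that each spoke-to-spoke flow has its reverse rule on the other spoke, and derives which flows the hub should therefore show per spoke in its SA list. The device names and LoopBack0 addresses are taken from the case; the checker functions (`parse_acl`, `check_mirrors`, `expected_hub_flows`) and their names are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (source host, destination host)

# Topology from the case: FW1 is the hub, FW2/FW3 are spokes and LoopBack0 is the
# business address of each device.
HUB = "FW1"
SPOKES = ["FW2", "FW3"]
BUSINESS = {"FW1": "10.1.1.1", "FW2": "10.2.2.1", "FW3": "10.3.3.1"}

# Interesting-traffic ACLs copied from the case's configuration.
ACLS = {
    "FW1": """acl advanced 3000
 rule 0 permit ip source 10.1.1.1 0 destination 10.2.2.1 0
 rule 5 permit ip source 10.1.1.1 0 destination 10.3.3.1 0
 rule 10 permit ip source 10.3.3.1 0 destination 10.2.2.1 0
 rule 15 permit ip source 10.2.2.1 0 destination 10.3.3.1 0""",
    "FW2": """acl advanced 3000
 rule 0 permit ip source 10.2.2.1 0 destination 10.1.1.1 0
 rule 5 permit ip source 10.2.2.1 0 destination 10.3.3.1 0""",
    "FW3": """acl advanced 3000
 rule 0 permit ip source 10.3.3.1 0 destination 10.1.1.1 0
 rule 5 permit ip source 10.3.3.1 0 destination 10.2.2.1 0""",
}

# Only host rules (wildcard 0) are handled, which is all this case uses.
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+0\s+destination\s+(\S+)\s+0"
)


def parse_acl(text: str) -> List[Flow]:
    """Extract (source, destination) host pairs from 'acl advanced' rule lines."""
    return [(m.group(1), m.group(2)) for m in RULE_RE.finditer(text)]


def owner_of(addr: str) -> str:
    """Map a business address back to the device that owns it ('?' if unknown)."""
    for name, business in BUSINESS.items():
        if business == addr:
            return name
    return "?"


def expected_hub_flows(acls: Dict[str, str] = ACLS) -> Dict[str, Set[Flow]]:
    """For each spoke, the flows the hub should list for the tunnel negotiated with
    that spoke: the mirror image of every rule the spoke can trigger. The hub's
    policy template only responds, so the spoke's rules drive which SAs exist."""
    return {s: {(dst, src) for src, dst in parse_acl(acls[s])} for s in SPOKES}


def check_mirrors(acls: Dict[str, str] = ACLS) -> List[str]:
    """Return findings; an empty list means the three ACLs are consistent."""
    flows = {name: set(parse_acl(text)) for name, text in acls.items()}
    findings: List[str] = []
    for spoke in SPOKES:
        for src, dst in flows[spoke]:
            # The hub must hold the mirror of every spoke rule, otherwise the
            # spoke's proposal does not match the template ACL and negotiation fails.
            if (dst, src) not in flows[HUB]:
                findings.append(f"{HUB}: no mirror of {spoke} rule {src}->{dst}")
            # A spoke-to-spoke flow also needs the reverse rule on the other spoke,
            # because each spoke triggers its own tunnel towards the hub.
            other = owner_of(dst)
            if other in SPOKES and other != spoke and (dst, src) not in flows[other]:
                findings.append(f"{other}: no reverse rule for {spoke} flow {src}->{dst}")
    return findings


if __name__ == "__main__":
    for spoke, flows in expected_hub_flows().items():
        print(f"{HUB} SAs with {spoke}: {sorted(flows)}")
    print("findings:", check_mirrors() or "none")
```

With the case's ACLs the checker reports no findings, and the derived hub flows (10.1.1.1->10.2.2.1 and 10.3.3.1->10.2.2.1 for FW2; 10.1.1.1->10.3.3.1 and 10.2.2.1->10.3.3.1 for FW3) are exactly the four tunnels in the FW1 SA output below. Removing FW3's rule 5 reproduces the situation point 3 warns about: the checker then reports that FW3 lacks the reverse rule for FW2's spoke-to-spoke flow.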
The IPsec SAs on FW1 are as follows:
-------------------------------
Interface: GigabitEthernet1/0/0
-------------------------------
-----------------------------
IPsec policy: ply
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
Tunnel:
local address: 1.1.1.1
remote address: 1.1.1.2
Flow:
sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3754823141 (0xdfce0de5)
Connection ID: 4294967298
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3562
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1056998950 (0x3f008626)
Connection ID: 4294967299
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3562
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: ply
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 2
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
Tunnel:
local address: 1.1.1.1
remote address: 1.1.1.2
Flow:
sour addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3260450656 (0xc2568760)
Connection ID: 4294967300
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3575
Max received sequence-number: 8
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2013923382 (0x780a0836)
Connection ID: 4294967301
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3575
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
Status: Active
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: ply
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
Tunnel:
local address: 2.2.2.1
remote address: 2.2.2.3
Flow:
sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2022161426 (0x7887bc12)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3554
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3633752750 (0xd896aaae)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3554
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: ply
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Responder
Path MTU: 1444
Tunnel:
local address: 2.2.2.1
remote address: 2.2.2.3
Flow:
sour addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3168528224 (0xbcdbe760)
Connection ID: 4294967302
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max received sequence-number: 5
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2761355159 (0xa496ef97)
Connection ID: 4294967303
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
Status: Active
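As an added example that is not part of the original case, the Python script below parses SA output in the format shown above, groups the protected flows by remote tunnel endpoint so they can be compared with the configured interesting traffic, and flags the points a reviewer would raise from this output: the transform set uses 3DES-CBC and MD5, both legacy algorithms, and the empty "Perfect Forward Secrecy" field shows PFS is not enabled. The sample input is a constructed, trimmed copy of the FW1 output (tunnels 1 and 0 only); the function names and the list of legacy algorithm tokens are assumptions made for this illustration.

```python
from typing import Any, Dict, List, Set, Tuple

# Constructed sample: trimmed copy of the case's FW1 SA output (tunnels 1 and 0),
# keeping only the lines this parser reads plus the section markers.
SAMPLE = """\
-------------------------------
Interface: GigabitEthernet1/0/0
-------------------------------
Tunnel id: 1
Perfect Forward Secrecy:
local address: 1.1.1.1
remote address: 1.1.1.2
sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3754823141 (0xdfce0de5)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
Anti-replay check enable: Y
Status: Active
[Outbound ESP SAs]
SPI: 1056998950 (0x3f008626)
Status: Active
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
Tunnel id: 0
Perfect Forward Secrecy:
local address: 2.2.2.1
remote address: 2.2.2.3
sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2022161426 (0x7887bc12)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
Anti-replay check enable: Y
Status: Active
[Outbound ESP SAs]
SPI: 3633752750 (0xd896aaae)
Status: Active
"""

# Substrings of a transform-set name that indicate a legacy algorithm.
LEGACY = ("-DES-", "3DES", "MD5", "SHA1", "NULL")


def parse_ipsec_sa(text: str) -> List[Dict[str, Any]]:
    """Turn SA output into one record per tunnel. Lines are 'key: value'; the value
    is everything after the first colon, so 'sour addr: a.b.c.d/mask port: 0 ...'
    still parses."""
    tunnels: List[Dict[str, Any]] = []
    iface, cur = None, None
    for raw in text.splitlines():
        if ":" not in raw:
            continue  # separators and [Inbound/Outbound ESP SAs] headers
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface":
            iface = value
        elif key == "Tunnel id":
            cur = {"interface": iface, "tunnel_id": int(value), "transform": "",
                   "pfs": "", "anti_replay": False, "status": []}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif key == "Perfect Forward Secrecy":
            cur["pfs"] = value  # empty when PFS is not configured
        elif key in ("local address", "remote address"):
            cur[key.split()[0]] = value  # stored as 'local' / 'remote'
        elif key == "sour addr":
            cur["src"] = value.split("/")[0]
        elif key == "dest addr":
            cur["dst"] = value.split("/")[0]
        elif key == "Transform set" and not cur["transform"]:
            cur["transform"] = value
        elif key == "Anti-replay check enable":
            cur["anti_replay"] = value == "Y"
        elif key == "Status":
            cur["status"].append(value)
    return tunnels


def flows_by_peer(tunnels: List[Dict[str, Any]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Protected flows grouped by remote endpoint: what each spoke negotiated."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for t in tunnels:
        out.setdefault(t["remote"], set()).add((t["src"], t["dst"]))
    return out


def audit(tunnels: List[Dict[str, Any]]) -> List[str]:
    """Review findings per tunnel: legacy transforms, no PFS, no anti-replay, inactive SAs."""
    findings: List[str] = []
    for t in tunnels:
        tag = f"tunnel {t['tunnel_id']} {t['src']}->{t['dst']} via {t['remote']}"
        legacy = [a for a in LEGACY if a in t["transform"]]
        if legacy:
            findings.append(f"{tag}: legacy transform '{t['transform']}' ({', '.join(legacy)})")
        if not t["pfs"]:
            findings.append(f"{tag}: PFS not enabled")
        if not t["anti_replay"]:
            findings.append(f"{tag}: anti-replay disabled")
        if not t["status"] or any(s != "Active" for s in t["status"]):
            findings.append(f"{tag}: SA not active")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(flows_by_peer(parsed))
    print("\n".join(audit(parsed)))
```

On the sample the parser yields two tunnels, one per spoke peer, and the audit reports the legacy transform set and missing PFS for each of them while anti-replay (window 64, enabled) and SA status pass. The same functions can be run over the complete output above to confirm that the four flows match the hub's ACL rules.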