SecPath 1000F防火墙 IPSec VPN保护多条数据流的
典型配置
用户需要从分部想通过IPSec VPN访问总部不同的网段
二、 组网图
三、 典型配置
防火墙SecPath 10F最终配置
<10F>dis cu
#
sysname 10F
#
ike local-name
#
firewall packet-filter enable
firewall packet-filter default permit
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ike peer beijing //定义IKE PEER
exchange-mode aggressive //定义为野蛮模式
pre-shared-key huawei //预共享密钥为huawei
id-type name //ID类型为名字
remote-name beijing //对端名字为beijing
remote-address 1.0.0.1 //对端地址为1.0.0.1
#
ipsec proposal p1 //定义安全提议
#
ipsec policy policy1 1 isakmp //定义安全策略 policy1第一条规则
security acl 3001 //定义触发的数据流 3001
ike-peer beijing //采用的IKE PEER
proposal p1 //采用的安全提议
#
ipsec policy policy1 2 isakmp //定义安全策略 policy1第二条规则
security acl 3002 //定义触发的数据流 3002
ike-peer beijing //采用的IKE PEER
proposal p1 //采用的安全提议
#
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.2
55
acl number 3002
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.2
55
#
#
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0
ip address 1.0.0.2 255.255.255.0
ipsec policy policy1
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet1/0
add interface Ethernet2/0
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet 2/0 preference 60
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
防火墙SecPath 1000F最终配置
<secpath 1000>dis cu
#
sysname secpath 1000F
#
ike local-name
#
ike peer wuhan //定义IKE PEER
exchange-mode aggressive //定义为野蛮模式
pre-shared-key huawei //预共享密钥为huawei
id-type name //ID类型为名字
remote-name wuhan //对端名字为beijing
#
ipsec proposal p1 //定义安全提议
#
ipsec policy policy1 1 isakmp //定义安全策略 policy1第一条规则
security acl 3002 //定义触发的数据流 3002
ike-peer wuhan //采用的IKE PEER
proposal p1 //采用的安全提议
#
ipsec policy policy1 2 isakmp //定义安全策略 policy1第二条规则
security acl 3003 //定义触发的数据流 30023
ike-peer wuhan //采用的IKE PEER
proposal p1 //采用的安全提议
#
interface Aux0
#
interface GigabitEthernet0/0
description neiwang
#
interface GigabitEthernet0/1
description waiwang
ip address 1.0.0.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt2/0
#
interface NULL0
#
interface LoopBack1
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack2
ip address 192.168.3.1 255.255.255.0
#
acl number 3002
rule 0 permit ip source 192.168.2.1 0.0.0.255 destination 192.168.1.1 0.0.0.255
acl number 3003
rule 1 permit ip source 192.168.3.1 0.0.0.255 destination 192.168.1.1 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.0.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
return
<secpath 1000>
四、 配置关键点和关键命令
1、在VRP3.4-R1606以前版本必须这样配置:
ipsec policy policy1 1 isakmp //定义安全策略 policy1第一条规则
ipsec policy policy1 2 isakmp //定义安全策略 policy1第二条规则
在定义保护多条数据流建立VPN的时,需将每条数据流都用ACL定义然后将其分别应用到安全策略的第一条规则和第二条规则。
2、在VRP3.4-R1606及以后版本可以在ACL里面定义多条rule:
acl number 3002
rule 0 permit ip source 192.168.2.1 0.0.0.255 destination 192.168.1.1 0.0.0.255
rule 1 permit ip source 192.168.3.1 0.0.0.255 destination 192.168.1.1 0.0.0.255
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作