SecPath1800F 主模式IpSec VPN的配置

 

SecPath1800F 主模式IpSec功能的配置

 

 

一、  组网需求：

用户需要保证两个私有网络之间通信的部分（全部）数据的安全，可以使用网络出

口设备之间做主模式的IpSec连接的方式来实现。

 

二、  组网图：

    

 

三、  配置步骤：

     适用版本 ： SecPath1800F 所有非P2P限流版本

#

acl number 3006             // 配置触IpSec VPN的数据流规则（与对端互为镜像）

 rule 0 permit ip source 172.31.1.0 0.0.0.255 destination 172.31.2.0 0.0.0.255

#

 sysname SecPath1800F

#

 firewall packet-filter default permit interzone local trust direction inbound

 firewall packet-filter default permit interzone local trust direction outbound

 firewall packet-filter default permit interzone local untrust direction inbound

 firewall packet-filter default permit interzone local untrust direction outbound

 firewall packet-filter default permit interzone local dmz direction inbound

 firewall packet-filter default permit interzone local dmz direction outbound

 firewall packet-filter default permit interzone trust untrust direction inbound

 firewall packet-filter default permit interzone trust untrust direction outbound

 firewall packet-filter default permit interzone trust dmz direction inbound

 firewall packet-filter default permit interzone trust dmz direction outbound

 firewall packet-filter default permit interzone dmz untrust direction inbound

 firewall packet-filter default permit interzone dmz untrust direction outbound

#

 bypass switch-back auto

#

 firewall mode route

#

 firewall statistic system enable        

#

ike peer ike_test                       // 定义相应的ike peer 属性

 pre-shared-key 1234

 remote-address 202.96.199.254

#

ipsec proposal proposal_test    // 定义相应的proposal属性（使用默认值）

#

ipsec policy ippo 10 isakmp      // 定义IpSec 策略并引用相应的规则、ike peer、proposal

 security acl 3006

 ike-peer ike_test

 proposal proposal_test

#

interface Aux0

 async mode flow

 link-protocol ppp

#

interface Ethernet0/0/0

#

interface Ethernet0/0/1

#

interface Ethernet1/0/0

#                                        

interface Ethernet1/0/1

 ip address 172.31.1.254 255.255.255.0  

#

interface Ethernet1/0/2

#

interface Ethernet1/0/3

 ip address 202.96.199.253 255.255.255.0

 ipsec policy ippo

#

interface Ethernet1/0/4

#

interface Ethernet1/0/5

#

interface Ethernet1/0/6

#

interface Ethernet1/0/7

#

interface Secp3/0/0

#

interface NULL0

#

interface LoopBack0 

#

firewall zone local

 set priority 100

#

firewall zone trust                 // 端口加入域

 set priority 85

 add interface Ethernet1/0/1

#

firewall zone untrust             // 端口加入域

 set priority 5

add interface Ethernet1/0/3

 

#

firewall zone dmz

 set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local dmz

#

firewall interzone trust untrust

#                                        

firewall interzone trust dmz

#

firewall interzone dmz untrust

#

aaa

 authentication-scheme default

#

 authorization-scheme default

#

 accounting-scheme default

#

 domain default

#

#

 ip route-static 0.0.0.0 0.0.0.0 202.96.199.254   // 设置相应的静态路由

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

#

return

 

 

＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃＃

 

#

 sysname Quidway

#

 firewall packet-filter enable

 firewall packet-filter default permit

#

 undo connection-limit enable

 connection-limit default deny

 connection-limit default amount upper-limit 50 lower-limit 20

#

 firewall statistic system enable

#

radius scheme system

#

ike peer ike_test                          // 定义相应的ike peer 属性

 pre-shared-key 1234

 remote-address 202.96.199.253

#

ipsec proposal proposal_test      // 定义相应的proposal属性（使用默认值）

#

ipsec policy ippo 10 isakmp        // 定义IpSec 策略并引用相应的规则、ike peer、proposal

 security acl 3006

 ike-peer ike_test

 proposal proposal_test

#

acl number 3006                // 配置触IpSec VPN的数据流规则（与对端互为镜像）

 rule 0 permit ip source 172.31.2.0 0.0.0.255 destination 172.31.1.0 0.0.0.255

#

interface Aux0

 async mode flow

#

interface Ethernet1/0

 ip address 202.96.199.254 255.255.255.0

 ipsec policy ippo

#

interface GigabitEthernet0/0

 ip address 172.31.2.254 255.255.255.0

#

interface GigabitEthernet0/1             

 ip address 10.35.100.196 255.255.255.248

#

interface Encrypt2/0

#

interface NULL0

#

interface LoopBack0

#

firewall zone local

 set priority 100

#

firewall zone trust

 add interface GigabitEthernet0/1

 add interface Ethernet1/0                

 set priority 85

#

firewall zone untrust

 add interface GigabitEthernet0/0

 set priority 5

#

firewall zone DMZ

 set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust          

#

 ip route-static 0.0.0.0 0.0.0.0 202.96.199.253 preference 60     // 定义静态路由

#

 snmp-agent

 snmp-agent local-engineid 000007DB7F00000100001631

 snmp-agent community read huawei

 snmp-agent sys-info version all

#

 ntp-service unicast-server 10.16.100.238

#

user-interface con 0

user-interface aux 0

user-interface vty 0

#

return

 

四、  配置关键点： 

注：当使用野蛮模式的连接时，请参考SecPath其他型号防火墙的典型配置。

    SecPath1800F 不支持GRE 方式的VPN。