Configuring main-mode IPsec on the SecPath1800F
I. Networking requirements:
Users who need to protect some (or all) of the traffic exchanged between two private networks can do so by building a main-mode IPsec connection between the network egress devices.
II. Network diagram:
III. Configuration steps:
Applicable versions: all SecPath1800F versions except the P2P rate-limiting versions
#
acl number 3006 // rule for the traffic that triggers the IPsec VPN (mirror image of the peer's rule)
rule 0 permit ip source 172.31.1.0 0.0.0.255 destination 172.31.2.0 0.0.0.255
#
sysname SecPath1800F
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
bypass switch-back auto
#
firewall mode route
#
firewall statistic system enable
#
ike peer ike_test // define the IKE peer attributes
pre-shared-key 1234
remote-address 202.96.199.254
#
ipsec proposal proposal_test // define the IPsec proposal (default values are used)
#
ipsec policy ippo 10 isakmp // define the IPsec policy and reference the ACL, IKE peer and proposal
security acl 3006
ike-peer ike_test
proposal proposal_test
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
ip address 172.31.1.254 255.255.255.0
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
ip address 202.96.199.253 255.255.255.0
ipsec policy ippo
#
interface Ethernet1/0/4
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Secp3/0/0
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
set priority 100
#
firewall zone trust // add the interface to the zone
set priority 85
add interface Ethernet1/0/1
#
firewall zone untrust // add the interface to the zone
set priority 5
add interface Ethernet1/0/3
#
firewall zone dmz
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local dmz
#
firewall interzone trust untrust
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
ip route-static 0.0.0.0 0.0.0.0 202.96.199.254 // configure the static route
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
####################################
#
sysname Quidway
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
firewall statistic system enable
#
radius scheme system
#
ike peer ike_test // define the IKE peer attributes
pre-shared-key 1234
remote-address 202.96.199.253
#
ipsec proposal proposal_test // define the IPsec proposal (default values are used)
#
ipsec policy ippo 10 isakmp // define the IPsec policy and reference the ACL, IKE peer and proposal
security acl 3006
ike-peer ike_test
proposal proposal_test
#
acl number 3006 // rule for the traffic that triggers the IPsec VPN (mirror image of the peer's rule)
rule 0 permit ip source 172.31.2.0 0.0.0.255 destination 172.31.1.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet1/0
ip address 202.96.199.254 255.255.255.0
ipsec policy ippo
#
interface GigabitEthernet0/0
ip address 172.31.2.254 255.255.255.0
#
interface GigabitEthernet0/1
ip address 10.35.100.196 255.255.255.248
#
interface Encrypt2/0
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/1
add interface Ethernet1/0
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 202.96.199.253 preference 60 // define the static route
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100001631
snmp-agent community read huawei
snmp-agent sys-info version all
#
ntp-service unicast-server 10.16.100.238
#
user-interface con 0
user-interface aux 0
user-interface vty 0
#
return
IV. Configuration key points:
The security ACL (3006) on each end must be the mirror image of the other's: source 172.31.1.0/24 to destination 172.31.2.0/24 on the SecPath1800F, the reverse on the Quidway. Packets that match no rule of the security ACL are forwarded without IPsec protection.
The remote-address of each IKE peer is the address of the interface on the other end that applies the ipsec policy (202.96.199.254 on the Quidway, 202.96.199.253 on the SecPath1800F), and the pre-shared keys must be identical. The key 1234 used here is a demonstration value; in production use a long, random pre-shared key, and likewise replace the SNMP read community huawei on the Quidway.
All firewall packet-filter interzone defaults above are permit, which is the lab setting. In production restrict them so that only the protected subnets and the IKE/ESP traffic between the two egress addresses (UDP 500 and IP protocol 50) are allowed.
Check the zone assignment against your own topology before copying it: on the Quidway the tunnel interface Ethernet1/0 is in trust and the LAN interface GigabitEthernet0/0 is in untrust, which is the reverse of the SecPath1800F side.
The tunnel is negotiated only after the first packet matching the security ACL arrives; afterwards the negotiated SAs can be inspected with the standard Comware commands display ike sa and display ipsec sa.
Note: for aggressive-mode connections, refer to the typical configurations of the other SecPath firewall models.
The SecPath1800F does not support GRE VPN.
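The mirror-ACL, remote-address and pre-shared-key requirements above are the usual reasons a main-mode tunnel between two Comware devices never comes up, and they are easy to check offline before touching the boxes. The script below is an added example written for this case, not part of the original configuration case and not a tool shipped with the SecPath products. It parses the subset of commands the page uses (acl number/rule, ike peer, ipsec policy, interface ip address and ipsec policy binding; the parser and its data model are the editor's own), compares the two sides, and flags a weak PSK; the 16-character threshold is an assumption, not a vendor rule. The two embedded configurations are constructed, trimmed copies of the ones on this page.

```python
"""Cross-check two Comware-style IPsec peer configs for the errors that most often keep a
main-mode tunnel down: non-mirrored ACLs, wrong remote-address, mismatched or weak PSK."""
import re
from dataclasses import dataclass, field

# Constructed, trimmed copies of the two configurations on this page (comments removed).
SIDE_A = """\
acl number 3006
 rule 0 permit ip source 172.31.1.0 0.0.0.255 destination 172.31.2.0 0.0.0.255
#
ike peer ike_test
 pre-shared-key 1234
 remote-address 202.96.199.254
#
ipsec policy ippo 10 isakmp
 security acl 3006
 ike-peer ike_test
#
interface Ethernet1/0/3
 ip address 202.96.199.253 255.255.255.0
 ipsec policy ippo
#
"""
SIDE_B = """\
ike peer ike_test
 pre-shared-key 1234
 remote-address 202.96.199.253
#
ipsec policy ippo 10 isakmp
 security acl 3006
 ike-peer ike_test
#
acl number 3006
 rule 0 permit ip source 172.31.2.0 0.0.0.255 destination 172.31.1.0 0.0.0.255
#
interface Ethernet1/0
 ip address 202.96.199.254 255.255.255.0
 ipsec policy ippo
#
"""

@dataclass
class Side:
    acls: dict = field(default_factory=dict)       # number -> [((src, wc), (dst, wc))]
    ike_peers: dict = field(default_factory=dict)  # name -> {"psk", "remote"}
    policies: dict = field(default_factory=dict)   # name -> {"acl", "peer"}
    bound: dict = field(default_factory=dict)      # interface -> {"ip", "policy"}

RULE = re.compile(r"source (\S+) (\S+) destination (\S+) (\S+)")

def parse(text):
    """Walk the config: '#' closes a block, a block-opening keyword sets the context."""
    side, ctx = Side(), None
    for raw in text.splitlines():
        w = raw.split()
        if not w: continue
        if w[0] == "#": ctx = None
        elif w[:2] == ["acl", "number"]: ctx = ("acl", w[2]); side.acls.setdefault(w[2], [])
        elif w[:2] == ["ike", "peer"]: ctx = ("peer", w[2]); side.ike_peers[w[2]] = {}
        elif w[:2] == ["ipsec", "policy"] and ctx is None:  # top-level policy, not an interface binding
            ctx = ("policy", w[2]); side.policies[w[2]] = {}
        elif w[0] == "interface": ctx = ("if", w[1]); side.bound.setdefault(w[1], {})
        elif ctx is None: continue
        elif ctx[0] == "acl" and w[0] == "rule" and (m := RULE.search(raw)):
            side.acls[ctx[1]].append(((m[1], m[2]), (m[3], m[4])))
        elif ctx[0] == "peer" and w[0] in ("pre-shared-key", "remote-address"):
            side.ike_peers[ctx[1]]["psk" if w[0] == "pre-shared-key" else "remote"] = w[1]
        elif ctx[0] == "policy":
            if w[:2] == ["security", "acl"]: side.policies[ctx[1]]["acl"] = w[2]
            elif w[0] == "ike-peer": side.policies[ctx[1]]["peer"] = w[1]
        elif ctx[0] == "if":
            if w[:2] == ["ip", "address"]: side.bound[ctx[1]]["ip"] = w[2]
            elif w[:2] == ["ipsec", "policy"]: side.bound[ctx[1]]["policy"] = w[2]
    return side

def tunnel(side):
    """(interface ip, ike peer, acl rules) for the interface that applies an ipsec policy."""
    for b in side.bound.values():
        if "policy" in b:
            pol = side.policies[b["policy"]]
            return b["ip"], side.ike_peers[pol["peer"]], side.acls[pol["acl"]]
    raise ValueError("no interface applies an ipsec policy")

def check_pair(a, b):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    findings = []
    ip_a, peer_a, rules_a = tunnel(a)
    ip_b, peer_b, rules_b = tunnel(b)
    if peer_a["remote"] != ip_b or peer_b["remote"] != ip_a:
        findings.append("remote-address does not match the far end's tunnel interface address")
    if set(rules_a) != {(dst, src) for src, dst in rules_b}:   # each rule must appear reversed on the peer
        findings.append("security ACLs are not mirror images")
    if peer_a.get("psk") != peer_b.get("psk"):
        findings.append("pre-shared keys differ")
    psk = peer_a.get("psk", "")
    if len(psk) < 16 or psk.isdigit():   # heuristic threshold, an assumption of this example
        findings.append(f"pre-shared key {psk!r} is weak; use a long random value")
    return findings
```

Run `check_pair(parse(SIDE_A), parse(SIDE_B))` on the page's two configurations and the only finding is the weak key 1234; reversing one ACL rule or changing one remote-address produces the corresponding finding, which is the kind of mistake that otherwise shows up only as an IKE negotiation that silently never starts.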