Typical configuration for branch-to-branch access on SecPath series firewalls
I. Network requirements:
A site building an IPsec VPN had the following two requirements:
1. All branches connect over ADSL and set up aggressive-mode IPsec with the center; branches need to reach each other, and dynamic routing is not enabled;
2. After a branch boots, it must bring up the VPN to the center automatically, so that the center can maintain the branch remotely.
II. Network diagram
SecPath100F/1000F: Version 3.40, Release 1604 or later.
III. Configuration
1. Main configuration of the center
#
sysname zhongxin
#
ike local-name zhongxin
#
firewall packet-filter enable
firewall packet-filter default permit
#
nat address-group 1 202.38.1.10 202.38.1.11
#
ike dpd 1
#
ike peer fenzhi1
exchange-mode aggressive
pre-shared-key 123
id-type name
remote-name fenzhi1
local-address 202.38.1.1
nat traversal
dpd 1
#
ike peer fenzhi2
exchange-mode aggressive
pre-shared-key 123
id-type name
remote-name fenzhi2
local-address 202.38.1.1
nat traversal
dpd 1
#
ipsec proposal 1
#
ipsec policy-template fenzhi1 1
ike-peer fenzhi1
proposal 1
#
ipsec policy-template fenzhi2 1
ike-peer fenzhi2
proposal 1
#
ipsec policy pol1 1 isakmp template fenzhi1
#
ipsec policy pol1 2 isakmp template fenzhi2
#
acl number 3000
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip
#
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
ip address 202.38.1.1 255.255.255.0
nat outbound 3000 address-group 1
ipsec policy pol1
#
interface GigabitEthernet1/0
loopback
ip address 192.168.100.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.99.1 255.255.255.255
#
firewall zone trust
add interface GigabitEthernet0/0
add interface GigabitEthernet1/0
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/1
set priority 5
firewall interzone DMZ untrust
#
info-center loghost source LoopBack0
info-center loghost 192.168.1.101
#
ip route-static 0.0.0.0 0.0.0.0 202.38.1.2 preference 60
ip route-static 192.168.2.0 255.255.255.0 202.38.1.2 preference 60
ip route-static 192.168.3.0 255.255.255.0 202.38.1.2 preference 60
ip route-static 192.168.99.0 255.255.255.0 202.38.1.2 preference 60
#
2. Main configuration of branch 1
#
sysname fenzhi1
#
info-center loghost source LoopBack0 //set the source interface used for sending logs
info-center loghost 192.168.1.101 //set the address of the log host
#
ike local-name fenzhi1
#
firewall packet-filter enable
firewall packet-filter default permit
#
ike dpd 1
#
ike peer zhongxin
exchange-mode aggressive
pre-shared-key 123
id-type name
remote-name zhongxin
remote-address 202.38.1.1
nat traversal
dpd 1
#
ipsec proposal 1
#
ipsec policy pol1 1 isakmp
security acl 3000
ike-peer zhongxin
proposal 1
#
acl number 3000 //define the protected data flows; the destination covers the other branches' private networks
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.99.2 0 destination 192.168.0.0 0.0.255.255
rule 2 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 3 deny ip
acl number 3001
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip
#
interface Ethernet0/0
loopback
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/1
loopback
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet1/0
ip address 202.38.2.1 255.255.255.0
nat outbound 3001
ipsec policy pol1
#
interface LoopBack0
ip address 192.168.99.2 255.255.255.255
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
ip route-static 0.0.0.0 0.0.0.0 202.38.2.2 preference 60
#
3. Main configuration of branch 2
#
sysname fenzhi2
#
ike local-name fenzhi2
#
firewall packet-filter enable
firewall packet-filter default permit
#
ike dpd 1
#
ike peer zhongxin
exchange-mode aggressive
pre-shared-key 123
id-type name
remote-name zhongxin
remote-address 202.38.1.1
nat traversal
dpd 1
#
ipsec proposal 1
#
ipsec policy pol1 1 isakmp
security acl 3000
ike-peer zhongxin
proposal 1
#
acl number 3000 //define the protected data flows; the destination covers the other branches' private networks
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.99.3 0 destination 192.168.0.0 0.0.255.255
rule 2 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 3 deny ip
acl number 3001
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip
#
interface Ethernet0/0
loopback
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet0/1
loopback
ip address 192.168.30.1 255.255.255.0
#
interface Ethernet1/0
ip address 202.38.3.1 255.255.255.0
nat outbound 3001
ipsec policy pol1
#
interface LoopBack0
ip address 192.168.99.3 255.255.255.255
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
info-center loghost source LoopBack0 //set the source interface used for sending logs
info-center loghost 192.168.99.101 //set the address of the log host
#
ip route-static 0.0.0.0 0.0.0.0 202.38.3.2 preference 60
#
IV. Key configuration points
If the branch devices support the BIMS feature, automatic IPsec establishment can also be achieved that way.
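Added example, not part of the original case: a small first-match evaluator over branch 1's acl 3000 and acl 3001 using the wildcard-mask semantics shown above. It illustrates why a branch-to-branch flow is kept out of NAT and encrypted toward the center, and that a source not listed in the security ACL would leave in the clear. The example assumes that NAT outbound is evaluated before the IPsec policy on the outgoing interface, which is what the deny rule in acl 3001 relies on.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Comware wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)

# Rule tuples: (action, src base, src wildcard, dst base, dst wildcard); None = any.
# Constructed from the branch-1 ACLs in this case.
ACL_3000 = [  # security acl: flows to encrypt toward the center, incl. other branches
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.99.2", "0.0.0.0", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.20.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("deny", None, None, None, None),
]
ACL_3001 = [  # nat outbound acl: private-to-private traffic must stay un-NATed
    ("deny", "192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),
    ("permit", None, None, None, None),
]

def acl_action(acl, src, dst):
    """First-match evaluation; a flow matching no rule is treated as deny."""
    for action, sb, sw, db, dw in acl:
        if (sb is None or wildcard_match(src, sb, sw)) and \
           (db is None or wildcard_match(dst, db, dw)):
            return action
    return "deny"

def classify(src, dst):
    """Outcome for a packet leaving branch 1's Ethernet1/0 (assumed order:
    NAT outbound first, then the IPsec policy). A flow that acl 3001 permits
    is source-translated and can no longer match acl 3000."""
    if acl_action(ACL_3001, src, dst) == "permit":
        return "nat"      # translated to 202.38.2.1, sent in the clear
    if acl_action(ACL_3000, src, dst) == "permit":
        return "ipsec"    # encrypted to the center, which forwards it on
    return "plain"        # neither NATed nor protected: leaves unencrypted

if __name__ == "__main__":
    for flow in [("192.168.2.10", "192.168.3.10"),   # branch 1 -> branch 2
                 ("192.168.99.2", "192.168.1.101"),  # syslog from LoopBack0
                 ("192.168.2.10", "8.8.8.8"),        # Internet-bound traffic
                 ("192.168.5.1", "192.168.1.1")]:    # source missing from acl 3000
        print(flow, "->", classify(*flow))
```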