• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 全部
  • 全部
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
高级搜索

V7设备与Juniper防火墙做ipsec

2019-11-28 发表
  • 0关注
  • 0收藏,281浏览
程咪 九段
粉丝:20人 关注:1人

问题描述

V7设备与Juniper防火墙做ipsec

解决方法

功能需求:

总部双出口,分支为Juniper防火墙,为了保证总部于分支的局域网可以正常互通,同时,也要保证数据传输的安全性,需要使用ipsec VPN来实现该功能

组网信息及描述:

总部存在172.16.0.0/16的网段,分支存在192.168.0.0/16的网段,两端通过固定地址建立ipsec VPN

 

配置步骤:

1 步:我司设备主要配置
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Ethernet1/0
 port link-mode route
#
interface Ethernet1/0.1
 ip policy-based-route 1
#
interface Ethernet1/0.2
 ip address 172.16.2.1 255.255.255.0
 vlan-type dot1q vid 2
 ip policy-based-route 1
#
interface Ethernet1/0.3
 ip address 172.16.3.1 255.255.255.0
 vlan-type dot1q vid 3
 ip policy-based-route 1
#
interface Ethernet1/0.4
 ip address 172.16.4.1 255.255.255.0
 vlan-type dot1q vid 4
 ip policy-based-route 1
#
interface Ethernet1/0.5
 ip address 172.16.5.1 255.255.255.0
 vlan-type dot1q vid 5
 ip policy-based-route 1
#
interface Ethernet1/1
 port link-mode route
#
interface Ethernet1/1.1
 ip policy-based-route 1
#
interface Ethernet1/1.2
 ip policy-based-route 1
#
interface Ethernet1/1.6
 ip address 172.16.6.1 255.255.255.0
 vlan-type dot1q vid 6
 ip policy-based-route 1
#
interface Ethernet1/2
 port link-mode route
#
interface Ethernet1/2.7
 ip address 172.16.7.1 255.255.255.0
 vlan-type dot1q vid 7
 ip policy-based-route 1
#
interface Ethernet1/3
 port link-mode route
#
interface Virtual-Template1
 ppp authentication-mode chap domain system
 remote address pool 7
 ip address 172.16.10.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0        
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 219.133.71.196 255.255.255.248
 nat outbound 3006
 ipsec apply policy JJS               //
绑定ipsec策略
#
 ip route-static 0.0.0.0 0 Dialer1     //
此路由作为备份
 ip route-static 0.0.0.0 0 219.133.71.193 preference 50          //
默认路由优先走固定地址接口
 ip route-static 119.147.92.158 32 219.133.71.193
#
acl advanced 3005       //
配置ipsec的感兴趣流
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
acl advanced 3006         //
配置地址转换acl,禁止ipsec感兴趣流量进行抵制转换
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255   
 rule 5 permit ip

#
ipsec transform-set JJS          //
创建ipsec安全提议
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
 pfs dh-group2
#
ipsec policy JJS 10 isakmp          //
创建ipsec策略
 transform-set JJS
 security acl 3005
 local-address 219.133.71.196
 remote-address 119.147.92.158
 ike-profile JJS
 sa duration time-based 3600
#
ike profile JJS         //
创建ipsec  profile
 keychain JJS
 local-identity address 219.133.71.196
 match remote identity address 119.147.92.158 255.255.255.255
 proposal 1
#
ike proposal 1          //
创建ike  proposal
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
 sa duration 28800
#
ike keychain JJS            //
创建ike  kenchain
 pre-shared-key address 119.147.92.158 255.255.255.255 key cipher $c$3$YsnapP3lxP/mnLekI3KOLxuzakii9rW6NQ==
#             
return

2 步:Juniper配置

1、创建ike  proposal

http://kms.h3c.com/uploadfile/20151103/141255774001127153738.png

2、创建ike对等体,使用主模式对接

http://kms.h3c.com/uploadfile/20151103/141338268401743939179.png

3、创建ike对等体的预共享密钥

 

http://kms.h3c.com/uploadfile/20151103/141418984401214721836.png

4、在ike对等体中指定对端公网地址

http://kms.h3c.com/uploadfile/20151103/14153852880398378782.png

5、配置ipsec  proposal

http://kms.h3c.com/uploadfile/20151103/14165370520175210814.png

6、配置ipsec策略,使用dh-group2

http://kms.h3c.com/uploadfile/20151103/14175222080571428251.png

7、创建ipsec策略,绑定ike对等体和ipsec模版

 

http://kms.h3c.com/uploadfile/20151103/141850939201243951793.png

8、创建ipsec感兴趣流量

  
return
http://kms.h3c.com/uploadfile/20151103/142038438801132151374.png

9、将ipsec策略调用到相应的域间策略上,两个方向都需要调用。

http://kms.h3c.com/uploadfile/20151103/14212597200793358628.png

http://kms.h3c.com/uploadfile/20151103/14223801280244386356.png

 

 

3 步:结果验证

 
[H3C-JJS]disp ike sa
    Connection-ID   Remote                Flag         DOI   
------------------------------------------------------------------
    3741            119.147.92.158        RD           IPsec 
Flags:
RD--READY RL--REPLACED FD-FADING
[H3C-JJS]disp ips sa
-------------------------------
Interface: GigabitEthernet0/1
-------------------------------

  -----------------------------
  IPsec policy: JJS
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy: dh-group2
    Inside VPN:
    Path MTU: 1443
    Tunnel:
        local  address: 219.133.71.196
        remote address: 119.147.92.158
    Flow:
        sour addr: 172.16.0.0/255.255.0.0  port: 0  protocol: ip
        dest addr: 192.168.0.0/255.255.0.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3719319854 (0xddb0512e)
      Connection ID: 7743826034786
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/28800
      SA remaining duration (kilobytes/sec): 1843200/2206
      Max received sequence-number: 0
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 159650169 (0x09841179)
      Connection ID: 11343008628835
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/28800
      SA remaining duration (kilobytes/sec): 1839651/2206
      Max sent sequence-number: 55990
      UDP encapsulation used for NAT traversal: N
      Status: Active

1 步:我司设备主要配置


#
policy-based-route 1 permit node 1
 if-match acl 3002
 apply output-interface Dialer1
#
policy-based-route 1 permit node 2
 if-match acl 3003               //
创建空节点,使内网互访的流量不走策略路由
#
policy-based-route 1 permit node 3
 if-match acl 3004                  //
创建空节点,使ipsec互访的流量不走策略路由
#
policy-based-route 1 permit node 4
 if-match acl 3001
 apply output-interface Dialer1
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Dialer1      //
配置拨号
 ppp chap password cipher $c$3$wfoaPwdpecAprIG9fHN700HiHoIG3KIlgtVk
 ppp chap user 075506566013@163.gd
 ppp pap local-user 075506566013@163.gd password cipher $c$3$WWO/uBLpX90iMJRESCyeJKLNv3dsxAyNUl+1
 dialer bundle enable
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 60
 ip address ppp-negotiate
 nat outbound 3001
#
interface Ethernet1/0
 port link-mode route
#
interface Ethernet1/0.1
 ip policy-based-route 1
#
interface Ethernet1/0.2
 ip address 172.16.2.1 255.255.255.0
 vlan-type dot1q vid 2
 ip policy-based-route 1
#
interface Ethernet1/0.3
 ip address 172.16.3.1 255.255.255.0
 vlan-type dot1q vid 3
 ip policy-based-route 1
#
interface Ethernet1/0.4
 ip address 172.16.4.1 255.255.255.0
 vlan-type dot1q vid 4
 ip policy-based-route 1
#
interface Ethernet1/0.5
 ip address 172.16.5.1 255.255.255.0
 vlan-type dot1q vid 5
 ip policy-based-route 1
#
interface Ethernet1/1
 port link-mode route
#
interface Ethernet1/1.1
 ip policy-based-route 1
#
interface Ethernet1/1.2
 ip policy-based-route 1
#
interface Ethernet1/1.6
 ip address 172.16.6.1 255.255.255.0
 vlan-type dot1q vid 6
 ip policy-based-route 1
#
interface Ethernet1/2
 port link-mode route
#
interface Ethernet1/2.7
 ip address 172.16.7.1 255.255.255.0
 vlan-type dot1q vid 7
 ip policy-based-route 1
#
interface Ethernet1/3
 port link-mode route
#
interface Virtual-Template1
 ppp authentication-mode chap domain system
 remote address pool 7
 ip address 172.16.10.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
#
interface GigabitEthernet0/0        //0
口为拨号上网接口
 port link-mode route
 combo enable copper
 tcp mss 1460
 pppoe-client dial-bundle-number 1         
#
interface GigabitEthernet0/1
 port link-mode route
 mtu 1400
 ip address 219.133.71.196 255.255.255.248
 tcp mss 1024
 nat outbound 3006
 nat server protocol tcp global 219.133.71.196 1521 inside 172.16.7.53 1521
 nat server protocol tcp global 219.133.71.196 8081 inside 172.16.2.218 8081
 nat server protocol tcp global 219.133.71.196 33099 inside 172.16.6.121 3389
 ipsec apply policy JJS               //
绑定ipsec策略
#
interface GigabitEthernet0/2
 port link-mode route
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 Dialer1     //
此路由作为备份
 ip route-static 0.0.0.0 0 219.133.71.193 preference 50          //
默认路由优先走固定地址接口
 ip route-static 119.147.92.158 32 219.133.71.193
#
acl advanced 3001
 rule 0 permit ip source 172.16.0.0 0.0.255.255
 rule 10 permit icmp
#
acl advanced 3002
 rule 1 permit ip destination 119.147.92.139 0
 rule 3 permit ip destination 119.147.92.141 0
 rule 5 permit ip destination 119.147.92.142 0
 rule 7 permit ip destination 119.147.92.146 0
 rule 9 permit ip destination 119.147.92.148 0
 rule 11 permit ip destination 119.147.92.149 0
 rule 13 permit ip destination 119.147.92.150 0
 rule 15 permit ip destination 119.147.92.154 0
#
acl advanced 3003
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
 rule 5 permit ip destination 119.147.92.0 0.0.0.255
 rule 10 deny ip source 172.16.7.53 0 destination 172.16.0.0 0.0.255.255
 rule 15 permit ip source 172.16.7.53 0
 rule 20 deny ip source 172.16.2.218 0 destination 172.16.0.0 0.0.255.255
 rule 25 permit ip source 172.16.2.218 0
 rule 30 deny ip source 172.16.6.121 0 destination 172.16.0.0 0.0.255.255
 rule 35 permit ip source 172.16.6.121 0
#
acl advanced 3004
 rule 5 permit ip destination 172.16.10.0 0.0.0.255
 rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
acl advanced 3005       //
配置ipsec的感兴趣流
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
#
acl advanced 3006         //
配置地址转换acl,禁止ipsec感兴趣流量进行抵制转换
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255   
 rule 5 permit ip

#
ipsec transform-set JJS          //
创建ipsec安全提议
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
 pfs dh-group2
#
ipsec policy JJS 10 isakmp          //
创建ipsec策略
 transform-set JJS
 security acl 3005
 local-address 219.133.71.196
 remote-address 119.147.92.158
 ike-profile JJS
 sa duration time-based 3600
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name LNS
#
 l2tp enable
#
ike profile JJS         //
创建ipsec  profile
 keychain JJS
 local-identity address 219.133.71.196
 match remote identity address 119.147.92.158 255.255.255.255
 proposal 1
#
ike proposal 1          //
创建ike  proposal
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
 sa duration 28800
#
ike keychain JJS            //
黄建ike  kenchain
 pre-shared-key address 119.147.92.158 255.255.255.255 key cipher $c$3$YsnapP3lxP/mnLekI3KOLxuzakii9rW6NQ==
#             
return

2 步:Juniper配置

1、创建ike  proposal


2、创建ike对等体,使用主模式对接


3、创建ike对等体的预共享密钥


4、在ike对等体中指定对端公网地址


5、配置ipsec  proposal


6、配置ipsec策略,使用dh-group2


7、创建ipsec策略,绑定ike对等体和ipsec模版


8、创建ipsec感兴趣流量

 

9、将ipsec策略调用到相应的域间策略上,两个方向都需要调用。



3 步:结果验证

 
[H3C-JJS]disp ike sa
    Connection-ID   Remote                Flag         DOI   
------------------------------------------------------------------
    3741            119.147.92.158        RD           IPsec 
Flags:
RD--READY RL--REPLACED FD-FADING
[H3C-JJS]disp ips sa
-------------------------------
Interface: GigabitEthernet0/1
-------------------------------

  -----------------------------
  IPsec policy: JJS
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy: dh-group2
    Inside VPN:
    Path MTU: 1443
    Tunnel:
        local  address: 219.133.71.196
        remote address: 119.147.92.158
    Flow:
        sour addr: 172.16.0.0/255.255.0.0  port: 0  protocol: ip
        dest addr: 192.168.0.0/255.255.0.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3719319854 (0xddb0512e)
      Connection ID: 7743826034786
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/28800
      SA remaining duration (kilobytes/sec): 1843200/2206
      Max received sequence-number: 0
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 159650169 (0x09841179)
      Connection ID: 11343008628835
      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/28800
      SA remaining duration (kilobytes/sec): 1839651/2206
      Max sent sequence-number: 55990
      UDP encapsulation used for NAT traversal: N
      Status: Active

 

 

 

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +
<

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作