防火墙v7 ipsec vpn中心点与分支配置
- 1关注
- 1收藏,1911浏览
最佳答案
总部采用MSR36路由器,分支采用MSR20路由器
总部与分支建立野蛮模式IPSec VPN
MSR36 代表总部,GE0/1 IP地址17.1.1.2/24,Loopback 0 IP地址2.2.2.2/32代表PC-B;
MSR20 代表分支,E0/1 IP地址17.1.1.1/24,Loopback 0 IP地址1.1.1.1代表PC-A;
1 配置总部路由器:
配置Loopback 0,代表PC-B:
[H3C]interface LoopBack 0
[H3C-LoopBack0] ip address 2.2.2.2 255.255.255.255
配置IKE本地标识:
[H3C] ike identity fqdn nxjt
配置IKE Keychain,配置总部与分支之间协商IKE采用的预共享密钥。若分支无公网IP地址时,这里需要采用Name的方式,分支Name需要与分支侧设置的一致:
[H3C]ike keychain sqgc
[H3C-ike-keychain-sqgc] pre-shared-key hostname sqgc key simple 123
配置两个分支对应的IKE Profile,调用配置的IKE Keychain,采用野蛮模式,并分别匹配对端配置的IKE Name:
[H3C]ike profile sqgc] keychain sqgc
[H3C-ike-profile-sqgc] exchange-mode aggressive
[H3C-ike-profile-sqgc] local-identity fqdn nxjt
[H3C-ike-profile-sqgc] match remote identity fqdn sqgc
配置IPSEC 安全提议,采用隧道模式,认证算法使用MD5,加密算法使用Des-cbc:
[H3C]ipsec transform-set sqgc
[H3C-ipsec-transform-set-sqgc] encapsulation-mode tunnel
[H3C-ipsec-transform-set-sqgc] esp encryption-algorithm des-cbc
[H3C-ipsec-transform-set-sqgc] esp authentication-algorithm md5
配置ipsec策略模版:
[H3C]ipsec policy-template sqgc 1
[H3C-ipsec-policy-template-sqgc-1] transform-set sqgc
[H3C-ipsec-policy-template-sqgc-1] ike-profile sqgc
[H3C-ipsec-policy-template-sqgc-1] local-address 17.1.1.2
配置ipsec 策略,并调用策略模版:
[H3C]ipsec policy nxjt 1 isakmp template sqgc
配置到分支网段静态路由:
[H3C]ip route-static 1.1.1.1 32 17.1.1.1
在外网接口上应用ipsec策略:
[H3C]interface GigabitEthernet0/1
[H3C-GigabitEthernet0/1] ip address 17.1.1.2 255.255.255.252
[H3C-GigabitEthernet0/1] nat outbound
[H3C-GigabitEthernet0/1] ipsec apply policy nxjt
2 配置分支路由:
配置Loopback 0,代表PC-A:
[H3C]interface LoopBack 0
[H3C-LoopBack0] ip address 1.1.1.1 255.255.255.255
配置IKE本地标识:
[H3C]ike local-name sqgc
配置安全acl,匹配感兴趣数据流:
[H3C]acl number 3001
[H3C-acl-adv-3001] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
配置IKE Peer,采用野蛮模式,并开启Nat穿越
[H3C]ike peer nxjt
[H3C-ike-peer-nxjt] exchange-mode aggressive
[H3C-ike-peer-nxjt] pre-shared-key simple 123
[H3C-ike-peer-nxjt] id-type name
[H3C-ike-peer-nxjt] remote-name nxjt
[H3C-ike-peer-nxjt] remote-address 17.1.1.2
[H3C-ike-peer-nxjt] nat traversal
配置IPSec安全提议,采用隧道模式,认证算法使用MD5,加密算法使用Des-cbc,与总部配置保持一致:
[H3C]ipsec transform-set nxjt
[H3C-ipsec-transform-set-nxjt] transform esp
[H3C-ipsec-transform-set-nxjt] esp authentication-algorithm md5
[H3C-ipsec-transform-set-nxjt] esp encryption-algorithm des
配置IPSec策略,调用IKE Peer、安全acl及IPSec 安全策略:
[H3C]ipsec policy nxjt 1
[H3C-ipsec-policy-isakmp-nxjt-1] ike-peer nxjt
[H3C-ipsec-policy-isakmp-nxjt-1] security acl 3001
[H3C-ipsec-policy-isakmp-nxjt-1]transform-set default
接口上应用IPSec策略:
[H3C]int e0/1
[H3C-Ethernet0/1] ip address 17.1.1.1 255.255.255.0
[H3C-Ethernet0/1] nat outbound
[H3C-Ethernet0/1] ipsec no-nat-process enable
[H3C-Ethernet0/1] ipsec policy nxjt
配置到总部网段静态路由:
[H3C]ip route-static 2.2.2.2 255.255.255.255 17.1.1.2
测试结果:
从分支路由器带源地址1.1.1.1去ping总部2.2.2.2,尝试建立ipsec:
[H3C]ping -a 1.1.1.1 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Request time out
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 3/3/3 ms
分支路由器dis ike sa/dis ipsec sa:
分支路由器可以看到ike协商的两个阶段都正常建立起来:
[H3C]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
36 17.1.1.2 RD|ST 1 IPSEC
37 17.1.1.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK—REKEY
[H3C]dis ipsec sa
===============================
Interface: Ethernet0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "nxjt"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
PFS: N, DH group: none
tunnel:
local address: 17.1.1.1
remote address: 17.1.1.2
flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
总部路由器dis ike sa,
[H3C]dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
27 17.1.1.1 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING
1 IKE Peer中调用Proposal时,需要注意V5和V7版本的默认参数:
V5:
[H3C]dis ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
1 PRE_SHARED MD5 3DES_CBC MODP_768 86400
default PRE_SHARED SHA DES_CBC MODP_768 86400
V7:
[H3C]dis ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 PRE-SHARED-KEY MD5 3DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
MODP_768 与Group 1是一样的,只是表示方式不同。
2 组网中两台设备互联接口均配置了Nat功能,所以在V5设备中需开启Nat穿越功能,V7设备默认支持Nat穿越,无需配置,设备上也没有去配置的命令。
3 V5设备在出口上配置nat转换时,需要将建立IPSec的感兴趣数据流先Deny掉,确保源地址1.1.1.1能够正确进入IPSec的数据封装程序。或在该接口上开启ipsec no-nat-process enable,该命令在V5设备较早的版本中可能没有。
- 2020-12-22回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论