One end is a V7 firewall and the other a V3 firewall. Both ends have fixed public addresses, and the IPsec tunnel is negotiated in IKE main mode.
V7 firewall configuration
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 222.72.136.19 255.255.255.0
nat outbound 3333
ipsec apply policy ipsec
#
acl advanced 3009
rule 3 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.33 0
#
ipsec transform-set ipsec
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy ipsec 10 isakmp
transform-set ipsec
security acl 3009
local-address 222.72.136.19
remote-address 222.188.87.30
ike-profile ipsec
#
ike profile ipsec
keychain ipsec
local-identity address 222.72.136.19
match remote identity address 222.188.87.30 255.255.255.255
match local address GigabitEthernet1/0/0
proposal 10
#
ike proposal 10
authentication-algorithm md5
#
ike keychain ipsec
match local address GigabitEthernet1/0/0
pre-shared-key address 222.188.87.30 255.255.255.255 key simple password
#
ip route-static 192.168.10.33 32 222.72.136.1
Permit the traffic in the security policy.
In NAT ACL 3333, deny the IPsec-protected traffic so that it is not translated before encryption.
V3 firewall configuration
ike proposal 1
authentication-algorithm md5
#
ike peer 304
pre-shared-key Sh123456
remote-address 222.72.136.19
#
ipsec proposal 1
#
ipsec policy 1 1 isakmp
security acl 3001
ike-peer 304
proposal 1
#
acl number 3001
rule 3 permit ip source 192.168.10.33 0 destination 192.168.0.0 0.0.0.255
#
interface Ethernet1/0
ip address 222.188.87.30 255.255.255.252
nat outbound 3002
ipsec policy 1
#
ip route-static 192.168.0.0 255.255.255.0 222.72.136.19 preference 60
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
firewall interzone untrust local
In NAT ACL 3002, deny the IPsec-protected traffic so that it is not translated before encryption.
Output after the IPsec tunnel is established
Display on the V7 firewall after successful negotiation
Connection-ID Remote Flag DOI
------------------------------------------------------------------
8 222.188.87.30 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
-------------------------------
Interface: GigabitEthernet1/0/0
-------------------------------
-----------------------------
IPsec policy: ipsec
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 222.72.136.19
remote address: 222.188.87.30
Flow:
sour addr: 192.168.0.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.10.33/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2455731241 (0x925f7c29)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3043
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1861584833 (0x6ef587c1)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3043
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
Display on the V3 firewall after successful negotiation
Total IKE phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
6988 222.72.136.19 RD 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
===============================
Interface: Ethernet1/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
mode: isakmp
-----------------------------
Created by: "Host"
connection id: 16
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 222.188.87.30
remote address: 222.72.136.19
flow: (8 times matched)
sour addr: 192.168.10.33/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.0.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1861584833 (0x6ef587c1)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa key duration (bytes/sec): 1887436800/3600
1. On the V3 firewall, interfaces pass all traffic by default; the security policy is implemented with packet filtering.
2. In the NAT ACLs of both the V7 and the V3 firewall, the IPsec-protected traffic must be denied.
3. On the V7 firewall, security policies must permit traffic from the outside interface to local and from the inside interface to the outside interface.
4. Any parameter not shown in the configuration uses its default value.
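As an added verification aid that is not part of the original case, the following Python script parses excerpts of the two displays above (copied from them, labelled as constructed input), confirms that the SPI the V3 side receives on is the one the V7 side sends with and that the protected flows are mirror images, and flags the DES/MD5 algorithms negotiated here as legacy. The finding texts are the script's own wording.

```python
import re
# Constructed excerpts: the flow and SA lines from each firewall's display above.
V7_SA = """\
sour addr: 192.168.0.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.10.33/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2455731241 (0x925f7c29)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
[Outbound ESP SAs]
SPI: 1861584833 (0x6ef587c1)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
"""
V3_SA = """\
sour addr: 192.168.10.33/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.0.0/255.255.255.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1861584833 (0x6ef587c1)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
"""
LEGACY = {"des", "3des", "md5"}  # algorithms no longer adequate for ESP

def parse_sa(text):
    """Extract flow, per-direction SPIs and algorithm names (handles both dialects)."""
    info = {"src": None, "dst": None, "inbound": [], "outbound": [], "algs": set()}
    direction = None
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith(("sour addr:", "dest addr:")):
            info["src" if low[0] == "s" else "dst"] = low.split()[2]
        elif low.startswith("["):                # "[inbound ESP SAs]" / "[outbound ...]"
            direction = low[1:].split()[0]
        elif low.startswith("spi:") and direction:
            info[direction].append(int(re.search(r"0x[0-9a-f]+", low).group(), 16))
        elif low.startswith(("transform set:", "proposal:")):
            info["algs"].update(low.split(":", 1)[1].split())
    return info

def cross_check(v7, v3):
    """Return a list of findings for the pair of excerpts; empty means healthy."""
    findings = []
    if (v7["src"], v7["dst"]) != (v3["dst"], v3["src"]):
        findings.append("protected flows are not mirror images")
    if not set(v3["inbound"]) <= set(v7["outbound"]):  # receive SPI must be peer's send SPI
        findings.append("V3 inbound SPI missing from V7 outbound SAs")
    if v3["outbound"] and not set(v7["inbound"]) <= set(v3["outbound"]):
        findings.append("V7 inbound SPI missing from V3 outbound SAs")
    weak = sorted({a for s in (v7, v3) for a in s["algs"] if LEGACY & set(a.split("-"))})
    if weak:
        findings.append("legacy algorithms negotiated: " + ", ".join(weak))
    return findings
```

Running `cross_check(parse_sa(V7_SA), parse_sa(V3_SA))` on the case's own output reports only the legacy-algorithm finding; a mismatched SPI or non-mirrored ACL would add a finding for that.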