原创
总部与分支机构之间确立点到点IPSec ***(【预共】享密钥认证)
组网需求
如『图』1所示, *** A和 *** B通过NGFW_A和NGFW_B{连接到}Internet,NGFW_A和NGFW_B公网路由可达。现需要在NGFW_A和NGFW_B之间确立IKE方式【(的)】IPSec 隧道[,使 *** A和 *** B「【(的)】用户可通过」IPSec 隧道[平安互访。
『图』1 IKE 协商方式【(的)】点到点[IPSec 隧道[举例组网『图』
数据计划
〖{<设置>}〗思绪
NGFW_A和NGFW_B【(的)】〖{<设置>}〗思绪相同。
1. 〖{<设置>}〗接口IP地址并将接口加入到平安区域。
2. 〖{<设置>}〗平安计谋。
3. 〖{<设置>}〗到对端内网【(的)】路由。
4. 〖{<设置>}〗IPSec计谋。包罗〖{<设置>}〗IPSec计谋【(的)】基本信息、〖{<设置>}〗待加密【(的)】数据流、〖{<设置>}〗『平安提议』【(的)】协商参数。
(操作步)骤
· 〖{<设置>}〗NGFW_A(总部)。
1. 〖{<设置>}〗接口IP地址。
<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit2. 〖{<设置>}〗接口加入响应平安区域。
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit3. 〖{<设置>}〗平安计谋。
a. 〖{<设置>}〗Trust域与Untrust域【(的)】平安计谋,允许封装前和解封后【(的)】报文能通过NGFW_A。
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quitb. 〖{<设置>}〗Local域与Untrust域【(的)】平安计谋,允许IKE协商报文能正常通过NGFW_A。
[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit4. 〖{<设置>}〗到达对端私网【(的)】路由。假设NGFW_A通往NGFW_B侧【(的)】下一跳装备【(的)】IP地址为1.1.3.2。
[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2
5. 〖{<设置>}〗NGFW_A【(的)】IPSec 隧道[。
a. 〖{<设置>}〗接见控制列表,界说需要珍爱【(的)】数据流。
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quitb. 〖{<设置>}〗序号为10【(的)】IKE『平安提议』。
[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quitc. 〖{<设置>}〗IKE Peer。
,,(www.huangguan.us)是一个提供皇冠 *** APP下载、皇冠会员APP下载、皇冠体育最新登录线路、新2 皇冠网址【(的)】【(的)】体[育平台。{也只有}皇冠APP可以真正地带给你顶级体育赛事【(的)】娱乐体验感。立马一键皇冠体育开户,世界体育赛事等你欣赏。
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quitd. 〖{<设置>}〗名称为tran1【(的)】IPSec『平安提议』。
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quite. 〖{<设置>}〗IPSec平安计谋组map1。
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quitf. 在出接口GigabitEthernet 1/0/1上应用平安计谋组map1。
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit· 〖{<设置>}〗NGFW_B(分支)。
1. 〖{<设置>}〗接口IP地址。
<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit2. 〖{<设置>}〗接口加入响应平安区域。
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit3. 〖{<设置>}〗平安计谋。
a. 〖{<设置>}〗Trust域与Untrust域【(的)】平安计谋,允许封装前和解封后【(的)】报文能通过NGFW_B。
[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quitb. 〖{<设置>}〗Local域与Untrust域【(的)】平安计谋,允许IKE协商报文能正常通过NGFW_B。
[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit4. 〖{<设置>}〗到达对端私网【(的)】路由。假设NGFW_B通往NGFW_A侧【(的)】下一跳装备【(的)】IP地址为1.1.5.2。
[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2
5. 〖{<设置>}〗NGFW_B【(的)】IPSec 隧道[。
a. 〖{<设置>}〗接见控制列表,界说需要珍爱【(的)】数据流。
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quitb. 〖{<设置>}〗序号为10【(的)】IKE『平安提议』。
[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quitc. 〖{<设置>}〗IKE Peer。
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quitd. 〖{<设置>}〗名称为tran1【(的)】IPSec『平安提议』。
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quite. 〖{<设置>}〗IPSec平安计谋组map1。
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quitf. 在出接口GigabitEthernet 1/0/1上应用平安计谋组map1。
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit效果验证
1. 〖{<设置>}〗乐成后,在NGFW_A上执行display ike sa『下令』,《查看》IKE平安同盟【(的)】确立情形,【泛起以下显示说明】IKE平安同盟确立乐成。
[NGFW_A] display ike sa
current ike sa number: 2
---------------------------------------------------------------------------
conn-id peer flag phase ***
---------------------------------------------------------------------------
3 1.1.5.1 RD|ST|A v1:2 public
2 1.1.5.1 RD|ST|A v1:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY
A--ALONE2. 在NGFW_A上执行display ipsec sa『下令』,《查看》IPSec平安同盟【(的)】确立情形,【泛起以下显示说明】IPSec平安同盟确立乐成。
[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
***: 0
-----------------------------
connection id: 3
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 12s
tunnel local : 1.1.3.1 tunnel remote: 1.1.5.1
flow source: 10.1.1.0/255.255.255.0 0/0
flow destination: 10.1.2.0/255.255.255.0 0/0
[inbound ESP SAs]
spi: 3715780278 (0xdd7a4eb6)
***: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max received sequence-number: 1
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3312146193 (0xc56b5711)
***: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max sent sequence-number: 1
udp encapsulation used for nat traversal: N〖{<设置>}〗 剧[本
· NGFW_A(总部)【(的)】〖{<设置>}〗 剧[本
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer b
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.5.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer b
alias map1_10
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit· NGFW_B(分支)【(的)】〖{<设置>}〗 剧[本
#
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer a
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.5.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit
©著作权归作者所有:来自51CTO博客作者mb5fca0c87ea3a4【(的)】原创作品,如需转载,请注明出处,否则将追究法律责任
java
0
珍藏
上一篇:NAT〖{<设置>}〗—常见问题 下一篇:L3***+VRRP综合实验
环球UG官网声明:该文看法仅代表作者自己,与本平台无关。转载请注明:欧博app下载(allbet6.com):总部与分支机构之间确‘立点到’点IPSec ***(预共享密钥认证)
Allbetwww.allbetgame.us欢迎进入欧博亚洲(Allbet Game),Allbet是欧博亚洲的官方网站。欧博亚洲开放Allbet注册、Allbe代理、Allbet电脑客户端、Allbet手机版下载等业务。内容好精彩啊
欧博注册网址www.sunbet.us欢迎进入欧博网址(Allbet Gaming),欧博网址开放会员注册、代理开户、电脑客户端下载、苹果安卓下载等业务。这个不火不科学
Allbet Gamingwww.sunbet.us欢迎进入欧博平台网站(Allbet Gaming),Allbet Gaming开放欧博平台网址、欧博注册、欧博APP下载、欧博客户端下载、欧博真人游戏(百家乐)等业务。作者人很好噢
USDT支付平台菜包钱包(caibao.it)是使用TRC-20协议的Usdt第三方支付平台。免费提供Usdt钱包支付接口、Usdt自动充值接口、Usdt无需实名寄售回收。菜包Usdt钱包一键生成Usdt钱包、一键调用API接口、一键无实名出售Usdt。有新意呀
USDT无需实名菜包钱包(caibao.it)是使用TRC-20协议的Usdt第三方支付平台。免费提供Usdt钱包支付接口、Usdt自动充值接口、Usdt无需实名寄售回收。菜包Usdt钱包一键生成Usdt钱包、一键调用API接口、一键无实名出售Usdt。好文不用推广
欧博网址开户www.allbet6.com欢迎进入欧博网址(Allbet Gaming),欧博网址开放会员注册、代理开户、电脑客户端下载、苹果安卓下载等业务。马马虎虎,反正不差
作者:今古传奇作者三观很好
开始,我在这里住得还很习惯,虽然是跟女房东同住,但彼此并不怎么照面。女房东在郊外农村还买了一户小院落,每天都去种花种菜。马马虎虎,反正不差
皇冠注册平台www.huangguan.us是一个提供皇冠代理APP下载、皇冠会员APP下载、皇冠体育最新登录线路、新2皇冠网址的的体育平台。新皇冠体育官网是多年来值得广大客户信赖的平台,我们期待您的到来!哈哈,好欢乐
菜宝钱包(caibao.it)是使用TRC-20协议的Usdt第三方支付平台,Usdt收款平台、Usdt自动充提平台、usdt跑分平台。免费提供入金通道、Usdt钱包支付接口、Usdt自动充值接口、Usdt无需实名寄售回收。菜宝Usdt钱包一键生成Usdt钱包、一键调用API接口、一键无实名出售Usdt。作者三观很好