Point-to-point IPSec *** configuration

2021-06-20 11:51:33  Views: 205  Source: Internet

Tags: configuration, point-to-point, rule, ike, policy, security, FW1, FW2, IPSec


![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159727381514.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

1. Basic configuration: IP addresses, security zones and routes

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159760328495.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/0
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159783136296.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW2-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2-GigabitEthernet1/0/1]ip add 10.1.2.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/0
```

Default routes on both firewalls point at the peer's outbound interface:

```
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW2]ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
```

2. Configure the point-to-point IPSec ***

(1) Configure the security policies: ipsec1 permits traffic between site A and site B, and ipsec2 permits the IKE negotiation packets and the encrypted packets exchanged between the two firewalls.

```
[FW1]security-policy
[FW1-policy-security]rule name ipsec1
[FW1-policy-security-rule-ipsec1]source-zone trust
[FW1-policy-security-rule-ipsec1]source-zone untrust
[FW1-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]destination-zone trust
[FW1-policy-security-rule-ipsec1]destination-zone untrust
[FW1-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]action permit
[FW1-policy-security]rule name ipsec2
[FW1-policy-security-rule-ipsec2]source-zone local untrust
[FW1-policy-security-rule-ipsec2]destination-zone local untrust
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159797736795.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW2]security-policy
[FW2-policy-security]rule name ipsec1
[FW2-policy-security-rule-ipsec1]source-zone trust untrust
[FW2-policy-security-rule-ipsec1]destination-zone trust untrust
[FW2-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]action permit
[FW2-policy-security]rule name ipsec2
[FW2-policy-security-rule-ipsec2]source-zone local untrust
[FW2-policy-security-rule-ipsec2]destination-zone local untrust
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.2 32   // the original text repeated 20.1.1.1 here; both endpoints must be listed, as on FW1
[FW2-policy-security-rule-ipsec2]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159823796907.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

(2) Configure the IPSec policy

```
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255   // match the traffic to be protected
[FW1]ipsec proposal propab                       // IPSec proposal
[FW1-ipsec-proposal-propab]encapsulation-mode auto   // encapsulation mode: auto
[FW1]ike proposal 1                              // IKE proposal
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96   // IKE proposal integrity algorithm: AES-XCBC-96
[FW1]ike peer ikeab                              // IKE peer
[FW1-ike-peer-ikeab]exchange-mode auto           // exchange mode between the peers: auto
[FW1-ike-peer-ikeab]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeab]ike-proposal 1
[FW1-ike-peer-ikeab]remote-id-type ip
[FW1-ike-peer-ikeab]remote-id 20.1.1.2
[FW1-ike-peer-ikeab]remote-address 20.1.1.2
[FW1-ike-peer-ikeab]local-id 20.1.1.1
[FW1]ipsec policy ipsecab 1 isakmp               // firewall IPSec policy (ISAKMP mode)
[FW1-ipsec-policy-isakmp-ipsecab-1]security acl 3000
[FW1-ipsec-policy-isakmp-ipsecab-1]ike-peer ikeab
[FW1-ipsec-policy-isakmp-ipsecab-1]proposal propab
[FW1-ipsec-policy-isakmp-ipsecab-1]tunnel local applied-interface
```

```
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2]ipsec proposal propba
[FW2-ipsec-proposal-propba]encapsulation-mode auto
[FW2]ike proposal 1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2]ike peer ikeba
[FW2-ike-peer-ikeba]exchange-mode auto
[FW2-ike-peer-ikeba]pre-shared-key ABCabc@123
[FW2-ike-peer-ikeba]ike-proposal 1
[FW2-ike-peer-ikeba]remote-id-type ip
[FW2-ike-peer-ikeba]remote-id 20.1.1.1
[FW2-ike-peer-ikeba]remote-address 20.1.1.1
[FW2-ike-peer-ikeba]local-id 20.1.1.2
[FW2]ipsec policy ipsecba 1 isakmp
[FW2-ipsec-policy-isakmp-ipsecba-1]security acl 3000
[FW2-ipsec-policy-isakmp-ipsecba-1]ike-peer ikeba
[FW2-ipsec-policy-isakmp-ipsecba-1]proposal propba
[FW2-ipsec-policy-isakmp-ipsecba-1]tunnel local applied-interface
```

(3) Apply the IPSec policy to the outbound interfaces

```
[FW1-GigabitEthernet1/0/0]ipsec policy ipsecab
[FW2-GigabitEthernet1/0/0]ipsec policy ipsecba
```

3. Verification

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159847355377.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

Capture packets on FW1's outbound interface while PC1 pings PC2:

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159858686798.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
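Most failures in a setup like this come from the two sides not mirroring each other: a pre-shared key typed differently, a remote-id that does not equal the peer's local-id, a remote-address that is not the peer's tunnel endpoint, or an ACL 3000 that is not the reverse of the other side's. The checker below is an added example written for this article (not part of the original post); it takes the FW1/FW2 lines above as constructed input, and the `parse`/`check_pair` names are my own.

```python
import re

# Constructed sample: the FW1/FW2 lines from the article that the checker needs.
CFG = """
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-ike-peer-ikeab]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeab]remote-id 20.1.1.2
[FW1-ike-peer-ikeab]remote-address 20.1.1.2
[FW1-ike-peer-ikeab]local-id 20.1.1.1
[FW2-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW2-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2-ike-peer-ikeba]pre-shared-key ABCabc@123
[FW2-ike-peer-ikeba]remote-id 20.1.1.1
[FW2-ike-peer-ikeba]remote-address 20.1.1.1
[FW2-ike-peer-ikeba]local-id 20.1.1.2
"""
# Prompt format is "[device-context]command"; at system view the context is absent.
LINE = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)(?:-(?P<ctx>[^\]]*))?\](?P<cmd>.*)$")
ACL = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse(cfg):
    """Return {device: fields} holding what a peer-consistency check needs."""
    devs = {}
    for raw in cfg.strip().splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        f = devs.setdefault(m.group("dev"), {"dev": m.group("dev")})
        ctx, cmd = m.group("ctx") or "", m.group("cmd").strip()
        if ctx.startswith("GigabitEthernet1/0/0") and cmd.startswith("ip add"):
            f["untrust_ip"] = cmd.split()[2]          # tunnel endpoint address
        elif ctx.startswith("acl") and (am := ACL.match(cmd)):
            f["acl"] = am.groups()                    # (src, src_wc, dst, dst_wc)
        elif ctx.startswith("ike-peer"):
            key, _, val = cmd.partition(" ")          # e.g. remote-id -> 20.1.1.2
            f[key] = val
    return devs

def check_pair(a, b):
    """Return mismatches between two peers; an empty list means the configs mirror."""
    issues = []
    if a.get("pre-shared-key") != b.get("pre-shared-key"):
        issues.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if x.get("remote-address") != y.get("untrust_ip"):
            issues.append(f"{x['dev']}: remote-address is not the peer's tunnel endpoint")
        if x.get("remote-id") != y.get("local-id"):
            issues.append(f"{x['dev']}: remote-id does not match the peer's local-id")
    if a["acl"][:2] != b["acl"][2:] or a["acl"][2:] != b["acl"][:2]:
        issues.append("ACL 3000 is not a mirror image across the two peers")
    return issues
```

Run it against both sides' `display current-configuration` output before bringing the tunnel up; an empty list from `check_pair` means the peer-level parameters agree.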

Source: https://blog.51cto.com/u_13699905/2928223
