站点到站点VPN

最新推荐文章于 2024-07-18 12:00:06 发布

earthtoearth

最新推荐文章于 2024-07-18 12:00:06 发布

阅读量815

点赞数 14

分类专栏：防火墙安全实验配置文章标签：网络安全网络

本文链接：https://blog.csdn.net/earthtoearth/article/details/139982370

版权

防火墙安全实验配置专栏收录该内容

34 篇文章 0 订阅 ¥19.90 ¥99.00

订阅专栏

超级会员免费看

一、设计思路及拓扑

在两个防火墙之间建立站点到站点VPN，使PC1可以ping通PC2

二、基础配置

按拓扑所示配置相应的接口地址并将接口加入相应的区域。（此处省略.............）

三、详细配置

IPSEC配置

[FW1-ike-proposal-10]dis th
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#

[FW1-ike-peer-FW2]dis th
#
ike peer FW2
pre-shared-key HUAWEI@123
ike-proposal 10
remote-address 155.1.131.13
#

[FW1-acl-adv-3000]dis th
#
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#

[FW1-ipsec-proposal-LAN_SET]dis th
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#

[FW1-ipsec-policy-isakmp-LAN_MAP-10]dis th
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW2
proposal LAN_SET
#

interface GigabitEthernet1/0/0
ipsec policy LAN_MAP
#

安全策略

[FW1-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
source-address 155.1.131.13 mask 255.255.255.255
destination-address 155.1.121.12 mask 255.255.255.255
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
#

防火墙2的配置与与防火墙1相同，但需更改对端地址和对端名称

四、结果验证

[FW1]dis ike sa
2024-06-26 03:16:19.490

IKE SA information :
Conn-ID Peer VPN Flag(
s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
----------------------------------------------------
3 155.1.131.13:500 RD|ST
|A v2:2 IP 155.1.131.13
2 155.1.131.13:500 RD|ST
|A v2:1 IP 155.1.131.13

Number of IKE SA : 2
--------------------------------------------------------------------------------
----------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

PC>ping 10.1.13.10

Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
From 10.1.13.10: bytes=32 seq=3 ttl=126 time=31 ms
From 10.1.13.10: bytes=32 seq=4 ttl=126 time<1 ms