1. Design and topology
Set up a site-to-site IPsec VPN between the two firewalls so that PC1 can ping PC2.
2. Basic configuration
Configure the interface addresses shown in the topology and add each interface to its security zone. (Omitted here.)
3. Detailed configuration
IPsec configuration (FW1)
[FW1-ike-proposal-10]dis th
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
[FW1-ike-peer-FW2]dis th
#
ike peer FW2
pre-shared-key HUAWEI@123
ike-proposal 10
remote-address 155.1.131.13
#
[FW1-acl-adv-3000]dis th
#
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
[FW1-ipsec-proposal-LAN_SET]dis th
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
[FW1-ipsec-policy-isakmp-LAN_MAP-10]dis th
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW2
proposal LAN_SET
#
interface GigabitEthernet1/0/0
ipsec policy LAN_MAP
#
Security policy (FW1)
[FW1-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
source-address 155.1.131.13 mask 255.255.255.255
destination-address 155.1.121.12 mask 255.255.255.255
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
#
FW2 is configured the same way as FW1, except that the peer address (the remote-address under ike peer, and the source/destination addresses in rule OUT_TO_LOCAL) and the peer name must be swapped so that they refer to FW1.
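To check that the four security-policy rules and ACL 3000 above actually cover every flow the tunnel needs, here is an added example that models them in Python. It is not Huawei code and not part of the original write-up; it reproduces the first-match, implicit default-deny evaluation of a USG security-policy and the wildcard-mask matching of an advanced ACL, with the rules copied from the page. PC1's address 10.1.12.10 is a constructed value (the page only shows PC2 = 10.1.13.10).

```python
"""Evaluate FW1's security-policy and ACL 3000 against the flows an IPsec tunnel needs.

Added example, not code from Huawei or from the original write-up.
Rule order and addresses are taken from the page; PC1 = 10.1.12.10 is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ESP, UDP, ICMP = 50, 17, 1


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str] = None                    # None = any zone
    dst_zone: Optional[str] = None
    src_net: Optional[ipaddress.IPv4Network] = None   # None = any address
    dst_net: Optional[ipaddress.IPv4Network] = None
    services: Tuple[Tuple[int, Optional[int]], ...] = ()  # () = any; (proto, dport)
    action: str = "permit"

    def matches(self, f: Flow) -> bool:
        if self.src_zone is not None and f.src_zone != self.src_zone:
            return False
        if self.dst_zone is not None and f.dst_zone != self.dst_zone:
            return False
        if self.src_net is not None and ipaddress.IPv4Address(f.src) not in self.src_net:
            return False
        if self.dst_net is not None and ipaddress.IPv4Address(f.dst) not in self.dst_net:
            return False
        if self.services and not any(
            p == f.proto and (d is None or d == f.dport) for p, d in self.services
        ):
            return False
        return True


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """'address mask' exactly as written in a security-policy rule."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


# The four rules of FW1's security-policy, in the order they appear on the page.
FW1_POLICY = (
    Rule("LOCAL_TO_ANY", src_zone="local"),
    Rule("IN_TO_OUT", src_zone="trust", dst_zone="untrust"),
    Rule("OUT_TO_LOCAL", src_zone="untrust", dst_zone="local",
         src_net=net("155.1.131.13", "255.255.255.255"),
         dst_net=net("155.1.121.12", "255.255.255.255"),
         services=((ESP, None), (UDP, 500))),
    Rule("OUT_TO_IN", src_zone="untrust", dst_zone="trust",
         src_net=net("10.1.0.0", "255.255.0.0"),
         dst_net=net("10.1.0.0", "255.255.0.0")),
)


def lookup(policy, flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def is_interesting(src: str, dst: str) -> bool:
    """acl 3000 rule 5: permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255"""
    return (wildcard_match(src, "10.1.0.0", "0.0.255.255")
            and wildcard_match(dst, "10.1.0.0", "0.0.255.255"))


if __name__ == "__main__":
    checks = {
        "IKE from FW2":         Flow("untrust", "local", "155.1.131.13", "155.1.121.12", UDP, 500),
        "ESP from FW2":         Flow("untrust", "local", "155.1.131.13", "155.1.121.12", ESP),
        "NAT-T UDP/4500":       Flow("untrust", "local", "155.1.131.13", "155.1.121.12", UDP, 4500),
        "IKE out from FW1":     Flow("local", "untrust", "155.1.121.12", "155.1.131.13", UDP, 500),
        "PC1 -> PC2 ping":      Flow("trust", "untrust", "10.1.12.10", "10.1.13.10", ICMP),
        "PC2 -> PC1 decrypted": Flow("untrust", "trust", "10.1.13.10", "10.1.12.10", ICMP),
    }
    for label, flow in checks.items():
        print(f"{label:22s} -> {lookup(FW1_POLICY, flow)}")
    print("PC1 -> PC2 matches ACL 3000:", is_interesting("10.1.12.10", "10.1.13.10"))
```

The NAT-T line is the one to watch: because OUT_TO_LOCAL only permits ESP and UDP/500, it falls to the default deny. That is fine for this topology, where the two firewalls face each other directly, but if a NAT device ever sits between the peers, IKE moves to UDP/4500 and the rule would need that service added.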
4. Verification
Two IKE SAs are expected on FW1: the v2:1 entry is the IKEv2 SA and the v2:2 entry is the child (IPsec) SA. The first ping requests time out while the tunnel is negotiated on demand, after which replies arrive.
[FW1]dis ike sa
2024-06-26 03:16:19.490
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
3 155.1.131.13:500 RD|ST|A v2:2 IP 155.1.131.13
2 155.1.131.13:500 RD|ST|A v2:1 IP 155.1.131.13
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
PC>ping 10.1.13.10
Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
From 10.1.13.10: bytes=32 seq=3 ttl=126 time=31 ms
From 10.1.13.10: bytes=32 seq=4 ttl=126 time<1 ms