1. Network topology
Lab idea: establish an IPsec tunnel between the IPsec server and the client, where the server's IP address is fixed and the client's IP address is not fixed (it is assigned dynamically over PPPoE).
2. Basic configuration
(1) Configure the interface addresses as shown in the topology (omitted here)
(2) Configure the firewall zone interfaces, security policies and so on as shown in the topology (omitted here)
3. Detailed configuration
(1) Router-side PPPoE dial-up server settings
[R1-aaa]local-user USER password cipher HUAWEI
[R1-aaa]local-user USER service-type ppp
[R1]int Virtual-Template1
[R1-Virtual-Template1]dis th
[V200R003C00]
#
interface Virtual-Template1
ppp authentication-mode chap
remote address 155.1.131.13
ip address unnumbered interface GigabitEthernet0/0/1
#
[R1-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1
pppoe-server bind Virtual-Template 1
ip address 155.1.131.1 255.255.255.0
#
(2) Firewall-side port dial-up and IPsec dial-up client settings
Dialer interface settings
[FW2-Dialer1]DIS TH
#
interface Dialer1
link-protocol ppp
ppp chap user USER
ppp chap password cipher HUAWEI
mtu 1492
ip address ppp-negotiate
dialer user TEST
dialer bundle 1
ipsec policy LAN_MAP
#
[FW2-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1
[FW2-zone-untrust]dis th
#
firewall zone untrust
add interface Dialer1
#
[FW2]ip route-static 0.0.0.0 0 Dialer 1
(3) Firewall-side IPsec dial-up server settings
[FW1-ike-peer-ALL]dis this
#
ike peer ALL
pre-shared-key HUAWEI@123
ike-proposal 10
#
[FW1-ipsec-policy-templet-DY_MAP-10]DIS TH
#
ipsec policy-template DY_MAP 10
security acl 3000
ike-peer ALL
proposal LAN_SET
#
[FW1]ipsec policy LAN_MAP 10 isakmp template DY_MAP
[FW1-GigabitEthernet1/0/0]ipsec policy LAN_MAP
With the configuration above, the IPsec tunnel can only be established when it is initiated from the IPsec dial-up branch (PC2 behind FW2); the server side uses a policy template, so it can only respond and cannot initiate.
[FW2-ipsec-policy-isakmp-LAN_MAP-10]dis th
2024-06-27 03:03:24.350
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW1
proposal LAN_SET
sa trigger-mode auto
#
Adding the command above (sa trigger-mode auto) to the IPsec policy on the IPsec dial-up branch side lets the tunnel be established even when there is no traffic matching the ACL.
4. Verifying the result
[FW1]dis ike sa
IKE SA information :
Conn-ID    Peer                 VPN    Flag(s)    Phase    RemoteType    RemoteID
------------------------------------------------------------------------------------
6          155.1.131.13:500            RD|A       v2:2     IP            155.1.131.13
5          155.1.131.13:500            RD|A       v2:1     IP            155.1.131.13
Number of IKE SA : 2
------------------------------------------------------------------------------------
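To check this output without reading it by hand, here is an added Python example (not from the original page) that parses the `display ike sa` table and reports whether each expected peer has both IKEv2 phases (v2:1 and v2:2) in the RD (ready) state. The first sample text is constructed from the page's own listing with the wrapped columns joined; the second sample, with only phase 1 present and no RD flag, is a constructed snapshot of a negotiation that has not finished. Because the server side uses a policy template and accepts any initiator that knows the pre-shared key, the example also lists peers that have an SA but are not on the expected list, which is the condition worth alerting on.

```python
import re
from collections import defaultdict

# Constructed from the page's own 'display ike sa' listing (columns de-wrapped).
SAMPLE_OUTPUT = """\
IKE SA information :
Conn-ID    Peer                 VPN    Flag(s)    Phase    RemoteType    RemoteID
------------------------------------------------------------------------------------
6          155.1.131.13:500            RD|A       v2:2     IP            155.1.131.13
5          155.1.131.13:500            RD|A       v2:1     IP            155.1.131.13
Number of IKE SA : 2
------------------------------------------------------------------------------------
"""

# Constructed (hypothetical) snapshot: phase 1 present but not yet RD, phase 2 missing.
NEGOTIATING_OUTPUT = """\
IKE SA information :
Conn-ID    Peer                 VPN    Flag(s)    Phase    RemoteType    RemoteID
------------------------------------------------------------------------------------
7          155.1.131.13:500            A          v2:1     IP            155.1.131.13
Number of IKE SA : 1
------------------------------------------------------------------------------------
"""

# One SA row: Conn-ID, peer:port, optional VPN instance, flags, phase, remote type, remote ID.
ROW_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>[\d.]+):(?P<port>\d+)\s+(?:(?P<vpn>\S+)\s+)?"
    r"(?P<flags>[A-Z|]+)\s+(?P<phase>v[12]:[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$"
)

READY = "RD"  # the flag that marks an SA as fully established on this platform


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["flags"] = frozenset(row["flags"].split("|"))
            rows.append(row)
    return rows


def phases_by_peer(rows):
    """Map peer IP -> {phase label -> flag set}."""
    status = defaultdict(dict)
    for r in rows:
        status[r["peer"]][r["phase"]] = r["flags"]
    return dict(status)


def tunnel_ready(status, peer, ike_version=2):
    """True only when both phases for the given IKE version carry the RD flag."""
    phases = status.get(peer, {})
    return all(READY in phases.get(f"v{ike_version}:{n}", ()) for n in (1, 2))


def check_peers(text, expected_peers):
    """Report each expected branch as up (True) or down (False)."""
    status = phases_by_peer(parse_ike_sa(text))
    return {peer: tunnel_ready(status, peer) for peer in expected_peers}


def unexpected_peers(text, expected_peers):
    """Peers holding an IKE SA that are not on the expected list. A policy-template
    responder admits any initiator with the shared key, so this list is the one
    to alert on rather than just the down list."""
    status = phases_by_peer(parse_ike_sa(text))
    return sorted(set(status) - set(expected_peers))


if __name__ == "__main__":
    branches = ["155.1.131.13"]
    print("established:", check_peers(SAMPLE_OUTPUT, branches))
    print("negotiating:", check_peers(NEGOTIATING_OUTPUT, branches))
    print("unexpected :", unexpected_peers(SAMPLE_OUTPUT, ["10.0.0.1"]))
```

Run it against the saved output of `display ike sa` taken from FW1; a branch that shows up as False after its dialer has been up for a while usually means the branch-side policy is waiting for interesting traffic, which is exactly what `sa trigger-mode auto` on FW2 avoids.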