1. Lab objective and topology
Two IPsec VPN links are set up between FW1 and FW2 as redundant backups of each other. FW2 connects to FW1 through its Tunnel1 and Tunnel2 interfaces; primary/backup path selection is controlled by static route preference, and IP-link connectivity probing can be added later to detect path failure.
2. Basic configuration
(1) Configure the interface addresses shown in the topology diagram (omitted here)
(2) Enable OSPF on R1/R2/R3 and advertise the 155.1.0.0 and 150.1.0.0 routes (omitted here)
(3) On the firewalls, add the interfaces on the 155 network to the trust zone and the 10 network to the untrust zone (omitted here)
3. Detailed configuration
(1) On FW1, configure static routes for primary/backup path selection; on FW2, configure static routes as well
[FW1]ip route-static 0.0.0.0 0 155.1.121.1
[FW1]ip route-static 0.0.0.0 0 155.1.121.2 preference 66
[FW2]ip route-static 0.0.0.0 0 155.1.133.3
[FW2]ip route-static 10.1.0.0 16 Tunnel 1
[FW2]ip route-static 10.1.0.0 16 Tunnel 2 preference 66
(2) Configure IPsec
FW1 configuration
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW2
pre-shared-key HUAWEI
ike-proposal 10
remote-address 155.1.133.13
#
ipsec policy LAN_MAP1 10 isakmp
security acl 3000
ike-peer FW2
proposal LAN_SET
ipsec policy LAN_MAP2 10 isakmp
security acl 3000
ike-peer FW2
proposal LAN_SET
#
interface GigabitEthernet1/0/1
ipsec policy LAN_MAP1
#
interface GigabitEthernet1/0/2
ipsec policy LAN_MAP2
FW2 configuration
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW1-A
pre-shared-key HUAWEI
ike-proposal 10
remote-address 155.1.121.12
ike peer FW1-B
pre-shared-key HUAWEI
ike-proposal 10
remote-address 155.1.122.12
#
ipsec policy LAN_MAP1 10 isakmp
security acl 3000
ike-peer FW1-A
proposal LAN_SET
ipsec policy LAN_MAP2 10 isakmp
security acl 3000
ike-peer FW1-B
proposal LAN_SET
Interface configuration
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
ipsec policy LAN_MAP1
#
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
ipsec policy LAN_MAP2
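As an added check that is not part of the original lab, the following Python script parses the IKE proposals from the FW1 and FW2 configurations above (embedded here as constructed text with VRP's one-space sub-command indentation), confirms that the two peers' proposal 10 share a compatible parameter set, and flags the legacy algorithms (3DES, SHA-1, DH group 2) that proposal 10 still uses. The function names and the WEAK list are this example's own choices, not Huawei commands.

```python
import re
# Constructed excerpt of the page's FW1/FW2 IKE proposals (VRP one-space indentation).
FW1_CONFIG = """\
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
"""
FW2_CONFIG = """\
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
"""
# Algorithm names an auditor would flag as legacy in an IKE proposal (assumed list).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

def parse_ike_proposals(config):
    """Return {proposal_name: {parameter: [values]}} from VRP-style config text."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ike proposal (\S+)$", line)
        if m:
            current = proposals.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            current[parts[0]] = parts[1:]
    return proposals

def weak_algorithms(proposal):
    """(parameter, value) pairs in one proposal that name a weak algorithm."""
    return [(k, v) for k, vals in proposal.items() for v in vals if v in WEAK]

def peers_match(p1, p2):
    """True when both peers offer at least one common value for every parameter."""
    return all(set(p1.get(k, [])) & set(p2.get(k, [])) for k in set(p1) | set(p2))
```

Feed it the IKE proposal section of each firewall's running configuration to audit a live pair; the embedded text is enough to run it as-is.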
(3) Security policy
[FW1-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
#
[FW2-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name OUT_TO_DMZ
source-zone untrust
destination-zone dmz
service protocol 50
service protocol udp destination-port 500
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
#
4. Result verification
PC>ping 10.1.13.10
Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
From 10.1.13.10: bytes=32 seq=1 ttl=126 time=62 ms
[FW2]dis ike sa
IKE SA information :
Conn-ID    Peer                 VPN    Flag(s)    Phase    RemoteType    RemoteID
--------------------------------------------------------------------------------
2          155.1.121.12:500            RD|ST|A    v2:2     IP            155.1.121.12
1          155.1.121.12:500            RD|ST|A    v2:1     IP            155.1.121.12
Number of IKE SA : 2
--------------------------------------------------------------------------------