1.配置需求
总部和分部各有一台防火墙部署在互联网出口,因业务需要两端内网需要通过VPN相互访问。
2.组网图
3.配置步骤
3.1两端防火墙固定IP地址上网配置参考
https://blog.csdn.net/m0_68265458/article/details/137507861?spm=1001.2014.3001.5501
3.2创建IPsec感兴趣流(总部)
[FW1]acl advanced 3999 #匹配IPSEC数据
[FW1-acl-ipv4-adv-3999]rule 0 permit ip source 192.168.10.0 0.0.0.255 destinatio
n 192.168.20.0 0.0.0.255
[FW1]acl advanced 3888 #排除IPSEC兴趣流不做NAT
[FW1-acl-ipv4-adv-3888]rule 0 deny ip source 192.168.10.0 0.0.0.255 destination
192.168.20.0 0.0.0.255
[FW1-acl-ipv4-adv-3888]rule 5 permit ip source any
3.3创建IKE安全密钥(总部)
[FW1]ike keychain 1 #地址填写分部设备公网IP
[FW1-ike-keychain-1]pre-shared-key address 198.76.26.90 key simple 123456
3.4创建IKE安全提议(总部)
[FW1]ike proposal 1 #默认即可
3.5创建IKE安全框架(总部)
[FW1]ike profile 1 #调用本端,对端,提议,密钥
[FW1-ike-profile-1]keychain 1
[FW1-ike-profile-1]local-identity address 101.88.26.34
[FW1-ike-profile-1]match remote identity address 198.76.26.90
[FW1-ike-profile-1]proposal 1
3.6创建IPsec安全提议(总部)
[FW1]ipsec transform-set 1
[FW1-ipsec-transform-set-1]esp authentication-algorithm sha1
[FW1-ipsec-transform-set-1]esp encryption-algorithm aes-cbc-128
3.7创建IPsec安全策略(总部)
[FW1]ipsec policy g1/0/3 1 isakmp
[FW1-ipsec-policy-isakmp-g1/0/3-1]transform-set 1
[FW1-ipsec-policy-isakmp-g1/0/3-1]ike-profile 1
[FW1-ipsec-policy-isakmp-g1/0/3-1]security acl 3999
[FW1-ipsec-policy-isakmp-g1/0/3-1]local-address 101.88.26.34
[FW1-ipsec-policy-isakmp-g1/0/3-1]remote-address 198.76.26.90
3.8外网接口调用策略和NAT动态转换
[FW1]int g1/0/3
[FW1-GigabitEthernet1/0/3]nat outbound 3888
[FW1-GigabitEthernet1/0/3]ipsec apply policy g1/0/3
3.9总部配置安全策略放通IPsec数据
[FW1]object-group ip address 192.168.10.0 #创建对象组
[FW1-obj-grp-ip-192.168.10.0]net subnet 192.168.10.0 24
[FW1]object-group ip address 192.168.20.0 #创建对象组
[FW1-obj-grp-ip-192.168.20.0]net subnet 192.168.20.0 24
[FW1]object-policy ip untrust-trust #创建对象策略
[FW1-object-policy-ip-untrust-trust]rule 0 pass source-ip 192.168.20.0 destinati
on-ip 192.168.10.0
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]object-policy apply ip untrust-trust
3.10总部配置安全策略放通IPsec数据
[FW1]object-policy ip untrust-local #创建对象策略
[FW1-object-policy-ip-untrust-local]rule 0 pass
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]ob
[FW1-zone-pair-security-Untrust-Local]object-policy apply ip untrust-local
[FW1]object-policy ip local-untrust
[FW1-object-policy-ip-local-untrust]rule 0 pass
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]object-policy apply ip local-untrust
3.11分部配置
与总部侧配置基本相同,IPSEC感兴趣流需要取反配置。