IPSec是安全联网的长期方向。它通过端对端的安全性来提供主动的保护以防止专用网与 Internet 的***。在通信中,只有发送方和接收方才是唯一必须了解 IPSec 保护的计算机。在 Windows 系列操作系统中,IPSec 提供了一种能力以保护工作组、局域网计算机、域客户端和服务器、分支机构(物理上为远程机构)、Extranet 以及漫游客户端之间的通信。IPSec 基于端对端的安全模式,在源 IP 和目标 IP 地址之间建立信任和安全性。它是网络层的安全机制,通过对网络层包信息的保护,上层应用程序即使没有实现安全性,也能够自动从网络层提供的安全性中获益。这打消了人们对×××安全性的顾虑,使得××× 得以广泛应用。IPSec的工作方式有传输方式和隧道方式。而且IPsec的工作模式有两种手动配置和自动协商。
【实验拓扑】
【实验配置】
交换机基本配置:
<SW1>dis cu
#
sysname SW1
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
port access vlan 10
#
interface Ethernet0/11
#
interface Ethernet0/12
#
interface Ethernet0/13
#
interface Ethernet0/14
#
interface Ethernet0/15
#
interface Ethernet0/16
#
interface Ethernet0/17
#
interface Ethernet0/18
#
interface Ethernet0/19
#
interface Ethernet0/20
port access vlan 20
#
interface Ethernet0/21
#
interface Ethernet0/22
port access vlan 30
#
interface Ethernet0/23
#
interface Ethernet0/24
port link-type trunk
port trunk permit vlan all
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
#
return
手动:
dis cu
#
sysname R1
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>
service-type telnet terminal
level 3
service-type ftp
#
ipsec proposal tran1
#
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 1.1.1.1
tunnel remote 1.1.2.1
sa spi inbound esp 54321
sa string-key inbound esp dcba
sa spi outbound esp 12345
sa string-key outbound esp abcd
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.1.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[R2]dis cu
#
sysname R2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>
service-type telnet terminal
level 3
service-type ftp
#
ipsec proposal tran1
#
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 1.1.2.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp abcd
sa spi outbound esp 54321
sa string-key outbound esp dcba
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.2.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
自动:
dis cu
#
sysname R1
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>
service-type telnet terminal
level 3
service-type ftp
#
ike peer fw3
pre-shared-key 1234567
remote-address 1.1.3.1
#
ipsec proposal tran1
#
ipsec proposal tran2
#
ipsec policy policy1 11 isakmp
security acl 3001
ike-peer fw3
proposal tran2
#
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 1.1.1.1
tunnel remote 1.1.2.1
sa spi inbound esp 54321
sa string-key inbound esp dcba
sa spi outbound esp 12345
sa string-key outbound esp abcd
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.1.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[R3]dis cu
#
sysname R3
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>
service-type telnet terminal
level 3
service-type ftp
#
ike peer fw11
pre-shared-key 1234567
remote-address 1.1.1.1
#
ipsec proposal tran2
#
ipsec policy policy1 11 isakmp
security acl 3000
ike-peer fw11
proposal tran2
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.3.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
【测试】
自动:
手动:
转载于:https://blog.51cto.com/7608691/1275835
1012
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
