GRE over IPsec

1 Topology

Topology walkthrough: fw1 10.1.1.1 ----- fw2 10.1.1.2 (interconnect addresses)

fw1 loopback 1.1.1.1

fw2 loopback 2.2.2.2

These two loopbacks are the endpoints of the flow that IPsec encrypts and, at the same time, the source and destination of the GRE tunnel.

192.168.10.0 --- 192.168.20.0 are the business (user) subnets; both are simulated with loopbacks.

2 Principle

1 Traffic between 192.168.10.0 and 192.168.20.0 goes into the GRE tunnel.

2 GRE looks up its own source and destination, 1.1.1.1 and 2.2.2.2.

3 1.1.1.1 - 2.2.2.2 is exactly the data flow that IPsec encrypts.

4 So at this point the GRE packet goes into IPsec.

5 The encrypted packet is then carried across the public network between 10.1.1.1 and 10.1.1.2.

3 Details

1 Basic configuration: interface addresses and the security zone each interface belongs to.

2 For IPsec to encrypt 1.1.1.1 - 2.2.2.2, the public interconnect addresses must be permitted by the security policy.

3 The 1.1.1.1 - 2.2.2.2 flow also needs a permit policy.

4 Finally the business data flow also needs a permit policy.
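To make sections 2 and 3 concrete, here is an added Python example (it is not part of the original post and not Huawei's implementation) that builds a packet the way fw1 does: the business packet is wrapped in GRE with the loopback addresses, the IPsec ACL from the fw1 configuration is evaluated against that GRE header, and the result is wrapped in ESP with the interconnect addresses. At each layer it reports which of the four security-policy rules (hulian, 1.1.1.1-2.2.2.2, t1, shujiuliu) permits the header the firewall sees. The packet builders are simplified and are this example's own assumptions: no IP checksum, and the ESP step only adds a header instead of encrypting.

```python
import ipaddress
import socket
import struct

GRE_PROTO, ESP_PROTO = 47, 50

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left at zero because nothing
    in this example puts the packet on a wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet without options."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:])

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What Tunnel1 does: plain GRE (RFC 2784, no key or checksum) with protocol
    type 0x0800 (IPv4) inside a new IPv4 header from the tunnel source/destination."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def esp_encapsulate(gre_pkt, local, remote, spi=0x1001, seq=1):
    """What 'ipsec policy 1' on GE1/0/0 does in tunnel mode: a new outer header from
    the IKE peer addresses plus an ESP header.  The AES-256/SHA2-256 transform is NOT
    modelled; the GRE packet is carried unchanged (constructed placeholder, not real ESP)."""
    esp = struct.pack("!II", spi, seq)
    return ipv4_header(local, remote, ESP_PROTO, len(esp) + len(gre_pkt)) + esp + gre_pkt

# acl number 3000 / rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
IPSEC_ACL = [(ipaddress.ip_network("1.1.1.1/32"), ipaddress.ip_network("2.2.2.2/32"))]

# fw1 security-policy rules, address fields only.  All four rules use the same
# local/untrust zone pairs, so zones are omitted from this model.
SECURITY_POLICY = [
    ("hulian", ["10.1.1.0/24"], ["10.1.1.0/24"]),
    ("1.1.1.1-2.2.2.2", ["1.1.1.1/32", "2.2.2.2/32"], ["1.1.1.1/32", "2.2.2.2/32"]),
    ("t1", ["100.1.1.0/24"], ["100.1.1.0/24"]),
    ("shujiuliu", ["192.168.10.0/24", "192.168.20.0/24"],
                  ["192.168.10.0/24", "192.168.20.0/24"]),
]

def acl_matches(src, dst):
    """True if the IPsec ACL selects this src/dst pair for encryption."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ns and d in nd for ns, nd in IPSEC_ACL)

def policy_rule(src, dst):
    """Name of the first security-policy rule permitting src -> dst, or None
    (the firewall's implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, srcs, dsts in SECURITY_POLICY:
        if (any(s in ipaddress.ip_network(n) for n in srcs)
                and any(d in ipaddress.ip_network(n) for n in dsts)):
            return name
    return None

def trace_fw1_egress(inner_src, inner_dst, proto=1, payload=b"\x08\x00" + b"\x00" * 6):
    """Follow one packet leaving fw1 via Tunnel1 and then GE1/0/0.  Returns one
    (stage, src, dst, proto, rule) tuple per header the firewall has to permit;
    the trace stops at the first header no rule permits or the ACL does not select."""
    stages = []
    pkt = ipv4_header(inner_src, inner_dst, proto, len(payload)) + payload
    s, d, p, _ = parse_ipv4(pkt)
    stages.append(("original", s, d, p, policy_rule(s, d)))
    if stages[-1][4] is None:
        return stages

    pkt = gre_encapsulate(pkt, "1.1.1.1", "2.2.2.2")    # Tunnel1 source / destination
    s, d, p, _ = parse_ipv4(pkt)
    stages.append(("gre", s, d, p, policy_rule(s, d)))
    if stages[-1][4] is None or not acl_matches(s, d):  # no ACL hit: would leave in the clear
        return stages

    pkt = esp_encapsulate(pkt, "10.1.1.1", "10.1.1.2")  # ike peer fw2: local / remote-address
    s, d, p, _ = parse_ipv4(pkt)
    stages.append(("esp", s, d, p, policy_rule(s, d)))
    return stages

if __name__ == "__main__":
    for stage in trace_fw1_egress("192.168.10.1", "192.168.20.1"):
        print("%-8s %-15s -> %-15s proto %-3d permitted by %s" % stage)
```

Running it prints the three headers fw1 sees for one 192.168.10.1 to 192.168.20.1 packet and the rule that permits each: shujiuliu for the business packet, 1.1.1.1-2.2.2.2 for the GRE header, hulian for the ESP header. The business packet itself is never matched by ACL 3000, which is why the ACL is written for 1.1.1.1 to 2.2.2.2 and why all three rules are needed.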

4 Configuration

fw1

```
[fw1] display current-configuration
2023-02-27 10:11:24.790
!Software Version V500R005C10SPC300
#
 sysname fw1
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable
#
 undo telnet server enable
 undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 04:02
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
 page-setting
 user-manage security version tlsv1.1 tlsv1.2
 password-policy
  level high
 user-manage single-sign-on ad
 user-manage single-sign-on tsm
 user-manage single-sign-on radius
 user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
 firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 01:33
 update schedule av-sdb daily 01:33
 update schedule sa-sdb daily 01:33
 update schedule cnc daily 01:33
 update schedule file-reputation daily 01:33
#
ip vpn-instance default
 ipv4-family
#
time-range worktime
 period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
 rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer fw2
 pre-shared-key %^%#JR&w:[YdqXnr></}zAR9`#)"N[>>@#`Ss=-UeY)<%^%#
 ike-proposal 1
 remote-address 10.1.1.2
#
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer fw2
 proposal 1
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%NcP9&F_/kRy@aM~{K4X8>,%3i4X,~koa)>AxkPDG'<A7,%6>@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%>^4f/`y5BNz\B>K]8T_Uahz}.qi13@~pW/=@=UQcPXt6hz#a@%@%
  level 15
 manager-user admin
  password cipher @%@%./oR4S1BB8yA}WAFO%yUXg:9*Z&[:kD9YL'lBR+2a%/Tg:<X@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 ipsec policy 1
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
interface LoopBack192
 ip address 192.168.10.1 255.255.255.0
#
interface Tunnel1
 ip address 100.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 2.2.2.2
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
 undo ssh server compatible-ssh1x enable
 ssh authentication-type default password
 ssh server cipher aes256_ctr aes128_ctr
 ssh server hmac sha2_256 sha1
 ssh client cipher aes256_ctr aes128_ctr
 ssh client hmac sha2_256 sha1
#
 firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
 user-manage server-sync tsm
#
security-policy
 rule name hulian
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name 1.1.1.1-2.2.2.2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name t1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 100.1.1.0 mask 255.255.255.0
  destination-address 100.1.1.0 mask 255.255.255.0
  action permit
 rule name shujiuliu
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
```

fw2

```
[fw2-policy-security] display current-configuration
2023-02-27 10:12:24.420
!Software Version V500R005C10SPC300
#
 sysname fw2
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable
#
 undo telnet server enable
 undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 01:40
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
 page-setting
 user-manage security version tlsv1.1 tlsv1.2
 password-policy
  level high
 user-manage single-sign-on ad
 user-manage single-sign-on tsm
 user-manage single-sign-on radius
 user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
 firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 05:17
 update schedule av-sdb daily 05:17
 update schedule sa-sdb daily 05:17
 update schedule cnc daily 05:17
 update schedule file-reputation daily 05:17
#
ip vpn-instance default
 ipv4-family
#
time-range worktime
 period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
 rule 1 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer fw1
 pre-shared-key %^%#`6-oULS)g/GWw_Pb,.uMxIOmT}Yb,1Xn9nDTL]bA%^%#
 ike-proposal 1
 remote-address 10.1.1.1
#
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer fw1
 proposal 1
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%cxw2TR]JmY@a&tYy~qq/E^3Zj'H=&}MaX0"@*L;bStyB^3]E@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%69bJC@8pNK</@$K#SwJ8oS3aT0@.S,e<gU_I\P,"q/C/S3do@%@%
  level 15
 manager-user admin
  password cipher @%@%(ydANqCR@JlhRo5Pe!7Bcn`VZ[tt.7pouITq7[*0_AdJn`Yc@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 ipsec policy 1
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
interface LoopBack102
 ip address 192.168.20.1 255.255.255.0
#
interface Tunnel1
 ip address 100.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 2.2.2.2
 destination 1.1.1.1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
 undo ssh server compatible-ssh1x enable
 ssh authentication-type default password
 ssh server cipher aes256_ctr aes128_ctr
 ssh server hmac sha2_256 sha1
 ssh client cipher aes256_ctr aes128_ctr
 ssh client hmac sha2_256 sha1
#
 firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
 user-manage server-sync tsm
#
security-policy
 rule name hulian
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name 1.1.1.1-2.2.2.2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name t1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 100.1.1.0 mask 255.255.255.0
  destination-address 100.1.1.0 mask 255.255.255.0
  action permit
 rule name shujiuliu
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
```

5 Summary

My own understanding of the IPsec configuration, step by step:

1 IKE proposal.

2 IKE peer; the IKE proposal must be referenced by the IKE peer.

3 IPsec proposal.

4 The ACL that defines the data flow to be encrypted.

5 IPsec policy; it must reference the IPsec proposal, the IKE peer and the ACL.

6 The GRE tunnel interface must be added to a security zone.

7 When advertising routes in OSPF, advertise only the business routes and the tunnel addresses (not the loopback tunnel endpoints, otherwise the tunnel destination would be learned through the tunnel itself).
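As an added example (not from the original post and not a Huawei tool), the following Python script checks points 1 to 7 mechanically against a configuration dump. It parses the indented `display current-configuration` output into blocks, verifies that every reference resolves (the IKE proposal named by the IKE peer; the ACL, IKE peer and IPsec proposal named by the IPsec policy), and then checks the GRE rules: the tunnel interface is in a zone, its source/destination pair is selected by the IPsec ACL, and its source is not advertised into OSPF. The excerpt it runs over is a constructed subset of the fw1 configuration above with the pre-shared key left out; the parser, the check names and the deliberately broken variant are this example's own assumptions.

```python
import ipaddress

# Constructed excerpt of the post's fw1 configuration, indented the way
# 'display current-configuration' prints it (pre-shared key left out).
FW1_EXCERPT = """\
acl number 3000
 rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
ipsec proposal 1
#
ike proposal 1
#
ike peer fw2
 ike-proposal 1
#
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer fw2
 proposal 1
#
interface Tunnel1
 tunnel-protocol gre
 source 1.1.1.1
 destination 2.2.2.2
#
firewall zone untrust
 add interface Tunnel1
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
#
"""
# Same excerpt with three deliberate mistakes: undefined IKE peer in the policy,
# Tunnel1 in no zone, and the tunnel source 1.1.1.1 advertised into OSPF.
FW1_BROKEN = (FW1_EXCERPT.replace(" ike-peer fw2\n", " ike-peer fw3\n")
              .replace(" add interface Tunnel1\n", "")
              .replace(" area 0.0.0.0\n", " area 0.0.0.0\n  network 1.1.1.1 0.0.0.0\n"))

def parse_blocks(text):
    """(header, [sub-commands]) per block: an unindented line opens, '#' closes."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            current = None
        elif not raw.startswith(" "):
            blocks.append(current := (raw.strip(), []))
        elif current is not None:
            current[1].append(raw.strip())
    return blocks

def child(lines, key):
    """Argument of the first sub-command that starts with `key`, or None."""
    return next((l[len(key):].strip() for l in lines if l.startswith(key + " ")), None)

def wild_to_net(addr, wildcard):
    """ACL / OSPF wildcard mask -> ip_network ('0' or '0.0.0.0' means one host)."""
    bits = "32" if wildcard in ("0", "0.0.0.0") else wildcard
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def acl_permits(rules, src, dst):
    """True if a 'rule N permit ... source A W destination B W' line covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in (r.split() for r in rules):
        if "permit" in t and "source" in t and "destination" in t:
            i, j = t.index("source"), t.index("destination")
            if s in wild_to_net(t[i + 1], t[i + 2]) and d in wild_to_net(t[j + 1], t[j + 2]):
                return True
    return False

def lint(config_text):
    """Findings for the summary's chain (IKE proposal -> IKE peer -> IPsec policy) and GRE rules."""
    blocks = parse_blocks(config_text)
    by = lambda p: {h.split()[2]: c for h, c in blocks if h.startswith(p)}
    ike_props, ipsec_props, acls = by("ike proposal "), by("ipsec proposal "), by("acl number ")
    peers, policies = by("ike peer "), by("ipsec policy ")
    ifaces = {h.split()[1]: c for h, c in blocks if h.startswith("interface ")}
    zoned = {l.split()[2] for h, c in blocks if h.startswith("firewall zone ")
             for l in c if l.startswith("add interface ")}
    ospf_nets = [wild_to_net(*l.split()[1:3]) for h, c in blocks if h.startswith("ospf ")
                 for l in c if l.startswith("network ")]
    findings = []
    for name, lines in peers.items():
        if child(lines, "ike-proposal") not in ike_props:
            findings.append(f"ike peer {name}: ike-proposal is undefined")
    for name, lines in policies.items():
        for key, table in (("security acl", acls), ("ike-peer", peers), ("proposal", ipsec_props)):
            if child(lines, key) not in table:
                findings.append(f"ipsec policy {name}: '{key} {child(lines, key)}' is undefined")
    used_acls = [acls[a] for a in (child(c, "security acl") for c in policies.values()) if a in acls]
    for ifname, lines in ifaces.items():
        if child(lines, "tunnel-protocol") != "gre":
            continue
        src, dst = child(lines, "source"), child(lines, "destination")
        if ifname not in zoned:
            findings.append(f"{ifname}: GRE tunnel is not in any firewall zone")
        if not any(acl_permits(r, src, dst) for r in used_acls):
            findings.append(f"{ifname}: GRE {src} -> {dst} is not selected by the IPsec ACL")
        if any(ipaddress.ip_address(src) in n for n in ospf_nets):
            findings.append(f"{ifname}: tunnel source {src} is advertised in OSPF (recursive routing)")
    return findings

if __name__ == "__main__":
    print(*(lint(FW1_BROKEN) or ["no findings"]), sep="\n")
```

The clean excerpt produces no findings; the broken variant produces one finding per mistake, which is the order in which such errors usually surface on a real device: the IKE negotiation never starts when the policy's peer does not exist, the tunnel passes nothing when it has no zone, and the tunnel flaps when its own endpoint is learned over it.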
