Huawei point-to-point IPSec VPN configuration
Configure the interface IP addresses and security zones
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/6]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/6]service-manage ping permit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/6
[FW2-GigabitEthernet1/0/0]ip add 10.1.2.1 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2-GigabitEthernet1/0/6]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/6]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/6
Configure the static route to the peer's network on each firewall
[FW1]ip route-static 10.1.2.0 24 20.1.1.2
[FW2]ip route-static 10.1.1.0 24 20.1.1.1
Configure the security policy (rules ipsec1 and ipsec2 permit traffic between network A and network B; rules ipsec3 and ipsec4 permit the IKE negotiation packets and the encrypted packets between the two firewalls to pass)
[FW1]security-policy
[FW1-policy-security]rule name ipsec1
[FW1-policy-security-rule-ipsec1]source-zone trust
[FW1-policy-security-rule-ipsec1]destination-zone untrust
[FW1-policy-security-rule-ipsec1]source-address 10.1.1.0 mask 255.255.255.0
[FW1-policy-security-rule-ipsec1]destination-address 10.1.2.0 mask 255.255.255.0
[FW1-policy-security-rule-ipsec1]action permit
[FW1-policy-security]rule name ipsec2
[FW1-policy-security-rule-ipsec2]source-zone untrust
[FW1-policy-security-rule-ipsec2]destination-zone trust
[FW1-policy-security-rule-ipsec2]source-address 10.1.2.0 mask 255.255.255.0
[FW1-policy-security-rule-ipsec2]destination-address 10.1.1.0 mask 255.255.255.0
[FW1-policy-security-rule-ipsec2]action permit
[FW1-policy-security]rule name ipsec3
[FW1-policy-security-rule-ipsec3]source-zone local
[FW1-policy-security-rule-ipsec3]destination-zone untrust
[FW1-policy-security-rule-ipsec3]source-address 20.1.1.1 mask 255.255.255.255
[FW1-policy-security-rule-ipsec3]destination-address 20.1.1.2 mask 255.255.255.255
[FW1-policy-security-rule-ipsec3]action permit
[FW1-policy-security]rule name ipsec4
[FW1-policy-security-rule-ipsec4]source-zone untrust
[FW1-policy-security-rule-ipsec4]destination-zone local
[FW1-policy-security-rule-ipsec4]source-address 20.1.1.2 mask 255.255.255.255
[FW1-policy-security-rule-ipsec4]destination-address 20.1.1.1 mask 255.255.255.255
[FW1-policy-security-rule-ipsec4]action permit
[FW2]security-policy
[FW2-policy-security]rule name ipsec1
[FW2-policy-security-rule-ipsec1]source-zone trust
[FW2-policy-security-rule-ipsec1]destination-zone untrust
[FW2-policy-security-rule-ipsec1]source-address 10.1.2.0 mask 255.255.255.0
[FW2-policy-security-rule-ipsec1]destination-address 10.1.1.0 mask 255.255.255.0
[FW2-policy-security-rule-ipsec1]action permit
[FW2-policy-security]rule name ipsec2
[FW2-policy-security-rule-ipsec2]source-zone untrust
[FW2-policy-security-rule-ipsec2]destination-zone trust
[FW2-policy-security-rule-ipsec2]source-address 10.1.1.0 mask 255.255.255.0
[FW2-policy-security-rule-ipsec2]destination-address 10.1.2.0 mask 255.255.255.0
[FW2-policy-security-rule-ipsec2]action permit
[FW2-policy-security]rule name ipsec3
[FW2-policy-security-rule-ipsec3]source-zone local
[FW2-policy-security-rule-ipsec3]destination-zone untrust
[FW2-policy-security-rule-ipsec3]source-address 20.1.1.2 mask 255.255.255.255
[FW2-policy-security-rule-ipsec3]destination-address 20.1.1.1 mask 255.255.255.255
[FW2-policy-security-rule-ipsec3]action permit
[FW2-policy-security]rule name ipsec4
[FW2-policy-security-rule-ipsec4]source-zone untrust
[FW2-policy-security-rule-ipsec4]destination-zone local
[FW2-policy-security-rule-ipsec4]source-address 20.1.1.1 mask 255.255.255.255
[FW2-policy-security-rule-ipsec4]destination-address 20.1.1.2 mask 255.255.255.255
[FW2-policy-security-rule-ipsec4]action permit
PC1 and PC2 can now reach each other
FW1 and FW2 can now reach each other
Configure the IPSec policy
[FW1]acl 3000
[FW1-acl-adv-3000]rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 // match the traffic to be protected by the tunnel
[FW1]ipsec proposal propAB // configure the firewall's IPSec proposal
[FW1-ipsec-proposal-propAB]encapsulation-mode auto // use auto encapsulation mode
[FW1]ike proposal 1 // configure the IKE proposal
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96 // integrity algorithm of the IKE proposal is aes-xcbc-96
[FW1]ike peer ikeAB // configure the IKE peer
[FW1-ike-peer-ikeAB]exchange-mode auto // IKE peer exchange mode is auto
[FW1-ike-peer-ikeAB]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeAB]ike-proposal 1
[FW1-ike-peer-ikeAB]remote-id-type ip
[FW1-ike-peer-ikeAB]remote-id 20.1.1.2
[FW1-ike-peer-ikeAB]local-id 20.1.1.1
[FW1-ike-peer-ikeAB]remote-address 20.1.1.2 // IP address of the IKE peer
[FW1]ipsec policy ipsecAB 1 isakmp // configure the firewall's IPSec policy
[FW1-ipsec-policy-isakmp-ipsecAB-1]security acl 3000
[FW1-ipsec-policy-isakmp-ipsecAB-1]ike-peer ikeAB
[FW1-ipsec-policy-isakmp-ipsecAB-1]proposal propAB
[FW1-ipsec-policy-isakmp-ipsecAB-1]tunnel local applied-interface
[FW2]acl 3000
[FW2-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2]ipsec proposal propBA
[FW2-ipsec-proposal-propBA]encapsulation-mode auto
[FW2]ike proposal 1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2]ike peer ikeBA
[FW2-ike-peer-ikeBA]exchange-mode auto
[FW2-ike-peer-ikeBA]pre-shared-key ABCabc@123
[FW2-ike-peer-ikeBA]ike-proposal 1
[FW2-ike-peer-ikeBA]remote-id-type ip
[FW2-ike-peer-ikeBA]remote-id 20.1.1.1
[FW2-ike-peer-ikeBA]local-id 20.1.1.2
[FW2-ike-peer-ikeBA]remote-address 20.1.1.1
[FW2]ipsec policy ipsecBA 1 isakmp
[FW2-ipsec-policy-isakmp-ipsecBA-1]security acl 3000
[FW2-ipsec-policy-isakmp-ipsecBA-1]ike-peer ikeBA
[FW2-ipsec-policy-isakmp-ipsecBA-1]proposal propBA
[FW2-ipsec-policy-isakmp-ipsecBA-1]tunnel local applied-interface
Apply the IPSec policy
[FW1-GigabitEthernet1/0/6]ipsec policy ipsecAB
[FW2-GigabitEthernet1/0/6]ipsec policy ipsecBA
Verification
When PC1 pings PC2, capture packets on FW1's G1/0/6 interface
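Almost every tunnel that fails to come up in this kind of lab fails because the two sides do not mirror each other: a mistyped pre-shared key, a remote-id that does not equal the peer's local-id, an ACL whose source and destination are not swapped on the other side, a missing static route, or a security policy that never permits the local-zone IKE/ESP traffic. The script below is an added example and is not code from the original post or from Huawei. It parses CLI transcripts in the page's `[FW1-context]command` layout for both firewalls, checks each of those conditions, and returns a list of findings (empty means consistent). It assumes the zone names trust/untrust/local, one applied IPSec policy per side, and a transcript in the page's own format; the sample transcripts are constructed from the page's addresses. Note that the page's `ike proposal 1` sets only the integrity algorithm, so encryption, authentication method, DH group and lifetimes come from the platform defaults; the checker validates peer consistency, not algorithm strength. Once the tunnel is up, a PC1-to-PC2 ping captured on G1/0/6 should appear as ESP between 20.1.1.1 and 20.1.1.2 rather than as plaintext ICMP.

```python
"""Peer-consistency check for a point-to-point IPSec tunnel on Huawei USG-style
firewalls (added example, not code from the original post). It parses both peers'
CLI transcripts and reports mismatches that stop IKE/IPSec from negotiating or
leave the tunnel traffic blocked by the security policy."""
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)(?:-(?P<ctx>[^\]]+))?\](?P<cmd>.+)$")

def parse(transcript):
    """Turn 'prompt + command' lines into a settings dict; unknown lines are skipped."""
    cfg = {"routes": [], "acl": defaultdict(list), "peers": defaultdict(dict), "proposals": set(),
           "policies": defaultdict(dict), "applied": {}, "if_ip": {}, "rules": defaultdict(dict)}
    for raw in transcript.strip().splitlines():
        m = PROMPT.match(raw.strip())
        cmd = m.group("cmd").split("//")[0].split() if m else []  # drop trailing // comments
        if not cmd:
            continue
        ctx = m.group("ctx") or ""
        if cmd[:2] == ["ip", "route-static"]:
            cfg["routes"].append((cmd[2], int(cmd[3]), cmd[4]))
        elif cmd[:2] == ["ike", "proposal"]:
            cfg["proposals"].add(cmd[2])
        elif ctx.startswith("acl-adv-") and cmd[0] == "rule" and cmd[2] == "permit":
            cfg["acl"][ctx[8:]].append((cmd[5], cmd[6], cmd[8], cmd[9]))  # src, wildcard, dst, wildcard
        elif ctx.startswith("ike-peer-") and len(cmd) == 2:
            cfg["peers"][ctx[9:]][cmd[0]] = cmd[1]
        elif ctx.startswith("ipsec-policy-"):  # 'security acl N' is keyed as 'acl', the rest by keyword
            cfg["policies"][ctx.split("-")[3]][cmd[1] if cmd[0] == "security" else cmd[0]] = cmd[-1]
        elif ctx.startswith("policy-security-rule-") and len(cmd) >= 2:
            cfg["rules"][ctx.rsplit("-", 1)[1]][cmd[0]] = cmd[1]
        elif ctx.startswith("GigabitEthernet") and cmd[:2] == ["ipsec", "policy"]:
            cfg["applied"][ctx] = cmd[2]
        elif ctx.startswith("GigabitEthernet") and len(cmd) > 2 and cmd[0] == "ip" and "address".startswith(cmd[1]):
            cfg["if_ip"][ctx] = cmd[2]
    return cfg

def wild_to_len(wild):
    """Wildcard mask (0.0.0.255) -> prefix length (24)."""
    return 32 - sum(bin(int(o)).count("1") for o in wild.split("."))

def permits(cfg, sz, dz, sa, da):
    """True if some security-policy rule permits sa -> da from zone sz to zone dz."""
    return any(r.get("action") == "permit" and (r.get("source-zone"), r.get("destination-zone"),
               r.get("source-address"), r.get("destination-address")) == (sz, dz, sa, da)
               for r in cfg["rules"].values())

def check_side(a, b, tag):
    """Findings for side a negotiating with side b; an empty list means consistent."""
    out, b_pol = [], b["policies"].get(next(iter(b["applied"].values()), None), {})
    b_peer = b["peers"].get(b_pol.get("ike-peer"), {})
    for iface, pname in a["applied"].items():
        pol = a["policies"].get(pname, {})
        peer = a["peers"].get(pol.get("ike-peer"), {})
        local, remote = a["if_ip"].get(iface), peer.get("remote-address")
        if peer.get("ike-proposal") not in a["proposals"]:
            out.append(f"{tag}: ike peer {pol.get('ike-peer')} references an undefined ike proposal")
        if peer.get("pre-shared-key") != b_peer.get("pre-shared-key"):
            out.append(f"{tag}: pre-shared key differs from the peer's")
        if peer.get("remote-id") != b_peer.get("local-id") or remote != b_peer.get("local-id"):
            out.append(f"{tag}: remote-id/remote-address {remote} do not match the peer's local-id")
        if not (permits(a, "local", "untrust", local, remote) and permits(a, "untrust", "local", remote, local)):
            out.append(f"{tag}: security policy blocks IKE/ESP between {local} and {remote}")
        mine = set(a["acl"].get(pol.get("acl"), []))
        theirs = {(d, dw, s, sw) for s, sw, d, dw in b["acl"].get(b_pol.get("acl"), [])}  # swapped view
        if mine != theirs:
            out.append(f"{tag}: ACL {pol.get('acl')} is not the mirror image of the peer's ACL")
        for s, sw, d, dw in mine:
            if (d, wild_to_len(dw), remote) not in a["routes"]:
                out.append(f"{tag}: no static route to {d}/{wild_to_len(dw)} via {remote}")
            if not (permits(a, "trust", "untrust", s, d) and permits(a, "untrust", "trust", d, s)):
                out.append(f"{tag}: security policy blocks {s} <-> {d}")
    return out

def check_pair(fw1, fw2):
    a, b = parse(fw1), parse(fw2)
    return check_side(a, b, "FW1") + check_side(b, a, "FW2")

def side(dev, lan, wan, peer_lan, peer_wan, psk, tag):
    """Constructed transcript for one firewall, laid out like the page's configuration."""
    p, peer, pol = f"[{dev}", f"[{dev}-ike-peer-ike{tag}]", f"[{dev}-ipsec-policy-isakmp-ipsec{tag}-1]"
    lines = [f"{p}-GigabitEthernet1/0/6]ip add {wan} 24", f"{p}]ip route-static {peer_lan} 24 {peer_wan}",
             f"{p}-acl-adv-3000]rule 5 permit ip source {lan} 0.0.0.255 destination {peer_lan} 0.0.0.255",
             f"{p}]ike proposal 1", f"{peer}pre-shared-key {psk}", f"{peer}ike-proposal 1",
             f"{peer}remote-id {peer_wan}", f"{peer}local-id {wan}", f"{peer}remote-address {peer_wan}",
             f"{pol}security acl 3000", f"{pol}ike-peer ike{tag}", f"{p}-GigabitEthernet1/0/6]ipsec policy ipsec{tag}"]
    for name, sz, dz, sa, sm, da, dm in [("ipsec1", "trust", "untrust", lan, "255.255.255.0", peer_lan, "255.255.255.0"),
                                         ("ipsec2", "untrust", "trust", peer_lan, "255.255.255.0", lan, "255.255.255.0"),
                                         ("ipsec3", "local", "untrust", wan, "255.255.255.255", peer_wan, "255.255.255.255"),
                                         ("ipsec4", "untrust", "local", peer_wan, "255.255.255.255", wan, "255.255.255.255")]:
        r = f"{p}-policy-security-rule-{name}]"
        lines += [f"{r}source-zone {sz}", f"{r}destination-zone {dz}", f"{r}source-address {sa} mask {sm}",
                  f"{r}destination-address {da} mask {dm}", f"{r}action permit"]
    return "\n".join(lines)

# Constructed sample transcripts using the addresses from the page.
FW1 = side("FW1", "10.1.1.0", "20.1.1.1", "10.1.2.0", "20.1.1.2", "ABCabc@123", "AB")
FW2 = side("FW2", "10.1.2.0", "20.1.1.2", "10.1.1.0", "20.1.1.1", "ABCabc@123", "BA")

if __name__ == "__main__":
    print(check_pair(FW1, FW2) or "consistent")
    print(check_pair(FW1, FW2.replace("ABCabc@123", "ABCabc@124")))  # a one-character key typo
```

To use it against a real pair of devices, paste the two `display current-configuration` style transcripts (one prompt-prefixed command per line) in place of the constructed `FW1` and `FW2` strings; a non-empty result points at the side and the setting to fix before reaching for a packet capture.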