Topology (diagram not reproduced; recovered from the configurations below): HQ LAN 192.168.10.0/24 (PC 192.168.10.10) -- FW1 (G0/0/0 192.168.10.1, G0/0/1 220.163.100.2) -- router (220.163.100.1 / 220.163.200.1) -- FW2 (G0/0/1 220.163.200.2, G0/0/0 192.168.20.1) -- branch LAN 192.168.20.0/24 (PC 192.168.20.20)
This lab shows how to build an IPSec tunnel when the egress gateways of the headquarters and the branch office are also the NAT devices, so that the HQ and branch networks can reach each other while both can still reach the Internet. Because each tunnel terminates on the public interface of the gateway that performs the NAT, there is no NAT device between the two IKE peers; the gateways translate only the hosts behind them, not their own IKE/ESP packets, so NAT traversal (NAT-T) is not required and the verification output at the end shows it switched off.
I. The router's only role is to make FW1 and FW2 reachable from each other. It is configured as follows:
interface GigabitEthernet0/0/0
ip address 220.163.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.1 255.255.255.0
II. FW1 configuration:
1. Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
2. Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1
3. Enable interzone packet filtering. For convenience in this lab all interzone traffic is permitted; in production, open only the interzone policies the requirements call for. Note that "permit all" also opens untrust-to-trust, so nothing is inspecting inbound traffic here. A real deployment needs explicit rules: IKE (UDP 500, plus UDP 4500 when NAT-T is in play) and ESP (IP protocol 50) from the peer to the firewall's own public address, and only the trust-untrust traffic that is actually wanted.
firewall packet-filter default permit all
4. Configure a default static route toward the router.
ip route-static 0.0.0.0 0.0.0.0 220.163.100.1
5. Define the traffic to be protected (the IPSec interesting traffic).
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
6. Configure the IPSec proposal tran1 (ESP with AES encryption and SHA-1 HMAC authentication; the AES key length is left at the device default here).
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
7. Configure the IKE proposal. Only the authentication method and the hash algorithm are set; the IKE encryption algorithm and the Diffie-Hellman group are inherited from the device defaults. On production equipment set both explicitly to current values rather than relying on whatever the firmware defaults to.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
8. Configure the IKE peer. remote-address is FW2's public address. The pre-shared key ccieh3c.com is a lab value; in a real deployment use a long, random secret and keep it identical on both sides.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.200.2
9. Configure the IPSec policy in isakmp mode (keys negotiated by IKE), binding the ACL, the IKE peer and the proposal.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1
10. Apply IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
ipsec policy map1
11. Configure NAT. First exempt (no-nat) the traffic that IPSec will encrypt, then define the traffic to be source-NATed. The exempted flow must match the IPSec-protected flow in ACL 3000 exactly: on the outbound path NAT is applied before the IPSec policy is evaluated, so if any part of the protected flow is translated to the public interface address it no longer matches ACL 3000 and leaves in the clear (or is dropped by the far side) instead of going through the tunnel. Policy order matters as well: the no-nat policy must be listed before the source-nat policy.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
III. FW2 configuration:
1. Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
2. Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1
3. Enable interzone packet filtering (permit all, as on FW1, for lab convenience only; in production open only the interzone policies the requirements call for).
firewall packet-filter default permit all
4. Configure a default static route toward the router.
ip route-static 0.0.0.0 0.0.0.0 220.163.200.1
5. Define the traffic to be protected. This is the mirror image of FW1's ACL 3000: source and destination are swapped.
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
6. Configure the IPSec proposal tran1 (identical to FW1's).
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
7. Configure the IKE proposal (identical to FW1's; the same caveat about default encryption algorithm and DH group applies).
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
8. Configure the IKE peer. remote-address is FW1's public address, and the pre-shared key must be the same as on FW1.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.100.2
9. Configure the IPSec policy (isakmp mode).
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1
10. Apply IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
ipsec policy map1
11. Configure NAT. As on FW1, exempt the IPSec-protected flow first and then source-NAT everything else. The no-nat flow must be exactly FW2's ACL 3000 flow (which is the reverse of FW1's), and the no-nat policy must precede the source-nat policy.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
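The exact-match requirement in step 11 is easy to break on one side only: a different wildcard mask, a swapped source/destination, or a source-nat rule that ends up above the exemption. The script below is an added example, not part of the original post and not a Huawei tool: it parses the ACL and nat-policy fragments from steps 5 and 11 of both firewalls (embedded here as constructed strings copied from the configuration above), reports any exemption that does not match the protected flow, flags a source-nat rule listed before the exemption, and checks that FW2's protected flow is the reverse of FW1's. The parser is a minimal, hypothetical one that understands only the commands used in this lab, and it assumes, as the lab does, that NAT policies are matched top-down in the order listed.

```python
"""Added example (not from the original post): audit Huawei USG NAT-exemption rules
against the IPSec interesting-traffic ACL.  Hypothetical minimal parser for this lab."""
import ipaddress
import re

# Constructed input: the ACL and NAT fragments from FW1's and FW2's configurations above.
FW1_CONFIG = """
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
"""
FW2_CONFIG = """
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
"""
# Constructed broken variants: a wildcard typo, and the exemption listed after source-nat.
FW1_WRONG_MASK = FW1_CONFIG.replace("policy destination 192.168.20.0 0.0.0.255",
                                    "policy destination 192.168.20.0 0.0.0.127")
FW1_WRONG_ORDER = """
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/1
policy 2
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
RULE_RE = re.compile(r"^rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$")
POLICY_RE = re.compile(r"^policy (\d+)$")
ACTION_RE = re.compile(r"^action (\S+)$")
FLOW_RE = re.compile(r"^policy (source|destination) (\S+) (\S+)$")


def wildcard_to_network(address, wildcard):
    """Huawei ACL/NAT syntax uses a wildcard (inverse) mask: 0 bits must match."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask >> (32 - prefix) != (1 << prefix) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)


def parse(config):
    """Return ({acl_number: [(src_net, dst_net), ...]}, [nat policies in listed order])."""
    acls, policies, section, acl = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            section, acl = "acl", int(m.group(1))
            acls.setdefault(acl, [])
        elif line.startswith("nat-policy interzone"):
            section = "nat"
        elif section == "acl" and (m := RULE_RE.match(line)):
            acls[acl].append((wildcard_to_network(m.group(1), m.group(2)),
                              wildcard_to_network(m.group(3), m.group(4))))
        elif section == "nat" and (m := POLICY_RE.match(line)):
            policies.append({"id": int(m.group(1)), "action": None, "source": None, "destination": None})
        elif section == "nat" and (m := ACTION_RE.match(line)):
            policies[-1]["action"] = m.group(1)
        elif section == "nat" and (m := FLOW_RE.match(line)):
            policies[-1][m.group(1)] = wildcard_to_network(m.group(2), m.group(3))
    return acls, policies


def flow(src, dst):
    return f"{src}->{dst}"


def audit(config, acl_number=3000):
    """Problems with one firewall's NAT exemption; an empty list means it is consistent."""
    acls, policies = parse(config)
    protected = set(acls.get(acl_number, []))
    if not protected:
        return [f"ACL {acl_number} protects nothing"]
    problems = []
    exempt = {(p["source"], p["destination"]) for p in policies if p["action"] == "no-nat"}
    if exempt != protected:
        problems.append(f"no-nat flows {sorted(flow(*f) for f in exempt)} != "
                        f"ACL {acl_number} flows {sorted(flow(*f) for f in protected)}")
    # Assumption (the lab's own ordering practice): policies are matched top-down as listed.
    actions = [p["action"] for p in policies]
    if "no-nat" in actions and "source-nat" in actions and actions.index("source-nat") < actions.index("no-nat"):
        problems.append("source-nat is listed before no-nat: protected traffic would be translated "
                        "before the IPSec policy sees it and would no longer match the ACL")
    return problems


def mirror_check(fw1_config, fw2_config, acl_number=3000):
    """The branch's protected flow must be the exact reverse of the headquarters' flow."""
    fw1 = {(d, s) for s, d in parse(fw1_config)[0].get(acl_number, [])}
    fw2 = set(parse(fw2_config)[0].get(acl_number, []))
    return [] if fw1 == fw2 else [f"FW1 reversed {sorted(flow(*f) for f in fw1)} != FW2 {sorted(flow(*f) for f in fw2)}"]


if __name__ == "__main__":
    for name, cfg in [("FW1", FW1_CONFIG), ("FW2", FW2_CONFIG),
                      ("FW1 wrong mask", FW1_WRONG_MASK), ("FW1 wrong order", FW1_WRONG_ORDER)]:
        print(name, audit(cfg) or "OK")
    print("mirror", mirror_check(FW1_CONFIG, FW2_CONFIG) or "OK")
```

Run it against a saved `display current-configuration` excerpt from each firewall; both sides of the lab come back clean, the wrong-mask variant reports a /25 exemption against a /24 ACL, and the wrong-order variant reports the source-nat rule shadowing the exemption.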
IV. Verification
1. FW1 shows the corresponding IKE SAs. Phase v2:1 is the IKEv2 IKE SA and v2:2 the child (IPSec) SA; RD (READY) on both lines means negotiation completed.
dis ike sa
23:30:22 2014/03/19
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer             flag     phase   vpn
-----------------------------------------------------------------------------
40001      220.163.200.2    RD|ST    v2:2    public
1          220.163.200.2    RD|ST    v2:1    public

flag meaning
RD--READY    ST--STAYALIVE    RL--REPLACED    FD--FADING
TO--TIMEOUT    TD--DELETING    NEG--NEGOTIATING    D--DPD
2. FW2 shows the same two SAs from its side, with FW1's public address as the peer.
dis ike sa
23:31:10 2014/03/19
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer             flag     phase   vpn
-----------------------------------------------------------------------------
40001      220.163.100.2    RD       v2:2    public
1          220.163.100.2    RD       v2:1    public

flag meaning
RD--READY    ST--STAYALIVE    RL--REPLACED    FD--FADING
TO--TIMEOUT    TD--DELETING    NEG--NEGOTIATING    D--DPD
3. IPSec SA on FW1. Points to check: the flow source/destination match ACL 3000 rule 5, the proposal is ESP-ENCRYPT-AES ESP-AUTH-SHA1 as configured, the sequence-number counters grow as traffic flows, and "udp encapsulation used for nat traversal: N" confirms that NAT-T is not in use, as expected when the tunnel terminates on the NAT devices themselves.
dis ipsec sa
23:33:03 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 23m 33s
tunnel local : 220.163.100.2    tunnel remote: 220.163.200.2
flow source: 192.168.10.0-192.168.10.255 0-65535 0
flow destination: 192.168.20.0-192.168.20.255 0-65535 0
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
vpn: public    said: 0    cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277260/2187
max received sequence-number: 2659
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
vpn: public    said: 1    cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277200/2187
max sent sequence-number: 2661
udp encapsulation used for nat traversal: N
4. IPSec SA on FW2. The SPIs are the mirror image of FW1's: FW1's inbound SPI 0x7f27428c is FW2's outbound SPI, and FW1's outbound SPI 0xc6c1e9fb is FW2's inbound SPI, which is exactly what a single pair of ESP SAs between two peers should look like.
dis ipsec sa
23:34:06 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 24m 36s
tunnel local : 220.163.200.2    tunnel remote: 220.163.100.2
flow source: 192.168.20.0-192.168.20.255 0-65535 0
flow destination: 192.168.10.0-192.168.10.255 0-65535 0
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
vpn: public    said: 0    cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270000/2124
max received sequence-number: 2780
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
vpn: public    said: 1    cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270060/2124
max sent sequence-number: 2780
udp encapsulation used for nat traversal: N
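Reading the two `display ipsec sa` outputs against each other by eye is error-prone, and the things worth comparing (SPIs crossed over, identical proposals, matching tunnel endpoints, NAT-T state on both ends) are the same on every site-to-site tunnel. The script below is an added example, not part of the original post and not a Huawei tool: it parses the relevant lines of both outputs (embedded here as constructed strings copied from the two displays above) and cross-checks them. The `expect_nat_t` parameter is this example's own: it is `False` for this lab because the firewalls are the NAT devices and terminate the tunnel themselves, and would be `True` if a third NAT sat between the two peers, in which case the output should also show NAT-T in use.

```python
"""Added example (not from the original post): parse 'display ipsec sa' output from both
ends of the tunnel and cross-check that the two firewalls describe the same pair of ESP SAs."""
import re

# Constructed input: the SA-relevant lines from FW1's and FW2's displays above.
FW1_IPSEC_SA = """\
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
flow source: 192.168.10.0-192.168.10.255 0-65535 0
flow destination: 192.168.20.0-192.168.20.255 0-65535 0
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277260/2187
max received sequence-number: 2659
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277200/2187
max sent sequence-number: 2661
udp encapsulation used for nat traversal: N
"""
FW2_IPSEC_SA = """\
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
flow source: 192.168.20.0-192.168.20.255 0-65535 0
flow destination: 192.168.10.0-192.168.10.255 0-65535 0
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270000/2124
max received sequence-number: 2780
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270060/2124
max sent sequence-number: 2780
udp encapsulation used for nat traversal: N
"""

TUNNEL_RE = re.compile(r"^tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)$")
SPI_RE = re.compile(r"^spi: (\d+) \((0x[0-9a-fA-F]+)\)$")
LIFE_RE = re.compile(r"^sa remaining key duration \(bytes/sec\): (\d+)/(\d+)$")
SEQ_RE = re.compile(r"^max (sent|received) sequence-number: (\d+)$")
NATT_RE = re.compile(r"^udp encapsulation used for nat traversal: ([YN])$")


def parse_ipsec_sa(text):
    """Return tunnel endpoints plus one dict per direction (inbound/outbound)."""
    sa = {"local": None, "remote": None, "inbound": {}, "outbound": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TUNNEL_RE.match(line):
            sa["local"], sa["remote"] = m.groups()
        elif line == "[inbound ESP SAs]":
            cur = sa["inbound"]
        elif line == "[outbound ESP SAs]":
            cur = sa["outbound"]
        elif cur is None:
            continue  # header lines before the first SA block
        elif m := SPI_RE.match(line):
            cur["spi"] = int(m.group(1))
            cur["spi_hex_consistent"] = int(m.group(2), 16) == cur["spi"]
        elif line.startswith("proposal: "):
            cur["proposal"] = line[len("proposal: "):].split()
        elif m := LIFE_RE.match(line):
            cur["bytes_left"], cur["secs_left"] = int(m.group(1)), int(m.group(2))
        elif m := SEQ_RE.match(line):
            cur["seq"] = int(m.group(2))
        elif m := NATT_RE.match(line):
            cur["nat_t"] = m.group(1) == "Y"
    return sa


def cross_check(fw1, fw2, expect_nat_t=False):
    """Problems found when comparing both ends; an empty list means the SAs agree."""
    problems = []
    if (fw1["local"], fw1["remote"]) != (fw2["remote"], fw2["local"]):
        problems.append("tunnel endpoints are not mirror images of each other")
    # One ESP SA pair: what FW1 receives on, FW2 must send on, and vice versa.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = fw1[mine], fw2[theirs]
        if a["spi"] != b["spi"]:
            problems.append(f"FW1 {mine} SPI {a['spi']:#x} != FW2 {theirs} SPI {b['spi']:#x}")
        if a["proposal"] != b["proposal"]:
            problems.append(f"proposal mismatch on FW1 {mine}: {a['proposal']} vs {b['proposal']}")
        if not (a["spi_hex_consistent"] and b["spi_hex_consistent"]):
            problems.append("decimal and hex SPI values disagree in the output")
    # NAT-T must be off when the IKE peers are the NAT devices, on when a NAT sits between them.
    for name, fw in (("FW1", fw1), ("FW2", fw2)):
        for direction in ("inbound", "outbound"):
            if fw[direction]["nat_t"] != expect_nat_t:
                problems.append(f"{name} {direction}: nat traversal is "
                                f"{'on' if fw[direction]['nat_t'] else 'off'}, expected "
                                f"{'on' if expect_nat_t else 'off'}")
    return problems


if __name__ == "__main__":
    fw1, fw2 = parse_ipsec_sa(FW1_IPSEC_SA), parse_ipsec_sa(FW2_IPSEC_SA)
    print(cross_check(fw1, fw2) or "SAs agree on both ends")
```

The sequence-number counters are deliberately not compared between the two ends: the two displays were taken a minute apart, so FW2 had already sent and received more packets than FW1 had seen; those counters are only meaningful as a before/after check on one firewall.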
5. Ping between the two PCs (192.168.10.10 at HQ and 192.168.20.20 at the branch). ttl=126 on the replies means the inner packet's TTL was decremented exactly twice, once by each firewall: the router in the middle only forwards the outer ESP packet, so the pings are crossing the tunnel rather than being NATed out to the Internet. A stricter check is that the max sent/received sequence-number counters in display ipsec sa grow with each ping.
PC>ping 192.168.20.20
Ping 192.168.20.20: 32 data bytes, Press Ctrl_C to break
From 192.168.20.20: bytes=32 seq=1 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=2 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=3 ttl=126 time=32 ms
From 192.168.20.20: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.20.20: bytes=32 seq=5 ttl=126 time=94 ms
— 192.168.20.20 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/53/94 ms
PC>ping 192.168.10.10
Ping 192.168.10.10: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: bytes=32 seq=1 ttl=126 time=32 ms
From 192.168.10.10: bytes=32 seq=2 ttl=126 time=62 ms
From 192.168.10.10: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.10.10: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.10.10: bytes=32 seq=5 ttl=126 time=62 ms
— 192.168.10.10 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/53/63 ms
This article is reposted from the WeChat official account 网络之路博客.