ipsec vpn 旁路nat,使用ike密钥交换

目标：总部（10.1.10.0/24、10.1.20.0/24，经 SW1/AR1）与分部（192.168.10.0/24、192.168.20.0/24，经 SW2/AR2）的 PC 通过 IPsec 隧道互通；两侧访问互联网的其余流量照常做 NAT，而站点间流量在 NAT 的 ACL 中用 deny 规则排除（即“旁路 NAT”）——否则出接口上源地址会先被转换，报文就无法命中感兴趣流 ACL，隧道永远不会触发。

拓扑：AR1 G0/0/0 1.1.1.1 —— 互联网路由器（G0/0/0 1.1.1.2，G0/0/1 2.2.2.2）—— AR2 G0/0/0 2.2.2.1；AR1 G0/0/1 10.1.100.2 下联 SW1 Vlanif100 10.1.100.1，AR2 G0/0/1 10.1.200.2 下联 SW2 Vlanif100 10.1.200.1。IKE 使用 v1 主模式 + 预共享密钥，IPsec 使用 ESP 隧道模式。下面配置中 `#` 之后的文字是给读者看的注释，粘贴到设备前请去掉。

互联网路由器:

# Internet (transit) router. Both public /24 networks are directly connected,
# so no static routes are needed here: AR1 and AR2 each point their default
# route at this router's address on their side.
system
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0 #toward AR1 (1.1.1.1)
#
interface GigabitEthernet0/0/1
 ip address 2.2.2.2 255.255.255.0 #toward AR2 (2.2.2.1)

AR1:

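system
sysname AR1
#
# Default route via the Internet router. The IKE/ESP packets to the peer's
# public address 2.2.2.1 follow this route; the remote LAN subnets do too,
# because the IPsec policy on G0/0/0 encapsulates them on the way out.
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
# IKE (phase 1) proposal. Every attribute must be identical to ike proposal 20
# on AR2 or phase 1 fails.
# NOTE(review): md5 and DH group 5 are weak by current standards. If the
# platform supports it, use "authentication-algorithm sha2-256" and
# "dh group14" -- on BOTH peers at the same time.
ike proposal 10
 encryption-algorithm aes-cbc-128 #AES-128-CBC for the IKE SA
 authentication-algorithm md5 #IKE integrity/PRF algorithm (weak, see note above)
 dh group5 #Diffie-Hellman group for the key exchange
 authentication-method pre-share #peers authenticate with a pre-shared key
#
# IKE peer (the name "AR1" is only a local label). IKEv1 main mode with PSK;
# main mode keeps peer identities out of the clear, unlike aggressive mode.
# NOTE(review): "admin@123" is a lab value. The PSK is the only thing that
# authenticates the peer; use a long random key in production. "cipher" means
# the key is stored encrypted in the configuration, it is typed in plaintext.
ike peer AR1 v1
 exchange-mode main
 pre-shared-key cipher admin@123
 ike-proposal 10
 remote-address 2.2.2.1 #public address of AR2
#
# IPsec (phase 2) proposal: ESP in tunnel mode. Must match ipsec proposal 20 on AR2.
# NOTE(review): prefer "esp authentication-algorithm sha2-256" on both peers.
ipsec proposal 10
 transform esp #ESP provides both encryption and integrity
 encapsulation-mode tunnel #whole original packet is protected; outer header carries 1.1.1.1 <-> 2.2.2.1
 esp authentication-algorithm md5 #ESP integrity (weak, see note above)
 esp encryption-algorithm aes-192 #ESP encryption
#
# Interesting traffic: HQ subnets to branch subnets. AR2 has the mirror image.
acl number 3000
 rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 10.1.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 15 permit ip source 10.1.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 20 permit ip source 10.1.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
# NAT ACL. On the outbound path NAT is applied before the IPsec policy
# evaluates ACL 3000, so the site-to-site flows must be denied here
# (deny = do not translate). Without these rules the source would be
# rewritten to 1.1.1.1, never match ACL 3000, and leave the router in clear.
# Keep the deny rules in lock-step with ACL 3000 whenever a subnet is added.
acl name nat 3001
 rule 5 deny ip source 10.1.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 #VPN flow, bypass NAT
 rule 6 deny ip source 10.1.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 #VPN flow, bypass NAT
 rule 7 deny ip source 10.1.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 #VPN flow, bypass NAT
 rule 8 deny ip source 10.1.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 #VPN flow, bypass NAT
 rule 10 permit ip source 10.1.10.0 0.0.0.255 #everything else from VLAN 10 is translated
 rule 20 permit ip source 10.1.20.0 0.0.0.255 #everything else from VLAN 20 is translated
#
# IPsec policy: binds interesting traffic, IKE peer and IPsec proposal.
ipsec policy hcip 10 isakmp
 security acl 3000
 ike-peer AR1
 proposal 10
#
# Public interface: IPsec policy plus outbound NAT using the interface address
# (no address group given, i.e. easy IP).
interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.0
 ipsec policy hcip
 nat outbound 3001
#
# Link to SW1 (its Vlanif100 is 10.1.100.1).
interface GigabitEthernet0/0/1
 ip address 10.1.100.2 255.255.255.0
#
# Routes to the local LAN subnets behind SW1. The remote subnets need no
# specific route: the default route carries them to G0/0/0 where the IPsec
# policy picks them up.
ip route-static 10.1.10.0 255.255.255.0 10.1.100.1
ip route-static 10.1.20.0 255.255.255.0 10.1.100.1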

SW1:

# HQ L3 switch. VLAN 10/20 are the user VLANs, VLAN 100 is the uplink to AR1.
system
sysname SW1
#
vlan batch 10 20 100
# SVIs for the user VLANs (presumably the hosts' default gateway -- confirm on the PCs).
interface Vlanif10
 ip address 10.1.10.254 255.255.255.0
#
interface Vlanif20
 ip address 10.1.20.254 255.255.255.0
#
# Uplink SVI toward AR1 (10.1.100.2).
interface Vlanif100
 ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100 #uplink to AR1 G0/0/1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10 #HQ host in VLAN 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20 #HQ host in VLAN 20
#
# Routes to the branch subnets via AR1. They are also covered by the default
# route below, so they are informational rather than required.
ip route-static 192.168.10.0 255.255.255.0 10.1.100.2
ip route-static 192.168.20.0 255.255.255.0 10.1.100.2
# Default route to the Internet via AR1 (AR1 translates this traffic with nat outbound).
ip route-static 0.0.0.0 0.0.0.0 10.1.100.2

AR2:

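system
sysname AR2
#
# Default route via the Internet router. IKE/ESP packets to the peer's public
# address 1.1.1.1 follow it, as do the HQ subnets, which the IPsec policy on
# G0/0/0 encapsulates on the way out.
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
#
# IKE (phase 1) proposal. Every attribute must be identical to ike proposal 10
# on AR1 or phase 1 fails.
# NOTE(review): md5 and DH group 5 are weak by current standards. If the
# platform supports it, use "authentication-algorithm sha2-256" and
# "dh group14" -- on BOTH peers at the same time.
ike proposal 20
 encryption-algorithm aes-cbc-128 #AES-128-CBC for the IKE SA
 authentication-algorithm md5 #IKE integrity/PRF algorithm (weak, see note above)
 dh group5 #Diffie-Hellman group for the key exchange
 authentication-method pre-share #peers authenticate with a pre-shared key
#
# IKE peer (the name "AR2" is only a local label). IKEv1 main mode with PSK;
# the key must be exactly the same string as on AR1.
# NOTE(review): "admin@123" is a lab value; use a long random key in production.
ike peer AR2 v1
 exchange-mode main
 pre-shared-key cipher admin@123
 ike-proposal 20
 remote-address 1.1.1.1 #public address of AR1
#
# IPsec (phase 2) proposal: ESP in tunnel mode. Must match ipsec proposal 10 on AR1.
# NOTE(review): prefer "esp authentication-algorithm sha2-256" on both peers.
ipsec proposal 20
 transform esp #ESP provides both encryption and integrity
 encapsulation-mode tunnel #outer header carries 2.2.2.1 <-> 1.1.1.1
 esp authentication-algorithm md5 #ESP integrity (weak, see note above)
 esp encryption-algorithm aes-192 #ESP encryption
#
# Interesting traffic: branch subnets to HQ subnets, the mirror image of ACL 3000 on AR1.
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.1.10.0 0.0.0.255
 rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.1.20.0 0.0.0.255
 rule 15 permit ip source 192.168.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255
 rule 20 permit ip source 192.168.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255
#
# NAT ACL. Outbound NAT runs before the IPsec policy evaluates ACL 3000, so the
# site-to-site flows are denied here (deny = do not translate); otherwise their
# source would become 2.2.2.1 and they would leave unencrypted.
# Keep the deny rules in lock-step with ACL 3000 whenever a subnet is added.
acl name nat 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 10.1.10.0 0.0.0.255 #VPN flow, bypass NAT
 rule 6 deny ip source 192.168.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255 #VPN flow, bypass NAT
 rule 7 deny ip source 192.168.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255 #VPN flow, bypass NAT
 rule 8 deny ip source 192.168.20.0 0.0.0.255 destination 10.1.20.0 0.0.0.255 #VPN flow, bypass NAT
 rule 10 permit ip source 192.168.10.0 0.0.0.255 #everything else from VLAN 10 is translated
 rule 20 permit ip source 192.168.20.0 0.0.0.255 #everything else from VLAN 20 is translated
#
# IPsec policy: binds interesting traffic, IKE peer and IPsec proposal.
ipsec policy hcip2 20 isakmp
 security acl 3000
 ike-peer AR2
 proposal 20
#
# Public interface: IPsec policy plus outbound NAT on the interface address (easy IP).
interface GigabitEthernet0/0/0
 ip address 2.2.2.1 255.255.255.0
 ipsec policy hcip2
 nat outbound 3001
#
# Link to SW2 (its Vlanif100 is 10.1.200.1).
interface GigabitEthernet0/0/1
 ip address 10.1.200.2 255.255.255.0
#
# Routes to the local LAN subnets behind SW2. Written with the network address;
# the original used the host addresses 192.168.10.1 / 192.168.20.1 as the prefix.
# The HQ subnets need no specific route: the default route carries them to
# G0/0/0 where the IPsec policy picks them up.
ip route-static 192.168.10.0 255.255.255.0 10.1.200.1
ip route-static 192.168.20.0 255.255.255.0 10.1.200.1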

SW2:

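# Branch L3 switch. VLAN 10/20 are the user VLANs, VLAN 100 is the uplink to AR2.
system
sysname SW2
#
vlan batch 10 20 100
# SVIs for the user VLANs (presumably the hosts' default gateway -- confirm on the PCs).
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
#
# Uplink SVI toward AR2 (10.1.200.2).
interface Vlanif100
 ip address 10.1.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100 #uplink to AR2 G0/0/1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10 #branch host in VLAN 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20 #branch host in VLAN 20
#
# Routes to the HQ subnets via AR2 (also covered by the default route below).
ip route-static 10.1.10.0 255.255.255.0 10.1.200.2
ip route-static 10.1.20.0 255.255.255.0 10.1.200.2
# Default route to the Internet via AR2. This was missing on SW2 although AR2
# has "nat outbound 3001" for branch Internet access and SW1 carries the
# matching route; without it branch hosts can only reach the HQ subnets.
ip route-static 0.0.0.0 0.0.0.0 10.1.200.2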

验证：
1. 从总部 PC（10.1.10.x / 10.1.20.x）ping 分部 PC（192.168.10.x / 192.168.20.x）。第一个报文会触发 IKE 协商，首包超时属正常，之后应当全部通。
2. 在 AR1/AR2 上执行 display ike sa 确认 IKE SA 已建立（v1 主模式下应看到阶段 1 和阶段 2 两条），执行 display ipsec sa 查看 IPsec SA，并观察加解密报文计数是否随 ping 增长。
3. 在 AR1/AR2 上执行 display nat session all，确认站点间流量没有生成 NAT 会话（说明确实旁路了 NAT），而 PC 访问互联网的流量有 NAT 会话。
4. 若 IKE 协商失败，优先核对两端 ike proposal / ipsec proposal 的加密算法、验证算法、DH 组以及预共享密钥是否完全一致，再检查 NAT ACL 的 deny 规则是否与感兴趣流 ACL 一一对应。
