Point-to-point IPSec *** configuration

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159727381514.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

1. Basic configuration: IP addresses and zones

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159760328495.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/0
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159783136296.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW2-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2-GigabitEthernet1/0/1]ip add 10.1.2.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/0

[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW2]ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
```

2. Configure the point-to-point IPSec ***

(1) Configure the security policies: ipsec1 permits traffic between sites A and B; ipsec2 permits the IKE negotiation packets and the encrypted packets between the two firewalls themselves (zone local to untrust and back).

```
[FW1]security-policy
[FW1-policy-security]rule name ipsec1
[FW1-policy-security-rule-ipsec1]source-zone trust
[FW1-policy-security-rule-ipsec1]source-zone untrust
[FW1-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]destination-zone trust
[FW1-policy-security-rule-ipsec1]destination-zone untrust
[FW1-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]action permit
[FW1-policy-security]rule name ipsec2
[FW1-policy-security-rule-ipsec2]source-zone local untrust
[FW1-policy-security-rule-ipsec2]destination-zone local untrust
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159797736795.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW2]security-policy
[FW2-policy-security]rule name ipsec1
[FW2-policy-security-rule-ipsec1]source-zone trust untrust
[FW2-policy-security-rule-ipsec1]destination-zone trust untrust
[FW2-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]action permit
[FW2-policy-security]rule name ipsec2
[FW2-policy-security-rule-ipsec2]source-zone local untrust
[FW2-policy-security-rule-ipsec2]destination-zone local untrust
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.2 32   // both tunnel endpoints, mirroring FW1's rule
[FW2-policy-security-rule-ipsec2]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159823796907.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

(2) Configure the IPSec policy. Note that only the integrity algorithm of the IKE proposal and the encapsulation mode of the IPSec proposal are set explicitly; every other IKE and IPSec parameter (encryption algorithm, DH group, authentication method, lifetimes) is left at the device default, so both peers must be running the same defaults for the negotiation to succeed.

```
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255   // match the traffic to be protected
[FW1]ipsec proposal propab   // configure the IPSec proposal
[FW1-ipsec-proposal-propab]encapsulation-mode auto   // use automatic encapsulation mode
[FW1]ike proposal 1   // configure the IKE proposal
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96   // IKE proposal integrity algorithm: AES-XCBC-96
[FW1]ike peer ikeab   // configure the IKE peer
[FW1-ike-peer-ikeab]exchange-mode auto   // choose the exchange mode between peers automatically
[FW1-ike-peer-ikeab]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeab]ike-proposal 1
[FW1-ike-peer-ikeab]remote-id-type ip
[FW1-ike-peer-ikeab]remote-id 20.1.1.2
[FW1-ike-peer-ikeab]remote-address 20.1.1.2
[FW1-ike-peer-ikeab]local-id 20.1.1.1
[FW1]ipsec policy ipsecab 1 isakmp   // configure the firewall's IPSec policy (ISAKMP mode)
[FW1-ipsec-policy-isakmp-ipsecab-1]security acl 3000
[FW1-ipsec-policy-isakmp-ipsecab-1]ike-peer ikeab
[FW1-ipsec-policy-isakmp-ipsecab-1]proposal propab
[FW1-ipsec-policy-isakmp-ipsecab-1]tunnel local applied-interface

[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2]ipsec proposal propba
[FW2-ipsec-proposal-propba]encapsulation-mode auto
[FW2]ike proposal 1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2]ike peer ikeba
[FW2-ike-peer-ikeba]exchange-mode auto
[FW2-ike-peer-ikeba]pre-shared-key ABCabc@123
[FW2-ike-peer-ikeba]ike-proposal 1
[FW2-ike-peer-ikeba]remote-id-type ip
[FW2-ike-peer-ikeba]remote-id 20.1.1.1
[FW2-ike-peer-ikeba]remote-address 20.1.1.1
[FW2-ike-peer-ikeba]local-id 20.1.1.2
[FW2]ipsec policy ipsecba 1 isakmp
[FW2-ipsec-policy-isakmp-ipsecba-1]security acl 3000
[FW2-ipsec-policy-isakmp-ipsecba-1]ike-peer ikeba
[FW2-ipsec-policy-isakmp-ipsecba-1]proposal propba
[FW2-ipsec-policy-isakmp-ipsecba-1]tunnel local applied-interface
```

(3) Apply the IPSec policy on the outbound interfaces

```
[FW1-GigabitEthernet1/0/0]ipsec policy ipsecab
[FW2-GigabitEthernet1/0/0]ipsec policy ipsecba
```

3. Verification

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159847355377.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

Capture packets on FW1's outbound interface while PC1 pings PC2.

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159858686798.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
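Most failures of a setup like the one above are mirror-image mistakes between the two peers (pre-shared keys that differ, an ACL that is not the reverse of the other side's, a remote-id that does not equal the peer's local-id). The following checker is an added example, not part of the original post or of any Huawei tool: it parses CLI lines in the `[FWx-context]command` form shown on this page, extracts the interface addresses, ACL 3000 rules and IKE peer settings of each firewall, and reports the mismatches. The sample lines are taken from the configuration above, except that FW2's pre-shared key is deliberately changed (a constructed error) so that the checker has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: the IPsec-relevant lines of FW1 and FW2 from the page, with FW2's
# pre-shared key deliberately changed to ABCabc@124 so that the checker has something to report.
SAMPLE = """
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-ike-peer-ikeab]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeab]remote-id 20.1.1.2
[FW1-ike-peer-ikeab]remote-address 20.1.1.2
[FW1-ike-peer-ikeab]local-id 20.1.1.1
[FW2-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW2-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2-ike-peer-ikeba]pre-shared-key ABCabc@124
[FW2-ike-peer-ikeba]remote-id 20.1.1.1
[FW2-ike-peer-ikeba]remote-address 20.1.1.1
[FW2-ike-peer-ikeba]local-id 20.1.1.2
"""
# "[FW1-ike-peer-ikeab]remote-id 20.1.1.2" -> dev=FW1, ctx=ike-peer-ikeab, cmd=remote-id 20.1.1.2
LINE = re.compile(r"^\[(?P<dev>[^\]\-]+)(?:-(?P<ctx>[^\]]*))?\](?P<cmd>.*)$")
IKE_KEYS = {"pre-shared-key": "psk", "remote-address": "remote_address",
            "remote-id": "remote_id", "local-id": "local_id"}

def parse(text):
    """Per device: interface addresses, ACL 3000 (source, destination) pairs, IKE peer settings."""
    devs = defaultdict(lambda: {"addrs": set(), "acl": [], "psk": None,
                                "remote_address": None, "remote_id": None, "local_id": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group("cmd").split():
            continue
        d, ctx, cmd = devs[m.group("dev")], m.group("ctx") or "", m.group("cmd").split()
        if ctx.startswith("GigabitEthernet") and cmd[:2] == ["ip", "add"]:
            d["addrs"].add(cmd[2])
        elif ctx.startswith("acl-") and cmd[:3] == ["rule", "permit", "ip"]:
            d["acl"].append((f"{cmd[4]} {cmd[5]}", f"{cmd[7]} {cmd[8]}"))  # source, destination
        elif ctx.startswith("ike-peer") and cmd[0] in IKE_KEYS:
            d[IKE_KEYS[cmd[0]]] = cmd[1]
    return devs

def check_pair(devs, a, b):
    da, db, findings = devs[a], devs[b], []
    if da["psk"] != db["psk"]:
        findings.append(f"pre-shared-key differs between {a} and {b}")
    if {(dst, src) for src, dst in db["acl"]} != set(da["acl"]):  # ACLs must be mirror images
        findings.append(f"acl 3000 on {a} does not mirror acl 3000 on {b}")
    for x, y in ((a, b), (b, a)):  # peer address and identity, checked in both directions
        if devs[x]["remote_address"] not in devs[y]["addrs"]:
            findings.append(f"{x} remote-address is not an interface address of {y}")
        if devs[x]["remote_id"] != devs[y]["local_id"]:
            findings.append(f"{x} remote-id does not equal {y} local-id")
    return findings
```

Run `check_pair(parse(SAMPLE), "FW1", "FW2")` to list the mismatches; with the constructed key typo it reports the pre-shared-key difference and nothing else.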