点到点IPSec ***的配置
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159727381514.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
1.IP地址、区域等基础配置
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159760328495.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/0
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159783136296.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW2-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2-GigabitEthernet1/0/1]ip add 10.1.2.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/0
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW2]ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
2.配置点到点IPSec ***
(1)配置安全策略:ipsec1允许AB间互访,ipsec2允许IKE协商后的报文及加密后的报文通过
[FW1]security-policy
[FW1-policy-security]rule name ipsec1
[FW1-policy-security-rule-ipsec1]source-zone trust
[FW1-policy-security-rule-ipsec1]source-zone untrust
[FW1-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]destination-zone trust
[FW1-policy-security-rule-ipsec1]destination-zone untrust
[FW1-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW1-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW1-policy-security-rule-ipsec1]action permit
[FW1-policy-security]rule name ipsec2
[FW1-policy-security-rule-ipsec2]source-zone local untrust
[FW1-policy-security-rule-ipsec2]destination-zone local untrust
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW1-policy-security-rule-ipsec2]destination-address 20.1.1.2 32
[FW1-policy-security-rule-ipsec2]action permit
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159797736795.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW2]security-policy
[FW2-policy-security]rule name ipsec1
[FW2-policy-security-rule-ipsec1]source-zone trust untrust
[FW2-policy-security-rule-ipsec1]destination-zone trust untrust
[FW2-policy-security-rule-ipsec1]source-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]source-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.1.0 24
[FW2-policy-security-rule-ipsec1]destination-address 10.1.2.0 24
[FW2-policy-security-rule-ipsec1]action permit
[FW2-policy-security]rule name ipsec2
[FW2-policy-security-rule-ipsec2]source-zone local untrust
[FW2-policy-security-rule-ipsec2]destination-zone local untrust
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]source-address 20.1.1.2 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]destination-address 20.1.1.1 32
[FW2-policy-security-rule-ipsec2]action permit
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159823796907.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
(2)配置IPSec策略
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 //抓流量
[FW1]ipsec proposal propab //配置安全提议
[FW1-ipsec-proposal-propab]encapsulation-mode auto //采用自动封装模式
[FW1]ike proposal 1 //配置IKE安全提议
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96 //IKE安全提议类型为AES
[FW1]ike peer ikeab //配置IKE对等体
[FW1-ike-peer-ikeab]exchange-mode auto //对等体间信息交换的采用自动模式
[FW1-ike-peer-ikeab]pre-shared-key ABCabc@123
[FW1-ike-peer-ikeab]ike-proposal 1
[FW1-ike-peer-ikeab]remote-id-type ip
[FW1-ike-peer-ikeab]remote-id 20.1.1.2
[FW1-ike-peer-ikeab]remote-address 20.1.1.2
[FW1-ike-peer-ikeab]local-id 20.1.1.1
[FW1]ipsec policy ipsecab 1 isakmp //配置防火墙ipsec安全策略
[FW1-ipsec-policy-isakmp-ipsecab-1]security acl 3000
[FW1-ipsec-policy-isakmp-ipsecab-1]ike-peer ikeab
[FW1-ipsec-policy-isakmp-ipsecab-1]proposal propab
[FW1-ipsec-policy-isakmp-ipsecab-1]tunnel local applied-interface
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2]ipsec proposal propba
[FW2-ipsec-proposal-propba]encapsulation-mode auto
[FW2]ike proposal 1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2]ike peer ikeba
[FW2-ike-peer-ikeba]exchange-mode auto
[FW2-ike-peer-ikeba]pre-shared-key ABCabc@123
[FW2-ike-peer-ikeba]ike-proposal 1
[FW2-ike-peer-ikeba]remote-id-type ip
[FW2-ike-peer-ikeba]remote-id 20.1.1.1
[FW2-ike-peer-ikeba]remote-address 20.1.1.1
[FW2-ike-peer-ikeba]local-id 20.1.1.2
[FW2]ipsec policy ipsecba 1 isakmp
[FW2-ipsec-policy-isakmp-ipsecba-1]security acl 3000
[FW2-ipsec-policy-isakmp-ipsecba-1]ike-peer ikeba
[FW2-ipsec-policy-isakmp-ipsecba-1]proposal propba
[FW2-ipsec-policy-isakmp-ipsecba-1]tunnel local applied-interface
(3)应用IPSec策略
[FW1-GigabitEthernet1/0/0]ipsec policy ipsecab
[FW2-GigabitEthernet1/0/0]ipsec policy ipsecba
3.验证
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159847355377.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
PC1 ping PC2时在FW1出口抓包
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210620/1624159858686798.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)