IPsec+***

原理介紹：IPSec是一種開放標準的框架結構，通過使用加密的安全服務以確保在 Internet 協議網絡層上進行保密而安全的通訊。它通過端對端的安全性來提供主動的保護以防止專用網絡與 Internet 的***。

實驗要求：某公司總部在北京，分別在上海和廣州設有分部，實現北京和廣州、北京與上海的內部網絡的互相訪問，並且保證通信的安全性。實現ipsec主模式下的***通道的建立

拓撲圖：

ISP的配置：

int eth1/0

ip add 1.1.1.1 24

int eth2/0

ip add1.1.2.1 24

int eth3/0

ip add1.1.3.1 24

firewall zone trust

add int eth1/0

add int eth2/0

add int eth3/0

FW1配置：

int eth0/4

ip add 1.1.1.2 24

int eth0/0

ip add192.168.1.1 24

firewall zone trust

add int eth0/0

quit

firewall zone untrust

add int eth0/4

quit

ip route-static 0.0.0.0 0 1.1.1.1

acl number 3000 match-order auto 控制列表

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran1安全提議

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer FW2安全策略

local-address 1.1.1.2

remote-address 1.1.2.2

pre-shared-key simple 135983

quit

ipsec policy policy1 10 isakmp

security acl 3000

proposal tran1

ike-peer FW2

quit

acl number 3001 match-order auto 控制列表

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran2安全提議

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer FW3安全策略

local-address 1.1.1.2

remote-address 1.1.3.2

pre-shared-key simple 135983

quit

ipsec policy policy1 20 isakmp

security acl 3001

proposal tran2

ike-peer FW3

quit

int eth0/4 應用到接口

ipsec policy policy1

quit

FW2配置

int eth0/4

ip add1.1.2.2 24

int eth0/0

ip add192.168.2.1 24

firewall zone trust

add int eth 0/0

quit

firewall zone untrust

add int eth 0/4

quit

ip route-static 0.0.0.0 0 1.1.2.1

acl number 3000 match-order auto 控制列表

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran1安全提議

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer FW1安全策略

local-address 1.1.2.2

remote-address 1.1.1.2

pre-shared-key simple 135983

quit

ipsec policy policy1 10 isakmp

security acl 3000

proposal tran1

ike-peer FW1

quit

int eth0/4 應用到接口

ipsec policy policy1

quit

FW3配置

int eth0/4

ip add1.1.3.2 24

int eth0/0

ip add192.168.3.1 24

firewall zone trust

add int eth 0/0

quit

firewall zone untrust

add int eth 0/4

quit

ip route-static 0.0.0.0 0 1.1.3.1

acl number 3001 match-order auto 控制列表

rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip source any destination any

quit

ipsec proposal tran2安全提議

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

quit

ike peer FW1安全策略

local-address 1.1.3.2

remote-address 1.1.1.2

pre-shared-key simple 135983

quit

ipsec policy policy1 20 isakmp

security acl 3001

proposal tran2

ike-peer FW1

quit

int eth0/4 應用到接口

ipsec policy policy1

quit

測試

打開兩臺PC,一臺接入北京總部，一臺接入廣州分部

PC1：192.168.1.2 255.255.255.0 192.168.1.1

PC2：192.168.2.2 255.255.255.0 192.168.2.1

PC3：192.168.3.2 255.255.255.0 192.168.3.1

PC1 ping PC2和PC3

PC2 ping PC1

PC3 ping PC1

實驗完成！

SQL優化-20231016

linux系統MBR丟失及恢復

我的友情鏈接

靜態路由

linux系統目錄結構

linux系統優化

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結