Overview: IPsec is an open-standard framework that uses cryptographic security services to provide confidential, authenticated communication at the Internet Protocol (network) layer. Because it is applied end to end between the two gateways (or hosts), it actively protects traffic against attack whether the threat sits on a private network or on the Internet. The strength of that protection depends entirely on the algorithms the peers negotiate and on how they authenticate each other, which is why the proposal and pre-shared-key settings below matter as much as the addressing.
Lab requirement: A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Make the internal networks of Beijing and Guangzhou, and of Beijing and Shanghai, reachable from each other while keeping the traffic secure, by building IPsec VPN tunnels negotiated with IKE (ISAKMP) in main mode. The branches do not need to reach each other, so the design is a hub (Beijing) with two spokes.
Topology (recovered from the configurations below): an ISP router in the middle with three links. eth1/0 (1.1.1.1/24) connects to FW1, the Beijing hub, whose LAN is 192.168.1.0/24; eth2/0 (1.1.2.1/24) connects to FW2 (LAN 192.168.2.0/24); eth3/0 (1.1.3.1/24) connects to FW3 (LAN 192.168.3.0/24). On every firewall eth0/4 faces the ISP (untrust zone) and eth0/0 faces the LAN (trust zone).
ISP configuration (a firewall used as a plain router here; all three links go in the trust zone so it forwards between them without an interzone policy):
int eth1/0
ip add 1.1.1.1 24
int eth2/0
ip add 1.1.2.1 24
int eth3/0
ip add 1.1.3.1 24
firewall zone trust
add int eth1/0
add int eth2/0
add int eth3/0
FW1 configuration (Beijing hub, LAN 192.168.1.0/24; it terminates one tunnel per branch):
int eth0/4
ip add 1.1.1.2 24
int eth0/0
ip add 192.168.1.1 24
firewall zone trust
add int eth0/0
quit
firewall zone untrust
add int eth0/4
quit
ip route-static 0.0.0.0 0 1.1.1.1
# ACL 3000 selects the traffic to protect on the tunnel to FW2 (Beijing LAN <-> 192.168.2.0/24)
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
quit
# IPsec proposal (the phase 2 transform set): ESP in tunnel mode. MD5 and DES are what this lab
# uses; both are cryptographically weak (56-bit DES is brute-forceable, MD5 is deprecated for HMAC),
# so outside the lab pick AES and a SHA-2 HMAC. The exact keyword spelling depends on the platform version.
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
# IKE peer for FW2. "pre-shared-key simple" stores the key in cleartext in the running configuration,
# the key itself is a six-digit number, and the same key is reused for FW3 below, so a compromised
# branch holds the credential the other branch uses to authenticate the hub. In production use
# "pre-shared-key cipher" and a distinct, long random key per peer (or certificates).
ike peer FW2
local-address 1.1.1.2
remote-address 1.1.2.2
pre-shared-key simple 135983
quit
# Policy entry 10 binds the ACL, the proposal and the IKE peer; "isakmp" means the SAs are negotiated
# by IKE rather than configured manually. Main mode is the default exchange mode for the ike peer.
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
ike-peer FW2
quit
# ACL 3001 selects the traffic to protect on the tunnel to FW3 (Beijing LAN <-> 192.168.3.0/24)
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
# Second proposal, identical algorithms (same weakness caveat as tran1)
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
# IKE peer for FW3 (same cleartext, shared key caveat as above)
ike peer FW3
local-address 1.1.1.2
remote-address 1.1.3.2
pre-shared-key simple 135983
quit
# Policy entry 20 in the same policy group, for the FW3 tunnel
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran2
ike-peer FW3
quit
# Apply the policy group to the outside interface; entries 10 and 20 are applied together
int eth0/4
ipsec policy policy1
quit
FW2 configuration (branch, LAN 192.168.2.0/24):
int eth0/4
ip add 1.1.2.2 24
int eth0/0
ip add 192.168.2.1 24
firewall zone trust
add int eth0/0
quit
firewall zone untrust
add int eth0/4
quit
ip route-static 0.0.0.0 0 1.1.2.1
# ACL 3000 is the mirror image of FW1's ACL 3000: source and destination are swapped.
# If the two sides' ACLs do not mirror each other exactly, the tunnel negotiates in one direction only.
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
# Proposal must match the one FW1 offers for this tunnel (same weak-algorithm caveat as on FW1)
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
# IKE peer pointing back at the hub; the pre-shared key must equal the one configured on FW1 for peer FW2
ike peer FW1
local-address 1.1.2.2
remote-address 1.1.1.2
pre-shared-key simple 135983
quit
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
ike-peer FW1
quit
# Apply the policy to the outside interface
int eth0/4
ipsec policy policy1
quit
FW3 configuration (branch, LAN 192.168.3.0/24):
int eth0/4
ip add 1.1.3.2 24
int eth0/0
ip add 192.168.3.1 24
firewall zone trust
add int eth0/0
quit
firewall zone untrust
add int eth0/4
quit
ip route-static 0.0.0.0 0 1.1.3.1
# ACL 3001 is the mirror image of FW1's ACL 3001 (source and destination swapped)
acl number 3001 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
# Proposal matching FW1's tran2 (same weak-algorithm caveat as on FW1)
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
# IKE peer pointing back at the hub; the key must equal the one FW1 configured for peer FW3
ike peer FW1
local-address 1.1.3.2
remote-address 1.1.1.2
pre-shared-key simple 135983
quit
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran2
ike-peer FW1
quit
# Apply the policy to the outside interface
int eth0/4
ipsec policy policy1
quit
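As an added example (not part of the lab write-up), here is a small Python lint that checks the three configurations above for the things a reviewer would flag before letting this design out of the lab: weak DES/MD5 proposals, pre-shared keys stored in cleartext, and security ACLs that are not exact mirror images across a peer pair. The sample input is a condensed, ';'-separated copy of the IPsec-relevant lines of FW1, FW2 and FW3 (constructed here); the parser only understands the command forms used on this page, and the hardened algorithm keywords mentioned in the usage note are assumptions that vary by platform version.

```python
"""Lint for the hub-and-spoke IPsec lab configs (added example, not the lab's own code).
Reports: weak phase-2 algorithms, cleartext pre-shared keys, and security ACLs that have
no mirror image (src/dst swapped) on the remote peer."""
import re

# Constructed sample input: the IPsec lines of FW1/FW2/FW3 from this lab, with ';' as a
# line separator. Interface, zone and route lines are omitted; the lint does not need them.
SAMPLE_CONFIGS = {
    "FW1": "acl number 3000 match-order auto; rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255; rule 20 deny ip source any destination any; quit;"
           "ipsec proposal tran1; encapsulation-mode tunnel; transform esp; esp authentication-algorithm md5; esp encryption-algorithm des; quit;"
           "ike peer FW2; local-address 1.1.1.2; remote-address 1.1.2.2; pre-shared-key simple 135983; quit;"
           "ipsec policy policy1 10 isakmp; security acl 3000; proposal tran1; ike-peer FW2; quit;"
           "acl number 3001 match-order auto; rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255; rule 20 deny ip source any destination any; quit;"
           "ipsec proposal tran2; encapsulation-mode tunnel; transform esp; esp authentication-algorithm md5; esp encryption-algorithm des; quit;"
           "ike peer FW3; local-address 1.1.1.2; remote-address 1.1.3.2; pre-shared-key simple 135983; quit;"
           "ipsec policy policy1 20 isakmp; security acl 3001; proposal tran2; ike-peer FW3; quit;",
    "FW2": "acl number 3000 match-order auto; rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255; rule 20 deny ip source any destination any; quit;"
           "ipsec proposal tran1; encapsulation-mode tunnel; transform esp; esp authentication-algorithm md5; esp encryption-algorithm des; quit;"
           "ike peer FW1; local-address 1.1.2.2; remote-address 1.1.1.2; pre-shared-key simple 135983; quit;"
           "ipsec policy policy1 10 isakmp; security acl 3000; proposal tran1; ike-peer FW1; quit;",
    "FW3": "acl number 3001 match-order auto; rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255; rule 20 deny ip source any destination any; quit;"
           "ipsec proposal tran2; encapsulation-mode tunnel; transform esp; esp authentication-algorithm md5; esp encryption-algorithm des; quit;"
           "ike peer FW1; local-address 1.1.3.2; remote-address 1.1.1.2; pre-shared-key simple 135983; quit;"
           "ipsec policy policy1 20 isakmp; security acl 3001; proposal tran2; ike-peer FW1; quit;",
}

# Algorithms treated as weak for the ESP proposal (DES/3DES encryption, MD5 HMAC).
WEAK = {"encryption": {"des", "3des"}, "authentication": {"md5"}}


def parse(text):
    """Parse one device's CLI text into acls, proposals, ike peers and policy entries."""
    dev = {"acls": {}, "proposals": {}, "peers": {}, "policies": []}
    ctx = None  # (view, name) of the configuration view we are currently inside
    for line in re.split(r"[;\n]", text):
        t = line.split()
        if not t:
            continue
        if t[0] == "quit":
            ctx = None
        elif t[:2] == ["acl", "number"]:
            ctx = ("acl", t[2])
            dev["acls"][t[2]] = []
        elif t[:2] == ["ipsec", "proposal"]:
            ctx = ("proposal", t[2])
            dev["proposals"][t[2]] = {}
        elif t[:2] == ["ike", "peer"]:
            ctx = ("peer", t[2])
            dev["peers"][t[2]] = {}
        elif t[:2] == ["ipsec", "policy"]:
            ctx = ("policy", t[2])
            dev["policies"].append({"name": t[2], "seq": t[3]})
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and t[0] == "rule" and t[2] == "permit":
            dev["acls"][ctx[1]].append((t[5], t[8]))  # rule N permit ip source A W destination B W
        elif ctx[0] == "proposal" and t[0] == "esp":
            dev["proposals"][ctx[1]][t[1].split("-")[0]] = t[2]  # "authentication"/"encryption"
        elif ctx[0] == "peer" and t[0] in ("local-address", "remote-address"):
            dev["peers"][ctx[1]][t[0]] = t[1]
        elif ctx[0] == "peer" and t[0] == "pre-shared-key":
            dev["peers"][ctx[1]]["key-mode"] = t[1]  # "simple" (cleartext) or "cipher"
        elif ctx[0] == "policy" and t[0] in ("security", "proposal", "ike-peer"):
            dev["policies"][-1][t[0]] = t[-1]
    return dev


def audit(configs):
    """Return sorted finding strings for a dict of {device_name: cli_text}."""
    devs = {name: parse(txt) for name, txt in configs.items()}
    # Which device owns each IKE local address, so a remote-address resolves to a device.
    owner = {p["local-address"]: d for d, dev in devs.items() for p in dev["peers"].values()}
    findings = []
    for d, dev in devs.items():
        for pol in dev["policies"]:
            prop = dev["proposals"][pol["proposal"]]
            for kind, algs in WEAK.items():
                if prop.get(kind) in algs:
                    findings.append(f"{d}: proposal {pol['proposal']} uses weak {kind} {prop[kind]}")
            peer = dev["peers"][pol["ike-peer"]]
            if peer.get("key-mode") == "simple":
                findings.append(f"{d}: ike peer {pol['ike-peer']} stores its pre-shared key in cleartext")
            remote = owner.get(peer["remote-address"])
            if remote is None:
                findings.append(f"{d}: no device owns IKE address {peer['remote-address']}")
                continue
            # The far end must protect exactly the reverse flows and point its IKE peer back at us.
            want = {(dst, src) for src, dst in dev["acls"][pol["security"]]}
            rdev = devs[remote]
            mirrored = any(set(rdev["acls"][rp["security"]]) == want
                           and rdev["peers"][rp["ike-peer"]]["remote-address"] == peer["local-address"]
                           for rp in rdev["policies"])
            if not mirrored:
                findings.append(f"{d}: ACL {pol['security']} has no mirror-image ACL on {remote}")
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        print(f)
```

Run against the lab as written it reports twelve findings (DES, MD5 and a cleartext key for each of the four policy entries) and no ACL mismatch, which is the expected result for a working but weak lab tunnel. Swapping in AES and a SHA-2 HMAC (for example `aes-256` and `sha2-256`, keyword spelling assumed) and `pre-shared-key cipher` clears all findings; changing one branch's ACL subnet makes the mirror check fire on both ends of that tunnel, which is exactly the symptom of the one-sided-negotiation misconfiguration.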
Testing:
Attach three PCs, one behind each firewall:
PC1: 192.168.1.2 255.255.255.0, gateway 192.168.1.1 (Beijing headquarters, behind FW1)
PC2: 192.168.2.2 255.255.255.0, gateway 192.168.2.1 (branch, behind FW2)
PC3: 192.168.3.2 255.255.255.0, gateway 192.168.3.1 (branch, behind FW3)
PC1 pings PC2 and PC3
PC2 pings PC1
PC3 pings PC1
The first request may time out while IKE negotiates the SAs; repeat the ping. On any firewall, display ike sa and display ipsec sa show the phase 1 and phase 2 SAs once the tunnel is up. PC2 and PC3 cannot reach each other, because no ACL or policy entry covers 192.168.2.0/24 <-> 192.168.3.0/24; that matches the requirement, since the branches only need to reach headquarters.
Lab complete!