IPSec (IP Security) protocol: IPSec is not a single protocol; it defines a complete architecture for securing data on IP networks, comprising AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange) and related protocols.
Security policies can be created in one of two ways: configured manually, or set up by automatic negotiation.
Configuration steps:
1. Configure the ACL (access control list).
2. Create a security proposal using DES encryption and transport mode.
3. Create a security policy using IKE negotiation, and configure the IKE pre-shared key.
4. Configure IP addresses on the interfaces and apply the security policy group.
Case 1:
Configuration steps:
firewall-1:
Basic configuration:
ip address 192.168.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.10.1 preference 60
ACL configuration:
acl number 3000
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 20 deny ip source any destination any
Security proposal 1:
ipsec proposal ipsec1
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
Security proposal 2:
ipsec proposal ipsec2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
IKE name:
IKE settings:
Security policy:
ipsec policy policy1 10 isakmp
security acl 3000
proposal ipsec1
ipsec policy policy1 20 isakmp
security acl 3001
proposal ipsec2
Apply to interface:
interface ethernet0/2
ipsec policy policy1
firewall-2:
Basic settings:
interface ethernet0/0
ip address 1.1.20.100 255.255.255.0
ACL settings:
acl number 3000
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 deny ip source any destination any
Security proposal:
ipsec proposal ipsec
encapsulation-mode tunnel
transform esp
IKE name:
ike local-name fw2
IKE settings:
ike peer peer1
exchange-mode aggressive
pre-shared-key simple 123
remote-address 1.1.10.1
Security policy:
ipsec policy policy2 10 isakmp
security acl 3000
proposal ipsec
ike-peer peer1
Apply to interface:
interface ethernet0/0
ipsec policy policy2
firewall-3:
Basic settings:
interface ethernet0/1
ip address 1.1.30.100 255.255.255.0
ACL settings:
acl number 3000
rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 deny ip source any destination any
Security proposal:
ipsec proposal ipsec1
encapsulation-mode tunnel
IKE name:
ike local-name fw3
IKE settings:
ike peer peer2
exchange-mode aggressive
pre-shared-key simple 123
remote-address 1.1.10.1
Security policy:
ipsec policy policy3 10 isakmp
security acl 3000
proposal ipsec1
ike-peer peer2
Apply to interface:
interface ethernet0/1
ipsec policy policy3
Layer 3 switch:
interface ethernet0/0
ip address 1.1.20.1 255.255.255.0
interface ethernet0/1
ip address 1.1.30.1 255.255.255.0
interface ethernet0/2
ip address 1.1.10.1 255.255.255.0
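Hand-written configurations like the three above are easy to get subtly wrong: a policy that references an ike-peer, ACL or proposal that was never defined, a policy that is never applied to an interface, or an IKE peer that pairs aggressive mode with a short plaintext pre-shared key. The following audit script is an added example, not part of the original notes; it assumes the Comware-style keywords shown on this page, and its sample input is a constructed variant of the firewall-3 snippet with a dangling ike-peer reference.

```python
# Constructed sample modelled on this page's firewall-3 snippet; the dangling
# "ike-peer peer1" reference is kept on purpose so the audit has something to find.
FW3_CONFIG = """\
acl number 3000
rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ipsec proposal ipsec1
ike peer peer2
exchange-mode aggressive
pre-shared-key simple 123
ipsec policy policy3 10 isakmp
security acl 3000
proposal ipsec1
ike-peer peer1
interface ethernet0/1
ipsec policy policy3
"""
HEADS = {("acl", "number"): "acl", ("ipsec", "proposal"): "proposal", ("ike", "peer"): "peer"}
REFS = {"security": "acl", "proposal": "proposal", "ike-peer": "peer"}   # policy-view keywords

def audit_ipsec_config(text):
    """Findings for a Comware-style IPsec config: each isakmp policy must reference an
    existing ACL, proposal and ike peer and be applied; peers get weak-IKE checks."""
    defined = {"acl": set(), "proposal": set(), "peer": set()}
    policies, applied, findings, cur = {}, set(), [], None   # cur = (view kind, name)
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if tuple(w[:2]) in HEADS:                              # object definition opens a view
            cur = (HEADS[tuple(w[:2])], w[2]); defined[cur[0]].add(w[2])
        elif w[:2] == ["ipsec", "policy"] and len(w) >= 4:     # "ipsec policy NAME SEQ isakmp"
            cur = ("policy", f"{w[2]} {w[3]}"); policies[cur[1]] = {}
        elif w[:2] == ["ipsec", "policy"]:                     # "ipsec policy NAME" under an interface
            applied.add(w[2])
        elif w[0] == "interface":
            cur = None
        elif cur and cur[0] == "policy" and w[0] in REFS:
            policies[cur[1]][REFS[w[0]]] = w[-1]
        elif cur and cur[0] == "peer":
            if w == ["exchange-mode", "aggressive"]:
                findings.append(f"ike peer {cur[1]}: aggressive mode; prefer main mode with a PSK")
            if w[:2] == ["pre-shared-key", "simple"] and len(w[2]) < 16:
                findings.append(f"ike peer {cur[1]}: short plaintext pre-shared key")
    for name, refs in policies.items():
        for kind in ("acl", "proposal", "peer"):
            if refs.get(kind) not in defined[kind]:
                findings.append(f"policy {name}: {kind} {refs.get(kind)!r} is not defined")
        if name.split()[0] not in applied:
            findings.append(f"policy {name}: not applied to any interface")
    return findings
```

Running `audit_ipsec_config(FW3_CONFIG)` reports the undefined peer and both IKE weaknesses; feeding it each firewall's configuration in turn catches the cross-references that are hardest to spot by eye.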