华为IPSEC-×××-典型配置举例2-采用IKE 方式自动协商建立IPsec 安全隧道
一:企业组网需求:
1, 某公司(总部在北京)有两个子公司分别在上海和广州,要求通过×××实现公司之间相互通信!
2, 实验环境如下:要求192.168.1.0/24网段的员工分别与192.168.2.0/24,192.168.3.0/24的员工通信!(中间的为公网)
3, 本实验要求采用IKE 方式自动协商建立IPsec 安全隧道
二:企业组网简化实验拓扑图:
![]()
三:企业组网实现步骤:
(1),基础配置实现公网互通:
①:配置fw-1:
firewall zone trust
add interface Ethernet 0/2
quit
firewall zone untrust
add interface Ethernet 0/1
quit
interface Ethernet0/2
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60
②:配置fw-2:
firewall zone trust
add interface Ethernet 0/2
quit
firewall zone untrust
add interface Ethernet 0/1
quit
interface Ethernet0/2
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1
ip address 2.1.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 preference 60
③:配置fw-3:
firewall zone trust
add interface Ethernet 0/2
quit
firewall zone untrust
add interface Ethernet 0/1
quit
interface Ethernet0/2
ip address 192.168.3.1 255.255.255.0
quit
interface Ethernet0/1
ip address 3.1.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 3.1.1.2 preference 60
④:配置sw中间交换机:
vlan 3
vlan 7
vlan 10
quit
interface Vlan-interface3
ip address 2.1.1.2 255.255.255.0
quit
interface Vlan-interface7
ip address 3.1.1.2 255.255.255.0
quit
interface Vlan-interface10
ip address 1.1.1.2 255.255.255.0
#
interface Ethernet0/1
port access vlan 10
#
interface Ethernet0/3
port access vlan 3
#
interface Ethernet0/7
port access vlan 7
(2),配置fw-1:
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
quit
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
#定义安全提议zhu-1。
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
display ipsec proposal
quit
#定义安全提议zhu-2。
ipsec proposal zhu-2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
display ipsec proposal
quit
ike peer peer-1
local-address 1.1.1.1
remote-address 2.1.1.1
pre-shared-key simple 12345
quit
ike peer peer-2
local-address 1.1.1.1
remote-address 3.1.1.1
pre-shared-key simple 123456
quit
ipsec policy policy1 10 isakmp
sec acl 3000
proposal zhu-1
ike-peer peer-1
quit
#定义安全策略policy1的20号策略。
ipsec policy policy1 20 isakmp
sec acl 3001
proposal zhu-2
ike-peer peer-2
quit
#在接口e/1应用安全策略policy1。
interface Ethernet0/1
ipsec policy policy1
quit
#查看ipsec的安全联盟,安全策略,安全提议。
dis ipsec sa
dis ipsec policy
display ipsec proposal
(3),配置fw-2:
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule 20 deny ip source any dest any
quit
#定义安全提议zhu。
ipsec propo zhu
enca tunnel
trans esp
es auth md5
esp enc des
quit
#定义IKE的peer-1.
ike peer peer-1
local-address 2.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 12345
quit
#定义安全策略policy2策略。
ipsec policy policy2 10 isakmp
sec acl 3000
propo zhu
ike-peer peer-1
quit
#在接口e/1应用安全策略policy2。
inter Ethernet0/1
ipsec poli policy2
quit
#查看ipsec的安全联盟,安全策略,安全提议。
dis ipsec sa
dis ipsec policy
display ipsec proposal
(4),配置fw-3:
#定义ACL实现对数据流的过滤。
acl number 3000
rule 10 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule 20 deny ip source any dest any
quit
#定义安全提议zhu-3。
ipsec propo zhu-3
enca tunnel
trans esp
es auth md5
esp enc des
quit
#定义IKE的peer-2.
ike peer peer-2
local-address 3.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 123456
quit
#定义安全策略policy3策略。
ipsec policy policy3 20 isakmp
sec acl 3001
propo zhu-3
ike-peer peer-2
quit
#在接口e/1应用安全策略policy3。
inter Ethernet0/1
ipsec poli policy3
quit
#查看ipsec的安全联盟,安全策略,安全提议。
dis ipsec sa
dis ipsec policy
display ipsec proposal
(5),客户端测试通信情况:
![]()
192.168.2.100客户端ping测试192.168.1.100,应用以后ipsec以后可以通信。
![]()
192.168.1.100客户端ping测试192.168.3.100,应用以后ipsec以后可以通信。
![]()
192.168.3.100客户端ping测试192.168.1.100,应用以后ipsec以后可以通信。
![]()
附录信息如下:
查看fw-1,fw-2.fw-3的ipsec信息和当前配置:
请下载附件!!!!!
