IPsec in the Enterprise Network (Part 2)

Lab: manually configured IPsec security policies

1. Lab equipment:

3 PCs, 3 H3C SecPath F100-C firewalls, 1 Huawei Quidway S3526 switch, and network cables as needed.

2. Lab topology:

 

 

3. Lab description:

1. Requirement: establish ××× between FW-1 and FW-2 and between FW-1 and FW-3 so that the internal networks can communicate (that is, PC1 can reach PC2 and PC1 can reach PC3).
4. Procedure and configuration:
FW-1
 
system-view
interface Ethernet0/1
ip address 1.1.1.1 24
interface Ethernet0/2
ip address 192.168.1.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
quit
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
 
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec proposal zhu-2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
display ipsec proposal
quit
 
ipsec policy policy1 10 manual
security acl 3000
proposal zhu-1
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp zzu
sa string-key inbound esp zzdx
quit
ipsec policy policy1 20 manual
security acl 3001
proposal zhu-2
tunnel local 1.1.1.1
tunnel remote 3.1.1.1
sa spi outbound esp 123456
sa spi inbound esp 654321
sa string-key outbound esp abcbef
sa string-key inbound esp qazwsx
quit
 
interface Ethernet0/1
ipsec policy policy1
quit
 
FW-2
system-view
interface Ethernet0/1
ip address 2.1.1.1 24
interface Ethernet0/2
ip address 192.168.2.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 2.1.1.2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy2 10 manual
security acl 3000
proposal zhu
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp zzu
sa spi outbound esp 54321
sa string-key outbound esp zzdx
quit
interface Ethernet0/1
ipsec policy policy2
quit
 
FW-3
 
system-view
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
interface Ethernet0/1
ip address 3.1.1.1 24
interface Ethernet0/2
ip address 192.168.3.1 24
quit
ip route-static 0.0.0.0 0 3.1.1.2
acl number 3001
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu-11
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy3 20 manual
security acl 3001
proposal zhu-11
tunnel local 3.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 123456
sa string-key inbound esp abcbef
sa spi outbound esp 654321
sa string-key outbound esp qazwsx
quit
interface Ethernet0/1
ipsec policy policy3
quit
 
 
SW
 
system-view
vlan 3
vlan 7
vlan 10
quit
interface Vlan-interface3
ip address 2.1.1.2 255.255.255.0
interface Vlan-interface7
ip address 3.1.1.2 255.255.255.0
interface Vlan-interface10
ip address 1.1.1.2 255.255.255.0
quit
interface Ethernet0/1
port access vlan 10
interface Ethernet0/3
port access vlan 3
interface Ethernet0/7
port access vlan 7
quit
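Manual SAs involve no IKE negotiation, so a mistyped SPI or string-key on one firewall simply makes the peer drop the ESP packets, with nothing to point at the cause. As an added example (not part of the original post), the Python below parses the `ipsec policy ... manual` stanzas in both the full and the abbreviated Comware spellings used above and reports each outbound SPI or key that does not equal the peer's inbound value; the sample configs and the wrong key in FW-2 are constructed.

```python
import re
# Constructed sample: the FW-1/FW-2 manual ESP fields from this page (FW-2 in the page's abbreviated
# spelling), with FW-2's inbound string-key altered on purpose so the check has something to report.
CONFIGS = {
    "FW-1": """ipsec policy policy1 10 manual
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp zzu
sa string-key inbound esp zzdx""",
    "FW-2": """ipsec policy policy2 10 manual
tun lo 2.1.1.1
tun remo 1.1.1.1
sa spi inbo esp 12345
sa string inbo esp zzu-typo
sa spi outbo esp 54321
sa str outbo esp zzdx""",
}
# Field regexes; the \S* runs let Comware's abbreviated spellings (tun lo, sa str outbo) match too.
FIELDS = {"local": r"tun\S* lo\S* (\S+)", "remote": r"tun\S* rem\S* (\S+)",
          "spi_in": r"sa spi in\S* esp (\d+)", "spi_out": r"sa spi out\S* esp (\d+)",
          "key_in": r"sa str\S* in\S* esp (\S+)", "key_out": r"sa str\S* out\S* esp (\S+)"}

def parse_manual_policies(config):
    """Return one dict per 'ipsec policy <name> <seq> manual' stanza, keyed by FIELDS names."""
    policies = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and repeated spaces
        if re.match(r"ipsec policy \S+ \d+ manual$", line):
            policies.append({})
        elif policies:
            for field, pat in FIELDS.items():
                if m := re.match(pat, line):
                    policies[-1][field] = m.group(1)
    return policies

def check_peers(configs):
    """Pair each SA with its mirror (local/remote swapped): outbound SPI/key must equal peer inbound."""
    sas = {(p["local"], p["remote"]): (fw, p) for fw, cfg in configs.items() for p in parse_manual_policies(cfg)}
    problems = []
    for (local, remote), (fw, p) in sas.items():
        if (remote, local) not in sas:
            problems.append(f"{fw}: no mirror policy for tunnel {local}->{remote}")
            continue
        peer_fw, q = sas[(remote, local)]
        for mine, theirs, what in (("spi_out", "spi_in", "SPI"), ("key_out", "key_in", "string-key")):
            if p[mine] != q[theirs]:
                problems.append(f"{fw}->{peer_fw}: outbound {what} does not match peer inbound {what}")
    return problems
```

Run `check_peers` over the real FW-1, FW-2 and FW-3 stanzas above and it returns an empty list, because every SPI and key is mirrored correctly.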
 
 
Test:
1. Between PC1 and PC2:

2. Between PC1 and PC3:

 
