Huawei firewall IPsec VPN
Source: Internet  Editor: 程序博客网  Published: 2024/06/03 06:09
Lab topology: (diagram)
Lab requirements:
1. PC1 must be able to communicate with PC2 through the VPN.
2. PC1 must be able to reach the Internet.
Lab configuration:
USG1:
[SRG]sy
[SRG]sysname usg1
[usg1]int g0/0/0
[usg1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[usg1-GigabitEthernet0/0/0]int g0/0/1
[usg1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[usg1]firewall zone trust
[usg1-zone-trust]add interface g0/0/0
[usg1]firewall zone untrust
[usg1-zone-untrust]add interface g0/0/1
[usg1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
Create a policy so that usg1 can talk to usg2 (before a VPN can be built, the two WAN interfaces must be able to reach each other):
[usg1]policy interzone local untrust inbound
[usg1-policy-interzone-local-untrust-inbound]policy 1
[usg1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0
[usg1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0
[usg1-policy-interzone-local-untrust-inbound-1]action permit
Define the interesting traffic (the traffic IPsec will protect):
[usg1]acl number 3000
[usg1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
Phase 1 (the IKE proposal, i.e. the five-tuple):
[usg1]ike proposal 10
[usg1-ike-proposal-10]dh group2  Diffie-Hellman group
[usg1-ike-proposal-10]authentication-method pre-share  pre-shared-key authentication
[usg1-ike-proposal-10]integrity-algorithm aes-xcbc-96  integrity algorithm (no encryption-algorithm is set here, so the default applies)
[usg1-ike-proposal-10]authentication-algorithm md5  authentication (hash) algorithm
[usg1-ike-proposal-10]sa duration 1200  IKE SA lifetime in seconds
Configure the pre-shared key:
[usg1]ike peer b
[usg1-ike-peer-b]pre-shared-key abc123  the pre-shared key
[usg1-ike-peer-b]ike-proposal 10  bind the IKE proposal (five-tuple)
[usg1-ike-peer-b]remote-address 12.0.0.2  the peer's public address
Phase 2 transform set (IPsec proposal):
[usg1]ipsec proposal test  transform set name
[usg1-ipsec-proposal-test]esp authentication-algorithm sha1  ESP authentication algorithm
[usg1-ipsec-proposal-test]esp encryption-algorithm aes  ESP encryption algorithm
IPsec policy:
[usg1]ipsec policy bmap 10 isakmp
[usg1-ipsec-policy-isakmp-bmap-10]security acl 3000  reference the interesting-traffic ACL
[usg1-ipsec-policy-isakmp-bmap-10]ike-peer b  reference the IKE peer (pre-shared key)
[usg1-ipsec-policy-isakmp-bmap-10]proposal test  reference the transform set
Apply it to the WAN interface:
[usg1]int g0/0/1  apply on the interface
[usg1-GigabitEthernet0/0/1]ipsec policy bmap
Allow the remote private network's traffic to reach the local private network:
[usg1]policy interzone trust untrust inbound
[usg1-policy-interzone-trust-untrust-inbound]policy 1
[usg1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255  the whole local /24
[usg1-policy-interzone-trust-untrust-inbound-1]action permit
Allow the local private network's traffic out:
[usg1]policy interzone trust untrust outbound
[usg1-policy-interzone-trust-untrust-outbound]policy 1
[usg1-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[usg1-policy-interzone-trust-untrust-outbound-1]action permit
R1:
[Huawei]sy
[Huawei]sysname r1
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip add 12.0.0.1 24
USG2:
[SRG]sy
[SRG]sysname usg2
[usg2]int g0/0/1
[usg2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[usg2-GigabitEthernet0/0/1]int g0/0/0
[usg2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[usg2]firewall zone trust
[usg2-zone-trust]add interface g0/0/0
[usg2]firewall zone untrust
[usg2-zone-untrust]add interface g0/0/1
[usg2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
Create a policy so that usg2 can talk to usg1:
[usg2]policy interzone local untrust inbound
[usg2-policy-interzone-local-untrust-inbound]policy 1
[usg2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
[usg2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0
[usg2-policy-interzone-local-untrust-inbound-1]action permit
[usg2]acl number 3000
[usg2-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[usg2]ike proposal 10
[usg2-ike-proposal-10]dh group2
[usg2-ike-proposal-10]authentication-method pre-share
[usg2-ike-proposal-10]integrity-algorithm aes-xcbc-96
[usg2-ike-proposal-10]authentication-algorithm md5
[usg2-ike-proposal-10]sa duration 1200
[usg2]ike peer b
[usg2-ike-peer-b]pre-shared-key abc123
[usg2-ike-peer-b]ike-proposal 10
[usg2-ike-peer-b]remote-address 11.0.0.2
[usg2]ipsec proposal test
[usg2-ipsec-proposal-test]esp authentication-algorithm sha1
[usg2-ipsec-proposal-test]esp encryption-algorithm aes
[usg2]ipsec policy bmap 10 isakmp
[usg2-ipsec-policy-isakmp-bmap-10]security acl 3000
[usg2-ipsec-policy-isakmp-bmap-10]ike-peer b
[usg2-ipsec-policy-isakmp-bmap-10]proposal test
[usg2]int g0/0/1
[usg2-GigabitEthernet0/0/1]ipsec policy bmap
[usg2]policy interzone trust untrust inbound
[usg2-policy-interzone-trust-untrust-inbound]policy 1
[usg2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
[usg2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
[usg2-policy-interzone-trust-untrust-inbound-1]action permit
[usg2]policy interzone trust untrust outbound
[usg2-policy-interzone-trust-untrust-outbound]policy 1
[usg2-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
[usg2-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255
[usg2-policy-interzone-trust-untrust-outbound-1]action permit
Test: the VPN can only come up once the WAN interfaces can reach each other:
VPN test:
Test whether PC1 can communicate with PC2; if it can, the VPN is established.
PC1 pings PC2
PC2 pings PC1
Configuration for PC1 Internet access:
NAT exemption and the NAT policy for Internet access (the no-nat rule must come before source-nat so VPN traffic is not translated):
[usg1]nat-policy interzone trust untrust outbound
[usg1-nat-policy-interzone-trust-untrust-outbound]policy 1
[usg1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[usg1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[usg1-nat-policy-interzone-trust-untrust-outbound-1]policy 2
[usg1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[usg1-nat-policy-interzone-trust-untrust-outbound-2]policy source 192.168.10.0 0.0.0.255
[usg1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1
Test:
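The two ends only negotiate if the five-tuple and pre-shared key match, the interesting-traffic ACLs mirror each other, and (on usg1) the no-nat exemption is matched before source-nat. As an added example that is not part of the original post, this small checker parses prompt-style transcripts like the ones above (the USG1/USG2 excerpts are constructed from this page's commands) and reports those three classes of mismatch:

```python
# Excerpts of this page's two USG transcripts, constructed here (not a device export).
USG1 = """\
[usg1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[usg1-ike-proposal-10]authentication-algorithm md5
[usg1-ike-peer-b]pre-shared-key abc123
[usg1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[usg1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[usg1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
"""
USG2 = """\
[usg2-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[usg2-ike-proposal-10]authentication-algorithm md5
[usg2-ike-peer-b]pre-shared-key abc123
"""

def parse_usg(transcript):
    """Pull the IKE, interesting-traffic and NAT facts out of prompt-style CLI lines."""
    cfg = {"ike": {}, "acl": [], "nat": {}}
    for line in transcript.splitlines():
        ctx, _, cmd = line.strip().lstrip("[").partition("]")  # "[ctx]command"
        words = cmd.split()
        if not words:
            continue
        if "-ike-proposal-" in ctx or words[0] == "pre-shared-key":
            cfg["ike"][words[0]] = " ".join(words[1:])  # phase-1 parameters plus the PSK
        elif "-acl-adv-" in ctx and words[0] == "rule":
            cfg["acl"].append(tuple(words[5:7] + words[8:10]))  # (src, wc, dst, wc)
        elif "-nat-policy-" in ctx:  # context ends in the policy number
            entry = cfg["nat"].setdefault(ctx.rsplit("-", 1)[1], {"action": None, "dst": None})
            if words[0] == "action":
                entry["action"] = words[1]
            elif words[:2] == ["policy", "destination"]:
                entry["dst"] = words[2]
    return cfg

def check_peers(a, b):
    """Return mismatches that stop negotiation or let NAT rewrite VPN traffic."""
    issues = []
    if a["ike"] != b["ike"]:
        issues.append("IKE proposal parameters or pre-shared key differ")
    if set(a["acl"]) != {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}:
        issues.append("interesting-traffic ACLs are not mirror images")
    for cfg in (a, b):
        vpn_dst, exempt = {d for _, _, d, _ in cfg["acl"]}, False
        for e in cfg["nat"].values():  # configured order is the match order
            exempt = exempt or (e["action"] == "no-nat" and e["dst"] in vpn_dst)
            if e["action"] == "source-nat" and not exempt:
                issues.append("source-nat precedes the no-nat exemption for VPN traffic")
    return issues
```

`check_peers(parse_usg(USG1), parse_usg(USG2))` returns an empty list for the configuration above; swapping the two NAT policies, changing one pre-shared key, or editing one ACL each produces the corresponding message. Comparing the agreed algorithms against a current allow-list is a one-line extension of the IKE comparison (md5, sha1 and DH group2 as used above are deprecated by today's guidance).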