2017-04-15 00:44:44

IPsec VPN point-to-multipoint configuration (Huawei)

[Figure: 图片1.png (topology image not included)]

Headquarters has a static IP address; the branch obtains its address by dial-up, so its IP is dynamic and not stable. Build an IPsec VPN between them.

Headquarters USG-1 configuration

[USG-1]firewall zone trust
[USG-1-zone-trust]add int g0/0/0
[USG-1-zone-trust]quit
[USG-1]firewall zone untrust
[USG-1-zone-untrust]add int g0/0/1
[USG-1-zone-untrust]quit
[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1]int g0/0/0
[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0]quit

------------------------Phase one----------------------------

[USG-1]ike proposal 1             // create an IKE proposal
[USG-1-ike-proposal-1]authentication-method pre-share    // IKE authentication method: pre-shared key
[USG-1-ike-proposal-1]authentication-algorithm sha1    // IKE authentication algorithm: SHA1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96    // IKE integrity algorithm
[USG-1-ike-proposal-1]dh group2    // DH group for IKE key negotiation
[USG-1-ike-proposal-1]quit
[USG-1]ike peer usg-n    // create an IKE peer named usg-n
[USG-1-ike-peer-usg-n]ike-proposal 1     // reference the IKE proposal
[USG-1-ike-peer-usg-n]pre-shared-key abc123      // set the pre-shared key
[USG-1-ike-peer-usg-n]quit

Note: because the peer's address is not fixed, no remote address is specified on the headquarters side.

------------------------Phase two-----------------------------

[USG-1]ipsec proposal test          // create an IPsec proposal
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel     // use tunnel-mode encapsulation
[USG-1-ipsec-proposal-test]transform esp    // IPsec security protocol: ESP
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1    // ESP authentication algorithm
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes    // ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test]quit
[USG-1]acl 3000           // create an ACL that defines the interesting traffic
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000]quit

-------------------------Configure the policy template-----------------------------

[USG-1]ipsec policy-template tem 1         // create a policy template
[USG-1-ipsec-policy-template-tem-1]ike-peer usg-n   // reference the IKE peer
[USG-1-ipsec-policy-template-tem-1]proposal test      // reference the IPsec proposal
[USG-1-ipsec-policy-template-tem-1]security acl 3000    // reference the interesting-traffic ACL
[USG-1-ipsec-policy-template-tem-1]quit
[USG-1]ipsec policy map 1 isakmp template tem    // create a policy named map and bind it to the template
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map    // apply the policy on the interface
[USG-1-GigabitEthernet0/0/1]quit

Interzone policy configuration

[USG-1]policy interzone trust untrust outbound
[USG-1-policy-interzone-trust-untrust-outbound]policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
[USG-1-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-policy-interzone-trust-untrust-outbound]quit
[USG-1]policy interzone trust untrust inbound
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
[USG-1-policy-interzone-trust-untrust-inbound-1]quit
[USG-1-policy-interzone-trust-untrust-inbound]quit
[USG-1]policy interzone local untrust inbound
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0          // permit any source to reach destination 11.0.0.2
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
[USG-1-policy-interzone-local-untrust-inbound-1]quit
[USG-1-policy-interzone-local-untrust-inbound]quit

Branch configuration

[USG-2]firewall zone trust
[USG-2-zone-trust]add int g0/0/0
[USG-2-zone-trust]quit
[USG-2]firewall zone untrust
[USG-2-zone-untrust]add int g0/0/1
[USG-2-zone-untrust]quit
[USG-2]int g0/0/0
[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1]quit
[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

----------------------------Phase one-----------------------------

[USG-2]ike proposal 1
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-proposal-1]quit
[USG-2]ike peer usg-1
[USG-2-ike-peer-usg-1]ike-proposal 1
[USG-2-ike-peer-usg-1]pre-shared-key abc123
[USG-2-ike-peer-usg-1]remote-address 11.0.0.2    // the branch points at the fixed headquarters address
[USG-2-ike-peer-usg-1]quit

----------------------------Phase two--------------------------------

[USG-2]ipsec proposal test
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-ipsec-proposal-test]quit
[USG-2]acl 3000
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000]quit

-----------------------------Configure the security policy-------------------------------

[USG-2]ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1]ike-peer usg-1
[USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
[USG-2-ipsec-policy-isakmp-map-1]quit
[USG-2]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ipsec policy map auto-neg
// Without auto-neg the tunnel is only established when the branch actively sends traffic, so headquarters cannot reach the branch until then. With auto-neg the tunnel is brought up automatically.
[USG-2-GigabitEthernet0/0/1]quit

[USG-2]policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1]action permit
[USG-2-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-policy-interzone-trust-untrust-outbound]quit
[USG-2]policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound]policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]action permit
[USG-2-policy-interzone-trust-untrust-inbound-1]quit
[USG-2-policy-interzone-trust-untrust-inbound]quit
[USG-2]policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound]policy 1
[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]action permit
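The hub-and-spoke design above only works when the two ends agree on every parameter that IKE and IPsec negotiate: the IKE proposal, the pre-shared key, the IPsec proposal, and the interesting-traffic ACLs, which must be exact mirror images. The headquarters side must also use a policy template with no remote-address, while each branch pins the fixed headquarters address. The following Python script is an added example (not part of the original post, and not a Huawei tool) that parses the prompt-prefixed CLI lines from both firewalls and reports every mismatch of that kind. The embedded configurations are constructed copies of the page's USG-1 and USG-2 commands; the parser handles only the views used on this page.

```python
import re
from collections import defaultdict

# Constructed sample inputs: the prompt-prefixed command lines from the page's
# headquarters (USG-1) and branch (USG-2) configurations, comments stripped.
HUB_CONFIG = """
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-ike-proposal-1]authentication-method pre-share
[USG-1-ike-proposal-1]authentication-algorithm sha1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-1-ike-proposal-1]dh group2
[USG-1-ike-peer-usg-n]ike-proposal 1
[USG-1-ike-peer-usg-n]pre-shared-key abc123
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel
[USG-1-ipsec-proposal-test]transform esp
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-ipsec-policy-template-tem-1]ike-peer usg-n
[USG-1-ipsec-policy-template-tem-1]proposal test
[USG-1-ipsec-policy-template-tem-1]security acl 3000
"""
SPOKE_CONFIG = """
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-peer-usg-1]ike-proposal 1
[USG-2-ike-peer-usg-1]pre-shared-key abc123
[USG-2-ike-peer-usg-1]remote-address 11.0.0.2
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-ipsec-policy-isakmp-map-1]ike-peer usg-1
[USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
"""
PROMPT_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\](?P<cmd>.*)$")
VIEW_RE = re.compile(r"^.+?-(?P<view>ike-proposal|ike-peer|ipsec-proposal|acl-adv|"
                     r"ipsec-policy-template|ipsec-policy-isakmp|GigabitEthernet)(?P<name>.*)$")
ACL_RE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
IP_RE = re.compile(r"ip add(?:ress)? (\S+) \d+")


def parse_usg(text):
    """Map {view: {name: {param: value}}} from prompt-prefixed USG CLI lines (views used on this page only)."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        v = VIEW_RE.match(m["prompt"]) if m else None
        if not v:
            continue  # global-view lines such as "[USG-1]int g0/0/1" carry nothing we compare
        entry = cfg[v["view"]].setdefault(v["name"].lstrip("-"), {})
        cmd = m["cmd"].split("//")[0].strip()  # drop trailing // comments
        if v["view"] == "acl-adv":
            a = ACL_RE.search(cmd)
            if a: entry.setdefault("rules", []).append(a.groups())  # (src, wildcard, dst, wildcard)
        elif v["view"] == "GigabitEthernet":
            a = IP_RE.search(cmd)
            if a: entry["ip"] = a[1]
        else:  # "esp encryption-algorithm aes" -> key "esp encryption-algorithm", value "aes"
            key, _, value = cmd.rpartition(" ")
            entry[key] = value
    return cfg


def check_pair(hub_text, spoke_text):
    """Return findings where the hub and one spoke disagree; an empty list means they are consistent."""
    hub, spoke = parse_usg(hub_text), parse_usg(spoke_text)
    out = []
    hub_peer = next(iter(hub["ike-peer"].values()), {})
    spoke_peer = next(iter(spoke["ike-peer"].values()), {})
    # A hub facing dynamic spokes must not pin a remote-address and must bind a policy template.
    if "remote-address" in hub_peer or not hub["ipsec-policy-template"]:
        out.append("hub must use a policy-template without remote-address for dynamic spokes")
    hub_wan = [e["ip"] for e in hub["GigabitEthernet"].values() if "ip" in e]
    if spoke_peer.get("remote-address") not in hub_wan:
        out.append("spoke remote-address %s is not a hub interface address" % spoke_peer.get("remote-address"))
    if hub_peer.get("pre-shared-key") != spoke_peer.get("pre-shared-key"):
        out.append("pre-shared keys differ")
    # IKE and IPsec proposals must agree attribute by attribute.
    for view in ("ike-proposal", "ipsec-proposal"):
        h, s = next(iter(hub[view].values()), {}), next(iter(spoke[view].values()), {})
        out += ["%s %s: hub=%s spoke=%s" % (view, k, h.get(k), s.get(k))
                for k in sorted(set(h) | set(s)) if h.get(k) != s.get(k)]
    # Interesting-traffic ACLs must be exact mirror images of each other.
    h_rules = {r for e in hub["acl-adv"].values() for r in e.get("rules", [])}
    s_rules = {(dst, dw, src, sw) for e in spoke["acl-adv"].values() for (src, sw, dst, dw) in e.get("rules", [])}
    out += ["ACL rule not mirrored: %s" % (r,) for r in h_rules ^ s_rules]
    # Every IPsec policy must reference an ike-peer, proposal and ACL that actually exist on that box.
    refs = (("ike-peer", "ike-peer"), ("proposal", "ipsec-proposal"), ("security acl", "acl-adv"))
    for dev, c in (("hub", hub), ("spoke", spoke)):
        for view in ("ipsec-policy-template", "ipsec-policy-isakmp"):
            for pname, pol in c[view].items():
                out += ["%s policy %s references missing %s %r" % (dev, pname, tgt, pol.get(key))
                        for key, tgt in refs if pol.get(key) not in c[tgt]]
    return out


if __name__ == "__main__":
    print(check_pair(HUB_CONFIG, SPOKE_CONFIG) or "hub and spoke configurations agree")
```

Run it against the page's two configurations and it reports no findings; change the branch's DH group, pre-shared key, or ACL and the corresponding mismatch is printed, which is the usual cause of a phase-one or phase-two negotiation failure in a setup like this. One further point worth reviewing in the page's policies: the headquarters rule `policy interzone local untrust inbound` permits any source to reach 11.0.0.2 for all protocols, because spoke addresses are not known in advance; the branch, whose peer is fixed, restricts the same rule by source.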

