IPsec VPN Site-to-Site Configuration.docx
- Uploaded: 2023-08-03
IPsec VPN site-to-site configuration
Lab requirements
USG-1 and USG-2 simulate enterprise edge devices. Configure NAT and an IPsec VPN on both devices so that the private networks behind them can communicate with each other through the VPN.
Lab configuration
The IP address configuration of R1 is omitted.
USG-1 configuration
[USG-1] firewall zone trust                          // configure the trust zone
[USG-1-zone-trust] add interface g0/0/0              // add the interface to the trust zone
[USG-1-zone-trust] quit
[USG-1] firewall zone untrust                        // configure the untrust zone
[USG-1-zone-untrust] add int g0/0/1                  // add the interface to the untrust zone
[USG-1-zone-untrust] quit
[USG-1] int g0/0/0
[USG-1-GigabitEthernet0/0/0] ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1] quit
[USG-1] ip route-static 0.0.0.0 0.0.0.0 11.0.0.1     // default route towards the public network
[USG-1] nat-policy interzone trust untrust outbound
// enter the NAT policy view for the trust-to-untrust outbound direction
[USG-1-nat-policy-interzone-trust-untrust-outbound] policy 1      // create policy 1
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
// the three commands above exempt packets from 192.168.10.0/24 to 192.168.20.0/24 from NAT, so the site-to-site traffic keeps its private addresses and can match the IPsec ACL
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-1-nat-policy-interzone-trust-untrust-outbound] policy 2      // create policy 2
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
// NAT the source IP address of the remaining outbound traffic
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] easy-ip g0/0/1
// reuse the address of interface G0/0/1 (Easy IP)
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG-1-nat-policy-interzone-trust-untrust-outbound] quit
---------------------------Phase 1-----------------------------------------------------
[USG-1] ike proposal 1                                   // configure an IKE proposal
[USG-1-ike-proposal-1] authentication-method pre-share   // IKE authentication method: pre-shared key
[USG-1-ike-proposal-1] authentication-algorithm sha1     // IKE authentication algorithm: SHA-1
[USG-1-ike-proposal-1] integrity-algorithm aes-xcbc-96   // IKE integrity algorithm
[USG-1-ike-proposal-1] dh group2                         // DH group for the IKE key exchange
[USG-1-ike-proposal-1] quit
[USG-1] ike peer USG-2                                   // create an IKE peer named USG-2
[USG-1-ike-peer-usg-2] pre-shared-key abc123             // configure the pre-shared key
[USG-1-ike-peer-usg-2] remote-address 12.0.0.2           // the peer's public IP address
[USG-1-ike-peer-usg-2] ike-proposal 1                    // reference the IKE proposal
[USG-1-ike-peer-usg-2] quit
----------------------------Phase 2-----------------------------------------------------
[USG-1] ipsec proposal test                                     // configure an IPsec proposal
[USG-1-ipsec-proposal-test] encapsulation-mode tunnel           // tunnel-mode encapsulation
[USG-1-ipsec-proposal-test] transform esp                       // IPsec security protocol: ESP
[USG-1-ipsec-proposal-test] esp encryption-algorithm aes        // ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test] esp authentication-algorithm sha1   // ESP authentication algorithm: SHA-1
[USG-1-ipsec-proposal-test] quit
[USG-1] acl 3000                                                // create an ACL that defines the interesting traffic
[USG-1-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000] quit
[USG-1] ipsec policy map 1 isakmp                               // create an IPsec policy named map (ISAKMP mode)
[USG-1-ipsec-policy-isakmp-map-1] ike-peer USG-2                // reference the IKE peer
[USG-1-ipsec-policy-isakmp-map-1] proposal test                 // reference the IPsec proposal
[USG-1-ipsec-policy-isakmp-map-1] security acl 3000             // bind the interesting-traffic ACL
[USG-1-ipsec-policy-isakmp-map-1] quit
[USG-1] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ipsec policy map                   // apply the IPsec policy on the WAN interface
Interzone policy configuration
[USG-1] policy interzone trust untrust outbound
// enter the security policy view for the trust-to-untrust outbound direction
[USG-1-policy-interzone-trust-untrust-outbound] policy 1          // create a policy
[USG-1-policy-interzone-trust-untrust-outbound-1] action permit
// allow all hosts in the trust zone to access the untrust zone
[USG-1-policy-interzone-trust-untrust-outbound-1] quit
[USG-1-policy-interzone-trust-untrust-outbound] quit
[USG-1] policy interzone trust untrust inbound
// enter the security policy view for the trust/untrust interzone, inbound direction
[USG-1-policy-interzone-trust-untrust-inbound] policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1] policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] action permit
// the commands above allow traffic from 192.168.20.0/24 to 192.168.10.0/24 (the decrypted traffic arriving from the remote site)
[USG-1-policy-interzone-trust-untrust-inbound-1] quit
[USG-1-policy-interzone-trust-untrust-inbound] quit
[USG-1] policy interzone local untrust inbound
// enter the security policy view for the local/untrust interzone, inbound direction
[USG-1-policy-interzone-local-untrust-inbound] policy 1
[USG-1-policy-interzone-local-untrust-inbound-1] policy source 12.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1] policy destination 11.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1] action permit
// allow packets from source 12.0.0.2 to destination 11.0.0.2 (the peer's IKE and ESP traffic addressed to the firewall itself)
USG-2 configuration
[USG-2] firewall zone trust
[USG-2-zone-trust] add int g0/0/0
[USG-2-zone-trust] quit
[USG-2] firewall zone untrust
[USG-2-zone-untrust] add int g0/0/1
[USG-2-zone-untrust] quit
[USG-2] int g0/0/0
[USG-2-GigabitEthernet0/0/0] ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
[USG-2] nat-policy interzone trust untrust outbound
[USG-2-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.10.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] action no-nat      // NAT exemption for the VPN subnets, mirroring USG-1
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-2-nat-policy-interzone-trust-untrust-outbound] policy 2
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet0/0/1
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG-2-nat-policy-interzone-trust-untrust-outbound] quit
[USG-2] ike proposal 1                                    // the IKE proposal must match USG-1's
[USG-2-ike-proposal-1] authentication-method pre-share
[USG-2-ike-proposal-1] authentication-algorithm sha1
[USG-2-ike-proposal-1] integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1] dh group2
[USG-2-ike-proposal-1] quit
[USG-2] ike peer USG-A                                    // IKE peer object for USG-1
[USG-2-ike-peer-usg-a] pre-shared-key abc123              // same pre-shared key as on USG-1
[USG-2-ike-peer-usg-a] ike-proposal 1
[USG-2-ike-peer-usg-a] remote-address 11.0.0.2            // USG-1's public IP address
[USG-2-ike-peer-usg-a] quit
[USG-2] ipsec proposal test
[USG-2-ipsec-proposal-test] encapsulation-mode tunnel
[USG-2-ipsec-proposal-test] transform esp
[USG-2-ipsec-proposal-test] esp encryption-algorithm aes
[USG-2-ipsec-proposal-test] esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test] quit
[USG-2] acl 3000
[USG-2-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255   // mirror image of USG-1's ACL
[USG-2-acl-adv-3000] quit
[USG-2] ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1] ike-peer USG-A
[USG-2-ipsec-policy-isakmp-map-1] proposal test
[USG-2-ipsec-policy-isakmp-map-1] security acl 3000
[USG-2-ipsec-policy-isakmp-map-1] quit
[USG-2] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ipsec policy map
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound] policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1] action permit
[USG-2-policy-interzone-trust-untrust-outbound-1] quit
[USG-2-policy-interzone-trust-untrust-outbound] quit
[USG-2] policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound] policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1] policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] action permit
[USG-2-policy-interzone-trust-untrust-inbound-1] quit
[USG-2-policy-interzone-trust-untrust-inbound] quit
[USG-2] policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound] policy 1
[USG-2-policy-interzone-local-untrust-inbound-1] policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1] policy destination 12.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1] action permit
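The two configurations above only work when they are exact mirror images: each side's remote-address must be the other side's WAN address, the pre-shared keys and proposals must match, the interesting-traffic ACLs must be reversed, and the no-nat exemption must cover the same subnets and sit before the source-nat policy. The script below is an added example (not part of the lab document and not Huawei code) that parses USG-1's commands in the same "[prompt] command" form the lab uses, derives USG-2's mirrored configuration from it, and reports every mismatch. Assumptions: the sample configuration is a constructed, space-restored copy of the lab's tunnel-relevant commands; the parser understands only those commands; NAT policies are taken to be matched in policy-number order, as in the lab; and the LEGACY table is this example's own categorisation of the proposal values.

```python
import re

PROMPT_RE = re.compile(r"^\[([^\]]+)\]\s*(.*?)\s*$")

# Constructed sample: USG-1's tunnel-relevant commands from the lab, one '[prompt] command' per line.
USG1_CFG = """
[USG-1-GigabitEthernet0/0/1] ip address 11.0.0.2 24
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
[USG-1-ike-proposal-1] authentication-algorithm sha1
[USG-1-ike-proposal-1] dh group2
[USG-1-ike-peer-usg-2] pre-shared-key abc123
[USG-1-ike-peer-usg-2] remote-address 12.0.0.2
[USG-1-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-ipsec-proposal-test] esp authentication-algorithm sha1
[USG-1-GigabitEthernet0/0/1] ipsec policy map
"""

def swap(text, a, b):  # exchange two literal strings in text
    return text.replace(a, "\0").replace(b, a).replace("\0", b)

# USG-2 is the mirror image: hostnames, WAN addresses and private subnets swap
# (the lab names the IKE peer object USG-A on that side).
USG2_CFG = swap(swap(swap(USG1_CFG, "USG-1", "USG-2"), "11.0.0.2", "12.0.0.2"),
                "192.168.10.0", "192.168.20.0").replace("usg-2", "usg-a")

LEGACY = {"dh": {"group1", "group2", "group5"}, "authentication-algorithm": {"md5", "sha1"},
          "esp authentication-algorithm": {"md5", "sha1"}, "esp encryption-algorithm": {"des", "3des"}}

def parse_usg(text):
    """Collect the parts of a USG IPsec config that must agree with the peer."""
    cfg = {"if_ip": {}, "ipsec_if": None, "nat": {}, "ike_prop": {}, "peer": {},
           "acl": None, "ipsec_prop": {}}
    for line in text.strip().splitlines():
        m = PROMPT_RE.match(line.strip())
        w = m.group(2).split() if m else []
        if not w or w[0] == "quit":
            continue
        ctx = m.group(1)
        if "GigabitEthernet" in ctx:                         # interface view
            ifname = ctx[ctx.index("GigabitEthernet"):]
            if w[:2] == ["ip", "address"]:
                cfg["if_ip"][ifname] = w[2]
            elif w[:2] == ["ipsec", "policy"]:               # policy bound here: the WAN side
                cfg["ipsec_if"] = ifname
        elif "nat-policy-interzone" in ctx and re.search(r"-\d+$", ctx):
            rule = cfg["nat"].setdefault(int(ctx.rsplit("-", 1)[1]), {})
            if w[0] == "policy" and len(w) == 4:             # policy source|destination NET WILDCARD
                rule[w[1]] = (w[2], w[3])
            elif w[0] == "action":
                rule["action"] = w[1]
        elif "-acl-adv-" in ctx and w[:3] == ["rule", "permit", "ip"]:
            cfg["acl"] = {"source": (w[4], w[5]), "destination": (w[7], w[8])}
        else:                                                # proposals and peer: 'dh group2' -> {'dh': 'group2'}
            for marker, key in (("-ike-proposal-", "ike_prop"), ("-ike-peer-", "peer"),
                                ("-ipsec-proposal-", "ipsec_prop")):
                if marker in ctx:
                    cfg[key][" ".join(w[:-1])] = w[-1]
    return cfg

def nat_exemption_problems(cfg, tag):
    """The no-nat rule for the VPN subnets must exist and precede any source-nat rule."""
    acl = cfg["acl"]
    exempt = [n for n, r in cfg["nat"].items() if r.get("action") == "no-nat" and acl
              and r.get("source") == acl["source"] and r.get("destination") == acl["destination"]]
    snat = [n for n, r in cfg["nat"].items() if r.get("action") == "source-nat"]
    if not exempt:
        return [f"{tag}: no no-nat policy covering the IPsec ACL subnets"]
    if snat and min(snat) < min(exempt):                     # policy number is the match order here
        return [f"{tag}: source-nat policy {min(snat)} precedes no-nat policy {min(exempt)}"]
    return []

def check_pair(a, b):
    """Every mismatch between the two tunnel ends; an empty list means they mirror correctly."""
    out = []
    for x, y, tag in ((a, b, "A"), (b, a, "B")):
        wan = y["if_ip"].get(y["ipsec_if"])
        if x["peer"].get("remote-address") != wan:
            out.append(f"{tag}: remote-address {x['peer'].get('remote-address')} is not the peer WAN {wan}")
        out += nat_exemption_problems(x, tag)
    if a["peer"].get("pre-shared-key") != b["peer"].get("pre-shared-key"):
        out.append("pre-shared keys differ")
    if a["ike_prop"] != b["ike_prop"] or a["ipsec_prop"] != b["ipsec_prop"]:
        out.append("IKE or IPsec proposals differ")
    if not (a["acl"] and b["acl"] and a["acl"]["source"] == b["acl"]["destination"]
            and a["acl"]["destination"] == b["acl"]["source"]):
        out.append("interesting-traffic ACLs are not mirror images")
    return out

def legacy_settings(cfg):
    """Proposal parameters that fall below current guidance (see LEGACY)."""
    items = list(cfg["ike_prop"].items()) + list(cfg["ipsec_prop"].items())
    return sorted(f"{k} {v}" for k, v in items if v in LEGACY.get(k, ()))

if __name__ == "__main__":
    print(check_pair(parse_usg(USG1_CFG), parse_usg(USG2_CFG)) or "configs mirror each other")
```

Run it as is and the lab pair passes; change the key on one side, delete the no-nat action, or renumber the NAT policies so source-nat comes first, and check_pair names the fault. legacy_settings lists the sha1 and DH group 2 choices the lab uses so they can be reviewed against current policy before the configuration leaves the lab.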