防火墙之ipsec vpn实验
作者:互联网
防火墙之ipsec vpn命令行配置
项目介绍
分公司与总公司之间要建立安全的私网通信,且为了减少资金的投入,所以要建立点对点的ipsec vpn(专线太贵)通信。他是通过公网的流量,所以加密级别根据需要而设定。
项目拓扑
项目需求
1:分公司访问总公司的服务器采用私网ip访问,且经过ipsec加密通信
2:分公司访问运营商的服务器采用nat转换为公网对isp服务器进行访问
3:总公司实现的目标与分公司相同
配置命令
isp路由器配置:
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.0
qu
interface GigabitEthernet0/0/1
ip address 200.1.1.1 255.255.255.0
qu
interface GigabitEthernet0/0/2
ip address 150.1.1.254 255.255.255.0
qu
分公司防火墙(FW1)配置:
接口配置ip和接口划入区域的配置:
int g1/0/0
ip add 172.16.1.254 24
undo shudown
qu
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0
qu
firewall zone trust
add interface GigabitEthernet1/0/0
qu
firewall zone untrust
add interface GigabitEthernet1/0/1
qu
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
ipsec相关配置:
第一阶段:建立ike隧道
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
qu
ike peer 200.1.1.2
exchange-mode auto
pre-shared-key cisco
ike-proposal 1
remote-address 200.1.1.2
qu
第二阶段:对感兴趣流量加密
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.2.0 0.0.0.255
qu
ipsec proposal ipsec_canshu
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
qu
ipsec policy myset 1 isakmp
security acl 3000
ike-peer 200.1.1.2
proposal ipsec_canshu
qu
出接口调用:
interface GigabitEthernet1/0/1
ipsec policy myset
安全策略的配置:
security-policy
rule name ike //ike协商时允许local-->untrust的策略
source-zone local
destination-zone untrust
source-address 100.1.1.0 mask 255.255.255.0
destination-address 200.1.1.0 mask 255.255.255.0
action permit
qu
rule name vpn //允许vpn流量穿越防火墙的策略
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
source-address 172.16.2.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
destination-address 172.16.2.0 mask 255.255.255.0
action permit
qu
rule name vpn-in //允许ike协商流量从untrust-->local
source-zone untrust
destination-zone local
source-address 200.1.1.0 mask 255.255.255.0
destination-address 100.1.1.0 mask 255.255.255.0
action permit
qu
rule name shangwang //放行内网进行上网的流量
source-zone trust
destination-zone untrust
action permit
qu
qu
nat的配置
nat-policy
rule name vpn //对去往总公司的流量不做nat转换
source-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
destination-address 172.16.2.0 mask 255.255.255.0
action no-nat
qu
rule name shangwang //去往公网的流量进行nat转换,采用easy-ip方式
source-zone trust
destination-zone untrust
action source-nat easy-ip
qu
qu
此时分公司防火墙配置完毕。
总公司防火墙FW2配置:
接口配置ip和接口划入区域的配置:
interface GigabitEthernet1/0/0
undo shutdown
ip address 200.1.1.2 255.255.255.0
qu
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.2.254 255.255.255.0
qu
firewall zone trust
add interface GigabitEthernet1/0/1
qu
firewall zone untrust
add interface GigabitEthernet1/0/0
qu
ipsec相关配置:
第一阶段:建立ike隧道
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
qu
ike peer 100.1.1.1
exchange-mode auto
pre-shared-key cisco
ike-proposal 1
remote-address 100.1.1.1
qu
第二阶段:对感兴趣流量加密
acl number 3000
rule 5 permit ip source 172.16.2.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
qu
ipsec proposal ipsec_canshu
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
qu
ipsec policy ipsec_policy 1 isakmp
security acl 3000
ike-peer 100.1.1.1
proposal ipsec_canshu
qu
接口调用
int g1/0/0
ipsec policy ipsec_policy
安全策略的配置:
security-policy
rule name ike
source-zone local
destination-zone untrust
source-address 200.1.1.0 mask 255.255.255.0
destination-address 100.1.1.0 mask 255.255.255.0
action permit
qu
rule name vpn
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
source-address 172.16.2.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
destination-address 172.16.2.0 mask 255.255.255.0
action permit
qu
rule name vpn-in
source-zone untrust
destination-zone local
source-address 100.1.1.0 mask 255.255.255.0
destination-address 200.1.1.0 mask 255.255.255.0
action permit
qu
rule name sahngwang
source-zone trust
destination-zone untrust
action permit
qu
qu
nat配置
nat-policy
rule name vpn
source-zone trust
destination-zone untrust
source-address 172.16.2.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
action no-nat
qu
rule name shangwnag
source-zone trust
destination-zone untrust
action source-nat easy-ip
qu
实验结果
在client上测试公网的http服务和总公司的http服务:
在FW1出接口(g1/0/1)进行抓包检验:esp为加密的http访问总公司流量,普通的为访问公网的流量。
注意事项
值得注意的是穿越防火墙流量的安全策略配置,以及建立ike隧道流量的安全策略的放行。
标签:qu,zone,255.255,destination,防火墙,source,address,vpn,ipsec 来源: https://blog.csdn.net/qq_45817424/article/details/115404906