
F1060 GRE over IPsec typical network configuration case

Posted: 2020-12-14 13:08:09


Network setup and description

Setup description:

[Network topology diagram: intranet 1 (192.168.1.0/24) behind FW1 and intranet 2 (172.16.1.0/24) behind FW2, connected across the ISP network]

This case uses the F1060 firewall in the H3C HCL simulator to model a typical GRE over IPsec deployment. The internal and external networks are clearly labelled in the topology diagram. FW1 and FW2 are the egress devices of their respective internal networks and provide NAT. So that intranet 1 and intranet 2 can communicate across the external network, a GRE VPN tunnel is built between FW1 and FW2, and to protect the data in transit, IPsec is embedded in the GRE VPN tunnel.

Configuration steps

1. Configure the IP addresses according to the network topology diagram.

2. Configure NAT on FW1, with a default route pointing to the ISP.

3. Configure NAT on FW2, with a default route pointing to the ISP.

4. Establish the GRE VPN tunnel between FW1 and FW2.

5. Nest IPsec on top of the GRE VPN tunnel.

Key configuration points

The key configuration points for F1060 GRE over IPsec are shown below; the complete configuration process and test results are in the attachment:

Key GRE over IPsec configuration points:

FW1:

Interesting traffic: ACL 3000 selects the intranet-to-intranet flows (192.168.1.0/24 to 172.16.1.0/24) that the IPsec policy will protect.

[FW1]acl advanced 3000
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1-acl-ipv4-adv-3000]quit

IKE (phase 1): proposal 1 is left at its defaults. The pre-shared key and the identity match are bound to the peer's tunnel address 123.0.0.2, so IKE peers with the far end of the GRE tunnel rather than with its public address.

[FW1]ike proposal 1
[FW1-ike-proposal-1]quit
[FW1]ike keychain james
[FW1-ike-keychain-james]pre-shared-key address 123.0.0.2 255.255.255.252 key simple james
[FW1-ike-keychain-james]quit
[FW1]ike profile james
[FW1-ike-profile-james]proposal 1
[FW1-ike-profile-james]keychain james
[FW1-ike-profile-james]local-identity address 123.0.0.1
[FW1-ike-profile-james]match remote identity address 123.0.0.2 255.255.255.252
[FW1-ike-profile-james]quit

IPsec (phase 2): ESP in tunnel mode. MD5 and DES-CBC are kept here exactly as the author configured them, but both are deprecated; a production deployment should use SHA-2 for authentication and AES for encryption.

[FW1]ipsec transform-set james
[FW1-ipsec-transform-set-james]protocol esp
[FW1-ipsec-transform-set-james]encapsulation-mode tunnel
[FW1-ipsec-transform-set-james]esp authentication-algorithm md5
[FW1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW1-ipsec-transform-set-james]quit

IPsec policy: ties the ACL, the transform-set and the IKE profile together; the remote address is again the peer's tunnel IP.

[FW1]ipsec policy james 1 isakmp
[FW1-ipsec-policy-isakmp-james-1]security acl 3000
[FW1-ipsec-policy-isakmp-james-1]transform-set james
[FW1-ipsec-policy-isakmp-james-1]ike-profile james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-ipsec-policy-isakmp-james-1]quit

GRE tunnel: Tunnel0 runs between the public addresses 202.1.100.2 and 202.2.100.2 and carries the 123.0.0.0/30 point-to-point subnet. Because the IPsec policy is applied to Tunnel0 and the IKE peer is the tunnel address, IKE and ESP are carried inside the GRE tunnel: the outer GRE header crosses the ISP in the clear while the ACL-matched payload is encrypted.

[FW1]int Tunnel 0 mode gre
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
[FW1-Tunnel0]ipsec apply policy james
[FW1-Tunnel0]quit

Routing and zones: the remote intranet is reached via the tunnel peer, and Tunnel0 is placed in the Untrust zone. The inter-zone security policy that permits the intranet traffic, and the NAT and default-route configuration from steps 2 and 3, are not among the key points listed here.

[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Tunnel 0
[FW1-security-zone-Untrust]quit

FW2:

Interesting traffic: the mirror image of FW1's ACL (172.16.1.0/24 to 192.168.1.0/24).

[FW2]acl advanced 3000
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2-acl-ipv4-adv-3000]quit

IKE (phase 1): the same pre-shared key, with the peer address, local identity and remote identity match swapped relative to FW1.

[FW2]ike proposal 1
[FW2-ike-proposal-1]quit
[FW2]ike keychain james
[FW2-ike-keychain-james]pre-shared-key address 123.0.0.1 255.255.255.252 key simple james
[FW2-ike-keychain-james]quit
[FW2]ike profile james
[FW2-ike-profile-james]keychain james
[FW2-ike-profile-james]proposal 1
[FW2-ike-profile-james]match remote identity address 123.0.0.1 255.255.255.252
[FW2-ike-profile-james]local-identity address 123.0.0.2
[FW2-ike-profile-james]quit

IPsec (phase 2): the transform-set is missing from the original FW2 listing, but the policy below references it by name and IKE phase 2 cannot complete without it, so it is mirrored here from FW1 (with the same deprecated-algorithm caveat).

[FW2]ipsec transform-set james
[FW2-ipsec-transform-set-james]protocol esp
[FW2-ipsec-transform-set-james]encapsulation-mode tunnel
[FW2-ipsec-transform-set-james]esp authentication-algorithm md5
[FW2-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW2-ipsec-transform-set-james]quit

IPsec policy: same structure as FW1, with FW1's tunnel address as the remote address.

[FW2]ipsec policy james 1 isakmp
[FW2-ipsec-policy-isakmp-james-1]security acl 3000
[FW2-ipsec-policy-isakmp-james-1]transform-set james
[FW2-ipsec-policy-isakmp-james-1]ike-profile james
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-ipsec-policy-isakmp-james-1]quit

GRE tunnel: source and destination are swapped relative to FW1 and the IPsec policy is applied to the tunnel interface.

[FW2]int Tunnel 0 mode gre
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2-Tunnel0]ipsec apply policy james
[FW2-Tunnel0]quit

Routing and zones: static route to intranet 1 via the tunnel peer; Tunnel0 joins the Untrust zone.

[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface Tunnel 0
[FW2-security-zone-Untrust]quit
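A GRE over IPsec pair only comes up when the two sides are exact mirror images: the ACLs must be swapped, the tunnel source/destination swapped, each side's remote-address must equal the peer's tunnel address, and each local-identity must match the peer's remote-identity match. The following script is an added example (not the author's configuration and not an H3C tool) that parses Comware-style CLI lines, with or without the "[FW1-...]" prompts, and cross-checks a peer pair for those mirror relations, for dangling references (a policy naming a transform-set or IKE profile that is never defined) and for deprecated algorithms. The sample lines are transcribed from this post; the FW2 sample deliberately lacks the transform-set, as the FW2 listing in the original post does, so the dangling-reference check has something to report. The command prefixes and token positions it recognises are assumptions about the Comware syntax shown above.

```python
"""Mirror-consistency checker for a GRE-over-IPsec firewall pair.

Added example for this post, not H3C's or the author's code.  Only the
handful of settings that must agree between two peers are parsed.
"""
import re

# Algorithms a practitioner should no longer accept in a new deployment.
WEAK_ALGOS = {"md5", "des-cbc", "3des-cbc"}
PROMPT = re.compile(r"^\[[^\]]*\]")          # strips a "[FW1-...]" CLI prompt
ACL_RULE = re.compile(r"^rule \d+ permit ip source (\S+) \S+ destination (\S+)")

# (command prefix, result key, index of the token to keep); assumed Comware syntax
SCALARS = [
    ("local-identity address ", "local_identity", 2),
    ("match remote identity address ", "match_remote", 4),
    ("transform-set ", "transform_set", 1),      # inside the ipsec policy
    ("ike-profile ", "ike_profile", 1),
    ("remote-address ", "remote_address", 1),
    ("ip address ", "tunnel_ip", 2),
    ("source ", "tunnel_source", 1),
    ("destination ", "tunnel_destination", 1),
]


def parse(lines):
    """Return a dict of the peer-relevant settings found in CLI lines."""
    cfg = {"acl_rules": [], "transform_sets": {}, "ike_profiles": set()}
    current_ts = None                          # transform-set context we are in
    for raw in lines:
        line = PROMPT.sub("", raw).strip()
        tok = line.split()
        if not tok:
            continue
        if (m := ACL_RULE.match(line)):
            cfg["acl_rules"].append((m.group(1), m.group(2)))
        elif line.startswith("ipsec transform-set "):
            current_ts = tok[2]
            cfg["transform_sets"][current_ts] = []
        elif line.startswith("esp ") and current_ts:
            cfg["transform_sets"][current_ts].append(tok[-1])   # algorithm name
        elif line == "quit":
            current_ts = None
        elif line.startswith("ike profile "):
            cfg["ike_profiles"].add(tok[2])
        else:
            for prefix, key, idx in SCALARS:
                if line.startswith(prefix):
                    cfg[key] = tok[idx]
                    break
    return cfg


def check_pair(a, b):
    """Return a list of findings for two parsed peers; empty means consistent."""
    out = []
    for name, c in (("A", a), ("B", b)):
        if c.get("transform_set") not in c["transform_sets"]:
            out.append(f"{name}: policy references undefined transform-set {c.get('transform_set')!r}")
        if c.get("ike_profile") not in c["ike_profiles"]:
            out.append(f"{name}: policy references undefined ike profile {c.get('ike_profile')!r}")
        for ts, algos in c["transform_sets"].items():
            if (weak := sorted(WEAK_ALGOS & set(algos))):
                out.append(f"{name}: transform-set {ts} uses deprecated algorithm(s) {weak}")
    if sorted(a["acl_rules"]) != sorted((d, s) for s, d in b["acl_rules"]):
        out.append("ACL rules are not mirror images of each other")
    if (a.get("tunnel_source"), a.get("tunnel_destination")) != (b.get("tunnel_destination"), b.get("tunnel_source")):
        out.append("GRE tunnel source/destination do not cross-match")
    if a.get("remote_address") != b.get("tunnel_ip") or b.get("remote_address") != a.get("tunnel_ip"):
        out.append("IPsec remote-address does not equal the peer's tunnel address")
    if a.get("local_identity") != b.get("match_remote") or b.get("local_identity") != a.get("match_remote"):
        out.append("IKE local-identity / match remote identity do not cross-match")
    return out


# Sample input transcribed from the post (only the lines the checker needs).
FW1 = """\
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1]ike profile james
[FW1-ike-profile-james]local-identity address 123.0.0.1
[FW1-ike-profile-james]match remote identity address 123.0.0.2 255.255.255.252
[FW1]ipsec transform-set james
[FW1-ipsec-transform-set-james]esp authentication-algorithm md5
[FW1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW1-ipsec-transform-set-james]quit
[FW1-ipsec-policy-isakmp-james-1]transform-set james
[FW1-ipsec-policy-isakmp-james-1]ike-profile james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
""".splitlines()

# FW2 as listed in the post: no transform-set is defined, yet the policy names one.
FW2 = """\
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2]ike profile james
[FW2-ike-profile-james]match remote identity address 123.0.0.1 255.255.255.252
[FW2-ike-profile-james]local-identity address 123.0.0.2
[FW2-ipsec-policy-isakmp-james-1]transform-set james
[FW2-ipsec-policy-isakmp-james-1]ike-profile james
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
""".splitlines()

# FW2 with the transform-set mirrored from FW1 (constructed, not from the post).
FW2_FIXED = [
    "[FW2]ipsec transform-set james",
    "[FW2-ipsec-transform-set-james]esp authentication-algorithm md5",
    "[FW2-ipsec-transform-set-james]esp encryption-algorithm des-cbc",
    "[FW2-ipsec-transform-set-james]quit",
] + FW2

if __name__ == "__main__":
    for finding in check_pair(parse(FW1), parse(FW2)):
        print(finding)
```

Run against the posted pair, the checker reports FW1's deprecated MD5/DES-CBC transform-set and FW2's reference to an undefined transform-set; with FW2_FIXED only the two deprecated-algorithm findings remain, which is the expected state for this lab configuration. The checker matches on literal command prefixes, so it is meant for reviewing copied CLI sessions of this shape rather than as a general Comware parser.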


Original article: https://blog.51cto.com/15047492/2561219
