IPsec VPN in the enterprise network

Lab environment: VMware Workstation 10

          three H3C FW100C firewalls

          one Huawei S3526 layer-3 switch

          topology as follows:

[topology diagram image] Recovered from the configurations below: fw-1 has inside address 192.168.4.1/24 (Ethernet0/0) and outside address 1.1.1.1/24 (Ethernet0/4); fw-2 has inside 192.168.2.1/24 and outside 2.2.2.1/24; fw-3 has inside 192.168.3.1/24 and outside 3.3.3.1/24. The three outside interfaces connect to switch ports in VLAN 10, 20 and 30, whose VLAN interfaces carry 1.1.1.2, 2.2.2.2 and 3.3.3.2; the switch routes between the three outside subnets and plays the Internet, and each firewall's default route points at its switch address. Two tunnels are built, both terminating on fw-1: fw-1 to fw-2 and fw-1 to fw-3.


     Overview: IPsec is a standard, a suite of protocols, and one way of implementing a VPN. IPsec stands for Internet Protocol Security; it provides end-to-end encryption and authentication services across public and private networks.

    Operating modes: IPsec has two, transport mode and tunnel mode. Transport mode protects only the payload of the IP packet and keeps the original IP header; tunnel mode protects the entire original IP packet and adds a new outer IP header. A gateway-to-gateway VPN such as this lab needs tunnel mode: the inner 192.168.x.0 addresses are hidden inside the protected part, and the outer packet travels between the firewalls' outside addresses.

AH (Authentication Header) protects the integrity and authenticity of each packet, so that a packet an attacker has tampered with in transit, or a forged packet injected into the network, is detected and discarded. For computational efficiency AH does not use digital signatures but a keyed hash (HMAC-MD5 or HMAC-SHA-1 in the CLI below). AH does not encrypt user data, so it gives no confidentiality; when only authentication is needed, AH is the natural choice. AH is IP protocol 51, and because its integrity check also covers the outer IP header it does not survive NAT.


ESP (Encapsulating Security Payload) is the other IPsec protocol. It provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality. ESP is itself an IP protocol, number 50. The SPI and sequence number at the front of the ESP header stay in clear text, everything after them is encrypted, and the whole of SPI, sequence number and ciphertext is then covered by the integrity check value (ICV). One caveat for this lab: with manually keyed SAs the anti-replay service cannot be relied on, because the sequence counter can only be reset by re-keying, and re-keying by hand never happens in practice.


[image from the original post, not reproduced]
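The ESP packet structure described above, as an added example that is not part of the original write-up: a minimal ESP receiver in Python over a constructed IPv4+ESP packet, standard library only. It shows which fields a sniffer on the simulated Internet can read (outer addresses, protocol 50, SPI, sequence number), how the SPI selects the inbound SA, how a simplified replay check is ordered before the integrity check, and how the HMAC-MD5-96 ICV rejects a modified packet. The SA table mirrors fw-1's two inbound SAs from this lab, but the keys are placeholders, the encrypted payload is opaque sample bytes, and neither DES nor the platform's string-key derivation is reproduced; the peer-address check is a sanity check of my own, not something RFC 4303 requires.

```python
# Added example, not from the original lab write-up. Standard library only.
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number in the outer header (AH is 51)
ICV_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-1-96: the MAC is truncated to 96 bits


def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header without options; checksum left 0 (never put on a wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_esp(spi, seq, ciphertext, auth_key):
    """SPI || Seq || ciphertext || ICV, the ICV covering everything before it (RFC 4303)."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]


def wire_view(packet):
    """What a sniffer on the simulated Internet can read: outer src/dst, protocol,
    SPI and sequence number. The inner 192.168.x.x header sits inside the ciphertext."""
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return src, dst, packet[9], spi, seq


def receive(packet, sa_table):
    """Inbound ESP processing in the order a receiver performs it:
    SA lookup by SPI -> peer check -> replay check -> ICV check -> window update.
    The replay window is reduced to 'sequence number must increase' (RFC 4303
    requires a sliding window of at least 32); the peer check is my own sanity check."""
    src, _dst, proto, spi, seq = wire_view(packet)
    if proto != ESP_PROTO:
        return "not-esp"
    sa = sa_table.get(spi)
    if sa is None:
        return "no-sa"                  # unknown SPI: discard silently
    if src != sa["peer"]:
        return "wrong-peer"
    if seq <= sa["last_seq"]:
        return "replay"                 # cheap check, done before the HMAC
    ihl = (packet[0] & 0x0F) * 4
    body, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv"                # window is NOT advanced on failure
    sa["last_seq"] = seq
    return "ok"


def make_fw1_sa_table():
    """fw-1's two inbound ESP SAs from the lab, keyed by SPI (654321 from fw-2,
    65432 from fw-3). Keys are placeholders, not derived from the lab's string-keys."""
    return {
        654321: {"peer": "2.2.2.1", "auth_key": b"placeholder-key-fw2", "last_seq": 0},
        65432: {"peer": "3.3.3.1", "auth_key": b"placeholder-key-fw3", "last_seq": 0},
    }


if __name__ == "__main__":
    sas = make_fw1_sa_table()
    pkt = build_ipv4("2.2.2.1", "1.1.1.1", ESP_PROTO,
                     build_esp(654321, 1, b"\x11" * 16, sas[654321]["auth_key"]))
    print(wire_view(pkt), receive(pkt, sas))
```

The order of checks matters: the replay test and the SA lookup are cheap and come first, the HMAC is computed only for packets that have passed them, and a packet that fails the HMAC must not advance the replay window, otherwise a forger could lock out the real peer by sending junk with high sequence numbers.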




    Configuration. First make sure the topology is reachable end to end. The steps below show one of the three firewalls as the example (the article length is limited); the other two are configured the same way with their own addresses.


<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]sysname fw-3
[fw-3]firewall packet-filter default permit
[fw-3]int eth0/0
[fw-3-Ethernet0/0]ip add 192.168.3.1 24
[fw-3-Ethernet0/0]loopback
[fw-3-Ethernet0/0]int eth0/4
[fw-3-Ethernet0/4]ip add 3.3.3.1 24
[fw-3-Ethernet0/4]q
[fw-3]firewall zone trust
[fw-3-zone-trust]add interface eth0/0
[fw-3-zone-trust]q
[fw-3]firewall zone untrust
[fw-3-zone-untrust]add interface eth0/4
[fw-3-zone-untrust]q
[fw-3]ip route-static 0.0.0.0 0 3.3.3.2

Three things in this block deserve a careful look. "loopback" on Ethernet0/0 keeps the inside interface up with nothing cabled to it, so 192.168.3.1 can stand in for the whole inside network and the firewall can answer pings that arrive through the tunnel. "firewall packet-filter default permit" makes the zone pairs pass everything until explicit rules are written; that is convenient in a lab and the opposite of what a production perimeter should do. Finally, the default route to the simulated Internet (3.3.3.2) is all the routing a site-to-site tunnel needs: the remote 192.168.x.0 subnets never appear in the routing table, the IPsec policy on the outside interface catches them by ACL.


Configuration of the separate layer-3 switch (it stands in for the Internet): one VLAN and one VLAN interface per firewall, each carrying the .2 address of that firewall's outside subnet, so the three firewalls reach each other through the switch and nothing else. One slip to notice: VLAN-interface 10 is given the mask 255.0.0.0 while fw-1's side is a /24; it works here only because 1.1.1.1 is covered either way, and should read 255.255.255.0.


<Quidway>system-view
Enter system view, return to user view with Ctrl+Z.
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway-vlan20]vlan 30
[Quidway-vlan30]port eth0/24
[Quidway-vlan30]q
[Quidway]int Vlan-interface 10
[Quidway-Vlan-interface10]ip add 1.1.1.2 255.0.0.0
[Quidway-Vlan-interface10]ping 1.1.1.1

 PING 1.1.1.1: 56  data bytes, press CTRL_C to break

   Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time = 12 ms

   Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time = 4 ms

   Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time = 4 ms

   Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time = 3 ms

   Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time = 4 ms


 --- 1.1.1.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 3/5/12 ms


[Quidway-Vlan-interface10]q
[Quidway]int Vlan-interface 20
[Quidway-Vlan-interface20]ip address 2.2.2.2 255.255.255.0
[Quidway-Vlan-interface20]ping 2.2.2.1

 PING 2.2.2.1: 56  data bytes, press CTRL_C to break

   Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time = 15 ms

   Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time = 5 ms

   Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time = 5 ms

   Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=255 time = 4 ms

   Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=255 time = 4 ms


 --- 2.2.2.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 4/6/15 ms


[Quidway-Vlan-interface20]q
[Quidway]int Vlan-interface 30
[Quidway-Vlan-interface30]ip address 3.3.3.2 255.255.255.0
[Quidway-Vlan-interface30]ping 3.3.3.1

 PING 3.3.3.1: 56  data bytes, press CTRL_C to break

   Reply from 3.3.3.1: bytes=56 Sequence=1 ttl=255 time = 13 ms

   Reply from 3.3.3.1: bytes=56 Sequence=2 ttl=255 time = 5 ms

   Reply from 3.3.3.1: bytes=56 Sequence=3 ttl=255 time = 5 ms

   Reply from 3.3.3.1: bytes=56 Sequence=4 ttl=255 time = 5 ms

   Reply from 3.3.3.1: bytes=56 Sequence=5 ttl=255 time = 9 ms


 --- 3.3.3.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 5/7/13 ms



Main steps.

         Step 1, select the flow: an advanced ACL whose permit rule names the source and destination subnets to be protected.

         Step 2, create the security proposal: 1) a name; 2) the encapsulation mode (tunnel, for gateway to gateway); 3) the security protocol, AH, ESP or both (the transform); 4) the authentication algorithm; 5) the encryption algorithm.

         Step 3, build a policy from the flow and the proposal: 1) the policy group name; 2) the sequence number of the entry within the group; 3) the entry type, manual or isakmp (IKE); 4) the ACL from step 1; 5) the proposal from step 2; 6) the local tunnel endpoint; 7) the remote tunnel endpoint.

         Step 4, create the SAs (manual mode only): 1) the protocol, AH or ESP; 2) the direction, inbound or outbound; 3) the SPI, 256 to 4294967295; 4) the key, as a string or as a hex key. Each direction needs its own SPI and key, and the peer must hold the mirror image: our outbound SPI and key are its inbound SPI and key, and vice versa.

         Step 5, apply the policy group to the outside interface ("ipsec policy policy1" under interface Ethernet0/4); an interface carries one policy group, whose entries are tried in sequence-number order.
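The five steps above, as an added example that is not part of the original write-up: a Python script that parses configurations in the "display current-configuration" layout shown on this page and reports the cross-device mistakes that manual keying invites (a direction with an SPI but no key, an outbound SA that does not match the peer's inbound SA, ACLs that are not mirror images), together with a renderer that emits both ends of a link from one description so the SPI/key pairs can only come out mirrored. The command syntax is taken from the transcripts on this page; the renderer assumes /24 subnets, ACL 3000 and sequence number 10, and the FW1/FW2 texts are constructed from the page's final dumps.

```python
# Added example, not from the original lab write-up. Python 3.8+, standard library only.
import re
from dataclasses import dataclass, field

@dataclass
class Entry:                      # one 'ipsec policy <name> <seq> manual' block
    name: str
    seq: int
    acl: int = 0
    local: str = ""
    remote: str = ""
    spi: dict = field(default_factory=dict)   # "inbound"/"outbound" -> SPI
    key: dict = field(default_factory=dict)   # "inbound"/"outbound" -> string-key

@dataclass
class Device:
    sysname: str = ""
    entries: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)  # acl number -> [(action, src, dst)]

def parse_config(text):
    """Walk lines in 'display current-configuration' layout; '#' closes a block."""
    dev, entry, acl = Device(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            entry = acl = None
        elif line.startswith("sysname "):
            dev.sysname = line.split()[1]
        elif m := re.match(r"ipsec policy (\S+) (\d+) manual$", line):
            entry, acl = Entry(m[1], int(m[2])), None
            dev.entries.append(entry)
        elif m := re.match(r"acl number (\d+)", line):
            acl, entry = int(m[1]), None
            dev.acls[acl] = []
        elif acl is not None and (m := re.match(
                r"rule \d+ (permit|deny) ip(?: source (\S+) \S+ destination (\S+) \S+)?$", line)):
            dev.acls[acl].append((m[1], m[2], m[3]))
        elif entry is not None:
            if m := re.match(r"security acl (\d+)", line):
                entry.acl = int(m[1])
            elif m := re.match(r"tunnel (local|remote) (\S+)", line):
                setattr(entry, m[1], m[2])
            elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)", line):
                entry.spi[m[1]] = int(m[2])
            elif m := re.match(r"sa string-key (inbound|outbound) esp (\S+)", line):
                entry.key[m[1]] = m[2]    # a repeated line overwrites, as the CLI does
    return dev

def check_pair(a, b):
    """Problems in a's entries that point at b; [] means the two ends agree."""
    problems = []
    for ea in a.entries:
        peers = [eb for eb in b.entries if eb.local == ea.remote]
        if not peers:
            continue                  # entry for some other peer (e.g. fw-3)
        eb = peers[0]
        if eb.remote != ea.local:
            problems.append(f"{b.sysname} {eb.name}-{eb.seq}: tunnel remote {eb.remote} != {ea.local}")
        for dev, e in ((a, ea), (b, eb)):
            for d in ("inbound", "outbound"):
                if d not in e.spi or d not in e.key:
                    problems.append(f"{dev.sysname} {e.name}-{e.seq}: {d} SA needs both SPI and key")
        for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
            if (ea.spi.get(mine), ea.key.get(mine)) != (eb.spi.get(theirs), eb.key.get(theirs)):
                problems.append(f"{a.sysname} {mine} SA does not mirror {b.sysname} {theirs} SA")
        flows_a = sorted((s, d) for act, s, d in a.acls.get(ea.acl, []) if act == "permit")
        flows_b = sorted((d, s) for act, s, d in b.acls.get(eb.acl, []) if act == "permit")
        if flows_a != flows_b:
            problems.append(f"ACL {ea.acl} on {a.sysname} is not the mirror of ACL {eb.acl} on {b.sysname}")
    return problems

def render_end(name, lan, peer_lan, wan, peer_wan, spi_in, key_in, spi_out, key_out):
    """One end's IPsec section in this page's dump layout (assumes /24 subnets, acl 3000, seq 10)."""
    return f"""sysname {name}
#
acl number 3000 match-order auto
 rule 10 permit ip source {lan} 0.0.0.255 destination {peer_lan} 0.0.0.255
 rule 20 deny ip
#
ipsec policy policy1 10 manual
 security acl 3000
 tunnel local {wan}
 tunnel remote {peer_wan}
 sa spi inbound esp {spi_in}
 sa string-key inbound esp {key_in}
 sa spi outbound esp {spi_out}
 sa string-key outbound esp {key_out}
#
"""

def render_pair(a, b, spi_ab, key_ab, spi_ba, key_ba):
    """a, b = (sysname, lan, wan). The a->b SA is a's outbound and b's inbound, and vice versa."""
    return (render_end(a[0], a[1], b[1], a[2], b[2], spi_ba, key_ba, spi_ab, key_ab),
            render_end(b[0], b[1], a[1], b[2], a[2], spi_ab, key_ab, spi_ba, key_ba))

# The fw-1 / fw-2 link from the lab (values copied from the page's final dumps).
FW1, FW2 = render_pair(("fw-1", "192.168.4.0", "1.1.1.1"), ("fw-2", "192.168.2.0", "2.2.2.1"),
                       12345, "abcdefg", 654321, "qaws")
```

check_pair(parse_config(FW1), parse_config(FW2)) returns an empty list for the lab's final configuration. Feed it the text of a real "display current-configuration" from each end and it reproduces the situation fw-2 ran into further down the page, where "sa string-key inbound" was typed twice and the outbound SA was left without a key, as a one-line finding instead of a vague "Some parameters ... are invalid" from the device.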


Below, the full procedure is shown on two concrete VPN links, fw-1 to fw-2 first and then fw-1 to fw-3:




<fw-1>ping 3.3.3.2

 PING 3.3.3.2: 56  data bytes, press CTRL_C to break

   Reply from 3.3.3.2: bytes=56 Sequence=1 ttl=255 time=7 ms

   Reply from 3.3.3.2: bytes=56 Sequence=2 ttl=255 time=5 ms

   Reply from 3.3.3.2: bytes=56 Sequence=3 ttl=255 time=5 ms

   Reply from 3.3.3.2: bytes=56 Sequence=4 ttl=255 time=5 ms

   Reply from 3.3.3.2: bytes=56 Sequence=5 ttl=255 time=5 ms


 --- 3.3.3.2 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 5/5/7 ms


<fw-1>ping 2.2.2.2

 PING 2.2.2.2: 56  data bytes, press CTRL_C to break

   Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=12 ms

   Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=5 ms

   Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=5 ms

   Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=5 ms

   Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=5 ms


 --- 2.2.2.2 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 5/6/12 ms



<fw-1>system-view
System View: return to User View with Ctrl+Z.
[fw-1]acl number ?
 INTEGER<1000-1999>  Specify an interface-based acl
 INTEGER<2000-2999>  Specify a basic acl
 INTEGER<3000-3999>  Specify an advanced acl
 INTEGER<4000-4999>  Specify an ethernet frame header acl

[fw-1]acl number 3000 match-order auto
[fw-1-acl-adv-3000]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
%Jan  1 16:55:10:086 2014 fw-1 SEC/4/STREAM:streamAlarmType(1032)=(70)abnormal ICMP packet ratio;srcZoneName(1034)=;srcIPAddr(1017)=;destZoneName(1035)=;destIPAddr(1019)=;currSpeed(1025)=;currSessNum(1033)=;tcpRatio(1036)=;udpRatio(1037)=;icmpRatio(1038)=100%
%Jan  1 16:55:10:089 2014 fw-1 SEC/4/STREAM:streamAlarmType(1032)=(68)abnormal TCP packet ratio;srcZoneName(1034)=;srcIPAddr(1017)=;destZoneName(1035)=;destIPAddr(1019)=;currSpeed(1025)=;currSessNum(1033)=;tcpRatio(1036)=0%;udpRatio(1037)=;icmpRatio(1038)=
[fw-1-acl-adv-3000]rule 20 deny ip source any destination any
[fw-1-acl-adv-3000]quit

Step 1 selects the flow. An advanced ACL (3000-3999) is needed because the selector is a source/destination subnet pair. Only traffic that rule 10 permits will be protected by the policy; everything else, including what rule 20 denies, is simply forwarded unprotected rather than dropped, so the deny rule documents intent but blocks nothing. The two SEC/4/STREAM lines are the traffic-ratio alarms of "firewall statistic system enable", raised because ICMP is the only traffic on the box during the pings; they have nothing to do with the ACL.

[fw-1]ipsec proposal tran1
[fw-1-ipsec-proposal-tran1]encapsulation-mode ?
 transport  Only the payload of IP packet is protected(transport mode)
 tunnel     The entire IP packet is protected(tunnel mode)

[fw-1-ipsec-proposal-tran1]encapsulation-mode tunnel
[fw-1-ipsec-proposal-tran1]transform ?
 ah      AH protocol defined in RFC2402
 ah-esp  ESP protocol first, then AH protocol
 esp     ESP protocol defined in RFC2406

[fw-1-ipsec-proposal-tran1]transform esp
[fw-1-ipsec-proposal-tran1]esp ?
 authentication-algorithm  Specify the IPSec authentication algorithm
 encryption-algorithm      Specify the IPSec encryption algorithm

[fw-1-ipsec-proposal-tran1]esp authentication-algorithm ?
 md5   Use HMAC-MD5-96
 sha1  Use HMAC-SHA-1-96

[fw-1-ipsec-proposal-tran1]esp authentication-algorithm md5
[fw-1-ipsec-proposal-tran1]esp encryption-algorithm ?
 3des  Use triple DES
 aes   Use AES
 des   Use DES

[fw-1-ipsec-proposal-tran1]esp encryption-algorithm des
[fw-1-ipsec-proposal-tran1]quit

Step 2 is the proposal. The lab takes tunnel, esp, des and md5, which are this platform's defaults; that is why "display current-configuration" below shows a bare "ipsec proposal tran1" line with nothing under it, while "display ipsec proposal" spells the values out. Single DES has a 56-bit key and is brute-forceable; outside a lab pick aes (or at least 3des) and sha1 from the same menus, and set identical values on every peer, because manual SAs have no negotiation that would catch a mismatch.



[fw-1]dis cu

#

sysname fw-1

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.4.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.1.1 255.255.255.0

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#                                        

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable                        

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#


[fw-1-ipsec-proposal-tran1]dis ipsec pro


IPsec proposal name: tran1

   encapsulation mode: tunnel

   transform: esp-new

   ESP protocol: authentication md5-hmac-96, encryption des

[fw-1-ipsec-proposal-tran1]q

[fw-1]ipsec policy policy1 10
 This IPSec policy/sequence combination is new; please indicate the mode to finish creating it.
[fw-1]ipsec policy policy1 10 ?
 isakmp  Use IKE to establish the IPSec SA
 manual  Use Manual security associations
 <cr>

[fw-1]ipsec policy policy1 10 manual
[fw-1-ipsec-policy-manual-policy1-10]security acl 3000
[fw-1-ipsec-policy-manual-policy1-10]proposal tran1
[fw-1-ipsec-policy-manual-policy1-10]tunnel ?
 local   Specify the IP address of IPSec tunnel local peer
 remote  Specify the IP address of IPSec tunnel remote peer

[fw-1-ipsec-policy-manual-policy1-10]tunnel local 1.1.1.1
[fw-1-ipsec-policy-manual-policy1-10]tunnel remote 2.2.2.2
[fw-1-ipsec-policy-manual-policy1-10]undo tunnel remote 2.2.2.2
[fw-1-ipsec-policy-manual-policy1-10]tunnel remote 2.2.2.1
[fw-1-ipsec-policy-manual-policy1-10]sa ?
 authentication-hex  Specify the authentication key of manual SA with
                     hexadecimal format
 encryption-hex      Specify the encryption key of manual SA with hexadecimal
                     format
 spi                 Specify the SPI parameter of manual SA
 string-key          Specify the key of manual SA with string format

[fw-1-ipsec-policy-manual-policy1-10]sa spi ?
 inbound   Specify parameters of inbound manual SA
 outbound  Specify parameters of outbound manual SA

[fw-1-ipsec-policy-manual-policy1-10]sa spi outbound ?
 ah   Specify the parameters of SA using AH protocol
 esp  Specify the parameters of SA using ESP protocol

[fw-1-ipsec-policy-manual-policy1-10]sa spi outbound esp ?
 INTEGER<256-4294967295>  The value of security parameter index(SPI)

[fw-1-ipsec-policy-manual-policy1-10]sa spi outbound esp 12345
[fw-1-ipsec-policy-manual-policy1-10]sa authentication-hex outbound esp ?
 HEX-string  Hexadecimal string for key(16 bytes for MD5 or 20 bytes for SHA)

[fw-1-ipsec-policy-manual-policy1-10]sa string-key outbound esp ?
 TEXT  This is an any length from 1 to 255 character string key

[fw-1-ipsec-policy-manual-policy1-10]sa string-key outbound esp abcdefg
[fw-1-ipsec-policy-manual-policy1-10]sa spi inbound esp 654321
[fw-1-ipsec-policy-manual-policy1-10]sa string-key inbound esp qaws
[fw-1-ipsec-policy-manual-policy1-10]quit

Step 3 binds flow and proposal into policy entry policy1 10 and names the tunnel endpoints. The first "tunnel remote 2.2.2.2" was a slip (2.2.2.2 is the simulated-Internet switch, not a firewall) and is undone; the remote must be the peer firewall's own outside address, 2.2.2.1. Step 4 creates the two manual SAs. Each direction has its own SPI and key, and the pair must be mirrored exactly on the peer: fw-1's outbound SPI 12345 / key abcdefg is fw-2's inbound SPI 12345 / key abcdefg, and fw-1's inbound 654321 / qaws is fw-2's outbound 654321 / qaws. A string-key this short is acceptable only in a lab; the authentication-hex and encryption-hex forms let you supply full-length random keys from a generator instead of a memorable word, and the isakmp mode offered above (IKE) removes hand-entered keys altogether.

[fw-1]dis ipsec policy


===========================================

IPsec Policy Group: "policy1"

Using interface: {}

===========================================


 -----------------------------

 IPsec policy name: "policy1"

 sequence number: 10

 mode: manual

 -----------------------------

   security data flow : 3000

   selector mode: standard

   tunnel local  address: 1.1.1.1

   tunnel remote address: 2.2.2.1

   proposal name:tran1

   inbound AH setting:

     AH spi:

     AH string-key:

     AH authentication hex key:

   inbound ESP setting:

     ESP spi: 654321 (0x9fbf1)

     ESP string-key: qaws

     ESP encryption hex key:

 ---- More ----


<fw-2>system-view
System View: return to User View with Ctrl+Z.
[fw-2]acl number 3000 match-order auto
[fw-2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[fw-2-acl-adv-3000]rule 20 deny ip source any destination any
[fw-2-acl-adv-3000]q
[fw-2]ipsec proposal tran1
[fw-2-ipsec-proposal-tran1]encapsulation-mode tunnel
[fw-2-ipsec-proposal-tran1]transform esp
[fw-2-ipsec-proposal-tran1]esp authentication-algorithm md5
[fw-2-ipsec-proposal-tran1]esp encryption-algorithm des
[fw-2-ipsec-proposal-tran1]q
[fw-2]ipsec policy policy1 10 manual
[fw-2-ipsec-policy-manual-policy1-10]security acl 3000
[fw-2-ipsec-policy-manual-policy1-10]proposal tran1
[fw-2-ipsec-policy-manual-policy1-10]tunnel local 2.2.2.1
[fw-2-ipsec-policy-manual-policy1-10]tunnel remote 1.1.1.1
[fw-2-ipsec-policy-manual-policy1-10]sa spi outbound 654321
                                                    ^
% Unrecognized command found at '^' position.
[fw-2-ipsec-policy-manual-policy1-10]sa spi outbound esp 654321
[fw-2-ipsec-policy-manual-policy1-10]sa string-key inbound esp qaws
[fw-2-ipsec-policy-manual-policy1-10]sa spi inbound esp 12345
[fw-2-ipsec-policy-manual-policy1-10]sa string-key inbound esp abcdefg
[fw-2-ipsec-policy-manual-policy1-10]q
[fw-2]int eth0/4
[fw-2-Ethernet0/4]ipsec policy policy1
 Some parameters of the IPsec policy policy1-10 are invalid, please check it.
[fw-2-Ethernet0/4]q

fw-2 is the mirror image of fw-1: the ACL has source and destination swapped, and the SPIs and keys are swapped between the directions. Applying the policy group to the interface produces a warning, and the reason is visible a few lines earlier: "sa string-key inbound" was typed twice (the second overwrote the first, leaving qaws nowhere and abcdefg inbound), so the outbound SA has an SPI but no key. The display output further down shows the group nonetheless bound to Ethernet0/4; the entry only starts working once the keys are re-entered with the right directions (the SPIs are repeated here for clarity, they were already right):

[fw-2]ipsec policy policy1 10
[fw-2-ipsec-policy-manual-policy1-10]sa spi outbound esp 654321
[fw-2-ipsec-policy-manual-policy1-10]sa string-key outbound esp qaws
[fw-2-ipsec-policy-manual-policy1-10]sa spi inbound esp 12345
[fw-2-ipsec-policy-manual-policy1-10]sa string-key inbound esp abcdefg
[fw-2-ipsec-policy-manual-policy1-10]q



[fw-2]dis ipsec policy


===========================================

IPsec Policy Group: "policy1"

Using interface: {Ethernet0/4}

===========================================


 -----------------------------

 IPsec policy name: "policy1"

 sequence number: 10

 mode: manual

 -----------------------------

   security data flow : 3000

   selector mode: standard

   tunnel local  address: 2.2.2.1

   tunnel remote address: 1.1.1.1

   proposal name:tran1

   inbound AH setting:

     AH spi:

     AH string-key:

     AH authentication hex key:

   inbound ESP setting:

     ESP spi: 12345 (0x3039)

     ESP string-key: abcdefg

     ESP encryption hex key:

     ESP authentication hex key:        

   outbound AH setting:

     AH spi:

     AH string-key:

     AH authentication hex key:

   outbound ESP setting:

     ESP spi: 654321 (0x9fbf1)

     ESP string-key: qaws

     ESP encryption hex key:

     ESP authentication hex key:

[fw-1]ping -a 192.168.4.1 192.168.2.1

 PING 192.168.2.1: 56  data bytes, press CTRL_C to break

   Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=27 ms

   Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=16 ms

   Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=16 ms

   Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=16 ms

   Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=16 ms


 --- 192.168.2.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 16/18/27 ms


[fw-1]


That completes the first link. Two points about the test. First, the -a option sources the ping from 192.168.4.1, so the packet matches rule 10 of ACL 3000 and goes through the tunnel; a plain "ping 192.168.2.1" would be sourced from 1.1.1.1, match nothing, leave in clear text, and die on the switch, which has no route to 192.168.2.0/24. Second, a reply proves reachability, not protection: confirm with "display ipsec sa" that both SAs exist and with "display ipsec statistics" that the encrypted and decrypted packet counters move, or capture on the switch and check that what crosses it is protocol 50 rather than ICMP.


[fw-1]acl number 3001 match-order auto
[fw-1-acl-adv-3001]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[fw-1-acl-adv-3001]rule 20 deny ip source any destination any
[fw-1-acl-adv-3001]q
[fw-1]ipsec proposal tran2
[fw-1-ipsec-proposal-tran2]encapsulation-mode tunnel
[fw-1-ipsec-proposal-tran2]transform esp
[fw-1-ipsec-proposal-tran2]esp authentication-algorithm md5
[fw-1-ipsec-proposal-tran2]esp encryption-algorithm ?
 3des  Use triple DES
 aes   Use AES
 des   Use DES

[fw-1-ipsec-proposal-tran2]esp encryption-algorithm des
[fw-1-ipsec-proposal-tran2]q
[fw-1]ipsec policy policy1 20
 This IPSec policy/sequence combination is new; please indicate the mode to finish creating it.
[fw-1]ipsec policy policy1 20 manual
[fw-1-ipsec-policy-manual-policy1-20]security acl 3001
[fw-1-ipsec-policy-manual-policy1-20]proposal tran2
[fw-1-ipsec-policy-manual-policy1-20]tunnel local 1.1.1.1
[fw-1-ipsec-policy-manual-policy1-20]tunnel remote 3.3.3.1
[fw-1-ipsec-policy-manual-policy1-20]sa spi outbound esp 123456
[fw-1-ipsec-policy-manual-policy1-20]sa string-key outbound esp abcdef
[fw-1-ipsec-policy-manual-policy1-20]sa spi inbound esp 65432
[fw-1-ipsec-policy-manual-policy1-20]sa string-key inbound esp qaw

The second tunnel is a second entry, sequence 20, in the same policy group policy1 that is already applied to Ethernet0/4, so nothing changes on the interface. It has its own ACL 3001 for the 192.168.4.0/24 to 192.168.3.0/24 flow, and its SPIs (123456 outbound, 65432 inbound) differ from those of entry 10, as they must: the SPI is what lets fw-1 tell its two inbound SAs apart. Proposal tran2 is identical to tran1; one proposal could have served both entries.

[fw-1-ipsec-policy-manual-policy1-20]dis cu

#

sysname fw-1

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

ipsec proposal tran2

#                                        

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 1.1.1.1

tunnel remote 2.2.2.1

sa spi inbound esp 654321

sa string-key inbound esp qaws

sa spi outbound esp 12345

sa string-key outbound esp abcdefg

#

ipsec policy policy1 20 manual

security acl 3001

proposal tran2

tunnel local 1.1.1.1

tunnel remote 3.3.3.1

sa spi inbound esp 65432

sa string-key inbound esp qaw

sa spi outbound esp 123456

sa string-key outbound esp abcdef

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip

acl number 3001 match-order auto          

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.4.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.1.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#                                        

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#                                        

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#


<fw-3>system-view
System View: return to User View with Ctrl+Z.
[fw-3]acl number 3001 match-order auto
[fw-3-acl-adv-3001]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[fw-3-acl-adv-3001]rule 20 deny ip source any destination any
[fw-3-acl-adv-3001]quit
[fw-3]ipsec proposal tran2
[fw-3-ipsec-proposal-tran2]encapsulation-mode ?
 transport  Only the payload of IP packet is protected(transport mode)
 tunnel     The entire IP packet is protected(tunnel mode)

[fw-3-ipsec-proposal-tran2]encapsulation-mode tunnel
[fw-3-ipsec-proposal-tran2]transform ?
 ah      AH protocol defined in RFC2402
 ah-esp  ESP protocol first, then AH protocol
 esp     ESP protocol defined in RFC2406

[fw-3-ipsec-proposal-tran2]transform esp
[fw-3-ipsec-proposal-tran2]esp authentication-algorithm md5
[fw-3-ipsec-proposal-tran2]esp encryption-algorithm des
[fw-3-ipsec-proposal-tran2]quit
[fw-3]ipsec policy policy1 20 manual
[fw-3-ipsec-policy-manual-policy1-20]security acl 3001
[fw-3-ipsec-policy-manual-policy1-20]proposal tran2
[fw-3-ipsec-policy-manual-policy1-20]tunnel local 3.3.3.1
[fw-3-ipsec-policy-manual-policy1-20]tunnel remote 1.1.1.1
[fw-3-ipsec-policy-manual-policy1-20]sa spi outbound esp 65432
[fw-3-ipsec-policy-manual-policy1-20]sa string-key outbound esp qaw
[fw-3-ipsec-policy-manual-policy1-20]sa spi inbound esp 123456
[fw-3-ipsec-policy-manual-policy1-20]sa string-key inbound esp abcdef
[fw-3-ipsec-policy-manual-policy1-20]q
[fw-3]int eth0/4
[fw-3-Ethernet0/4]ipsec policy policy1
[fw-3-Ethernet0/4]q

fw-3 mirrors fw-1's entry 20: outbound 65432 / qaw here is inbound 65432 / qaw on fw-1, and inbound 123456 / abcdef here is fw-1's outbound. The sequence number is local to each device; fw-3 uses 20 only to echo fw-1's numbering, nothing requires the two ends to match on it.

[fw-3]ping -a 192.168.3.1 192.168.4.1

 PING 192.168.4.1: 56  data bytes, press CTRL_C to break

   Reply from 192.168.4.1: bytes=56 Sequence=1 ttl=255 time=16 ms

   Reply from 192.168.4.1: bytes=56 Sequence=2 ttl=255 time=20 ms

   Reply from 192.168.4.1: bytes=56 Sequence=3 ttl=255 time=16 ms

   Reply from 192.168.4.1: bytes=56 Sequence=4 ttl=255 time=14 ms

   Reply from 192.168.4.1: bytes=56 Sequence=5 ttl=255 time=14 ms


 --- 192.168.4.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 14/16/20 ms


[fw-3]


<fw-1>ping -a 192.168.4.1 192.168.3.1

 PING 192.168.3.1: 56  data bytes, press CTRL_C to break

   Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=255 time=16 ms

   Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=255 time=17 ms

   Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=255 time=16 ms

   Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=255 time=16 ms

   Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=255 time=20 ms


 --- 192.168.3.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 16/17/20 ms


<fw-1>ping -a 192.168.4.1 192.168.2.1

 PING 192.168.2.1: 56  data bytes, press CTRL_C to break

   Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=23 ms

   Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=15 ms

   Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=15 ms

   Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=15 ms

   Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=15 ms


 --- 192.168.2.1 ping statistics ---

   5 packet(s) transmitted

   5 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 15/16/23 ms



That completes the second tunnel.

Final configuration of the three firewalls:


<fw-1>dis cu

#

sysname fw-1

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

ipsec proposal tran2

#                                        

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 1.1.1.1

tunnel remote 2.2.2.1

sa spi inbound esp 654321

sa string-key inbound esp qaws

sa spi outbound esp 12345

sa string-key outbound esp abcdefg

#

ipsec policy policy1 20 manual

security acl 3001

proposal tran2

tunnel local 1.1.1.1

tunnel remote 3.3.3.1

sa spi inbound esp 65432

sa string-key inbound esp qaw

sa spi outbound esp 123456

sa string-key outbound esp abcdef

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip

acl number 3001 match-order auto          

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.4.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.1.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#                                        

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#                                        

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

<fw-2>dis cu

#

sysname fw-2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

ipsec policy policy1 10 manual

security acl 3000                        

proposal tran1

tunnel local 2.2.2.1

tunnel remote 1.1.1.1

sa spi inbound esp 12345

sa string-key inbound esp abcdefg

sa spi outbound esp 654321

sa string-key outbound esp qaws

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.2.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3                    

#

interface Ethernet0/4

ip address 2.2.2.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#                                        

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

<fw-2>    




<fw-3>dis cu

#

sysname fw-3

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

ipsec proposal tran2

#

ipsec policy policy1 20 manual

security acl 3001

proposal tran2

tunnel local 3.3.3.1

tunnel remote 1.1.1.1

sa spi inbound esp 123456

sa string-key inbound esp abcdef

sa spi outbound esp 65432                

sa string-key outbound esp qaw

#

acl number 3001 match-order auto

rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.3.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 3.3.3.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0                      

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust          

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

ip route-static 0.0.0.0 0.0.0.0 3.3.3.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

#

return

<fw-3>          

The tunnels are built.

Notes. An interface carries only one IPsec policy group (policy1 on each firewall's Ethernet0/4), but a group can hold many entries, each with its own sequence number, ACL and proposal, and a device can define any number of proposals. That is how fw-1 terminates both tunnels on one interface: entry policy1 10 to fw-2 and entry policy1 20 to fw-3. What must agree across the two ends of a link are the tunnel addresses, the proposal parameters, and the SPI and key of each direction, with outbound on one side being inbound on the other.

Before taking any of this into production, note what the final dumps show. The keys are the guessable strings abcdefg, qaws, abcdef and qaw, they sit in clear text in the running configuration, and manual SAs never rekey and give no real anti-replay protection; the "isakmp" mode the CLI offers (IKE) addresses all three, and aes with sha1 should replace des with md5. The "password cipher" strings in the dumps should be treated as the passwords themselves and redacted before a configuration is shared. And the management plane as configured, an admin account with telnet and FTP service, "FTP server enable", VTY lines on fw-3 without any authentication-mode, and a default-permit packet filter, is acceptable only because this is a closed lab.