
Huawei eNSP firewall IPsec VPN point-to-multipoint scenario (1 HQ to 3 branches)
The requirement is simple: the R in the middle represents the Internet (public network). The enterprise scenario is one headquarters facing three branches, with point-to-multipoint IPsec VPN deployed on the firewalls.
Approach: anyone who can configure point-to-point IPsec VPN can produce the point-to-multipoint result.
This scenario suits graduation projects, major assignments and coursework that call for point-to-multipoint; the topology simply reduces each company's intranet to a single PC, and students should be able to generalize from it.
Don't question the correctness of my answer; I guarantee it 100%. If you just type it in verbatim, it most likely still won't work: you need troubleshooting ability.
R configuration
#
sysname R
#
undo info-center enable
#
interface GigabitEthernet0/0/0
ip address 100.1.21.2 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 100.1.22.2 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 100.1.23.2 255.255.255.252
#
interface GigabitEthernet0/0/3
ip address 100.1.24.2 255.255.255.252
FW1 configuration:
sysname FW1
#
acl number 3000
rule 1 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
rule 1 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
acl number 3002
rule 1 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer f2
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.22.1
ike peer f3
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.23.1
ike peer f4
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.24.1
#
ipsec policy ips 1 isakmp
security acl 3000
ike-peer f2
proposal tran1
ipsec policy ips 2 isakmp
security acl 3001
ike-peer f3
proposal tran1
ipsec policy ips 3 isakmp
security acl 3002
ike-peer f4
proposal tran1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.21.1 255.255.255.252
service-manage ping permit
ipsec policy ips
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.10.2 255.255.255.0
service-manage ping permit
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 100.1.21.2
#
security-policy
rule name L-U
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name f-f4
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.40.0 mask 255.255.255.0
action permit
rule name f4-f
source-zone untrust
destination-zone dmz
destination-zone trust
source-address 192.168.40.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-f2
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
action permit
rule name f2-f
source-zone untrust
destination-zone dmz
destination-zone trust
source-address 192.168.20.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-f3
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.30.0 mask 255.255.255.0
action permit
rule name f3-f
source-zone untrust
destination-zone dmz
destination-zone trust
source-address 192.168.30.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-isp
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action permit
#
nat-policy
rule name z-f234
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.40.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
destination-address 192.168.30.0 mask 255.255.255.0
action no-nat
rule name any-isp
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action source-nat easy-ip
FW2 configuration
sysname FW2
#
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer f
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.21.1
#
ipsec policy map1 1 isakmp
security acl 3000
ike-peer f
proposal tran1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.20.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.22.1 255.255.255.252
service-manage ping permit
ipsec policy map1
#
firewall zone trust
add interface GigabitEthernet1/0/0
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.22.2
#
security-policy
rule name L-U
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name f2-f
source-zone trust
destination-zone untrust
source-address 192.168.20.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-f2
source-zone untrust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
action permit
rule name f2-isp
source-zone trust
destination-zone untrust
source-address 192.168.20.0 mask 255.255.255.0
action permit
#
nat-policy
rule name f2-f
source-zone trust
destination-zone untrust
source-address 192.168.20.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action no-nat
rule name f2-isp
source-zone trust
destination-zone untrust
source-address 192.168.20.0 mask 255.255.255.0
action source-nat easy-ip
FW3 configuration
sysname FW3
#
acl number 3000
rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer f
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.21.1
#
ipsec policy map1 1 isakmp
security acl 3000
ike-peer f
proposal tran1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.30.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.23.1 255.255.255.252
service-manage ping permit
ipsec policy map1
#
firewall zone trust
add interface GigabitEthernet1/0/0
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.23.2
#
security-policy
rule name L-U
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name f3-f
source-zone trust
destination-zone untrust
source-address 192.168.30.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-f3
source-zone untrust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.30.0 mask 255.255.255.0
action permit
rule name f3-isp
source-zone trust
destination-zone untrust
source-address 192.168.30.0 mask 255.255.255.0
action permit
#
nat-policy
rule name f3-f
source-zone trust
destination-zone untrust
source-address 192.168.30.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action no-nat
rule name f3-isp
source-zone trust
destination-zone untrust
source-address 192.168.30.0 mask 255.255.255.0
action source-nat easy-ip
FW4 configuration
sysname FW4
#
acl number 3000
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer f
pre-shared-key 18812668402
ike-proposal 10
remote-address 100.1.21.1
#
ipsec policy map1 1 isakmp
security acl 3000
ike-peer f
proposal tran1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.40.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.24.1 255.255.255.252
service-manage ping permit
ipsec policy map1
#
firewall zone trust
add interface GigabitEthernet1/0/0
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.24.2
#
security-policy
rule name L-U
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name f4-f
source-zone trust
destination-zone untrust
source-address 192.168.40.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action permit
rule name f-f4
source-zone untrust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 192.168.40.0 mask 255.255.255.0
action permit
rule name f4-isp
source-zone trust
destination-zone untrust
source-address 192.168.40.0 mask 255.255.255.0
action permit
#
nat-policy
rule name f4-f
source-zone trust
destination-zone untrust
source-address 192.168.40.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
action no-nat
rule name f4-isp
source-zone trust
destination-zone untrust
source-address 192.168.40.0 mask 255.255.255.0
action source-nat easy-ip
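As an added example (not part of the original post and not Huawei tooling), the Python checker below parses only the IPsec-relevant lines of hub and spoke configs laid out like the four above and reports the mismatches that most often keep a tunnel from coming up: a branch ACL that is not the exact mirror of the hub ACL, a pre-shared key that differs, or a remote-address that does not point at the peer's tunnel interface. The config excerpts are constructed from the FW1/FW2 layout, and `parse` and `check_hub_spoke` are hypothetical names.

```python
import re
# Added hub-and-spoke consistency checker (hypothetical tooling, not from the article). It reads
# Huawei USG-style config text and, for every hub policy entry, verifies that the spoke owning the
# peer address mirrors the hub ACL, uses the same PSK, and points its remote-address back at the hub.
ACL_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$")

def parse(cfg):
    """Collect ACL rules, IKE peers, ISAKMP policy entries and interface addresses."""
    acl, peers, policies, addrs, cur = {}, {}, [], set(), None
    for line in (ln.strip() for ln in cfg.splitlines()):
        if line == "#": cur = None                      # every config block ends with '#'
        elif m := re.match(r"acl number (\d+)$", line): cur = ("acl", m.group(1))
        elif m := re.match(r"ike peer (\S+)$", line): peers[m.group(1)] = {}; cur = ("peer", m.group(1))
        elif re.match(r"ipsec policy \S+ \d+ isakmp$", line): policies.append({}); cur = ("policy",)
        elif m := re.match(r"ip address (\S+) ", line): addrs.add(m.group(1))
        elif cur and cur[0] == "acl" and (m := ACL_RE.match(line)): acl[cur[1]] = m.groups()
        elif cur and cur[0] == "peer" and (m := re.match(r"(pre-shared-key|remote-address) (\S+)", line)):
            peers[cur[1]][m.group(1)] = m.group(2)
        elif cur and cur[0] == "policy" and (m := re.match(r"(security acl|ike-peer) (\S+)", line)):
            policies[-1][m.group(1)] = m.group(2)
    return {"acl": acl, "peers": peers, "policies": policies, "addrs": addrs}

def check_hub_spoke(hub_cfg, spoke_cfgs):
    """Return a list of problem strings; an empty list means every hub entry has a matching spoke."""
    hub, spokes, problems = parse(hub_cfg), [parse(c) for c in spoke_cfgs], []
    for pol in hub["policies"]:
        peer = hub["peers"].get(pol.get("ike-peer"), {})
        remote = peer.get("remote-address")
        spoke = next((s for s in spokes if remote in s["addrs"]), None)
        if spoke is None:
            problems.append(f"no spoke config owns peer address {remote}"); continue
        src, sw, dst, dw = hub["acl"][pol["security acl"]]
        if (dst, dw, src, sw) not in spoke["acl"].values():    # spoke ACL must be the exact mirror
            problems.append(f"{remote}: ACL does not mirror hub ACL {pol['security acl']}")
        sp_peer = next(iter(spoke["peers"].values()), {})
        if sp_peer.get("pre-shared-key") != peer.get("pre-shared-key"):
            problems.append(f"{remote}: pre-shared-key differs from the hub")
        if sp_peer.get("remote-address") not in hub["addrs"]:
            problems.append(f"{remote}: remote-address does not point at the hub")
    return problems

# Constructed excerpts in the article's layout: hub FW1 and branch FW2, one tunnel only.
HUB = ("acl number 3000\nrule 1 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255\n#\n"
       "ike peer f2\npre-shared-key 18812668402\nremote-address 100.1.22.1\n#\nipsec policy ips 1 isakmp\n"
       "security acl 3000\nike-peer f2\n#\ninterface GigabitEthernet1/0/0\nip address 100.1.21.1 255.255.255.252\n#\n")
SPOKE = ("acl number 3000\nrule 5 permit ip source 192.168.20.0 0.0.0.255 destination 172.16.10.0 0.0.0.255\n#\n"
         "ike peer f\npre-shared-key 18812668402\nremote-address 100.1.21.1\n#\n"
         "interface GigabitEthernet1/0/1\nip address 100.1.22.1 255.255.255.252\n#\n")
SPOKE_WRONG_LAN = SPOKE.replace("192.168.20.0", "192.168.30.0")  # branch typed a neighbour's LAN into its ACL
```

Run it over the full running configs of all four firewalls and it reports problems per tunnel, which is the first thing worth checking before reading `display ike sa` output.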
Stop copy-pasting the configuration and then questioning my answer when it doesn't work; it's ridiculous!!!
Test connectivity from the headquarters firewall to the interface addresses on the three branch firewalls that the IKE tunnels are built on.
Once connectivity is fine, ping each branch's business network and observe the IKE SA and IPsec SA.
After the whole configuration is entered for the first time, every test loses 2 packets; the loss is the ARP process and does not happen on real hardware.
There are three IKE SA peer pairs.
The IPsec SA summary also shows 3 pairs.
In the IPsec SA you can see your outbound encrypted traffic.
Careful students can run that command repeatedly: you'll see that after each ping, the inbound and outbound encrypted traffic counters keep growing.
Class dismissed!