IPSec is the long-term direction for secure networking. It provides proactive protection against attacks from both the private network and the Internet by securing traffic end to end: in a protected exchange, only the sending and receiving endpoints need to know that IPSec is in use at all. In Windows XP and the Windows Server 2003 family, IPSec can protect communication between workgroups, computers on a LAN, domain clients and servers, branch offices (physically remote sites), extranets, and roaming clients. The case below uses the other common deployment, a gateway-to-gateway tunnel: the two firewalls are the IPSec endpoints, and the hosts behind them need no IPSec configuration of their own.
IPSec case study (2)

The two dumps below are the spoke side of a hub-and-spoke layout: F2 (tunnel interface Ethernet0/1, 192.168.20.200; LAN 192.168.2.0/24 on Ethernet0/4) and F4 (tunnel interface Ethernet0/1, 192.168.30.200; LAN 192.168.3.0/24 on Ethernet0/2) each negotiate an IKE tunnel (default main mode, pre-shared-key authentication) with the same peer, 192.168.10.200, and protect traffic between their own LAN and 192.168.1.0/24 behind that peer. On each box the ipsec policy is bound to the interface that owns the ike peer's local-address, and the default route leaves through that same interface, which is what the IKE and ESP packets need. Note that the security ACL only selects what gets protected: rule 1 deny ip means "do not encrypt", so traffic that does not match rule 0 is still forwarded, in the clear; it is not dropped.

F2:
<F2>dis cu
#
 sysname F2
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password cipher .]@USE=B,53Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp
local-user user1
 password simple 123
 service-type telnet
 level 3
#
ike peer f1
 pre-shared-key 123456
 remote-address 192.168.10.200
 local-address 192.168.20.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
 security acl 3000
 ike-peer f1
 proposal tran1
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
 ip address 192.168.20.200 255.255.255.0
 ipsec policy policy10
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
 ip address 192.168.2.1 255.255.255.0
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/4
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 FTP server enable
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.20.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
F4:
[F4]dis cu
#
 sysname F4
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password cipher .]@USE=B,53Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp
local-user user1
 password simple 123
 service-type telnet
 level 3
#
ike peer route
 pre-shared-key 123456
 remote-address 192.168.10.200
 local-address 192.168.30.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
 security acl 3000
 ike-peer route
 proposal tran1
#
acl number 3000
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 192.168.100.44 255.255.255.0
#
interface Ethernet0/1
 ip address 192.168.30.200 255.255.255.0
 ipsec policy policy10
#
interface Ethernet0/2
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet0/1
 add interface Ethernet0/2
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 FTP server enable
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.30.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
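As an added example, not code from the original page or from the firewall vendor, the Python script below audits dumps like the F2 and F4 ones above. It parses the view structure of a `display current-configuration` dump, reports how each ipsec policy is wired (IKE peer, local and remote address, the interface that carries the policy, the ACL rules that select traffic for protection) and flags what a reviewer would question in both dumps: pre-shared-key 123456, password simple 123 on a level-3 Telnet user, a proposal with no explicit algorithms (on this platform family the default transform is ESP with DES and MD5; verify with display ipsec proposal), and the tunnel interface sitting in zone trust. The 16-character key threshold and the "trust zone" heuristic are this example's own choices, not anything the page or the platform defines; the sample input is a trimmed copy of the F2 dump, and the parser is keyword based so it also accepts dumps that lost their indentation.

```python
"""Audit the IKE/IPsec parts of a Comware-style (SecPath) configuration dump.
Added example, not code from the page: it parses 'display current-configuration'
output like the F2/F4 dumps above and flags what a reviewer would question."""

VIEW_HEADERS = ("local-user ", "ike peer ", "ipsec proposal ", "acl number ", "interface ", "firewall zone ")

# Constructed sample input: the IPsec-relevant lines of the F2 dump from the page.
SAMPLE_F2 = """\
local-user user1
 password simple 123
#
ike peer f1
 pre-shared-key 123456
 remote-address 192.168.10.200
 local-address 192.168.20.200
#
ipsec proposal tran1
#
ipsec policy policy10 20 isakmp
 security acl 3000
 ike-peer f1
 proposal tran1
#
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
#
interface Ethernet0/1
 ip address 192.168.20.200 255.255.255.0
 ipsec policy policy10
#
firewall zone trust
 add interface Ethernet0/1
#
"""

def parse_blocks(text):
    """(header, [sub-commands]) pairs in order; keyword based, so it also
    handles dumps whose one-space indentation was lost in copy-paste."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # 'ipsec policy NAME SEQ isakmp' opens a view, but 'ipsec policy NAME'
        # under an interface only applies one: tell them apart by word count.
        is_header = line.startswith(VIEW_HEADERS) or (
            line.startswith("ipsec policy ") and len(line.split()) >= 5)
        if not line or line in ("#", "return"):
            current = None
        elif is_header:
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks

def _attr(body, key):
    """Argument of the first sub-command starting with `key`, or None."""
    for line in body:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return None

def audit(text):
    """Return {'tunnels': [...], 'findings': [...]} for one dump."""
    views, findings = dict(parse_blocks(text)), []  # header -> sub-commands
    for header, body in views.items():
        if header.startswith("local-user ") and _attr(body, "password simple") is not None:
            findings.append(f"{header}: 'password simple' keeps the password in clear text")
        elif header.startswith("ike peer "):
            psk = _attr(body, "pre-shared-key") or ""
            if len(psk) < 16 or psk.isdigit():  # threshold is this example's own choice
                findings.append(f"{header}: weak pre-shared-key {psk!r}")
        elif header.startswith("ipsec proposal ") and not any(c.startswith(("esp ", "ah ")) for c in body):
            findings.append(f"{header}: no algorithms set, platform defaults apply (see 'display ipsec proposal')")
    tunnels = []
    for header, body in views.items():
        if not header.startswith("ipsec policy "):
            continue
        name = header.split()[2]
        peer = views.get(f"ike peer {_attr(body, 'ike-peer')}", [])
        local = _attr(peer, "local-address")
        bound = [h.split()[1] for h, b in views.items()
                 if h.startswith("interface ") and _attr(b, "ipsec policy") == name]
        if not bound:
            findings.append(f"ipsec policy {name}: not applied to any interface")
        for ifname in bound:
            # The interface carrying the policy must own the IKE local-address.
            ip = (_attr(views[f"interface {ifname}"], "ip address") or "").split()
            if (ip[0] if ip else None) != local:
                findings.append(f"ipsec policy {name}: {ifname} address {ip[:1]} != local-address {local}")
            if f"add interface {ifname}" in views.get("firewall zone trust", []):
                findings.append(f"{ifname}: interface carrying the tunnel sits in zone trust")
        acl = views.get(f"acl number {_attr(body, 'security acl')}", [])
        tunnels.append({"policy": name, "peer": _attr(body, "ike-peer"), "local": local,
                        "remote": _attr(peer, "remote-address"), "interfaces": bound,
                        # only permit rules select traffic; a deny rule means 'send unprotected'
                        "protected": [c for c in acl if " permit " in c]})
    return {"tunnels": tunnels, "findings": findings}
```

Run audit() on the full text of either dump (paste it into a string or read it from a file); on F2 it reports one tunnel, policy10 from 192.168.20.200 to 192.168.10.200 on Ethernet0/1 protecting 192.168.2.0/24 to 192.168.1.0/24, plus the four findings named above, and on F4 the same shape with the F4 addresses. A dump whose ike peer local-address does not match the address of the interface carrying the policy gets an extra finding, which is the usual reason an otherwise correct-looking isakmp policy never brings up phase 1.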