1 Beijing configuration
f1
ike local-name f1
firewall packet-filter enable  enable packet filtering
firewall packet-filter default permit  default action is permit
ike peer peer1  define the IKE peer
exchange-mode aggressive  set the IKE exchange to aggressive mode
pre-shared-key 123456  configure the pre-shared key
id-type name  identify the peer by name
remote-name f2
ike peer peer2  define the IKE peer
exchange-mode aggressive  set the IKE exchange to aggressive mode
pre-shared-key 654321  configure the pre-shared key
id-type name  identify the peer by name
remote-name f3
ipsec proposal tran1  security proposal tran1
ipsec proposal tran2  security proposal tran2
ipsec policy policy1 10 isakmp  security policy, entry 10
security acl 3000  reference the ACL
ike-peer peer1  reference the IKE peer
proposal tran1  reference the proposal
ipsec policy policy1 20 isakmp  security policy, entry 20
security acl 3001  reference the ACL
ike-peer peer2  reference the IKE peer
proposal tran2  reference the proposal
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip source any destination any
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 deny ip source any destination any
interface Ethernet0/0
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
ip address 202.196.10.100 255.255.255.0
ipsec policy policy1  apply the policy on the interface
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
ip route-static 0.0.0.0 0.0.0.0 202.196.10.1 preference 60  default route
[F1]dis ipsec proposal  display the security proposals
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F1]dis ipsec tunnel  display tunnel information
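The proposal output above shows the device defaults, md5-hmac-96 and des, and both hub peers run in aggressive mode with six-digit pre-shared keys. Those are the settings a defender would want flagged before a lab config like this is reused. The following Python scan is an added example, not code from the page or from any vendor; scan_ike_peers, scan_proposals, WEAK_ALGS and the 16-character key threshold are this example's own choices, and the sample text is constructed from the page's F1 lines.

```python
"""Hygiene scan over the Beijing hub's IKE peer settings and the
'dis ipsec proposal' output. Added example, not the page's or a vendor's
code; sample text is constructed from the page, thresholds are this example's."""
import re

# Constructed from the page's F1 'ike peer' blocks (annotations removed).
HUB_PEERS = """\
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f2
ike peer peer2
 exchange-mode aggressive
 pre-shared-key 654321
 id-type name
 remote-name f3
"""
# Constructed from the page's '[F1]dis ipsec proposal' output.
PROPOSAL_OUTPUT = """\
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
"""

# Algorithm families a defender should not accept in a new IPsec proposal
# (this example's list, matched against the first token of the algorithm name).
WEAK_ALGS = ("des", "md5")


def scan_ike_peers(cfg, min_psk_len=16):
    """Return {peer: [findings]} for every 'ike peer' block in the config text."""
    findings, peer = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("ike peer "):
            peer = line.split()[2]
            findings[peer] = []
        elif peer and line == "exchange-mode aggressive":
            # IKEv1 aggressive mode sends the identity and the PSK-derived hash
            # before encryption starts, so the key must withstand offline guessing.
            findings[peer].append("aggressive mode: identity and PSK hash exposed in the exchange")
        elif peer and line.startswith("pre-shared-key "):
            psk = line.split(None, 1)[1]
            if len(psk) < min_psk_len or psk.isdigit():
                findings[peer].append("pre-shared key is short or all-digit")
    return findings


def scan_proposals(output):
    """Return {proposal: [weak algorithms]} parsed from 'dis ipsec proposal' output."""
    weak, name = {}, None
    for line in (l.strip().lower() for l in output.splitlines()):
        if line.startswith("ipsec proposal name:"):
            name = line.split(":", 1)[1].strip()
            weak[name] = []
        elif line.startswith("esp protocol:") and name:
            # e.g. "authentication md5-hmac-96, encryption des" -> ["md5-hmac-96", "des"]
            for alg in re.findall(r"(?:authentication|encryption) ([\w-]+)", line):
                if alg.split("-")[0] in WEAK_ALGS:
                    weak[name].append(alg)
    return weak


if __name__ == "__main__":
    for peer, notes in scan_ike_peers(HUB_PEERS).items():
        print(peer, notes)
    print(scan_proposals(PROPOSAL_OUTPUT))
```

Run against the page's F1 text, both peers get two findings each and both proposals list md5-hmac-96 and des; a peer using main mode with a long mixed-character key, or a proposal on AES and SHA-2, comes back empty.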
Shanghai configuration
f2
ike local-name f2
firewall packet-filter enable
firewall packet-filter default permit
ike peer peer1
exchange-mode aggressive
pre-shared-key 123456
id-type name
remote-name f1
remote-address 202.196.10.100  the remote (hub) IP address must be specified here
ipsec proposal tran1
ipsec policy policy1 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip source any destination any
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy1
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
ip route-static 0.0.0.0 0.0.0.0 202.196.20.1 preference 60
Zhengzhou configuration
f3
ike local-name f3
firewall packet-filter enable
firewall packet-filter default permit
ike peer peer2
exchange-mode aggressive
pre-shared-key 654321
id-type name
remote-name f1
remote-address 202.196.10.100  the remote (hub) IP address must be specified here
ipsec proposal tran2
ipsec policy policy1 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip source any destination any
interface Ethernet0/0
ip address 192.168.3.254 255.255.255.0
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy1
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
ip route-static 0.0.0.0 0.0.0.0 202.196.30.1 preference 60
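The three firewall configs above must agree pairwise: the hub names each spoke with remote-name because the spokes get their outside addresses by DHCP and the hub cannot set a remote-address for them, while each spoke points remote-address at the hub's fixed 202.196.10.100; the pre-shared key and exchange mode must match per peer, and the ACL on each end must be the mirror image of the other or traffic will be selected for the SA on one side only. The following Python checker verifies those rules. It is an added example, not code from the page or from any vendor; parse, check_pair, _flows and the RULE regex are this example's own, and the sample configs are constructed from the page's F1 and F2 sections (the F3 branch is analogous and is exercised the same way).

```python
"""Consistency check across the hub (F1) and spoke (F2) configs above. Added
example, not the page's own code and not a vendor tool. It parses the subset
of the H3C-style CLI the page uses (ike local-name, ike peer, ipsec policy
... isakmp, acl number / rule); the config text is constructed from the page
with annotations removed, and the function names are this example's own."""
import re

# Constructed from the page's F1 (Beijing hub) config; the peer2/F3 branch is analogous.
HUB = """\
ike local-name f1
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f2
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal tran1
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip source any destination any
"""
# Constructed from the page's F2 (Shanghai spoke) config.
SPOKE = """\
ike local-name f2
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f1
 remote-address 202.196.10.100
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal tran1
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip source any destination any
"""

# rule <n> permit|deny ip source <addr wildcard|any> destination <addr wildcard|any>
RULE = re.compile(r"rule \d+ (permit|deny) ip source (any|\S+ \S+) "
                  r"dest(?:ination)? (any|\S+ \S+)$")


def parse(cfg):
    """Return {'name', 'peers', 'policies', 'acls'} for one device's config."""
    dev = {"name": None, "peers": {}, "policies": {}, "acls": {}}
    sect = None  # (table, key) of the block whose sub-commands follow
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        w = line.split()
        if w[:2] == ["ike", "local-name"]:
            dev["name"] = w[2]
        elif w[:2] == ["ike", "peer"]:
            sect = ("peers", w[2])
            dev["peers"][w[2]] = {}
        elif w[:2] == ["ipsec", "policy"] and w[-1] == "isakmp":
            sect = ("policies", (w[2], int(w[3])))
            dev["policies"][sect[1]] = {}
        elif w[:2] == ["acl", "number"]:
            sect = ("acls", int(w[2]))
            dev["acls"][sect[1]] = []
        elif sect and sect[0] == "acls":
            m = RULE.match(line)
            if m:  # (action, source, destination); 'dest' abbreviation accepted as on the page
                dev["acls"][sect[1]].append(m.groups())
        elif sect and len(w) >= 2:  # sub-command of an ike peer / ipsec policy block
            dev[sect[0]][sect[1]][" ".join(w[:-1])] = w[-1]
    return dev


def _flows(dev, peer):
    """(source, destination) pairs the ACL bound to `peer`'s policy permits."""
    pol = next(p for p in dev["policies"].values() if p.get("ike-peer") == peer)
    return {(s, d) for act, s, d in dev["acls"][int(pol["security acl"])] if act == "permit"}


def check_pair(hub, spoke):
    """Findings (empty list = consistent) for one hub<->spoke pairing.
    Pairing is by IKE name, as on the page: the hub cannot configure a
    remote-address for a spoke on a DHCP-assigned address, so it identifies
    the spoke by remote-name, while the spoke must carry the hub's fixed address."""
    hp = next((n for n, p in hub["peers"].items() if p.get("remote-name") == spoke["name"]), None)
    sp = next((n for n, p in spoke["peers"].items() if p.get("remote-name") == hub["name"]), None)
    if hp is None or sp is None:
        return ["no ike peer on each side names the other"]
    h, s = hub["peers"][hp], spoke["peers"][sp]
    out = [f"{k} differs (hub={h.get(k)}, spoke={s.get(k)})"
           for k in ("exchange-mode", "pre-shared-key", "id-type") if h.get(k) != s.get(k)]
    if "remote-address" not in s:
        out.append("spoke has no remote-address for the hub")
    if {(d, src) for src, d in _flows(spoke, sp)} != _flows(hub, hp):
        out.append("ACLs are not mirror images: traffic would match the SA on one end only")
    return out


if __name__ == "__main__":
    print(check_pair(parse(HUB), parse(SPOKE)) or "hub and spoke are consistent")
```

On the page's own F1/F2 text the checker returns no findings; change the spoke's key, drop its remote-address, or alter one ACL network and it reports exactly that mismatch.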
SW: Layer 3 switch configuration
dhcp server ip-pool shanghai
network 202.196.20.0 mask 255.255.255.0
dhcp server ip-pool zhengzhou
network 202.196.30.0 mask 255.255.255.0
vlan 1
vlan 10
vlan 20
vlan 30
interface Vlan-interface1
ip address 192.168.100.33 255.255.255.0
interface Vlan-interface10
ip address 202.196.10.1 255.255.255.0
interface Vlan-interface20
ip address 202.196.20.1 255.255.255.0
interface Vlan-interface30
ip address 202.196.30.1 255.255.255.0
interface Ethernet0/6
port access vlan 10
interface Ethernet0/12
port access vlan 20
interface Ethernet0/18
port access vlan 30
dhcp server forbidden-ip 202.196.20.1
dhcp server forbidden-ip 202.196.30.1
dis dhcp server ip-in-use all  check the DHCP server state
Global pool:
IP address     Hardware address   Lease expiration           Type
202.196.20.2   3ce5-a67f-374b     Mar 29 2012 18:31:43 PM    Auto:COMMITTED
202.196.30.2   3ce5-a6ce-1895     Mar 29 2012 19:52:32 PM    Auto:COMMITTED
Test:
Beijing to the Shanghai branch
Beijing to the Zhengzhou branch