IKE dynamic-negotiation lab

1. Lab equipment:
3 PCs, 3 H3C SecPath F100-C firewalls, 1 Huawei Quidway S3526 switch, and network cables as needed.
2. Lab topology:

[Figure: lab topology diagram]

3. Lab description:
Build IPsec tunnels between FW-1 and FW-2 and between FW-1 and FW-3 so that the internal networks can communicate (that is, PC1 can reach PC2 and PC1 can reach PC3).
4. Configuration steps:
FW-1:
 
system-view
interface Ethernet0/1
ip address 1.1.1.1 24
interface Ethernet0/2
ip address 192.168.1.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
quit
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec proposal zhu-2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
display ipsec proposal
quit
ipsec policy policy1 10 isakmp
security acl 3000
proposal zhu-1
ike-peer peer-1
quit
ike peer peer-1
local-address 1.1.1.1
remote-address 2.1.1.1
pre-shared-key simple 12345
quit
ipsec policy policy1 20 isakmp
security acl 3001
proposal zhu-2
ike-peer peer-2
quit
ike peer peer-2
local-address 1.1.1.1
remote-address 3.1.1.1
pre-shared-key simple 123456
quit
 
interface Ethernet0/1
ipsec policy policy1
quit
 
FW-2:
 
system-view
interface Ethernet0/1
ip address 2.1.1.1 24
interface Ethernet0/2
ip address 192.168.2.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 2.1.1.2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy2 10 isakmp
security acl 3000
proposal zhu
ike-peer peer-1
quit
ike peer peer-1
local-address 2.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 12345
quit
interface Ethernet0/1
ipsec policy policy2
quit
 
FW-3:
system-view
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
interface Ethernet0/1
ip address 3.1.1.1 24
interface Ethernet0/2
ip address 192.168.3.1 24
quit
ip route-static 0.0.0.0 0 3.1.1.2
acl number 3001
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu-3
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy3 20 isakmp
security acl 3001
proposal zhu-3
ike-peer peer-2
quit
ike peer peer-2
local-address 3.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 123456
quit
interface Ethernet0/1
ipsec policy policy3
quit
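
As an added example (not part of the original post), a small Python checker for the kind of configuration shown above: it parses the `ike peer` and `ipsec proposal` views of the FW-1 and FW-2 snippets (embedded below as constructed strings), confirms that the two peer entries mirror each other (addresses swapped, identical pre-shared key), and flags the cleartext `simple` key and the DES/MD5 algorithms this lab uses. The parser handles only the Comware keywords that appear on this page; `parse`, `audit`, `FIELDS` and `WEAK` are names chosen here.

```python
import re
# Field name -> regex for one config line, in the Comware syntax used on this page.
FIELDS = {
    "local": r"^local-address (\S+)$",
    "remote": r"^remote-address (\S+)$",
    "psk": r"^pre-shared-key (simple|cipher) (\S+)$",
    "auth": r"^esp authentication-algorithm (\S+)$",
    "enc": r"^esp encryption-algorithm (\S+)$",
}
WEAK = {"des", "md5"}  # algorithms this lab uses that should not be deployed today

def parse(cfg):
    """Collect 'ike peer' and 'ipsec proposal' views into {'peer': {...}, 'proposal': {...}}."""
    views, cur = {"peer": {}, "proposal": {}}, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        head = re.match(r"^(ike peer|ipsec proposal) (\S+)$", line)
        if head:  # entering a view: start (or reopen) the dict for that peer/proposal
            kind = "peer" if head.group(1) == "ike peer" else "proposal"
            cur = views[kind].setdefault(head.group(2), {})
        elif line == "quit":
            cur = None
        elif cur is not None:
            for name, rx in FIELDS.items():
                m = re.match(rx, line)
                if m:
                    cur[name] = m.groups()  # e.g. ('simple', '12345') or ('des',)
    return views

def audit(cfg_a, cfg_b, peer_a, peer_b):
    """Findings for one tunnel: `peer_a` on firewall A must mirror `peer_b` on firewall B."""
    a, b = parse(cfg_a)["peer"][peer_a], parse(cfg_b)["peer"][peer_b]
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("addresses not mirrored")
    if a["psk"][1] != b["psk"][1]:
        findings.append("pre-shared keys differ")
    if "simple" in (a["psk"][0], b["psk"][0]):
        findings.append("cleartext (simple) pre-shared key in config")
    for cfg in (cfg_a, cfg_b):
        for name, p in parse(cfg)["proposal"].items():
            weak = WEAK & {p[k][0] for k in ("auth", "enc") if k in p}
            if weak:
                findings.append(f"proposal {name} uses weak {sorted(weak)}")
    return findings
# Constructed from the FW-1 and FW-2 snippets above; only the views the checker reads.
FW1 = ("ipsec proposal zhu-1\nesp authentication-algorithm md5\nesp encryption-algorithm des\nquit\n"
       "ike peer peer-1\nlocal-address 1.1.1.1\nremote-address 2.1.1.1\npre-shared-key simple 12345\nquit")
FW2 = ("ipsec proposal zhu\nesp authentication-algorithm md5\nesp encryption-algorithm des\nquit\n"
       "ike peer peer-1\nlocal-address 2.1.1.1\nremote-address 1.1.1.1\npre-shared-key simple 12345\nquit")
```

For this lab `audit(FW1, FW2, "peer-1", "peer-1")` reports only the cleartext-key and DES/MD5 findings; a mistyped key or address on either side makes the mirror checks fire as well.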
 
Verify the configuration:

FW-2:

display ipsec sa

[Figure: output of display ipsec sa on FW-2]

display ike peer

[Figure: output of display ike peer on FW-2]

FW-3:

display ipsec sa

[Figure: output of display ipsec sa on FW-3]

display ike peer

[Figure: output of display ike peer on FW-3]
Test:

1. Between PC1 and PC2:

[Figure: connectivity test between PC1 and PC2]

2. Between PC1 and PC3:

[Figure: connectivity test between PC1 and PC3]