IKE动态实验
一、实验设备:
3台PC,3台H3C SecPath F100-C防火墙,1台华为Quidway S3526交换机,网线若干。
二、 实验拓扑:
三、 实验说明:
要求在FW-1与FW-2、FW-1与FW-3之间建立×××,实现内网通讯(即PC1与PC2能通讯、PC1能与PC3通讯)。
四、 配置步骤:
FW-1:
system-view
interface Ethernet0/1
ip add 1.1.1.1 24
interface Ethernet0/2
ip add 192.168.1.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
quit
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec proposal zhu-2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
display ipsec proposal
quit
ipsec policy policy1 10 isakmp
sec acl 3000
proposal zhu-1
ike-peer peer-1
quit
ike peer peer-1
local-address 1.1.1.1
remote-address 2.1.1.1
pre-shared-key simple 12345
quit
ipsec policy policy1 20 isakmp
sec acl 3001
proposal zhu-2
ike-peer peer-2
quit
ike peer peer-2
local-address 1.1.1.1
remote-address 3.1.1.1
pre-shared-key simple 123456
quit
interface Ethernet0/1
ipsec policy policy1
quit
FW-2:
system-view
interface Ethernet0/1
ip add 2.1.1.1 24
interface Ethernet0/2
ip add 192.168.2.1 24
quit
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 2.1.1.2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule 20 deny ip source any dest any
quit
ipsec propo zhu
enca tunnel
trans esp
es auth md5
esp enc des
quit
ipsec policy policy2 10 isakmp
sec acl 3000
propo zhu
ike-peer peer-1
quit
ike peer peer-1
local-address 2.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 12345
quit
inter Ethernet0/1
ipsec poli policy2
FW-3:
system-view
firewall zone trust
add interface Ethernet0/2
quit
firewall zone untrust
add interface Ethernet0/1
interface Ethernet0/1
ip add 3.1.1.1 24
interface Ethernet0/2
ip add 192.168.3.1 24
quit
ip route-static 0.0.0.0 0 3.1.1.2
acl number 3001
rule 10 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
rule 20 deny ip source any dest any
quit
ipsec propo zhu-3
enca tunnel
trans esp
es auth md5
esp enc des
quit
ipsec policy policy3 20 isakmp
sec acl 3001
propo zhu-3
ike-peer peer-2
quit
ike peer peer-2
local-address 3.1.1.1
remote-address 1.1.1.1
pre-shared-key simple 123456
quit
inter Ethernet0/1
ipsec poli policy3
quit
查看相关配置:
FW-2:dis ipsec sa
dis ike peer
FW-3:
dis ipsec sa
dis ike peer
测试:
PC1和PC2之间:
2、PC1和PC3之间: