Topology:

Configuration process:
HS-20(config-if-eth0/2)# zone trust
HS-20(config-if-eth0/2)# ip add 192.168.20.1/24
HS-20(config-if-eth0/2)# ping 192.168.20.20
Sending ICMP packets to 192.168.20.20
Seq ttl time(ms)

VPCS> ping 192.168.20.1
192.168.20.1 icmp_seq=1 timeout
192.168.20.1 icmp_seq=2 timeout
192.168.20.1 icmp_seq=3 timeout
^C

Enable ping on the interface:
HS-20(config-if-eth0/2)# manage ping
HS-20(config-if-eth0/2)#

VPCS> ping 192.168.20.1
84 bytes from 192.168.20.1 icmp_seq=1 ttl=128 time=1.229 ms
84 bytes from 192.168.20.1 icmp_seq=2 ttl=128 time=1.126 ms
84 bytes from 192.168.20.1 icmp_seq=3 ttl=128 time=1.113 ms
^C
VPCS>

R1(config-if)#ip add 100.0.0.1 255.255.255.0
R1(config-if)#no shu
R1(config-if)#

R1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#

HILLSTONE-20
HS-20(config)# ip vrouter trust-vr
HS-20(config-vrouter)# ip route 0.0.0.0/0 100.0.0.1    //default route towards the public network
HS-20(config)# nat    //configure NAT
HS-20(config-nat)# snatrule from any to any service any eif eth0/4 trans-to eif-ip mode dynamicport log    //configure SNAT and enable logging for it
HS-20(config)# policy-global
HS-20(config-policy)# rule
HS-20(config-policy-rule)# src-zone trust
HS-20(config-policy-rule)# dst-zone untrust
HS-20(config-policy-rule)# src-addr any
HS-20(config-policy-rule)# dst-addr any
HS-20(config-policy-rule)# service any
HS-20(config-policy-rule)# action permit
HS-20(config)# show policy    //view the policy
Total rules count: 1
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF.
Session rematch ON
====================================================================================================================
S   Id   Name   RBNS_Attr   Source   Destination   Service   Application   Action   Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E   1                       Any      Any           Any                     PERMIT   ------
====================================================================================================================
HS-20(config)#
HS-20(config)# show snat    //view the SNAT rules
-------------------------------------------------------------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :1
=====================================================================================================================================
id   ingress if   from   to    service   egress if/vr   translate to     mode     start   end   size
-------------------------------------------------------------------------------------------------------------------------------------
1                 Any    Any   Any       ethernet0/4    egress if's IP   Dyn-Pt   log enabled
=====================================================================================================================================
HS-20(config)#
HS-20(config)# show configuration vrouter    //view the routing configuration
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
  snatrule id 1 from address-book "Any" to address-book "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport log
  ip route 0.0.0.0/0 100.0.0.1
exit
HS-20(config)#

HS-10(config)# show interface
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up
========================================================================================================
Interface name   IP address/mask   Zone name   H A L P   MAC address      Description
--------------------------------------------------------------------------------------------------------
ethernet0/0      0.0.0.0/0         untrust     U U U D   5000.0004.0000   ------    //DHCP (kept for web management; HS-10 is configured through the web UI later)
ethernet0/1      192.168.10.1/24   trust       U U U U   5000.0004.0001   ------
ethernet0/2      192.168.20.1/24   trust       U U U U   5000.0004.0002   ------
ethernet0/3      0.0.0.0/0         NULL        U U U D   5000.0004.0003   ------
ethernet0/4      200.0.0.2/24      untrust     U U U U   5000.0004.0004   ------
ethernet0/5      0.0.0.0/0         NULL        U U U D   5000.0004.0005   ------
ethernet0/6      0.0.0.0/0         NULL        U U U D   5000.0004.0006   ------
ethernet0/7      0.0.0.0/0         NULL        U U U D   5000.0004.0007   ------
vswitchif1       0.0.0.0/0         NULL        D U D D   001c.545a.1f13   ------
========================================================================================================

VPCS>
VPCS> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=1.142 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=0.747 ms
^C
VPCS>
VPCS> ping 200.0.0.1
84 bytes from 200.0.0.1 icmp_seq=1 ttl=254 time=6.347 ms
84 bytes from 200.0.0.1 icmp_seq=2 ttl=254 time=1.669 ms
^C
VPCS>

Configure the VPN

Built-in ISAKMP proposals:
HS-20# show isakmp proposal
Total: 15
================================================================================
Name                   Auth        Grp   Enc       Hash     Lifetime
--------------------------------------------------------------------------------
psk-sha256-aes128-g2   pre-share   2     aes       sha256   86400
psk-sha256-aes256-g2   pre-share   2     aes-256   sha256   86400
psk-sha256-3des-g2     pre-share   2     3des      sha256   86400
psk-md5-aes128-g2      pre-share   2     aes       md5      86400
psk-md5-aes256-g2      pre-share   2     aes-256   md5      86400
psk-md5-3des-g2        pre-share   2     3des      md5      86400
rsa-sha256-aes128-g2   rsa-sig     2     aes       sha256   86400
rsa-sha256-aes256-g2   rsa-sig     2     aes-256   sha256   86400
rsa-sha256-3des-g2     rsa-sig     2     3des      sha256   86400
rsa-md5-aes128-g2      rsa-sig     2     aes       md5      86400
rsa-md5-aes256-g2      rsa-sig     2     aes-256   md5      86400
rsa-md5-3des-g2        rsa-sig     2     3des      md5      86400
dsa-sha-aes128-g2      dsa-sig     2     aes       sha      86400
dsa-sha-aes256-g2      dsa-sig     2     aes-256   sha      86400
dsa-sha-3des-g2        dsa-sig     2     3des      sha      86400
================================================================================
HS-20#

HS-20(config)# isakmp peer tohs-10    //define the peer name
HS-20(config-isakmp-peer)# interface eth0/4    //define the egress interface
HS-20(config-isakmp-peer)# peer 200.0.0.2    //specify the remote peer IP address
HS-20(config-isakmp-peer)# isakmp-proposal psk-sha256-aes128-g2    //define the proposal
HS-20(config-isakmp-peer)# pre-share hillstone    //set "hillstone" as the pre-shared key

View it:
HS-20(config)# show isakmp peer tohs-10
Name: tohs-10
Interface: ethernet0/4
Type: static
Mode: main
Peer: 200.0.0.2
Connection-type: bidirectional
Peer id:
Local id:
Proposals: psk-sha256-aes128-g2
Nat-T: disabled
Accept-all-peer-id: disabled
DPD: disabled
PKI trust-domain:
trust-domain-enc:
AAA server:
Generate Route: disabled
Xauth-server: disabled
Xauth pool-name:
Description:
protocol-standard: IKEV1

HS-20(config)# tunnel ipsec tohs-10 auto
HS-20(config-tunnel-ipsec-auto)# isakmp-peer tohs-10    //reference the ISAKMP peer template
HS-20(config-tunnel-ipsec-auto)# ipsec-proposal esp-sha256-aes128-g2    //phase 2 proposal
HS-20(config)# address lan20
HS-20(config-addr)# ip 192.168.20.0/24    //local subnet
HS-20(config)# address lan10
HS-20(config-addr)# ip 192.168.10.0/24    //remote subnet
HS-20(config)# policy-global    //configure the policy
HS-20(config-policy)# rule
HS-20(config-policy-rule)# src-zone trust
HS-20(config-policy-rule)# dst-zone untrust
HS-20(config-policy-rule)# src-addr lan20
HS-20(config-policy-rule)# dst-addr lan10
HS-20(config-policy-rule)# service any
HS-20(config-policy-rule)# action tunnel tohs-10
HS-20(config)# show policy    //view the policy
Total rules count: 2
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF.
Session rematch ON
====================================================================================================================
S   Id   Name   RBNS_Attr   Source   Destination   Service   Application   Action   Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E   1                       Any      Any           Any                     PERMIT   ------
E   2                       lan20    lan10         Any                     TO       ------
====================================================================================================================
HS-20(config)#
Policies are matched from top to bottom, so in this order rule 1 (permit any) catches the lan20-to-lan10 traffic before rule 2 can send it into the tunnel; this does not meet the requirement.
HS-20(config)# policy-global
HS-20(config-policy)# move 2 top    //move the policy to the top
HS-20(config-policy)# show policy
Total rules count: 2
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF.
Session rematch ON
====================================================================================================================
S   Id   Name   RBNS_Attr   Source   Destination   Service   Application   Action   Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E   2                       lan20    lan10         Any                     TO       ------
E   1                       Any      Any           Any                     PERMIT   ------
====================================================================================================================
HS-20(config-policy)#
HS-20(config-policy)# rule from any to any from-zone untrust to-zone trust service any fromtunnel tohs-10    //create the policy for the returning traffic
HS-20(config)# show policy
Total rules count: 4
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF.
Session rematch ON
====================================================================================================================
S   Id   Name   RBNS_Attr   Source   Destination   Service   Application   Action   Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E   2                       lan20    lan10         Any                     TO       ------
E   1                       Any      Any           Any                     PERMIT   ------
Any => Any
E   3                                                                               ------
untrust => trust
E   4                       Any      Any           Any                     FROM     ------
====================================================================================================================
HS-20(config)#

Exempt the VPN traffic from SNAT (no translation):
HS-20(config)# nat
HS-20(config-nat)# snatrule top from lan20 to lan10 service any no-trans
HS-20(config-nat)# show snat
-------------------------------------------------------------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :2
=====================================================================================================================================
id   ingress if   from    to      service   egress if/vr   translate to     mode     start   end   size
-------------------------------------------------------------------------------------------------------------------------------------
2                 lan20   lan10   Any
1                 Any     Any     Any       ethernet0/4    egress if's IP   Dyn-Pt   log enabled
=====================================================================================================================================
HS-20(config-nat)#

HS-20 configuration finished.
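Because the firewall evaluates policy top-down, a broad rule placed above a narrower one silently shadows it; that is what the move 2 top above fixes, and why the no-trans SNAT rule is inserted with top as well. The following Python is an added example, not code from the post or a Hillstone tool: it parses the rule rows of a show policy listing (row layout assumed from the output above, sample rows constructed from the page's two listings) and reports rules that can never be matched.

```python
# Added example, not part of the original post: a first-match shadowing check over the
# rule rows of Hillstone "show policy" output. Assumed row layout (taken from the listing
# above): "<S> <Id> <Source> <Destination> <Service> <Action> <Flag>" under a
# "zone => zone" header line, with "Any" acting as a wildcard. Sample rows are constructed.

POLICY_BEFORE_MOVE = """\
trust => untrust
E 1 Any Any Any PERMIT ------
E 2 lan20 lan10 Any TO ------
"""

POLICY_AFTER_MOVE = """\
trust => untrust
E 2 lan20 lan10 Any TO ------
E 1 Any Any Any PERMIT ------
"""

def parse_policy(text):
    """Return the rules in listing order, each tagged with its (src_zone, dst_zone) pair."""
    rules, zone_pair = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "=>":        # zone-pair header, e.g. trust => untrust
            zone_pair = (parts[0], parts[2])
            continue
        if len(parts) == 7 and parts[0] in ("E", "D"):  # a rule row (Name/RBNS_Attr empty)
            status, rid, src, dst, svc, action, _flag = parts
            rules.append({"zone": zone_pair, "id": int(rid), "enabled": status == "E",
                          "src": src, "dst": dst, "svc": svc, "action": action})
    return rules

def covers(earlier, later):
    """True when every packet 'later' would match is already matched by 'earlier'."""
    return all(earlier[k] in ("Any", later[k]) for k in ("src", "dst", "svc"))

def shadowed_rules(rules):
    """(shadowed_id, shadowing_id, shadowing_action) for rules that can never be hit."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:   # only rules listed above 'later' can shadow it
            if earlier["enabled"] and earlier["zone"] == later["zone"] and covers(earlier, later):
                found.append((later["id"], earlier["id"], earlier["action"]))
                break
    return found

if __name__ == "__main__":
    for label, text in (("before move", POLICY_BEFORE_MOVE), ("after move", POLICY_AFTER_MOVE)):
        print(label, shadowed_rules(parse_policy(text)))
```

Run against the first listing it reports rule 2 shadowed by rule 1 (PERMIT), so lan20-to-lan10 traffic would be forwarded in the clear instead of entering the tunnel; after the move it reports nothing.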
Configure HS-10 through the web UI

1. Create the address book entries

Configure the VPN

Enter policy mode

Check (this step has a mistake and is shown for demonstration: the source address of rule 3 and the destination address of rule 2 were not filled in)

Correction:

Exempt the VPN traffic from NAT (no translation)

Test: PC-10 ping PC-20    //verify the IPsec VPN status
VPCS> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=62 time=7.287 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=62 time=2.549 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=62 time=3.113 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=62 time=3.271 ms
VPCS>
Check the IPsec VPN status on HS-20

Phase 1:

Phase 2:

Check the IPsec VPN status on HS-10

Phase 1:

Phase 2:

This concludes the IPsec VPN setup.