Hillstone Networks IPSec VPN Lab Notes

Summary: Hillstone Networks IPSec VPN lab notes (HS-20 configured from the CLI, HS-10 from the web UI)

Topology: (diagram image not preserved; from the CLI below: HS-20 has LAN 192.168.20.0/24 behind eth0/2 and public address 100.0.0.2 on eth0/4 with R1 at 100.0.0.1 as next hop, HS-10 has LAN 192.168.10.0/24 and public address 200.0.0.2 on eth0/4, PC-20 is 192.168.20.20)


Configuration steps:

HS-20(config-if-eth0/2)# zone trust
HS-20(config-if-eth0/2)# ip add 192.168.20.1/24
HS-20(config-if-eth0/2)# ping 192.168.20.20
Sending ICMP packets to 192.168.20.20
   Seq    ttl    time(ms)
VPCS> ping 192.168.20.1
 192.168.20.1 icmp_seq=1 timeout
192.168.20.1 icmp_seq=2 timeout
192.168.20.1 icmp_seq=3 timeout
^C
Enable ping management on the interface (the pings above timed out because it was not yet allowed):
HS-20(config-if-eth0/2)# manage ping
HS-20(config-if-eth0/2)#
VPCS> ping 192.168.20.1
84 bytes from 192.168.20.1 icmp_seq=1 ttl=128 time=1.229 ms
84 bytes from 192.168.20.1 icmp_seq=2 ttl=128 time=1.126 ms
84 bytes from 192.168.20.1 icmp_seq=3 ttl=128 time=1.113 ms
^C
VPCS>
#
R1(config-if)#ip add 100.0.0.1 255.255.255.0
R1(config-if)#no shu
R1(config-if)#
#
R1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#
HILLSTONE-20
HS-20(config)# ip vrouter trust-vr
HS-20(config-vrouter)# ip route 0.0.0.0/0 100.0.0.1 // default route towards the public network
HS-20(config)# nat // enter NAT configuration
HS-20(config-nat)# snatrule from any to any service any eif eth0/4 trans-to eif-ip mode dynamicport log // source NAT out of eth0/4 to the interface IP, with logging enabled
HS-20(config)# policy-global
HS-20(config-policy)# rule
HS-20(config-policy-rule)# src-zone trust
HS-20(config-policy-rule)# dst-zone untrust
HS-20(config-policy-rule)# src-addr any
HS-20(config-policy-rule)# dst-addr any
HS-20(config-policy-rule)# service any
HS-20(config-policy-rule)# action permit
HS-20(config)# show policy // show policies
Total rules count: 1
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action     Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     1                              Any              Any              Any                           PERMIT   ------
====================================================================================================================
HS-20(config)#
HS-20(config)# show snat // show SNAT rules
-------------------------------------------------------------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :1
=====================================================================================================================================
  id ingress if       from             to               service       egress if/vr     translate to     mode         start end   size
-------------------------------------------------------------------------------------------------------------------------------------
   1                  Any              Any              Any           ethernet0/4      egress if's IP   Dyn-Pt     
  log enabled
=====================================================================================================================================
HS-20(config)#
HS-20(config)# show configuration vrouter // show the virtual router configuration (routes)
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
  snatrule id 1 from address-book "Any" to address-book "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport log
  ip route 0.0.0.0/0 100.0.0.1
exit
HS-20(config)#
#
HS-10(config)# show interface
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up
========================================================================================================
Interface name       IP address/mask    Zone name       H A L P MAC address     Description                    
--------------------------------------------------------------------------------------------------------
ethernet0/0          0.0.0.0/0          untrust         U U U D 5000.0004.0000  ------           // DHCP (kept for web management; HS-10 is configured through the web UI later)
ethernet0/1          192.168.10.1/24    trust           U U U U 5000.0004.0001  ------                         
ethernet0/2          192.168.20.1/24    trust           U U U U 5000.0004.0002  ------                         
ethernet0/3          0.0.0.0/0          NULL            U U U D 5000.0004.0003  ------                         
ethernet0/4          200.0.0.2/24       untrust         U U U U 5000.0004.0004  ------                         
ethernet0/5          0.0.0.0/0          NULL            U U U D 5000.0004.0005  ------                         
ethernet0/6          0.0.0.0/0          NULL            U U U D 5000.0004.0006  ------                         
ethernet0/7          0.0.0.0/0          NULL            U U U D 5000.0004.0007  ------                         
vswitchif1           0.0.0.0/0          NULL            D U D D 001c.545a.1f13  ------                         
========================================================================================================
VPCS>
VPCS> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=1.142 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=0.747 ms
^C
VPCS>
VPCS> ping 200.0.0.1
84 bytes from 200.0.0.1 icmp_seq=1 ttl=254 time=6.347 ms
84 bytes from 200.0.0.1 icmp_seq=2 ttl=254 time=1.669 ms
^C
VPCS>
VPN configuration
Built-in ISAKMP proposals:
HS-20# show isakmp proposal
Total: 15
================================================================================
Name                   Auth        Grp  Enc            Hash           Lifetime 
--------------------------------------------------------------------------------
psk-sha256-aes128-g2   pre-share   2    aes            sha256         86400    
psk-sha256-aes256-g2   pre-share   2    aes-256        sha256         86400    
psk-sha256-3des-g2     pre-share   2    3des           sha256         86400    
psk-md5-aes128-g2      pre-share   2    aes            md5            86400    
psk-md5-aes256-g2      pre-share   2    aes-256        md5            86400    
psk-md5-3des-g2        pre-share   2    3des           md5            86400    
rsa-sha256-aes128-g2   rsa-sig     2    aes            sha256         86400    
rsa-sha256-aes256-g2   rsa-sig     2    aes-256        sha256         86400    
rsa-sha256-3des-g2     rsa-sig     2    3des           sha256         86400    
rsa-md5-aes128-g2      rsa-sig     2    aes            md5            86400    
rsa-md5-aes256-g2      rsa-sig     2    aes-256        md5            86400    
rsa-md5-3des-g2        rsa-sig     2    3des           md5            86400    
dsa-sha-aes128-g2      dsa-sig     2    aes            sha            86400    
dsa-sha-aes256-g2      dsa-sig     2    aes-256        sha            86400    
dsa-sha-3des-g2        dsa-sig     2    3des           sha            86400    
================================================================================
HS-20#
HS-20(config)# isakmp peer tohs-10 // name the peer
HS-20(config-isakmp-peer)# interface eth0/4  // egress interface
HS-20(config-isakmp-peer)# peer 200.0.0.2  // remote peer IP address
HS-20(config-isakmp-peer)# isakmp-proposal psk-sha256-aes128-g2   // phase 1 proposal
HS-20(config-isakmp-peer)# pre-share hillstone  // "hillstone" is the pre-shared key (lab value)
Verify:
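The built-in proposal table above mixes modern choices with deprecated primitives (MD5, SHA-1, 3DES) and every entry uses DH group 2. The following is an added example, not Hillstone code: it parses the `show isakmp proposal` text as the firewall prints it and flags each proposal. The classification (MD5 and SHA-1 deprecated, 3DES deprecated, 1024-bit MODP group 2 below the 2048-bit floor) is this editor's own guidance, not a Hillstone recommendation.

```python
"""Audit of the built-in ISAKMP proposals shown by 'show isakmp proposal'.

Added example, not Hillstone code. Parses the table text as printed by the
firewall and flags proposals that rely on deprecated primitives. The
classification below (MD5/SHA-1/3DES deprecated, DH group 2 too small) is
the editor's own guidance, not a vendor recommendation.
"""

# Table transcribed from the lab's 'show isakmp proposal' output.
SHOW_ISAKMP_PROPOSAL = """\
Total: 15
================================================================================
Name                   Auth        Grp  Enc            Hash           Lifetime
--------------------------------------------------------------------------------
psk-sha256-aes128-g2   pre-share   2    aes            sha256         86400
psk-sha256-aes256-g2   pre-share   2    aes-256        sha256         86400
psk-sha256-3des-g2     pre-share   2    3des           sha256         86400
psk-md5-aes128-g2      pre-share   2    aes            md5            86400
psk-md5-aes256-g2      pre-share   2    aes-256        md5            86400
psk-md5-3des-g2        pre-share   2    3des           md5            86400
rsa-sha256-aes128-g2   rsa-sig     2    aes            sha256         86400
rsa-sha256-aes256-g2   rsa-sig     2    aes-256        sha256         86400
rsa-sha256-3des-g2     rsa-sig     2    3des           sha256         86400
rsa-md5-aes128-g2      rsa-sig     2    aes            md5            86400
rsa-md5-aes256-g2      rsa-sig     2    aes-256        md5            86400
rsa-md5-3des-g2        rsa-sig     2    3des           md5            86400
dsa-sha-aes128-g2      dsa-sig     2    aes            sha            86400
dsa-sha-aes256-g2      dsa-sig     2    aes-256        sha            86400
dsa-sha-3des-g2        dsa-sig     2    3des           sha            86400
================================================================================
"""

FIELDS = ("name", "auth", "group", "enc", "hash", "lifetime")

# Classification used by this audit (assumption: common industry guidance).
DEPRECATED_HASH = {
    "md5": "MD5 is deprecated as an IKE PRF/integrity algorithm",
    "sha": "SHA-1 is deprecated for new deployments",
}
DEPRECATED_ENC = {
    "3des": "3DES is deprecated (64-bit block, ~112-bit strength)",
}
WEAK_DH_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP"}


def parse_proposals(text):
    """Return one dict per data row of the 'show isakmp proposal' table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly six columns and a numeric lifetime;
        # the header row, the separators and the 'Total:' line do not.
        if len(parts) == len(FIELDS) and parts[-1].isdigit():
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def audit_proposals(proposals):
    """Map each flagged proposal name to the list of reasons it was flagged."""
    findings = {}
    for p in proposals:
        reasons = []
        if p["enc"] in DEPRECATED_ENC:
            reasons.append(DEPRECATED_ENC[p["enc"]])
        if p["hash"] in DEPRECATED_HASH:
            reasons.append(DEPRECATED_HASH[p["hash"]])
        if p["group"] in WEAK_DH_GROUPS:
            reasons.append("DH group %s (%s) is below the 2048-bit floor"
                           % (p["group"], WEAK_DH_GROUPS[p["group"]]))
        if reasons:
            findings[p["name"]] = reasons
    return findings


def least_weak(proposals):
    """Names of the proposals with the fewest findings (here: only the DH group)."""
    findings = audit_proposals(proposals)
    best = min(len(findings.get(p["name"], [])) for p in proposals)
    return sorted(p["name"] for p in proposals
                  if len(findings.get(p["name"], [])) == best)


if __name__ == "__main__":
    props = parse_proposals(SHOW_ISAKMP_PROPOSAL)
    for name, reasons in audit_proposals(props).items():
        print(name, "->", "; ".join(reasons))
    print("least weak:", least_weak(props))
```

Run against the table above, the script flags all fifteen built-ins (every one uses group 2) and reports the four SHA-256/AES entries, including the psk-sha256-aes128-g2 chosen in this lab, as the least weak. For a production tunnel a practitioner would define a custom proposal with a 2048-bit or larger DH group rather than rely on the built-ins.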
HS-20(config)# show isakmp peer tohs-10
        Name:                                        tohs-10
        Interface:                               ethernet0/4
        Type:                                         static
        Mode:                                           main
        Peer:                                      200.0.0.2
        Connection-type:                       bidirectional
        Peer id:                                           
        Local id:                                          
        Proposals:                      psk-sha256-aes128-g2
        Nat-T:                                      disabled
        Accept-all-peer-id:                         disabled
        DPD:                                        disabled
        PKI trust-domain:                                  
        trust-domain-enc:                                  
        AAA server:                                        
        Generate Route:                             disabled
        Xauth-server:                               disabled
        Xauth pool-name:                                   
        Description:                                       
        protocol-standard:                             IKEV1
HS-20(config)# tunnel ipsec tohs-10 auto
HS-20(config-tunnel-ipsec-auto)# isakmp-peer tohs-10  // reference the ISAKMP peer defined above
HS-20(config-tunnel-ipsec-auto)# ipsec-proposal esp-sha256-aes128-g2  // phase 2 proposal
HS-20(config)# address lan20
HS-20(config-addr)# ip 192.168.20.0/24  // local LAN
HS-20(config)# address lan10
HS-20(config-addr)# ip 192.168.10.0/24  // remote LAN
HS-20(config)# policy-global   // policy that sends lan20 -> lan10 traffic into the tunnel
HS-20(config-policy)# rule
HS-20(config-policy-rule)# src-zone trust
HS-20(config-policy-rule)# dst-zone untrust
HS-20(config-policy-rule)# src-addr lan20
HS-20(config-policy-rule)# dst-addr lan10
HS-20(config-policy-rule)# service any
HS-20(config-policy-rule)# action tunnel tohs-10
HS-20(config)# show policy  // show policies
Total rules count: 2
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action     Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     1                              Any              Any              Any                           PERMIT   ------
E     2                              lan20            lan10            Any                           TO       ------
====================================================================================================================
HS-20(config)#

Policies are matched top-down, so this order does not work: rule 1 (permit any to any) sits above rule 2 and catches the lan20 -> lan10 traffic first, so it is never sent into the tunnel.

HS-20(config)# policy-global
HS-20(config-policy)# move 2 top  // move the tunnel policy to the top
HS-20(config-policy)# show policy
Total rules count: 2
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action     Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     2                              lan20            lan10            Any                           TO       ------
E     1                              Any              Any              Any                           PERMIT   ------
====================================================================================================================
HS-20(config-policy)#
HS-20(config-policy)# rule from any to any from-zone untrust to-zone trust service any fromtunnel tohs-10   // policy permitting the return traffic arriving from the tunnel
HS-20(config)# show policy
Total rules count: 4
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action     Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     2                              lan20            lan10            Any                           TO       ------
E     1                              Any              Any              Any                           PERMIT   ------
Any => Any
E     3                                                                                                       ------
untrust => trust
E     4                              Any              Any              Any                           FROM     ------
====================================================================================================================
HS-20(config)#
Exempt the lan20 -> lan10 traffic from SNAT, inserted at the top so it matches before the catch-all rule 1:
HS-20(config)# nat
HS-20(config-nat)# snatrule top from lan20 to lan10 service any no-trans
HS-20(config-nat)# show snat
-------------------------------------------------------------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :2
=====================================================================================================================================
  id ingress if       from             to               service       egress if/vr     translate to     mode         start end   size
-------------------------------------------------------------------------------------------------------------------------------------
   2                  lan20            lan10            Any                                                        
   1                  Any              Any              Any           ethernet0/4      egress if's IP   Dyn-Pt     
  log enabled
=====================================================================================================================================
HS-20(config-nat)#
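Both corrections above (`move 2 top` for the policy and `snatrule top ... no-trans` for SNAT) exist because Hillstone evaluates rule lists first-match, top-down. The following is an added example, not Hillstone code: it models that evaluation over the rule lists transcribed from the `show policy` and `show snat` output, finds rules that an earlier rule completely shadows, and shows what the lists would do with and without the reordering. Zones and services are omitted (only the source and destination address objects are modelled), and the host addresses used in the checks are constructed test values, except PC-20's 192.168.20.20 which comes from the lab.

```python
"""First-match evaluation of the HS-20 policy and SNAT rule lists.

Added example, not Hillstone code. Models the top-down rule matching the
lab relies on and shows why 'move 2 top' and 'snatrule top ... no-trans'
were needed. Rule lists and address-book entries are transcribed from the
lab's show output; zones/services are omitted; host IPs in the checks are
constructed test values (PC-20 = 192.168.20.20 is from the lab).
"""
import ipaddress

# Address-book objects from the lab (Any = the whole IPv4 space).
ADDRESS_BOOK = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "lan10": ipaddress.ip_network("192.168.10.0/24"),
    "lan20": ipaddress.ip_network("192.168.20.0/24"),
}


def rule(rid, src, dst, action):
    return {"id": rid, "src": src, "dst": dst, "action": action}


# trust => untrust policy as first created (rule 1 above rule 2).
POLICY_BEFORE_MOVE = [
    rule(1, "Any", "Any", "permit"),
    rule(2, "lan20", "lan10", "tunnel tohs-10"),
]
# The same two rules after 'move 2 top'.
POLICY_AFTER_MOVE = [POLICY_BEFORE_MOVE[1], POLICY_BEFORE_MOVE[0]]

# SNAT list after 'snatrule top from lan20 to lan10 service any no-trans'.
SNAT_AFTER_TOP = [
    rule(2, "lan20", "lan10", "no-trans"),
    rule(1, "Any", "Any", "dynamicport via ethernet0/4"),
]
# What the SNAT list would look like had the exemption been appended instead.
SNAT_IF_APPENDED = [SNAT_AFTER_TOP[1], SNAT_AFTER_TOP[0]]


def _covers(rule_entry, src_ip, dst_ip):
    """True when the rule's source and destination objects contain the flow."""
    return (ipaddress.ip_address(src_ip) in ADDRESS_BOOK[rule_entry["src"]]
            and ipaddress.ip_address(dst_ip) in ADDRESS_BOOK[rule_entry["dst"]])


def first_match(rules, src_ip, dst_ip):
    """Return the first rule, top-down, that covers the flow, or None."""
    for r in rules:
        if _covers(r, src_ip, dst_ip):
            return r
    return None


def shadowed_rules(rules):
    """List (rule id, shadowing rule id) pairs for rules no flow can reach.

    A rule is shadowed when an earlier rule's source and destination objects
    each contain the later rule's objects entirely, so first-match never
    gets past the earlier rule.
    """
    result = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (ADDRESS_BOOK[r["src"]].subnet_of(ADDRESS_BOOK[earlier["src"]])
                    and ADDRESS_BOOK[r["dst"]].subnet_of(ADDRESS_BOOK[earlier["dst"]])):
                result.append((r["id"], earlier["id"]))
                break
    return result


if __name__ == "__main__":
    pc20, pc10, internet = "192.168.20.20", "192.168.10.10", "100.0.0.1"
    for label, rules in (("policy before move", POLICY_BEFORE_MOVE),
                         ("policy after move", POLICY_AFTER_MOVE),
                         ("snat after top", SNAT_AFTER_TOP),
                         ("snat if appended", SNAT_IF_APPENDED)):
        hit = first_match(rules, pc20, pc10)
        print("%-20s pc20->pc10 hits rule %d (%s); shadowed: %s"
              % (label, hit["id"], hit["action"], shadowed_rules(rules)))
    print("after move, pc20->internet still hits rule",
          first_match(POLICY_AFTER_MOVE, pc20, internet)["id"])
```

The shadow check is the part worth keeping around: running it over an exported rule list after every change catches exactly the mistake the lab hit, a specific tunnel or exemption rule placed below a catch-all that swallows its traffic.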
HS-20 configuration complete.

Configuring HS-10 from the web UI

1. Create the address book entries (screenshots not preserved)


2. Configure the VPN (screenshots not preserved)

3. Enter the policy configuration (screenshots not preserved)

4. Review (this step contains a mistake, kept for demonstration: rule 3 is missing its source address and rule 2 its destination address; screenshot not preserved)


Correction: (screenshot not preserved)


5. Exempt the VPN traffic from NAT (screenshots not preserved)

Test: PC-10 pings PC-20 // verify the IPSec VPN comes up (the first echo is lost while IKE negotiates the tunnel)

VPCS> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=62 time=7.287 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=62 time=2.549 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=62 time=3.113 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=62 time=3.271 ms
VPCS>

Check the IPSec VPN status

Phase 1: (screenshot not preserved)

Phase 2: (screenshot not preserved)


Check the IPSec VPN status on HS-10

Phase 1: (screenshot not preserved)

Phase 2: (screenshot not preserved)


This concludes the IPSec VPN lab.
