重温IPsec隧道❤️

本文涉及的产品
云防火墙,500元 1000GB
简介: 重温IPsec隧道❤️

IPsec VPN配置案例

image.png

🐄拓扑图

image.png

🐄实验环境

该拓扑图分为四个部分最左边位总部Tiger  HQ,中间的为ISP,右上角为分部Branch1,右下角为分部Branch2。总部和分部的边界设备用的是型号为USG  6000V的防火墙,都分别连接运营商的PE设备。总部内有vlan10和20,主机A和B属于vlan10,主机C和D属于vlan20。

🐄需求

  • 各部分内网主机之间能够互相联通。
  • 所有总部、分部内网主机要通过边界防火墙能够访问Internet。
  • 总部的主机可以访问两个分部的主机,两个分部的主机也能访问总部的主机。

🐄具体配置

总部部分

🐖SW1

[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20          //创建vlan
[SW1]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]Int eth-trunk 12
[SW1-Eth-Trunk12]trunk port  g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1]sto mode mstp
[SW1]stp region-configuration
[SW1-mst-]stp region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root second
[SW1]int vlan 10
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif20]quit
[SW1]int vlan 10
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-vlanif20]quit
[SW1]vlan 111
[SW1-vlanif111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp egded-port  enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-vlanif111]ip add 10.1.111.11 24
[SW1-vlanif111]quit
[SW1]ospf 10 router-id10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0

检查stp的配置结果,display stp instance 10,可以看到vlan10是主根

image.png

🐖SW2

[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20 
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunk port  g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2]sto mode mstp
[SW2]stp region-configuration
[SW2-mst-]stp region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root second
[SW2]int vlan 10
[SW2-vlanif10]ip add 10.1.20.12 24
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif20]quit
[SW2]int vlan 10
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105
[SW2-vlanif20]quit
[SW2]vlan 112
[SW2-vlanif112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp egded-port  enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-vlanif112]ip add 10.1.112.12 24
[SW2-vlanif112]quit
[SW2]ospf 10 router-id10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0

在SW1上,接下来验证一下端口的vlan情况,display port vlan

image.png

在SW1上检查一下vrrp的配置情况:display vrrp brief

image.png

🐖SW3

[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlanif112]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp egded-port  enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-vlanif132]ip add 10.2.132.13 24
[SW3-vlanif132]quit
[SW3]int vlan 30
[SW3-vlanif30]ip add 10.2.30.254 24
[SW3-vlanif30]quit
[SW3]int vlan 40
[SW3-vlanif40]ip add 10.2.40.254 24
[SW3-vlanif40]quit
[SW3]ospf 10 router-id10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0

🐖SW4

[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4]stp bpdu-protection
[SW4]vlan 143
[SW4-vlanif112]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp egded-port  enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-vlanif132]ip add 10.3.143.14 24
[SW4-vlanif132]quit
[SW4]int vlan 50
[SW4-vlanif30]ip add 10.3.50.254 24
[SW4-vlanif30]quit
[SW4]ospf 10 router-id10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.50.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.143.14 0.0.0.0

🐖SW5

[SW5]vlan batch 10 20 
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]sto mode mstp
[SW5]stp region-configuration
[SW5-mst-]stp region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration

接下来验证一下端口的vlan情况,display port vlan。

🐖SW6

[SW6]vlan batch 10 20 
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]sto mode mstp
[SW6]stp region-configuration
[SW6-mst-]stp region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration

验证一下总部内主机与网关之间的连通性。

🐖总部防火墙FW1

[USG1]int lo0 
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ip add 100.1.41.1 24
[USG1-GigabitEthernet1/0/0 ]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1 ]ip add 10.1.111.1 24
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]ip add 10.1.112.1 24
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]service-manage ping permit
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1]nat-policy
[USG1-policy-nat]rule name 0
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-natm easy-ip
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise
[USG1]security-policy
[USG1-policy-security]rule name IPSec
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share 
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main 
[USG1-ike-peer-Hub]undo version 2
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG1]ipsec policy-template T 10
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10] proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ipsec policy Tigerlab 

1、做到这里检查一下防火墙能否ping通交换机

2、在防火墙上查看ospf邻居和路由:display ospf peer brief、display ip routing-table protocol ospf

3、在防火墙上ping内网的主机

分支部分

🐖分支Branch1的防火墙FW2

[USG2]int lo0 
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ip add 100.1.52.2 24
[USG2-GigabitEthernet1/0/0 ]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1 ]ip add 10.2.132.2 24
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2]nat-policy
[USG2-policy-nat]rule name 0
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-natm easy-ip
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share 
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Speak1
[USG2-ike-peer-Speak1]ike-proposal 10
[USG2-ike-peer-Speak1]exchange-mode main 
[USG2-ike-peer-Speak1]undo version 2
[USG2-ike-peer-Speak1]nat traversal
[USG2-ike-peer-Speak1]remote-address 100.1.41.1
[USG2-ike-peer-Speak1]pre-shared-key Cisco12345
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG2]acl number 3000
[USG2-acl-adv-3000] rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2]ipsec policy Tigerlab 10 isakmp 
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

测试在防火墙上ping内网的主机,可以看到已经全部ping通

🐖分支Branch2的防火墙FW3

[USG3]int lo0 
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0 ]ip add 100.1.63.3 24
[USG3-GigabitEthernet1/0/0 ]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1 ]ip add 10.3.143.3 24
[USG3-GigabitEthernet1/0/1 ]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1 ]quit
[USG3]ospf 10 router-id 10.3.3..3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3]nat-policy
[USG3-policy-nat]rule name 0
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-natm easy-ip
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share 
[USG3-ike-proposal-10]dh group14
[USG3]ike peer Speak2
[USG3-ike-peer-Speak2]ike-proposal 10
[USG3-ike-peer-Speak2]exchange-mode main 
[USG3-ike-peer-Speak2]undo version 2
[USG3-ike-peer-Speak2]nat traversal
[USG3-ike-peer-Speak2]remote-address 100.1.41.1
[USG3-ike-peer-Speak2]pre-shared-key Cisco12345
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG3]acl number 3000
[USG3-acl-adv-3000] rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3]ipsec policy Tigerlab 10 isakmp 
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

ISP部分

🐖AR4

[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]itn g0/0/0
[AR4-GigabitEthernet0/0/0 ]ip add 100.1.41.4 24
[AR4-GigabitEthernet0/0/0 ]quit
[AR4]itn g0/0/1
[AR4-GigabitEthernet0/0/1 ]ip add 100.1.100.4 24
[AR4-GigabitEthernet0/0/1 ]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 10.1.41.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0

🐖AR5

[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]itn g0/0/0
[AR5-GigabitEthernet0/0/0 ]ip add 100.1.52.5 24
[AR5-GigabitEthernet0/0/0 ]quit
[AR5]itn g0/0/1
[AR5-GigabitEthernet0/0/1 ]ip add 100.1.100.5 24
[AR5-GigabitEthernet0/0/1 ]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 10.1.52.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.05

🐖AR6

[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]itn g0/0/0
[AR6-GigabitEthernet0/0/0 ]ip add 100.1.63.6 24
[AR6-GigabitEthernet0/0/0 ]quit
[AR6]itn g0/0/1
[AR6-GigabitEthernet0/0/1 ]ip add 100.1.100.6 24
[AR6-GigabitEthernet0/0/1 ]quit
[AR6]itn g0/0/2
[AR6-GigabitEthernet0/0/2 ]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2 ]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 10.1.63.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0

测试

1、各区域主机是否能ping通isp的服务器,可以看到总部和分部的主机都能够ping通isp的服务器。

2、总部与分部之间的联通测试。

可以看到总部已经可以与分部之间通讯,实验到这里就结束了。

实验来源:Tigerlab

相关文章
|
7月前
|
安全 网络安全 网络虚拟化
网络工程师必须搞清楚MPLS与专线的区别
基干MPLS的VPN解决方案可以方便地实施流量控制,保证OoS,同时具有很强的扩展性和管理性,且能够提供与传统ATM或帧中继V.PN相类似的安全保证,在企业VPN组网中具有明显优势。
297 2
|
网络协议 安全 网络安全
路由与交换系列之GRE VPN 技术原理笔记分享
GRE VPN 技术原理笔记分享
1155 0
|
1月前
|
存储 网络协议 安全
30 道初级网络工程师面试题,涵盖 OSI 模型、TCP/IP 协议栈、IP 地址、子网掩码、VLAN、STP、DHCP、DNS、防火墙、NAT、VPN 等基础知识和技术,帮助小白们充分准备面试,顺利踏入职场
本文精选了 30 道初级网络工程师面试题,涵盖 OSI 模型、TCP/IP 协议栈、IP 地址、子网掩码、VLAN、STP、DHCP、DNS、防火墙、NAT、VPN 等基础知识和技术,帮助小白们充分准备面试,顺利踏入职场。
83 2
|
4月前
网络工程师如何用策略路由解决双出口问题?
网络工程师如何用策略路由解决双出口问题?
|
4月前
|
网络协议 Shell 网络虚拟化
手把手教你玩MPLS VPN如何配置
手把手教你玩MPLS VPN如何配置
347 0
|
网络虚拟化 网络架构
|
网络架构
|
网络架构
网络工程思科路由器NAT实验
本篇博文讲述的是大学网络工程思科路由器之NAT实验
162 2
网络工程思科路由器NAT实验
|
安全 数据安全/隐私保护
GRE隧道也能实现两端配置相同子网了,快来看看!(上)
GRE隧道也能实现两端配置相同子网了,快来看看!
GRE隧道也能实现两端配置相同子网了,快来看看!(上)
|
网络安全 数据安全/隐私保护 网络虚拟化
GRE隧道也能实现两端配置相同子网了,快来看看!(下)
GRE隧道也能实现两端配置相同子网了,快来看看!
GRE隧道也能实现两端配置相同子网了,快来看看!(下)