IPsec VPN Configuration Case Study
🐄Topology
🐄Lab environment
The topology has four parts: the headquarters Tiger HQ on the far left, the ISP in the middle, branch Branch1 in the upper right and branch Branch2 in the lower right. The border devices of the headquarters and both branches are USG 6000V firewalls, each connected to a carrier PE device. The headquarters has VLAN 10 and VLAN 20: hosts A and B belong to VLAN 10, hosts C and D to VLAN 20.
🐄Requirements
- Hosts inside each site's internal network can reach each other.
- All headquarters and branch internal hosts can reach the Internet through their border firewall.
- Headquarters hosts can reach the hosts of both branches, and the hosts of both branches can reach the headquarters hosts.
🐄Configuration
Headquarters
🐖SW1
```
[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20    //create the VLANs
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]int eth-trunk 12
[SW1-Eth-Trunk12]trunkport GigabitEthernet 0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]quit
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1-mst-region]quit
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1]int vlan 10
[SW1-Vlanif10]ip add 10.1.10.11 24
[SW1-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-Vlanif10]vrrp vrid 10 priority 105    //SW1 is the VRRP master for VLAN 10
[SW1-Vlanif10]quit
[SW1]int vlan 20
[SW1-Vlanif20]ip add 10.1.20.11 24
[SW1-Vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-Vlanif20]quit
[SW1]vlan 111    //link VLAN towards the firewall
[SW1-vlan111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp edged-port enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-Vlanif111]ip add 10.1.111.11 24
[SW1-Vlanif111]quit
[SW1]ospf 10 router-id 10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0
```
Check the STP result with display stp instance 10: SW1 is shown as the primary root for VLAN 10.
🐖SW2
```
[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunkport GigabitEthernet 0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2]int vlan 10
[SW2-Vlanif10]ip add 10.1.10.12 24    //the original transcript had 10.1.20.12 here, which collides with Vlanif20
[SW2-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-Vlanif10]quit
[SW2]int vlan 20
[SW2-Vlanif20]ip add 10.1.20.12 24
[SW2-Vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-Vlanif20]vrrp vrid 20 priority 105    //SW2 is the VRRP master for VLAN 20
[SW2-Vlanif20]quit
[SW2]vlan 112    //link VLAN towards the firewall
[SW2-vlan112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp edged-port enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-Vlanif112]ip add 10.1.112.12 24
[SW2-Vlanif112]quit
[SW2]ospf 10 router-id 10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0
```
Next, on SW1, verify the port VLAN assignments: display port vlan
On SW1, check the VRRP state: display vrrp brief
🐖SW3
```
[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132    //link VLAN towards the firewall
[SW3-vlan132]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp edged-port enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-Vlanif132]ip add 10.2.132.13 24
[SW3-Vlanif132]quit
[SW3]int vlan 30
[SW3-Vlanif30]ip add 10.2.30.254 24
[SW3-Vlanif30]quit
[SW3]int vlan 40
[SW3-Vlanif40]ip add 10.2.40.254 24
[SW3-Vlanif40]quit
[SW3]ospf 10 router-id 10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0
```
🐖SW4
```
[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 50
[SW4-GigabitEthernet0/0/3]stp edged-port enable
[SW4-GigabitEthernet0/0/3]quit
[SW4]stp bpdu-protection
[SW4]vlan 143    //link VLAN towards the firewall
[SW4-vlan143]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp edged-port enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-Vlanif143]ip add 10.3.143.14 24
[SW4-Vlanif143]quit
[SW4]int vlan 50
[SW4-Vlanif50]ip add 10.3.50.254 24
[SW4-Vlanif50]quit
[SW4]ospf 10 router-id 10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.50.254 0.0.0.0    //the original transcript listed 10.2.x addresses here; SW4 only has 10.3.x interfaces
[SW4-ospf-10-area-0.0.0.0]net 10.3.143.14 0.0.0.0
```
🐖SW5
```
[SW5]vlan batch 10 20
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration
[SW5-mst-region]quit
```
Next, verify the port VLAN assignments: display port vlan.
🐖SW6
```
[SW6]vlan batch 10 20
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration
[SW6-mst-region]quit
```
Verify connectivity between the headquarters hosts and their gateway.
🐖Headquarters firewall FW1
```
[USG1]int lo0
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ip add 100.1.41.1 24
[USG1-GigabitEthernet1/0/0]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]ip add 10.1.111.1 24
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]ip add 10.1.112.1 24
[USG1-GigabitEthernet1/0/2]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside    //traffic between the firewall itself and the trust zone (OSPF, ping)
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]service-manage ping permit
[USG1-GigabitEthernet1/0/2]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]quit
[USG1-ospf-10]quit
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet    //internal hosts to the Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1-policy-security-rule-Internet]quit
[USG1-policy-security]quit
[USG1]nat-policy
[USG1-policy-nat]rule name 0    //traffic to the branch subnets must bypass NAT so that it matches the IPsec policy
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat-rule-0]quit
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-nat easy-ip
[USG1-policy-nat-rule-Internet]quit
[USG1-policy-nat]quit
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise
[USG1-ospf-10]quit
[USG1]security-policy
[USG1-policy-security]rule name IPSec    //IKE (UDP 500/4500) and ESP from the branches to this firewall
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA    //the decrypted traffic between the headquarters and branch subnets
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main
[USG1-ike-peer-Hub]undo version 2    //IKEv1 main mode only
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1-ike-peer-Hub]quit
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG1-ipsec-proposal-ESP]quit
[USG1]ipsec policy-template T 10    //policy template: no remote-address, so the hub accepts the tunnels initiated by either branch
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10]proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1-ipsec-policy-template-T-10]quit
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ipsec policy Tigerlab
```
1. At this point, check that the firewall can ping the switches.
2. On the firewall, check the OSPF neighbors and routes: display ospf peer brief, display ip routing-table protocol ospf
3. From the firewall, ping the internal hosts.
Branches
🐖Branch1 firewall FW2
```
[USG2]int lo0
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ip add 100.1.52.2 24
[USG2-GigabitEthernet1/0/0]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]ip add 10.2.132.2 24
[USG2-GigabitEthernet1/0/1]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]quit
[USG2-ospf-10]quit
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2-policy-security-rule-Internet]quit
[USG2-policy-security]quit
[USG2]nat-policy
[USG2-policy-nat]rule name 0    //traffic to the headquarters subnet must bypass NAT so that it matches ACL 3000
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat-rule-0]quit
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-nat easy-ip
[USG2-policy-nat-rule-Internet]quit
[USG2-policy-nat]quit
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2-ospf-10]quit
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN    //IKE and ESP accepted from the hub address only
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security-rule-IPSec-OUT]quit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2-policy-security-rule-IPSec-DATA]quit
[USG2-policy-security]quit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Spoke1    //the name must match the ike-peer referenced by the ipsec policy below (the original transcript had Speak1 here)
[USG2-ike-peer-Spoke1]ike-proposal 10
[USG2-ike-peer-Spoke1]exchange-mode main
[USG2-ike-peer-Spoke1]undo version 2
[USG2-ike-peer-Spoke1]nat traversal
[USG2-ike-peer-Spoke1]remote-address 100.1.41.1
[USG2-ike-peer-Spoke1]pre-shared-key Cisco12345
[USG2-ike-peer-Spoke1]quit
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG2-ipsec-proposal-ESP]quit
[USG2]acl number 3000    //interesting traffic: Branch1 LAN to the headquarters LAN
[USG2-acl-adv-3000]rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2-acl-adv-3000]quit
[USG2]ipsec policy Tigerlab 10 isakmp
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2-ipsec-policy-isakmp-Tigerlab-10]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ipsec policy Tigerlab
```
Test pinging the internal hosts from the firewall; all of them respond.
🐖Branch2 firewall FW3
```
[USG3]int lo0
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ip add 100.1.63.3 24
[USG3-GigabitEthernet1/0/0]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]ip add 10.3.143.3 24
[USG3-GigabitEthernet1/0/1]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1]quit
[USG3]ospf 10 router-id 10.3.3.3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]quit
[USG3-ospf-10]quit
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3-policy-security-rule-Internet]quit
[USG3-policy-security]quit
[USG3]nat-policy
[USG3-policy-nat]rule name 0    //traffic to the headquarters subnet must bypass NAT so that it matches ACL 3000
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat-rule-0]quit
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-nat easy-ip
[USG3-policy-nat-rule-Internet]quit
[USG3-policy-nat]quit
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3-ospf-10]quit
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN    //IKE and ESP accepted from the hub address only
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security-rule-IPSec-OUT]quit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3-policy-security-rule-IPSec-DATA]quit
[USG3-policy-security]quit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share
[USG3-ike-proposal-10]dh group14
[USG3-ike-proposal-10]quit
[USG3]ike peer Spoke2    //the name must match the ike-peer referenced by the ipsec policy below (the original transcript had Speak2 here)
[USG3-ike-peer-Spoke2]ike-proposal 10
[USG3-ike-peer-Spoke2]exchange-mode main
[USG3-ike-peer-Spoke2]undo version 2
[USG3-ike-peer-Spoke2]nat traversal
[USG3-ike-peer-Spoke2]remote-address 100.1.41.1
[USG3-ike-peer-Spoke2]pre-shared-key Cisco12345
[USG3-ike-peer-Spoke2]quit
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG3-ipsec-proposal-ESP]quit
[USG3]acl number 3000    //interesting traffic: Branch2 LAN to the headquarters LAN
[USG3-acl-adv-3000]rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3-acl-adv-3000]quit
[USG3]ipsec policy Tigerlab 10 isakmp
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3-ipsec-policy-isakmp-Tigerlab-10]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ipsec policy Tigerlab
```
ISP
🐖AR4
```
[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 100.1.41.4 24
[AR4-GigabitEthernet0/0/0]quit
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 100.1.100.4 24
[AR4-GigabitEthernet0/0/1]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.41.4 0.0.0.0    //the original transcript had 10.1.41.4, which matches no interface on AR4
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0
```
🐖AR5
```
[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 100.1.52.5 24
[AR5-GigabitEthernet0/0/0]quit
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 100.1.100.5 24
[AR5-GigabitEthernet0/0/1]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.52.5 0.0.0.0    //the original transcript had 10.1.52.5, which matches no interface on AR5
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.0
```
🐖AR6
```
[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]int g0/0/0
[AR6-GigabitEthernet0/0/0]ip add 100.1.63.6 24
[AR6-GigabitEthernet0/0/0]quit
[AR6]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip add 100.1.100.6 24
[AR6-GigabitEthernet0/0/1]quit
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.63.6 0.0.0.0    //the original transcript had 10.1.63.6, which matches no interface on AR6
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0
```
Testing
1. Can the hosts in each area ping the ISP server? Both the headquarters and the branch hosts can ping the ISP server.
2. Connectivity test between headquarters and the branches.
Headquarters can now communicate with the branches, which concludes the lab.
Lab source: Tigerlab