备案控制台
探索云世界
开发者社区 安全 文章 正文

重温IPsec隧道❤️

2021-12-06 121
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: 重温IPsec隧道❤️

IPsec VPN配置案例

image.png

🐄拓扑图

image.png

🐄实验环境

该拓扑图分为四个部分最左边位总部Tiger  HQ,中间的为ISP,右上角为分部Branch1,右下角为分部Branch2。总部和分部的边界设备用的是型号为USG  6000V的防火墙,都分别连接运营商的PE设备。总部内有vlan10和20,主机A和B属于vlan10,主机C和D属于vlan20。

🐄需求

  • 各部分内网主机之间能够互相联通。
  • 所有总部、分部内网主机要通过边界防火墙能够访问Internet。
  • 总部的主机可以访问两个分部的主机,两个分部的主机也能访问总部的主机。

🐄具体配置

总部部分

🐖SW1

[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20          //创建vlan
[SW1]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]Int eth-trunk 12
[SW1-Eth-Trunk12]trunk port  g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1]sto mode mstp
[SW1]stp region-configuration
[SW1-mst-]stp region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root second
[SW1]int vlan 10
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif20]quit
[SW1]int vlan 10
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-vlanif20]quit
[SW1]vlan 111
[SW1-vlanif111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp egded-port  enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-vlanif111]ip add 10.1.111.11 24
[SW1-vlanif111]quit
[SW1]ospf 10 router-id10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0

检查stp的配置结果,display stp instance 10,可以看到vlan10是主根

image.png

🐖SW2

[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20 
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunk port  g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2]sto mode mstp
[SW2]stp region-configuration
[SW2-mst-]stp region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root second
[SW2]int vlan 10
[SW2-vlanif10]ip add 10.1.20.12 24
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif20]quit
[SW2]int vlan 10
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105
[SW2-vlanif20]quit
[SW2]vlan 112
[SW2-vlanif112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp egded-port  enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-vlanif112]ip add 10.1.112.12 24
[SW2-vlanif112]quit
[SW2]ospf 10 router-id10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0

在SW1上,接下来验证一下端口的vlan情况,display port vlan

image.png

在SW1上检查一下vrrp的配置情况:display vrrp brief

image.png

🐖SW3

[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlanif112]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp egded-port  enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-vlanif132]ip add 10.2.132.13 24
[SW3-vlanif132]quit
[SW3]int vlan 30
[SW3-vlanif30]ip add 10.2.30.254 24
[SW3-vlanif30]quit
[SW3]int vlan 40
[SW3-vlanif40]ip add 10.2.40.254 24
[SW3-vlanif40]quit
[SW3]ospf 10 router-id10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0

🐖SW4

[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4]stp bpdu-protection
[SW4]vlan 143
[SW4-vlanif112]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp egded-port  enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-vlanif132]ip add 10.3.143.14 24
[SW4-vlanif132]quit
[SW4]int vlan 50
[SW4-vlanif30]ip add 10.3.50.254 24
[SW4-vlanif30]quit
[SW4]ospf 10 router-id10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.50.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.2.143.14 0.0.0.0

🐖SW5

[SW5]vlan batch 10 20 
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]sto mode mstp
[SW5]stp region-configuration
[SW5-mst-]stp region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration

接下来验证一下端口的vlan情况,display port vlan。

🐖SW6

[SW6]vlan batch 10 20 
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]sto mode mstp
[SW6]stp region-configuration
[SW6-mst-]stp region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration

验证一下总部内主机与网关之间的连通性。

🐖总部防火墙FW1

[USG1]int lo0 
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ip add 100.1.41.1 24
[USG1-GigabitEthernet1/0/0 ]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1 ]ip add 10.1.111.1 24
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]ip add 10.1.112.1 24
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]service-manage ping permit
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1]nat-policy
[USG1-policy-nat]rule name 0
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-natm easy-ip
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise
[USG1]security-policy
[USG1-policy-security]rule name IPSec
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share 
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main 
[USG1-ike-peer-Hub]undo version 2
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG1]ipsec policy-template T 10
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10] proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

1、做到这里检查一下防火墙能否ping通交换机

2、在防火墙上查看ospf邻居和路由:display ospf peer brief、display ip routing-table protocol ospf

3、在防火墙上ping内网的主机

分支部分

🐖分支Branch1的防火墙FW2

[USG2]int lo0 
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ip add 100.1.52.2 24
[USG2-GigabitEthernet1/0/0 ]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1 ]ip add 10.2.132.2 24
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2]nat-policy
[USG2-policy-nat]rule name 0
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-natm easy-ip
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share 
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Speak1
[USG2-ike-peer-Speak1]ike-proposal 10
[USG2-ike-peer-Speak1]exchange-mode main 
[USG2-ike-peer-Speak1]undo version 2
[USG2-ike-peer-Speak1]nat traversal
[USG2-ike-peer-Speak1]remote-address 100.1.41.1
[USG2-ike-peer-Speak1]pre-shared-key Cisco12345
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG2]acl number 3000
[USG2-acl-adv-3000] rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2]ipsec policy Tigerlab 10 isakmp 
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

测试在防火墙上ping内网的主机,可以看到已经全部ping通

🐖分支Branch2的防火墙FW3

[USG3]int lo0 
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0 ]ip add 100.1.63.3 24
[USG3-GigabitEthernet1/0/0 ]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1 ]ip add 10.3.143.3 24
[USG3-GigabitEthernet1/0/1 ]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1 ]quit
[USG3]ospf 10 router-id 10.3.3..3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3]nat-policy
[USG3-policy-nat]rule name 0
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-natm easy-ip
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share 
[USG3-ike-proposal-10]dh group14
[USG3]ike peer Speak2
[USG3-ike-peer-Speak2]ike-proposal 10
[USG3-ike-peer-Speak2]exchange-mode main 
[USG3-ike-peer-Speak2]undo version 2
[USG3-ike-peer-Speak2]nat traversal
[USG3-ike-peer-Speak2]remote-address 100.1.41.1
[USG3-ike-peer-Speak2]pre-shared-key Cisco12345
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]espencrption-algorithm aes-256
[USG3]acl number 3000
[USG3-acl-adv-3000] rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3]ipsec policy Tigerlab 10 isakmp 
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

ISP部分

🐖AR4

[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]itn g0/0/0
[AR4-GigabitEthernet0/0/0 ]ip add 100.1.41.4 24
[AR4-GigabitEthernet0/0/0 ]quit
[AR4]itn g0/0/1
[AR4-GigabitEthernet0/0/1 ]ip add 100.1.100.4 24
[AR4-GigabitEthernet0/0/1 ]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 10.1.41.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0

🐖AR5

[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]itn g0/0/0
[AR5-GigabitEthernet0/0/0 ]ip add 100.1.52.5 24
[AR5-GigabitEthernet0/0/0 ]quit
[AR5]itn g0/0/1
[AR5-GigabitEthernet0/0/1 ]ip add 100.1.100.5 24
[AR5-GigabitEthernet0/0/1 ]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 10.1.52.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.05

🐖AR6

[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]itn g0/0/0
[AR6-GigabitEthernet0/0/0 ]ip add 100.1.63.6 24
[AR6-GigabitEthernet0/0/0 ]quit
[AR6]itn g0/0/1
[AR6-GigabitEthernet0/0/1 ]ip add 100.1.100.6 24
[AR6-GigabitEthernet0/0/1 ]quit
[AR6]itn g0/0/2
[AR6-GigabitEthernet0/0/2 ]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2 ]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 10.1.63.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0

测试

1、各区域主机是否能ping通isp的服务器,可以看到总部和分部的主机都能够ping通isp的服务器。

2、总部与分部之间的联通测试。

可以看到总部已经可以与分部之间通讯,实验到这里就结束了。

实验来源:Tigerlab

文章标签:
云防火墙
网络安全
网络协议
网络虚拟化
李白你好
目录
相关文章
parish
|
3月前
|
网络协议 网络安全 网络架构
网络路由之静态路由学习资料整理
静态路由是由网络管理员手动配置的固定路由表项,不受动态路由协议的影响,用于指定网络目标及其下一跳,提供网络控制和管理的手动路由选择。
parish
42 0
rubia--
|
9月前
|
网络架构
静态路由器实验报告
静态路由器实验报告
rubia--
104 0
七镜
|
9月前
|
网络架构
《计算机网络》阅读摘要——链路层交换机
《计算机网络》阅读摘要——链路层交换机
七镜
82 0
业余幻想家
|
10月前
|
网络架构
帧中继网配置实例学习记录
帧中继网配置实例
业余幻想家
57 0
帧中继网配置实例学习记录
Danileaf_Guo
|
网络安全 数据安全/隐私保护 网络虚拟化
GRE隧道也能实现两端配置相同子网了,快来看看!(下)
GRE隧道也能实现两端配置相同子网了,快来看看!
Danileaf_Guo
222 0
GRE隧道也能实现两端配置相同子网了,快来看看!(下)
Danileaf_Guo
|
安全 数据安全/隐私保护
GRE隧道也能实现两端配置相同子网了,快来看看!(上)
GRE隧道也能实现两端配置相同子网了,快来看看!
Danileaf_Guo
378 0
GRE隧道也能实现两端配置相同子网了,快来看看!(上)
洲的学习日记
计算机网络学习21:静态路由配置及其可能产生的问题
全1的掩码才能特定路由
洲的学习日记
85 0
计算机网络学习21:静态路由配置及其可能产生的问题
洲的学习日记
计算机网络学习15:集线器、交换机简单概述与对比
分析问题的时候可以将集线器HUB看做是一条总线即可。
洲的学习日记
74 0
计算机网络学习15:集线器、交换机简单概述与对比
游客yarbwh6ylvlvk
|
网络协议 算法 网络性能优化
网络入门基础模型, 网络大体框架, TCP/IP协议栈, 各种局域网和广域网刨析 (以图解的方式推开网络大门)
网络入门基础模型, 网络大体框架, TCP/IP协议栈, 各种局域网和广域网刨析 (以图解的方式推开网络大门)
游客yarbwh6ylvlvk
192 0
网络入门基础模型, 网络大体框架, TCP/IP协议栈, 各种局域网和广域网刨析 (以图解的方式推开网络大门)
陈丹宇jmu
|
Shell 数据安全/隐私保护 网络架构
CCNA-NAT协议(理论与实验练习)
CCNA-NAT协议(理论与实验练习)
陈丹宇jmu
81 0
CCNA-NAT协议(理论与实验练习)
为什么选择阿里云什么是云计算全球基础设施技术领先稳定可靠安全合规分析师报告
产品和定价全部产品免费试用产品动态产品定价价格计算器云上成本管理
解决方案技术解决方案
文档与社区文档开发者社区天池大赛培训与认证
权益中心免费试用高校计划企业扶持计划推荐返现计划
支持与服务基础服务企业增值服务迁云服务官网公告健康看板信任中心
关注阿里云
关注阿里云公众号或下载阿里云APP,关注云资讯,随时随地运维管控云服务
阿里云APP阿里云微信
联系我们:4008013260
法律声明Cookies政策廉正举报安全举报联系我们加入我们
阿里巴巴集团淘宝网天猫全球速卖通阿里巴巴国际交易市场1688阿里妈妈飞猪阿里云计算AliOS万网高德UC友盟优酷钉钉支付宝达摩院淘宝海外阿里云盘饿了么
© 2009-2024 Aliyun.com 版权所有 增值电信业务经营许可证: 浙B2-20080101 域名注册服务机构许可: 浙D3-20210002 京D3-20220015
浙公网安备 33010602009975号浙B2-20080101-4