At the headquarters there is an H3C F1080 firewall with IPsec configured; using the branch-node method it has a VPN with a subsidiary company's Huawei firewall. I configured it remotely through the web interface. Now another company wants to connect to the central node, but under "apply interface" only one interface can be selected. I configured the priorities: one line is 200, the other is 201. After configuring, only the 200 entry establishes successfully, and the apply-policy interface shows an IP. The other entry has no apply-policy interface information and its tunnel is not established. I want to keep the existing tunnel unchanged and create a new tunnel. How should I do this, and how should it be configured in the web interface? Thanks, everyone.
Best answer
Multiple branches can be done.
As shown in the figure below, enterprise branches access the enterprise headquarters through IPsec VPN, with the following specific requirements:
Establish IPsec tunnels between the headquarters gateway Device A and each branch gateway, Device B and Device C, to protect the data between the headquarters network 4.4.4.0/24 and the branch networks 5.5.5.0/24 and 6.6.6.0/24 respectively.
Use IKE negotiation to establish the IPsec SAs, with the ESP security protocol, the DES encryption algorithm and the HMAC-SHA-1-96 authentication algorithm.
IKE negotiation uses pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm.
The headquarters gateway Device A uses the IKE security policy template method; the branch gateways Device B and Device C use the IKE security policy method.
Figure 1. Network diagram for the IPsec security policy template configuration
Configure interface IP addresses
# Configure the IP address of each interface according to the plan in the network diagram, as follows.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Configure static routes
This example uses static routes only. In a real network, choose the routing method appropriate to the situation.
# Configure static routes according to the plan in the network diagram. This example assumes the next-hop IP address toward the peer gateways and the branch networks is 1.1.1.2; in practice use the addresses of your own network. The steps are as follows.
[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2
[DeviceA] ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
[DeviceA] ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
Add interfaces to security zones
# Add the interfaces to the corresponding security zones according to the plan in the network diagram, as follows.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
Configure security policies
Configure security policies permitting traffic between the Untrust and Local security zones, so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout1 so that Device A can send IPsec tunnel negotiation packets to Device B, as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout1
[DeviceA-security-policy-ip-1-ipseclocalout1] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout1] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout1] action pass
[DeviceA-security-policy-ip-1-ipseclocalout1] quit
# Configure a security policy rule named ipseclocalin1 so that Device A can receive and process IPsec tunnel negotiation packets from Device B, as follows.
[DeviceA-security-policy-ip] rule name ipseclocalin1
[DeviceA-security-policy-ip-2-ipseclocalin1] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin1] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin1] action pass
[DeviceA-security-policy-ip-2-ipseclocalin1] quit
# Configure a security policy rule named ipseclocalout2 so that Device A can send IPsec tunnel negotiation packets to Device C, as follows.
[DeviceA-security-policy-ip] rule name ipseclocalout2
[DeviceA-security-policy-ip-3-ipseclocalout2] source-zone local
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-zone untrust
[DeviceA-security-policy-ip-3-ipseclocalout2] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-3-ipseclocalout2] action pass
[DeviceA-security-policy-ip-3-ipseclocalout2] quit
# Configure a security policy rule named ipseclocalin2 so that Device A can receive and process IPsec tunnel negotiation packets from Device C, as follows.
[DeviceA-security-policy-ip] rule name ipseclocalin2
[DeviceA-security-policy-ip-4-ipseclocalin2] source-zone untrust
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-zone local
[DeviceA-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-4-ipseclocalin2] action pass
[DeviceA-security-policy-ip-4-ipseclocalin2] quit
Configure security policies permitting traffic between Host A and Host B / Host C
# Configure a security policy rule named trust-untrust1 so that packets from Host A to Host B can pass, as follows.
[DeviceA-security-policy-ip] rule name trust-untrust1
[DeviceA-security-policy-ip-5-trust-untrust1] source-zone trust
[DeviceA-security-policy-ip-5-trust-untrust1] destination-zone untrust
[DeviceA-security-policy-ip-5-trust-untrust1] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-5-trust-untrust1] destination-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-5-trust-untrust1] action pass
[DeviceA-security-policy-ip-5-trust-untrust1] quit
# Configure a security policy rule named untrust-trust1 so that packets from Host B to Host A can pass, as follows.
[DeviceA-security-policy-ip] rule name untrust-trust1
[DeviceA-security-policy-ip-6-untrust-trust1] source-zone untrust
[DeviceA-security-policy-ip-6-untrust-trust1] destination-zone trust
[DeviceA-security-policy-ip-6-untrust-trust1] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-6-untrust-trust1] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-6-untrust-trust1] action pass
[DeviceA-security-policy-ip-6-untrust-trust1] quit
# Configure a security policy rule named trust-untrust2 so that packets from Host A to Host C can pass, as follows.
[DeviceA-security-policy-ip] rule name trust-untrust2
[DeviceA-security-policy-ip-7-trust-untrust2] source-zone trust
[DeviceA-security-policy-ip-7-trust-untrust2] destination-zone untrust
[DeviceA-security-policy-ip-7-trust-untrust2] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] destination-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] action pass
[DeviceA-security-policy-ip-7-trust-untrust2] quit
# Configure a security policy rule named untrust-trust2 so that packets from Host C to Host A can pass, as follows.
[DeviceA-security-policy-ip] rule name untrust-trust2
[DeviceA-security-policy-ip-8-untrust-trust2] source-zone untrust
[DeviceA-security-policy-ip-8-untrust-trust2] destination-zone trust
[DeviceA-security-policy-ip-8-untrust-trust2] source-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] action pass
[DeviceA-security-policy-ip-8-untrust-trust2] quit
[DeviceA-security-policy-ip] quit
Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create an IPsec transform set. The transform set parameters configured on the two ends must be identical. The steps are as follows.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
Configure IKE keychains, which define the key material used by the two peers
# Create and configure an IKE keychain named key1, specifying plaintext 123 as the pre-shared key used with the peer at address 2.2.2.2.
[DeviceA] ike keychain key1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key1] quit
# Create and configure an IKE keychain named key2, specifying plaintext 456 as the pre-shared key used with the peer at address 3.3.3.3.
[DeviceA] ike keychain key2
[DeviceA-ike-keychain-key2] pre-shared-key address 3.3.3.3 key simple 456
[DeviceA-ike-keychain-key2] quit
Configure an IKE profile, which defines the security parameters required to establish IKE SAs
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain key1
[DeviceA-ike-profile-profile1] keychain key2
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 255.255.255.0
[DeviceA-ike-profile-profile1] quit
Configure an IPsec policy template, used to create the IPsec policy
# Create and configure an IPsec policy template named temp1 that references transform set tran1
[DeviceA] ipsec policy-template temp1 1
[DeviceA-ipsec-policy-template-temp1-1] transform-set tran1
[DeviceA-ipsec-policy-template-temp1-1] ike-profile profile1
[DeviceA-ipsec-policy-template-temp1-1] quit
Reference policy template temp1 to create an IKE-negotiation security policy policy1, which establishes the IPsec tunnels and protects the data flows that need protection
[DeviceA] ipsec policy map1 10 isakmp template temp1
Configure an IKE proposal, which defines the security parameters the two sides need for IKE negotiation
# Create and configure IKE proposal 1, specifying pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit
Apply the IPsec policy on the interface to protect the traffic on that interface
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
Configure interface IP addresses
# Configure the IP address of each interface according to the plan in the network diagram, as follows.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Configure static routes
This example uses static routes only. In a real network, choose the routing method appropriate to the situation.
# Configure static routes according to the plan in the network diagram. This example assumes the next-hop IP address toward the peer gateway and the headquarters network is 2.2.2.3; in practice use the addresses of your own network. The steps are as follows.
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
Add interfaces to security zones
# Add the interfaces to the corresponding security zones according to the plan in the network diagram, as follows.
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
Configure security policies
Configure security policies permitting traffic between the Untrust and Local security zones, so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A, as follows.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A, as follows.
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
Configure security policies permitting traffic between Host B and Host A
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A can pass, as follows.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B can pass, as follows.
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
Configure an ACL to define the data flows to be protected
# Configure IPv4 advanced ACL 3000 to define the data flow from subnet 5.5.5.0/24 to subnet 4.4.4.0/24 that is to be protected.
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create an IPsec transform set. The transform set parameters configured on the two ends must be identical. The steps are as follows.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
Configure an IKE keychain, which defines the key material used by the two peers
# Create and configure an IKE keychain named key1, specifying plaintext 123 as the pre-shared key used with the peer at address 1.1.1.1.
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ike-keychain-key1] quit
Configure an IKE profile, which defines the security parameters required to establish IKE SAs
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
Configure an ISAKMP-mode IPsec policy to establish the IPsec tunnel and protect the data flows that need protection
# Create and configure an IPsec policy named map1 that references transform set tran1 and ACL 3000, and specify 1.1.1.1 as the peer address of the IPsec tunnel.
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
Configure an IKE proposal, which defines the security parameters the two sides need for IKE negotiation
# Create and configure IKE proposal 1, specifying pre-shared key authentication, the 3DES encryption algorithm and the HMAC-SHA1 authentication algorithm.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] quit
Apply the IPsec policy on the interface to protect the traffic on that interface
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
Configure interface IP addresses
# Configure the IP address of each interface according to the plan in the network diagram, as follows.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces by following the steps above (details omitted).
Configure static routes
This example uses static routes only. In a real network, choose the routing method appropriate to the situation.
# Configure static routes according to the plan in the network diagram. This example assumes the next-hop IP address toward the peer gateway and the headquarters network is 3.3.3.4; in practice use the addresses of your own network. The steps are as follows.
[DeviceC] ip route-static 4.4.4.0 24 3.3.3.4
[DeviceC] ip route-static 1.1.1.1 24 3.3.3.4
Add interfaces to security zones
# Add the interfaces to the corresponding security zones according to the plan in the network diagram, as follows.
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
Configure security policies
Configure security policies permitting traffic between the Untrust and Local security zones, so that the devices can establish IPsec tunnels.
# Configure a security policy rule named ipseclocalout so that Device C can send IPsec tunnel negotiation packets to Device A, as follows.
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device C can receive and process IPsec tunnel negotiation packets from Device A, as follows.
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
Configure security policies permitting traffic between Host C and Host A
# Configure a security policy rule named trust-untrust so that packets from Host C to Host A can pass, as follows.
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host C can pass, as follows.
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
Configure an ACL to define the data flows to be protected
# Configure IPv4 advanced ACL 3000 to define the data flow from subnet 6.6.6.0/24 to subnet 4.4.4.0/24 that is to be protected.
[DeviceC] acl advanced 3000
[DeviceC-acl-ipv4-adv-3000] rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceC-acl-ipv4-adv-3000] quit
Configure an IPsec transform set, which negotiates the security protocols used to encapsulate packets
# Create an IPsec transform set. The transform set parameters configured on the two ends must be identical. The steps are as follows.
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-tran1] quit
Configure an IKE keychain, which defines the key material used by the two peers
# Create and configure an IKE keychain named key1, specifying plaintext 456 as the pre-shared key used with the peer at address 1.1.1.1.
[DeviceC] ike keychain key1
[DeviceC-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 456
[DeviceC-ike-keychain-key1] quit
Configure an IKE profile, which defines the security parameters required to establish IKE SAs
[DeviceC] ike profile profile1
[DeviceC-ike-profile-profile1] keychain key1
[DeviceC-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceC-ike-profile-profile1] quit
Configure an ISAKMP-mode IPsec policy to establish the IPsec tunnel and protect the data flows that need protection
# Create and configure an IPsec policy named map1 that references transform set tran1 and ACL 3000, and specify 1.1.1.1 as the peer address of the IPsec tunnel.
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[DeviceC-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceC-ipsec-policy-isakmp-map1-10] quit
Apply the IPsec policy on the interface to protect the traffic on that interface
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceC-GigabitEthernet1/0/1] quit
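The answer's hub-and-spoke design works because the hub keeps a single policy template on the interface and adds, per branch, one keychain entry and one "match remote identity" line. Before touching the hub for a new branch it is worth checking mechanically that the two sides agree on everything that IKE and IPsec negotiation compares. The checker below is an added example written for this page, not an H3C tool and not part of the answer: it parses the Comware CLI lines used above (prompt stripped), compares a spoke against the hub, and reports the mismatches that would keep a tunnel down. The configuration excerpts are constructed to mirror Device A, Device B and Device C; the spoke "DeviceD" at 7.7.7.7 is a hypothetical new branch not yet added on the hub, and the WEAK_ALGORITHMS baseline is an assumption that also flags the DES/3DES/SHA1 choices the answer uses, which newer deployments should replace with AES and SHA-2 suites.

```python
"""Hypothetical consistency checker for a hub-and-spoke IPsec deployment on
Comware-style firewalls (added example; not an H3C tool). It parses the CLI
lines used in the answer and reports mismatches that would keep a spoke's
tunnel from coming up, plus algorithms that fall below a defender's baseline."""
import ipaddress
import re

# Assumption: the organisation's own list of algorithms to retire.
WEAK_ALGORITHMS = {"des", "des-cbc", "3des-cbc", "md5", "sha", "sha1"}

PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")  # "[DeviceA-...] " or "<DeviceA> "


def parse_config(text):
    """Extract the tunnel-relevant settings from a block of Comware CLI lines."""
    cfg = {"ip": None, "transform": {}, "ike": {}, "psk": {}, "remote_ids": [],
           "local": None, "remote": None}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line.startswith("ip address ") and cfg["ip"] is None:
            cfg["ip"] = line.split()[2]  # first interface seen = tunnel endpoint (assumption)
        elif line.startswith(("encapsulation-mode ", "protocol ")):
            key, val = line.split(None, 1)
            cfg["transform"][key] = val
        elif line.startswith("esp "):  # esp encryption-algorithm / esp authentication-algorithm
            _, key, val = line.split(None, 2)
            cfg["transform"][key] = val
        elif line.startswith(("encryption-algorithm ", "authentication-algorithm ")):
            key, val = line.split(None, 1)  # IKE proposal view
            cfg["ike"][key] = val
        elif line.startswith("pre-shared-key address "):
            m = re.match(r"pre-shared-key address (\S+) key (?:simple|cipher) (\S+)", line)
            cfg["psk"][m.group(1)] = m.group(2)
        elif line.startswith("match remote identity address "):
            addr, mask = line.split()[4:6]
            cfg["remote_ids"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif line.startswith("local-address "):
            cfg["local"] = line.split()[1]
        elif line.startswith("remote-address "):
            cfg["remote"] = line.split()[1]
    return cfg


def check_spoke(hub, spoke, name):
    """Return the problems that would stop this spoke negotiating with the hub."""
    findings = []
    # Transform set and IKE proposal must be identical on both ends.
    for view, label in (("transform", "transform-set"), ("ike", "IKE proposal")):
        for key in sorted(set(hub[view]) | set(spoke[view])):
            h, s = hub[view].get(key), spoke[view].get(key)
            if h != s:
                findings.append(f"{name}: {label} {key} differs (hub={h}, spoke={s})")
    if spoke["remote"] != hub["ip"]:
        findings.append(f"{name}: remote-address {spoke['remote']} is not the hub address {hub['ip']}")
    # The hub's key for the spoke's address must equal the spoke's key for the hub's address.
    hub_key = hub["psk"].get(spoke["local"])
    if hub_key is None:
        findings.append(f"{name}: hub has no pre-shared key for {spoke['local']}")
    elif hub_key != spoke["psk"].get(spoke["remote"]):
        findings.append(f"{name}: pre-shared key for {spoke['local']} differs between hub and spoke")
    # The hub's IKE profile must match the spoke's identity or the IKE SA is never built.
    if not any(ipaddress.ip_address(spoke["local"]) in net for net in hub["remote_ids"]):
        findings.append(f"{name}: hub IKE profile has no 'match remote identity' covering {spoke['local']}")
    return findings


def weak_algorithms(cfg):
    """Algorithms in the transform set or IKE proposal that fall below the baseline."""
    used = set(cfg["transform"].values()) | set(cfg["ike"].values())
    return sorted(used & WEAK_ALGORITHMS)


# Constructed excerpts mirroring the answer's Device A (hub) and Device B (spoke).
HUB = """
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key2] pre-shared-key address 3.3.3.3 key simple 456
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 255.255.255.0
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
"""
SPOKE_B = """
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
"""
# Device C as originally posted, with "des" instead of "des-cbc" in the transform set.
SPOKE_C_AS_POSTED = (SPOKE_B.replace("DeviceB", "DeviceC")
                     .replace("encryption-algorithm des-cbc", "encryption-algorithm des")
                     .replace("2.2.2.2", "3.3.3.3").replace("simple 123", "simple 456"))
# Hypothetical new branch at 7.7.7.7 that the hub has not been told about yet.
SPOKE_D_NEW = (SPOKE_B.replace("DeviceB", "DeviceD")
               .replace("2.2.2.2", "7.7.7.7").replace("simple 123", "simple 789"))


def run():
    """Check every constructed spoke against the hub and list weak algorithms."""
    hub = parse_config(HUB)
    report = {name: check_spoke(hub, parse_config(text), name) for name, text in
              (("DeviceB", SPOKE_B), ("DeviceC", SPOKE_C_AS_POSTED), ("DeviceD", SPOKE_D_NEW))}
    report["weak_on_hub"] = weak_algorithms(hub)
    return report


if __name__ == "__main__":
    for item, result in run().items():
        print(item, result)
```

Running it, DeviceB reports nothing, DeviceC reports the transform-set encryption-algorithm mismatch, and DeviceD reports exactly the two hub-side gaps the questioner has to close for a new branch: a keychain entry for the branch's address and a matching "match remote identity" line in the IKE profile. The existing branch's entries stay untouched, and the single policy template already applied to the interface serves both tunnels.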