怎样通过IPsec野蛮模式实现分支之间相互通信呢
一、组网及说明
注:如无特别说明,描述中的 fw1 或 msr1 对应拓扑中设备名称末尾数字为 1 的设备,fw2 或 msr2 对应拓扑中设备名称末尾数字为 2 的设备,以此类推;另外,同一网段中,ip 地址的主机位为其设备编号,如 fw1 的 g0/0 接口若在 1.1.1.0/24 网段,则其 ip 地址为 1.1.1.1/24,以此类推。
二、实验需求
fw1代表中心节点,fw2和fw3代表分支。
fw上使用环回口loopback0模拟业务网段。
分支分别和中心节点通信,各分支节点之间可以相互通信。
三、配置步骤
3.1 ip、路由、安全域
fw1
#interface loopback0 ip address 10.1.1.1 255.255.255.255#interface gigabitethernet1/0/1 port link-mode route combo enable copper ip address 2.2.2.1 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 10.2.2.1 32 1.1.1.2 ip route-static 10.3.3.1 32 2.2.2.3#security-policy ip rule 0 name any action pass
fw2
#interface loopback0 ip address 10.2.2.1 255.255.255.255#interface gigabitethernet1/0/0 port link-mode route combo enable copper ip address 1.1.1.2 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 0.0.0.0 0 1.1.1.1#security-policy ip rule 0 name any action pass
fw3
#interface loopback0 ip address 10.3.3.1 255.255.255.0#interface gigabitethernet1/0/0 port link-mode route combo enable copper ip address 2.2.2.3 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 0.0.0.0 0 2.2.2.1#security-policy ip rule 0 name any action pass#
3.2 ike部分
fw1
#ike keychain k1 pre-shared-key hostname f2 key cipher $c$3$rftho6o4pplohvzewmsfgc3gjfry7q75qw==#ike keychain k2 pre-shared-key hostname f3 key cipher $c$3$lo0lextmx41uhb7vxok9kfeojxznjz0miw==#ike profile pf keychain k1 keychain k2 dpd interval 10 on-demand exchange-mode aggressive local-identity fqdn f1 match remote identity fqdn f2 match remote identity fqdn f3
fw2
#ike keychain k1 pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$v44jhwonfkj3w9bqdnkq+leifriulbkugw==#ike profile pf keychain k1 exchange-mode aggressive local-identity fqdn f2 match remote identity fqdn f1
fw3
#ike keychain k1 pre-shared-key address 2.2.2.1 255.255.255.255 key cipher $c$3$pksnapnnogzicn73gxzd3l3zo9or3ius1a==#ike profile pf keychain k1 exchange-mode aggressive local-identity fqdn f3 match remote identity fqdn f1
3.3 ipsec部分
fw1
#acl advanced 3000 rule 0 permit ip source 10.1.1.1 0 destination 10.2.2.1 0 rule 5 permit ip source 10.1.1.1 0 destination 10.3.3.1 0 rule 10 permit ip source 10.3.3.1 0 destination 10.2.2.1 0 rule 15 permit ip source 10.2.2.1 0 destination 10.3.3.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy-template pt 1 transform-set ts security acl 3000 ike-profile pf#ipsec policy ply 1 isakmp template pt
fw2
#acl advanced 3000 rule 0 permit ip source 10.2.2.1 0 destination 10.1.1.1 0 rule 5 permit ip source 10.2.2.1 0 destination 10.3.3.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy ply 1 isakmp transform-set ts security acl 3000 remote-address 1.1.1.1 ike-profile pf
fw3
#acl advanced 3000 rule 0 permit ip source 10.3.3.1 0 destination 10.1.1.1 0 rule 5 permit ip source 10.3.3.1 0 destination 10.2.2.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy ply 1 isakmp transform-set ts security acl 3000 remote-address 2.2.2.1 ike-profile pf
四、配置关键点
分支和中心节点之间的隧道建立要通过分支来触发,即fw2向fw1发起访问,fw3向fw1发起访问。
分支和分支之间建立隧道需要两边触发,即fw2向fw3发起访问,fw3向fw2发起访问。
分支的感兴趣流除了目的是中心节点外,还需要包括到分支的。
fw1上的ipsec sa如下:
-------------------------------interface: gigabitethernet1/0/0------------------------------- ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 1 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 1.1.1.1 remote address: 1.1.1.2 flow: sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3754823141 (0xdfce0de5) connection id: 4294967298 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3562 max received sequence-number: 4 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 1056998950 (0x3f008626) connection id: 4294967299 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3562 max sent sequence-number: 4 udp encapsulation used for nat traversal: n status: active ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 2 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 1.1.1.1 remote address: 1.1.1.2 flow: sour addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3260450656 (0xc2568760) connection id: 4294967300 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3575 max received sequence-number: 8 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 2013923382 (0x780a0836) connection id: 4294967301 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3575 max sent sequence-number: 5 udp encapsulation used for nat traversal: n status: active-------------------------------interface: gigabitethernet1/0/1------------------------------- ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 0 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 2.2.2.1 remote address: 2.2.2.3 flow: sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 2022161426 (0x7887bc12) connection id: 4294967296 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3554 max received sequence-number: 4 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 3633752750 (0xd896aaae) connection id: 4294967297 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3554 max sent sequence-number: 4 udp encapsulation used for nat traversal: n status: active ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 3 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 2.2.2.1 remote address: 2.2.2.3 flow: sour addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3168528224 (0xbcdbe760) connection id: 4294967302 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3583 max received sequence-number: 5 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 2761355159 (0xa496ef97) connection id: 4294967303 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3583 max sent sequence-number: 5 udp encapsulation used for nat traversal: n status: active
实验结束!
压电位移台简介!
数字滤波器的设计实验
华为聘请巴西前总统为顾问,以确保其在当地的5G地位
三星s8正式发售,三星s8最新消息:三星s8黑科技,手机秒变电脑,三星DeX底座体验,爽翻
2017斯柯达或推出第二代yeti车型
怎样通过IPsec野蛮模式实现分支之间相互通信呢
LPC下的应用三相输配电功率因对数测控系统的设计
lm706应用电路图
米家iHealth体温计评测 真正的为发烧而生
三星稳占全球最大手机制造商第一位置长达8年 它到底凭什么长年屹立不倒
同茂线性马达谈先进封装将迎来高光时刻
CAD技术在电子封装中的应用及其发展
如何将位置编码器主协议集成到Sitara™处理器应用
浅析红外线感应开关原理和安装要求
美甲灯开关电源方案芯片U6315B
伟创力实业(珠海)有限公司将100%股权转让给领益智造
两列CMOS接口电路分享
海尔与上汽携手进军智能汽车领域
晶科能源TOPCON电池片产品获颁TUV南德首张电池片LID认证证书
输出过电压保护电路
注:如无特别说明,描述中的 fw1 或 msr1 对应拓扑中设备名称末尾数字为 1 的设备,fw2 或 msr2 对应拓扑中设备名称末尾数字为 2 的设备,以此类推;另外,同一网段中,ip 地址的主机位为其设备编号,如 fw1 的 g0/0 接口若在 1.1.1.0/24 网段,则其 ip 地址为 1.1.1.1/24,以此类推。
二、实验需求
fw1代表中心节点,fw2和fw3代表分支。
fw上使用环回口loopback0模拟业务网段。
分支分别和中心节点通信,各分支节点之间可以相互通信。
三、配置步骤
3.1 ip、路由、安全域
fw1
#interface loopback0 ip address 10.1.1.1 255.255.255.255#interface gigabitethernet1/0/1 port link-mode route combo enable copper ip address 2.2.2.1 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 10.2.2.1 32 1.1.1.2 ip route-static 10.3.3.1 32 2.2.2.3#security-policy ip rule 0 name any action pass
fw2
#interface loopback0 ip address 10.2.2.1 255.255.255.255#interface gigabitethernet1/0/0 port link-mode route combo enable copper ip address 1.1.1.2 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 0.0.0.0 0 1.1.1.1#security-policy ip rule 0 name any action pass
fw3
#interface loopback0 ip address 10.3.3.1 255.255.255.0#interface gigabitethernet1/0/0 port link-mode route combo enable copper ip address 2.2.2.3 255.255.255.0 ipsec apply policy ply#security-zone name local#security-zone name trust import interface gigabitethernet1/0/0 import interface gigabitethernet1/0/1# ip route-static 0.0.0.0 0 2.2.2.1#security-policy ip rule 0 name any action pass#
3.2 ike部分
fw1
#ike keychain k1 pre-shared-key hostname f2 key cipher $c$3$rftho6o4pplohvzewmsfgc3gjfry7q75qw==#ike keychain k2 pre-shared-key hostname f3 key cipher $c$3$lo0lextmx41uhb7vxok9kfeojxznjz0miw==#ike profile pf keychain k1 keychain k2 dpd interval 10 on-demand exchange-mode aggressive local-identity fqdn f1 match remote identity fqdn f2 match remote identity fqdn f3
fw2
#ike keychain k1 pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$v44jhwonfkj3w9bqdnkq+leifriulbkugw==#ike profile pf keychain k1 exchange-mode aggressive local-identity fqdn f2 match remote identity fqdn f1
fw3
#ike keychain k1 pre-shared-key address 2.2.2.1 255.255.255.255 key cipher $c$3$pksnapnnogzicn73gxzd3l3zo9or3ius1a==#ike profile pf keychain k1 exchange-mode aggressive local-identity fqdn f3 match remote identity fqdn f1
3.3 ipsec部分
fw1
#acl advanced 3000 rule 0 permit ip source 10.1.1.1 0 destination 10.2.2.1 0 rule 5 permit ip source 10.1.1.1 0 destination 10.3.3.1 0 rule 10 permit ip source 10.3.3.1 0 destination 10.2.2.1 0 rule 15 permit ip source 10.2.2.1 0 destination 10.3.3.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy-template pt 1 transform-set ts security acl 3000 ike-profile pf#ipsec policy ply 1 isakmp template pt
fw2
#acl advanced 3000 rule 0 permit ip source 10.2.2.1 0 destination 10.1.1.1 0 rule 5 permit ip source 10.2.2.1 0 destination 10.3.3.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy ply 1 isakmp transform-set ts security acl 3000 remote-address 1.1.1.1 ike-profile pf
fw3
#acl advanced 3000 rule 0 permit ip source 10.3.3.1 0 destination 10.1.1.1 0 rule 5 permit ip source 10.3.3.1 0 destination 10.2.2.1 0#ipsec transform-set ts esp encryption-algorithm 3des-cbc esp authentication-algorithm md5#ipsec policy ply 1 isakmp transform-set ts security acl 3000 remote-address 2.2.2.1 ike-profile pf
四、配置关键点
分支和中心节点之间的隧道建立要通过分支来触发,即fw2向fw1发起访问,fw3向fw1发起访问。
分支和分支之间建立隧道需要两边触发,即fw2向fw3发起访问,fw3向fw2发起访问。
分支的感兴趣流除了目的是中心节点外,还需要包括到分支的。
fw1上的ipsec sa如下:
-------------------------------interface: gigabitethernet1/0/0------------------------------- ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 1 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 1.1.1.1 remote address: 1.1.1.2 flow: sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3754823141 (0xdfce0de5) connection id: 4294967298 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3562 max received sequence-number: 4 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 1056998950 (0x3f008626) connection id: 4294967299 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3562 max sent sequence-number: 4 udp encapsulation used for nat traversal: n status: active ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 2 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 1.1.1.1 remote address: 1.1.1.2 flow: sour addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3260450656 (0xc2568760) connection id: 4294967300 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3575 max received sequence-number: 8 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 2013923382 (0x780a0836) connection id: 4294967301 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3575 max sent sequence-number: 5 udp encapsulation used for nat traversal: n status: active-------------------------------interface: gigabitethernet1/0/1------------------------------- ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 0 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 2.2.2.1 remote address: 2.2.2.3 flow: sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 2022161426 (0x7887bc12) connection id: 4294967296 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3554 max received sequence-number: 4 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 3633752750 (0xd896aaae) connection id: 4294967297 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3554 max sent sequence-number: 4 udp encapsulation used for nat traversal: n status: active ----------------------------- ipsec policy: ply sequence number: 1 mode: template ----------------------------- tunnel id: 3 encapsulation mode: tunnel perfect forward secrecy: inside vpn: extended sequence numbers enable: n traffic flow confidentiality enable: n transmitting entity: responder path mtu: 1444 tunnel: local address: 2.2.2.1 remote address: 2.2.2.3 flow: sour addr: 10.2.2.1/255.255.255.255 port: 0 protocol: ip dest addr: 10.3.3.1/255.255.255.255 port: 0 protocol: ip [inbound esp sas] spi: 3168528224 (0xbcdbe760) connection id: 4294967302 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3583 max received sequence-number: 5 anti-replay check enable: y anti-replay window size: 64 udp encapsulation used for nat traversal: n status: active [outbound esp sas] spi: 2761355159 (0xa496ef97) connection id: 4294967303 transform set: esp-encrypt-3des-cbc esp-auth-md5 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3583 max sent sequence-number: 5 udp encapsulation used for nat traversal: n status: active
实验结束!
压电位移台简介!
数字滤波器的设计实验
华为聘请巴西前总统为顾问,以确保其在当地的5G地位
三星s8正式发售,三星s8最新消息:三星s8黑科技,手机秒变电脑,三星DeX底座体验,爽翻
2017斯柯达或推出第二代yeti车型
怎样通过IPsec野蛮模式实现分支之间相互通信呢
LPC下的应用三相输配电功率因对数测控系统的设计
lm706应用电路图
米家iHealth体温计评测 真正的为发烧而生
三星稳占全球最大手机制造商第一位置长达8年 它到底凭什么长年屹立不倒
同茂线性马达谈先进封装将迎来高光时刻
CAD技术在电子封装中的应用及其发展
如何将位置编码器主协议集成到Sitara™处理器应用
浅析红外线感应开关原理和安装要求
美甲灯开关电源方案芯片U6315B
伟创力实业(珠海)有限公司将100%股权转让给领益智造
两列CMOS接口电路分享
海尔与上汽携手进军智能汽车领域
晶科能源TOPCON电池片产品获颁TUV南德首张电池片LID认证证书
输出过电压保护电路