
Revisiting IPsec Tunnels ❤️

Published: 2024/1/1 (Programming Q&A, 豆豆)

IPsec VPN configuration case study

    • 🐄Topology
    • 🐄Lab environment
    • 🐄Requirements
    • 🐄Detailed configuration
      • HQ
      • Branches
    • 💬Summary

🐄Topology

🐄Lab environment

The topology has four parts: the headquarters (Tiger HQ) on the far left, the ISP in the middle, branch Branch1 at the top right and branch Branch2 at the bottom right. The edge device at HQ and at each branch is a USG 6000V firewall, each connected to a carrier PE device. HQ has vlan10 and vlan20: hosts A and B are in vlan10, hosts C and D in vlan20.

🐄Requirements

  • Hosts within each site's internal network can reach one another.

  • All HQ and branch internal hosts can reach the Internet through their edge firewall.

  • HQ hosts can reach hosts at both branches, and branch hosts can reach HQ hosts.

🐄Detailed configuration

HQ

🐖SW1

[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20 //create the VLANs
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]int eth-trunk 12
[SW1-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]quit
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1-mst-region]quit
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1]int vlan 10
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105 //SW1 is the VRRP master for vlan10
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-vlanif20]quit
[SW1]vlan 111
[SW1-vlan111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp edged-port enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-vlanif111]ip add 10.1.111.11 24 //link to FW1 g1/0/1
[SW1-vlanif111]quit
[SW1]ospf 10 router-id 10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0

Check the STP result with display stp instance 10: SW1 is the primary root for vlan10.

🐖SW2

[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2]int vlan 10
[SW2-vlanif10]ip add 10.1.10.12 24
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105 //SW2 is the VRRP master for vlan20
[SW2-vlanif20]quit
[SW2]vlan 112
[SW2-vlan112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp edged-port enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-vlanif112]ip add 10.1.112.12 24 //link to FW1 g1/0/2
[SW2-vlanif112]quit
[SW2]ospf 10 router-id 10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0

Next, on SW1, verify the VLAN membership of the ports with display port vlan.

On SW1, check the VRRP state with display vrrp brief.


🐖SW3

[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlan132]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp edged-port enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-vlanif132]ip add 10.2.132.13 24 //link to FW2 g1/0/1
[SW3-vlanif132]quit
[SW3]int vlan 30
[SW3-vlanif30]ip add 10.2.30.254 24
[SW3-vlanif30]quit
[SW3]int vlan 40
[SW3-vlanif40]ip add 10.2.40.254 24
[SW3-vlanif40]quit
[SW3]ospf 10 router-id 10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0

🐖SW4

[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 50
[SW4-GigabitEthernet0/0/3]stp edged-port enable
[SW4-GigabitEthernet0/0/3]quit
[SW4]stp bpdu-protection
[SW4]vlan 143
[SW4-vlan143]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp edged-port enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-vlanif143]ip add 10.3.143.14 24 //link to FW3 g1/0/1
[SW4-vlanif143]quit
[SW4]int vlan 50
[SW4-vlanif50]ip add 10.3.50.254 24
[SW4-vlanif50]quit
[SW4]ospf 10 router-id 10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.50.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.143.14 0.0.0.0

🐖SW5

[SW5]vlan batch 10 20
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration
[SW5-mst-region]quit

Next, verify the port VLAN assignments with display port vlan.

🐖SW6

[SW6]vlan batch 10 20
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration
[SW6-mst-region]quit

Verify connectivity between the HQ hosts and their gateways.

🐖HQ firewall FW1

[USG1]int lo0
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ip add 100.1.41.1 24 //uplink to the ISP (AR4)
[USG1-GigabitEthernet1/0/0]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]ip add 10.1.111.1 24 //to SW1
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]ip add 10.1.112.1 24 //to SW2
[USG1-GigabitEthernet1/0/2]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside //trust <-> local, so OSPF and ping to the firewall work
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]service-manage ping permit
[USG1-GigabitEthernet1/0/2]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]quit
[USG1-ospf-10]quit
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1-policy-security-rule-Internet]quit
[USG1-policy-security]quit
[USG1]nat-policy
[USG1-policy-nat]rule name 0 //NAT exemption for VPN traffic; it must come before the Internet rule
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat-rule-0]quit
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-nat easy-ip
[USG1-policy-nat-rule-Internet]quit
[USG1-policy-nat]quit
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise //advertise the default route into the HQ network
[USG1-ospf-10]quit
[USG1]security-policy
[USG1-policy-security]rule name IPSec //IKE and ESP from the spokes to this firewall
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA //decrypted traffic between the HQ and branch LANs
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main
[USG1-ike-peer-Hub]undo version 2 //IKEv1 only
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1-ike-peer-Hub]quit
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG1-ipsec-proposal-ESP]quit
[USG1]ipsec policy-template T 10 //template: the hub needs no remote-address or ACL for each spoke
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10]proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1-ipsec-policy-template-T-10]quit
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG1-GigabitEthernet1/0/0]quit

1. At this point, check that the firewall can ping the switches.

2. On the firewall, check the OSPF neighbours and routes: display ospf peer brief, display ip routing-table protocol ospf

3. Ping the internal hosts from the firewall.

Branches

🐖Branch1 firewall FW2

[USG2]int lo0
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ip add 100.1.52.2 24 //uplink to the ISP (AR5)
[USG2-GigabitEthernet1/0/0]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]ip add 10.2.132.2 24 //to SW3
[USG2-GigabitEthernet1/0/1]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]quit
[USG2-ospf-10]quit
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2-policy-security-rule-Internet]quit
[USG2-policy-security]quit
[USG2]nat-policy
[USG2-policy-nat]rule name 0 //NAT exemption for traffic to HQ; must come before the Internet rule
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat-rule-0]quit
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-nat easy-ip
[USG2-policy-nat-rule-Internet]quit
[USG2-policy-nat]quit
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2-ospf-10]quit
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN //IKE and ESP from the hub only
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security-rule-IPSec-OUT]quit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2-policy-security-rule-IPSec-DATA]quit
[USG2-policy-security]quit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Spoke1
[USG2-ike-peer-Spoke1]ike-proposal 10
[USG2-ike-peer-Spoke1]exchange-mode main
[USG2-ike-peer-Spoke1]undo version 2
[USG2-ike-peer-Spoke1]nat traversal
[USG2-ike-peer-Spoke1]remote-address 100.1.41.1 //the hub's public address
[USG2-ike-peer-Spoke1]pre-shared-key Cisco12345
[USG2-ike-peer-Spoke1]quit
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG2-ipsec-proposal-ESP]quit
[USG2]acl number 3000 //traffic to be protected by the tunnel
[USG2-acl-adv-3000]rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2-acl-adv-3000]quit
[USG2]ipsec policy Tigerlab 10 isakmp
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2-ipsec-policy-isakmp-Tigerlab-10]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG2-GigabitEthernet1/0/0]quit

Test pinging the internal hosts from the firewall; all of them respond.

🐖Branch2 firewall FW3

[USG3]int lo0
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ip add 100.1.63.3 24 //uplink to the ISP (AR6)
[USG3-GigabitEthernet1/0/0]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]ip add 10.3.143.3 24 //to SW4
[USG3-GigabitEthernet1/0/1]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1]quit
[USG3]ospf 10 router-id 10.3.3.3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]quit
[USG3-ospf-10]quit
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3-policy-security-rule-Internet]quit
[USG3-policy-security]quit
[USG3]nat-policy
[USG3-policy-nat]rule name 0 //NAT exemption for traffic to HQ; must come before the Internet rule
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat-rule-0]quit
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-nat easy-ip
[USG3-policy-nat-rule-Internet]quit
[USG3-policy-nat]quit
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3-ospf-10]quit
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN //IKE and ESP from the hub only
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security-rule-IPSec-OUT]quit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3-policy-security-rule-IPSec-DATA]quit
[USG3-policy-security]quit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share
[USG3-ike-proposal-10]dh group14
[USG3-ike-proposal-10]quit
[USG3]ike peer Spoke2
[USG3-ike-peer-Spoke2]ike-proposal 10
[USG3-ike-peer-Spoke2]exchange-mode main
[USG3-ike-peer-Spoke2]undo version 2
[USG3-ike-peer-Spoke2]nat traversal
[USG3-ike-peer-Spoke2]remote-address 100.1.41.1 //the hub's public address
[USG3-ike-peer-Spoke2]pre-shared-key Cisco12345
[USG3-ike-peer-Spoke2]quit
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG3-ipsec-proposal-ESP]quit
[USG3]acl number 3000 //traffic to be protected by the tunnel
[USG3-acl-adv-3000]rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3-acl-adv-3000]quit
[USG3]ipsec policy Tigerlab 10 isakmp
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3-ipsec-policy-isakmp-Tigerlab-10]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG3-GigabitEthernet1/0/0]quit
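The hub and spoke configurations above only work together if the proposals agree on both sides, the hub's no-nat rule covers every spoke LAN, and that no-nat rule sits before the source-nat rule. As an added example (not part of the original lab or of any vendor tooling), this Python script parses constructed CLI excerpts modelled on FW1 and FW2 and reports those three classes of mistake; the function names, the excerpt strings and the line-oriented parsing are assumptions of this example.

```python
"""Consistency checks for the lab's hub-and-spoke IPsec setup (added example, not the lab's tooling).
Input is USG-style CLI, one command per line, prompts stripped; the constructed excerpts below are
modelled on FW1 (hub) and FW2 (Branch1 spoke), and their only 'rule name' lines are nat-policy rules."""
import ipaddress
import re

HUB_CFG = """\
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-512
 dh group14
ipsec proposal ESP
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
nat-policy
 rule name 0
  destination-address 10.2.0.0 16
  destination-address 10.3.0.0 16
  action no-nat
 rule name Internet
  action source-nat easy-ip
"""
SPOKE_CFG = """\
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-512
 dh group14
ipsec proposal ESP
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
acl number 3000
 rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
"""
PROPOSAL_KEYS = ("encryption-algorithm", "authentication-algorithm", "dh",
                 "esp authentication-algorithm", "esp encryption-algorithm")

def proposal_params(cfg):
    """Collect the IKE and IPsec proposal parameters as {key: value}."""
    params = {}
    for line in (ln.strip() for ln in cfg.splitlines()):
        for key in PROPOSAL_KEYS:
            if line.startswith(key + " "):
                params[key] = line[len(key):].strip()
                break
    return params

def nat_rules(cfg):
    """Return the nat-policy rules in configured order: {name, dest (networks), action}."""
    rules = []
    for line in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"rule name (\S+)$", line):
            rules.append({"name": m.group(1), "dest": [], "action": None})
        elif rules and (m := re.match(r"destination-address (\S+) (\d+)$", line)):
            rules[-1]["dest"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif rules and line.startswith("action "):
            rules[-1]["action"] = line.split(None, 1)[1]
    return rules

def acl_protected(cfg):
    """(source, destination) networks from the spoke's IPsec ACL; wildcard masks are accepted."""
    return [(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}")) for s, sw, d, dw
            in re.findall(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", cfg)]

def no_nat_first(rules):
    """True when every no-nat rule precedes the first source-nat rule (the NAT policy is first-match)."""
    acts = [r["action"] or "" for r in rules]
    first_snat = next((i for i, a in enumerate(acts) if a.startswith("source-nat")), len(acts))
    return all(i < first_snat for i, a in enumerate(acts) if a == "no-nat")

def check_tunnel(hub_cfg, spoke_cfg):
    """Return findings; an empty list means the checked parameters agree."""
    hub_p, spoke_p = proposal_params(hub_cfg), proposal_params(spoke_cfg)
    findings = [f"proposal mismatch on '{k}': hub={hub_p.get(k)} spoke={spoke_p.get(k)}"
                for k in PROPOSAL_KEYS if hub_p.get(k) != spoke_p.get(k)]
    rules = nat_rules(hub_cfg)
    exempt = [net for r in rules if r["action"] == "no-nat" for net in r["dest"]]
    # Hub-to-spoke packets must leave un-NATed, or they never match the spoke's ACL / SA.
    findings += [f"spoke LAN {src} is not covered by the hub's no-nat rule"
                 for src, _ in acl_protected(spoke_cfg) if not any(src.subnet_of(n) for n in exempt)]
    if not no_nat_first(rules):
        findings.append("no-nat rule is ordered after a source-nat rule; move it before source-nat")
    return findings
```

Run check_tunnel(HUB_CFG, SPOKE_CFG) against excerpts taken from the live configs; an empty list means the three checks passed, and each string in a non-empty list names the mismatch to fix.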

ISP

🐖AR4

[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 100.1.41.4 24 //to FW1
[AR4-GigabitEthernet0/0/0]quit
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 100.1.100.4 24 //ISP core segment
[AR4-GigabitEthernet0/0/1]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.41.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0

🐖AR5

[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 100.1.52.5 24 //to FW2
[AR5-GigabitEthernet0/0/0]quit
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 100.1.100.5 24 //ISP core segment
[AR5-GigabitEthernet0/0/1]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.52.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.0

🐖AR6

[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]int g0/0/0
[AR6-GigabitEthernet0/0/0]ip add 100.1.63.6 24 //to FW3
[AR6-GigabitEthernet0/0/0]quit
[AR6]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip add 100.1.100.6 24 //ISP core segment
[AR6-GigabitEthernet0/0/1]quit
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.63.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0

Testing

1. Can the hosts in each site ping the ISP server? Both the HQ and the branch hosts can.

2. Connectivity test between HQ and the branches.

HQ can now communicate with the branches; this concludes the lab.

Lab source: Tigerlab

💬Summary

1. This article shared an IPsec VPN lab.

2. Vendor certification materials and videos are on the WeChat public account.

3. Interested readers can subscribe so they don't lose track; a like, favourite and share plus a follow are even better!
