Network topology and description
Network description:
This case uses the F1060 firewall in the H3C HCL simulator to model a typical GRE over IPsec deployment. The intranets and the Internet are marked in the network topology diagram. FW1 and FW2 are the egress devices of their respective intranets and provide NAT. So that intranet 1 and intranet 2 can communicate across the Internet, a GRE VPN tunnel is built between FW1 and FW2, and to protect the data in transit IPsec is embedded inside that GRE VPN tunnel.
A note on the encapsulation order: in the configuration below the IPsec policy is applied to the Tunnel interface, the IKE peers are the tunnel addresses 123.0.0.1 and 123.0.0.2, and the ACL matches the two private subnets. Packets are therefore IPsec-encapsulated first and the resulting ESP packets are then carried inside GRE, which is the order H3C's documentation calls IPsec over GRE. On the wire the ISP sees the outer IP header between 202.1.100.2 and 202.2.100.2, the GRE header, the 123.0.0.x tunnel header and the ESP header; the private addresses and the payload are encrypted. GRE over IPsec in the strict sense protects the GRE packets themselves, by applying the IPsec policy to the physical egress interface with an ACL that matches GRE between the two public addresses.
Configuration steps
1. Configure the IP addresses according to the network topology diagram
2. Configure NAT on FW1 and a default route pointing to the ISP
3. Configure NAT on FW2 and a default route pointing to the ISP
4. Build a GRE VPN tunnel between FW1 and FW2
5. Nest IPsec inside the GRE VPN tunnel
Key configuration points
The key configuration points for GRE over IPsec on the F1060 are listed below; the complete configuration procedure and the test results are in the attachment. The listing omits the interface addressing, NAT and default routes from steps 1 to 3, and it also omits the inter-zone security policies: on the F1060 traffic between security zones, including traffic to and from the Local zone, is dropped unless a security policy permits it, so the GRE, IKE and ESP traffic between the two firewalls (Local to and from Untrust) and the traffic between the two private subnets (Trust to and from Untrust) must be permitted. The settings shown are lab settings: ike proposal 1 is left at its version-dependent defaults, the pre-shared key is entered with key simple (stored in cleartext), and the transform set uses DES-CBC with MD5. In production, set the IKE proposal's encryption, authentication and DH group explicitly, use AES-CBC with a SHA-2 authentication algorithm for ESP, and use a long random pre-shared key or certificate authentication. After both sides are configured, verify with display ike sa and display ipsec sa and with a ping between the two private networks.
GRE over IPsec key configuration points:
FW1:
[FW1]acl advanced 3000
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1-acl-ipv4-adv-3000]quit
[FW1]ike proposal 1
[FW1-ike-proposal-1]quit
[FW1]ike keychain james
[FW1-ike-keychain-james]pre-shared-key address 123.0.0.2 255.255.255.252 key simple james
[FW1-ike-keychain-james]quit
[FW1]ike profile james
[FW1-ike-profile-james]proposal 1
[FW1-ike-profile-james]keychain james
[FW1-ike-profile-james]local-identity address 123.0.0.1
[FW1-ike-profile-james]match remote identity address 123.0.0.2 255.255.255.252
[FW1-ike-profile-james]quit
[FW1]ipsec transform-set james
[FW1-ipsec-transform-set-james]protocol esp
[FW1-ipsec-transform-set-james]encapsulation-mode tunnel
[FW1-ipsec-transform-set-james]esp authentication-algorithm md5
[FW1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW1-ipsec-transform-set-james]quit
[FW1]ipsec policy james 1 isakmp
[FW1-ipsec-policy-isakmp-james-1]security acl 3000
[FW1-ipsec-policy-isakmp-james-1]transform-set james
[FW1-ipsec-policy-isakmp-james-1]ike-profile james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-ipsec-policy-isakmp-james-1]quit
[FW1]int Tunnel 0 mode gre
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
[FW1-Tunnel0]ipsec apply policy james
[FW1-Tunnel0]quit
[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Tunnel 0
[FW1-security-zone-Untrust]quit
FW2 (the ipsec transform-set, omitted from the original key-point listing but required because FW2's policy references it, is included here and mirrors FW1's):
[FW2]acl advanced 3000
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2-acl-ipv4-adv-3000]quit
[FW2]ike proposal 1
[FW2-ike-proposal-1]quit
[FW2]ike keychain james
[FW2-ike-keychain-james]pre-shared-key address 123.0.0.1 255.255.255.252 key simple james
[FW2-ike-keychain-james]quit
[FW2]ike profile james
[FW2-ike-profile-james]keychain james
[FW2-ike-profile-james]proposal 1
[FW2-ike-profile-james]match remote identity address 123.0.0.1 255.255.255.252
[FW2-ike-profile-james]local-identity address 123.0.0.2
[FW2-ike-profile-james]quit
[FW2]ipsec transform-set james
[FW2-ipsec-transform-set-james]protocol esp
[FW2-ipsec-transform-set-james]encapsulation-mode tunnel
[FW2-ipsec-transform-set-james]esp authentication-algorithm md5
[FW2-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW2-ipsec-transform-set-james]quit
[FW2]ipsec policy james 1 isakmp
[FW2-ipsec-policy-isakmp-james-1]security acl 3000
[FW2-ipsec-policy-isakmp-james-1]transform-set james
[FW2-ipsec-policy-isakmp-james-1]ike-profile james
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-ipsec-policy-isakmp-james-1]quit
[FW2]int Tunnel 0 mode gre
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2-Tunnel0]ipsec apply policy james
[FW2-Tunnel0]quit
[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface Tunnel 0
[FW2-security-zone-Untrust]quit
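The two sides must be exact mirror images of each other for IKE and IPsec to negotiate, and on a two-box lab it is easy to transpose an address or forget a stanza on one peer. The following Python script is an added example, not part of the original case and not an H3C tool: it parses the two CLI transcripts above (embedded as constructed input, reduced to the relevant lines, with a transform-set on FW2 identical to FW1's because FW2's policy references one) and checks the cross-peer invariants: mirrored ACLs, crossed GRE source/destination, remote-address and static-route next hop equal to the peer's tunnel IP, each peer's IKE identity inside the other's match remote identity and keychain address ranges, equal pre-shared keys, and identical ESP algorithms. It also warns about the lab-only settings (DES-CBC, MD5 and a cleartext key simple pre-shared key). The regular expressions recognise only the command forms used on this page; they are not a general Comware parser, and the field names (PATTERNS keys, check_pair, covers) are the script's own.

```python
"""Cross-peer consistency check for the FW1/FW2 key points above (added example, not H3C code)."""
import ipaddress
import re

# Constructed input: the page's two listings reduced to the lines the checker reads.
# FW2's transform-set mirrors FW1's, since FW2's ipsec policy references it.
FW1_CFG = """
[FW1-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[FW1-ike-keychain-james]pre-shared-key address 123.0.0.2 255.255.255.252 key simple james
[FW1-ike-profile-james]local-identity address 123.0.0.1
[FW1-ike-profile-james]match remote identity address 123.0.0.2 255.255.255.252
[FW1]ipsec transform-set james
[FW1-ipsec-transform-set-james]esp authentication-algorithm md5
[FW1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW1-ipsec-policy-isakmp-james-1]transform-set james
[FW1-ipsec-policy-isakmp-james-1]remote-address 123.0.0.2
[FW1-Tunnel0]ip address 123.0.0.1 30
[FW1-Tunnel0]source 202.1.100.2
[FW1-Tunnel0]destination 202.2.100.2
[FW1]ip route-static 172.16.1.0 255.255.255.0 123.0.0.2
"""
FW2_CFG = """
[FW2-acl-ipv4-adv-3000]rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW2-ike-keychain-james]pre-shared-key address 123.0.0.1 255.255.255.252 key simple james
[FW2-ike-profile-james]local-identity address 123.0.0.2
[FW2-ike-profile-james]match remote identity address 123.0.0.1 255.255.255.252
[FW2]ipsec transform-set james
[FW2-ipsec-transform-set-james]esp authentication-algorithm md5
[FW2-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[FW2-ipsec-policy-isakmp-james-1]transform-set james
[FW2-ipsec-policy-isakmp-james-1]remote-address 123.0.0.1
[FW2-Tunnel0]ip address 123.0.0.2 30
[FW2-Tunnel0]source 202.2.100.2
[FW2-Tunnel0]destination 202.1.100.2
[FW2]ip route-static 192.168.1.0 255.255.255.0 123.0.0.1
"""

# Command forms used on the page (fullmatch after the [FWx-...] prompt is removed); the input
# holds only the Tunnel interface, so "ip address" is taken as the tunnel address.
PATTERNS = {
    "acl": r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+",
    "psk": r"pre-shared-key address (\S+) (\S+) key (simple|cipher) (\S+)",
    "local_id": r"local-identity address (\S+)",
    "remote_id": r"match remote identity address (\S+) (\S+)",
    "ts_def": r"ipsec transform-set (\S+)",
    "esp_auth": r"esp authentication-algorithm (\S+)",
    "esp_enc": r"esp encryption-algorithm (\S+)",
    "ts_ref": r"transform-set (\S+)",
    "remote": r"remote-address (\S+)",
    "tun_ip": r"ip address (\S+) \d+",
    "tun_src": r"source (\S+)",
    "tun_dst": r"destination (\S+)",
    "route": r"ip route-static (\S+) (\S+) (\S+)",
}

def parse(cfg):
    """Map each recognised command to its captured fields."""
    fields = {}
    for raw in cfg.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]", "", raw.strip())  # drop the CLI prompt
        for key, pat in PATTERNS.items():
            m = re.fullmatch(pat, cmd)
            if m:
                fields[key] = m.groups()
                break
    return fields

def covers(addr, net, mask):
    # True if addr lies inside net/mask (dotted netmask, as typed in the CLI)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def check_pair(cfg_a, cfg_b):
    """Return (errors, warnings); an empty error list means the two peers are consistent."""
    peers = {"A": parse(cfg_a), "B": parse(cfg_b)}
    errors, warnings = [], []
    for name, p in peers.items():
        missing = sorted(k for k in PATTERNS if k not in p)
        if missing:
            errors.append(f"{name}: missing {missing}")
    if errors:
        return errors, warnings  # the cross checks need both peers complete
    a, b = peers["A"], peers["B"]
    if a["acl"] != b["acl"][::-1]:
        errors.append("ACLs are not mirror images")
    if (a["tun_src"], a["tun_dst"]) != (b["tun_dst"], b["tun_src"]):
        errors.append("GRE source/destination do not cross")
    if (a["esp_auth"], a["esp_enc"]) != (b["esp_auth"], b["esp_enc"]):
        errors.append("transform-set algorithms differ")
    if a["psk"][2] == b["psk"][2] == "simple" and a["psk"][3] != b["psk"][3]:
        errors.append("pre-shared keys differ")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["ts_ref"] != me["ts_def"]:
            errors.append(f"{name}: ipsec policy references an undefined transform-set")
        if me["remote"][0] != peer["tun_ip"][0] or me["route"][2] != peer["tun_ip"][0]:
            errors.append(f"{name}: remote-address or route next hop is not the peer tunnel IP")
        if not covers(peer["local_id"][0], *me["remote_id"]):
            errors.append(f"{name}: peer identity outside the 'match remote identity' range")
        if not covers(peer["tun_ip"][0], me["psk"][0], me["psk"][1]):
            errors.append(f"{name}: keychain address range does not cover the peer")
        if me["psk"][2] == "simple":
            warnings.append(f"{name}: pre-shared key stored in cleartext (key simple)")
        if me["esp_enc"][0].startswith("des") or me["esp_auth"][0] == "md5":
            warnings.append(f"{name}: weak ESP algorithms {me['esp_enc'][0]}/{me['esp_auth'][0]}")
    return errors, warnings
```

Called as check_pair(FW1_CFG, FW2_CFG) it reports no errors and four warnings (cleartext key and weak ESP algorithms on each side) for the configuration above; removing FW2's ipsec transform-set line, changing one pre-shared key, or mistyping a tunnel destination produces the corresponding error, which is the kind of mismatch that otherwise only shows up as an IKE negotiation that never completes.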