IKE Aggressive Mode Lab
1. Lab equipment:
3 PCs, 4 H3C SecPath F100-C firewalls, and several network cables.
2. Lab topology:
3. Requirements: establish IPsec VPN tunnels between FW-1 and FW-2 and between FW-1 and FW-3 so that the internal networks can communicate (PC1 with PC2, and PC1 with PC3). FW-4 only acts as a switch in this lab.
4. Configuration steps:
FW-1:
system-view
firewall zone trust
add interface Ethernet 0/2
quit
firewall zone untrust
add interface Ethernet 0/1
interface Ethernet0/2
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec proposal zhu-2
ike local-name fw1
ike peer peer-1
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw2
ike peer peer-2
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw3
ipsec policy policy1 10 isakmp
sec acl 3000
proposal zhu-1
ike-peer peer-1
ipsec policy policy1 20 isakmp
sec acl 3001
proposal zhu-2
ike-peer peer-2
interface Ethernet0/1
ipsec policy policy1
FW-2 (interface and zone assignments mirror FW-1: Ethernet0/1 is the outside interface toward FW-4, Ethernet0/2 the inside interface toward PC2):
system-view
interface Ethernet0/1
ip address 2.1.1.1 24
interface Ethernet0/2
ip address 192.168.2.1 24
firewall zone trust
add interface Ethernet0/2
firewall zone untrust
add interface Ethernet0/1
ip route-static 0.0.0.0 0 2.1.1.2
ike local-name fw2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
ike peer peer-1
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw1
remote-address 1.1.1.1
ipsec proposal zhu
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec policy policy2 10 isakmp
ike-peer peer-1
security acl 3000
proposal zhu
interface Ethernet0/1
ipsec policy policy2
FW-3 (same interface and zone layout as FW-2; proposal zhu-3 is left at its defaults, matching zhu-2 on FW-1):
interface Ethernet0/1
ip address 3.1.1.1 24
interface Ethernet0/2
ip address 192.168.3.1 24
ip route-static 0.0.0.0 0 3.1.1.2
ike local-name fw3
acl number 3000
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer peer-2
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw1
remote-address 1.1.1.1
ipsec proposal zhu-3
ipsec policy policy3 20 isakmp
ike-peer peer-2
security acl 3000
proposal zhu-3
interface Ethernet0/1
ipsec policy policy3
FW-4 (the notes do not name the interfaces carrying 1.1.1.2 and 2.1.1.2; Ethernet0/1 and Ethernet0/2 are assumed here):
firewall zone untrust
add interface Ethernet 0/3
quit
interface Ethernet0/1
ip address 1.1.1.2 24
interface Ethernet0/2
ip address 2.1.1.2 24
interface Ethernet0/3
ip address 3.1.1.2 24
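Before looking at the state on the devices, the parameters the two ends of each tunnel must agree on (pre-shared key, proposal algorithms, and security ACLs that are mirror images of each other) can be cross-checked offline. The script below is an added example written for this write-up, not H3C code or anything from the lab itself: it parses a simplified, indented subset of the SecPath command syntax used above, using constructed FW-1 and FW-2 configurations built from the values in this lab, and reports mismatches between the two ends. It also flags the settings a practitioner would replace before using this design outside a lab: DES and MD5 in the ESP proposal are deprecated, and aggressive mode sends the identity in the clear and exposes the PSK-derived hash to offline guessing, so main mode or certificate authentication is preferred.

```python
# Added example for this write-up, not H3C code: parse a simplified, indented subset of the
# SecPath command syntax used above and cross-check the two ends of an IPsec tunnel.
import re

# Constructed sample configs from the FW-1 / FW-2 values; sub-commands are indented by one space.
FW1 = """\
ike local-name fw1
acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 20 deny ip source any destination any
ipsec proposal zhu-1
 esp authentication-algorithm md5
 esp encryption-algorithm des
ike peer peer-1
 exchange-mode aggressive
 pre-shared-key simple 12345
 remote-name fw2
ipsec policy policy1 10 isakmp
 security acl 3000
 proposal zhu-1
 ike-peer peer-1
"""
FW2 = """\
ike local-name fw2
acl number 3000
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer peer-1
 exchange-mode aggressive
 pre-shared-key 12345
 remote-name fw1
ipsec proposal zhu
 esp authentication-algorithm md5
 esp encryption-algorithm des
ipsec policy policy2 10 isakmp
 ike-peer peer-1
 security acl 3000
 proposal zhu
"""
BLOCKS = {"ike peer": "peers", "ipsec proposal": "proposals", "acl number": "acls", "ipsec policy": "policies"}
PERMIT = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
WEAK = {"des", "3des", "md5"}  # algorithms no longer acceptable for IPsec

def parse(text):
    """Turn the indented command text into dicts keyed by block type and name."""
    cfg = {"ike_local_name": None, "peers": {}, "proposals": {}, "acls": {}, "policies": {}}
    block = None
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):  # top-level command: closes the current block, may open one
            block, head = None, " ".join(w[:2])
            if head == "ike local-name":
                cfg["ike_local_name"] = w[2]
            elif head in BLOCKS and len(w) > (3 if head == "ipsec policy" else 2):
                name = (w[2], w[3]) if head == "ipsec policy" else w[2]  # policy entries keyed (name, seq)
                block = cfg[BLOCKS[head]].setdefault(name, [] if head == "acl number" else {})
        elif block is None:
            continue
        elif isinstance(block, list):  # ACL rules are kept verbatim
            block.append(" ".join(w))
        elif w[0] == "pre-shared-key":  # the optional simple/cipher keyword is dropped
            block["pre-shared-key"] = w[-1]
        else:  # "<keyword words> <value>"
            block[" ".join(w[:-1])] = w[-1]
    return cfg

def permitted_flows(rules):
    return {m.groups() for m in map(PERMIT.match, rules) if m}  # (src, wildcard, dst, wildcard)

def check_pair(a, b):
    """Findings for every policy entry on a that faces b, matched by IKE names."""
    findings = []
    for (pol, seq), entry in a["policies"].items():
        peer = a["peers"].get(entry.get("ike-peer"), {})
        if peer.get("remote-name") != b["ike_local_name"]:
            continue  # this entry faces some other gateway
        facing = [(k, e) for k, e in b["policies"].items()
                  if b["peers"].get(e.get("ike-peer"), {}).get("remote-name") == a["ike_local_name"]]
        if not facing:
            findings.append(f"{pol} {seq}: no entry on {b['ike_local_name']} points back at {a['ike_local_name']}")
            continue
        (bpol, bseq), bentry = facing[0]
        bpeer = b["peers"][bentry["ike-peer"]]
        where = f"{pol} {seq} vs {bpol} {bseq}"
        if peer.get("pre-shared-key") != bpeer.get("pre-shared-key"):
            findings.append(f"{where}: pre-shared-key mismatch")
        if a["proposals"].get(entry.get("proposal")) != b["proposals"].get(bentry.get("proposal")):
            findings.append(f"{where}: ipsec proposal parameters differ (compared as configured)")
        flows_a = permitted_flows(a["acls"].get(entry.get("security acl"), []))
        flows_b = permitted_flows(b["acls"].get(bentry.get("security acl"), []))
        if {(d, dm, s, sm) for s, sm, d, dm in flows_a} != flows_b:
            findings.append(f"{where}: security ACLs are not mirror images")
    return findings

def hygiene(cfg):
    """Lab settings to replace before production use: aggressive mode, DES/3DES, MD5."""
    out = [f"ike peer {n}: aggressive mode sends the identity in the clear and exposes the PSK-derived hash to offline guessing"
           for n, p in cfg["peers"].items() if p.get("exchange-mode") == "aggressive"]
    out += [f"ipsec proposal {n}: {k} {v} is deprecated" for n, p in cfg["proposals"].items() for k, v in p.items() if v in WEAK]
    return out
```

Running check_pair(parse(FW1), parse(FW2)) on the two constructed configs returns no findings, while changing the pre-shared key or an ACL address on one side produces a one-line finding naming the two policy entries involved; hygiene(parse(FW1)) lists the aggressive-mode peer and both weak ESP algorithms. Proposals are compared exactly as written, so when one end relies on defaults (as zhu-2 and zhu-3 do above) the comparison only holds if both ends leave the same parameters unset.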
Verify the configuration:
display ipsec sa
display ipsec policy
display ipsec tunnel
display ipsec proposal
display ike sa
FW-3:
display ipsec sa
display ipsec policy
display ipsec tunnel
Tests:
(1) Communication between PC1 and PC2:
(2) Communication between PC1 and PC3: