IPSEC在企業網中的應用（四）

IKE野蠻模式實驗

一、實驗裝置：

 3台PC，4台H3C SecPath F100-C防火牆，網線若幹。

二、實驗拓撲:

三、要求在FW-1與FW-2、FW-1與FW-3之間建立×××，實作内網通訊（即PC1與PC2能通訊、PC1能與PC3通訊）。FW-4僅充當交換機實驗。

四、配置步驟：

FW-1：

system-view

firewall zone trust

add interface Ethernet 0/2

quit

firewall zone untrust

add interface Ethernet 0/1

interface Ethernet0/2

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/1

ip address 1.1.1.1 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

acl number 3000

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 20 deny ip source any destination any

acl number 3001

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

ipsec proposal zhu-1

encapsulation-mode tunnel

transform esp

esp authentication-algorithm md5

esp encryption-algorithm des

ipsec proposal zhu-2

ike local-name fw1

ike peer peer-1

exchange-mode aggressive

pre-shared-key simple 12345

id-type name

remote-name fw2

ike peer peer-2

remote-name fw3

ipsec policy policy1 10 isakmp

sec acl 3000

proposal zhu-1

ike-peer peer-1

ipsec policy policy1 20 isakmp

sec acl 3001

proposal zhu-2

ike-peer peer-2

ipsec policy policy1

FW-2：

ip add 2.1.1.1 24

ip add 192.168.2.1 24

add interface Ethernet0/2

add interface Ethernet0/1

ip route-static 0.0.0.0 0 2.1.1.2

ike local-name fw2

rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255

rule 20 deny ip source any dest any

ike peer peer-1 

exchange-mode aggressive  

pre-shared-key 12345

remote-name fw1

remote-address 1.1.1.1

ipsec propo zhu

enca tunnel

trans esp

es auth md5

esp enc des

ipsec policy policy2 10 isakmp

ike-peer peer-1

sec acl 3000

propo zhu

inter Ethernet0/1

ipsec poli policy2

FW-3：

ip add 3.1.1.1 24

ip add 192.168.3.1 24

ip route-static 0.0.0.0 0 3.1.1.2

ike local-name fw3

rule 10 permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255

ike peer peer-2 

ipsec propo zhu-3

ipsec policy policy3 20 isakmp

propo zhu-3

ipsec poli policy3

FW-4：

firewall zone untrust

add interface Ethernet 0/3

ip add 1.1.1.2 24

ip add 2.1.1.2 24   

quit                

interface Ethernet0/3

ip add 3.1.1.2 24   

檢視配置：

dis ipsec sa

display ipsec policy

display   ipsec tunnel

display ipsec proposal

display ike sa

FW-3:

dis   ipsec   sa

display ipsec policy

display ipsec tunnel

測試：

（1）、PC1與PC2之間通信：

（2）、PC1與PC3之間的通信：