IKE Aggressive Mode Lab
1. Lab equipment:
3 PCs, 4 H3C SecPath F100-C firewalls, and network cables.
2. Lab topology:
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIn5GcugDM5MTM1ATMw8CXzAjMxAjMvwFduVWboNWY0RXYvwVbvNmLvR3YxUjL1M3Lc9CX6MHc0RHaiojIsJye.png)
3. Goal: establish IPsec VPN tunnels between FW-1 and FW-2 and between FW-1 and FW-3 so that the internal networks can communicate (PC1 can reach PC2, and PC1 can reach PC3). FW-4 only acts as a switch in this lab.
4. Configuration steps:
FW-1:
system-view
firewall zone trust
add interface Ethernet 0/2
quit
firewall zone untrust
add interface Ethernet 0/1
quit
interface Ethernet0/2
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec proposal zhu-1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec proposal zhu-2
ike local-name fw1
ike peer peer-1
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw2
ike peer peer-2
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw3
ipsec policy policy1 10 isakmp
security acl 3000
proposal zhu-1
ike-peer peer-1
ipsec policy policy1 20 isakmp
security acl 3001
proposal zhu-2
ike-peer peer-2
interface Ethernet0/1
ipsec policy policy1
FW-2:
interface Ethernet0/1
ip address 2.1.1.1 24
interface Ethernet0/2
ip address 192.168.2.1 24
quit
firewall zone trust
add interface Ethernet0/2
firewall zone untrust
add interface Ethernet0/1
quit
ip route-static 0.0.0.0 0 2.1.1.2
ike local-name fw2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
ike peer peer-1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name fw1
remote-address 1.1.1.1
ipsec proposal zhu
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec policy policy2 10 isakmp
ike-peer peer-1
security acl 3000
proposal zhu
interface Ethernet0/1
ipsec policy policy2
FW-3:
interface Ethernet0/1
ip address 3.1.1.1 24
interface Ethernet0/2
ip address 192.168.3.1 24
ip route-static 0.0.0.0 0 3.1.1.2
ike local-name fw3
acl number 3000
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer peer-2
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name fw1
remote-address 1.1.1.1
ipsec proposal zhu-3
ipsec policy policy3 20 isakmp
ike-peer peer-2
security acl 3000
proposal zhu-3
interface Ethernet0/1
ipsec policy policy3
FW-4:
interface Ethernet0/1
ip address 1.1.1.2 24
interface Ethernet0/2
ip address 2.1.1.2 24
interface Ethernet0/3
ip address 3.1.1.2 24
quit
firewall zone untrust
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
quit
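Before running the display commands, it is worth checking the two sides of each tunnel against each other on paper, because nearly every "IKE SA never appears" result in a lab like this comes from one of a handful of mismatches: remote-name not equal to the peer's ike local-name, different exchange modes, different pre-shared keys, different ESP proposals, or security ACLs that are not mirror images. The script below is an added example (not part of the original lab and not H3C tooling): a small Python checker that parses only the Comware command subset used above and reports those mismatches, plus two audit notes that apply to this lab's settings (aggressive mode with a pre-shared key, and DES/MD5 in the proposal). The two embedded configs are constructed from the FW-1 and FW-2 steps in full command form, and the "broken" FW-2 copy is constructed as well; the Comware defaults it assumes for an ike peer (main mode) and an ipsec proposal (ESP, MD5, DES) are the documented ones.

```python
"""Cross-check two SecPath peers' IKE/IPsec settings for the mismatches that keep a
tunnel down, and flag weak choices. Added example, not H3C tooling; it knows only the
Comware command subset this lab uses."""
import re

# single-argument sub-view commands -> the field they set on the current view object
SUB = {"exchange-mode": "mode", "remote-name": "remote", "proposal": "proposal", "ike-peer": "peer"}


def parse(text):
    """A view-entering command selects ctx; the sub-view commands after it fill it in."""
    dev, ctx = {"local_name": None, "acls": {}, "peers": {}, "proposals": {}, "policies": {}}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        key = " ".join(tok[:2])
        if key == "ike local-name":
            dev["local_name"] = tok[2]
        elif key == "acl number":
            ctx = dev["acls"].setdefault(int(tok[2]), [])
        elif tok[0] == "rule" and tok[2] == "permit":  # keep (src, dst) of each permit rule
            ctx.append(tuple(re.findall(r"(?:source|destination) (\S+ \S+)", raw)))
        elif key == "ike peer":  # Comware default exchange mode is main
            ctx = dev["peers"].setdefault(tok[2], {"mode": "main", "psk": None, "remote": None})
        elif key == "ipsec proposal":  # Comware defaults: ESP with MD5 auth and DES encryption
            ctx = dev["proposals"].setdefault(tok[2], {"auth": "md5", "enc": "des"})
        elif key == "ipsec policy" and len(tok) == 5:  # ipsec policy NAME SEQ isakmp
            ctx = dev["policies"].setdefault((tok[2], int(tok[3])), {})
        elif tok[0] == "esp":  # esp authentication-algorithm X / esp encryption-algorithm X
            ctx["auth" if tok[1].startswith("auth") else "enc"] = tok[2]
        elif key == "security acl":
            ctx["acl"] = int(tok[2])
        elif tok[0] == "pre-shared-key":  # pre-shared-key [simple] KEY
            ctx["psk"] = tok[-1]
        elif tok[0] in SUB:
            ctx[SUB[tok[0]]] = tok[1]
    return dev


def check_pair(a, b, a_pol, b_pol):
    """Findings for one tunnel (one policy entry per side); MISMATCH blocks negotiation, WEAK is an audit note."""
    pa, pb = a["policies"][a_pol], b["policies"][b_pol]
    ka, kb = a["peers"][pa["peer"]], b["peers"][pb["peer"]]
    ra, rb = a["proposals"][pa["proposal"]], b["proposals"][pb["proposal"]]
    mirror_b = {(d, s) for s, d in b["acls"][pb["acl"]]}  # B's ACL with src/dst swapped
    checks = [
        (ka["remote"] != b["local_name"] or kb["remote"] != a["local_name"],
         "MISMATCH: remote-name does not match the peer's ike local-name"),
        (ka["mode"] != kb["mode"], "MISMATCH: exchange-mode differs"),
        (ka["psk"] != kb["psk"], "MISMATCH: pre-shared keys differ"),
        ((ra["auth"], ra["enc"]) != (rb["auth"], rb["enc"]), "MISMATCH: ipsec proposal algorithms differ"),
        (set(a["acls"][pa["acl"]]) != mirror_b, "MISMATCH: security ACLs are not mirror images"),
        (ka["mode"] == "aggressive" and ka["psk"] is not None,
         "WEAK: aggressive mode with a pre-shared key sends the identities and a PSK-keyed hash unencrypted"),
        (ra["enc"] == "des" or ra["auth"] == "md5", "WEAK: DES/MD5 in the ESP proposal; prefer AES and SHA-2"),
    ]
    return [msg for failed, msg in checks if failed]


# Constructed from the lab's FW-1 / FW-2 steps above, in full command form.
FW1 = """
ike local-name fw1
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal zhu-1
esp authentication-algorithm md5
esp encryption-algorithm des
ike peer peer-1
exchange-mode aggressive
pre-shared-key simple 12345
id-type name
remote-name fw2
ipsec policy policy1 10 isakmp
security acl 3000
proposal zhu-1
ike-peer peer-1
"""
FW2 = """
ike local-name fw2
acl number 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer peer-1
exchange-mode aggressive
pre-shared-key 12345
remote-name fw1
ipsec proposal zhu
ipsec policy policy2 10 isakmp
ike-peer peer-1
security acl 3000
proposal zhu
"""
# A constructed broken FW-2: mistyped key and an ACL that is not the mirror of FW-1's.
FW2_BROKEN = FW2.replace("pre-shared-key 12345", "pre-shared-key 12354").replace(
    "destination 192.168.1.0", "destination 192.168.3.0")


def audit(a_text, b_text, a_pol=("policy1", 10), b_pol=("policy2", 10)):
    return check_pair(parse(a_text), parse(b_text), a_pol, b_pol)


if __name__ == "__main__":
    for label, cfg in (("FW-1 <-> FW-2", FW2), ("FW-1 <-> broken FW-2", FW2_BROKEN)):
        print(label, *audit(FW1, cfg), sep="\n  ")
```

Run stand-alone it prints the findings for the lab pair (only the two WEAK notes, since the configs agree) and for the broken copy (two MISMATCH lines on top of them). Note that FW-2's `ipsec proposal zhu` has no sub-commands yet still matches `zhu-1`, because the parser applies the same ESP/MD5/DES defaults the firewall does; the FW-1/FW-3 tunnel can be checked the same way by passing the FW-3 text with `("policy1", 20)` and `("policy3", 20)`.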
Verify the configuration:
display ipsec sa
display ipsec policy
display ipsec tunnel
display ipsec proposal
display ike sa
FW-3:
display ipsec sa
display ipsec policy
display ipsec tunnel
Test:
(1) Communication between PC1 and PC2:
(2) Communication between PC1 and PC3: