IPSEC VPN Point-to-Multipoint Configuration.docx

Uploaded by: 牧羊曲112   Document ID: 3159177   Upload date: 2023-03-11   Format: DOCX   Pages: 7   Size: 37.68KB

IPSEC VPN point-to-multipoint configuration

The headquarters has a static IP address; the branches obtain their addresses dynamically by dial-up, so their addresses are not stable. Build an IPsec VPN between headquarters and the branches.

Headquarters USG-1 configuration

[USG-1] firewall zone trust
[USG-1-zone-trust] add int g0/0/0
[USG-1-zone-trust] quit
[USG-1] firewall zone untrust
[USG-1-zone-untrust] add int g0/0/1
[USG-1-zone-untrust] quit
[USG-1] ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
[USG-1] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1] int g0/0/0
[USG-1-GigabitEthernet0/0/0] ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0] quit

- Phase 1 -
[USG-1] ike proposal 1    // create an IKE proposal
[USG-1-ike-proposal-1] authentication-method pre-share    // IKE authentication method: pre-shared key
[USG-1-ike-proposal-1] authentication-algorithm sha1    // IKE authentication algorithm: SHA1
[USG-1-ike-proposal-1] integrity-algorithm aes-xcbc-96    // IKE integrity algorithm
[USG-1-ike-proposal-1] dh group2    // DH group for IKE key negotiation
[USG-1-ike-proposal-1] quit
[USG-1] ike peer usg-n    // create an IKE peer named usg-n
[USG-1-ike-peer-usg-n] ike-proposal 1    // reference the IKE proposal
[USG-1-ike-peer-usg-n] pre-shared-key abc123    // configure the pre-shared key
[USG-1-ike-peer-usg-n] quit
Note: because the peer address is not fixed, no remote address is specified on the headquarters side.

- Phase 2 -
[USG-1] ipsec proposal test    // create an IPsec proposal
[USG-1-ipsec-proposal-test] encapsulation-mode tunnel    // tunnel encapsulation
[USG-1-ipsec-proposal-test] transform esp    // IPsec security protocol: ESP
[USG-1-ipsec-proposal-test] esp authentication-algorithm sha1    // ESP authentication algorithm
[USG-1-ipsec-proposal-test] esp encryption-algorithm aes    // ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test] quit
[USG-1] acl 3000    // create an ACL defining the interesting traffic
[USG-1-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000] quit

- Configure the policy template -
[USG-1] ipsec policy-template tem 1    // create a policy template
[USG-1-ipsec-policy-template-tem-1] ike-peer usg-n    // reference the IKE peer
[USG-1-ipsec-policy-template-tem-1] proposal test    // reference the IPsec proposal
[USG-1-ipsec-policy-template-tem-1] security acl 3000    // configure the interesting traffic
[USG-1-ipsec-policy-template-tem-1] quit
[USG-1] ipsec policy map 1 isakmp template tem    // create a policy named map and bind it to the template
[USG-1] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ipsec policy map    // apply the policy on the interface
[USG-1-GigabitEthernet0/0/1] quit

Interzone policy configuration
[USG-1] policy interzone trust untrust outbound
[USG-1-policy-interzone-trust-untrust-outbound] policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1] action permit
[USG-1-policy-interzone-trust-untrust-outbound-1] quit
[USG-1-policy-interzone-trust-untrust-outbound] quit
[USG-1] policy interzone trust untrust inbound
[USG-1-policy-interzone-trust-untrust-inbound] policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1] policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] action permit
[USG-1-policy-interzone-trust-untrust-inbound-1] quit
[USG-1-policy-interzone-trust-untrust-inbound] quit
[USG-1] policy interzone local untrust inbound
[USG-1-policy-interzone-local-untrust-inbound] policy 1
[USG-1-policy-interzone-local-untrust-inbound-1] policy destination 11.0.0.2 0    // allow anyone to reach the destination 11.0.0.2
[USG-1-policy-interzone-local-untrust-inbound-1] action permit
[USG-1-policy-interzone-local-untrust-inbound-1] quit
[USG-1-policy-interzone-local-untrust-inbound] quit

Branch configuration

[USG-2] firewall zone trust
[USG-2-zone-trust] add int g0/0/0
[USG-2-zone-trust] quit
[USG-2] firewall zone untrust
[USG-2-zone-untrust] add int g0/0/1
[USG-2-zone-untrust] quit
[USG-2] int g0/0/0
[USG-2-GigabitEthernet0/0/0] ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

- Phase 1 -
[USG-2] ike proposal 1
[USG-2-ike-proposal-1] authentication-method pre-share
[USG-2-ike-proposal-1] authentication-algorithm sha1
[USG-2-ike-proposal-1] integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1] dh group2
[USG-2-ike-proposal-1] quit
[USG-2] ike peer usg-1
[USG-2-ike-peer-usg-1] ike-proposal 1
[USG-2-ike-peer-usg-1] pre-shared-key abc123
[USG-2-ike-peer-usg-1] remote-address 11.0.0.2
[USG-2-ike-peer-usg-1] quit

- Phase 2 -
[USG-2] ipsec proposal test
[USG-2-ipsec-proposal-test] encapsulation-mode tunnel
[USG-2-ipsec-proposal-test] transform esp
[USG-2-ipsec-proposal-test] esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test] esp encryption-algorithm aes
[USG-2-ipsec-proposal-test] quit
[USG-2] acl 3000
[USG-2-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000] quit

- Configure the security policy -
[USG-2] ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1] ike-peer usg-1
[USG-2-ipsec-policy-isakmp-map-1] proposal test
[USG-2-ipsec-policy-isakmp-map-1] security acl 3000
[USG-2-ipsec-policy-isakmp-map-1] quit
[USG-2] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ipsec policy map auto-neg    // without auto-neg the tunnel is only established when the branch initiates traffic, so headquarters cannot otherwise communicate with the branch; with auto-neg the tunnel is established automatically
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound] policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1] action permit
[USG-2-policy-interzone-trust-untrust-outbound-1] quit
[USG-2-policy-interzone-trust-untrust-outbound] quit
[USG-2] policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound] policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1] policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] action permit
[USG-2-policy-interzone-trust-untrust-inbound-1] quit
[USG-2-policy-interzone-trust-untrust-inbound] quit
[USG-2] policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound] policy 1
[USG-2-policy-interzone-local-untrust-inbound-1] policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1] action permit
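As an added example (not part of the original document), a small Python checker that parses the bracketed-prompt command lines above and verifies the points this point-to-multipoint setup depends on: matching IKE proposals and pre-shared keys on both sides, no remote-address pinned on the headquarters peer, the branch remote-address pointing at the headquarters outside address, mirror-image interesting-traffic ACLs, and auto-neg on the branch interface. The sample lines are constructed from this page's configuration; the function names and context matching are my own assumptions, not a Huawei tool.

```python
import re
# Constructed sample input: the essential HQ (USG-1) and branch (USG-2) lines
# from this page, in the bracketed-prompt CLI form the document uses.
HQ = """
[USG-1-ike-proposal-1] authentication-algorithm sha1
[USG-1-ike-peer-usg-n] pre-shared-key abc123
[USG-1-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-GigabitEthernet0/0/1] ip address 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1] ipsec policy map
"""
BRANCH = """
[USG-2-ike-proposal-1] authentication-algorithm sha1
[USG-2-ike-peer-usg-1] pre-shared-key abc123
[USG-2-ike-peer-usg-1] remote-address 11.0.0.2
[USG-2-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-GigabitEthernet0/0/1] ipsec policy map auto-neg
"""

def parse(text):
    """Return (context, command) pairs from '[ctx] command // comment' lines."""
    return [(ctx.lstrip("["), cmd.split("//")[0].strip())
            for ctx, _, cmd in (ln.partition("]") for ln in text.strip().splitlines())]

def in_ctx(pairs, key):  # commands entered in any context whose prompt contains key
    return [cmd for ctx, cmd in pairs if key in ctx]

def mirrored(rule):  # swap source and destination of an ACL 'rule permit ip ...' line
    m = re.fullmatch(r"rule permit ip source (\S+ \S+) destination (\S+ \S+)", rule)
    return f"rule permit ip source {m.group(2)} destination {m.group(1)}"

def check(hq_text, branch_text):
    """Return findings for an HQ/branch pair; an empty list means they agree."""
    hq, br, findings = parse(hq_text), parse(branch_text), []
    if sorted(in_ctx(hq, "ike-proposal-1")) != sorted(in_ctx(br, "ike-proposal-1")):
        findings.append("IKE proposal parameters differ between HQ and branch")
    hq_peer, br_peer = in_ctx(hq, "ike-peer"), in_ctx(br, "ike-peer")
    if next(c for c in hq_peer if c.startswith("pre-shared-key")) not in br_peer:
        findings.append("pre-shared keys differ")
    if any(c.startswith("remote-address") for c in hq_peer):
        findings.append("HQ peer pins remote-address, but branch addresses are dynamic")
    wan = next(c.split()[2] for c in in_ctx(hq, "GigabitEthernet0/0/1") if c.startswith("ip add"))
    if f"remote-address {wan}" not in br_peer:
        findings.append(f"branch remote-address does not point at HQ address {wan}")
    hq_rules, br_rules = ({c for c in in_ctx(x, "acl-adv-3000") if c.startswith("rule")} for x in (hq, br))
    if {mirrored(r) for r in hq_rules} != br_rules:
        findings.append("interesting-traffic ACLs are not mirror images of each other")
    if "ipsec policy map auto-neg" not in in_ctx(br, "GigabitEthernet0/0/1"):
        findings.append("branch policy lacks auto-neg, so HQ cannot initiate the tunnel")
    return findings
```

Running the checker over the page's own configuration yields no findings; removing auto-neg or changing either pre-shared key produces the corresponding finding.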
