需求:企业新分支机构D部署CISCO 路由器为互联网出口网关,需与总部hillstonefwa建立ipsec vpn。
总部防火墙关键配置
fwa# show configuration
interface tunnel50
exit
zone “untrust”
type wan
exit
zone “ipsecvpn“
vrouter “trust-vr”
exit
hostname “fwa”
isakmp proposal “psk-md5-3des-g2“
hash md5
exit
isakmp peer “ciscora“
mode aggressive
isakmp-proposal “psk-md5-3des-g2“
pre-share “123456“
peer 20.3.3.1
nat-traversal
accept-all-peer-id
interface ethernet0/1
exit
ipsec proposal “esp-md5-3des-g2“
hash md5
encryption 3des
group 2
exit
tunnel ipsec “ciscoraipsec” auto
mode tunnel
isakmp-peer “ciscora“
ipsec-proposal “esp-md5-3des-g2“
auto-connect
id local 10.1.1.0/24 remote 172.16.3.0/24 service “any”
exit
interface ethernet0/0
zone “trust”
ip address 10.1.1.254 255.255.255.0
manage ping
manage ssh
exit
interface ethernet0/1
zone “untrust”
ip address 20.0.0.1 255.255.255.0
manage ping
exit
interface tunnel50
zone “ipsecvpn“
manage ping
tunnel ipsec “ciscoraipsec“
reverse-route prefer
exit
ip vrouter “trust-vr”
snatrule id 1 from “10.1.1.0/24” to “Any” service “Any” eif ethernet0/1 trans-to eif-ip mode dynamicport
ip route 0.0.0.0/0 20.0.0.100
ip route 172.16.3.0/24 “tunnel50”
exit
rule id 1
action permit
src-zone “trust”
dst-zone “untrust”
src-addr “Any”
dst-addr “Any”
service “Any”
exit
rule id 51
action permit
src-zone “ipsecvpn“
dst-zone “trust”
src-ip “20.3.3.1/32“
src-ip “172.16.3.0/24“
dst-ip 10.1.1.0/24
service “Any”
exit
rule id 52
action permit
src-zone “trust”
dst-zone “ipsecvpn“
src-ip “10.1.1.0/24“
dst-addr “172.16.3.0/24“
service “Any”
exit
End
分支D CISCO路由器关键配置
ciscoRA# show configuration
!
hostname ciscoRA
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 20.0.0.1
!
!
crypto ipsec transform-set hillstonefwa esp-3des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
set peer 20.0.0.1
set transform-set hillstonefwa
set pfs group2
match address ipsecvpn
!
interface FastEthernet0/0
ip address 172.16.3.254 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 20.3.3.1 255.255.255.0
ip nat outside
crypto map crymap
!
ip route 0.0.0.0 0.0.0.0 20.3.3.100
!
ip nat inside source list PAT interface FastEthernet0/1 overload
!
ip access-list extended PAT
deny ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 172.16.3.0 0.0.0.255 any
ip access-list extended ipsecvpn
permit ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end
测试验证
1、在分支机构D 内部设备使用ping 测试至总部内部服务的连通性;
2、分支机构D 思科路由器使用show crypto isakmp sa 和 show crypto engine connections active命令查看IKE第一阶段协商状态和IPSEC加密连接状态;
3、分支机构D 思科路由器使用show crypto ipsec sa 命令查看IKE第二阶段协商状态;
4、总部山石防火墙使用 show isakmp sa 和 show ipsec sa 命令查看IKE 第一阶段和第二阶段协调状态。