Resource Notes
rsrc.ink

Hillstone FW & Cisco Router IPsec VPN

Requirement: a new branch office D deploys a Cisco router as its Internet egress gateway and needs to establish an IPsec VPN to the headquarters Hillstone firewall fwa.

Key configuration of the headquarters firewall

fwa# show configuration

interface tunnel50
exit
zone "untrust"
  type wan
exit
zone "ipsecvpn"
  vrouter "trust-vr"
exit
hostname "fwa"

isakmp proposal "psk-md5-3des-g2"
  hash md5
exit

isakmp peer "ciscora"
  mode aggressive
  isakmp-proposal "psk-md5-3des-g2"
  pre-share "123456"
  peer 20.3.3.1
  nat-traversal
  accept-all-peer-id
  interface ethernet0/1
exit

ipsec proposal "esp-md5-3des-g2"
  hash md5
  encryption 3des
  group 2
exit

tunnel ipsec "ciscoraipsec" auto
  mode tunnel
  isakmp-peer "ciscora"
  ipsec-proposal "esp-md5-3des-g2"
  auto-connect
  id local 10.1.1.0/24 remote 172.16.3.0/24 service "any"
exit

interface ethernet0/0
  zone  "trust"
  ip address 10.1.1.254 255.255.255.0
  manage ping
  manage ssh
exit
interface ethernet0/1
  zone  "untrust"
  ip address 20.0.0.1 255.255.255.0
  manage ping
exit

interface tunnel50
  zone  "ipsecvpn"
  manage ping
  tunnel ipsec "ciscoraipsec"
  reverse-route prefer
exit
ip vrouter "trust-vr"
  snatrule id 1 from "10.1.1.0/24" to "Any" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport
  ip route 0.0.0.0/0 20.0.0.100
  ip route 172.16.3.0/24 "tunnel50"
exit

rule id 1
  action permit
  src-zone "trust"
  dst-zone "untrust"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
exit

rule id 51
  action permit
  src-zone "ipsecvpn"
  dst-zone "trust"
  src-ip "20.3.3.1/32"
  src-ip "172.16.3.0/24"
  dst-ip 10.1.1.0/24
  service "Any"
exit
rule id 52
  action permit
  src-zone "trust"
  dst-zone "ipsecvpn"
  src-ip "10.1.1.0/24"
  dst-addr "172.16.3.0/24"
  service "Any"
exit

End
Key configuration of the branch D Cisco router

ciscoRA# show configuration

!
hostname ciscoRA
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 20.0.0.1
!
!
crypto ipsec transform-set hillstonefwa esp-3des esp-md5-hmac
!
crypto map crymap 10 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set hillstonefwa
 set pfs group2
 match address ipsecvpn
!
interface FastEthernet0/0
 ip address 172.16.3.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 20.3.3.1 255.255.255.0
 ip nat outside
 crypto map crymap
!
ip route 0.0.0.0 0.0.0.0 20.3.3.100
!
ip nat inside source list PAT interface FastEthernet0/1 overload
!
ip access-list extended PAT
 deny   ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 172.16.3.0 0.0.0.255 any
ip access-list extended ipsecvpn
 permit ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end

Test and verification

1. On an internal device at branch D, use ping to test connectivity to the internal services at headquarters;

2. On the branch D Cisco router, use show crypto isakmp sa and show crypto engine connections active to check the IKE phase 1 negotiation status and the IPsec encrypted connection status;

3. On the branch D Cisco router, use show crypto ipsec sa to check the IKE phase 2 negotiation status;

4. On the headquarters Hillstone firewall, use show isakmp sa and show ipsec sa to check the IKE phase 1 and phase 2 negotiation status.
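When steps 2 to 4 show no phase 1 or phase 2 SA, the cause is almost always a parameter the two sides do not agree on. The following is an added example, not part of the original post and not Hillstone or Cisco code, that reads excerpts of the two configurations above and checks what must match before the tunnel can negotiate: the IKE and IPsec algorithms, the pre-shared key, each side's peer address against the other side's WAN address, the Hillstone proxy IDs against the Cisco crypto ACL, and that the PAT access list exempts the VPN flow from NAT before encryption. A setting one side leaves to its device default (the Hillstone isakmp proposal only sets hash md5) is reported as UNSPECIFIED rather than assumed, and MD5, 3DES, DH group 2 and aggressive mode are flagged as legacy parameters. The regular expressions are written for exactly these excerpts, not as general StoneOS or IOS parsers, and the configuration strings are constructed copies of the page's lines with the quotes normalised to ASCII.

```python
import re
import ipaddress

# Excerpts of the two configurations on this page, embedded as constructed strings (ASCII quotes) so the check runs offline.
HILLSTONE_CFG = """
isakmp proposal "psk-md5-3des-g2"
  hash md5
exit
isakmp peer "ciscora"
  mode aggressive
  pre-share "123456"
  peer 20.3.3.1
exit
ipsec proposal "esp-md5-3des-g2"
  hash md5
  encryption 3des
  group 2
exit
tunnel ipsec "ciscoraipsec" auto
  id local 10.1.1.0/24 remote 172.16.3.0/24 service "any"
exit
interface ethernet0/1
  ip address 20.0.0.1 255.255.255.0
exit
"""
CISCO_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key 123456 address 20.0.0.1
crypto ipsec transform-set hillstonefwa esp-3des esp-md5-hmac
crypto map crymap 10 ipsec-isakmp
 set peer 20.0.0.1
 set pfs group2
interface FastEthernet0/1
 ip address 20.3.3.1 255.255.255.0
ip access-list extended PAT
 deny   ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended ipsecvpn
 permit ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
LEGACY = {"md5", "3des", "2", "aggressive"}  # reported as legacy, not as a failure

def _grab(pattern, text, flags=re.M):
    m = re.search(pattern, text, flags)
    return m.group(1) if m else None

def _block(header, text):
    # A StoneOS block runs from its header line to the next "exit".
    return _grab(header + r"\n(.*?)\nexit", text, re.S) or ""

def wildcard_net(addr, wildcard):
    # A Cisco wildcard mask is an inverted netmask: 0 bits must match.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_hillstone(cfg):
    ike, peer = _block(r'isakmp proposal "[^"]+"', cfg), _block(r'isakmp peer "[^"]+"', cfg)
    esp, tun = _block(r'ipsec proposal "[^"]+"', cfg), _block(r'tunnel ipsec "[^"]+" auto', cfg)
    local, remote = re.search(r"id local (\S+) remote (\S+)", tun).groups()
    return {"ike_hash": _grab(r"^\s*hash (\S+)", ike), "ike_enc": _grab(r"^\s*encryption (\S+)", ike),
            "ike_group": _grab(r"^\s*group (\S+)", ike), "ike_mode": _grab(r"^\s*mode (\S+)", peer),
            "psk": _grab(r'pre-share "([^"]+)"', peer), "peer": _grab(r"^\s*peer (\S+)", peer),
            "esp_hash": _grab(r"^\s*hash (\S+)", esp), "esp_enc": _grab(r"^\s*encryption (\S+)", esp),
            "pfs": _grab(r"^\s*group (\S+)", esp), "local": ipaddress.ip_network(local),
            "remote": ipaddress.ip_network(remote), "wan_ip": _grab(r"^\s*ip address (\S+)", _block("interface ethernet0/1", cfg))}

def parse_cisco(cfg):
    pol = _grab(r"crypto isakmp policy \d+\n(.*?)\ncrypto", cfg, re.S) or ""
    key, key_addr = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    ts_enc, ts_hash = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg).groups()
    acl = re.search(r"extended ipsecvpn\n\s*permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    nat = re.search(r"extended PAT\n\s*deny\s+ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return {"ike_hash": _grab(r"^\s*hash (\S+)", pol), "ike_enc": _grab(r"^\s*encr (\S+)", pol),
            "ike_group": _grab(r"^\s*group (\S+)", pol), "psk": key, "key_addr": key_addr,
            "peer": _grab(r"^\s*set peer (\S+)", cfg), "esp_hash": ts_hash, "esp_enc": ts_enc,
            "pfs": _grab(r"^\s*set pfs group(\S+)", cfg),
            "wan_ip": _grab(r"interface FastEthernet0/1\n\s*ip address (\S+)", cfg),
            "acl": (wildcard_net(acl[0], acl[1]), wildcard_net(acl[2], acl[3])),
            "nat_exempt": (wildcard_net(nat[0], nat[1]), wildcard_net(nat[2], nat[3]))}

def check(hs, cs):
    findings = []  # (status, label, detail) tuples
    def cmp(label, a, b):
        status = "UNSPECIFIED" if a is None or b is None else "MISMATCH" if a != b else "OK"
        findings.append((status, label, f"{a} vs {b}"))
        if {str(a), str(b)} & LEGACY:
            findings.append(("LEGACY", label, f"{a} vs {b}"))
    for key in ("ike_hash", "ike_enc", "ike_group", "psk", "esp_hash", "esp_enc", "pfs"):
        cmp(key, hs[key], cs[key])
    cmp("ike_mode", hs["ike_mode"], None)  # the Cisco config leaves the exchange mode to its default
    # Each side's configured peer must be the other side's WAN address.
    cmp("peer_addr_on_hillstone", hs["peer"], cs["wan_ip"])
    cmp("peer_addr_on_cisco", cs["peer"], hs["wan_ip"])
    # Phase 2 proxy IDs mirror the crypto ACL: HQ "remote" is the ACL source, HQ "local" its destination.
    cmp("proxy_ids", (hs["remote"], hs["local"]), cs["acl"])
    # The PAT deny must exempt exactly the crypto ACL flow, or NAT rewrites it before encryption.
    cmp("nat_exemption", cs["nat_exempt"], cs["acl"])
    return findings
```

Run on the page's configuration, check() reports every comparison as OK or UNSPECIFIED with no MISMATCH, which is consistent with the tunnel negotiating; the UNSPECIFIED entries (IKE encryption, DH group, exchange mode) are the values to confirm against the device defaults if phase 1 still fails. Changing a single parameter on one side, for example esp-sha-hmac in the Cisco transform set, produces a MISMATCH on that label, which is what show crypto ipsec sa with no SA usually comes down to.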