Resource Records
rsrc.ink

Cisco Router & NetScreen SSG IPsec VPN (IKEv1)

Requirement: enterprise branch A deploys a NetScreen SSG firewall as its Internet egress gateway and establishes an IPsec VPN with the headquarters Cisco router.

Headquarters Cisco router configuration:

center#show run

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp peer address 20.1.1.1
 set aggressive-mode password 123456
 set aggressive-mode client-endpoint ipv4-address 20.1.1.1
!
!
crypto ipsec transform-set ipsectran esp-3des esp-md5-hmac
!
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 20.1.1.1
 set transform-set ipsectran
 set pfs group2
 match address vpn
 set security-association lifetime seconds 3600
!
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ! ip nat inside is assumed here: the overload NAT rule below has no effect without an inside interface
 ip nat inside
!
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 ip nat outside
 crypto map vpnmap
!
ip nat inside source list snat interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 20.0.0.100
!
ip access-list extended snat
 deny   ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip any any
ip access-list extended vpn
 permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
end
Branch A NetScreen SSG firewall configuration:
fw-branch-A-> get config

set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/1

set interface ethernet0/0 ip 20.1.1.1/24
set interface ethernet0/0 route
set interface bgroup0 ip 172.16.1.254/24
set interface bgroup0 route

set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh

set hostname fw-branch-A

set address "Trust" "ipseclocal" 172.16.1.0 255.255.255.0
set address "Untrust" "ipsecremote" 10.0.0.0 255.255.255.0
set ike p1-proposal "ikepro" preshare group2 esp 3des md5 second 86400
set ike p2-proposal "ipsecpro" group2 esp 3des md5 second 3600
set ike gateway "center" address 20.0.0.1 Aggr outgoing-interface "ethernet0/0" preshare 123456 proposal "ikepro"

set vpn "centeripsec" gateway "center" no-replay tunnel idletime 0 proposal "ipsecpro"
set vpn "centeripsec" proxy-id local-ip 172.16.1.0/24 remote-ip 10.0.0.0/24 "ANY"

set policy id 2 name "ipsecvpn" from "Trust" to "Untrust" "ipseclocal" "ipsecremote" "ANY" tunnel vpn "centeripsec" id 0x1 pair-policy 3
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 1
exit
set policy id 3 name "ipsecvpn" from "Untrust" to "Trust" "ipsecremote" "ipseclocal" "ANY" tunnel vpn "centeripsec" id 0x1 pair-policy 2
set policy id 3
exit

set route 0.0.0.0/0 gateway 20.1.1.100
exit
fw-branch-A->
...
Note the policy order: the IPsec VPN policy must be placed before the NAT policy!
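As an added example (not part of the original article, and not code from Cisco or Juniper), the following Python script cross-checks the two listings above before anything is deployed. It parses the VPN-relevant lines of each side (the sample strings are constructed from the configurations on this page), then compares the phase 1 and phase 2 proposals, the peer addresses, the Cisco crypto ACL against the ScreenOS proxy-id, the NAT-exemption ACL, and the outbound policy order that the note above warns about. All function and variable names are the example's own.

```python
import re
import ipaddress

# Constructed sample input: the VPN-relevant lines of the two listings on this page.
CISCO_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto ipsec transform-set ipsectran esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 20.1.1.1
 set transform-set ipsectran
 set pfs group2
 match address vpn
 set security-association lifetime seconds 3600
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 crypto map vpnmap
ip nat inside source list snat interface FastEthernet0/1 overload
ip access-list extended snat
 deny   ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip any any
ip access-list extended vpn
 permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SCREENOS_CFG = """\
set interface ethernet0/0 ip 20.1.1.1/24
set ike p1-proposal "ikepro" preshare group2 esp 3des md5 second 86400
set ike p2-proposal "ipsecpro" group2 esp 3des md5 second 3600
set ike gateway "center" address 20.0.0.1 Aggr outgoing-interface "ethernet0/0" preshare 123456 proposal "ikepro"
set vpn "centeripsec" gateway "center" no-replay tunnel idletime 0 proposal "ipsecpro"
set vpn "centeripsec" proxy-id local-ip 172.16.1.0/24 remote-ip 10.0.0.0/24 "ANY"
set policy id 2 name "ipsecvpn" from "Trust" to "Untrust" "ipseclocal" "ipsecremote" "ANY" tunnel vpn "centeripsec" id 0x1 pair-policy 3
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
"""

def _blocks(text):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif line.strip() and cur:
            blocks[cur].append(line.strip())
    return blocks

def _wild_to_net(addr, wildcard):
    """IOS 'address wildcard' pair (0.0.0.255) -> ip_network (/24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _acl_flows(lines, action):
    """(src, dst) networks of the 'permit ip' / 'deny ip' entries written with wildcards."""
    return [(_wild_to_net(p[2], p[3]), _wild_to_net(p[4], p[5]))
            for p in (l.split() for l in lines) if p[:2] == [action, "ip"] and len(p) == 6]

def parse_cisco(text):
    b = _blocks(text)
    key = lambda prefix: next(k for k in b if k.startswith(prefix))
    pol = dict(l.split(None, 1) for l in b[key("crypto isakmp policy")])
    cmap = dict(l.rsplit(None, 1) for l in b[key("crypto map")])
    ts = re.search(r"^crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text, re.M)
    nat_acl = re.search(r"^ip nat inside source list (\S+)", text, re.M).group(1)
    wan_if = next(k for k, v in b.items() if k.startswith("interface") and any(l.startswith("crypto map") for l in v))
    wan_ip = next(l.split()[2] for l in b[wan_if] if l.startswith("ip address"))
    return {"p1": (pol["encr"], pol["hash"], "group" + pol["group"], int(pol["lifetime"])),
            "p2": (ts.group(1), ts.group(2), cmap["set pfs"], int(cmap["set security-association lifetime seconds"])),
            "peer": cmap["set peer"], "wan": wan_ip,
            "crypto_acl": _acl_flows(b["ip access-list extended " + cmap["match address"]], "permit"),
            "nat_exempt": _acl_flows(b["ip access-list extended " + nat_acl], "deny")}

def parse_screenos(text):
    g = lambda pat: re.search(pat, text, re.M)
    p1 = g(r'^set ike p1-proposal "\S+" preshare (group\d) esp (\S+) (\S+) second (\d+)')
    p2 = g(r'^set ike p2-proposal "\S+" (group\d) esp (\S+) (\S+) second (\d+)')
    gw = g(r'^set ike gateway "\S+" address (\S+) .*outgoing-interface "(\S+)"')
    wan = g(r"^set interface %s ip (\S+)/" % re.escape(gw.group(2)))
    pid = g(r"proxy-id local-ip (\S+) remote-ip (\S+)")
    # Outbound policies in listing order: ScreenOS takes the first match, so the tunnel
    # policy must come before the catch-all 'nat src permit' policy.
    order = re.findall(r'^set policy id \d+ .*from "Trust" to "Untrust".*?(tunnel vpn|nat src)', text, re.M)
    return {"p1": (p1.group(2), p1.group(3), p1.group(1), int(p1.group(4))),
            "p2": (p2.group(2), p2.group(3), p2.group(1), int(p2.group(4))),
            "gateway": gw.group(1), "wan": wan.group(1), "policy_order": order,
            "proxy_id": (ipaddress.ip_network(pid.group(1)), ipaddress.ip_network(pid.group(2)))}

def check(cisco, ns):
    """Cross-check both ends; an empty list means the two configurations agree."""
    f = []
    for phase in ("p1", "p2"):  # algorithm names are compared literally, which fits this page's values
        if cisco[phase] != ns[phase]:
            f.append(f"{phase} proposal mismatch: cisco={cisco[phase]} netscreen={ns[phase]}")
    for what, a, b in (("Cisco 'set peer'", cisco["peer"], ns["wan"]), ("NetScreen gateway", ns["gateway"], cisco["wan"])):
        if a != b:
            f.append(f"{what} {a} does not match the other side's outside interface address {b}")
    if ns["proxy_id"] not in {(d, s) for s, d in cisco["crypto_acl"]}:
        f.append(f"proxy-id {ns['proxy_id']} does not mirror the crypto ACL {cisco['crypto_acl']}")
    for flow in cisco["crypto_acl"]:  # anything the crypto ACL selects must be denied in the NAT ACL
        if flow not in cisco["nat_exempt"]:
            f.append(f"flow {flow[0]} -> {flow[1]} is encrypted but not exempted from NAT")
    o = ns["policy_order"]
    if "nat src" in o and "tunnel vpn" in o and o.index("nat src") < o.index("tunnel vpn"):
        f.append("NetScreen outbound NAT policy precedes the tunnel policy; VPN traffic would be NATed")
    return f

if __name__ == "__main__":
    print(check(parse_cisco(CISCO_CFG), parse_screenos(SCREENOS_CFG)) or "configurations agree")
```

Run as-is it reports that the two listings agree; change one side's hash, delete the deny line from the snat ACL, or reverse the policy lines and it names the mismatch. Algorithm names are compared literally, which is enough for the values on this page; if the two platforms spell an algorithm differently (for example sha versus sha-1), add a normalisation map before comparing.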

Test and verification:

1. From a headquarters server, ping and tracert a branch host or the branch gateway to verify IPsec VPN connectivity and the path;

2. On the headquarters Cisco router, use the following commands to verify the IKE/IPsec phase 1 and phase 2 negotiation state and that data is being encrypted;

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

3. From a branch host, ping and tracert a headquarters server to verify IPsec VPN connectivity and the path;

4. On the branch NetScreen firewall, use the following commands to verify the IKE negotiation state and the IPsec peer and tunnel state.

get ike gateway

get ike cookies

get vpn proxy-id

get vpn auto
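As an added example, not output captured from the devices on this page, here is a small Python health check that interprets the output of show crypto isakmp sa and show crypto ipsec sa from step 2 and maps it to the usual IKEv1 failure stages. The sample output is constructed in the shape of those two commands using the addresses on this page; the packet counters are invented to illustrate a tunnel that encrypts outbound traffic but receives nothing back, which is what a wrong remote proxy-id, policy order or NAT exemption looks like from the router. diagnose() and the other names are the example's own.

```python
import re

# Constructed sample output in the shape of 'show crypto isakmp sa' and 'show crypto ipsec sa';
# the addresses follow this page, the counters are invented for the demonstration.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.1.1.1        20.0.0.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""
IPSEC_SA = """\
interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 20.0.0.1

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 20.1.1.1 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_isakmp_sa(text):
    """Rows of the IKE SA table as (dst, src, state, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = re.match(IP + r"\s+" + IP + r"\s+(\S+)\s+\d+\s+(\S+)", line)
        if m:
            rows.append(m.groups())
    return rows

def parse_ipsec_sa(text):
    """Counters and identities that show whether traffic is flowing in both directions."""
    info = {}
    for key, pat in (("encaps", r"#pkts encaps: (\d+)"), ("decaps", r"#pkts decaps: (\d+)"),
                     ("send_errors", r"#send errors (\d+)"), ("recv_errors", r"#recv errors (\d+)")):
        m = re.search(pat, text)
        info[key] = int(m.group(1)) if m else None
    info["idents"] = {side: f"{addr}/{mask}" for side, addr, mask in
                      re.findall(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", text)}
    return info

def diagnose(isakmp_text, ipsec_text, peer):
    """Map the two outputs onto the usual failure stages of an IKEv1 tunnel to 'peer'."""
    ike = [r for r in parse_isakmp_sa(isakmp_text) if r[0] == peer]
    if not ike:
        return "no phase 1 SA with the peer: check reachability, aggressive-mode settings and the pre-shared key"
    _, _, state, status = ike[0]
    if state != "QM_IDLE" or status != "ACTIVE":  # QM_IDLE is the only settled phase 1 state
        return f"phase 1 stuck in {state}/{status}: phase 1 proposal or authentication mismatch"
    c = parse_ipsec_sa(ipsec_text)
    if not c["encaps"]:
        return "phase 1 is up but nothing is encrypted: traffic is not matching the crypto ACL"
    if not c["decaps"]:
        return (f"traffic leaves encrypted ({c['encaps']} pkts) but nothing returns: check the remote "
                f"proxy-id against {c['idents']}, the policy order and the NAT exemption")
    return "tunnel healthy: traffic in both directions"

if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, IPSEC_SA, "20.1.1.1"))
```

Paste real command output into the two strings (or read it from files) and call diagnose() with the peer address from set peer; the three-way split of the checks follows the order in which the steps above are meant to be run, phase 1 first, then whether anything is encrypted, then whether anything comes back.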