A detailed (simplified) real-world IPsec case: headquarters, branch and prefecture-level city interconnected
1. Experiment topology

The topology figure is not reproduced here, but it can be reconstructed from the configuration below. The headquarters LAN 192.168.1.0/24 sits behind AR1; the headquarters IPsec gateway is FW3 (10.1.13.3), which sits behind AR2, the NAT router whose public address is 100.1.23.2. AR3 plays the ISP core and its LoopBack0 (8.8.8.8) stands in for an Internet host. The branch is FW1 (LAN 192.168.2.0/24, public 100.1.13.1) and the prefecture-level city is FW2 (LAN 192.168.3.0/24, public 100.1.32.2). FW3 is the hub: both spokes build a tunnel to 100.1.23.2, and branch-to-city traffic is decrypted on FW3 and re-encrypted toward the other spoke.

2. Basic configuration (simplified for convenience)

a. Base configuration: IP addresses, routes, etc.

AR1:

interface GigabitEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.13.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.1.12.1 255.255.255.0
#
ip route-static 0.0.0.0 0 10.1.12.2
ip route-static 192.168.2.0 24 10.1.13.3
ip route-static 192.168.3.0 24 10.1.13.3

AR2:

interface GigabitEthernet0/0/0
 ip address 10.1.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 100.1.23.2 255.255.255.0
#
ip route-static 0.0.0.0 0 100.1.23.3
ip route-static 192.168.1.0 24 10.1.12.1
ip route-static 10.1.13.0 24 10.1.12.1

AR3:

interface GigabitEthernet0/0/0
 ip address 100.1.13.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 100.1.23.3 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 100.1.32.3 255.255.255.0
#
interface LoopBack0
 ip address 8.8.8.8 255.255.255.255

FW1:

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.2.254 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.13.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.13.3

FW2:

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.32.2 255.255.255.0
 service-manage ping permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.32.3

FW3 (the trust zone here holds only GigabitEthernet0/0/0, the management port; GigabitEthernet1/0/0 faces AR1 and is the IPsec egress):

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.13.3 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.13.1

b. NAT so that each site can reach the Internet

FW1:

nat-policy
 rule name fw1
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  source-address 192.168.2.0 mask 255.255.255.0
  action source-nat easy-ip

FW2:

nat-policy
 rule name fw2
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  source-address 192.168.3.0 mask 255.255.255.0
  action source-nat easy-ip

AR2:

acl number 3000
 rule 5 permit ip
#
interface GigabitEthernet0/0/1
 ip address 100.1.23.2 255.255.255.0
 nat outbound 3000

Note on AR2: rule 5 permit ip translates everything leaving GigabitEthernet0/0/1, including FW3's IKE and ESP. There is no inbound mapping (nat server) toward 10.1.13.3, so IKE initiated by a spoke toward 100.1.23.2 terminates on AR2 and goes nowhere; the tunnels only come up because FW3 initiates them (sa trigger-mode auto) and NAT traversal (IKE over UDP 4500, enabled by default under ike peer on the USG) carries ESP through AR2. This is the situation summary point b is about.

c. IPsec tunnels: the city reaches headquarters directly and reaches the branch by way of headquarters

FW1:

acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal prop104936740
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ike104936740
 exchange-mode auto
 pre-shared-key %^%#tgx.RLbZt$ky7AY3MIpGg#Q$MvE$u-4LP0S.%^%#
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 remote-address 100.1.23.2
#
ipsec policy ipsec104936481 1 isakmp
 security acl 3000
 ike-peer ike104936740
 proposal prop104936740
 tunnel local applied-interface
 alias to_changsha
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.13.1 255.255.255.0
 ipsec policy ipsec104936481

FW2:

acl number 3000
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal prop1049033817
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ike1049033817
 exchange-mode auto
 pre-shared-key %^%#7sD6G*NP#C!*_Qnyg,%C8(o]F0fmLWOAZvJ%^%#
 ike-proposal 1
 remote-id-type ip
 dpd type periodic
 remote-address 100.1.23.2
#
ipsec policy ipsec1049033528 1 isakmp
 security acl 3000
 ike-peer ike1049033817
 proposal prop1049033817
 tunnel local applied-interface
 alias to_changsha
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.32.2 255.255.255.0
 service-manage ping permit
 ipsec policy ipsec1049033528

FW3 (hub; acl 3000 and policy entry 1 face the city, acl 3001 and policy entry 2 face the branch):

acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal prop1049031759
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec proposal prop104920373
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 2
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ike1049031759
 exchange-mode auto
 pre-shared-key %^%#Fp_p-)g(aF}YM8YzA.c-%WmSmHo~PhKbJg^J4%^%#
 ike-proposal 1
 remote-id-type ip
 dpd type periodic
 remote-address 100.1.32.2
ike peer ike104920373
 exchange-mode auto
 pre-shared-key %^%#R^%B{:4c1kz43$TSc25(%aDxV9vIc,LI9y\I%^%#
 ike-proposal 2
 remote-id-type none
 dpd type periodic
 remote-address 100.1.13.1
#
ipsec policy ipsec1049031457 1 isakmp
 security acl 3000
 ike-peer ike1049031759
 proposal prop1049031759
 tunnel local applied-interface
 alias to_地级市
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
ipsec policy ipsec1049031457 2 isakmp
 security acl 3001
 ike-peer ike104920373
 proposal prop104920373
 tunnel local applied-interface
 alias to_zongbu
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600

Things to check before copying this listing:

- The pre-shared-key values are the ciphertext form the device displays (%^%#...%^%#), not the keys themselves. They cannot be pasted into another device; enter the same plaintext key on both ends of each tunnel, and use a different key per spoke as the author does.
- The spokes disagree on identity checking: FW1 uses remote-id-type none, FW2 uses remote-id-type ip. The hub's own address is 10.1.13.3 while the spokes dial 100.1.23.2, so for a peer behind NAT remote-id-type none (as on FW1) is the safer choice; with remote-id-type ip the hub must present an IP identity the spoke accepts.
- The listing does not show ipsec policy ipsec1049031457 bound under FW3's GigabitEthernet1/0/0. A policy group does nothing until it is applied to the egress interface, as it is on FW1 and FW2.
- No security-policy rules are shown on any firewall. The USG denies inter-zone traffic by default, so rules are needed for the LAN subnets between trust and untrust, for IKE (UDP 500/4500) and ESP between local and untrust, and on FW3 for the untrust-to-untrust hairpin of decrypted spoke-to-spoke traffic.
- ike proposal 1 and ike proposal 2 on FW3 are identical; one would do. The alias to_zongbu ("to headquarters") on the hub's branch-facing entry is only a label, but a misleading one.

3. Result verification

a. Internet access: from each LAN, ping AR3's LoopBack0 8.8.8.8 (the lab's stand-in for an Internet host). This exercises only the NAT policies and the default routes.
b. Tunnel establishment: display ike sa on each firewall should show the IKE SA with the expected peer, and display ipsec sa the child SAs; FW3 should show one pair per spoke.
c. Traffic through the tunnel: ping 192.168.1.x and 192.168.3.x from a host in 192.168.2.0/24. The ESP counters (display ipsec statistics) should increase, and for branch-to-city traffic both of FW3's SAs should count, since the hub decrypts and re-encrypts.

4. Summary

a. Spoke-to-spoke reachability through the hub needs nothing more than extra entries in the interesting-traffic ACLs: the spoke-to-spoke pair on each spoke, and on the hub the same pair in the ACL facing each of the two spokes (here FW3's acl 3000 rule 10 and acl 3001 rule 10). Every flow must be the mirror image of what the peer configures, or the SA for it will not be negotiated.
b. When a NAT device is in the path, be careful about which address each side uses. If the peer's address is unknown or dynamic, build that side with an IPsec policy template (ipsec policy-template) instead of a fixed remote-address.
c. The underlying routing must work end to end before IPsec is even attempted. Pay particular attention to this; it is where most failures are.
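Summary point a is the rule most easily broken when a fourth site is added: every (source, destination) pair in one device's interesting-traffic ACL must appear reversed on the peer, and on the hub the spoke-to-spoke pair must appear in both spoke-facing ACLs. As an added example (not part of the original post), here is a Python check that parses the acl, ike peer and ipsec policy lines of the three firewalls above, copied verbatim as constructed input, and reports every flow whose peer has no mirror. FW3 is keyed by 100.1.23.2, the AR2 NAT address the spokes dial, which is an assumption taken from the remote-address lines; the function names are mine.

```python
import ipaddress
import re
from collections import defaultdict

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

# Constructed input: only the acl, ike peer and ipsec policy lines copied from the
# three firewall listings above; proposals, lifetimes and interfaces are not needed.
FW1_CFG = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ike peer ike104936740
 remote-address 100.1.23.2
ipsec policy ipsec104936481 1 isakmp
 security acl 3000
 ike-peer ike104936740
"""
FW2_CFG = """\
acl number 3000
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer ike1049033817
 remote-address 100.1.23.2
ipsec policy ipsec1049033528 1 isakmp
 security acl 3000
 ike-peer ike1049033817
"""
FW3_CFG = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer ike1049031759
 remote-address 100.1.32.2
ike peer ike104920373
 remote-address 100.1.13.1
ipsec policy ipsec1049031457 1 isakmp
 security acl 3000
 ike-peer ike1049031759
ipsec policy ipsec1049031457 2 isakmp
 security acl 3001
 ike-peer ike104920373
"""

# Address each device is dialled on by its peers (assumption taken from the
# remote-address lines). FW3 sits behind AR2's outbound NAT, so the spokes reach
# it as 100.1.23.2, not as its own interface address 10.1.13.3.
SITES = {
    "FW1": ("100.1.13.1", FW1_CFG),
    "FW2": ("100.1.32.2", FW2_CFG),
    "FW3": ("100.1.23.2", FW3_CFG),
}


def parse_policies(cfg):
    """Return [(remote_address, {(src_net, dst_net), ...})], one per isakmp policy entry."""
    acls, peers, entries, block = defaultdict(set), {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        words = line.split()
        if line.startswith("acl number "):
            block = ("acl", int(words[2]))
        elif line.startswith("ike peer "):
            block = ("peer", words[2])
        elif line.startswith("ipsec policy "):
            block = ("policy", len(entries))
            entries.append({})
        elif block and block[0] == "acl" and (m := RULE_RE.match(line)):
            # Huawei ACLs use wildcard masks; ipaddress accepts a hostmask after '/'
            acls[block[1]].add((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"),
                                ipaddress.IPv4Network(f"{m[3]}/{m[4]}")))
        elif block and block[0] == "peer" and line.startswith("remote-address "):
            peers[block[1]] = words[1]
        elif block and block[0] == "policy" and line.startswith("security acl "):
            entries[block[1]]["acl"] = int(words[2])
        elif block and block[0] == "policy" and line.startswith("ike-peer "):
            entries[block[1]]["peer"] = words[1]
    return [(peers[e["peer"]], frozenset(acls[e["acl"]])) for e in entries]


def mirror_gaps(sites):
    """Every flow (src -> dst) a device protects toward a peer must be matched by
    (dst -> src) protected by that peer toward this device; otherwise no SA is
    negotiated for it. Returns the unmatched flows as (device, remote, src, dst)."""
    by_addr = {addr: name for name, (addr, _) in sites.items()}
    parsed = {name: parse_policies(cfg) for name, (_, cfg) in sites.items()}
    gaps = []
    for name, (addr, _) in sites.items():
        for remote, flows in parsed[name]:
            peer = by_addr.get(remote)
            if peer is None:  # remote-address belongs to no known site
                gaps.append((name, remote, "*", "*"))
                continue
            # Everything the peer protects toward us, across all its policy entries
            back = set().union(*(f for r, f in parsed[peer] if r == addr))
            for src, dst in sorted(flows, key=str):
                if (dst, src) not in back:
                    gaps.append((name, remote, str(src), str(dst)))
    return gaps


def gaps_without_hub_transit_rule():
    """Drop FW3's acl 3000 rule 10 (the branch -> city leg on the hub) and recheck:
    the city's 192.168.3.0/24 -> 192.168.2.0/24 flow then has no mirror on the hub."""
    addr, cfg = SITES["FW3"]
    broken = cfg.replace(
        " rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255\n", "")
    return mirror_gaps({**SITES, "FW3": (addr, broken)})
```

mirror_gaps(SITES) returns an empty list for the configuration above; gaps_without_hub_transit_rule() reports the single broken flow, which is exactly the mistake the summary warns about. Adding a fourth site is a matter of adding one SITES entry with the address its peers dial.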
This article was contributed by an internet user and the views are the author's own. Source: http://www.coloradmin.cn/o/2505230.html