Building a pre-shared-key IPsec VPN between an H3C SecPath firewall and an IOS router

Posted 2007-8-31 16:09:41
Topology:
   R3-------------------SecPath firewall-------------R2 (remote edge)---------internal network
(internal router)    (enterprise edge device, VPN endpoint)    (VPN endpoint)

   Firewall configuration:
[Quidway]dis current-configuration
#
sysname Quidway
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ike proposal 10
encryption-algorithm aes-cbc 128
authentication-algorithm md5
#
ike peer 1
pre-shared-key 123456
remote-address 172.16.12.1
local-address 172.16.12.2
#
ipsec proposal 1
esp encryption-algorithm 3des
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer 1
proposal 1
#
acl number 3000
rule 0 permit ip source 10.10.10.0 0.0.0.255 destination 11.11.11.0 0.0.0.255
rule 1 deny ip
#
interface Ethernet1/0
ip address 172.16.12.2 255.255.255.0
ipsec policy test
#
interface Ethernet2/0
speed 10
duplex half
ip address 10.10.10.1 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet2/0
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 11.11.11.0 255.255.255.0 172.16.12.1 preference 60
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
=============================
IOS router configuration:

r2#sh run
Building configuration...
Current configuration : 1107 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
crypto isakmp key 6 123456 address 172.16.12.2
!
!
crypto ipsec transform-set ccie esp-3des esp-md5-hmac
!
crypto map mymap 65535 ipsec-isakmp
set peer 172.16.12.2
set transform-set ccie
match address 100
!
!
!
!
interface Loopback0
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
shutdown
frame-relay lmi-type ansi
!
interface Ethernet0/1
ip address 172.16.12.1 255.255.255.0
half-duplex
crypto map mymap
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.12.2
!
!
!
access-list 100 permit ip 11.11.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!

end

IKE SA check (screenshot 1.jpg, not reproduced here)

IPsec SA check (screenshot 2.jpg, not reproduced here)
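An added consistency check, not part of the original post: the script below pulls the IKE phase-1 and IPsec phase-2 parameters out of the two configurations above (embedded as constructed excerpts containing only the lines it reads), normalises the vendor spellings, and reports anything that differs between the peers (which would stop the tunnel from coming up) as well as settings that are weak by current standards (MD5, 3DES, a short numeric pre-shared key). The regex patterns and the mapping of IOS `encr aes` to a 128-bit key are assumptions about these two configuration syntaxes.

```python
import re
# Constructed excerpts: the lines the checker reads from the two configs posted above.
H3C = """encryption-algorithm aes-cbc 128
authentication-algorithm md5
pre-shared-key 123456
remote-address 172.16.12.1
local-address 172.16.12.2
esp encryption-algorithm 3des
rule 0 permit ip source 10.10.10.0 0.0.0.255 destination 11.11.11.0 0.0.0.255
"""
IOS = """encr aes
hash md5
crypto isakmp key 6 123456 address 172.16.12.2
crypto ipsec transform-set ccie esp-3des esp-md5-hmac
set peer 172.16.12.2
ip address 172.16.12.1 255.255.255.0
access-list 100 permit ip 11.11.11.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
# One regex per attribute (assumed syntax); group(1) is the value. Same keys on both sides.
H3C_PAT = dict(ike_enc=r"^encryption-algorithm (.+)$", ike_hash=r"^authentication-algorithm (\S+)",
               psk=r"^pre-shared-key (\S+)", local=r"^local-address (\S+)", peer=r"^remote-address (\S+)",
               esp_enc=r"^esp encryption-algorithm (\S+)", src=r"permit ip source (\S+ \S+)", dst=r"destination (\S+ \S+)")
IOS_PAT = dict(ike_enc=r"^encr (.+)$", ike_hash=r"^hash (\S+)", psk=r"^crypto isakmp key (?:\d+ )?(\S+) address",
               local=r"^ip address (\S+)", peer=r"^set peer (\S+)", esp_enc=r"^crypto ipsec transform-set \S+ (\S+)",
               src=r"^access-list \d+ permit ip (\S+ \S+)", dst=r"^access-list \d+ permit ip \S+ \S+ (\S+ \S+)")

def norm_enc(s):
    """Map vendor spellings to one form: 'aes-cbc 128' / 'aes' -> 'aes-128', 'esp-3des' -> '3des'."""
    parts = s.replace("esp-", "").replace("-cbc", "").split()
    if parts == ["aes"]:
        parts.append("128")  # assumption: IOS 'encr aes' with no size means a 128-bit key
    return "-".join(parts)

def parse(cfg, pats):
    d = {k: re.search(p, cfg, re.M).group(1) for k, p in pats.items()}
    d["ike_enc"], d["esp_enc"] = norm_enc(d["ike_enc"]), norm_enc(d["esp_enc"])
    return d

def check(h, i):
    """Return MISMATCH findings (tunnel will not negotiate) and WEAK findings (it will, with dated crypto)."""
    out = [f"MISMATCH {k}: h3c={h[k]} ios={i[k]}" for k in ("ike_enc", "ike_hash", "psk", "esp_enc") if h[k] != i[k]]
    if (h["local"], h["peer"]) != (i["peer"], i["local"]):
        out.append("MISMATCH peer addresses do not cross-reference")
    if (h["src"], h["dst"]) != (i["dst"], i["src"]):  # ACL 3000 must mirror access-list 100
        out.append("MISMATCH traffic selectors are not mirror images")
    out += [f"WEAK {k}={h[k]}" for k in ("ike_hash", "esp_enc") if h[k] in ("md5", "3des")]
    if len(h["psk"]) < 16 or h["psk"].isdigit():
        out.append("WEAK pre-shared key is short or numeric-only")
    return out
```

Run `check(parse(H3C, H3C_PAT), parse(IOS, IOS_PAT))`: the two sides agree on every negotiated value, so only the three WEAK findings come back.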