华三IPsec-野蛮模式
【拓扑图】

【需求】FW3(分部)通过NAT设备与FW4(总部1)建立IPsec隧道;FW3(分部)通过NAT设备与FW8(总部2)建立IPsec隧道。分部出口地址经 NAT 转换，总部无法按对端 IP 识别分部，因此采用 IKEv1 野蛮模式、分部以 user-fqdn 标识自身，总部侧用 policy-template 被动响应；两条隧道需同时生效，分部只能在出接口应用一个 IPsec 策略，故应使用一个策略下的两个条目。
----------------------------------------------------分部配置如下-----------------------------------------------
【FW1】
# FW1: NAT device in front of the branch. FW3's WAN side (10.0.12.0/24) is
# translated to 1.1.1.2 with Easy IP, so both HQ peers only ever see 1.1.1.2
# as the IKE/ESP source -- which is why FW3 has to identify itself by FQDN
# instead of by address.
interface GigabitEthernet1/0/5
ip address 1.1.1.2 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet1/0/10
ip address 10.0.12.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name Untrust
import interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0 1.1.1.1
# Return route to the branch LAN behind FW3. Tunnelled traffic is sourced from
# 10.0.12.2, so presumably this only matters for flows FW3 sends outside the
# tunnel -- confirm it is really needed before keeping it.
ip route-static 192.168.10.0 24 10.0.12.2
#
# Only FW3's WAN subnet is eligible for translation.
acl basic 2000
rule 5 permit source 10.0.12.0 0.0.0.255
#
nat policy
rule name 5
action easy-ip
#
# NOTE(review): permit-all security policy is lab convenience only. In
# production restrict it to the flows this box actually forwards
# (udp 500/4500 and ESP between 10.0.12.2 and the HQ addresses).
security-policy ip
rule 0 name test-any
action pass
#
【FW3】
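# FW3 (branch): initiator for both tunnels. A Comware interface takes a single
# "ipsec apply policy", so the original "zb1policy or zb2policy" choice could
# only ever bring up one of the two tunnels the brief requires. One policy
# with two entries (seq 5 -> HQ1, seq 10 -> HQ2) is applied once instead.
interface GigabitEthernet1/0/5
ip address 10.0.12.2 255.255.255.0
ipsec apply policy zbpolicy
#
interface GigabitEthernet1/0/10
ip address 192.168.10.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name Untrust
import interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0 10.0.12.1
#
# One ACL per peer. Each policy entry must describe only the flows its own
# remote end mirrors: FW4 protects 192.168.20.0/24, FW8 protects
# 192.168.30.0/24. With both destinations in a single ACL, the entry for
# 2.2.2.2 would also try to negotiate a 192.168.30.0/24 SA that FW4's ACL
# does not cover.
acl advanced 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl advanced 3001
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#
# NOTE(review): 3des-cbc is a legacy 64-bit-block cipher; prefer aes-cbc-256
# (or aes-gcm where the platform offers it). The transform-set must match the
# responder's, so change all three peers in the same window -- not here alone.
ipsec transform-set 5
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha256
#
ipsec transform-set 10
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha256
#
# Entry 5 -> HQ1 (FW4, reached through FW2's NAT server at 2.2.2.2).
# No "pfs" is configured on either entry; if PFS is wanted, enable it on
# FW3 and the corresponding HQ template together.
ipsec policy zbpolicy 5 isakmp
transform-set 10
security acl 3000
remote-address 2.2.2.2
ike-profile 10
#
# Entry 10 -> HQ2 (FW8 at 3.3.3.2, directly reachable).
ipsec policy zbpolicy 10 isakmp
transform-set 5
security acl 3001
remote-address 3.3.3.2
ike-profile 5
#
# IKEv1 aggressive mode with user-fqdn identity "fb": the HQ keychains look
# the PSK up by this hostname, so it must match "pre-shared-key hostname fb"
# on FW4/FW8. Aggressive mode sends the identity and the PSK-derived hash
# before encryption, so a passive observer can attack a weak key offline --
# use a long random PSK, or move to IKEv2 (ikev2 profile/keychain on
# Comware 7) which keeps FQDN identity without that exposure.
ike profile 5
keychain 5
exchange-mode aggressive
local-identity user-fqdn fb
match remote identity address 3.3.3.2 255.255.255.255
proposal 5
#
ike profile 10
keychain 10
exchange-mode aggressive
local-identity user-fqdn fb
match remote identity address 2.2.2.2 255.255.255.255
proposal 10
#
# DH group14 (2048-bit) is adequate; the 3des-cbc caveat above applies to
# the IKE proposals as well.
ike proposal 5
encryption-algorithm 3des-cbc
dh group14
authentication-algorithm sha256
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group14
authentication-algorithm sha256
#
# As initiator, FW3 selects the PSK by the responder's address. The "cipher"
# text is device-reversible (the key must be recovered to authenticate), so
# treat it as the secret itself and never reuse lab keys in production.
ike keychain 5
pre-shared-key address 3.3.3.2 255.255.255.255 key cipher $c$3$JpP3sPfDJjtOON3t7atiLT19pTaZc0X3QQ==
#
ike keychain 10
pre-shared-key address 2.2.2.2 255.255.255.255 key cipher $c$3$RFQqv8wL0FmwZW5CEL9snwo6MJaFq5gDBg==
#
# NOTE(review): permit-all security policy is lab convenience only. In
# production allow Local<->Untrust udp 500/4500 (and ESP) to the two peers,
# plus the decrypted Trust<->Untrust LAN-to-LAN flows, and nothing else.
security-policy ip
rule 0 name test-any
action pass
#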
----------------------------------------------------总部1配置如下-----------------------------------------------
【FW2】
# FW2: NAT device in front of HQ1. FW4 sits on 172.0.12.2 behind it, so IKE
# (udp/500), NAT-T (udp/4500) and raw ESP (IP protocol 50) are port-forwarded
# from the public 2.2.2.2 to FW4. Because the branch is itself behind NAT,
# presumably NAT-T is detected and ESP rides inside udp/4500, leaving the
# protocol-50 mapping as a fallback only -- verify with display ike sa verbose.
interface GigabitEthernet1/0/5
ip address 2.2.2.2 255.255.255.0
nat outbound 2000
nat server protocol udp global 2.2.2.2 500 inside 172.0.12.2 500 rule ServerRule_2
nat server protocol udp global 2.2.2.2 4500 inside 172.0.12.2 4500 rule ServerRule_3
nat server protocol 50 global 2.2.2.2 inside 172.0.12.2 rule ServerRule_1
#
interface GigabitEthernet1/0/10
ip address 172.0.12.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name Untrust
import interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0 2.2.2.1
# Return route to HQ1's LAN behind FW4.
ip route-static 192.168.20.0 24 172.0.12.2
#
# Only FW4's side of the transit link is translated outbound.
acl basic 2000
rule 5 permit source 172.0.12.0 0.0.0.255
#
# NOTE(review): the nat server rules expose IKE/ESP on 2.2.2.2 to any source;
# that is unavoidable for a branch with a NAT'd address, so PSK strength on
# FW4 is what gates who may negotiate. The permit-all security policy is
# lab-only; in production limit Untrust->Trust to udp 500/4500 and ESP
# towards 172.0.12.2.
security-policy ip
rule 0 name test-any
action pass
#
【FW4】
# FW4 (HQ1): responder only. It is behind FW2's NAT server, so its own
# address is private and it never knows the branch's public address; it
# accepts any peer presenting user-fqdn "fb" with the matching pre-shared key.
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
ip address 172.0.12.2 255.255.255.0
ipsec apply policy fbpolicy1
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
ip address 192.168.20.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name Untrust
import interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0 172.0.12.1
#
# Mirror of the branch's flow for this peer (192.168.20.0/24 <-> 192.168.10.0/24).
acl advanced 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
# NOTE(review): 3des-cbc is legacy; move to aes-cbc-256 (or aes-gcm where
# available) on FW3 and FW4 in the same change, since the sets must match.
ipsec transform-set 10
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha256
#
# policy-template: no remote-address, so FW4 never initiates; the ACL still
# bounds which flows it will accept an SA for. No pfs is configured.
ipsec policy-template fbpolicy 5
transform-set 10
security acl 3000
ike-profile 10
#
ipsec policy fbpolicy1 5 isakmp template fbpolicy
#
# Responder side of IKEv1 aggressive mode: the peer is matched by FQDN rather
# than address, which is what makes this work through NAT. Trade-off: the
# PSK-derived hash is exchanged before encryption, so a weak key can be
# brute-forced offline by anyone who captures the exchange. Use a long random
# PSK, and consider IKEv2 (ikev2 profile/keychain on Comware 7), which keeps
# FQDN identity without that exposure.
ike profile 10
keychain 10
exchange-mode aggressive
match remote identity user-fqdn fb
proposal 10
#
ike proposal 10
encryption-algorithm 3des-cbc
dh group14
authentication-algorithm sha256
#
# PSK is keyed by the initiator's hostname "fb" (must equal FW3's
# local-identity). "cipher" text is device-reversible, not a hash: treat it
# as the secret and never reuse a lab key in production.
ike keychain 10
pre-shared-key hostname fb key cipher $c$3$jy74ZpWrbna/X8mV5+JgWknoKqSrnftSxQ==
#
# NOTE(review): permit-all security policy is lab-only. In production allow
# Untrust->Local udp 500/4500 (and ESP), plus the decrypted
# Trust<->Untrust 192.168.20.0/24 <-> 192.168.10.0/24 flows, and nothing else.
security-policy ip
rule 0 name test-any
action pass
#
----------------------------------------------------总部2配置如下-----------------------------------------------
【FW8】
# FW8 (HQ2): responder only, directly on the public address 3.3.3.2 (no NAT
# in front of it). Like FW4 it accepts any peer presenting user-fqdn "fb"
# with the matching pre-shared key.
interface GigabitEthernet1/0/5
ip address 3.3.3.2 255.255.255.0
ipsec apply policy fbpolicy1
#
interface GigabitEthernet1/0/10
ip address 192.168.30.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name Untrust
import interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0 3.3.3.1
#
# Mirror of the branch's flow for this peer (192.168.30.0/24 <-> 192.168.10.0/24).
acl advanced 3000
rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
# NOTE(review): 3des-cbc is legacy; move to aes-cbc-256 (or aes-gcm where
# available) on FW3 and FW8 in the same change, since the sets must match.
ipsec transform-set 5
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha256
#
# policy-template: no remote-address, so FW8 never initiates; the ACL still
# bounds which flows it will accept an SA for. No pfs is configured.
ipsec policy-template fbpolicy 5
transform-set 5
security acl 3000
ike-profile 5
#
ipsec policy fbpolicy1 5 isakmp template fbpolicy
#
# Responder side of IKEv1 aggressive mode, peer matched by FQDN. The
# PSK-derived hash is exchanged before encryption, so a weak key can be
# brute-forced offline from a capture; use a long random PSK or consider
# IKEv2 (ikev2 profile/keychain on Comware 7).
ike profile 5
keychain 5
exchange-mode aggressive
match remote identity user-fqdn fb
proposal 5
#
ike proposal 5
encryption-algorithm 3des-cbc
dh group14
authentication-algorithm sha256
#
# PSK keyed by the initiator's hostname "fb" (must equal FW3's
# local-identity). "cipher" text is device-reversible, not a hash: treat it
# as the secret and never reuse a lab key in production.
ike keychain 5
pre-shared-key hostname fb key cipher $c$3$teL4sOn7Lb5MHZaqJMQK0gNmybAgBbdc2Q==
#
# NOTE(review): permit-all security policy is lab-only. In production allow
# Untrust->Local udp 500/4500 (and ESP), plus the decrypted
# Trust<->Untrust 192.168.30.0/24 <-> 192.168.10.0/24 flows, and nothing else.
security-policy ip
rule 0 name test-any
action pass
#
【验证】
分部到总部1（从 192.168.10.0/24 向 192.168.20.0/24 发起流量触发协商后，在 FW3 上用 display ike sa 和 display ipsec sa 确认到 2.2.2.2 的 IKE SA 与 IPsec SA 已建立）


分部到总部2（从 192.168.10.0/24 向 192.168.30.0/24 发起流量触发协商后，在 FW3 上用 display ike sa 和 display ipsec sa 确认到 3.3.3.2 的 IKE SA 与 IPsec SA 已建立；两条隧道应能同时存在）

