![Figure 1 - 8.12 GRE-OVER-IPSEC - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片61-1024x646.png)
1. IKE/IPsec configuration
1) Assign interfaces to security zones
#FW1
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
#FW2
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2) Configure routes
#FW1
ip route-static 0.0.0.0 0.0.0.0 13.13.13.254
ip route-static 172.16.101.0 24 172.16.1.1
#FW2
ip route-static 0.0.0.0 0.0.0.0 23.23.23.254
ip route-static 172.17.101.0 24 172.17.1.1
#R1
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
#R2
ip route-static 0.0.0.0 0.0.0.0 172.17.1.2
3) Configure security policies
#FW1: policy for IKE negotiation traffic (local zone <-> untrust)
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 13.13.13.13 24
destination-address 23.23.23.23 24
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 23.23.23.23 24
destination-address 13.13.13.13 24
action permit
#FW1: policy for the traffic to be protected by IPsec
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.101.0 24
destination-address 172.17.101.0 24
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.101.0 24
destination-address 172.16.101.0 24
action permit
#FW1: security policy for Internet access
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
action permit
#FW2: policy for IKE negotiation traffic (local zone <-> untrust)
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 23.23.23.23 24
destination-address 13.13.13.13 24
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 13.13.13.13 24
destination-address 23.23.23.23 24
action permit
#FW2: policy for the traffic to be protected by IPsec
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.101.0 24
destination-address 172.16.101.0 24
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.101.0 24
destination-address 172.17.101.0 24
action permit
#FW2: security policy for Internet access
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
action permit
4) Configure the NAT policy
#FW1
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.16.101.0 24
destination-address 172.17.101.0 24
action no-nat
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
action source-nat easy-ip
#Move the no-nat rule above the Internet NAT rule so IPsec traffic is matched first
rule move ipsec_flow_no_nat top
#FW2
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.17.101.0 24
destination-address 172.16.101.0 24
action no-nat
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
action source-nat easy-ip
#Move the no-nat rule above the Internet NAT rule so IPsec traffic is matched first
rule move ipsec_flow_no_nat top
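The reason `rule move ipsec_flow_no_nat top` matters is that the NAT policy runs before the IPsec ACL is evaluated: if easy-ip translates the branch traffic first, ACL 3001 no longer matches and the packets leave the WAN interface unprotected. The following model is an added example, not configuration or code from the original page; it reproduces FW1's two NAT rules and ACL 3001 with the page's addresses and classifies what reaches the WAN in both rule orders.

```python
# Added example, not from the original page: models how the order of FW1's
# NAT rules decides whether branch traffic still matches IPsec ACL 3001.
from ipaddress import ip_address, ip_network

WAN_IP = "13.13.13.13"  # FW1 GigabitEthernet1/0/0 address used by easy-ip
BRANCH_SRC = ip_network("172.16.101.0/24")  # local LAN behind FW1
BRANCH_DST = ip_network("172.17.101.0/24")  # remote LAN behind FW2

# NAT rules as (name, source prefix, destination prefix or None, action);
# the firewall evaluates them top-down and the first match wins.
NO_NAT = ("ipsec_flow_no_nat", "172.16.101.0/24", "172.17.101.0/24", "no-nat")
EASY_IP = ("nat_internet_access", "172.16.101.0/24", None, "source-nat easy-ip")


def move_top(rules, name):
    """Model of 'rule move <name> top': the named rule is evaluated first."""
    return [r for r in rules if r[0] == name] + [r for r in rules if r[0] != name]


def apply_nat(src, dst, rules):
    """Return the source address after the first matching NAT rule."""
    for _, s_net, d_net, action in rules:
        if ip_address(src) in ip_network(s_net) and (
            d_net is None or ip_address(dst) in ip_network(d_net)
        ):
            return WAN_IP if action.startswith("source-nat") else src
    return src  # no rule matched: address unchanged


def ipsec_match(src, dst):
    """True when the (post-NAT) packet matches interesting-traffic ACL 3001."""
    return ip_address(src) in BRANCH_SRC and ip_address(dst) in BRANCH_DST


def egress(src, dst, rules):
    """Classify what a trust->untrust packet looks like on the WAN side."""
    post_nat_src = apply_nat(src, dst, rules)
    if ipsec_match(post_nat_src, dst):
        return "ipsec"  # encrypted towards 23.23.23.23 by policy pl01
    if ip_address(dst) in BRANCH_DST:
        return "cleartext-to-branch"  # NAT hid the inner source, ACL missed
    return "nat-internet" if post_nat_src != src else "unnatted"


if __name__ == "__main__":
    correct = [NO_NAT, EASY_IP]
    wrong = [EASY_IP, NO_NAT]  # the order without 'rule move ... top'
    print(egress("172.16.101.10", "172.17.101.20", correct))  # ipsec
    print(egress("172.16.101.10", "172.17.101.20", wrong))  # cleartext-to-branch
    print(egress("172.16.101.10", "172.17.101.20", move_top(wrong, "ipsec_flow_no_nat")))
    print(egress("172.16.101.10", "8.8.8.8", correct))  # nat-internet
```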
5) Define the interesting traffic (IPsec ACL)
#FW1
acl number 3001
rule 10 permit ip source 172.16.101.0 0.0.0.255 destination 172.17.101.0 0.0.0.255
#FW2
acl number 3001
rule 10 permit ip source 172.17.101.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
6) Configure the IKE proposal
#FW1
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
7) Configure the IKE peer
#FW1
ike peer fw2
#Disable IKEv2 (negotiate with IKEv1 only)
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 23.23.23.23
#FW2
ike peer fw1
#Disable IKEv2 (negotiate with IKEv1 only)
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 13.13.13.13
8) Configure the IPsec proposal
#FW1
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW2
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
9) Configure the IPsec policy
#FW1
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw2
proposal pps01
#FW2
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
10) Apply the IPsec policy on the WAN interface
#FW1
interface GigabitEthernet1/0/0
ipsec policy pl01
#FW2
interface GigabitEthernet1/0/0
ipsec policy pl01
2. Extending a traditional IPsec network
![Figure 2 - 8.12 GRE-OVER-IPSEC - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片62-1024x616.png)
1) IPsec
IPsec advantage: encrypts and authenticates data securely.
IPsec disadvantage: does not carry multicast traffic, so dynamic routing protocols cannot run across the tunnel and the sites cannot exchange routes.
2) GRE
GRE disadvantage: provides no encryption.
GRE advantage: carries multicast traffic, so dynamic routing protocols can exchange routes between the sites, without hand-writing large numbers of static routes or interesting-traffic ACL entries.
3. GRE over IPsec configuration
![Figure 3 - 8.12 GRE-OVER-IPSEC - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片63-1024x615.png)
#Traffic first enters the GRE tunnel; the resulting GRE packets are then encapsulated by the IPsec tunnel
#Processing order: GRE > NAT > IPsec
1) Configure OSPF
#R1
ospf 1 router-id 1.1.1.1
area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/1
ospf enable 1 area 0.0.0.0
#R2
ospf 1 router-id 2.2.2.2
area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/1
ospf enable 1 area 0.0.0.0
#FW1 (advertises the default route into OSPF)
ospf 1 router-id 1.1.1.11
default-route-advertise
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0.0.0.0
#FW2 (advertises the default route into OSPF)
ospf 1 router-id 2.2.2.22
default-route-advertise
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0.0.0.0
2) Configure the GRE tunnel interfaces
#FW1 tunnel
interface Tunnel10
ip address 172.16.17.1 255.255.255.252
tunnel-protocol gre
source 13.13.13.13
destination 23.23.23.23
#FW2 tunnel
interface Tunnel10
ip address 172.16.17.2 255.255.255.252
tunnel-protocol gre
source 23.23.23.23
destination 13.13.13.13
3) Assign the GRE tunnel interface to a security zone
#FW1
firewall zone untrust
add interface GigabitEthernet1/0/0
firewall zone trust
add interface Tunnel10
add interface GigabitEthernet1/0/1
#FW2
firewall zone untrust
add interface GigabitEthernet1/0/0
firewall zone trust
add interface Tunnel10
add interface GigabitEthernet1/0/1
4) Configure the GRE security policies
#FW1
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
action permit
rule name GRE_outside_out
source-zone local
destination-zone untrust
source-address 13.13.13.13 mask 255.255.255.255
destination-address 23.23.23.23 mask 255.255.255.255
action permit
rule name GRE_outside_in
source-zone untrust
destination-zone local
source-address 23.23.23.23 mask 255.255.255.255
destination-address 13.13.13.13 mask 255.255.255.255
action permit
rule name GRE_inside_out
source-zone local
source-address 172.16.17.1 mask 255.255.255.255
action permit
rule name GRE_inside_in
destination-zone local
destination-address 172.16.17.1 mask 255.255.255.255
action permit
#NAT policy
nat-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
action source-nat easy-ip
#FW2
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
action permit
rule name GRE_outside_out
source-zone local
destination-zone untrust
source-address 23.23.23.23 mask 255.255.255.255
destination-address 13.13.13.13 mask 255.255.255.255
action permit
rule name GRE_outside_in
source-zone untrust
destination-zone local
source-address 13.13.13.13 mask 255.255.255.255
destination-address 23.23.23.23 mask 255.255.255.255
action permit
rule name GRE_inside_out
source-zone local
source-address 172.16.17.2 mask 255.255.255.255
action permit
rule name GRE_inside_in
destination-zone local
destination-address 172.16.17.2 mask 255.255.255.255
action permit
#NAT policy
nat-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
action source-nat easy-ip
5) Enable OSPF on the GRE tunnel
#FW1
interface Tunnel10
ospf enable 1 area 0.0.0.0
#FW2
interface Tunnel10
ospf enable 1 area 0.0.0.0
6) Configure IPsec
(1) Define the interesting traffic (the GRE tunnel endpoints)
#FW1
acl number 3001
rule 10 permit ip source 13.13.13.13 0.0.0.0 destination 23.23.23.23 0.0.0.0
#FW2
acl number 3001
rule 10 permit ip source 23.23.23.23 0.0.0.0 destination 13.13.13.13 0.0.0.0
(2) Configure the IKE proposal
#FW1
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
(3) Configure the IKE peer
#FW1
ike peer fw2
#Disable IKEv2 (negotiate with IKEv1 only)
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 23.23.23.23
#FW2
ike peer fw1
#Disable IKEv2 (negotiate with IKEv1 only)
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 13.13.13.13
(4) Configure the IPsec proposal
#FW1
ipsec proposal pps01
transform ah
ah authentication-algorithm sha2-256
#FW2
ipsec proposal pps01
transform ah
ah authentication-algorithm sha2-256
(5) Configure the IPsec policy
#FW1
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw2
proposal pps01
#FW2
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
(6) Apply the IPsec policy on the WAN interface
#FW1
interface GigabitEthernet1/0/0
ipsec policy pl01
#FW2
interface GigabitEthernet1/0/0
ipsec policy pl01
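To make the GRE > NAT > IPsec order from the start of this section concrete, the following Python model (an added example, not configuration or code from the original page) walks one packet from the FW1 LAN through the three steps with the page's addresses: the GRE outer header is sourced from the local zone, so the trust-to-untrust NAT rule never touches it, and the host-to-host ACL 3001 matches the outer header for every flow routed into Tunnel10 (including OSPF hellos and the 172.17.102.0/24 subnet added in step 7). It also contrasts step (4)'s `transform ah` proposal, which authenticates the tunnel but leaves the GRE payload readable on the wire, with section 1's `ah-esp` proposal with aes-256. The prefix list VIA_TUNNEL and the 224.0.0.5 entry are assumptions about what OSPF routes into the tunnel.

```python
# Added example, not from the original page: walks one packet through FW1's
# GRE -> NAT -> IPsec order from section 3 and reports what the WAN observes.
from ipaddress import ip_address, ip_network

TUNNEL_SRC, TUNNEL_DST = "13.13.13.13", "23.23.23.23"  # Tunnel10 endpoints
LOCAL_LAN = ip_network("172.16.101.0/24")  # trust zone behind FW1
# Assumed prefixes reached via Tunnel10: routes learned from R2 over OSPF plus
# the AllSPFRouters multicast address used by OSPF hellos on the tunnel.
VIA_TUNNEL = [ip_network(n) for n in ("172.17.101.0/24", "172.17.102.0/24", "224.0.0.5/32")]
ACL_3001 = (ip_network("13.13.13.13/32"), ip_network("23.23.23.23/32"))  # host-to-host
# Proposals as (transform, ESP encryption algorithm or None).
AH_ONLY = ("ah", None)          # section 3: 'transform ah', integrity only
AH_ESP = ("ah-esp", "aes-256")  # section 1: 'transform ah-esp' + esp encryption

def gre_step(src, dst):
    """Step 1: a packet routed into Tunnel10 gets an outer header (IP proto 47)."""
    if any(ip_address(dst) in n for n in VIA_TUNNEL):
        return {"src": TUNNEL_SRC, "dst": TUNNEL_DST, "proto": 47,
                "zone": "local", "inner": (src, dst)}
    return {"src": src, "dst": dst, "proto": None, "zone": "trust", "inner": None}

def nat_step(pkt):
    """Step 2: nat_internet_access matches trust->untrust only, so the
    local-zone GRE packet passes untouched and needs no no-nat rule."""
    if pkt["zone"] == "trust" and ip_address(pkt["src"]) in LOCAL_LAN:
        return {**pkt, "src": TUNNEL_SRC}  # easy-ip: borrow the WAN address
    return pkt

def ipsec_step(pkt, proposal):
    """Step 3: ACL 3001 is checked against the outer header; AH alone
    authenticates the packet but does not hide the GRE payload."""
    transform, esp_enc = proposal
    protected = (ip_address(pkt["src"]) in ACL_3001[0]
                 and ip_address(pkt["dst"]) in ACL_3001[1])
    encrypted = protected and "esp" in transform and esp_enc is not None
    return {**pkt, "protected": protected, "encrypted": encrypted}

def wan_view(src, dst, proposal):
    """Run the three steps and summarise what an on-path observer can read."""
    pkt = ipsec_step(nat_step(gre_step(src, dst)), proposal)
    return {"outer": (pkt["src"], pkt["dst"]), "protected": pkt["protected"],
            "inner_readable": pkt["inner"] is not None and not pkt["encrypted"]}

if __name__ == "__main__":
    print(wan_view("172.16.101.10", "172.17.102.20", AH_ONLY))  # protected, inner readable
    print(wan_view("172.16.101.10", "172.17.102.20", AH_ESP))   # protected, inner hidden
    print(wan_view("172.16.101.10", "8.8.8.8", AH_ONLY))        # NATed, not protected
```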
![Figure 4 - 8.12 GRE-OVER-IPSEC - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片64-1024x283.png)
7) Extending GRE over IPsec with a new subnet
![Figure 5 - 8.12 GRE-OVER-IPSEC - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片65-1024x678.png)
1)R1
interface GigabitEthernet0/0/2
ip address 172.16.102.254 255.255.255.0
ospf enable 1 area 0.0.0.0
2)R2
interface GigabitEthernet0/0/2
ip address 172.17.102.254 255.255.255.0
ospf enable 1 area 0.0.0.0
3) Security policy for Internet-bound traffic (add the new subnet)
#FW1
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
source-address 172.16.102.0 mask 255.255.255.0
action permit
#FW2
security-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
source-address 172.17.102.0 mask 255.255.255.0
action permit
4) NAT policy for Internet-bound traffic (add the new subnet)
#FW1
nat-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.16.101.0 mask 255.255.255.0
source-address 172.16.102.0 mask 255.255.255.0
action source-nat easy-ip
#FW2
nat-policy
rule name nat_internet_access
source-zone trust
destination-zone untrust
source-address 172.17.101.0 mask 255.255.255.0
source-address 172.17.102.0 mask 255.255.255.0
action source-nat easy-ip