8.12 GRE-OVER-IPSEC

[Figure 1]

1. IKE-IPsec configuration

1) Interface security zones
#FW1
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

#FW2
firewall zone trust
 add interface GigabitEthernet1/0/1

firewall zone untrust
 add interface GigabitEthernet1/0/0

2) Configure routes
#FW1
ip route-static 0.0.0.0 0.0.0.0 13.13.13.254
ip route-static 172.16.101.0 24 172.16.1.1

#FW2
ip route-static 0.0.0.0 0.0.0.0 23.23.23.254
ip route-static 172.17.101.0 24 172.17.1.1

#R1
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2

#R2
ip route-static 0.0.0.0 0.0.0.0 172.17.1.2

3) Configure security policies
#FW1 IKE negotiation traffic policy (local zone <-> untrust, between the tunnel endpoints)
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 13.13.13.13 24
  destination-address 23.23.23.23 24
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 23.23.23.23 24
  destination-address 13.13.13.13 24
  action permit

#FW1 IPsec-protected traffic policy (LAN to LAN)
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 24
  destination-address 172.17.101.0 24
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.17.101.0 24
  destination-address 172.16.101.0 24
  action permit

#FW1 Internet access security policy
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  action permit

#FW2 IKE negotiation traffic policy
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 23.23.23.23 24
  destination-address 13.13.13.13 24
  action permit

 rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 13.13.13.13 24
  destination-address 23.23.23.23 24
  action permit

#FW2 IPsec-protected traffic policy
security-policy
 rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 24
  destination-address 172.16.101.0 24
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.101.0 24
  destination-address 172.17.101.0 24
  action permit

#FW2 Internet access security policy
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 mask 255.255.255.0
  action permit

4) Configure NAT policies
#FW1
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 24
  destination-address 172.17.101.0 24
  action no-nat

 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  action source-nat easy-ip

#Move the IPsec no-NAT rule to the top so it is matched before the Internet NAT rule
rule move ipsec_flow_no_nat top

#FW2
nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 24
  destination-address 172.16.101.0 24
  action no-nat

 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 mask 255.255.255.0
  action source-nat easy-ip

#Move the IPsec no-NAT rule to the top so it is matched before the Internet NAT rule
rule move ipsec_flow_no_nat top
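
The `rule move ipsec_flow_no_nat top` command matters because the nat-policy is a first-match list. The Python model below is an added example, not part of the lab and not Huawei's software; the rule names and subnets come from the FW1 configuration above, while the host addresses 172.16.101.10, 172.17.101.10 and 8.8.8.8 are constructed. It shows that with the easy-ip rule first, site-to-site traffic is translated to 13.13.13.13, no longer matches ACL 3001, and therefore never gets IPsec protection:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: first-match model of the firewall's nat-policy rule list.

@dataclass
class NatRule:
    name: str
    src: str                # source-address in CIDR form
    dst: Optional[str]      # destination-address in CIDR form, None = any
    action: str             # "no-nat" or "easy-ip"

def in_net(ip: str, net: Optional[str]) -> bool:
    """True when ip is inside net; a None net matches any address."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def apply_nat(rules: List[NatRule], src_ip: str, dst_ip: str,
              egress_ip: str = "13.13.13.13") -> Tuple[str, Optional[str]]:
    """Walk the rules top-down; the first match decides (post-NAT source, rule name)."""
    for r in rules:
        if in_net(src_ip, r.src) and in_net(dst_ip, r.dst):
            if r.action == "easy-ip":
                return egress_ip, r.name    # translated to the outbound interface address
            return src_ip, r.name           # no-nat: source address untouched
    return src_ip, None                     # no rule matched: no translation

def matches_acl_3001(src_ip: str, dst_ip: str) -> bool:
    """FW1's interesting-traffic ACL from the lab: LAN A to LAN B."""
    return in_net(src_ip, "172.16.101.0/24") and in_net(dst_ip, "172.17.101.0/24")

NO_NAT = NatRule("ipsec_flow_no_nat", "172.16.101.0/24", "172.17.101.0/24", "no-nat")
EASY_IP = NatRule("nat_internet_access", "172.16.101.0/24", None, "easy-ip")

def site_to_site_after_nat(order: List[NatRule]) -> Tuple[str, Optional[str], bool]:
    """For a constructed LAN-to-LAN packet: (post-NAT source, rule hit, still matches ACL 3001)."""
    src, hit = apply_nat(order, "172.16.101.10", "172.17.101.10")
    return src, hit, matches_acl_3001(src, "172.17.101.10")

if __name__ == "__main__":
    print("no-nat rule on top:", site_to_site_after_nat([NO_NAT, EASY_IP]))
    print("easy-ip rule on top:", site_to_site_after_nat([EASY_IP, NO_NAT]))
    print("internet-bound:", apply_nat([NO_NAT, EASY_IP], "172.16.101.10", "8.8.8.8"))
```

With the no-NAT rule on top the LAN-to-LAN packet keeps its 172.16.101.10 source and matches the ACL; with the order reversed it leaves as 13.13.13.13 and silently falls outside the IPsec policy, which is the classic "tunnel is up but no traffic flows" symptom. Internet-bound traffic is translated either way.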

5) Configure interesting traffic (ACL)
#FW1
acl number 3001
 rule 10 permit ip source 172.16.101.0 0.0.0.255 destination 172.17.101.0 0.0.0.255

#FW2
acl number 3001
 rule 10 permit ip source 172.17.101.0 0.0.0.255 destination 172.16.101.0 0.0.0.255

6) Configure the IKE proposal
#FW1
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

7) Configure the IKE peer
#FW1
ike peer fw2
 #Disable IKEv2 so that only IKEv1 is negotiated
 undo version 2
 exchange-mode main
 pre-shared-key Admin@1234
 ike-proposal 5
 remote-address 23.23.23.23

#FW2
ike peer fw1
 #Disable IKEv2 so that only IKEv1 is negotiated
 undo version 2
 exchange-mode main
 pre-shared-key Admin@1234
 ike-proposal 5
 remote-address 13.13.13.13

8) Configure the IPsec proposal
#FW1
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW2
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

9) Configure the IPsec policy
#FW1
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw2
 proposal pps01

#FW2
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

10) Apply the IPsec policy on the interface
#FW1
interface GigabitEthernet1/0/0
 ipsec policy pl01

#FW2
interface GigabitEthernet1/0/0
 ipsec policy pl01
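
Most IKE/IPsec negotiation failures in a setup like this come from one side not mirroring the other. The script below is an added example, not from the lab and not Huawei's tooling: it parses two firewall configurations written in the indented style used above and reports mismatched proposals, pre-shared keys, exchange modes, remote-addresses and non-mirrored ACLs. The public addresses 13.13.13.13 and 23.23.23.23 are passed in explicitly because the config blocks do not state them; the sample inputs are constructed from the lab values, plus a second FW2 variant with a deliberately wrong DH group:

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example: mirror check for the two sides of an IKE/IPsec configuration.

def parse_blocks(cfg: str) -> Dict[str, List[str]]:
    """Group indented lines under the unindented command line that opens them."""
    blocks: Dict[str, List[str]] = {}
    key = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # skip blank lines and #comments
        if raw[0].isspace() and key is not None:
            blocks[key].append(raw.strip())
        else:
            key = raw.strip()
            blocks.setdefault(key, [])
    return blocks

def _first(blocks: Dict[str, List[str]], prefix: str) -> List[str]:
    """Lines of the first block whose opening command starts with prefix."""
    return next((v for k, v in blocks.items() if k.startswith(prefix)), [])

def _value(lines: List[str], cmd: str) -> Optional[str]:
    """Argument of the given sub-command inside a block, or None if absent."""
    for line in lines:
        if line.startswith(cmd + " "):
            return line[len(cmd) + 1:]
    return None

def _acl_pair(lines: List[str]) -> Optional[Tuple[str, str]]:
    """(source, destination) of the first permit rule in an ACL block."""
    for line in lines:
        m = re.match(r"rule \d+ permit \S+ source (\S+) \S+ destination (\S+) \S+", line)
        if m:
            return m.group(1), m.group(2)
    return None

def check_mirror(cfg_a: str, cfg_b: str, pub_a: str, pub_b: str) -> List[str]:
    """Return the list of mismatches between side A and side B; empty means they agree."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    findings: List[str] = []
    for kind in ("ike proposal", "ipsec proposal"):          # must be identical on both sides
        pa = {k: sorted(v) for k, v in a.items() if k.startswith(kind)}
        pb = {k: sorted(v) for k, v in b.items() if k.startswith(kind)}
        if pa != pb:
            findings.append(f"{kind} differs: {pa} vs {pb}")
    peer_a, peer_b = _first(a, "ike peer"), _first(b, "ike peer")
    if _value(peer_a, "pre-shared-key") != _value(peer_b, "pre-shared-key"):
        findings.append("pre-shared-key differs")
    if _value(peer_a, "exchange-mode") != _value(peer_b, "exchange-mode"):
        findings.append("exchange-mode differs")
    if _value(peer_a, "remote-address") != pub_b:           # A must point at B's public address
        findings.append(f"A remote-address {_value(peer_a, 'remote-address')} is not B's address {pub_b}")
    if _value(peer_b, "remote-address") != pub_a:           # and B at A's
        findings.append(f"B remote-address {_value(peer_b, 'remote-address')} is not A's address {pub_a}")
    acl_a, acl_b = _acl_pair(_first(a, "acl")), _acl_pair(_first(b, "acl"))
    if acl_a is None or acl_b is None or acl_a != (acl_b[1], acl_b[0]):
        findings.append(f"interesting-traffic ACLs are not mirrored: {acl_a} vs {acl_b}")
    return findings

# Constructed inputs following the lab's values, indented consistently for the parser.
FW1_CFG = """
acl number 3001
 rule 10 permit ip source 172.16.101.0 0.0.0.255 destination 172.17.101.0 0.0.0.255
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer fw2
 undo version 2
 exchange-mode main
 pre-shared-key Admin@1234
 ike-proposal 5
 remote-address 23.23.23.23
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""
FW2_CFG = (FW1_CFG
           .replace("172.16.101.0 0.0.0.255 destination 172.17.101.0",
                    "172.17.101.0 0.0.0.255 destination 172.16.101.0")
           .replace("ike peer fw2", "ike peer fw1")
           .replace("remote-address 23.23.23.23", "remote-address 13.13.13.13"))
# Deliberately broken variant: the DH group was changed on one side only.
FW2_CFG_BAD = FW2_CFG.replace("dh group14", "dh group2")

if __name__ == "__main__":
    print(check_mirror(FW1_CFG, FW2_CFG, "13.13.13.13", "23.23.23.23"))
    print(check_mirror(FW1_CFG, FW2_CFG_BAD, "13.13.13.13", "23.23.23.23"))
```

Run it against the running-config exports of both firewalls before looking at IKE debug output; a single finding such as a differing DH group explains a phase-1 failure immediately, and an ACL that is not the exact mirror explains a tunnel that comes up in one direction only.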

2. Extending a traditional IPsec network

[Figure 2]

1) IPsec

IPsec advantage: data can be encrypted and authenticated securely.

IPsec disadvantages: no support for multicast traffic or dynamic routing protocols, so routes cannot be exchanged between sites.

2) GRE

GRE disadvantage: no encryption.

GRE advantages: supports multicast traffic and dynamic routing protocols, so the sites exchange routes with each other and no large sets of static routes or interesting-traffic ACLs have to be written by hand.

3. GRE-over-IPsec configuration

[Figure 3]

#Traffic enters the GRE tunnel first; the GRE-encapsulated packets are then encapsulated by IPsec.

#Processing order: GRE > NAT > IPsec (GRE encapsulation, then the NAT policy, then the IPsec policy)

1) Configure OSPF
#R1
ospf 1 router-id 1.1.1.1
 area 0

interface GigabitEthernet0/0/0
 ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
 ospf enable 1 area 0.0.0.0

#R2
ospf 1 router-id 2.2.2.2
 area 0

interface GigabitEthernet0/0/0
 ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
 ospf enable 1 area 0.0.0.0

#FW1 (advertises a default route into OSPF)
ospf 1 router-id 1.1.1.11
 default-route-advertise
 area 0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0.0.0.0

#FW2 (advertises a default route into OSPF)
ospf 1 router-id 2.2.2.22
 default-route-advertise
 area 0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0.0.0.0

2) Configure the GRE tunnel interfaces
#FW1 tunnel configuration
interface Tunnel10
 ip address 172.16.17.1 255.255.255.252
 tunnel-protocol gre
 source 13.13.13.13
 destination 23.23.23.23

#FW2 tunnel configuration
interface Tunnel10
 ip address 172.16.17.2 255.255.255.252
 tunnel-protocol gre
 source 23.23.23.23
 destination 13.13.13.13

3) Add the GRE tunnel interface to a security zone
#FW1
firewall zone untrust
 add interface GigabitEthernet1/0/0

firewall zone trust
 add interface Tunnel10
 add interface GigabitEthernet1/0/1

#FW2
firewall zone untrust
 add interface GigabitEthernet1/0/0

firewall zone trust
 add interface Tunnel10
 add interface GigabitEthernet1/0/1

4) Configure GRE security policies
#FW1
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  action permit

 rule name GRE_outside_out
  source-zone local
  destination-zone untrust
  source-address 13.13.13.13 mask 255.255.255.255
  destination-address 23.23.23.23 mask 255.255.255.255
  action permit

 rule name GRE_outside_in
  source-zone untrust
  destination-zone local
  source-address 23.23.23.23 mask 255.255.255.255
  destination-address 13.13.13.13 mask 255.255.255.255
  action permit 

 rule name GRE_inside_out
  source-zone local
  source-address 172.16.17.1 mask 255.255.255.255
  action permit

 rule name GRE_inside_in
  destination-zone local
  destination-address 172.16.17.1 mask 255.255.255.255
  action permit

#Configure NAT policy (FW1's LAN is 172.16.101.0/24)
nat-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  action source-nat easy-ip

#FW2
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 mask 255.255.255.0
  action permit

 rule name GRE_outside_out
  source-zone local
  destination-zone untrust
  source-address 23.23.23.23 mask 255.255.255.255
  destination-address 13.13.13.13 mask 255.255.255.255
  action permit

 rule name GRE_outside_in
  source-zone untrust
  destination-zone local
  source-address 13.13.13.13 mask 255.255.255.255
  destination-address 23.23.23.23 mask 255.255.255.255
  action permit  

 rule name GRE_inside_out
  source-zone local
  source-address 172.16.17.2 mask 255.255.255.255
  action permit

 rule name GRE_inside_in
  destination-zone local
  destination-address 172.16.17.2 mask 255.255.255.255
  action permit

#Configure NAT policy
nat-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 mask 255.255.255.0
  action source-nat easy-ip

5) Enable OSPF on the GRE tunnel
#FW1
interface Tunnel10
 ospf enable 1 area 0.0.0.0

#FW2
interface Tunnel10
 ospf enable 1 area 0.0.0.0

6) Configure IPsec
(1) Configure interesting traffic (ACL)
#FW1
#The interesting traffic is now the GRE traffic between the two tunnel endpoints, not the LAN subnets
acl number 3001
 rule 10 permit ip source 13.13.13.13 0.0.0.0 destination 23.23.23.23 0.0.0.0

#FW2
acl number 3001
 rule 10 permit ip source 23.23.23.23 0.0.0.0  destination 13.13.13.13 0.0.0.0
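
Why ACL 3001 changes from the LAN subnets (section 1) to the two tunnel endpoints here follows from the processing order GRE > NAT > IPsec: by the time the IPsec policy examines the packet it has already been GRE-encapsulated, and the outer header carries 13.13.13.13 and 23.23.23.23. The Python below is an added example, not from the lab; the inner hosts 172.16.101.10 and 172.17.101.10 and the byte-level headers are constructed (checksums left at zero). It builds that packet and evaluates both ACL styles against it:

```python
import ipaddress
import struct

# Added example: GRE encapsulation followed by the IPsec ACL match on the outer header.

PROTO_ICMP = 1
PROTO_GRE = 47

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed, not captured)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def lan_packet() -> bytes:
    """Constructed inner packet: a host in site A's LAN pings a host in site B's LAN."""
    icmp = b"\x08\x00" + b"\x00" * 6            # echo request; checksum/id/seq zeroed
    return ipv4_header("172.16.101.10", "172.17.101.10", PROTO_ICMP, len(icmp)) + icmp

def gre_encap(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Stage 1 (GRE): Tunnel10 prepends a 4-byte GRE header (no flags, proto 0x0800)
    and a new outer IPv4 header with the tunnel source/destination."""
    gre = struct.pack("!HH", 0, 0x0800)
    return ipv4_header(tun_src, tun_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner

def addrs(pkt: bytes):
    """(src, dst, protocol) of the IPv4 header at the start of pkt."""
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])

def inner_addrs(pkt: bytes):
    """The LAN addresses are still there, behind the 20-byte outer IP and 4-byte GRE headers."""
    assert pkt[9] == PROTO_GRE
    return addrs(pkt[24:])

def acl_permits(pkt: bytes, src_net: str, dst_net: str) -> bool:
    """Stage 2 (IPsec): the policy's ACL is matched against the header IPsec actually sees."""
    src, dst, _ = addrs(pkt)
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))

def evaluate() -> dict:
    pkt = gre_encap(lan_packet(), "13.13.13.13", "23.23.23.23")
    return {
        "outer": addrs(pkt),
        "inner": inner_addrs(pkt),
        "lan_subnet_acl": acl_permits(pkt, "172.16.101.0/24", "172.17.101.0/24"),  # section 1 style
        "endpoint_acl": acl_permits(pkt, "13.13.13.13/32", "23.23.23.23/32"),       # section 3 style
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The LAN-subnet ACL never matches the GRE-encapsulated packet, so a section-1 style ACL left in place would leave the tunnel traffic unprotected; the endpoint ACL matches every GRE packet, which is also why the OSPF hellos crossing Tunnel10 are covered without any per-subnet rule.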

(2) Configure the IKE proposal
#FW1
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

(3) Configure the IKE peer
#FW1
ike peer fw2
 #Disable IKEv2 so that only IKEv1 is negotiated
 undo version 2
 exchange-mode main
 pre-shared-key Admin@1234
 ike-proposal 5
 remote-address 23.23.23.23

#FW2
ike peer fw1
 #Disable IKEv2 so that only IKEv1 is negotiated
 undo version 2
 exchange-mode main
 pre-shared-key Admin@1234
 ike-proposal 5
 remote-address 13.13.13.13

(4) Configure the IPsec proposal
#FW1
ipsec proposal pps01
 #AH only: the GRE packets are authenticated and integrity-protected but not encrypted (compare the ah-esp proposal in section 1)
 transform ah
 ah authentication-algorithm sha2-256

#FW2
ipsec proposal pps01
 transform ah
 ah authentication-algorithm sha2-256

(5) Configure the IPsec policy
#FW1
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw2
 proposal pps01

#FW2
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

(6) Apply the IPsec policy on the interface
#FW1
interface GigabitEthernet1/0/0
 ipsec policy pl01

#FW2
interface GigabitEthernet1/0/0
 ipsec policy pl01

[Figure 4]

7) GRE-over-IPsec extension

[Figure 5]

1) R1
interface GigabitEthernet0/0/2
 ip address 172.16.102.254 255.255.255.0
 ospf enable 1 area 0.0.0.0

2) R2
interface GigabitEthernet0/0/2
 ip address 172.17.102.254 255.255.255.0
 ospf enable 1 area 0.0.0.0

3) Configure the security policy for Internet-bound traffic
#FW1
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  source-address 172.16.102.0 mask 255.255.255.0
  action permit

#FW2
security-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.101.0 mask 255.255.255.0
  source-address 172.17.102.0 mask 255.255.255.0
  action permit

4) Configure the NAT policy for Internet-bound traffic
#FW1
nat-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.16.101.0 mask 255.255.255.0
  source-address 172.16.102.0 mask 255.255.255.0
  action source-nat easy-ip

#FW2
nat-policy
 rule name nat_internet_access
  source-zone trust
  destination-zone untrust
  source-address 172.17.102.0 mask 255.255.255.0
  action source-nat easy-ip