h12-731認證精英hcie security v1.5培訓(xùn)與實驗手冊hcsce技術(shù)

SitetoSite Site-to-Site 點到多 L2TPOver L2TPOver 配置 采 方式建立IPSec隧 配置 采用Network模式建立IPSec隧道示 采用Network-plus方式建立IPSec隧道示 IPSec主備鏈路備 IPSec網(wǎng)關(guān)主備備 5 Hub基本場 NAT穿 的NAT穿 GREOver GREOver SitetoSiteSite-to-Site實驗?zāi)?組網(wǎng)設(shè)USG6630兩臺，PC機兩臺實驗拓網(wǎng)實驗步驟Step1USG_AUSG_BIPUSG_A<USG><USG>system-[USG]sysnameUSG_AIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域[USG_A][USG_A]interface[USG_A-GigabitEthernet1/0/0]ipaddress[USG_A-GigabitEthernet1/0/0]service-manage [USG_A]interfaceGigabitEthernet0/0/2[USG_A-GigabitEthernet1/01]ipaddress [USG_A][USG_A]firewallzone[USG_A-zone-untrust]addinterface[USG_A]firewallzonetrust [USG_A-zone-trust]addinterfaceGigabitEthernet0/0/2USG_B<USG><USG>system-[USG]sysnameUSG_BIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域[USG_B]interface[USG_B]interface[USG_B-GigabitEthernet0/0/1]ipaddress[USG_B-GigabitEthernet0/0/1]service-manage [USG]interfaceGigabitEthernet0/0/2 [USG_B]firewallzone[USG_B-zone-untrust]addinterface[USG_B]firewallzone[USG_B-zone-trust]addinterfaceStep2USG_AUSG_A[USG_A] TrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允 _ipsec_1]source-zone _ipsec_1]action 名源安全目的安全區(qū)源地址/地目的地址/地動允 名源安全目的安全區(qū)源地址/地目的地址/地動允 Step3USG_BUSG_B[USG_B] TrustUntrust-security]rule 名源安全目的安全區(qū)源地址/地目的地址/地動允_ipsec_1]source-zone _ipsec_1]action UntrustLocal名源安全目的安全區(qū)源地址/地目的地址/地動允-security]rulename _ipsec_3]action LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允 -security]rule _ipsec_4]source-zone _ipsec_4]source-address _ipsec_4]action Step4USG_AUSG_BUSG_A[USG_A]iproute-static USG_B[USG_B]iproute-static Step5USG_AIPSecIPSec[USG_A]acl[USG_A]acl[USG_A-acl-adv-3000]rule5permitipsource55IKE[USG_A]ike[USG_A]ikeproposalIKE[USG_A]ike[USG_A]ikepeerIPSec[USG_A]ipsec[USG_A]ipsecproposalIPSec[USG_A] a1 -isakmp-a-1]securityacl3000 -isakmp-a-1]ike-peerb -isakmp-a-1]proposal1 IPSec[USG_A]interface[USG_A]interface aauto-Step6USG_BIPSec[USG_B]acl[USG_B]acl[USG_B-acl-adv-3000]rule5permitipsource55IKE[USG_A]ike[USG_A]ikeproposalIKE[USG_B]ike[USG_B]ikepeer[USG_B-ike-peer-b]exchange-modeauto[USG_B-ike-peer-b]pre-shared-keyAdmin@123[USG_B-ike-peer-b]ike-proposal1IPSec[USG_B]ipsec[USG_B]ipsecproposalIPSec[USG_B] b1 -isakmp-b-1]securityacl3000 -isakmp-b-1]ike-peera -isakmp-b-1]proposal1 IPSec[USG_B]interface[USG_B]interface bauto-實驗步驟Step1USG_AUSG_BIPUSG_A USG_BUSG_BIPGE0/0/1Untrust區(qū)域，GE0/0/2TrustStep2USG_AUSG_ATrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允UntrustLocal名源安全目的安全區(qū)源地址/地目的地址/地動允LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地允允動Step3USG_BUSG_BTrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允UntrustLocal名源安全目的安全區(qū)源地址/地目的地址/地動允LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允Step4USG_AUSG_BUSG_AUSG_BStep5USG_AIPSec選擇“網(wǎng)絡(luò)IPSecIPSec”，單擊“新建”，選擇“場景”為“點到點配置在“待加密的數(shù)據(jù)流”中單擊“新建”，按如下數(shù)據(jù)增加一條數(shù)據(jù)流規(guī)則展開“安全提議”中的“高級”，按照默認即Step6USG_BIPSec選擇“網(wǎng)絡(luò)IPSecIPSec”，單擊“新建”，選擇“場景”為“點到點”配置在“待加密的數(shù)據(jù)流”中單擊“新建”，按如下數(shù)據(jù)增加一條數(shù)據(jù)流規(guī)則展開“安全提議”中的“高級”，按照默認即驗證結(jié)在USG_A上選擇“網(wǎng)絡(luò)>IPSec>”，查看IPSec隧道信息，可以看在USG_B上選擇“網(wǎng)絡(luò)>IPSec>”，查看IPSec隧道信息，可以看PC_A測試 Replyfrom:bytes=56Sequence=349ttl=255time=1msReplyfrom:bytes=56Sequence=350ttl=255time=1msReplyfrom:bytes=56Sequence=351ttl=255time=1msReplyfrom:bytes=56Sequence=352ttl=255time=1PC_B測試：Replyfrom:bytes=56Sequence=349ttl=255time=1msReplyfrom:bytes=56Sequence=350ttl=255time=1msReplyfrom:bytes=56Sequence=351ttl=255time=1msReplyfrom:bytes=56Sequence=352ttl=255time=1 yfirewallsession18:21:19CurrentTotalSessions: :public-->public :public-->public:0--<USG_A>disyipsecstatistics18:18:232014/09/11thesecuritypacketinput/outputsecuritypackets:68/58input/outputsecuritybytes:5712/4872input/outputdroppedsecuritypackets:0/0theencryptpacketsendsae:58,recvsae:58,sendlocalcpu:58,othercpu:0,recvothercpu:0intactpacket:2,firstslice:0,afterslice:0thedecryptpacketsendsae:68,recvsae:68,sendlocalcpu:0,othercpu:0,recvothercpu:0reassfirstslice:0,afterslice:0,lenerr:0點到多實驗?zāi)?組網(wǎng)設(shè)USG6630三臺，PC機三臺實驗拓組網(wǎng)介本組網(wǎng)使用3臺，USG_A模擬公司總部,USG_B,USG_C分別模擬2個分部，在做IPSec配置的時候，分部的 USG_B的配置，USG_C的配置類似，總部 USG_A與點對點模式不一樣，在 實驗步驟Step1USG_AUSG_BIPUSG_AIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域（略）USG_BIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域（略）Step2USG_AUSG_A[USG_A] TrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允_ipsec_1]source-zone _ipsec_1]action 名源安全目的安全區(qū)源地址/地目的地址/地動允 LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允 Step3USG_BUSG_B[USG_B] TrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允_ipsec_1]source-zone _ipsec_1]action -security]rule-security]rule 名源安全目的安全區(qū)源地址/地目的地址/地動允 _ipsec_3]action -security]rule-security]rule 名源安全目的安全區(qū)源地址/地目的地址/地動允-security]rulename _ipsec_4]source-zone _ipsec_4]source-address _ipsec_4]action Step4USG_AUSG_BUSG_A[USG_A]iproute-static USG_B[USG_B]iproute-static Step5USG_AIPSecIPSec[USG_A]acl[USG_A]acl[USG_A-acl-adv-3000]rule5permitipsource55IKE[USG_A]ike[USG_A]ikeproposalIKE[USG_A]ike[USG_A]ikepeer[USG_A-ike-peer-b]exchange-modeauto[USG_A-ike-peer-b]pre-shared-keyAdmin@123[USG_A-ike-peer-b]ike-proposal1IPSec[USG_A]ipsec[USG_A]ipsecproposalIPSectemap1te-map1-1]securityaclte-map1-1]proposal1IPSeca1isakmp teIPSec[USG_A]interface[USG_A]interface aauto-Step6USG_BIPSec[USG_B]acl[USG_B]acl[USG_B-acl-adv-3000]rule5permitipsource55IKE[USG_A]ike[USG_A]ikeproposalIKE[USG_B]ike[USG_B]ikepeer[USG_B-ike-peer-b]exchange-modeauto[USG_B-ike-peer-b]pre-shared-keyAdmin@123[USG_B-ike-peer-b]ike-proposal1IPSec[USG_B]ipsec[USG_B]ipsecproposalIPSec[USG_B] b1 -isakmp-b-1]securityacl3000 -isakmp-b-1]ike-peera -isakmp-b-1]proposal1 IPSec[USG_A]interface[USG_A]interface bauto-實驗步驟Step1USG_AUSG_BIPUSG_AIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域（略）USG_BIPGE0/0/1Untrust區(qū)域，GE0/0/2加入Trust區(qū)域（略）Step2USG_AUSG_ATrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允UntrustLocal名源安全目的安全區(qū)源地址/地目的地址/地動允LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允Step3USG_BUSG_BTrustUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允UntrustLocal名源安全目的安全區(qū)源地址/地目的地址/地動允LocalUntrust名源安全目的安全區(qū)源地址/地目的地址/地動允Step4USG_AUSG_BUSG_AUSG_BStep5USG_AIPSec選擇“網(wǎng)絡(luò)IPSecIPSec”，單擊“新建”，選擇“場景”為“點到多點”，對配置Step6USG_BIPSec選擇“網(wǎng)絡(luò)IPSecIPSec”，單擊“新建”，選擇“場景”為“點到點配置展開“安全提議”中的“高級”，按照默認即驗證結(jié)在USG_A上選擇“網(wǎng)絡(luò)>IPSec>”，查看IPSec隧道信息，可以看在USG_B上選擇“網(wǎng)絡(luò)>IPSec> ”，查看IPSec隧道信息，可以看PC_A測試：Replyfrom:bytes=56Sequence=349ttl=255time=1msReplyfrom:bytes=56Sequence=350ttl=255time=1msReplyfrom:bytes=56Sequence=351ttl=255time=1msReplyfrom:bytes=56Sequence=352ttl=255time=1PC_B測試：Replyfrom:bytes=56Sequence=349ttl=255time=1msReplyfrom:bytes=56Sequence=350ttl=255time=1msReplyfrom:bytes=56Sequence=351ttl=255time=1msReplyfrom:bytes=56Sequence=352ttl=255time=1<USG_A>disyfirewallsession18:21:19CurrentTotalSessions: :public-->public:43987-->:2048 :public-->public:0-->:0<USG_A>disyipsecstatistics18:18:232014/09/11thesecuritypacketstatistics:input/outputsecuritypackets:68/58input/outputsecuritybytes:5712/4872input/outputdroppedsecuritypackets:0/0theencryptpacketstatisticssendsae:58,recvsae:58,sendlocalcpu:58,othercpu:0,recvothercpu:0intactpacket:2,firstslice:0,afterslice:0thedecryptpacketsendsae:68,recvsae:68,sendlocalcpu:0,othercpu:0,recvothercpu:0reassfirstslice:0,afterslice:0,lenerr:0L2TPOverL2TPOver實驗?zāi)縇2TPOverIPSec組網(wǎng)設(shè)USG一臺，PC機兩臺實驗拓隧網(wǎng)Step1IP選擇“網(wǎng)絡(luò)>接口”，在‘接口列表’里面選擇上連接LAC對應(yīng)的接口，點擊右邊的編輯，untrustIPStep2選擇“策略”2localuntrustuntrustlocalStep3選擇“對象>用戶>用戶/組在“成員管理”中，單擊“新建”，選擇“新建用戶”，按如下參數(shù)配置出差員工“vpdnuser”的用戶信息，為o123。本例以“default”組為例，實際應(yīng)用Step4L2TPoverIPSecStep5選擇“網(wǎng)絡(luò)IPSecIPSec”，在“IPSec策略列表”下單擊“新建”Step6選擇“場景”為“點到多點”，“對端接入類型”選擇“L2TPoverIPSec客戶端”Step7按如下參數(shù)配置“基本配置”，總部此時為了讓多個分支接入，不指定分支的地址。預(yù)共享密鑰為Admin@123。Step9Step10選擇“網(wǎng)絡(luò)L2TP創(chuàng)建L2TP隧道，隧 Step11配置出差員工 出差員工側(cè)主機上必須裝有L2TP客戶端軟件并通過撥號方式連接到Internet。以Secoway Step12打開 軟Step13Step14設(shè)置L2TP用戶名：vpdnuser，登 驗證字 驗證結(jié)在 端PC上，單擊配置完畢 連接的，建L2TP LNSL2TP選擇“網(wǎng)絡(luò)>L2TP> ”，查看到有L2TP隧道ID，說明L2TP隧道建本端通道1對端通道1本端地址/PPP地對端地址/PPP地端1對端名1LNSIPSecIPSec隧道策略名狀本端地對端地IKEPSec在LAC端PC上，可以查看到分配到了 實驗?zāi)客ㄟ^本實驗，你將了解配置Efficient 方式建立IPSec隧道的詳組網(wǎng)設(shè)USG一臺，PC機兩臺實驗拓隧DHCP DHCP /24RTARTB/24網(wǎng)Step1在 上配置接口的IP地址 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet0/0/1]ipaddress ]interfacegigabitethernet -GigabitEthernet2/0/0]ipaddress Step2在Rou上配置到對端的靜態(tài)路由，此處假設(shè)到對端的下一跳地址]iproute-static]iproute-staticStep3RouterBIPEthernet4/0/0IPIP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet1/0/0]ipaddress[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddress[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet3/0/0]ipaddress[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet4/0/0]ipaddressStep4RouterB[RouterB][RouterB]iproute-static[RouterB]iproute-staticStep5RouterBDHCPDHCP#DHCPDHCPDHCP[RouterB][RouterB]dhcp[RouterB]dhcpservergroupdhcp-Step6RouterB作為IPSec隧道協(xié)商響應(yīng)方，采用策略模板方式與Rou建IPSec#通過AAA業(yè)務(wù)模板配置要推送的資源屬性，推送IP地址、DNS、DNS服務(wù)器地址和WINS服務(wù)器地址。[RouterB][RouterB][RouterB-aaa][RouterB-aaa]service-scheme[RouterB-aaa-service-schemetest]dhcp-servergroupdhcp-ser1[RouterB-aaa-service-schemetest]dns-name [RouterB-aaa-service-schemetest]dns[RouterB-aaa-service-schemetest]dns[RouterB-aaa]Step7IKEIKEAAAIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3Step8IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]-tetemp1-templet-temp1-10]ike-peer-templet-temp1-10]proposal110isakmpteStep9[RouterB][RouterB]interfacegigabitethernet1Step10在Rou上采用方式配置Efficient，建立IPSec隧道#配置Efficient的模式為模式，并在模式視圖下指定IKE協(xié)商時的對端]ipsec - ]remote-address - ]pre-shared-key - ]Step11在接口上應(yīng)用Efficient]interfacegigabitethernet-GigabitEthernet1/0/0]ipsece驗證結(jié)配置成功后，在主機PCA上執(zhí)行操作仍然可以通主機PCB，執(zhí)行命令disyipsecstatisticsesp可以查看數(shù)據(jù)包的統(tǒng)計信息。在Rou上執(zhí)行disyikesav2操作，結(jié)果如下]yikesa0021分別在Rou和RouterB上執(zhí)行disyipsecsa可以查看所配置的信息，以Rou為例。] yipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSecname: :-Connection:Encapsulationmode:TunnelTunnellocal :Tunnelremote :Flow Flowdestination :/0/0Qospre-classify :DisableQos :[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:在Rou上執(zhí)行disyipsecefficient-顯示Efficient策略的配置文Rou的配置文##sysnameRouipseceremote-addressv2pre-shared-keysimple#interfaceipaddressipsecefficient- #interfaceGigabitEthernet2/0/0ipaddressiproute-staticiproute-static##sysnameRouterBdhcp#ipsecproposalprop1ikeproposalencryption-algorithm3des-cbcdhgroup2#ikepeerrut3pre-shared-keysimpleike-proposal5service-schemeschemetest tetemp110ike-peerrut3proposalprop1 110isakmptem tetemp1dhcpservergroupdhcp-ser1dhcp-server0gatewayservice-schemeschemetestdnsdnsdhcp-servergroupdhcp-ser1winswins #interfaceipaddress #interfaceGigabitEthernet2/0/0ipaddressinterfaceipaddress##interfaceipaddressiproute-staticiproute-static 實驗?zāi)客ㄟ^本實驗，你將了解配置Efficient 采用Network模式建立IPSec隧道組網(wǎng)設(shè)AR2200路由器兩臺，PC實驗拓隧/24/24RTARTB/24網(wǎng)Step1在 上配置接口的IP地址 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet1/0/0]ipaddress]interfacegigabitethernet-GigabitEthernet2/0/0]ipaddressStep2在Rou上配置到對端的靜態(tài)路由，此處假設(shè)到對端的下一跳地址]iproute-static]iproute-staticStep3RouterBIP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet0/0/1]ipaddress[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddressStep4RouterB[RouterB][RouterB]iproute-static[RouterB]iproute-staticStep5在Rou上采用Network模式配置Efficient，作為協(xié)商發(fā)RouterBIPSecStep6ACL/24/24]aclnumber-acl-adv-3001]rule1permitipsource55Step7配置Efficient的模式為Network，并在模式視圖下ACL、指定]ipsecemode[Rou-ipsec-efficient--e]securityacl[Rou-ipsec-efficient--e]remote-address-]Step8在接口上應(yīng)用Efficient ]interfacegigabitethernet-GigabitEthernet1/0/0]ipsec eStep9在RouterB上配置策略模板方式的安全策略，作為協(xié)商響應(yīng)Rou建立IPSec隧道Step10通過AAA業(yè)務(wù)模板配置要推送的資源屬性，推送DNS、DNS服務(wù)器地址和WINS服務(wù)器地址。[RouterB][RouterB][RouterB-aaa]service-scheme [RouterB-aaa-service-schemetest]dns[RouterB-aaa]Step11IKEIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3Step12IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]-teuse1-templet-use1-10]ike-peer-templet-use1-10]proposal110isakmpteStep13[RouterB][RouterB]interfacegigabitethernet1驗證結(jié)配置成功后，在主機PCA上執(zhí)行操作仍然可以通主機PCB，執(zhí)行命令disyipsecstatisticsesp可以查看數(shù)據(jù)包的統(tǒng)計信息。分別在Rou和RouterB上執(zhí)行disyikesav2會顯示所配置的信息，以Rou為例。 ] yikesa 0021分別在Rou和RouterB上執(zhí)行disyipsecsa會顯示所配置的信息，以Rou為例。] yipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSecname: :-NETWORKConnection:Encapsulationmode:TunnelTunnellocal :Tunnelremote :Flowsource :/550/0Flowdestination:/550/0Qospre-classify:DisableQos :[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESPSAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:在Rou上執(zhí)行disyipsecefficient-顯示Efficient策略的配置文Rou的配置文##sysnameRouaclnumberrule1permitipsource55destination55ipsecefficient- modenetworkremote-addressv2pre-shared-keysimplesecurityacl3001#interfaceipaddressipsecefficient- #interfaceGigabitEthernet2/0/0ipaddressiproute-staticiproute-static##sysnameRouterBipsecproposaltran1ikeproposalencryption-algorithmencryption-algorithm3des-cbcdhgroup2#ikepeerrut3pre-shared-keysimpleike-proposal5service-schemeschemetest - teuse1ike-peerrut3proposaltran1110isakmpteservice-schemeschemetestdnsdnswinswins #interfaceipaddress #interfaceGigabitEthernet2/0/0ipaddressiproute-staticiproute-staticIPSec隧道示實驗?zāi)客ㄟ^本實驗，你將了解配置Efficient采用Network-plus方式建立組網(wǎng)設(shè)AR2200路由器兩臺，PC/24RTARTB/24網(wǎng)隧實驗步驟Step1在 上配置接口的IP地址 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet1/0/0]ipaddress ]interfacegigabitethernet -GigabitEthernet2/0/0]ipaddress Step2在 ]iproute-static]iproute-staticStep3RouterBIP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet1/0/0]ipaddress[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddress在[RouterB][RouterB]iproute-static[RouterB]iproute-staticStep5在Rou上采用Network-plus模式配置Efficient，作為協(xié)商發(fā)RouterBIPSecStep6ACL/24/24]aclnumber-acl-adv-3001]rule1permitipsource55Step7配置Efficient的模式為Network-plus，并在模式視圖下ACL、指定]ipsece[Rou-ipsec-efficient--e]securityacl[Rou-ipsec-efficient--e]remote-address-]Step8在接口上應(yīng)用Efficient]interfacegigabitethernet-GigabitEthernet1/0/0]ipseceStep9在RouterB上配置策略模板方式的安全策略，作為協(xié)商響應(yīng) Rou建立IPSec隧道，配置要推送的資源屬性，推送IP地址、DNS 、DNS服務(wù)器地址和WINS服務(wù)器地址。[RouterB][RouterB]ippool[RouterB-ip-pool-po1]networkmask[RouterB-ip-pool-po1]gateway-list[RouterB][RouterB-aaa]service-scheme [RouterB-aaa-service-schemetest]dns[RouterB-aaa]Step10IKEIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3[RouterB-ike-peer-rut3]exchange-modeaggressive[RouterB-ike-peer-rut3]pre-shared-keysimple[RouterB-ike-peer-rut3]ike-proposal5Step11IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]-teuse1-templet-use1-10]ike-peer-templet-use1-10]proposal110isakmpteStep12[RouterB][RouterB]interfacegigabitethernet1驗證結(jié)配置成功后，在主機PCA上執(zhí)行操作仍然可以通主機PCB，執(zhí)行命令disyipsecstatisticsesp可以查看數(shù)據(jù)包的統(tǒng)計信息。分別在Rou和RouterB上執(zhí)行disyikesa會顯示所配置的信息，以Rou為例。[Rou]disyike Flag(s) 2 2 1 分別在Rou和RouterB上執(zhí)行息，以Rou為例yipsecsa[Rou]disyipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSec name: : -NETWORKPLUSConnection Encapsulationmode:TunnelTunnellocal :Tunnelremote :Flow Flow :/0.00.0Qospre- :[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:IPSec name: : -NETWORKPLUSConnection Encapsulationmode:TunnelTunnellocal :Tunnelremote :Flow :/255.255255.0Flow :/255.255255.0Qospre-classify :Disable[OutboundESPSAs] SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:N[InboundESPSAs] SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal: 在Rou上執(zhí)行disyipsecefficient-顯示Efficient策略的信] yipsecIPSec name:Using :IPSecEfficient-IPSecEfficient-ACLNumberAuthMethodLocalIDTypeIKEVersionRemoteAddressPreSharedKeyPFSTypeLocalAddressRemotePKI::3 ::8(8:PSK::1(1:IP:1(1:IKEv1: ::0(0:Disable1:Group12:Group2:: ywindowsizeQospre-classifyInterfaceloopbackInterfaceloopbackIPDnsserverIPWinsserver:::0(0:Disable:::,:,DnsAuto-update::Auto-updateAuto-update 配置文Rou的配置文##sysnameRouaclnumberrule1permitipsource55destination55ipsecefficient- modenetwork-plusremote-addressv1pre-shared-keysimplesecurityacl3001#interfaceipaddressipsecefficient- #interfaceGigabitEthernet2/0/0ipaddressiproute-staticiproute-static##sysnameRouterBipsecproposaltran1ikeproposal5encryption-algorithm3des-cbcdhgroup2#ikepeerrut3exchange-modeaggressivepre-shared-keysimpleike-proposalservice-scheme##- teuse1ike-peerrut3proposaltran1ippool110isakmptegateway-listnetworkmask28service-schemeschemetestdnsdnssecondaryip-poolpo1winswins #interfaceipaddress #interfaceGigabitEthernet2/0/0ipaddressiproute-staticiproute-staticIPSec主備鏈路備實驗?zāi)縄PSec組網(wǎng)設(shè)USG兩臺，路由器一臺，PC機兩臺實驗拓實驗步驟IPIPIPIPIPTunnel1Tunnel2IP _B通過Tunnel接口與N _A在公網(wǎng)上建立IPSec隧道，因此需要使用公網(wǎng)地址，本例中Tunnel1和Tunnel2接口借用了GigabitEthernet1/0/1接口IPSec安全提ESP協(xié)議驗ESP協(xié)議加IKEIPIPStep1IP>system-]sysname_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/0]ipaddress_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/1]ipaddress_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/2]ipaddressStep2_A]firewallzone _A-zone-trust]addinterfaceGigabitEthernet _A]firewallzone _A-zone-untrust]addinterfaceGigabitEthernet _A-zone-untrust]addinterfaceGigabitEthernet Step3配置策略TrustUntrust域的轉(zhuǎn)發(fā)策略，允許封裝前和解封后的報文能通過N_A。 _A]-security]rulename -security-rule-1]action -security]rulename -security-rule-2]source-address -security-rule-2]action LocalUntrustIKEN_A-security]rulename -security-rule-3]action -security]rulename Step4配置IP-Link，用于檢測N_A到N_B的主鏈路是否正常 _A]ip-linkcheck _A]ip-link1destinationinterfaceGigabitEthernet1/0/1icmpnext-hop Step5配置兩條到分支的路由，主路由的優(yōu)先級為10，綁定IP-Link功能；備用路由的優(yōu)先級為20。當設(shè)備檢測到主鏈路故障時，將自動啟用備用路由。 _A]iproute-static24preference10trackip-link _A]iproute-static24preference _A]iproute-staticpreference Step6配置控制列表， _A]acl _A-acl-adv-3000]rulepermitipsource55 _A-acl-adv-3000]quit _A]acl3001 _A-acl-adv-3001]rulepermitipsource55Step7tran1IPSec_A]ipsecproposal Step810IKE_A]ikeproposal Step9IKEPeer_A]ikepeer_A-ike-peer-b]ike-proposal _A-ike-peer-b]pre-shared-keyKey123 _A-ike-peer-b]undoversion2 Step10IPSecmap1_A]_A]map110 -isakmp-map1-10]securityacl -isakmp-map1-10]ike-peer map210 -isakmp-map1-10]securityacl -isakmp-map1-10]ike-peer Step11GigabitEthernet1/0/1GigabitEthernet1/0/2上分別應(yīng)用安全策略組map1。_A]interfaceGigabitEthernet map1auto- _A]interfaceGigabitEthernet map2auto- Step12配置N_B基礎(chǔ)配置配置接口IP地址>system-]sysname_B]interfaceGigabitEthernet_B-GigabitEthernet1/0/0]ipaddress_B]interfaceGigabitEthernet_B-GigabitEthernet1/0/1]ipaddress_B]interfacetunnel_B-Tunnel1]ipaddressunnumberedinterfaceGigabitEthernet_B-Tunnel1]_B]interfacetunnel_B-Tunnel2]ipaddressunnumberedinterfaceGigabitEthernet_B-Tunnel2] _B]firewallzone _B-zone-trust]addinterfaceGigabitEthernet _B]firewallzone _B-zone-untrust]addinterfaceGigabitEthernet _B-zone-untrust]addinterfaceTunnel _B-zone-untrust]addinterfaceTunnel Step13配置策略TrustUntrust域的轉(zhuǎn)發(fā)策略，允許封裝前和解封后的報文能通過N_B。 _B]-security]rulename -security-rule-1]source-address -security-rule-1]action -security]rulename -security-rule-2]action LocalUntrustIKEN_B-security]rulename -security-rule-3]source-address -security-rule-3]action -security]rulename Step14配置IP-Link，用于檢測N_B到N_A的鏈路是否正常 _B]ip-linkcheck _B]ip-link1destinationinterfaceGigabitEthernetmodeicmpnext-hop Step15配置到Tunnel接口的路由。分支總部的數(shù)據(jù)流被首先到Tunnel接 _B]iproute-staticTunnel2preference linkStep _B]iproute-static Step17配置控制列表，定義需要保護的數(shù)據(jù)流在N_B中需要配置兩個IPSec策略，因為兩個IPSec策略不能同一 _B]acl _B-acl-adv-3000]rulepermitipsource55 _B-acl-adv-3000]quit _B]acl3001 _B-acl-adv-3001]rulepermitipsource55Step18tran1IPSec_B]ipsecproposal Step1910IKE_B]ikeproposal Step20IKEPeer需要在N_B上配置兩個對等體。當N_A主備切換時，N_B將切換對等體與N_A進行協(xié)商。 _B]ikepeer _B-ike-peer-a1]ike-proposal _B-ike-peer-a1]remote-address _B-ike-peer-a1]pre-shared-keyKey123 _B-ike-peer-a1]undoversion2 _B-ike-peer-a1]quit _B]ikepeer _B-ike-peer-a2]ike-proposal _B-ike-peer-a2]remote-address _B-ike-peer-a2]pre-shared-keyKey123 _B-ike-peer-a2]undoversion Step21IPSecmap1map2_B]_B]map110 -isakmp-map1-10]securityacl -isakmp-map1-10]ike-peer map210 -isakmp-map2-10]securityacl -isakmp-map2-10]proposal Step22Tunnel1Tunnel2map1map2_B]interfacetunnel_B-Tunnel1]_B-Tunnel1]_B]interfacetunnel_B-Tunnel2]_B-Tunnel2] 結(jié)果驗配置完成后，在總部的PC1上執(zhí)行命令，看能否通分支下的PC2。如果配置正確，則PC1和PC2可以相互通。如果有步驟2、3、4的顯示信息，則說明PC1和PC2之間的通信經(jīng)過了IPSec隧道封分別在N_A、N_B上執(zhí)行disyikesa命令會顯示IKE安全聯(lián)盟的建立情況。以N_A為例，出現(xiàn)以下顯示說明IKE安全建立_A> yikecurrentikesanumber: 2 flag 分別在N_A、N_B上執(zhí)行disyipsecsa命令會顯示IPSec安全的建立情況。以N_A為例，出現(xiàn)以下顯示說明IPSec安全聯(lián) _A> yipsecInterface:GigabitEthernet1/0/1pathMTU:1500 name:"map1"sequencenumber:10mode:isakmp:connectionid:rulenumber:5encapsulationmode:tunnelholdingtime:1d0h5m39stunnellocal: tunnelremote: source:flowdestination:[inboundESPSAs] :public said:0 cpuid:0x0000proposal:ESP-ENCRYPT-AESESP-AUTH-sha1saremainingkeyduration(bytes/sec): maxreceivedsequence-number:4udpencapsulationusedfornattraversal:N[outboundESPSAs] :public said:1 cpuid:0x0000proposal:ESP-ENCRYPT-AESESP-AUTH-sha1saremainingkeyduration(bytes/sec): maxsentsequence-number:5udpencapsulationusedfornattraversal:執(zhí)行命令disyipsecstatistics可以查看被加密的數(shù)據(jù)包的變化，即它們之間的數(shù)據(jù)傳輸將被加密。以N_A為例。input/outputinput/outputsecuritypackets:thesecuritypacket_A> yipsecinput/outputsecuritybytes:input/outputdroppedsecuritypackets:theencryptpacketsendsae:0,recvsae:0,sendlocalcpu:0,othercpu:0,recvotherintactpacket:0,firstslice:0,afterthedecryptpacketsendsae:0,recvsae:0,sendlocalcpu:0,othercpu:0,recvother firstslice:0,afterslice:0,lendroppedsecuritypacketnoenoughmemory:0,toolong:can'tfindSA:0,wrongSA:0authentication:0,rey:0frontrecheck:0,afterrecheck:exceedbytelimit:0,exceedpacketlimit:changecpuenc:0,decchangecpu:0changedhan:0,fibsearch:0rcvenc(dec)formsaesaiderr:0,sendport:0,outputl3:0,l2tpinput:negotiateaboutpacketIP ok:0,err:0,IPrcvother toike:0,IKEpacket ok:0,IKEpacket ok:0,SoftExpr:0,HardExpr:0,DPDOper:0,t:0,SaeSucc:0,SoftwareSucc:斷開N_A的GigabitEthernet1/0/1接口，查看是否完成鏈路切換。執(zhí)行disyikesa、disyipsecsa命令，查看到新的安全已經(jīng)存在?？偛亢头种еg依然能夠成功發(fā)送和接收報文。且執(zhí)行disyipsecstatisticsIPSec隧道化實現(xiàn)鏈路備份實實驗?zāi)縄PSecIPSec組網(wǎng)設(shè)USG兩臺，路由器一臺，PC機兩臺實驗拓NN 隧 網(wǎng)實驗步驟Step1 IP IP IP IPTunnel ：TunnelIPIKEIKEIKE驗 IPSecESP認證方式：SHA1ESP：AESIPIPIKEIKEIKE驗證類型IPSecESPStep2配置N_A的接口IP地址 _A>system- _A]interfaceGigabitEthernet _A-GigabitEthernet1/0/3]ipaddress24 _A-GigabitEthernet1/0/3]quit _A]interfaceGigabitEthernet _A-GigabitEthernet1/0/1]ipaddress24 _A-GigabitEthernet1/0/1]quit _A]interfaceGigabitEthernet _A-GigabitEthernet1/0/2]ipaddress_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/4]ipaddressStep3_A]firewallzone_A-zone-trust]addinterfaceGigabitEthernet_A]firewallzone_A-zone-untrust]addinterfaceGigabitEthernet_A-zone-untrust]addinterfaceGigabitEthernet_A-zone-untrust]addinterfaceGigabitEthernetStep4Tunnel_A]interfacetunnel_A-tunnel0]tunnel-protocol_A-tunnel0]ipaddress Step5Tunnel[N_A]firewallzone[N_A-zone-untrust]addinterfacetunnel Step6#TrustUntrust _A]-security]rulename _ipsec_1]destination-zone _ipsec_1]destination-zone _ipsec_1]source-address _ipsec_1]destination-address_ipsec_1]action -security]rule _ipsec_2]source-zone _ipsec_2]destination-zone _ipsec_2]source-address _ipsec_2]destination-address_ipsec_2]action _ipsec_2] #LocalUntrust-security]rulename [N_ipsec_3]source-zone _ipsec_3]source-address_ipsec_3]source-address_ipsec_3]source-address_ipsec_3]source-address _ipsec_3]action -security]rulename _ipsec_4]source-zone _ipsec_4]source-address _ipsec_4]destination-address _ipsec_4] Step7BBTunnel0 _A]iproute-statictunnel Step8配置到N_B的3條等價路由_A]iproute-static32 _A]iproute-static32 _A]iproute-static32 Step9IPSec_A]acl_A-acl-adv-3000]rulepermitipsource55 Step10tran1IPSec_A]ipsecproposal 為ESP默認的認證算法，AES為ESP默認的加密算法，可以不配置。Step1110IKE_A]ikeproposal pre-share驗證方法為IKE默認的驗證方法，SHA1為默認驗證算法，可以不配 Step12 _A]ikepeer _A-ike-peer-b]ike-proposal _A-ike-peer-b]remote-address _A-ike-peer-b]pre-shared-keyabcdeN同時開啟IKEv1和IKEv2，缺省情況下采用IKEv2進行協(xié)商，若對端不支持IKEv2，請禁用IKEv2，采用IKEv1進行協(xié)商。隧道對端IP地址為N_B與Internet相連的接口的IP地址。Step13IPSecmap1_A]map110 -isakmp-map1-10]securityacl -isakmp-map1-10]ike-peer Step14Tunnelmap1_A]interfacetunnelStep15配置N_B的基礎(chǔ)配置GigabitEthernet1/0/3TrustGigabitEthernet1/0/1加入Untrust區(qū)域。詳細步驟可參見N_A的配置。Step16#TrustUntrust_B]-security]rule _ipsec_1]source-zone _ipsec_1]destination-zone _ipsec_1]source-address _ipsec_1]destination-address_ipsec_1]action -security]rule _ipsec_2]source-zone _ipsec_2]destination-zone _ipsec_2]source-address _ipsec_2]destination-address_ipsec_2]action _ipsec_2] #LocalUntrust-security]rulename [N_ipsec_3]source-zone _ipsec_3]source-address _ipsec_3]destination-address _ipsec_3] -security]rule_ipsec_3] -security]rulename _ipsec_4]source-zone _ipsec_4]source-address_ipsec_4]source-address_ipsec_4]source-address_ipsec_4]source-address _ipsec_4]actionpermit _ipsec_4]quit Step17 _B]iproute-static Step18配置到N_A的Tunnel接口的路由 _B]iproute-static55 Step _B]acl _B-acl-adv-3000]rulepermitipsource55Step20tran1IPSec_B]ipsecproposal 為ESP默認的認證算法，AES為ESP默認的加密算法，可以不配置。Step2110IKE_B]ikeproposal pre-share驗證方法為IKE默認的驗證方法，SHA1為默認驗證算法，可以不配Step22aIKEpeer_B]ikepeer_B-ike-peer-a]N同時開啟IKEv1和IKEv2，缺省情況下采用IKEv2進行協(xié)商，若對端不支持IKEv2，請禁用IKEv2，采用IKEv1進行協(xié)商。Step23map110_B]map110 -isakmp-map1-10]securityacl -isakmp-map1-10]ike-peer Step24GigabitEthernet1/0/1map1_B]interfaceGigabitEthernet 結(jié)果驗配置完成后，在PC1執(zhí)行命令，看能否通PC2。如果配置正確，則PC1和PC2可以相互通。如果有步驟2、3、4的顯示信息，則說明PC1和PC2之間的通信經(jīng)過了IPSec隧道封裝。分別在N_A、N_B上執(zhí)行disyikesa命令會顯示IKE安全聯(lián)盟的建立情況。以N_A為例，出現(xiàn)以下顯示說明IKE安全建立<N_A>disyikecurrentikesanumber: phase flag 分別在N_A、N_B上執(zhí)行disyipsecsa命令會顯示IPSec安全的建立情況。以N_A為例，出現(xiàn)以下顯示說明IPSec安全聯(lián)_A> yips