A VPN is an ideal way to provide data communication between company sites economically and securely, as an alternative to existing WAN infrastructures.
IPSec is a standard security protocol used for tunnelling, encryption and authentication when carrying data over the Internet.
-
General device IP address configuration.
Switches S1 and S2 need no configuration for the router and firewall setup. Clear the S1 and S2 configurations and restart both devices.
Let's configure the IP addresses of the devices.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/1]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
Let's configure the IP addresses of the interfaces on FW1 and FW2.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ip address 10.0.10.1 24

<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]ip address 10.0.200.1 24
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ip address 10.0.20.2 24
Configure the firewall zones on FW1 and FW2 and add the interfaces to the zones.
[FW1-zone-dmz]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0

[FW2-zone-dmz]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/0/0
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add interface Ethernet 2/0/0
-
Security filter configuration between zones.
Let's configure the devices to forward packets only between the trust and untrust zones and between the local and untrust zones.
[FW1]firewall packet-filter default permit interzone trust untrust
[FW1]firewall packet-filter default permit interzone local untrust

[FW2]firewall packet-filter default permit interzone trust untrust
[FW2]firewall packet-filter default permit interzone local untrust
-
Let's configure the routers so that the network can communicate.
Let's configure single-area OSPF on the devices.
[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255

[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255

[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255

[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Let's check the connectivity between FW1 and FW2.
[FW1]ping 10.0.20.2
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=253 time=30 ms
    Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=253 time=30 ms
    Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=253 time=40 ms
    Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=253 time=30 ms
  --- 10.0.20.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/34/40 ms

[FW1]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=253 time=70 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=253 time=60 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=253 time=70 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=253 time=70 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=253 time=60 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/66/70 ms

[FW2]ping 10.0.10.1
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=253 time=40 ms
    Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=253 time=30 ms
    Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=253 time=40 ms
    Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=253 time=30 ms
    Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=253 time=30 ms
  --- 10.0.10.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/34/40 ms

[FW2]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=30 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=30 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/30/30 ms
The test results show that the 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24 and 10.0.23.0/24 networks are reachable from one another.
-
IPSec VPN configuration between a branch network and the headquarters network.
Let's create ACLs on FW1 and FW2 to define the IPSec VPN traffic between the two devices.
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255

[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
Let's configure static routes between the headquarters intranet and the branch network.
[FW1]ip route-static 10.0.200.0 24 10.0.10.2

[FW2]ip route-static 10.0.100.0 24 10.0.20.1
Let's create an IPSec proposal on FW1 and FW2.
Set the encapsulation mode to tunnel mode and use ESP to protect the data. ESP uses the DES encryption algorithm and the SHA1 authentication algorithm.
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des

[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
Let's configure an IKE proposal on FW1 and FW2.
Set DES as the encryption algorithm and SHA1 as the authentication algorithm.
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des

[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
Let's configure an IKE peer that uses IKEv2 negotiation by default.
Apply the IKE proposal, configure the pre-shared key, and set the peer address to the IP addresses of FW1 and FW2.
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2
[FW1-ike-peer-fw12]pre-shared-key abcde

[FW2]ike peer fw21
[FW2-ike-peer-fw21]ike-proposal 10
[FW2-ike-peer-fw21]remote-address 10.0.10.1
[FW2-ike-peer-fw21]pre-shared-key abcde
Let's create an IPSec policy on FW1 and FW2.
While configuring the IPSec policy, bind the ACL, the IPSec proposal and the IKE peer to the policy.
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12

[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3000
[FW2-ipsec-policy-isakmp-map1-10]proposal tran1
[FW2-ipsec-policy-isakmp-map1-10]ike-peer fw21
Let's apply the IPSec policy to the interfaces on FW1 and FW2.
[FW1]interface Ethernet2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1

[FW2]interface Ethernet2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1
Let's verify the IPSec configuration.
[FW1]ping -a 10.0.100.1 10.0.200.1
  PING 10.0.200.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms
  --- 10.0.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/52/60 ms

[FW1]display ike sa
current ike sa number: 1
---------------------------------------------------------------------
connection-id   peer          vpn   flag      phase   doi
---------------------------------------------------------------------
0x1a            10.0.20.2     0     RD        v2:2    IPSEC
0x1             10.0.20.2     0     RD|ST     v2:1    IPSEC

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING
TO--TIMEOUT   TD--DELETING   NEG--NEGOTIATING   D--DPD

[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 9
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 16s
tunnel local : 10.0.10.1   tunnel remote: 10.0.20.2
flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0

[inbound ESP SAs]
spi: 74331737 (0x46e3659)
vpn: 0  said: 0  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max received sequence-number: 4
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 18969668 (0x1217444)
vpn: 0  said: 1  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
The branch intranet can communicate with the headquarters intranet.
-
IPSec VPN configuration between a branch office network and the headquarters network.
Let's create an ACL on the branch office router and on the headquarters firewall to define the IPSec VPN traffic.
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255

[FW2]acl 3001
[FW2-acl-adv-3001]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
Let's configure static routes between the branch network and headquarters.
[R3]ip route-static 10.0.200.0 24 10.0.23.2

[FW2]ip route-static 10.0.3.0 24 10.0.20.1
Let's create an IPSec proposal on R3.
Set the encapsulation mode to tunnel mode and use ESP to protect the data. ESP uses the DES encryption algorithm and the SHA1 authentication algorithm.
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]encapsulation-mode tunnel
[R3-ipsec-proposal-tran1]transform esp
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran1]esp encryption-algorithm des
Let's configure an IKE proposal on FW2 and R3.
Set DES as the encryption algorithm and SHA1 as the authentication algorithm.
[R3]ike proposal 10
[R3-ike-proposal-10]authentication-algorithm sha1
[R3-ike-proposal-10]encryption-algorithm des
Let's configure an IKE peer that uses IKEv2 negotiation by default.
Apply the IKE proposal, configure the pre-shared key, and set the peer address to the IP addresses of R3 and FW2.
[FW2]ike peer fw23
[FW2-ike-peer-fw23]ike-proposal 10
[FW2-ike-peer-fw23]remote-address 10.0.23.3
[FW2-ike-peer-fw23]pre-shared-key abcde

[R3]ike peer r32 v2
[R3-ike-peer-r32]ike-proposal 10
[R3-ike-peer-r32]remote-address 10.0.20.2
[R3-ike-peer-r32]pre-shared-key abcde
While configuring the IPSec policy, bind the ACL, the IPSec proposal and the IKE peer to the policy.
[FW2]ipsec policy map1 11 isakmp
[FW2-ipsec-policy-isakmp-map1-11]security acl 3001
[FW2-ipsec-policy-isakmp-map1-11]proposal tran1
[FW2-ipsec-policy-isakmp-map1-11]ike-peer fw23

[R3]ipsec policy map1 10 isakmp
[R3-ipsec-policy-isakmp-map1-10]security acl 3000
[R3-ipsec-policy-isakmp-map1-10]proposal tran1
[R3-ipsec-policy-isakmp-map1-10]ike-peer r32
Let's apply the IPSec policy to the interfaces on R3 and FW2. On R3 the WAN interface facing R2 is Serial2/0/0, so the policy is applied there.
[FW2]interface Ethernet2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1

[R3]interface Serial2/0/0
[R3-Serial2/0/0]ipsec policy map1
Let's verify the IPSec configuration.
[R3]ping -a 10.0.3.3 10.0.200.1
  PING 10.0.200.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=48 ms
    Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=48 ms
    Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=48 ms
    Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=48 ms
  --- 10.0.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 48/48/50 ms

[R3]display ike sa v2
Conn-ID   Peer          VPN   Flag(s)   Phase
---------------------------------------------------------------
2         10.0.20.2     0     RD|ST     2
1         10.0.20.2     0     RD|ST     1

Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map2"
Sequence number : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 10.0.23.3
Tunnel remote : 10.0.20.2

[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max received sequence-number: 5
UDP encapsulation used for NAT traversal: N
The branch intranet can communicate with the headquarters intranet.
-
Let's configure GRE over IPSec VPN between a branch network and the headquarters network.
Create a tunnel interface on FW1 and enable GRE on it.
Add the tunnel interface on FW1 to the untrust zone.
[FW1]interface tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]ip address 30.1.1.1 24
[FW1-Tunnel1]source 10.0.10.1
[FW1-Tunnel1]destination 10.0.20.2
[FW1-Tunnel1]firewall zone untrust
[FW1-zone-untrust]add interface Tunnel 1
Create a tunnel interface on FW2 and enable GRE on it.
Add the tunnel interface on FW2 to the untrust zone.
[FW2]interface tunnel 1
[FW2-Tunnel1]tunnel-protocol gre
[FW2-Tunnel1]ip address 30.1.1.2 24
[FW2-Tunnel1]source 10.0.20.2
[FW2-Tunnel1]destination 10.0.10.1
[FW2-Tunnel1]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 1
Delete the static routes configured in the previous steps and enable RIP (version 2) between the branch network and the headquarters network.
[FW1]undo ip route-static 10.0.200.0 24 10.0.10.2
[FW1]rip
[FW1-rip-1]version 2
[FW1-rip-1]network 30.0.0.0
[FW1-rip-1]network 10.0.0.0

[FW2]undo ip route-static 10.0.100.0 24 10.0.20.1
[FW2]rip
[FW2-rip-1]version 2
[FW2-rip-1]network 30.0.0.0
[FW2-rip-1]network 10.0.0.0
Let's create ACLs matching the GRE traffic on FW1 and FW2 and bind the new ACL to the existing IPSec policy on each device.
[FW1]acl 3001
[FW1-acl-adv-3001]rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0
[FW1-acl-adv-3001]quit
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3001

[FW2]acl 3002
[FW2-acl-adv-3002]rule permit gre source 10.0.20.2 0 destination 10.0.10.1 0
[FW2-acl-adv-3002]quit
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3002
Let's verify the configuration and test the connections.
[FW1]ping -a 10.0.100.1 10.0.200.1
  PING 10.0.200.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms
  --- 10.0.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/52/60 ms

[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================

-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 26
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 5m 21s
tunnel local : 10.0.10.1   tunnel remote: 10.0.20.2
flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0

[inbound ESP SAs]
spi: 240396810 (0xe542a0a)
vpn: 0  said: 34  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436044/3279
max received sequence-number: 9
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 208723708 (0xc70defc)
vpn: 0  said: 35  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436044/3279
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
The branch intranet can communicate with the headquarters intranet.
-
Let's configure GRE over IPSec VPN between a branch office network and the headquarters network.
Create a tunnel interface on FW2 and enable GRE on it.
Add the tunnel interface on FW2 to the untrust zone.
[FW2]interface tunnel 2
[FW2-Tunnel2]tunnel-protocol gre
[FW2-Tunnel2]ip address 40.1.1.1 24
[FW2-Tunnel2]source 10.0.20.2
[FW2-Tunnel2]destination 10.0.23.3
[FW2-Tunnel2]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 2
Create a tunnel interface on R3 and enable GRE on it.
[R3]interface tunnel 0/0/1
[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]ip address 40.1.1.2 24
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.20.2
Delete the static routes configured in the previous steps and enable RIP (version 2) between the branch network and the headquarters network.
[FW2]undo ip route-static 10.0.3.0 24 10.0.20.1
[FW2]rip
[FW2-rip-1]version 2
[FW2-rip-1]network 40.0.0.0

[R3]undo ip route-static 10.0.200.0 24 10.0.23.2
[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 40.0.0.0
[R3-rip-1]network 10.0.0.0
Let's create ACLs matching the GRE traffic on FW2 and R3, then configure a new IPSec policy entry and bind the ACL, the IPSec proposal and the IKE peer to it.
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-20]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32

[FW2]acl 3003
[FW2-acl-adv-3003]rule permit gre source 10.0.20.2 0 destination 10.0.23.3 0
[FW2-acl-adv-3003]quit
[FW2]ipsec policy map1 20 isakmp
[FW2-ipsec-policy-isakmp-map1-20]security acl 3003
[FW2-ipsec-policy-isakmp-map1-20]proposal tran1
[FW2-ipsec-policy-isakmp-map1-20]ike-peer fw23
Let's verify the configuration and test the connections.
[R3]ping -a 10.0.3.3 10.0.200.1
  PING 10.0.200.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=56 ms
    Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=53 ms
    Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=54 ms
    Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=54 ms
    Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=54 ms
  --- 10.0.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 53/54/56 ms

[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map2"
Sequence number : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 10.0.23.3
Tunnel remote : 10.0.20.2

[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887435120/1952
Max sent sequence-number: 20
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887435120/1952
Max received sequence-number: 20
UDP encapsulation used for NAT traversal: N
The connections between the devices work correctly.
Final Configurations
[FW1]display current-configuration
#
 sysname FW1
#
acl number 3000
 rule 5 permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
 rule 5 permit gre source 10.0.10.1 0 destination 10.0.20.2 0
#
ike proposal 10
#
ike peer fw12
 pre-shared-key abcde
 ike-proposal 10
 remote-address 10.0.20.2
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3001
 ike-peer fw12
 proposal tran1
#
interface Ethernet0/0/0
 ip address 10.0.100.1 255.255.255.0
#
interface Ethernet2/0/0
 ip address 10.0.10.1 255.255.255.0
 ipsec policy map1
#
interface Tunnel1
 ip address 30.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 10.0.10.1
 destination 10.0.20.2
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Ethernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface Ethernet2/0/0
 add interface Tunnel1
#
ospf 1
 area 0.0.0.0
  network 10.0.10.0 0.0.0.255
#
rip 1
 version 2
 network 30.0.0.0
 network 10.0.0.0
#
return

[FW2]display current-configuration
#
 sysname FW2
#
acl number 3000
 rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
#
acl number 3001
 rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
#
acl number 3002
 rule 5 permit gre source 10.0.20.2 0 destination 10.0.10.1 0
#
acl number 3003
 rule 5 permit gre source 10.0.20.2 0 destination 10.0.23.3 0
#
ike proposal 10
#
ike peer fw21
 pre-shared-key abcde
 ike-proposal 10
 remote-address 10.0.10.1
#
ike peer fw23
 pre-shared-key abcde
 ike-proposal 10
 remote-address 10.0.23.3
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3002
 ike-peer fw21
 proposal tran1
#
ipsec policy map1 11 isakmp
 security acl 3001
 ike-peer fw23
 proposal tran1
#
ipsec policy map1 20 isakmp
 security acl 3003
 ike-peer fw23
 proposal tran1
#
interface Ethernet0/0/0
 ip address 10.0.200.1 255.255.255.0
#
interface Ethernet2/0/0
 ip address 10.0.20.2 255.255.255.0
 ipsec policy map1
#
interface Tunnel1
 ip address 30.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 10.0.20.2
 destination 10.0.10.1
#
interface Tunnel2
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 10.0.20.2
 destination 10.0.23.3
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Ethernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface Ethernet2/0/0
 add interface Tunnel1
 add interface Tunnel2
#
firewall zone dmz
 set priority 50
#
ospf 1
 area 0.0.0.0
  network 10.0.20.0 0.0.0.255
#
rip 1
 version 2
 network 30.0.0.0
 network 10.0.0.0
 network 40.0.0.0
#
return

[R3]display current-configuration
[V200R001C00SPC200]
#
 sysname R3
#
acl number 3000
 rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
 rule 5 permit gre source 10.0.23.3 0 destination 10.0.20.2 0
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 10
#
ike peer r32 v2
 pre-shared-key abcde
 ike-proposal 10
 remote-address 10.0.20.2
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer r32
 proposal tran1
#
ipsec policy map1 20 isakmp
 security acl 3001
 ike-peer r32
 proposal tran1
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
 ipsec policy map1
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 10.0.23.3
 destination 10.0.20.2
#
ospf 1
 area 0.0.0.0
  network 10.0.23.0 0.0.0.255
#
rip 1
 version 2
 network 40.0.0.0
 network 10.0.0.0
#
return
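The IPSec steps above depend on three things agreeing between the two peers: the ACLs must mirror each other, each IKE peer's remote-address must be an interface where the far side actually applied its ipsec policy, and the pre-shared keys must match. The following script is an added example, not part of the original lab, that parses configuration dumps in the shape of the final configurations above and reports those mismatches, plus the legacy DES/SHA1 choices used in this lab. The function names and the sample configurations it builds are constructed for this example.

```python
"""Added example, not from the lab: cross-check two Huawei-style IPSec peer
configs. Samples are constructed in the shape of the final configurations."""
import re

WEAK_ALGS = {"des", "3des", "md5", "sha1"}  # legacy algorithms worth flagging

def parse(cfg):
    """Parse '#'-separated blocks: ACL rules, IKE peers, IPSec policies,
    interface addresses carrying an ipsec policy, and algorithms in use."""
    out = {"acl": {}, "peer": {}, "policy": [], "bound": set(), "algs": set()}
    for block in cfg.split("#"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if head.startswith("acl number"):
            out["acl"][head.split()[-1]] = re.findall(
                r"rule \d+ permit \S+ source (\S+) \S+ destination (\S+)", block)
        elif head.startswith("ike peer"):
            out["peer"][head.split()[2]] = dict(l.split(" ", 1) for l in body)
        elif head.startswith("ipsec policy"):
            out["policy"].append({l.split()[0]: l.split()[-1] for l in body})
        elif head.startswith("interface") and any(l.startswith("ipsec policy") for l in body):
            out["bound"].update(l.split()[2] for l in body if l.startswith("ip address"))
        out["algs"].update(re.findall(r"(?:encryption|authentication)-algorithm (\S+)", block))
    return out

def check_pair(a_name, a_cfg, b_name, b_cfg):
    """Return a list of findings for the tunnel between two peer configs."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    # A protected flow needs its mirror on the far side, or the peers disagree
    # on what to encrypt and the return traffic is not matched by the policy.
    b_rules = {r for p in b["policy"] for r in b["acl"].get(p.get("security"), [])}
    for p in a["policy"]:
        for src, dst in a["acl"].get(p.get("security"), []):
            if (dst, src) not in b_rules:
                findings.append(f"{a_name}: flow {src}->{dst} has no mirror rule on {b_name}")
        # The IKE peer must target an interface where the far side applied its policy.
        remote = a["peer"].get(p.get("ike-peer"), {}).get("remote-address")
        if remote not in b["bound"]:
            findings.append(f"{a_name}: peer {p.get('ike-peer')} targets {remote}, not bound on {b_name}")
    # Pre-shared keys of the peers facing each other must agree.
    a_keys = {v.get("pre-shared-key") for v in a["peer"].values() if v.get("remote-address") in b["bound"]}
    b_keys = {v.get("pre-shared-key") for v in b["peer"].values() if v.get("remote-address") in a["bound"]}
    if a_keys != b_keys:
        findings.append("pre-shared keys differ between the two peers")
    for alg in sorted((a["algs"] | b["algs"]) & WEAK_ALGS):
        findings.append(f"legacy algorithm configured: {alg}")
    return findings

def sample_cfg(local_net, remote_net, local_ip, remote_ip, key="abcde"):
    """Constructed peer config in the layout of the lab's final configurations."""
    return f"""#
acl number 3000
 rule 5 permit ip source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
#
ike peer p1
 pre-shared-key {key}
 remote-address {remote_ip}
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm des
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer p1
 proposal tran1
#
interface Ethernet2/0/0
 ip address {local_ip} 255.255.255.0
 ipsec policy map1
#
"""
```

Calling check_pair("FW1", sample_cfg("10.0.100.0", "10.0.200.0", "10.0.10.1", "10.0.20.2"), "FW2", sample_cfg("10.0.200.0", "10.0.100.0", "10.0.20.2", "10.0.10.1")) reports only the two legacy algorithms; swapping in a non-mirrored ACL or a different key adds a finding for each.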