Firewall IPSec VPN Configuration


A VPN carries traffic between company sites economically and securely over a shared network, and is the usual alternative to dedicated WAN links.
IPSec is the standard protocol suite used to tunnel, encrypt and authenticate data carried over the Internet.
1. Basic device IP address configuration
Switches S1 and S2 need no configuration for this lab: reset their configurations and restart them.
Configure the IP addresses on the routers.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface Serial2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
Configure the IP addresses on the interfaces of FW1 and FW2.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ip address 10.0.10.1 24
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]ip address 10.0.200.1 24
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ip address 10.0.20.2 24
Configure the firewall zones on FW1 and FW2 and add the interfaces to them: the intranet side (Ethernet 0/0/0) goes into the trust zone and the WAN side (Ethernet 2/0/0) into the untrust zone.
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/0/0
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add interface Ethernet 2/0/0
2. Inter-zone packet-filter configuration
Configure the firewalls to permit packets between the trust and untrust zones and between the local and untrust zones. The local-untrust permit is what lets the firewall itself terminate the tunnel (IKE on UDP 500, and 4500 with NAT traversal, plus ESP) and run OSPF with the adjacent router. A default permit opens both directions of each zone pair; that is fine in a lab, but in production the local-untrust rule should be narrowed to exactly those protocols and trust-untrust traffic should be controlled by explicit security policies rather than a permissive default.
[FW1]firewall packet-filter default permit interzone trust untrust
[FW1]firewall packet-filter default permit interzone local untrust
[FW2]firewall packet-filter default permit interzone trust untrust
[FW2]firewall packet-filter default permit interzone local untrust
3. Routing configuration
Configure single-area OSPF on the routers and firewalls so that the transit networks are reachable.
[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Check reachability between FW1, FW2 and R3.
[FW1]ping 10.0.20.2
PING 10.0.20.2: 56  data bytes, press CTRL_C to break
Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=253 time=30 ms
Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=253 time=40 ms
Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 10.0.20.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/40 ms
[FW1]ping 10.0.23.3
PING 10.0.23.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=253 time=70 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=253 time=60 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=253 time=70 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=253 time=70 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=253 time=60 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/66/70 ms
[FW2]ping 10.0.10.1
PING 10.0.10.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=253 time=30 ms
Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 10.0.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/40 ms
[FW2]ping 10.0.23.3
PING 10.0.23.3: 56  data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/30/30 ms
The results show that 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24 and 10.0.23.0/24 are reachable through OSPF. The intranet subnets behind the firewalls (10.0.100.0/24 and 10.0.200.0/24) are deliberately not advertised; they will be carried only through the VPN.
4. IPSec VPN between a branch network (FW1) and the headquarters network (FW2)
Create an ACL on FW1 and FW2 that defines the traffic to be protected by the IPSec VPN, i.e. the traffic between the two intranets. The two ACLs must mirror each other (source and destination swapped); a mismatch is the most common reason a tunnel refuses to come up.
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
Configure a static route for the remote intranet on each firewall. Because 10.0.100.0/24 and 10.0.200.0/24 are not in OSPF, each firewall needs a route for the remote subnet towards its next-hop router; packets following that route leave on Ethernet 2/0/0, match the ACL and are encrypted there.
[FW1]ip route-static 10.0.200.0 24 10.0.10.2
[FW2]ip route-static 10.0.100.0 24 10.0.20.1
Create an IPSec proposal on FW1 and FW2.
Set the encapsulation mode to tunnel and use ESP to protect the data, with DES as the encryption algorithm and SHA-1 as the authentication algorithm. This matches the lab, but note that DES has a 56-bit key and is brute-forceable; on a real deployment use AES (aes-256 where the platform offers it) with a SHA-2 HMAC, and keep the proposal identical on both peers.
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des
[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on FW1 and FW2.
Set DES as the encryption algorithm and SHA-1 as the authentication algorithm. The same caveat applies as for the IPSec proposal: in production choose AES and SHA-2, and set the Diffie-Hellman group explicitly to at least group 14 (2048-bit) rather than relying on the platform default.
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
Configure an IKE peer, which uses IKEv2 negotiation by default on the firewalls.
Bind the IKE proposal, set the pre-shared key, and set the peer address to the other firewall's WAN address (FW1 uses 10.0.20.2, FW2 uses 10.0.10.1). The pre-shared key is the only authentication of the peers here, and it is stored in clear text in the configuration (see the final configurations below), so "abcde" is acceptable only in a lab; use a long random secret, or certificate authentication where the platform supports it.
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2
[FW1-ike-peer-fw12]pre-shared-key abcde
[FW2]ike peer fw21
[FW2-ike-peer-fw21]ike-proposal 10
[FW2-ike-peer-fw21]remote-address 10.0.10.1
[FW2-ike-peer-fw21]pre-shared-key abcde
Create an IPSec policy on FW1 and FW2.
The policy ties together the ACL (which traffic is protected), the IPSec proposal (how it is protected) and the IKE peer (with whom the SA is negotiated).
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3000
[FW2-ipsec-policy-isakmp-map1-10]proposal tran1
[FW2-ipsec-policy-isakmp-map1-10]ike-peer fw21
Apply the IPSec policy to the WAN interface of FW1 and FW2.
[FW1]interface Ethernet2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1
[FW2]interface Ethernet2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1
Verify the IPSec configuration. The ping is sourced from the trust-side address (-a 10.0.100.1) so that it matches ACL 3000 and triggers IKE negotiation; a ping from the WAN address would not be encrypted.
[FW1]ping -a 10.0.100.1 10.0.200.1
PING 10.0.200.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 10.0.200.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/52/60 ms
[FW1]display ike sa
current ike sa number: 1
----------------------------------------------------------------------
connection-id  peer                    vpn   flag        phase   doi
----------------------------------------------------------------------
0x1a         10.0.20.2               0     RD          v2:2    IPSEC
0x1          10.0.20.2               0     RD|ST       v2:1    IPSEC
flag meaning
RD–READY    ST–STAYALIVE  RL–REPLACED      FD–FADING
TO–TIMEOUT  TD–DELETING   NEG–NEGOTIATING  D—DPD
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 9
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 16s
tunnel local : 10.0.10.1    tunnel remote: 10.0.20.2
flow      source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
[inbound ESP SAs]
spi: 74331737 (0x46e3659)
vpn: 0      said: 0  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 18969668 (0x1217444)
vpn: 0      said: 1  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
The branch intranet can now communicate with the headquarters intranet. In the output, display ike sa shows the IKE SA (phase v2:1) and the child SA (phase v2:2) both in the RD (ready) state, and display ipsec sa shows one inbound and one outbound ESP SA with distinct SPIs and the flow selectors taken from ACL 3000.
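The display ipsec sa output above is what you would check on a live box, and the two things a reviewer would object to (DES encryption, SHA-1 integrity) are visible in the proposal lines. As an added example, not part of the original page or of Huawei's tooling, here is a Python script that parses that output and reports weak algorithms, a missing direction, or an SA about to expire. The first sample is trimmed from the FW1 transcript above; the second is constructed in the R3 layout with a hardened AES-256/SHA2-256 proposal, and its proposal strings are an assumption rather than copied from a real device.

```python
"""Audit `display ipsec sa` output for weak algorithms and ageing SAs.
Added example, not from the page or from Huawei; it handles the two layouts in the
transcript (FW1/FW2 lower-case, R3 capitalised). Other VRP releases may differ."""
import re
from dataclasses import dataclass, field
from typing import List

WEAK_ENCRYPTION = {"DES", "DES-64", "3DES", "NULL"}   # "DES-64" is how R3 prints DES
WEAK_AUTH = {"MD5", "SHA1"}                           # HMAC-SHA1: deprecated, flag it


@dataclass
class EspSa:
    direction: str        # "inbound" or "outbound"
    spi: int
    encrypt: str = ""
    auth: str = ""
    remaining_sec: int = 0


@dataclass
class TunnelSa:
    policy: str
    seq: int = 0
    local: str = ""
    remote: str = ""
    esp: List[EspSa] = field(default_factory=list)


def parse_ipsec_sa(text: str) -> List[TunnelSa]:
    """One TunnelSa per 'IPsec policy name' block, each with its ESP SAs."""
    tunnels: List[TunnelSa] = []
    cur, direction = None, None
    for raw in text.splitlines():
        low = raw.strip().lower()
        if m := re.match(r'ipsec policy name\s*:\s*["“]?([\w-]+)', low):
            tunnels.append(cur := TunnelSa(policy=m.group(1)))
            direction = None
            continue
        if cur is None:
            continue
        if m := re.match(r"sequence number\s*:\s*(\d+)", low):
            cur.seq = int(m.group(1))
        # FW1 prints both endpoints on one line, R3 on two; search() covers both.
        if m := re.search(r"tunnel local\s*:\s*([\d.]+)", low):
            cur.local = m.group(1)
        if m := re.search(r"tunnel remote\s*:\s*([\d.]+)", low):
            cur.remote = m.group(1)
        if low.startswith(("[inbound esp sas]", "[outbound esp sas]")):
            direction = low[1:].split()[0]
        elif direction and (m := re.match(r"spi\s*:\s*(\d+)", low)):
            cur.esp.append(EspSa(direction=direction, spi=int(m.group(1))))
        elif cur.esp and (m := re.match(r"proposal\s*:\s*esp-encrypt-(\S+)\s+esp-auth-(\S+)", low)):
            cur.esp[-1].encrypt, cur.esp[-1].auth = m.group(1).upper(), m.group(2).upper()
        elif cur.esp and (m := re.match(r"sa remaining key duration \(bytes/sec\)\s*:\s*\d+/(\d+)", low)):
            cur.esp[-1].remaining_sec = int(m.group(1))
    return tunnels


def audit(tunnels: List[TunnelSa], min_remaining_sec: int = 300) -> List[str]:
    """One finding per problem; an empty list means the SAs look healthy."""
    findings = []
    for t in tunnels:
        tag = f"{t.policy}-{t.seq} {t.local}->{t.remote}"
        if {e.direction for e in t.esp} != {"inbound", "outbound"}:
            findings.append(f"{tag}: expected one inbound and one outbound ESP SA")
        for e in t.esp:
            if e.encrypt in WEAK_ENCRYPTION:
                findings.append(f"{tag} {e.direction}: weak encryption {e.encrypt}")
            if e.auth in WEAK_AUTH:
                findings.append(f"{tag} {e.direction}: deprecated integrity {e.auth}")
            if e.remaining_sec < min_remaining_sec:
                findings.append(f"{tag} {e.direction}: SA expires in {e.remaining_sec}s")
    return findings


# Trimmed from the FW1 transcript above (DES + SHA-1, as the lab configures).
SAMPLE_FW1 = """\
IPsec policy name: "map1"
sequence number: 10
tunnel local : 10.0.10.1    tunnel remote: 10.0.20.2
[inbound ESP SAs]
spi: 74331737 (0x46e3659)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
[outbound ESP SAs]
spi: 18969668 (0x1217444)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
"""

# Constructed in the R3 layout with a hardened proposal (assumed strings), clean run.
SAMPLE_HARDENED = """\
IPSec policy name: "map1"
Sequence number  : 20
Tunnel local      : 10.0.23.3
Tunnel remote     : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256
SA remaining key duration (bytes/sec): 1887435120/1952
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256
SA remaining key duration (bytes/sec): 1887435120/1952
"""

if __name__ == "__main__":
    for name, sample in (("FW1", SAMPLE_FW1), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(parse_ipsec_sa(sample)) or ["OK"])
```

Run against the FW1 sample it reports four findings (DES and SHA-1 in each direction); against the hardened sample it reports none. Raise min_remaining_sec to catch SAs that are close to rekeying, which is useful when you are chasing intermittent drops during rekey.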
5. IPSec VPN between the branch office network (R3) and the headquarters network (FW2)
Create an ACL on R3 and FW2 that defines the traffic between the branch office and headquarters. On FW2 use a new ACL (3001), because 3000 is already bound to the FW1 tunnel; again the two ACLs mirror each other.
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
[FW2]acl 3001
[FW2-acl-adv-3001]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
Configure static routes between the branch office network and the headquarters network.
[R3]ip route-static 10.0.200.0 24 10.0.23.2
[FW2]ip route-static 10.0.3.0 24 10.0.20.1
Create an IPSec proposal on R3 (FW2 reuses tran1 from step 4).
Set the encapsulation mode to tunnel and use ESP, with DES encryption and SHA-1 authentication, matching what FW2 already offers; the same production caveat about DES and SHA-1 applies.
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]encapsulation-mode tunnel
[R3-ipsec-proposal-tran1]transform esp
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on R3 (FW2 already has IKE proposal 10).
Set DES as the encryption algorithm and SHA-1 as the authentication algorithm, so that it matches FW2's proposal.
[R3]ike proposal 10
[R3-ike-proposal-10]authentication-algorithm sha1
[R3-ike-proposal-10]encryption-algorithm des
Configure the IKE peers. On the firewall IKEv2 is the default; on the router the v2 keyword selects IKEv2 explicitly, and both ends must agree on the version.
Bind the IKE proposal, set the pre-shared key, and set the peer address (FW2 points at R3's 10.0.23.3, R3 at FW2's 10.0.20.2).
[FW2]ike peer fw23
[FW2-ike-peer-fw23]ike-proposal 10
[FW2-ike-peer-fw23]remote-address 10.0.23.3
[FW2-ike-peer-fw23]pre-shared-key abcde
[R3]ike peer r32 v2
[R3-ike-peer-r32]ike-proposal 10
[R3-ike-peer-r32]remote-address 10.0.20.2
[R3-ike-peer-r32]pre-shared-key abcde
Create an IPSec policy on FW2 and R3, binding the ACL, the IPSec proposal and the IKE peer. On FW2 the new tunnel is added as sequence 11 of the existing policy group map1, because only one policy group can be applied to Ethernet2/0/0 and each sequence number describes one tunnel.
[FW2]ipsec policy map1 11 isakmp
[FW2-ipsec-policy-isakmp-map1-11]security acl 3001
[FW2-ipsec-policy-isakmp-map1-11]proposal tran1
[FW2-ipsec-policy-isakmp-map1-11]ike-peer fw23
[R3]ipsec policy map1 10 isakmp
[R3-ipsec-policy-isakmp-map1-10]security acl 3000
[R3-ipsec-policy-isakmp-map1-10]proposal tran1
[R3-ipsec-policy-isakmp-map1-10]ike-peer r32
Apply the IPSec policy to the WAN interfaces of R3 and FW2. FW2's Ethernet2/0/0 already carries map1 from step 4 and picks up the new sequence automatically, so re-applying it there is harmless; on R3 the WAN interface is Serial2/0/0.
[FW2]interface Ethernet2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1
[R3]interface Serial2/0/0
[R3-Serial2/0/0]ipsec policy map1
Verify the IPSec configuration, again sourcing the ping from the protected address so that it matches the ACL.
[R3]ping -a 10.0.3.3 10.0.200.1
PING 10.0.200.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=48 ms
Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=48 ms
Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=48 ms
--- 10.0.200.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 48/48/50 ms
[R3]display ike sa v2
Conn-ID  Peer            VPN   Flag(s)                Phase
---------------------------------------------------------------
2    10.0.20.2       0     RD|ST                  2
1    10.0.20.2       0     RD|ST                  1
Flag Description:
RD–READY   ST–STAYALIVE   RL–REPLACED   FD–FADING   TO–TIMEOUT
HRT–HEARTBEAT   LKG–LAST KNOWN GOOD SEQ NO.   BCK–BACKED UP
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map2"
Sequence number  : 10
Mode             : ISAKMP
-----------------------------
Connection ID     : 2
Encapsulation mode: Tunnel
Tunnel local      : 10.0.23.3
Tunnel remote     : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max received sequence-number: 5
UDP encapsulation used for NAT traversal: N
The branch office intranet can now communicate with the headquarters intranet.
6. GRE over IPSec between the branch network (FW1) and the headquarters network (FW2)
Plain IPSec in tunnel mode only carries unicast IP that matches the ACL, so dynamic routing protocols cannot run across it. With GRE over IPSec, the routing protocol and the intranet traffic are carried inside a GRE tunnel, and the IPSec policy protects the GRE packets between the two tunnel endpoints.
Create a tunnel interface on FW1, enable GRE on it, and add the tunnel interface to the untrust zone.
[FW1]interface tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]ip address 30.1.1.1 24
[FW1-Tunnel1]source 10.0.10.1
[FW1-Tunnel1]destination 10.0.20.2
[FW1-Tunnel1]firewall zone untrust
[FW1-zone-untrust]add interface Tunnel 1
Create a tunnel interface on FW2, enable GRE on it, and add the tunnel interface to the untrust zone.
[FW2]interface tunnel 1
[FW2-Tunnel1]tunnel-protocol gre
[FW2-Tunnel1]ip address 30.1.1.2 24
[FW2-Tunnel1]source 10.0.20.2
[FW2-Tunnel1]destination 10.0.10.1
[FW2-Tunnel1]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 1
Delete the static routes configured earlier and enable RIP version 2 between the branch network and the headquarters network, so that the intranet subnets are learned through the GRE tunnel. Note that network 10.0.0.0 is classful: it enables RIP on every 10.x interface of the firewall, including the WAN side Ethernet2/0/0, so RIP updates are also sent unprotected towards the router. In production, silence the WAN interface (silent-interface in RIP view on VRP) so that RIP runs only on the tunnel and the intranet interface.
[FW1]undo ip route-static 10.0.200.0 24 10.0.10.2
[FW1]rip
[FW1-rip-1]version 2
[FW1-rip-1]network 30.0.0.0
[FW1-rip-1]network 10.0.0.0
[FW2]undo ip route-static 10.0.100.0 24 10.0.20.1
[FW2]rip
[FW2-rip-1]version 2
[FW2-rip-1]network 30.0.0.0
[FW2-rip-1]network 10.0.0.0
Create an ACL on FW1 and FW2 that matches the GRE traffic between the tunnel endpoints, and bind the new ACL to the existing IPSec policy in place of the subnet ACL. The selector is now host-to-host and protocol-specific (gre, i.e. IP protocol 47): whatever is routed into Tunnel1 is encapsulated first, and the IPSec policy on Ethernet2/0/0 only sees the outer GRE header.
[FW1]acl 3001
[FW1-acl-adv-3001]rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0
[FW1-acl-adv-3001]quit
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3001
[FW2]acl 3002
[FW2-acl-adv-3002]rule permit gre source 10.0.20.2 0 destination 10.0.10.1 0
[FW2-acl-adv-3002]quit
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3002
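The ACL pairs in step 4 (subnet selectors) and in this step (GRE selectors) have to mirror each other exactly, and the GRE ACL only matches once a packet has been routed into the tunnel and carries the GRE outer header. As an added example, not part of the original page, here is a Python script that parses the lab's ACL rule lines, checks mirror symmetry between the two peers, and shows which rule a packet hits before and after GRE encapsulation. The ACL lines are copied from the page; the FW1_ACL3000_BAD variant and the sample packet addresses are constructed, and the script supports only contiguous wildcard masks.

```python
"""Check IPSec traffic-selector ACLs before bringing a tunnel up.
Added example, not from the original page or from Huawei. Parses advanced-ACL rule
lines in the form the page uses (VRP wildcard masks) and answers two questions: do
the two peers' ACLs mirror each other, and which rule a packet hits once the IPSec
policy on the physical interface sees it (the GRE outer header, if tunnelled)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_RULE = re.compile(
    r"rule(?:\s+\d+)?\s+permit\s+(\w+)\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


@dataclass(frozen=True)
class Rule:
    proto: str                      # "ip", "gre", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_net(addr: str, wild: str) -> ipaddress.IPv4Network:
    """VRP wildcard mask (0 bits must match) to a network; a bare '0' means one host."""
    w = 0 if wild == "0" else int(ipaddress.IPv4Address(wild))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wild} is not supported here")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        if m := _RULE.search(line):
            proto, s, sw, d, dw = m.groups()
            rules.append(Rule(proto.lower(), wildcard_net(s, sw), wildcard_net(d, dw)))
    return rules


def mirrors(local: List[Rule], remote: List[Rule]) -> bool:
    """True when every rule on one peer has its source/destination-swapped twin on the
    other. IKEv1 fails outright on a mismatch; IKEv2 may narrow the selectors and quietly
    protect less than intended, so check this before debugging anything else."""
    return set(local) == {Rule(r.proto, r.dst, r.src) for r in remote}


def first_match(rules: List[Rule], proto: str, src: str, dst: str) -> Optional[Rule]:
    """First rule (configured order) matching the packet; None means 'not interesting'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto in ("ip", proto) and s in r.src and d in r.dst:
            return r
    return None


def header_at_policy(proto: str, src: str, dst: str,
                     gre_tunnel: Optional[Tuple[str, str]] = None) -> Tuple[str, str, str]:
    """The header the `ipsec policy` on the physical interface evaluates. If the route for
    dst points into a GRE tunnel (local, remote), that is the GRE outer header."""
    if gre_tunnel:
        return ("gre", gre_tunnel[0], gre_tunnel[1])
    return (proto, src, dst)


# Copied from the lab: step 4 subnet selectors and step 6 GRE selectors.
FW1_ACL3000 = "rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255"
FW2_ACL3000 = "rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255"
FW1_ACL3001 = "rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0"
FW2_ACL3002 = "rule permit gre source 10.0.20.2 0 destination 10.0.10.1 0"
# Constructed typo: a /16 wildcard on FW1 that no longer mirrors FW2.
FW1_ACL3000_BAD = "rule permit ip source 10.0.100.0 0.0.255.255 destination 10.0.200.0 0.0.0.255"


def lab_checks() -> dict:
    gre_fw1 = parse_acl(FW1_ACL3001)
    inner = ("ip", "10.0.100.5", "10.0.200.7")          # constructed intranet packet
    return {
        "subnet_acls_mirror": mirrors(parse_acl(FW1_ACL3000), parse_acl(FW2_ACL3000)),
        "bad_acl_mirrors": mirrors(parse_acl(FW1_ACL3000_BAD), parse_acl(FW2_ACL3000)),
        "gre_acls_mirror": mirrors(gre_fw1, parse_acl(FW2_ACL3002)),
        # Routed without the tunnel: the inner packet misses the GRE-only ACL (leaves in clear).
        "inner_matches_gre_acl": first_match(gre_fw1, *header_at_policy(*inner)) is not None,
        # Routed via Tunnel1: the policy sees GRE 10.0.10.1 -> 10.0.20.2 and encrypts it.
        "outer_matches_gre_acl": first_match(
            gre_fw1, *header_at_policy(*inner, gre_tunnel=("10.0.10.1", "10.0.20.2"))) is not None,
    }


if __name__ == "__main__":
    for check, result in lab_checks().items():
        print(f"{check}: {result}")
```

The last two checks are the point of this step: after ACL 3001 replaces ACL 3000, an intranet packet that is not routed into Tunnel1 (for example, if RIP has not yet converged and a stale static route still exists) is no longer "interesting" traffic and leaves Ethernet2/0/0 unencrypted. The routing change and the ACL change therefore belong together.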
Verify the configuration and test connectivity. After rebinding the ACL, check in display ipsec sa that the flow source and destination lines now show the GRE endpoints (10.0.10.1 and 10.0.20.2, protocol 47) rather than the intranet subnets; the output below still shows the subnet selectors from ACL 3000, which indicates the earlier SA is still installed. If that happens, clear it with reset ipsec sa in user view so that the tunnel is renegotiated with the new selectors.
[FW1]ping -a 10.0.100.1 10.0.200.1
PING 10.0.200.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 10.0.200.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/52/60 ms
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 26
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 5m 21s
tunnel local : 10.0.10.1    tunnel remote: 10.0.20.2
flow      source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
[inbound ESP SAs]
spi: 240396810 (0xe542a0a)
vpn: 0      said: 34  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436044/3279
max received sequence-number: 9
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 208723708 (0xc70defc)
vpn: 0      said: 35  cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436044/3279
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
The branch intranet can communicate with the headquarters intranet through the GRE tunnel, with routes learned by RIP.
7. GRE over IPSec between the branch office network (R3) and the headquarters network (FW2)
Create a second tunnel interface on FW2, enable GRE on it, and add it to the untrust zone.
[FW2]interface tunnel 2
[FW2-Tunnel2]tunnel-protocol gre
[FW2-Tunnel2]ip address 40.1.1.1 24
[FW2-Tunnel2]source 10.0.20.2
[FW2-Tunnel2]destination 10.0.23.3
[FW2-Tunnel2]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 2
Create a tunnel interface on R3 and enable GRE on it.
[R3]interface tunnel 0/0/1
[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]ip address 40.1.1.2 24
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.20.2
Delete the static routes configured earlier and enable RIP version 2 between the branch office network and the headquarters network. FW2 already runs RIP from step 6 and only needs the new tunnel network added; the same caveat about network 10.0.0.0 enabling RIP on the WAN interfaces applies to R3.
[FW2]undo ip route-static 10.0.3.0 24 10.0.20.1
[FW2]rip
[FW2-rip-1]version 2
[FW2-rip-1]network 40.0.0.0
[R3]undo ip route-static 10.0.200.0 24 10.0.23.2
[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 40.0.0.0
[R3-rip-1]network 10.0.0.0
Create ACLs matching the GRE traffic between the tunnel endpoints on FW2 and R3, then add a new IPSec policy entry (sequence 20 on each side) that binds the GRE ACL, the IPSec proposal and the IKE peer. The earlier sequence entries (FW2 map1 11, R3 map1 10) still reference the subnet ACLs; with the static routes removed, that traffic is routed into the tunnel and is protected as GRE.
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-20]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32
[FW2]acl 3003
[FW2-acl-adv-3003]rule permit gre source 10.0.20.2 0 destination 10.0.23.3 0
[FW2-acl-adv-3003]quit
[FW2]ipsec policy map1 20 isakmp
[FW2-ipsec-policy-isakmp-map1-20]security acl 3003
[FW2-ipsec-policy-isakmp-map1-20]proposal tran1
[FW2-ipsec-policy-isakmp-map1-20]ike-peer fw23
Verify the configuration and test connectivity.
[R3]ping -a 10.0.3.3 10.0.200.1
PING 10.0.200.1: 56  data bytes, press CTRL_C to break
Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=53 ms
Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=54 ms
Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=54 ms
Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=54 ms
--- 10.0.200.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 53/54/56 ms
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map2"
Sequence number  : 10
Mode             : ISAKMP
-----------------------------
Connection ID     : 2
Encapsulation mode: Tunnel
Tunnel local      : 10.0.23.3
Tunnel remote     : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887435120/1952
Max sent sequence-number: 20
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887435120/1952
Max received sequence-number: 20
UDP encapsulation used for NAT traversal: N
Connectivity between the sites works correctly over the GRE-over-IPSec tunnels.
Final Configurations
[FW1]display current-configuration
#
sysname FW1
#
acl number 3000
rule 5 permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
rule 5 permit gre source 10.0.10.1 0 destination 10.0.20.2 0
#
ike proposal 10
#
ike peer fw12
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.20.2
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3001
ike-peer fw12
proposal tran1
#
interface Ethernet0/0/0
ip address 10.0.100.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.0.10.1 255.255.255.0
ipsec policy map1
#
interface Tunnel1
ip address 30.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.10.1
destination 10.0.20.2
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet0/0/0
#
firewall zone untrust
set priority 5
add interface Ethernet2/0/0
add interface Tunnel1
#
ospf 1
area 0.0.0.0
network 10.0.10.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
#
return
[FW2]display current-configuration
#
sysname FW2
#
acl number 3000
rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
#
acl number 3001
rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
#
acl number 3002
rule 5 permit gre source 10.0.20.2 0 destination 10.0.10.1 0
#
acl number 3003
rule 5 permit gre source 10.0.20.2 0 destination 10.0.23.3 0
#
ike proposal 10
#
ike peer fw21
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.10.1
#
ike peer fw23
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.23.3
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3002
ike-peer fw21
proposal tran1
#
ipsec policy map1 11 isakmp
security acl 3001
ike-peer fw23
proposal tran1
#
ipsec policy map1 20 isakmp
security acl 3003
ike-peer fw23
proposal tran1
#
interface Ethernet0/0/0
ip address 10.0.200.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.0.20.2 255.255.255.0
ipsec policy map1
#
interface Tunnel1
ip address 30.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.20.2
destination 10.0.10.1
#
interface Tunnel2
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.20.2
destination 10.0.23.3
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet0/0/0
#
firewall zone untrust
set priority 5
add interface Ethernet2/0/0
add interface Tunnel1
add interface Tunnel2
#
firewall zone dmz
set priority 50
#
ospf 1
area 0.0.0.0
network 10.0.20.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
network 40.0.0.0
#
return
[R3]display current-configuration
[V200R001C00SPC200]
#
sysname R3
#
acl number 3000
rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
rule 5 permit gre source 10.0.23.3 0 destination 10.0.20.2 0
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ike proposal 10
#
ike peer r32 v2
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.20.2
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer r32
proposal tran1
#
ipsec policy map1 20 isakmp
security acl 3001
ike-peer r32
proposal tran1
#
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
ipsec policy map1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.23.3
destination 10.0.20.2
#
ospf 1
area 0.0.0.0
network 10.0.23.0 0.0.0.255
#
rip 1
version 2
network 40.0.0.0
network 10.0.0.0
#
return