2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
IPsec configuration on H3C firewalls
IPsec (Internet Protocol Security) is the long-term direction for secure networking. It protects private networks against attack from the Internet through end-to-end security: in a communication, the sender and receiver are the only computers that need to understand the IPsec protection. In the Windows 2000, Windows XP and Windows Server 2003 families, IPsec can secure communication between workgroups, LAN computers, domain clients and servers, physically remote branch offices, extranets and roaming clients. The same idea applies to site-to-site tunnels between firewalls, which is what follows.
Let's simulate IPsec with a Layer 3 switch (acting as the ISP) and three firewalls. The ISP switch terminates three /30 point-to-point links: 67.130.130.1 to fw1 (67.130.130.2), 67.130.130.5 to fw2 (67.130.130.6) and 67.130.130.9 to fw3 (67.130.130.10). The LANs are 192.168.3.0/24 behind fw1, 192.168.4.0/24 behind fw2 and 192.168.5.0/24 behind fw3. fw1 builds one tunnel to fw2 and a second one to fw3.
Topology diagram (image not reproduced; the addressing is as described above)
Setting up the Layer 3 switch (ISP)
sys
[Quidway]sys isp
[isp]vlan 10
[isp-vlan10]port e0/1
[isp-vlan10]vlan 20
[isp-vlan20]port e0/9
[isp-vlan20]vlan 30
[isp-vlan30]port e0/17
[isp-vlan30]int vlan 10
[isp-Vlan-interface10]ip add 67.130.130.1 255.255.255.252
[isp-Vlan-interface10]int vlan 20
[isp-Vlan-interface20]ip add 67.130.130.5 255.255.255.252
[isp-Vlan-interface20]int vlan 30
[isp-Vlan-interface30]ip add 67.130.130.9 255.255.255.252
Set up fw1
sys
[H3C]sys fw1
[fw1]int eth0/0
[fw1-Ethernet0/0]ip add 192.168.3.1 24
Put the LAN interface into loopback mode so it stays up with nothing connected; the LAN address can then be pinged in the simulator
[fw1-Ethernet0/0]loopback
[fw1-Ethernet0/0]int eth0/4
[fw1-Ethernet0/4]ip add 67.130.130.2 30
Disable interface isolation
[fw1]undo insulate
Add eth0/4 to the untrust zone
[fw1]firewall zone untrust
[fw1-zone-untrust]add int eth0/4
Add eth0/0 to the trust zone
[fw1]firewall zone trust
[fw1-zone-trust]add int eth0/0
Default route toward the ISP switch (omitted in the original; fw2 and fw3 below have the equivalent, and fw1 needs it to reach its peers)
[fw1]ip route-static 0.0.0.0 0 67.130.130.1
Define the flow to protect with an advanced ACL: only 192.168.3.0/24 to 192.168.4.0/24 goes into this tunnel. Note that 0.0.0.255 is a wildcard (1 bits are "don't care"), not a subnet mask.
[fw1]acl number 3000 match-order auto
[fw1-acl-adv-3000]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
[fw1-acl-adv-3000]rule 20 deny ip source any destination any
Create the IPsec proposal tran1
[fw1]ipsec proposal tran1
Encapsulation mode: tunnel (the whole LAN packet is wrapped in a new IP header between the firewalls' public addresses)
[fw1-ipsec-proposal-tran1]encapsulation-mode tunnel
Security protocol: ESP
[fw1-ipsec-proposal-tran1]transform esp
ESP integrity algorithm: MD5 (HMAC-MD5-96)
[fw1-ipsec-proposal-tran1]esp authentication-algorithm md5
ESP encryption algorithm: DES
[fw1-ipsec-proposal-tran1]esp encryption-algorithm des
Configure the IKE peer fw2
[fw1]ike peer fw2
Local (source) address
[fw1-ike-peer-fw2]local-address 67.130.130.2
Remote (peer) address
[fw1-ike-peer-fw2]remote-address 67.130.130.6
Pre-shared key
[fw1-ike-peer-fw2]pre-shared-key 123456
This key must match the one configured on fw2 below.
Bind the ACL, the proposal and the IKE peer together in an IPsec policy
Create entry 10 of policy group policy1, with the SAs negotiated by IKE (isakmp) rather than configured manually
[fw1]ipsec policy policy1 10 isakmp
Protect the flows that ACL 3000 permits
[fw1-ipsec-policy-isakmp-policy1-10]security acl 3000
Use proposal tran1
[fw1-ipsec-policy-isakmp-policy1-10]proposal tran1
Use IKE peer fw2
[fw1-ipsec-policy-isakmp-policy1-10]ike-peer fw2
Apply the policy group on the outbound interface eth0/4
[fw1]int eth0/4
[fw1-Ethernet0/4]ipsec policy policy1
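As an added illustration (not code from the page or from H3C), here is the tunnel-mode ESP framing that proposal tran1 negotiates once the policy above is applied: an outer IPv4 header between the firewalls' public addresses with protocol 50, the ESP header (SPI and sequence number), the complete inner LAN-to-LAN packet, padding up to the 8-byte DES block, a trailer whose next-header value 4 means "an IPv4 packet follows" (this is what encapsulation-mode tunnel changes), and a 96-bit HMAC-MD5 ICV. DES encryption itself is left out, so the payload is ESP-NULL (RFC 2410) and stays readable; the layout and the ICV over the padded payload are what esp authentication-algorithm md5 produces. The public and LAN addresses are the page's; the key, SPI and ICMP payload are constructed, and on a real firewall the key comes from the IKE exchange, never from a constant.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP = 50    # outer header protocol number for ESP
IPPROTO_IPIP = 4    # ESP "next header" value for a whole IPv4 packet (tunnel mode)
ICV_LEN = 12        # HMAC-MD5-96 (RFC 2403): MD5 HMAC truncated to 96 bits
BLOCK = 8           # DES-CBC block size; the ESP trailer is aligned to this

def _checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def esp_encapsulate(inner, spi, seq, auth_key, outer_src, outer_dst):
    """Tunnel-mode ESP (RFC 2406 layout) around a complete inner IPv4 packet.

    Encryption is ESP-NULL here, so the inner packet, padding and trailer stay
    readable; on the firewalls this region is DES-CBC encrypted. The ICV is
    HMAC-MD5-96 over SPI, sequence number, payload, padding and trailer.
    """
    pad_len = (-(len(inner) + 2)) % BLOCK            # the 2-byte trailer counts toward alignment
    padding = bytes(range(1, pad_len + 1))           # RFC 2406 default padding 1,2,3,...
    trailer = struct.pack("!BB", pad_len, IPPROTO_IPIP)
    authenticated = struct.pack("!II", spi, seq) + inner + padding + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]
    esp = authenticated + icv
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def esp_decapsulate(packet, auth_key):
    """Verify the ICV, then strip outer header, ESP header, padding and trailer.

    Returns (spi, seq, next_header, inner_packet). Raises ValueError on a bad
    ICV, which is what a tampered packet or a mismatched key looks like.
    """
    if packet[9] != IPPROTO_ESP:
        raise ValueError("outer header is not ESP")
    esp = packet[20:]
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    inner = authenticated[8:len(authenticated) - 2 - pad_len]
    return spi, seq, next_header, inner

# Constructed sample: an 8-byte ICMP echo from a host behind fw1 to a host behind fw2.
AUTH_KEY = b"lab-only-md5-key"     # constructed; a real SA key is derived by IKE
INNER = ipv4_header("192.168.3.10", "192.168.4.10", 1, 8) + b"\x08\x00\xf7\xfe\x00\x01\x00\x00"

def tunnel_demo():
    """Encapsulate fw1 -> fw2 with a constructed SPI, decapsulate, report what fw2 sees."""
    packet = esp_encapsulate(INNER, 0x1000, 1, AUTH_KEY, "67.130.130.2", "67.130.130.6")
    spi, seq, next_header, inner = esp_decapsulate(packet, AUTH_KEY)
    return {"outer_proto": packet[9], "spi": spi, "seq": seq,
            "next_header": next_header, "inner_matches": inner == INNER,
            "outer_len": len(packet)}

if __name__ == "__main__":
    print(tunnel_demo())
```

The 28-byte inner packet plus the 2-byte trailer needs 2 bytes of padding to reach the 8-byte boundary, so the 72-byte packet on the wire is 20 (outer IP) + 8 (ESP header) + 28 + 2 + 2 + 12 (ICV). Flipping any bit inside the inner packet makes esp_decapsulate raise, which is the integrity guarantee the md5 authentication algorithm adds on top of DES; without it, a tampered ciphertext would decrypt to garbage and be forwarded.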
The fw1 side of the first tunnel is done; its other end is configured on fw2 further below.
Next, the fw1 side of the second tunnel, to fw3:
Define the second flow to protect, 192.168.3.0/24 to 192.168.5.0/24
[fw1]acl number 3001 match-order auto
[fw1-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
[fw1-acl-adv-3001]rule deny ip source any destination any
Proposal tran2, same algorithms as tran1
[fw1]ipsec proposal tran2
[fw1-ipsec-proposal-tran2]encapsulation-mode tunnel
[fw1-ipsec-proposal-tran2]transform esp
[fw1-ipsec-proposal-tran2]esp authentication-algorithm md5
[fw1-ipsec-proposal-tran2]esp encryption-algorithm des
IKE peer fw3, with its own pre-shared key
[fw1]ike peer fw3
[fw1-ike-peer-fw3]local-address 67.130.130.2
[fw1-ike-peer-fw3]remote-address 67.130.130.10
[fw1-ike-peer-fw3]pre-shared-key 654321
Second entry in policy group policy1. The original omits this entry, but fw3 below is configured to negotiate against it, so it is required; the group is already applied on eth0/4, so no further interface command is needed.
[fw1]ipsec policy policy1 20 isakmp
[fw1-ipsec-policy-isakmp-policy1-20]security acl 3001
[fw1-ipsec-policy-isakmp-policy1-20]proposal tran2
[fw1-ipsec-policy-isakmp-policy1-20]ike-peer fw3
Remove the trailing deny rule from ACL 3000, so that traffic for 192.168.5.0/24 is not caught by a deny in entry 10 before entry 20 is consulted (the original shows an acl 3001 prompt here, but the rule being removed is rule 20 of ACL 3000, as the prompt on the next line shows)
[fw1]acl number 3000 match-order auto
[fw1-acl-adv-3000]undo rule 20
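To make the ACL-as-traffic-selector behaviour concrete, here is an added Python model (not code from the page or from H3C) of what fw1 does with an outbound packet: wildcard matching (0.0.0.255 covers a /24 because 1 bits are "don't care"), the depth-first ordering that match-order auto applies (most specific rule first, so the "deny any" always sorts last regardless of its rule number), and the walk through policy group policy1 in sequence-number order. The model treats a deny match in one entry's ACL as "not protected by this entry, stop looking", which is the behaviour the undo rule 20 step works around; that is an assumption about the platform, so check the manual for your Comware release. ACLs and addresses are the page's; policy entry 20 is the fw1 counterpart of fw3's configuration and is assumed.

```python
import ipaddress
from collections import namedtuple

# One advanced-ACL rule: action, source base/wildcard, destination base/wildcard.
Rule = namedtuple("Rule", "action src src_wc dst dst_wc")
ANY = ("0.0.0.0", "255.255.255.255")   # "source any" / "destination any"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """H3C wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.255 therefore covers a /24, the inverse of a subnet mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _specificity(rule):
    """Number of fixed bits across both addresses; larger means more specific."""
    return sum(bin(~_ip(wc) & 0xFFFFFFFF).count("1") for wc in (rule.src_wc, rule.dst_wc))

def acl_lookup(rules, src, dst, match_order="auto"):
    """First matching rule's action, or None when no rule matches.
    'auto' (depth-first) orders rules most-specific first; 'config' keeps
    the order in which the rules were entered."""
    ordered = sorted(rules, key=_specificity, reverse=True) if match_order == "auto" else list(rules)
    for rule in ordered:
        if wildcard_match(src, rule.src, rule.src_wc) and wildcard_match(dst, rule.dst, rule.dst_wc):
            return rule.action
    return None

def select_policy(policy_group, acls, src, dst, deny_is_terminal=True):
    """Walk the policy group's entries in sequence-number order. Returns
    (seq, proposal, peer) for the entry whose ACL permits the flow, or None
    if the packet leaves unprotected. deny_is_terminal=True is the assumed
    model: a deny match means 'not protected, stop looking'."""
    for seq, acl_number, proposal, peer in sorted(policy_group):
        action = acl_lookup(acls[acl_number], src, dst)
        if action == "permit":
            return seq, proposal, peer
        if action == "deny" and deny_is_terminal:
            return None
    return None

# fw1's ACLs exactly as first entered on the page.
FW1_ACLS_AS_WRITTEN = {
    3000: [Rule("permit", "192.168.3.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),
           Rule("deny", *ANY, *ANY)],
    3001: [Rule("permit", "192.168.3.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
           Rule("deny", *ANY, *ANY)],
}
# Policy group policy1 on fw1: (seq, ACL, proposal, IKE peer). Entry 20 is assumed.
FW1_POLICY_GROUP = [(10, 3000, "tran1", "fw2"), (20, 3001, "tran2", "fw3")]

def after_undo_rule_20(acls):
    """The page's fix: drop the trailing 'deny any' from ACL 3000."""
    fixed = dict(acls)
    fixed[3000] = [r for r in acls[3000] if r.action != "deny"]
    return fixed

if __name__ == "__main__":
    variants = ((FW1_ACLS_AS_WRITTEN, "as written"),
                (after_undo_rule_20(FW1_ACLS_AS_WRITTEN), "after undo rule 20"))
    for acls, label in variants:
        for dst in ("192.168.4.10", "192.168.5.10", "8.8.8.8"):
            print(label, "192.168.3.10 ->", dst, "=>",
                  select_policy(FW1_POLICY_GROUP, acls, "192.168.3.10", dst))
```

Under this model a packet for 192.168.5.10 is stopped by the deny in entry 10 while ACL 3000 still carries it, and only reaches entry 20 (tran2, peer fw3) once the deny is removed; traffic to 192.168.4.10 selects entry 10 either way, and traffic to an Internet address matches no permit and leaves in the clear. Rerunning with deny_is_terminal=False shows what changes if a platform simply skips to the next entry on a deny: the undo rule 20 step then makes no difference, which is a quick way to tell which behaviour a given release has.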
Set up fw2
sys
[H3C]sys fw2
[fw2]int eth0/0
[fw2-Ethernet0/0]ip add 192.168.4.1 24
[fw2-Ethernet0/0]loopback
[fw2-Ethernet0/0]int eth0/4
[fw2-Ethernet0/4]ip add 67.130.130.6 30
[fw2]undo insulate
Permit traffic between zones by default (the original does this only on fw2; in a real deployment use explicit interzone rules instead of a default permit)
[fw2]firewall packet-filter default permit
[fw2]firewall zone trust
[fw2-zone-trust]add interface eth0/0
[fw2]firewall zone untrust
[fw2-zone-untrust]add int eth0/4
[fw2]ip route-static 0.0.0.0 0 67.130.130.5
[fw2]acl number 3000 match-order auto
[fw2-acl-adv-3000]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[fw2-acl-adv-3000]rule 20 deny ip source any destination any
[fw2]ipsec proposal tran1
[fw2-ipsec-proposal-tran1]encapsulation-mode tunnel
[fw2-ipsec-proposal-tran1]esp authentication-algorithm md5
[fw2-ipsec-proposal-tran1]esp encryption-algorithm des
[fw2]ike peer fw1
[fw2-ike-peer-fw1]local-address 67.130.130.6
[fw2-ike-peer-fw1]remote-address 67.130.130.2
[fw2-ike-peer-fw1]pre-shared-key 123456
This key must be the same as the one configured on fw1 for peer fw2.
[fw2]ipsec policy policy1 10 isakmp
[fw2-ipsec-policy-isakmp-policy1-10]security acl 3000
[fw2-ipsec-policy-isakmp-policy1-10]proposal tran1
[fw2-ipsec-policy-isakmp-policy1-10]ike-peer fw1
[fw2]int eth0/4
[fw2-Ethernet0/4]ipsec policy policy1
Set up fw3
sys
[H3C]sys fw3
[fw3]int eth0/0
[fw3-Ethernet0/0]ip add 192.168.5.1 24
[fw3-Ethernet0/0]loopback
[fw3-Ethernet0/0]int eth0/4
[fw3-Ethernet0/4]ip add 67.130.130.10 30
[fw3]undo insulate
[fw3]firewall zone untrust
[fw3-zone-untrust]add int eth0/4
[fw3]firewall zone trust
[fw3-zone-trust]add int eth0/0
[fw3]ip route-static 0.0.0.0 0 67.130.130.9
[fw3]acl number 3001 match-order auto
[fw3-acl-adv-3001]rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[fw3-acl-adv-3001]rule 20 deny ip source any destination any
[fw3]ipsec proposal tran2
[fw3-ipsec-proposal-tran2]encapsulation-mode tunnel
[fw3-ipsec-proposal-tran2]transform esp
[fw3-ipsec-proposal-tran2]esp authentication-algorithm md5
[fw3-ipsec-proposal-tran2]esp encryption-algorithm des
[fw3]ike peer fw1
[fw3-ike-peer-fw1]local-address 67.130.130.10
[fw3-ike-peer-fw1]remote-address 67.130.130.2
[fw3-ike-peer-fw1]pre-shared-key 654321
[fw3]ipsec policy policy1 10 isakmp
[fw3-ipsec-policy-isakmp-policy1-10]security acl 3001
[fw3-ipsec-policy-isakmp-policy1-10]proposal tran2
[fw3-ipsec-policy-isakmp-policy1-10]ike-peer fw1
[fw3]int eth0/4
[fw3-Ethernet0/4]ipsec policy policy1
That completes the IPsec configuration. Send traffic that matches the ACLs (for example, ping 192.168.4.1 from fw1 with source 192.168.3.1) and confirm the tunnels with display ike sa (phase 1 SAs) and display ipsec sa (phase 2 SAs); an SA only appears after matching traffic triggers the negotiation.
Before reusing this outside a lab: DES and MD5 were chosen here for simplicity, and both are broken. Prefer AES and a SHA-family integrity algorithm where the platform supports them. The pre-shared keys 123456 and 654321 are demo values; use long random keys, since a short IKEv1 pre-shared key can be brute-forced offline if aggressive mode is ever negotiated. Keep the trailing deny rule in each security ACL as narrow as possible, because anything a policy's ACL does not permit leaves the untrust interface in the clear.
© 2024 shulou.com SLNews company. All rights reserved.