Implementation of dynamic ipsec

2025-03-28 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Configuration of dynamic ipsec

The main difference from the static configuration is that the security association (SA) no longer has to be specified by hand: it is established through IKE key negotiation. This is the form mainly used in practice, and it is quicker to configure than the static one.

I. Configuration of fw-1

1) Configure the interface addresses

[fw-1] inter eth0/0

[fw-1-Ethernet0/0] ip add 192.168.101.55 255.255.255.0

[fw-1-Ethernet0/0] inter eth0/4

[fw-1-Ethernet0/4] ip add 1.1.1.1 255.255.255.0

Check whether the interfaces have been added to their security zones. If not, add them.

2) Configure an access control list to identify the traffic to be protected

[fw-1] acl number 3000

[fw-1-acl-adv-3000] rule 10 permit ip source 192.168.101.0 0.0.0.255 dest 192.168.102.0 0.0.0.255

[fw-1-acl-adv-3000] rule 20 deny ip source any dest any

3) Configure the security proposal (the system default is used if this step is skipped)

[fw-1] ipsec proposal tran1

[fw-1-ipsec-proposal-tran1] encapsulation-mode tunnel

[fw-1-ipsec-proposal-tran1] transform esp

[fw-1-ipsec-proposal-tran1] esp encryption-algorithm des

[fw-1-ipsec-proposal-tran1] esp authentication-algorithm md5

4) Configure the IKE peer in the system view (this step is what distinguishes the dynamic setup from the static, manually keyed one)

[fw-1] ike peer fw-2

[fw-1-ike-peer-fw-2] pre-shared-key simple 123456 (define the pre-shared key; it must match on both peers)

[fw-1-ike-peer-fw-2] remote-address 1.1.2.2 (define the address of the peer)

5) Configure the security policy

[fw-1] ipsec policy policy1 10 isakmp (isakmp: the SA is negotiated dynamically through IKE)

[fw-1-ipsec-policy-isakmp-policy1-10] security acl 3000

[fw-1-ipsec-policy-isakmp-policy1-10] proposal tran1

[fw-1-ipsec-policy-isakmp-policy1-10] ike-peer fw-2

Apply the security policy to the outbound interface

[fw-1] inter eth0/4

[fw-1-Ethernet0/4] ipsec policy policy1

II. Router configuration

[Router] inter e0

[Router-Ethernet0] ip add 1.1.1.2 255.255.255.0

[Router-Ethernet0] inter e1

[Router-Ethernet1] ip add 1.1.2.1 255.255.255.0

III. Configuration of fw-2

[fw-2] inter eth0/0

[fw-2-Ethernet0/0] ip add 192.168.102.90 255.255.255.0

[fw-2-Ethernet0/0] loop

[fw-2-Ethernet0/0] inter eth0/4

[fw-2-Ethernet0/4] ip add 1.1.2.2 255.255.255.0

Add the interfaces to their security zones (if an interface is already in the intended zone by default, this step is not needed)

[fw-2] firewall zone untrust

[fw-2-zone-untrust] add interface eth0/4

[fw-2-zone-untrust] q

[fw-2] firewall zone trust

[fw-2-zone-trust] add interface eth0/0

Configure an access control list to identify the traffic to be protected

[fw-2] acl number 3000

[fw-2-acl-adv-3000] rule 10 permit ip source 192.168.102.0 0.0.0.255 dest 192.168.101.0 0.0.0.255

[fw-2-acl-adv-3000] rule 20 deny ip source any dest any

Configure the security proposal (the system default is used if this step is skipped)

[fw-2] ipsec proposal tran1

[fw-2-ipsec-proposal-tran1] encapsulation-mode tunnel

[fw-2-ipsec-proposal-tran1] transform esp

[fw-2-ipsec-proposal-tran1] esp encryption-algorithm des

[fw-2-ipsec-proposal-tran1] esp authentication-algorithm md5

Configure the IKE peer

[fw-2] ike peer fw-1

[fw-2-ike-peer-fw-1] pre-shared-key simple 123456

[fw-2-ike-peer-fw-1] remote-address 1.1.1.1

Configure the security policy

[fw-2] ipsec policy policy1 10 isakmp

[fw-2-ipsec-policy-isakmp-policy1-10] security acl 3000

[fw-2-ipsec-policy-isakmp-policy1-10] proposal tran1

[fw-2-ipsec-policy-isakmp-policy1-10] ike-peer fw-1

Apply the security policy to the outbound interface

[fw-2] inter eth0/4

[fw-2-Ethernet0/4] ipsec policy policy1
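As an added example (not part of the original post), a small Python audit that reads CLI transcripts like the ones above and flags the settings a reviewer would question before letting this tunnel into production: DES and MD5 in the ESP proposal, and a short, all-digit pre-shared key stored in plaintext with `simple`. The sample transcript is the page's fw-1 configuration; the weak-algorithm lists and the key-length threshold are this example's own assumptions, not vendor defaults.

```python
import re

# Constructed sample input: the fw-1 transcript from this page, pasted
# with its CLI prompts, exactly as a reviewer would receive it.
SAMPLE_CONFIG = """\
[fw-1] ipsec proposal tran1
[fw-1-ipsec-proposal-tran1] encapsulation-mode tunnel
[fw-1-ipsec-proposal-tran1] transform esp
[fw-1-ipsec-proposal-tran1] esp encryption-algorithm des
[fw-1-ipsec-proposal-tran1] esp authentication-algorithm md5
[fw-1] ike peer fw-2
[fw-1-ike-peer-fw-2] pre-shared-key simple 123456
[fw-1-ike-peer-fw-2] remote-address 1.1.2.2
[fw-1] ipsec policy policy1 10 isakmp
[fw-1-ipsec-policy-isakmp-policy1-10] security acl 3000
[fw-1-ipsec-policy-isakmp-policy1-10] proposal tran1
[fw-1-ipsec-policy-isakmp-policy1-10] ike-peer fw-2
"""

# Assumed review thresholds (this example's own, not the vendor's defaults).
WEAK_ENCRYPTION = {"des", "3des"}   # 56-bit / deprecated block ciphers
WEAK_INTEGRITY = {"md5"}            # collision-broken hash
MIN_PSK_LENGTH = 12

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*)$")  # "[view-name] command args"

def audit_ipsec_config(text):
    """Return (view, finding) tuples for each weak setting in a CLI transcript."""
    findings = []
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                      # not a prompt line: banner or command output
        view, words = m.group(1), m.group(2).split()
        if len(words) >= 3 and words[0] == "esp":
            algo = words[2].lower()
            if words[1] == "encryption-algorithm" and algo in WEAK_ENCRYPTION:
                findings.append((view, f"weak ESP encryption '{algo}'; use an AES algorithm"))
            elif words[1] == "authentication-algorithm" and algo in WEAK_INTEGRITY:
                findings.append((view, f"weak ESP integrity '{algo}'; use a SHA-2 algorithm"))
        elif len(words) >= 2 and words[0] == "pre-shared-key":
            if words[1] == "simple":
                findings.append((view, "pre-shared key stored in plaintext ('simple')"))
            secret = words[-1]
            if len(secret) < MIN_PSK_LENGTH or secret.isdigit():
                findings.append((view, f"pre-shared key too short or all digits ({len(secret)} chars)"))
    return findings

if __name__ == "__main__":
    for view, finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(f"[{view}] {finding}")
```

Run it against the fw-2 transcript as well; because the two proposals and pre-shared keys mirror each other, it reports the same four findings for that side.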

Test result

Note: the commands shown in red in the original post are the ones that differ from the static configuration.
