2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Another protocol that can implement * * is ipsec. Strictly speaking, ipsec is not a single protocol but a framework that combines several protocols. Its configuration can be broken down into the following four steps:
1. Filter the data flow that is to be protected (controlled by an acl)
2. Create a security proposal (working mode, choice of security protocol, authentication algorithm and, for the esp protocol, the encryption algorithm; both peers must choose the same values)
3. Create a security policy (acl + security proposal + ike neighbor). Policies are normally negotiated automatically through ike, so an ike neighbor must be established first.
4. Apply the policy to the interface
The following is the topology diagram of this lab (sw1, sw2 and sw3 are the firewalls; isp is the switch):
Here are some configurations on isp:
[Quidway] sysname isp
[isp] int vlan 10
[isp-vlan10] port Ethernet 0/2
[isp-vlan10] vlan 20
[isp-vlan20] port Ethernet 0/10
[isp-vlan20] vlan 30
[isp-vlan30] port Ethernet 0/3
[isp-vlan30] vlan 40
[isp-vlan40] port Ethernet 0/20
[isp-vlan40] qu
[isp] int Vlan-interface 10
[isp-Vlan-interface10] ip add 61.130.132.2 255.255.255.252
[isp-Vlan-interface10] qu
[isp] int vlan 20
[isp-Vlan-interface20] ip add 61.130.134.2 255.255.255.252
[isp-Vlan-interface20] qu
[isp] int vlan 30
[isp-Vlan-interface30] ip add 61.130.133.2 255.255.255.252
[isp-Vlan-interface30] qu
[isp] int vlan 40
[isp-Vlan-interface40] ip add 61.130.135.2 255.255.255.252
Some configurations on Sw1:
[H3C] sysname sw1
[sw1] int eth0/0
[sw1-Ethernet0/0] ip add 192.168.1.254 24
[sw1-Ethernet0/0] int eth0/3
[sw1-Ethernet0/3] ip add 61.130.132.1 30
[sw1-Ethernet0/3] int eth 0/4
[sw1-Ethernet0/4] ip add 61.130.133.1 30
[sw1-Ethernet0/4] qu
[sw1] firewall zone trust
[sw1-zone-trust] add interface e0/0
[sw1-zone-trust] qu
[sw1] firewall zone untrust
[sw1-zone-untrust] add int e0/3
[sw1-zone-untrust] add int e0/4
Some configurations on Sw3:
[H3C] sysname sw3
[sw3] int e0/4
[sw3-Ethernet0/4] ip add 61.130.135.1 255.255.255.252
[sw3-Ethernet0/4] int eth0/0
[sw3-Ethernet0/0] ip add 192.168.3.254 255.255.255.0
[sw3-Ethernet0/0] loopback
[sw3-Ethernet0/0] qu
[sw3] firewall zone untrust
[sw3-zone-untrust] add int e0/4
[sw3] ip route-static 0.0.0.0 0 61.130.135.2
Some configurations on Sw2:
[H3C] sysname sw2
[sw2] int e0/4
[sw2-Ethernet0/4] ip add 61.130.134.1 255.255.255.252
[sw2-Ethernet0/4] int e0/0
[sw2-Ethernet0/0] ip add 192.168.2.254 255.255.255.0
[sw2-Ethernet0/0] loopback
[sw2-Ethernet0/0] qu
[sw2] firewall zone untrust
[sw2-zone-untrust] add int e0/4
[sw2] ip route-static 0.0.0.0 0 61.130.134.2
Implement the configuration of ipsec on sw1:
// use an acl to select the flow to be protected
[sw1] acl number 3000 match-order auto
[sw1-acl-adv-3000] rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[sw1-acl-adv-3000] rule 20 deny ip source any destination any
[sw1-acl-adv-3000] qu
// create a security proposal (md5 and des are used here as a lab example only; both are weak by today's standards)
[sw1] ipsec proposal tran3
[sw1-ipsec-proposal-tran3] encapsulation-mode tunnel
[sw1-ipsec-proposal-tran3] transform esp
[sw1-ipsec-proposal-tran3] esp authentication-algorithm md5
[sw1-ipsec-proposal-tran3] esp encryption-algorithm des
[sw1-ipsec-proposal-tran3] quit
// configure the ike neighbor
[sw1] ike peer fw3
[sw1-ike-peer-fw3] pre-shared-key simple 12345
[sw1-ike-peer-fw3] local-address 61.130.132.1
[sw1-ike-peer-fw3] remote-address 61.130.134.1
[sw1-ike-peer-fw3] qu
// configure the policy
[sw1] ipsec policy policy3 10 isakmp
[sw1-ipsec-policy-isakmp-policy3-10] security acl 3000
[sw1-ipsec-policy-isakmp-policy3-10] proposal tran3
[sw1-ipsec-policy-isakmp-policy3-10] ike-peer fw3
[sw1-ipsec-policy-isakmp-policy3-10] qu
// apply the policy to the interface
[sw1] int eth0/3
[sw1-Ethernet0/3] ipsec policy policy3
[sw1-Ethernet0/3] qu
Configure sw2 and sw3 in the same way (mirroring the acl source/destination and the ike local-address/remote-address), and make sure the proposal parameters and the ike pre-shared-key are identical on both peers, otherwise negotiation will fail.
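As an added consistency check (example code written for this article, not the author's or H3C's), the following Python parses the ipsec settings of two peers and reports anything that would stop negotiation; sw2's settings are constructed here as the mirror of sw1, since the article does not show them.

```python
import re
# Constructed sample (not from the article): sw1's ipsec settings as shown above
# and the mirrored sw2 settings the article leaves to the reader.
SW1 = """acl number 3000 match-order auto
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal tran3
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm des
ike peer fw3
 pre-shared-key simple 12345
 local-address 61.130.132.1
 remote-address 61.130.134.1
"""
SW2 = """acl number 3000 match-order auto
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal tran3
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm des
ike peer fw1
 pre-shared-key simple 12345
 local-address 61.130.134.1
 remote-address 61.130.132.1
"""

def parse(cfg):
    """Extract the fields that must agree between two H3C ipsec peers."""
    grab = lambda pat: re.search(pat, cfg).group(1)
    return {
        "src": grab(r"permit ip source (\S+ \S+) destination"),
        "dst": grab(r"destination (\S+ \S+)"),
        "proposal": dict(re.findall(r"^\s*(encapsulation-mode|transform|esp \S+-algorithm) (\S+)$", cfg, re.M)),
        "psk": grab(r"pre-shared-key \S+ (\S+)"),
        "local": grab(r"local-address (\S+)"),
        "remote": grab(r"remote-address (\S+)"),
    }

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would break IKE/IPsec negotiation (empty list = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        ("proposal parameters differ", a["proposal"] == b["proposal"]),
        ("ike pre-shared-key differs", a["psk"] == b["psk"]),
        ("ike local/remote addresses do not cross-match", (a["local"], a["remote"]) == (b["remote"], b["local"])),
        ("acl source/destination are not mirrored", (a["src"], a["dst"]) == (b["dst"], b["src"])),
    ]
    return [msg for msg, ok in checks if not ok]
```

Running `check_peers(SW1, SW2)` returns an empty list for the mirrored pair; comparing sw1 against a copy of itself flags both the non-crossed ike addresses and the un-mirrored acl.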
The results are as follows: