【正文】 vlan 13return實(shí)驗(yàn) 12 Eudemon防火墻IPSec VPN配置學(xué)習(xí)目的 掌握在Eudemon防火墻上配置IPSec VPN的方法 掌握在Eudemon防火墻上配置GRE over IPSec VPN的方法 掌握在路由器上配置IPSec VPN的方法 掌握在路由器上配置GRE over IPSec VPN的方法拓?fù)鋱D圖12 Eudemon防火墻VPN配置場(chǎng)景你是你們公司的網(wǎng)絡(luò)管理員。公司的網(wǎng)絡(luò)分為總部區(qū)域、分部網(wǎng)絡(luò)和分支辦公室三個(gè)部分。現(xiàn)在分部網(wǎng)絡(luò)內(nèi)Trust區(qū)域的用戶需要能夠訪問總部的Trust區(qū)域。并且分支辦公室也需要能夠訪問總部的Trust區(qū)域。并要求總部、分部網(wǎng)絡(luò)之間，總部、分支辦公室之間傳輸?shù)臄?shù)據(jù)需要加密。學(xué)習(xí)任務(wù)步驟一. 基本配置與IP編址S1與S2參與到本次實(shí)驗(yàn)（實(shí)現(xiàn)防火墻與路由器的互聯(lián)），但無需配置。實(shí)驗(yàn)之前，請(qǐng)清空S1與S2的配置，并重啟它們。給所有路由器配置IP地址和掩碼。配置時(shí)注意所有的Loopback接口配置掩碼均為24位。Huaweisystemview Enter system view, return user view with Ctrl+Z.[Huawei]sysname R1[R1]interface GigabitEthernet 0/0/1[R1GigabitEthernet0/0/1]ip address 24[R1GigabitEthernet0/0/1]interface Serial 1/0/0[R1Serial1/0/0]ip address 24[R1Serial1/0/0]interface loopback 0[R1LoopBack0]ip address 24Huaweisystemview Enter system view, return user view with Ctrl+Z.[Huawei]sysname R2[R2]interface GigabitEthernet0/0/1[R2GigabitEthernet0/0/2]ip address 24[R2GigabitEthernet0/0/2]interface Serial 1/0/0[R2Serial1/0/0]ip address 24[R2Serial1/0/0]interface Serial2/0/0[R2Serial2/0/0]ip address 24[R2Serial2/0/0]interface loopback 0[R2LoopBack0]ip address 24Huaweisystemview Enter system view, return user view with Ctrl+Z.[Huawei]sysname R3[R3]interface Serial2/0/0[R3Serial2/0/0]ip address 24[R3Serial2/0/0]interface loopback 0[R3LoopBack0]ip address 24配置防火墻FW1和FW2的接口地址。Eudemon 200Esystemview Enter system view, return user view with Ctrl+Z.[Eudemon 200E]sysname FW1[FW1]interface Ethernet 0/0/0[FW1Ethernet0/0/0]ip address 24[FW1Ethernet0/0/0]interface Ethernet 2/0/0[FW1Ethernet2/0/0]ip address 24Eudemon 200Esystemview Enter system view, return user view with Ctrl+Z.[Eudemon 200E]sysname FW2[FW2]interface Ethernet 0/0/0[FW2Ethernet0/0/0]ip address 24[FW2Ethernet0/0/0]interface Ethernet 2/0/0[FW2Ethernet2/0/0]ip address 24配置防火墻FW1和FW2的安全區(qū)域，并將接口添加到對(duì)應(yīng)的安全區(qū)域。[FW1zonedmz]firewall zone trust[FW1zonedmz]add interface Ethernet 0/0/0[FW1zonetrust]firewall zone untrust[FW1zoneuntrust]add interface Ethernet 2/0/0[FW2zonedmz]firewall zone trust[FW2zonedmz]add interface Ethernet 0/0/0[FW2zonetrust]firewall zone untrust[FW2zoneuntrust]add interface Ethernet 2/0/0步驟二. 配置區(qū)域間的安全過濾在防火墻上配置從Trust區(qū)域發(fā)往Untrust區(qū)域的數(shù)據(jù)包被放行，從Untrust區(qū)域發(fā)往Local區(qū)域的數(shù)據(jù)包被放行，其他方向數(shù)據(jù)流被禁止。[FW1]firewall packetfilter default permit interzone trust untrust[FW1]firewall packetfilter default permit interzone local untrust[FW2]firewall packetfilter default permit interzone trust untrust[FW2]firewall packetfilter default permit interzone local untrust步驟三. 配置路由，實(shí)現(xiàn)網(wǎng)絡(luò)的連通在RRRFW1和FW2上配置單區(qū)域OSPF,、。[R1]ospf 1[R1ospf1]area []network []network [R2]ospf 1 [R2ospf1]area []network []network []network [R3]ospf 1 [R3ospf1]area []network [FW1]ospf 1 [FW1ospf1]area []network [FW2]ospf 1 [FW2ospf1]area []network 在FW1和FW2上測(cè)試網(wǎng)段的連通性。[FW1]ping PING : 56 data bytes, press CTRL_C to break Reply from : bytes=56 Sequence=1 ttl=253 time=40 ms Reply from : bytes=56 Sequence=2 ttl=253 time=30 ms Reply from : bytes=56 Sequence=3 ttl=253 time=30 ms Reply from : bytes=56 Sequence=4 ttl=253 time=40 ms Reply from : bytes=56 Sequence=5 ttl=253 time=30 ms ping statistics 5 packet(s) transmitted 5 packet(s) received % packet loss roundtrip min/avg/max = 30/34/40 ms[FW1]ping PING : 56 data bytes, press CTRL_C to break Reply from : bytes=56 Sequence=1 ttl=253 time=70 ms Reply from : bytes=56 Sequence=2 ttl=253 time=60 ms Reply from : bytes=56 Sequence=3 ttl=253 time=70 ms Reply from : bytes=56 Sequence=4 ttl=253 time=70 ms Reply from : bytes=56 Sequence=5 ttl=253 time=60 ms ping statistics 5 packet(s) transmitted 5 packet(s) received % packet loss roundtrip min/avg/max = 60/66/70 ms[FW2]ping PING : 56 data bytes, press CTRL_C to break Reply from : bytes=56 Sequence=1 ttl=253 time=40 ms Reply from : bytes=56 Sequence=2 ttl=253 time=30 ms Reply from : bytes=56 Sequence=3 ttl=253 time=40 ms Reply from : bytes=56 Sequence=4 ttl=253 time=30 ms Reply from : bytes=56 Sequence=5 ttl=253 time=30 ms ping statistics 5 packet(s) transmitted 5 packet(s) received % packet loss roundtrip min/avg/max = 30/34/40 ms[FW2]ping PING : 56 data bytes, press CTRL_C to break Reply from : bytes=56 Sequence=1 ttl=254 time=30 ms Reply from : bytes=56 Sequence=2 ttl=254 time=30 ms Reply from : bytes=56 Sequence=3 ttl=254 time=30 ms Reply from : bytes=56 Sequence=4 ttl=254 time=30 ms Reply from : bytes=56 Sequence=5 ttl=254 time=30 ms ping statistics 5 packet(s) transmitted 5 packet(s) received % packet lossroundtrip min/avg/max = 30/30/30 msRRR。步驟四. 配置分部網(wǎng)絡(luò)與總部網(wǎng)絡(luò)之間的IPSec VPN配置匹配被保護(hù)數(shù)據(jù)的ACL。[FW1]acl 3000 [FW1acladv3000]rule permit ip source destination [FW2]acl 3000 [FW2acladv3000]rule permit ip source destination 配置分部網(wǎng)絡(luò)到總部?jī)?nèi)網(wǎng)的靜態(tài)路由。[FW1]ip routestatic 24 [FW2]ip routestatic 24 在防火墻FW1和FW2上配置IPSec安全提議。配置時(shí)，封裝模式使用隧道模式，使用ESP協(xié)議對(duì)數(shù)據(jù)進(jìn)行保護(hù)。ESP使用的加密算法為DES、完整性驗(yàn)證算法使用SHA1。[FW1]ipsec proposal tran1 [FW1ipsecproposaltran1]encapsulationmode tunnel [FW1ipsecproposaltran1]transform esp [FW1ipsecproposaltran1]esp authenticationalgorithm sha1 [FW1ipsecproposaltran1]esp encryptionalgorithm des[FW2]ipsec proposal tran1 [FW2ipsecproposaltran1]encapsulationmode tunnel [FW2ipsecproposaltran1]transform esp [FW2ipsecproposaltran1]esp authenticationalgorithm sha1 [FW2ipsecproposaltran1]esp encryptionalgorithm des在防火墻FW1和FW2上配置IKE安全提議。在IKE安全提議中，定義加密算法為DES、完整性驗(yàn)證算法使用SHA1。[FW1]ike proposal 10 [FW1ikeproposal10]authenticationalgor