华为与做配置测试报告.doc

USG与juniper IPSEC VPN 测试报告 USG与juniper IPSEC VPN 测试报告产品型号：USG5000产品名称：中端防火墙测试单位：华为技术有限公司目 录一、测试目标3二、测试拓扑及IP地址3三、测试过程31.IPSEC VPN配置主模式42.命令行配置73.IPSEC VPN野蛮模式中心端配置114.命令行配置15四、测试结果19一、 测试目标主要测试功能 华为USG 防火墙与juniper产品进行IPSEC VPN 对接。数据在中心端各分部都需要访问，分部接入主要有两种一种是有公网的一种是动态IP的所以采用IPSEC 主模式与野蛮模式两种VPN 接入方式。华为USG 为中心端，juniper模拟两种不同的VPN 。二、 测试拓扑及IP地址三、 测试过程1. IPSEC VPN配置主模式IPSEC VPN测试表本端对端设备名称USG5000设备名称juniper VPN模式公司to公司VPN模式公司to公司协商模式主模式协商模式主模式共享密钥123456共享密钥123456IKE阶段IKE阶段认证算法MD5认证算法MD5加密算法3DES加密算法3DESDH组DH-Group2DH组DH-Group2IPSEC阶段IPSEC阶段封装模式隧道模式封装模式隧道模式安全提议ESP安全提议ESPESP加密MD5ESP加密MD5ESP认证3DESESP认证3DESNAT穿越noNAT穿越no本地网段/24本地网段/242. 命令行配置USGDISCUR18:16:052013/06/28#sysnameUSG#l2tpdomainsuffix-separator#firewallpacket-filterdefaultpermitinterzonelocaltrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaltrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectionoutbound#ipdf-unreachablesenable#firewallipv6sessionlink-statecheckfirewallipv6statisticsystemenable#dnsresolve#vlanbatch1#firewallstatisticsystemenable#dnsproxyenable##runmodefirewall#updatescheduleipsdaily0:55updatescheduleavdaily0:55#web-managerenable#user-manageweb-authenticationport8888#l2fwdfastenable#aclnumber3000rule5permitipsource55destination55#ikeproposal1encryption-algorithm3des-cbcdhgroup2authentication-algorithmmd5#ikepeerike28618347778pre-shared-key%$%$(up5*Gp|#mItg84&7mFOG5%$%$ike-proposal1remote-addressundonattraversal#ipsecproposalprop28618347778espencryption-algorithm3des#ipsecpolicyipsec28618347771isakmpsecurityacl3000ike-peerike28618347778proposalprop28618347778local-address#interfaceVlanif1ipaddress44#interfaceCellular5/0/0link-protocolppp#interfaceEthernet0/0/0ipaddressipsecpolicyipsec2861834777auto-neg#interfaceEthernet1/0/0portswitchportlink-typeaccess#interfaceEthernet1/0/1portswitchportlink-typeaccess#interfaceEthernet1/0/2portswitchportlink-typeaccess#interfaceEthernet1/0/3portswitchportlink-typeaccess#interfaceEthernet1/0/4portswitchportlink-typeaccess#interfaceEthernet1/0/5portswitchportlink-typeaccess#interfaceEthernet1/0/6portswitchportlink-typeaccess#interfaceEthernet1/0/7portswitchportlink-typeaccess#interfaceNULL0#firewallzonelocalsetpriority100#firewallzonetrustsetpriority85addinterfaceEthernet1/0/0addinterfaceEthernet1/0/1addinterfaceEthernet1/0/2addinterfaceEthernet1/0/3addinterfaceEthernet1/0/4addinterfaceEthernet1/0/5addinterfaceEthernet1/0/6addinterfaceEthernet1/0/7addinterfaceVlanif1#firewallzoneuntrustsetpriority5addinterfaceEthernet0/0/0#firewallzonedmzsetpriority50#aaalocal-useradminpasswordcipher%$%$2yA9)!l,#gel;VwZ&OjaX%$%$local-useradminservice-typewebterminaltelnetlocal-useradminlevel15authentication-schemedefault#authorization-schemedefault#accounting-schemedefault#domaindefaultdomaindot1x#nqa-jittertag-version1#iproute-static#bannerenable#user-interfacecon0user-interfacetty2authentication-modepasswordmodembothuser-interfacevty04authentication-modeaaaprotocolinboundall#slb#cwmp#right-managerserver-group#returnUSG3. IPSEC VPN野蛮模式中心端配置IPSEC VPN测试表本端对端设备名称USG5000设备名称juniper VPN模式中心to分支VPN模式分支to中心协商模式野蛮模式协商模式野蛮模式共享密钥123456共享密钥123456IKE阶段IKE阶段认证算法MD5认证算法MD5加密算法3DES加密算法3DESDH组DH-Group2DH组DH-Group2IPSEC阶段IPSEC阶段封装模式隧道模式封装模式隧道模式安全提议ESP安全提议ESPESP加密MD5ESP加密MD5ESP认证3DESESP认证3DESNAT穿越yesNAT穿越yes本地网段/24本地网段/244. 命令行配置USGdiscur18:21:522013/06/28#sysnameUSG#l2tpdomainsuffix-separator#firewallpacket-filterdefaultpermitinterzonelocaltrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaltrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectionoutbound#ipdf-unreachablesenable#firewallipv6sessionlink-statecheckfirewallipv6statisticsystemenable#dnsresolve#vlanbatch1#firewallstatisticsystemenable#dnsproxyenable##runmodefirewall#updatescheduleipsdaily0:55updatescheduleavdaily0:55#web-managerenable#user-manageweb-authenticationport8888#l2fwdfastenable#aclnumber3000rule5permitipsource55destination55#aclnumber3001#ikeproposal1encryption-algorithm3des-cbcdhgroup2