hcie-security认证专家培训v1.0bate02实验手册ipsec上机指导书

Siteto 点到多点L2TPOver L2TPOver 配置 配置 4高可 IPSec隧道化实现链路备份实 Hub主备备份场 Hub负载分担场 NAT穿 GREOver GREOver 11SitetoSite-to-实验目组网设（例：USG6630两台，PC机两台实验拓网实验步骤

（拓扑图Step1USG_A和USG_BIPUSG_A<USG><USG>system-[USG]sysnameUSG_AIPGE1/0/0Untrust，GE1/0/1Trust[USG_A][USG_A]interface[USG_A-GigabitEthernet1/0/0]ipaddress202.1.1.1255.255.255.0[USG_A-GigabitEthernet1/0/0]service-manage [USG_A]interfaceGigabitEthernet1/0/1[USG_A-GigabitEthernet1/01]ipaddress10.1.1.1 [USG_A][USG_A]firewallzone[USG_A-zone-untrust]addinterface[USG_A][USG_A]firewallzone[USG_A-zone-trust]addinterfaceUSG_B<USG><USG>system-[USG]sysnameUSG_BIPGE1/0/0Untrust，GE1/0/1Trust[USG_B]interface[USG_B]interface[USG_B-GigabitEthernet1/0/0]ipaddress202.1.1.2255.255.255.0[USG_B-GigabitEthernet1/0/0]service-manage [USG]interfaceGigabitEthernet1/0/1[USG_B-GigabitEthernet1/01]ipaddress10.1.2.1 [USG_B]firewallzone[USG_B-zone-untrust]addinterface[USG_B]firewallzone[USG_B-zone-trust]addinterfaceStep2USG_AUSG_A[USG_A] 名源安全区源地址/地目的地址/地动允-security]rule_ipsec_1]source-address10.1.1.0_ipsec_1]destination-address10.1.2.0 _ipsec_1]action_ipsec_1]action 名源安全区源地址/地目的地址/地动允 -security]rule-security]rule 名源安全区源地址/地目的地址/地动允 -security]rule Step-security]rule USG_B[USG_B] 名源安全区源地址/地目的地址/地动允_ipsec_1]source-zone _ipsec_1]destination-zone _ipsec_1]source-address10.1.2.0 _ipsec_1]destination-address10.1.1.0 _ipsec_1]action -security]rule-security]rule 名源安全区源地址/地目的地址/地动允_ipsec_3]source-zone _ipsec_3]destination-zone _ipsec_3]source-address202.1.1.1 _ipsec_3]destination-address202.1.1.2 _ipsec_3]action -security]rule-security]rule 名源安全区源地址/地目的地址/地动允_ipsec_3]rulename _ipsec_4]source-zone _ipsec_4]destination-zone _ipsec_4]source-address202.1.1.2 _ipsec_4]destination-address202.1.1.1 _ipsec_4]actionStep4USG_A和USG_BUSG_A[USG_A][USG_A]iproute-static0.0.0.00.0.0.0USG_B[USG_B][USG_B]iproute-static0.0.0.00.0.0.0Step5配置USG_A的IPSec[USG_A][USG_A]acl[USG_A-acl-adv-3000]rule5permitipsource10.1.1.00.0.0.25510.1.2.0IKE[USG_A][USG_A]ikeproposalIKE[USG_A][USG_A]ikepeer[USG_A-ike-peer-b]exchange-modeauto[USG_A-ike-peer-b]pre-shared-keyAdmin@123[USG_A-ike-peer-b]ike-proposal1[USG_A-ike-peer-b]remote-id-typeipIPsec[USG_A][USG_A]ipsecproposalIPsec[USG_A][USG_A]a1-isakmp-a-1]securityacl-isakmp-a-1]ike-peer-isakmp-a-1]proposal aauto-Step6配置USG_B的IPSec[USG_B][USG_B]acl[USG_B-acl-adv-3000]rule5permitipsource10.1.2.00.0.0.25510.1.1.0IKE[USG_A][USG_A]ikeproposalIKE[USG_B][USG_B]ikepeer[USG_B-ike-peer-b]exchange-modeauto[USG_B-ike-peer-b]pre-shared-keyAdmin@123[USG_B-ike-peer-b]ike-proposal1[USG_B-ike-peer-b]remote-id-typeipIPsec[USG_B][USG_B]ipsecproposalIPsec[USG_B][USG_B]ipsecb1-isakmp-b-1]securityacl-isakmp-b-1]ike-peer-isakmp-b-1]proposal bauto-实验步骤Step1USG_A和USG_BIPUSG_AUSG_AIPGE1/0/0Untrust，GE1/0/1TrustUSG_BUSG_BIPGE1/0/0Untrust，GE1/0/1TrustStep2USG_AUSG_A名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允Step3USG_BUSG_B名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允Step4USG_A和USG_BUSG_AUSG_BStep5配置USG_A的IPSecIPSecIPSec”，单击“新建”，选择“场景”为“点到Step6配置USG_B的IPSecIPSecIPSec”，单击“新建”，选择“场景”为“点到验证结在USG_A上选择“网络>IPSec>”，查看IPSec隧道信息，可以在USG_B上选择“网络>IPSec>”，查看IPSec隧道信息，可以PC_A测试：Replyfrom10.1.2.2:bytes=56Sequence=349ttl=255time=1Replyfrom10.1.2.2:bytes=56Sequence=350ttl=255time=1msReplyfrom10.1.2.2:bytes=56Sequence=351ttl=255time=1msReplyfrom10.1.2.2:bytes=56Sequence=352ttl=255time=1PC_B测试：Replyfrom10.1.1.2:bytes=56Sequence=349ttl=255time=1Replyfrom10.1.1.2:bytes=56Sequence=350ttl=255time=1msReplyfrom10.1.1.2:bytes=56Sequence=351ttl=255time=1msReplyfrom10.1.1.2:bytes=56Sequence=352ttl=255time=1USG_A<USG_A>disyfirewallsession18:21:19CurrentTotalSessions:icmp:public-->public10.1.1.2:43987-->10.1.2.2:2048esp:public-->public202.1.1.2:0-->202.1.1.1:0USG_A查看加状<USG_B>disyipsecstatistics18:18:232014/09/11thesecuritypacketstatistics:input/outputsecuritypackets:68/58input/outputsecuritybytes:5712/4872input/outputdroppedsecuritypackets:0/0theencryptpacketstatisticssendsae:58,recvsae:58,sendlocalcpu:58,othercpu:0,recvothercpu:0intactpacket:2,firstslice:0,afterslice:0thedecryptpacketsendsae:68,recvsae:68,sendlocalcpu:0,othercpu:0,recvothercpu:0reassfirstslice:0,afterslice:0,lenerr:0点到多实验目通过本实验，你将了解点到多点的工作原理及详细配置组网设（例：USG6630两台，PC机两台实验拓网组网介

（拓扑图实验步骤Step1USG_A和USG_BIPUSG_AIPGE1/0/0Untrust，GE1/0/1Trust（略）USG_BIPGE1/0/0Untrust，GE1/0/1Trust（略）Step2USG_AUSG_A[USG_A] 名源安全区源地址/地目的地址/地动允-security]rule_ipsec_1]action名源安全区源地址/地目的地址/地动允-security]rule[USG_A--security-rule-_ipsec_3]source-zoneuntrust[USG_A--security-rule-_ipsec_3]destination-zonelocal[USG_A--security-rule-_ipsec_3]source-address202.1.1.232名源安全区源地址/地目的地址/地动允 -security]rule Step-security]rule USG_B[USG_B] 名源安全区源地址/地目的地址/地动允-security]rule_ipsec_1]action名源安全区源地址/地目的地址/地动允_ipsec_3]source-zone _ipsec_3]destination-zone _ipsec_3]source-address202.1.1.1 _ipsec_3]destination-address202.1.1.2 _ipsec_3]action -security]rule-security]rule 名源安全区源地址/地目的地址/地动允_ipsec_3]rulename _ipsec_4]source-zone _ipsec_4]destination-zone _ipsec_4]source-address202.1.1.2 _ipsec_4]destination-address202.1.1.1 _ipsec_4]action Step4USG_A和USG_BUSG_A[USG_A]iproute-static0.0.0.00.0.0.0 USG_B[USG_B]iproute-static0.0.0.00.0.0.0 Step5配置USG_A的IPSec[USG_A][USG_A]acl[USG_A-acl-adv-3000]rule5permitipsource10.1.1.00.0.0.25510.1.2.0IKE[USG_A][USG_A]ikeproposalIKE[USG_A][USG_A]ikepeer[USG_A-ike-peer-b]exchange-modeauto[USG_A-ike-peer-b]pre-shared-keyAdmin@123[USG_A-ike-peer-b]ike-proposal1[USG_A-ike-peer-b]remote-id-typeipIPsec[USG_A][USG_A]ipsecproposal------temap1te-map1-1]securityaclte-map1-1]ike-peerte-map1-1]te-map1-1]proposal1a1isakmp teaauto-Step6配置USG_B的IPSec[USG_B][USG_B]acl[USG_B-acl-adv-3000]rule5permitipsource10.1.2.00.0.0.25510.1.1.0IKE[USG_A][USG_A]ikeproposalIKE[USG_B][USG_B]ikepeer[USG_B-ike-peer-b]exchange-modeauto[USG_B-ike-peer-b]pre-shared-keyAdmin@123[USG_B-ike-peer-b]ike-proposal1[USG_B-ike-peer-b]remote-id-typeipIPsec[USG_B][USG_B]ipsecproposalIPsec[USG_B][USG_B]ipsecb1-isakmp-b-1]securityacl-isakmp-b-1]ike-peer-isakmp-b-1]proposal bauto-实验步骤Step1USG_A和USG_BIPUSG_AIPGE1/0/0Untrust，GE1/0/1Trust（略）USG_BIPGE1/0/0Untrust，GE1/0/1Trust（略）Step2USG_AUSG_A名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允Step3USG_BUSG_B名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允名源安全区源地址/地目的地址/地动允Step4USG_A和USG_BUSG_AUSG_BStep5配置USG_A的IPSecIPSecIPSec”，单击“新建”，选择“场景”为“点到Step6配置USG_B的IPSecIPSecIPSec”，单击“新建”，选择“场景”为“点到验证结在USG_A上选择“网络>IPSec>”，查看IPSec隧道信息，可以在USG_B上选择“网络>IPSec>”，查看IPSec隧道信息，可以PC_A测试：Replyfrom10.1.2.2:bytes=56Sequence=349ttl=255time=1Replyfrom10.1.2.2:bytes=56Sequence=350ttl=255time=1msReplyfrom10.1.2.2:bytes=56Sequence=351ttl=255time=1msReplyfrom10.1.2.2:bytes=56Sequence=352ttl=255time=1PC_B测试：Replyfrom10.1.1.2:bytes=56Sequence=349ttl=255time=1Replyfrom10.1.1.2:bytes=56Sequence=350ttl=255time=1msReplyfrom10.1.1.2:bytes=56Sequence=351ttl=255time=1msReplyfrom10.1.1.2:bytes=56Sequence=352ttl=255time=1USG_A<USG_A>disyfirewallsession18:21:19CurrentTotalSessions:icmp:public-->public10.1.1.2:43987-->10.1.2.2:2048esp:public-->public202.1.1.2:0-->202.1.1.1:0USG_A查看加状<USG_B>disyipsecstatistics18:18:232014/09/11thesecuritypacketstatistics:input/outputsecuritypackets:68/58input/outputsecuritybytes:5712/4872input/outputdroppedsecuritypackets:0/0theencryptpacketstatisticssendsae:58,recvsae:58,sendlocalcpu:58,othercpu:0,recvothercpu:0intactpacket:2,firstslice:0,afterslice:0thedecryptpacketsendsae:68,recvsae:68,sendlocalcpu:0,othercpu:0,recvothercpu:0reassfirstslice:0,afterslice:0,lenerr:0L2TPOverL2TPOver实验目L2TPOverIPsec组网设USG一台，PC机两台实验拓隧网（拓扑图实验步骤Step1IP地址和安全区域，完成网络基本参数配置。（略Step2>>用户/员工“vpdnuser”的用户信息，为o123。本例以“root”组为例，实选择“对象>用户>认证域”。单击认证域“default”对应的。Step3L2TPoverIPSecStep4IPSecIPSec”，在“IPSecStep5选择“场景”为“点到多点”，“对端接入类型”选择“L2TPoverIPSecStep6按如下参数配置“基本配置”，总部此时为了让多个分支接入，不指定分支的Admin@123。Step7单击“应用”，完成N的配置。Step8配置出差员工 出差员工侧主机上必须装有L2TPInternet。以Secoway软件为例。Step9打开 软Step10请单击，在“基本设置”页面设置基本信息，并启用IPSec安全协议。启用IPSec安全协议并设置登录为 o123验证字为Admin@123。Step11在“IPSec设置”IPSecStep12在“IKE设置”IKE验证结在 连接的，建L2TPLAC拨号成功后，在LNS端查看L2TP隧道的建立情况选择“网络>L2TP>”，查看到有L2TP隧道ID，说明L2TP隧道本端通道1对端通道1本端地址/PPP地对端地址/PPP地端1对端名1LNSIPSecIPSec策略名状本端地对端地IKE协商成功PSec在LAC端PC上，可以查看到分配到了33 实验目通过本实验你将了解配置Efficient采用 方式建立IPSec隧道的详组网设（例：USG一台，PC机两台实验拓DHCPDHCP 10.1.1.1/24RTARTB10.1.2.1/24隧网实验步骤(命令Step1在Rou上配置接口的IP地址 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet1/0/0]ipaddress60.1.1.1 ]interfacegigabitethernet -GigabitEthernet2/0/0]ipaddress10.1.1.1 Step2在Rou上配置到对端的静态路由，此处假设到对端的下一跳地址60.1.1.2 ]iproute-static60.1.2.0255.255.255.0 ]iproute-static10.1.2.0255.255.255.0Step3RouterBIPEthernet4/0/0DHCPIPIP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet1/0/0]ipaddress60.1.2.1[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddress10.1.2.1[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet3/0/0]ipaddress60.1.3.1[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet4/0/0]ipaddress100.1.1.360.1.2.2[RouterB][RouterB]iproute-static60.1.1.0255.255.255.0[RouterB]iproute-static10.1.1.0255.255.255.0Step5RouterBDHCPDHCP#DHCPDHCP服务器组并为服务器组添加DHCP[RouterB][RouterB]dhcp[RouterB]dhcpservergroupdhcp-Step6RouterB作为IPSec隧道协商响应方，采用策略模板方式与Rou建IPSec#通过AAA业务模板配置要推送的资源属性，推送IP地址、DNS、DNSWINS服务器地址。[RouterB][RouterB][RouterB-aaa]service-scheme[RouterB-aaa-service-schemetest]dhcp-servergroupdhcp-ser1[RouterB-aaa-service-schemetest]dns-name [RouterB-aaa-service-schemetest]dns2.2.2.2[RouterB-aaa-service-schemetest]dns2.2.2.3[RouterB-aaa-service-schemetest]wins3.3.3.3[RouterB-aaa]Step7IKEIKEAAAIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3Step8IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]tetemp1-templet-temp1-10]proposal110isakmpteStep9[RouterB][RouterB]interfacegigabitethernet1 Step10在Rou上采用方式配置Efficient，建立IPSec隧道#配置Efficient的模式为模式，并在模式视图下指定IKE协商时的对端地址和预共享密钥]ipsece]Step11在接口上应用Efficient]interfacegigabitethernete验证结配置成功后，在主机PCA上执行操作仍然可以通主机PCB，执行命令disyipsecstatisticsesp可以查看数据包的统计信息。在Rou上执行disyikesav2操作，结果如下 ]yikesa0021分别在Rou 和RouterB上执行disyipsecsa可以查看所配置的信息，以Rou ] yipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSec name: :-Connection:Encapsulationmode:TunnelTunnel :Tunnel :Flow :100.1.1.254/255.255.255.0Flowdestination :Flowdestination :0.0.0.0/0.0.0.00/0Qospre-classify :DisableQos :[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:在Rou上执行disyipsecefficient-显示Efficient策配置文 ##sysnameRouipsecefficient- remote-address60.1.2.1v2pre-shared-keysimple#interfaceipaddress60.1.1.1255.255.255.0ipsecefficient- #interfaceipaddress10.1.1.1255.255.255.0iproute-static60.1.2.0255.255.255.0iproute-static10.1.2.0255.255.255.060.1.1.2RouterB##sysnameRouterBdhcpenableipsecproposalprop1ikeproposalencryption-algorithm3des-cbcdhgroup2#ikepeerrut3pre-shared-keysimpleike-proposal5service-schemeschemetest - tetemp1ike-peerrut3proposalprop1#110isakmptedhcpservergroupdhcp-ser1dhcp-server60.1.2.10gateway100.1.1.3service-schemeschemetestdns2.2.2.2dns2.2.2.3dhcp-servergroupdhcp-ser1wins3.3.3.2wins3.3.3.3dns- #interfaceipaddress60.1.2.1 #interfaceinterfaceipaddress10.1.2.1255.255.255.0interfaceipaddress60.1.3.1255.255.255.0interfaceipaddress100.1.1.3255.255.255.0iproute-static60.1.1.0255.255.255.0iproute-static10.1.1.0255.255.255.060.1.2.2配置 采用Network模式建IPSec隧道示实验目通过本实验，你将了解配置Efficient 采用Network模式建立IPSec隧道配组网设实验拓10.1.1.1/24RTARTB10.1.2.1/24隧网实验步骤(命令Step1在 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet1/0/0]ipaddress60.1.1.1 ]interfacegigabitethernet -GigabitEthernet2/0/0]ipaddress10.1.1.1 Step2在Rou上配置到对端的静态路由，此处假设到对端的下一跳地址60.1.1.2 ]iproute-static60.1.2.0255.255.255.0 ]iproute-static10.1.2.0255.255.255.0Step3RouterBIP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet1/0/0]ipaddress60.1.2.1[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddress10.1.2.1Step4RouterB60.1.2.2[RouterB][RouterB]iproute-static60.1.1.0255.255.255.0[RouterB]iproute-static10.1.1.0255.255.255.0Step5在Rou上采用Network模式配置Efficient，作为协商发RouterBIPSecStep6ACL10.1.1.0/2410.1.2.0/24 ]aclnumber Step7配置Efficient的模式为Network，并在模式视图下ACL、指定 ]ipsec mode ]securityacl ]remote-address60.1.2.1 ]pre-shared-key ]Step8在接口上应用Efficient ]interfacegigabitethernet Step9在RouterB上配置策略模板方式的安全策略，作为协商响应Rou建IPSecStep10通过AAA业务模板配置要推送的资源属性，推送DNS、DNS服务器地WINS服务器地址。[RouterB][RouterB][RouterB-aaa]service-scheme [RouterB-aaa-service-schemetest]dns[RouterB-aaa-service-schemetest]dns2.2.2.3[RouterB-aaa-service-schemetest]wins3.3.3.3[RouterB-aaa]Step11IKEIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3Step12IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]teuse1-templet-use1-10]ike-peer-templet-use1-10]proposal110isakmpteStep13[RouterB][RouterB]interfacegigabitethernet1 ] y ] yipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSec name: :-NETWORKConnection:Encapsulationmode:Qos:[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:NAToutbound配置成功后，在主机PCA上执行操作仍然可以通主机PCB，执行命令disyipsecstatisticsesp可以查看数据包的统计信息。分别在Rou 和RouterB上执行disyikesav2会显示所配置的信息，以Rou ] yikesa 0021分别在Rou 和RouterB上执行disyipsecsa会显示所配置的信息，以Rou Tunnel:Tunnel:Flow:10.1.1.0/0.0.0.255Flow:10.1.2.0/0.0.0.255Qospre-:[Inbound[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:在Rou上执行disyipsecefficient-显示Efficient策略的信配置文Rou的配置文##sysnameRouaclnumberrule1permitipsource10.1.1.00.0.0.255destination10.1.2.00.0.0.255ipsecefficient- modenetworkremote-address60.1.2.1v2pre-shared-keysimplesecurityacl3001#interfaceipaddress60.1.1.1255.255.255.0ipsecefficient- #interfaceipaddress10.1.1.1255.255.255.0iproute-static60.1.2.0255.255.255.0iproute-static10.1.2.0255.255.255.060.1.1.2##sysnameRouterBipsecproposal#ikeikeproposalencryption-algorithm3des-cbcdhgroup2#ikepeerrut3pre-shared-keysimpleike-proposal5service-schemeschemetest - teuse1ike-peerrut3proposaltran1110isakmpteservice-schemeschemetestdns2.2.2.2dns2.2.2.3winswins3.3.3.3dns- #interfaceipaddress60.1.2.1 #interfaceipaddress10.1.2.1255.255.255.0iproute-static60.1.1.0255.255.255.0iproute-static10.1.1.0255.255.255.060.1.2.2Efficient采用Network-plus方式建IPSec隧道示实验目 采用Network-plus方式建立组网设实验拓10.1.1.1/24RTARTB10.1.2.1/24隧网实验步骤(命令Step1在 上配置接口的IP地址 >system- ]sysname ]interfacegigabitethernet -GigabitEthernet1/0/0]ipaddress60.1.1.1 ]interfacegigabitethernet -GigabitEthernet2/0/0]ipaddress10.1.1.1 Step2在 ]iproute-static60.1.2.0255.255.255.0 ]iproute-static10.1.2.0255.255.255.0Step3在RouterB上配置接口的IP<<[>system-]sysname[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet1/0/0]ipaddress60.1.2.1[RouterB]interfacegigabitethernet[RouterB-GigabitEthernet2/0/0]ipaddress10.1.2.1Step4在RouterB60.1.2.2[RouterB][RouterB]iproute-static60.1.1.0255.255.255.0[RouterB]iproute-static10.1.1.0255.255.255.0Step5在Rou上采用Network-plus模式配置Efficient，作为协商发RouterBIPSecStep6配置ACL10.1.1.0/2410.1.2.0/24 ]aclnumber Step7配置Efficient的模式为Network-plus，并在模式视图下ACL、指定 ]ipsec modenetwork- ]securityacl ]remote-address60.1.2.1 ]pre-shared-key ]Step8在接口上应用Efficient ]interfacegigabitethernet Step9在RouterB上配置策略模板方式的安全策略，作为协商响应 Rou建立IPSec隧道,配置要推送的资源属性，推送IP地址、DNS 、DNS服务器地址和WINS服务器地址。[RouterB][RouterB]ippool[RouterB-ip-pool-po1]network100.1.1.0mask[RouterB-ip-pool-po1]gateway-list[RouterB][RouterB-aaa]service-scheme [RouterB-aaa-service-schemetest]dns[RouterB-aaa-service-schemetest]dns2.2.2.3[RouterB-aaa-service-schemetest]wins3.3.3.3[RouterB-aaa]Step10IKEIKE[RouterB][RouterB]ikeproposal[RouterB-ike-proposal-5]dh[RouterB]ikepeerrut3[RouterB-ike-peer-rut3]exchange-modeaggressive[RouterB-ike-peer-rut3]pre-shared-keysimple[RouterB-ike-peer-rut3]ike-proposal5Step11IPSec[RouterB][RouterB]ipsecproposal[RouterB]ipsec[RouterB]teuse1-templet-use1-10]ike-peer-templet-use1-10]proposal110isakmpteStep12[RouterB][RouterB]interfacegigabitethernet1验证结配置成功后，在主机PCA上执行操作仍然可以通主机PCB，执行命令disyipsecstatisticsesp可以查看数据包的统计信息。分别在Rou 和RouterB上执行disyikesa会显示所配置的信息，以Rou [Rou]disyike Flag(s) 2 2 1 分别在 息，以 为例yipsecsa[Rou]disyipsecInterface:GigabitEthernet1/0/0PathMTU:1500IPSec name: : Connection Encapsulationmode:TunnelTunnel :Tunnel :Flow :100.1.1.126/255.255.255.255Flow :0.0.0.0/0.0.0.0Qospre- :[OutboundESP SAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal:IPSec name: : Connection Encapsulationmode:TunnelTunnel :Tunnel :Flow :10.1.1.0/255.255.255.0Flow :10.1.2.0/255.255.255.0Qospre- :[OutboundESPSAremainingkeyduration(bytes/sec): Maxsentsequence-number:0UDPencapsulationusedforNATtraversal:[InboundESP SAremainingkeyduration(bytes/sec): Maxreceivedsequence-number:0 ywindowsize:UDPencapsulationusedforNATtraversal: 在 上执行 yipsec 显示 ] yipsecIPSec name:Using :IPSecEfficient-IPSecEfficient-ACLNumberAuthMethodLocalIDTypeIKEVersionRemoteAddressPreSharedKeyPFSTypeLocalAddressRemotePKI::3 ::8(8:PSK::1(1:IP:1(1:IKEv1: ::0(0:Disable1:Group12:Group2:: ywindowsizeQospre-classifyInterfaceloopbackInterfaceloopbackIPDnsserverIPWinsserver:::0(0:Disable:::2.2.2.2,:3.3.3.2,Dns Auto-updateAuto-updateAuto-update::配置文Rou的配置文##sysnameRouaclnumberrule1permitipsource10.1.1.00.0.0.255destination10.1.2.00.0.0.255ipsecefficient- modenetwork-plusremote-address60.1.2.1v1pre-shared-keysimplesecurityacl3001#interfaceipaddress60.1.1.1255.255.255.0ipsecefficient- #interfaceipaddress10.1.1.1255.255.255.0iproute-static60.1.2.0255.255.255.0iproute-static10.1.2.0255.255.255.060.1.1.2##sysnameRouterBipsecproposaltran1ikeproposalencryption-algorithm3des-cbcdhgroup2#ikepeerrut3exchange-modeaggressivepre-shared-keysimpleike-proposalike-proposalservice-schemeschemetest - teuse1ike-peerrut3proposaltran1ippool110isakmptegateway-listnetwork100.1.1.0mask255.255.255.128service-schemeschemetestdns2.2.2.2dns2.2.2.3secondaryip-poolpo1winswins3.3.3.3dns- #interfaceipaddress60.1.2.1 #interfaceipaddress10.1.2.1255.255.255.0iproute-static60.1.1.0255.255.255.0iproute-static10.1.1.0255.255.255.060.1.2.244IPSec主备链路实验目组网设USG两台，S5700交换机一台，PC机两台实验拓10.1.1.1/24RTARTB10.1.2.1/24隧网（拓扑图实验步骤IPIPIPIPIPTunnel1Tunnel2IP _B通过Tunnel接口与N _A在公网上建立IPSec隧道，因此需要使用公网地址，本例中Tunnel1和Tunnel2接口借用了GigabitEthernet1/0/1接口IPSecIPSec安全提ESP协议验ESP协议加IKEIPIPStep1IP>system-]sysname _A]interfaceGigabitEthernet_A-GigabitEthernet1/0/0]ipaddress10.1.1.1_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/1]ipaddress202.38.163.1_A]interfaceGigabitEthernet_A-GigabitEthernet1/0/2]ipaddress202.38.164.1Step2_A]firewallzone_A-zone-trust]addinterfaceGigabitEthernet_A-zone-trust]_A]firewallzone_A-zone-untrust]addinterfaceGigabitEthernet_A-zone-untrust]addinterfaceGigabitEthernet_A-zone-untrust]Step3配置策略TrustUntrust域的转发策略，允许封装前和解封后的报文能通过N_A。_A][N_A--security]rulename[N_A--security-rule-1]source-zonetrust[N_A--security-rule-1]destination-zoneuntrust[N_A--security-rule-1]source-address10.1.1.024[N_A--security-rule-1]destination-address10.2.1.024[N_A--security-rule-1]actionpermit[N_A--security-rule-1]quit[N_A--security]rulename2[N_A--security-rule-2]source-zoneuntrust[N_A--security-rule-2]destination-zonetrust[N_A--security-rule-2]source-address10.2.1.024[N_A--security-rule-2]destination-address10.1.1.024[N_A--security-rule-2]actionpermit-security-rule-2]N_A-security]rulename[N_A--security-rule-3]source-zonelocal[N_A--security-rule-3]destination-zoneuntrust[N_A--security-rule-3]source-address202.38.0.016[N_A--security-rule-3]destination-address2.2.2.024[N_A--security-rule-3]actionpermit[N_A--security-rule-3]quit[N_A--security]rulename4[N_A--security-rule-4]source-zoneuntrust[N_A--security-rule-4]destination-zonelocal[N_A--security-rule-4]source-address2.2.2.024[N_A--security-rule-4]destination-address202.38.0.016[N_A--security-rule-4]actionpermit[N_A--security-rule-4]-security]Step4配置IP-Link，用于检测N_A到N_B的主链路是否正常_A]ip-linkcheck_A]ip-link1destination2.2.2.2interfaceGigabitEthernet1/0/1modenext-hopnext-hopStep510IP-Link功能；备用路由20。当设备检测到主链路故障时，将自动启用备用路由。_A]iproute-static10.2.1.024202.38.163.2preference10trackip-link_A]iproute-static10.2.1.024202.38.164.2preference_A]iproute-static0.0.0.00.0.0.0202.38.163.2preference10trackip-link_A]iproute-static0.0.0.00.0.0.0202.38.164.2preferenceStep6配置控制列表，定义需要保护的数据流_A]acl_A-acl-adv-3000]rulepermitipsource10.1.1.00.0.0.255destination_A-acl-adv-3000]_A]acl_A-acl-adv-3001]rulepermitipsource10.1.1.00.0.0.255destination_A-acl-adv-3001]Step7tran1IPSec_A]ipsecproposal_A-ipsec-proposal-tran1]transformStep810IKE_A]ikeproposal_A-ike-proposal-10]Step9IKEPeer_A]ikepeer_A-ike-peer-b]ike-proposal_A-ike-peer-b]remote-address_A-ike-peer-b]pre-shared-key_A-ike-peer-b]undoversion_A-ike-peer-b]Step10IPSecmap1_A]map110_A--isakmp-map1-10]securityacl_A--isakmp-map1-10]proposal_A--isakmp-map1-10]ike-peer_A-_A]map210_A--isakmp-map1-10]securityacl_A--isakmp-map1-10]proposal_A--isakmp-map1-10]ike-peer_A-Step11GigabitEthernet1/0/1GigabitEthernet1/0/2map1。_A]interfaceGigabitEthernet_A]interfaceGigabitEthernetmap1auto-map2auto-Step12配置N_B基础配置配置接口IP地址>system-]sysname _B]interfaceGigabitEthernet_B-GigabitEthernet1/0/0]ipaddress10.2.1.1_B]interfaceGigabitEthernet_B-GigabitEthernet1/0/1]ipaddress2.2.2.2_B]interfacetunnel_B-Tunnel1]ipaddressunnumberedinterfaceGigabitEthernet_B-Tunnel1]tunnel-protocol_B-Tunnel1]_B]interfacetunnel_B-Tunnel2]ipaddressunnumberedinterfaceGigabitEthernet_B-Tunnel2]tunnel-protocol_B-Tunnel2]_B]firewallzone_B-zone-trust]addinterfaceGigabitEthernet_B-zone-trust]_B]firewallzone_B-zone-untrust]addinterfaceGigabitEthernet_B-zone-untrust]addinterfaceTunnel_B-zone-untrust]addinterfaceTunnel_B-zone-untrust]Step13配置策略_B][N_B--security]rulename[N_B--security-rule-1]source-zonetrust[N_B--security-rule-1]destination-zoneuntrust[N_B--security-rule-1]source-address10.2.1.024[N_B--security-rule-1]destination-address10.1.1.024[N_B--security-rule-1]actionpermit[N_B--security-rule-1]quit[N_B--security]rulename2[N_B--security-rule-2]source-zoneuntrust[N_B--security-rule-2]destination-zonetrust[N_B--security-rule-2]source-address10.1.1.024[N_B--security-rule-2]destination-address10.2.1.024[N_B--security-rule-2]actionpermitLocalUntrustIKE-security]rulename[N_B--security-rule-3]source-zonelocal[N_B--security-rule-3]destination-zoneuntrust[N_B--security-rule-3]source-address2.2.2.024[N_B--security-rule-3]destination-address202.38.0.016[N_B--security-rule-3]actionpermit[N_B--security-rule-3]quit[N_B--security]rulename4[N_B--security-rule-4]source-zoneuntrust[N_B--security-rule-4]destination-zonelocal[N_B--security-rule-4]source-address202.38.0.016[N_B--security-rule-4]destination-address2.2.2.024[N_B--security-rule-4]actionpermitStep14配置IP-Link，用于检测N_B到N_A的链路是否正常_B]ip-linkcheck_B]ip-link1destination202.38.163.1interfaceGigabitEthernet1/0/1icmpnext-hopStep15配置到Tunnel接口的路由。分支总部的数据流被首先到Tunnel接1_B]iproute-static10.1.1.0255.255.255.0Tunnel1preference10trackip-_B]iproute-static10.1.1.0255.255.255.0Tunnel2preference Step162.2.2.1_B]iproute-static0.0.0.00.0.0.0 Step17配置控制列表，定义需要保护的数据流在N_B中需要配置两个IPSec策略，因为两个IPSec策略不能同一_B]acl_B-acl-adv-3000]rulepermitipsource10.2.1.00.0.0.255destination_B-acl-adv-3000]_B]acl_B-acl-adv-3001]rulepermitipsource10.2.1.00.0.0.255destination_B-acl-adv-3001]Step18tran1IPSec_B]ipsecproposal_B-ipsec-proposal-tran1]transform_B-ipsec-proposal-tran1]espencryption-algorithm_B-ipsec-proposal-tran1]Step1910IKE_B]ikeproposal_B-ike-proposal-10]Step20IKEPeer需要在N_B上配置两个对等体。当N_A主备切换时，N_B将切换对等体与N _A进行协商。_B]ikepeer_B-ike-peer-a1]ike-proposal_B-ike-peer-a1]remote-address_B-ike-peer-a1]pre-shared-key_B-ike-peer-a1]undoversion_B-ike-peer-a1]_B]ikepeer_B-ike-peer-a2]ike-proposal_B-ike-peer-a2]remote-address_B-ike-peer-a2]pre-shared-key_B-ike-peer-a2]undoversion_B-ike-peer-a2]Step21IPSecmap1map2_B]map110[N_B-ipsec--isakmp-map1-10]securityacl3000[N_B-ipsec--isakmp-map1-10]proposaltran1[N_B-ipsec--isakmp-map1-10]ike-peera1[N_B-ipsec--isakmp-map1-10]quit[N_B]ipsecmap210[N_B-ipsec--isakmp-map2-10]securityacl3001[N_B-ipsec--isakmp-map2-10]proposaltran1[N_B-ipsec--isakmp-map2-10]ike-peera2_B-Step22Tunnel1和Tunnel2map1map2_B]interfacetunnel_B-Tunnel1]_B-Tunnel1]_B]interfacetunnel_B-Tunnel2]_B-Tunnel2]结果验配置完成后，在总部的PC1上执行命令，看能否通分支下的PC2。如果配置正确，则PC1和PC2可以相互通。如果有步骤23、4PC1PC2IPSec隧道封分别在N_A、N_B上执行disyikesa命令会显示IKE安全联盟的建立情况。以N_A为例，出现以下显示说明IKE安全建立<N_A>disyikecurrentikesanumber:conn- phasev1:22v1:1flag ST--STAYALIVERL--RECED TO--TIMEOUTTD--DELETINGNEG--NEGOTIATINGD--DPD分别在N_A、N_B上执行disyipsecsa命令会显示IPSec安全的建立情况。以N_A为例，出现以下显示说明IPSec安全联 _A>disyipsecInterface:GigabitEthernet1/0/1pathMTU:1500IPsecname:"map1"sequencenumber:10mode:isakmp:connectionid:rulenumber:5encapsulationmode:tunnelholdingtime:1d0h5mtunnellocal:202.38.163.1 tunnelremote:2.2.2.2 source:10.1.1.0flowdestination:[inboundESP :publicsaid:0cpuid:0x0000proposal:ESP-ENCRYPT-AESESP-AUTH-sha1saremainingkeyduration(bytes/sec): maxreceivedsequence-number:4udpencapsulationusedfornattraversal:[outboundESP :publicsaid:1cpuid:0x0000proposal:ESP-ENCRYPT-AESESP-AUTH-sha1saremainingkeyduration(bytes/sec): maxsentsequence-number:5udpencapsulationusedfornattraversal:执行命令disyipsecstatistics可以查看被加密的数据包的变化，即它们之间的数据传输将被加密。以N _A为例。 _A>disyipsecthesecuritypacketstatistics:input/outputsecuritypackets:4/4input/outputsecuritybytes:400/400input/outputdroppedsecuritypackets:0/0theencryptpacketstatisticssendsae:0,recvsae:0,sendlocalcpu:0,othercpu:0,recvothercpu:0intactpacket:0,firstslice:0,afterslice:0thedecryptpacketsendsae:0,recvsae:0,sendlocalcpu:0,othercpu:0,recvothercpu:0reassfirstslice:0,afterslice:0,lenerr:0droppedsecuritypacketdetail:noenoughmemory:0,toolong:0can'tfindSA:0,wrongSA:0authentication:0,rey:0frontrecheck:0,afterrecheck:ex