IPsec VPN point-to-multipoint configuration

Updated: 2023-03-15 15:07:01


The headquarters has a static public IP address; the branches obtain their addresses by dynamic dial-up, so their addresses are not stable. Build an IPsec VPN between them.

Headquarters USG-1 configuration

[USG-1]firewall zone trust
[USG-1-zone-trust]add int g0/0/0
[USG-1-zone-trust]quit
[USG-1]firewall zone untrust
[USG-1-zone-untrust]add int g0/0/1
[USG-1-zone-untrust]quit
[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1]int g0/0/0
[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0]quit

------------------------ Phase 1 ----------------------------
[USG-1]ike proposal 1  // create an IKE proposal
[USG-1-ike-proposal-1]authentication-method pre-share  // IKE authentication method: pre-shared key
[USG-1-ike-proposal-1]authentication-algorithm sha1  // IKE authentication algorithm: SHA1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96  // IKE integrity algorithm
[USG-1-ike-proposal-1]dh group2  // DH group for the IKE key exchange
[USG-1-ike-proposal-1]quit
[USG-1]ike peer usg-n  // create an IKE peer named usg-n
[USG-1-ike-peer-usg-n]ike-proposal 1  // reference the IKE proposal
[USG-1-ike-peer-usg-n]pre-shared-key abc123  // configure the pre-shared key
[USG-1-ike-peer-usg-n]quit

Note: because the branch addresses are not fixed, no remote address is specified for this peer.

------------------------ Phase 2 -----------------------------
[USG-1]ipsec proposal test  // create an IPsec proposal
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel  // tunnel-mode encapsulation
[USG-1-ipsec-proposal-test]transform esp  // IPsec security protocol: ESP
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1  // ESP authentication algorithm
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes  // ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test]quit
[USG-1]acl 3000  // create an ACL that defines the interesting traffic
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000]quit

------------------------- Configure the policy template -----------------------------
[USG-1]ipsec policy-template tem 1  // create a policy template
[USG-1-ipsec-policy-template-tem-1]ike-peer usg-n  // reference the IKE peer
[USG-1-ipsec-policy-template-tem-1]proposal test  // reference the IPsec proposal
[USG-1-ipsec-policy-template-tem-1]security acl 3000  // bind the interesting traffic
[USG-1-ipsec-policy-template-tem-1]quit
[USG-1]ipsec policy map 1 isakmp template tem  // create a policy named map and associate it with the template
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map  // apply the policy on the interface
[USG-1-GigabitEthernet0/0/1]quit

Inter-zone policy configuration

[USG-1]policy interzone trust untrust outbound
[USG-1-policy-interzone-trust-untrust-outbound]policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
[USG-1-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-policy-interzone-trust-untrust-outbound]quit
[USG-1]policy interzone trust untrust inbound
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
[USG-1-policy-interzone-trust-untrust-inbound-1]quit
[USG-1-policy-interzone-trust-untrust-inbound]quit
[USG-1]policy interzone local untrust inbound
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0  // allow anyone to reach destination 11.0.0.2
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
[USG-1-policy-interzone-local-untrust-inbound-1]quit
[USG-1-policy-interzone-local-untrust-inbound]quit

Branch configuration

[USG-2]firewall zone trust
[USG-2-zone-trust]add int g0/0/0
[USG-2-zone-trust]quit
[USG-2]firewall zone untrust
[USG-2-zone-untrust]add int g0/0/1
[USG-2-zone-untrust]quit
[USG-2]int g0/0/0
[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1]quit
[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

---------------------------- Phase 1 -----------------------------
[USG-2]ike proposal 1
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-proposal-1]quit
[USG-2]ike peer usg-1
[USG-2-ike-peer-usg-1]ike-proposal 1
[USG-2-ike-peer-usg-1]pre-shared-key abc123
[USG-2-ike-peer-usg-1]remote-address 11.0.0.2
[USG-2-ike-peer-usg-1]quit

---------------------------- Phase 2 --------------------------------
[USG-2]ipsec proposal test
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-ipsec-proposal-test]quit
[USG-2]acl 3000
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000]quit

----------------------------- Configure the policy -------------------------------
[USG-2]ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1]ike-peer usg-1
[USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
[USG-2-ipsec-policy-isakmp-map-1]quit
[USG-2]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ipsec policy map auto-neg
// Without auto-neg, the tunnel is only established when the branch initiates traffic, so the headquarters cannot reach the branch until then. With auto-neg the tunnel is brought up automatically.
[USG-2-GigabitEthernet0/0/1]quit

[USG-2]policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1]action permit
[USG-2-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-policy-interzone-trust-untrust-outbound]quit
[USG-2]policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound]policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]action permit
[USG-2-policy-interzone-trust-untrust-inbound-1]quit
[USG-2-policy-interzone-trust-untrust-inbound]quit
[USG-2]policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound]policy 1
[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]action permit
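A hub-and-spoke IPsec setup like the one above fails in a handful of predictable ways: the two IKE or IPsec proposals differ in one parameter, the pre-shared keys differ, the interesting-traffic ACLs are not mirror images, the hub mistakenly gets a remote-address (or no policy template) even though the spokes dial in from changing addresses, or the spoke forgets auto-neg so the headquarters can never initiate. The following Python script is an added example, not code from the original page or from Huawei: it parses transcripts in the page's own "[view]command" style (the two transcripts are constructed from the configuration above, with most system-view entry commands omitted) and reports exactly those inconsistencies before the tunnel is debugged live. The parser relies on the bracketed view names to know which object a command belongs to; the function and dictionary names are this example's own.

```python
import re

# Constructed transcripts in the page's "[view]command" style, reproducing the
# headquarters (USG-1: policy template, no remote-address) and the branch
# (USG-2: isakmp policy aimed at the hub's static 11.0.0.2). Most system-view
# entry commands are omitted; the bracketed view name already carries the context.
HUB_CFG = """
[USG-1]ike proposal 1
[USG-1-ike-proposal-1]authentication-method pre-share [USG-1-ike-proposal-1]authentication-algorithm sha1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 [USG-1-ike-proposal-1]dh group2 [USG-1-ike-proposal-1]quit
[USG-1-ike-peer-usg-n]ike-proposal 1 [USG-1-ike-peer-usg-n]pre-shared-key abc123//pre-shared key
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel [USG-1-ipsec-proposal-test]transform esp
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 [USG-1-ipsec-proposal-test]esp encryption-algorithm aes
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-ipsec-policy-template-tem-1]ike-peer usg-n [USG-1-ipsec-policy-template-tem-1]proposal test
[USG-1-ipsec-policy-template-tem-1]security acl 3000
[USG-1]ipsec policy map 1 isakmp template tem
[USG-1-GigabitEthernet0/0/1]ipsec policy map
"""
SPOKE_CFG = """
[USG-2]ike proposal 1
[USG-2-ike-proposal-1]authentication-method pre-share [USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96 [USG-2-ike-proposal-1]dh group2
[USG-2-ike-peer-usg-1]ike-proposal 1 [USG-2-ike-peer-usg-1]pre-shared-key abc123
[USG-2-ike-peer-usg-1]remote-address 11.0.0.2
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel [USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1 [USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2]ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1]ike-peer usg-1 [USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
[USG-2-GigabitEthernet0/0/1]ipsec policy map auto-neg
"""

VIEW = re.compile(r"\[([^\]]+)\]([^\[]*)")  # one "[view]command" token

def parse_usg(text):
    """Extract the tunnel-relevant parameters from a '[view]command' transcript."""
    text = re.sub(r"//[^\[\n]*", "", text)  # drop inline // comments
    cfg = {"ike_proposals": {}, "ike_peers": {}, "ipsec_proposals": {}, "acls": {},
           "policies": {}, "templated": False, "auto_neg": False}
    items = VIEW.findall(text)
    device = min((v for v, _ in items), key=len)  # shortest view is the system view, e.g. USG-1
    for view, cmd in items:
        ctx = view[len(device) + 1:] if view.startswith(device + "-") else ""
        words = cmd.split()
        if not words or words[0] == "quit":
            continue
        key, value = " ".join(words[:-1]), words[-1]  # e.g. "esp encryption-algorithm", "aes"
        if ctx.startswith("ike-proposal-"):
            cfg["ike_proposals"].setdefault(ctx[13:], {})[key] = value
        elif ctx.startswith("ike-peer-"):
            cfg["ike_peers"].setdefault(ctx[9:], {})[key] = value
        elif ctx.startswith("ipsec-proposal-"):
            cfg["ipsec_proposals"].setdefault(ctx[15:], {})[key] = value
        elif ctx.startswith("acl-adv-") and words[0] == "rule":
            # rule <action> ip source <net> <wildcard> destination <net> <wildcard>
            cfg["acls"].setdefault(ctx[8:], []).append(
                (words[1], f"{words[4]} {words[5]}", f"{words[7]} {words[8]}"))
        elif ctx.startswith("ipsec-policy-"):
            cfg["policies"].setdefault(ctx, {})[key] = value
        elif ctx == "" and words[:2] == ["ipsec", "policy"] and "template" in words:
            cfg["templated"] = True
        elif ctx.startswith("GigabitEthernet") and words[:2] == ["ipsec", "policy"]:
            cfg["auto_neg"] = "auto-neg" in words
    return cfg

PHASE1 = ("authentication-method", "authentication-algorithm", "integrity-algorithm", "dh")
PHASE2 = ("encapsulation-mode", "transform", "esp authentication-algorithm", "esp encryption-algorithm")

def check_hub_spoke(hub, spoke):
    """Return findings for one hub/spoke pair; an empty list means the two sides agree."""
    findings = []
    hub_peer = next(iter(hub["ike_peers"].values()))
    spoke_peer = next(iter(spoke["ike_peers"].values()))
    hub_pol = next(iter(hub["policies"].values()))
    spoke_pol = next(iter(spoke["policies"].values()))
    pairs = [(PHASE1, hub["ike_proposals"][hub_peer["ike-proposal"]],
              spoke["ike_proposals"][spoke_peer["ike-proposal"]], "IKE proposal"),
             (PHASE2, hub["ipsec_proposals"][hub_pol["proposal"]],
              spoke["ipsec_proposals"][spoke_pol["proposal"]], "IPsec proposal")]
    for keys, h, s, label in pairs:
        for k in keys:
            if h.get(k) != s.get(k):
                findings.append(f"{label} mismatch on {k}: hub={h.get(k)} spoke={s.get(k)}")
    if hub_peer.get("pre-shared-key") != spoke_peer.get("pre-shared-key"):
        findings.append("pre-shared-key differs between hub and spoke")
    # Roles: the hub cannot know a dial-up spoke's address, so it needs a policy
    # template and no remote-address; the spoke must name the hub's fixed address.
    if not hub["templated"] or "remote-address" in hub_peer:
        findings.append("hub should use an ipsec policy-template without remote-address")
    if "remote-address" not in spoke_peer:
        findings.append("spoke IKE peer lacks the remote-address of the hub")
    # Interesting-traffic ACLs must be exact mirror images or Phase 2 negotiation fails.
    spoke_rules = spoke["acls"][spoke_pol["security acl"]]
    for action, src, dst in hub["acls"][hub_pol["security acl"]]:
        if (action, dst, src) not in spoke_rules:
            findings.append(f"spoke ACL lacks mirror of hub rule {src} -> {dst}")
    if not spoke["auto_neg"]:
        findings.append("spoke policy applied without auto-neg; hub cannot initiate to the branch")
    return findings

if __name__ == "__main__":
    for line in check_hub_spoke(parse_usg(HUB_CFG), parse_usg(SPOKE_CFG)) or ["OK: hub and spoke agree"]:
        print(line)
```

Run it against the two transcripts as given and it reports that they agree; change the branch's pre-shared key, wildcard, or drop auto-neg and the corresponding finding appears. Extending the same check to several branches is a loop over spoke transcripts against the single hub parse. One caveat the script does not cover: the hub's local-untrust inbound rule above permits every service to 11.0.0.2, whereas the tunnel itself only needs IKE (UDP 500, and UDP 4500 when NAT traversal is in play) and ESP, so narrowing that rule with a service match is a worthwhile follow-up once the tunnel works.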

Source: https://www.bwwdw.com/article/9y6v.html
