[Training Task 9.2] Configuring GRE over IPSec VPN to Enable Secure Tunnelled Access Between Private Networks
Task statement

A company's headquarters LAN and branch LAN connect to the Internet through Firewall A and Firewall B respectively; router R1 simulates the ISP router. Because the headquarters and branch LANs must carry multicast services such as video conferencing in addition to unicast traffic, a GRE over IPSec tunnel is built between the two gateways, Firewall A and Firewall B: the GRE tunnel is wrapped inside an IPSec tunnel, which encrypts and protects all communication between the two LANs.

Configuration approach

Firewall A and Firewall B follow the same configuration approach.
① Configure Firewall A.
② Configure Firewall B.
③ Configure router R1.
④ Verify and debug.

Task implementation

1. Configure Firewall A

(1) Configure basic network parameters

① Configure interface IP addresses.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/2] quit

② Add the interfaces to security zones.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/2
[FW_A-zone-trust] quit

③ Configure security policies.
[FW_A] security-policy
[FW_A-policy-security] rule name policy1    // security policy for traffic between the two LANs
[FW_A-policy-security-rule-policy1] source-zone trust untrust
[FW_A-policy-security-rule-policy1] destination-zone untrust trust
[FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] action permit
[FW_A-policy-security-rule-policy1] quit
[FW_A-policy-security] rule name policy2    // security policy for GRE-encapsulated packets and IPSec tunnel negotiation
[FW_A-policy-security-rule-policy2] source-zone local untrust
[FW_A-policy-security-rule-policy2] destination-zone untrust local
[FW_A-policy-security-rule-policy2] source-address 1.1.1.1 32
[FW_A-policy-security-rule-policy2] source-address 2.2.2.1 32
[FW_A-policy-security-rule-policy2] destination-address 2.2.2.1 32
[FW_A-policy-security-rule-policy2] destination-address 1.1.1.1 32
[FW_A-policy-security-rule-policy2] action permit
[FW_A-policy-security-rule-policy2] quit
[FW_A-policy-security] quit

(2) Configure GRE

① Configure the Tunnel interface parameters.
[FW_A] interface Tunnel 1
[FW_A-Tunnel1] tunnel-protocol gre
[FW_A-Tunnel1] ip address 172.16.2.1 24    /* The Tunnel interface IP address can be chosen freely. When a dynamic routing protocol generates routes that are forwarded through the Tunnel interface, the Tunnel interface IP addresses at both ends of the GRE tunnel must belong to the same subnet. */
[FW_A-Tunnel1] source 1.1.1.1
[FW_A-Tunnel1] destination 2.2.2.1
[FW_A-Tunnel1] quit

② Add the interface to a security zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Tunnel 1
[FW_A-zone-untrust] quit

(3) Configure routes
[FW_A] ip route-static 10.1.2.0 255.255.255.0 Tunnel 1    // send traffic destined for the branch LAN into interface Tunnel1
[FW_A] ip route-static 2.2.2.0 255.255.255.0 GigabitEthernet 1/0/1 1.1.1.2

(4) Configure IPSec

① Create an ACL that matches the GRE tunnel traffic.
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit gre source 1.1.1.1 0 destination 2.2.2.1 0    // the source and destination IP addresses are the GRE tunnel's source and destination IP addresses
[FW_A-acl-adv-3000] quit

② Configure an IKE proposal.
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] quit

③ Configure the IKE peer.
[FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 2.2.2.1
[FW_A-ike-peer-b] pre-shared-key Huawei@123
[FW_A-ike-peer-b] quit

④ Configure an IPSec proposal.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit

⑤ Configure an ISAKMP-mode IPSec policy.
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit

⑥ Apply the IPSec policy on the interface.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ipsec policy map1
[FW_A-GigabitEthernet1/0/1] quit

2. Configure Firewall B

(1) Configure basic network parameters

① Configure interface IP addresses.
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 2.2.2.1 24
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 10.1.2.1 24
[FW_B-GigabitEthernet1/0/2] quit

② Add the interfaces to security zones.
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/2
[FW_B-zone-trust] quit

③ Configure security policies.
[FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-rule-policy1] source-zone trust untrust
[FW_B-policy-security-rule-policy1] destination-zone untrust trust
[FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_B-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_B-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_B-policy-security-rule-policy1] action permit
[FW_B-policy-security-rule-policy1] quit
[FW_B-policy-security] rule name policy2
[FW_B-policy-security-rule-policy2] source-zone local untrust
[FW_B-policy-security-rule-policy2] destination-zone untrust local
[FW_B-policy-security-rule-policy2] source-address 2.2.2.1 32
[FW_B-policy-security-rule-policy2] source-address 1.1.1.1 32
[FW_B-policy-security-rule-policy2] destination-address 1.1.1.1 32
[FW_B-policy-security-rule-policy2] destination-address 2.2.2.1 32
[FW_B-policy-security-rule-policy2] action permit
[FW_B-policy-security-rule-policy2] quit
[FW_B-policy-security] quit

(2) Configure GRE

① Configure the Tunnel interface parameters.
[FW_B] interface Tunnel 1
[FW_B-Tunnel1] tunnel-protocol gre
[FW_B-Tunnel1] ip address 172.16.2.2 24
[FW_B-Tunnel1] source 2.2.2.1
[FW_B-Tunnel1] destination 1.1.1.1
[FW_B-Tunnel1] quit

② Add the interface to a security zone.
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface Tunnel 1
[FW_B-zone-untrust] quit

(3) Configure routes
[FW_B] ip route-static 10.1.1.0 255.255.255.0 Tunnel 1
[FW_B] ip route-static 1.1.1.0 255.255.255.0 GigabitEthernet 1/0/1 2.2.2.2

(4) Configure IPSec

① Create an ACL that matches the GRE tunnel traffic.
[FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit gre source 2.2.2.1 0 destination 1.1.1.1 0
[FW_B-acl-adv-3000] quit

② Configure an IKE proposal.
[FW_B] ike proposal 10
[FW_B-ike-proposal-10] authentication-method pre-share
[FW_B-ike-proposal-10] prf hmac-sha2-256
[FW_B-ike-proposal-10] encryption-algorithm aes-256
[FW_B-ike-proposal-10] dh group14
[FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_B-ike-proposal-10] quit

③ Configure the IKE peer.
[FW_B] ike peer a
[FW_B-ike-peer-a] ike-proposal 10
[FW_B-ike-peer-a] remote-address 1.1.1.1
[FW_B-ike-peer-a] pre-shared-key Huawei@123
[FW_B-ike-peer-a] quit

④ Configure an IPSec proposal.
[FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_B-ipsec-proposal-tran1] quit

⑤ Configure an ISAKMP-mode IPSec policy.
[FW_B] ipsec policy map1 10 isakmp
[FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_B-i
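As an added example (not part of the training slides), the following Python model walks a LAN-to-LAN packet through Firewall A using the page's addresses, static routes and ACL 3000. It shows why the IPSec ACL must match protocol GRE between the tunnel endpoints rather than the private subnets: by the time the packet reaches the IPSec policy on GigabitEthernet 1/0/1, it is already inside a GRE envelope from 1.1.1.1 to 2.2.2.1. The Packet/forward helpers and ACL_WRONG (a misconfiguration that is not on the page) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "gre", "esp", ...
    payload: Optional["Packet"] = None  # inner packet when encapsulated
# Values taken from the Firewall A configuration in the task
TUNNEL_SRC, TUNNEL_DST = "1.1.1.1", "2.2.2.1"
STATIC_ROUTES = {                       # "ip route-static" entries: prefix -> outgoing interface
    "10.1.2.0/24": "Tunnel1",
    "2.2.2.0/24": "GigabitEthernet1/0/1",
}
# acl 3000 rule 5: permit gre source 1.1.1.1 0 destination 2.2.2.1 0
ACL_3000 = [("gre", "1.1.1.1/32", "2.2.2.1/32")]
# Hypothetical misconfiguration (not on the page): matching the LANs instead of the GRE envelope
ACL_WRONG = [("ip", "10.1.1.0/24", "10.1.2.0/24")]

def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over STATIC_ROUTES; None means no route (packet dropped)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, out_if in STATIC_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, out_if)
    return best[1] if best else None

def acl_matches(acl, pkt: Packet) -> bool:
    """Advanced-ACL check in miniature: protocol ("ip" = any) plus source/destination ranges."""
    for proto, src, dst in acl:
        if (proto in (pkt.proto, "ip")
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)):
            return True
    return False

def forward(pkt: Packet, acl=ACL_3000) -> Optional[Packet]:
    """Packet as it would leave GigabitEthernet1/0/1 on Firewall A, or None if unroutable."""
    out_if = route_lookup(pkt.dst)
    if out_if == "Tunnel1":                             # step 1: GRE encapsulation
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, "gre", pkt)
        out_if = route_lookup(pkt.dst)                  # route the outer header (2.2.2.0/24)
    if out_if != "GigabitEthernet1/0/1":
        return None
    if acl_matches(acl, pkt):                           # step 2: "ipsec policy map1" on GE1/0/1
        return Packet(TUNNEL_SRC, TUNNEL_DST, "esp", pkt)
    return pkt                                          # no ACL hit: forwarded unencrypted
```

With ACL_WRONG the GRE packet never hits the IPSec policy and would leave the firewall in the clear, which is the failure mode the page's ACL 3000 avoids.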
