一、实验目的
通过NAT设备将内网地址映射至外网,在站点间构建VPN隧道,认证方式分别使用预配置密码和证书两种方式实现
二、基础配置
(一)如图所示配置接口地址,在R1上将FW1地址映射至外网
[R1-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 155.1.12.1 255.255.255.0
nat static global 155.1.12.12 inside 10.1.121.12 netmask 255.255.255.255
#
(二)各防火墙配置接口地址并将连接pc、连接路由器、虚拟接口地址加入trust、untrust和dmz区域,在防火墙上及R1上启用ospf并宣告路由10.1.0.0
(三)防火墙配置安全策略
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 47
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
三、详细配置
(一)在防火墙上设置虚拟接口,配置gre模式为点到多点,启用nhrp的相应功能,设置ospf网络模式为p2mp实现互联
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp redirect
nhrp entry multicast dynamic
#
[FW2-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp shortcut
nhrp entry 10.1.0.12 155.1.12.12 register
#
[FW3-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.14 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp shortcut
nhrp entry 10.1.0.12 155.1.12.12 register
#
(三)以CA证书方式实现IPsec认证互联
1、打开win server2016,在服务器管理器中配置IIS服务器和AD域服务器,并打开页面http://主机IP地址/certsrv,下载CA根证书并保存至电脑
调整三个防火墙时间与CA保持一致:
[FW1]dis clock
[FW1]clock timezone GMT add 8
2、在CA生成根证书,打开防火墙web管理页面上传根证书,生成本地证书并在向CA申请证书后再上传至防火墙
在防火墙本地证书生成证书
将防火墙所生成的本地证书下载并上传至CA并在CA总申请证书
用记事本打开各防火墙生成的本地证书并将内容粘贴至“保存的申请”中
回到主页查看挂起的证书
打开证书颁发机构
在挂起的申请中进行颁发,并下载
在防火墙本地证书中上传对应的证书
调整IPSEC配置
ipsec proposal DM_SET
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method rsa-signature
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
ike-proposal 10
certificate local-filename fw1-certnew.cer
#
ipsec profile DM_PRO
ike-peer ALL
proposal DM_SET
调整安全策略
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 47
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
在R1上调整NAT策略
[R1-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
ip address 155.1.12.1 255.255.255.0
nat server protocol udp global 155.1.12.12 500 inside 10.1.121.12 500
nat server protocol udp global 155.1.12.12 4500 inside 10.1.121.12 4500
#
四、结果验证
(一)节点间通过nhrp获得了地址,通过ospf获得了路由,已能互联
[FW1]dis nhrp peer all
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.13 32 155.1.132.13 10.1.0.13 registered up|unique
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.14 32 155.1.142.14 10.1.0.14 registered up|unique
--------------------------------------------------------------------------------
[FW1]dis ospf interface
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
10.1.12.12 Broadcast DR 1 1 10.1.12.12 0.0.0.0
10.1.121.12 Broadcast BDR 1 1 10.1.121.1 10.1.121.12
10.1.0.12 P2MP P-2-P 1562 1 0.0.0.0 0.0.0.0
PC>tracert 10.1.14.10
traceroute to 10.1.14.10, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.13.13 <1 ms <1 ms 16 ms
2 10.1.0.14 47 ms 16 ms 46 ms
3 10.1.14.10 47 ms 47 ms 31 ms
(二)通过证书实现IPsec互联,通过
[FW1]dis ospf peer brief
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/0 10.1.121.1 Full
0.0.0.0 Tunnel0 10.1.0.13 Full
0.0.0.0 Tunnel0 10.1.0.14 Full
----------------------------------------------------------------------------
[FW1]dis ike sa
IKE SA information :
Conn-ID Peer VPN Flag(
s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
----------------------------------------------------
8 155.1.142.14:4500 RD|ST
|A v2:2 IP 155.1.142.14
3 155.1.142.14:4500 RD|A
v2:1 IP 155.1.142.14
7 155.1.132.13:4500 RD|A
v2:2 IP 155.1.132.13
1 155.1.132.13:4500 RD|A
v2:1 IP 155.1.132.13
Number of IKE SA : 4
--------------------------------------------------------------------------------
[FW1]dis nhrp peer all
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.13 32 155.1.132.13 10.1.0.13 registered up|unique
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
--
10.1.0.14 32 155.1.142.14 10.1.0.14 registered up|unique
--------------------------------------------------------------------------------
)
—— setup、ref、reactive、toRefs、toRef)