
A very detailed real-world IPsec case (simplified): interconnecting headquarters, a branch, and a prefecture-level city

1. Lab topology

2. Basic configuration (kept simple for convenience)
a. Base configuration (IP addresses, routes, etc.)

AR1:

#
interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.12.1 255.255.255.0
#

ip route-static 0.0.0.0 0 10.1.12.2
ip route-static 192.168.2.0 24 10.1.13.3
ip route-static 192.168.3.0 24 10.1.13.3

AR2:

#
interface GigabitEthernet0/0/0
ip address 10.1.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.23.2 255.255.255.0
#

ip route-static 0.0.0.0 0 100.1.23.3
ip route-static 192.168.1.0 24 10.1.12.1

ip route-static 10.1.13.0 24 10.1.12.1

AR3:

#
interface GigabitEthernet0/0/0
ip address 100.1.13.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.23.3 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 100.1.32.3 255.255.255.0
#

interface LoopBack0
ip address 8.8.8.8 255.255.255.255
#
FW1:

#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.13.1 255.255.255.0
#

firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.13.3
#

FW2:

#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.32.2 255.255.255.0
service-manage ping permit
#

firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.32.3
#

FW3:

#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.13.3 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.13.1
#

b. NAT configuration so that each site can reach the Internet

FW1:

#
nat-policy
rule name fw1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.2.0 mask 255.255.255.0
action source-nat easy-ip
#

FW2:

#
nat-policy
rule name fw2
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.3.0 mask 255.255.255.0
action source-nat easy-ip
#

AR2:

#
acl number 3000
rule 5 permit ip
#
interface GigabitEthernet0/0/1
ip address 100.1.23.2 255.255.255.0
nat outbound 3000
#

c. Establishing the IPsec tunnels (the prefecture-level city communicates with the branch and headquarters via a detour)

FW1:

#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal prop104936740
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike104936740
exchange-mode auto
pre-shared-key %^%#tgx.RLbZt$ky7AY3MIp+G@@g#Q$MvE$u@-4LP0S.%^%#
ike-proposal 1
remote-id-type none
dpd type periodic
remote-address 100.1.23.2
#
ipsec policy ipsec104936481 1 isakmp
security acl 3000
ike-peer ike104936740
proposal prop104936740
tunnel local applied-interface
alias to_changsha
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.13.1 255.255.255.0
ipsec policy ipsec104936481
#
FW2:

#
acl number 3000
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal prop1049033817
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike1049033817
exchange-mode auto
pre-shared-key %^%#7sD6G*NP#C!*_Q@=nyg,%C"8(o]>F&0fmLWOAZvJ%^%#
ike-proposal 1
remote-id-type ip
dpd type periodic
remote-address 100.1.23.2
#
ipsec policy ipsec1049033528 1 isakmp
security acl 3000
ike-peer ike1049033817
proposal prop1049033817
tunnel local applied-interface
alias to_changsha
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600

#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.32.2 255.255.255.0
service-manage ping permit
ipsec policy ipsec1049033528
#

FW3:

#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal prop1049031759
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ipsec proposal prop104920373
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 2
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike1049031759
exchange-mode auto
pre-shared-key %^%#Fp_p-)g(aF}YM8YzA.c-%Wm+SmH&o~PhKbJg^J"4%^%#
ike-proposal 1
remote-id-type ip
dpd type periodic
remote-address 100.1.32.2
ike peer ike104920373
exchange-mode auto
pre-shared-key %^%#R^'%B{:4c1"kz43$TSc25(%aDxV9vIc,L"I9y`\I%^%#
ike-proposal 2
remote-id-type none
dpd type periodic
remote-address 100.1.13.1
#
ipsec policy ipsec1049031457 1 isakmp
security acl 3000
ike-peer ike1049031759
proposal prop1049031759
tunnel local applied-interface
alias to_地级市
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600
ipsec policy ipsec1049031457 2 isakmp
security acl 3001
ike-peer ike104920373
proposal prop104920373
tunnel local applied-interface
alias to_zongbu
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600
#

3. Verifying the result
a. Can each site reach the public Internet?

b. Are the IPsec tunnels established?

c. Does traffic traverse the IPsec tunnels, and does ping succeed?

4. Summary

a. For this kind of detoured mutual access, it is enough to add the corresponding flows to the IPsec interesting-traffic ACLs.

b. Pay close attention to NAT devices: when establishing the tunnel, watch which addresses are used; if the peer address is not known in advance, establish the tunnel with an ipsec-template (policy template) instead.

c. The underlying routing must work end to end (pay very, very close attention to this).
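To show what summary point a means in practice, here is an added Python model (not from the original post) of the three firewalls' security ACLs from section c. It traces a packet hop by hop (FW1 to FW3 to FW2 for branch-to-city traffic, because FW3 decrypts it from one tunnel and re-encrypts it into the other) and flags any interesting-traffic rule that has no mirror rule on the peer. The firewall names, policy order and subnets come from the configs above; the simplified forwarding (deliver to the local LAN, otherwise pick the first policy whose ACL matches) is an assumption.

```python
import ipaddress
# Constructed model of the page's interesting-traffic ACLs: per firewall, the
# security ACL of each ipsec policy (in sequence order) and that policy's peer.
POLICIES = {
    "FW1": [{"peer": "FW3", "rules": [("192.168.2.0/24", "192.168.1.0/24"),
                                      ("192.168.2.0/24", "192.168.3.0/24")]}],
    "FW2": [{"peer": "FW3", "rules": [("192.168.3.0/24", "192.168.1.0/24"),
                                      ("192.168.3.0/24", "192.168.2.0/24")]}],
    "FW3": [{"peer": "FW2", "rules": [("192.168.1.0/24", "192.168.3.0/24"),
                                      ("192.168.2.0/24", "192.168.3.0/24")]},
            {"peer": "FW1", "rules": [("192.168.1.0/24", "192.168.2.0/24"),
                                      ("192.168.3.0/24", "192.168.2.0/24")]}],
}
# Assumed: the LAN each firewall delivers to once a packet leaves the tunnel.
LAN_OF = {"FW1": "192.168.2.0/24", "FW2": "192.168.3.0/24", "FW3": "192.168.1.0/24"}

def match_policy(fw, src, dst):
    """Peer of the first policy on fw whose ACL permits src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in POLICIES[fw]:
        for sn, dn in pol["rules"]:
            if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
                return pol["peer"]
    return None

def trace(src, dst, start, max_hops=4):
    """Follow a packet firewall by firewall: each hop either delivers to its
    own LAN or re-encrypts into the tunnel whose ACL matches. Returns the
    firewalls traversed, or None when some hop has no matching ACL rule."""
    path, fw = [start], start
    for _ in range(max_hops):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(LAN_OF[fw]):
            return path
        fw = match_policy(fw, src, dst)
        if fw is None:
            return None
        path.append(fw)
    return None

def unmirrored_rules():
    """Every (src, dst) rule toward a peer needs the (dst, src) rule in that
    peer's policy back to us; otherwise phase-2 negotiation or return traffic fails."""
    bad = []
    for fw, pols in POLICIES.items():
        for pol in pols:
            back = [p for p in POLICIES[pol["peer"]] if p["peer"] == fw]
            mirrored = {(d, s) for p in back for s, d in p["rules"]}
            bad += [(fw, pol["peer"], r) for r in pol["rules"] if r not in mirrored]
    return bad
```

Deleting a single rule from FW3's first policy makes `trace` fail for branch-to-city traffic and makes `unmirrored_rules` point at FW2's now-orphaned rule, which is exactly the symptom summary point a warns about.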
