金橘 2007-12-26 15:59
RouterOS and NetScreen(NS25) IPSec VPN 配置例子
省里做一套监管系统,每天要提取地市数据库的相关数据。因为市级业务系统都已经建成且运行有一段时间了,所以互联互通成了很大的问题。10多个地市,每家的设备都不一样(但清一色地用防火墙跑路由模式,真xx节俭啊!)。刚刚连通两个地市,其它的还要等。
现将其中一个地市的NetScreen(NS25)墙和ROS的配置拿出来,共同学习一下,我做的配置如果不对,还请大家指正。
另外一家用的是神州数码的1800墙,也通了,但那头的配置我拿不出来,只好作罢。
------------------------------------------------------------------------------------------------------------
1.1.1.1:省公网IP(ROS)
2.2.2.2:市公网IP(NS25)
NS25:
ethernet1:内网网卡(nat)
ethernet3:外网网卡(route)
set address "Untrust" "省里" 10.10.10.0 255.255.255.0--在Untrust区域建立地址对象:省内网IP段
set address "Trust" "市里" 192.168.0.0 255.255.255.0--在Trust区域建立地址对象:市内网IP段
set ike gateway "Gateway for 省里" address 1.1.1.1 Main outgoing-interface "ethernet3" preshare "共享密钥" proposal "pre-g2-3des-sha"--IKE网关:对端地址、主模式、认证方式(预共享密钥)及第一阶段提案
set ike gateway "Gateway for 省里" nat-traversal
unset ike gateway "Gateway for 省里" nat-traversal udp-checksum
set ike gateway "Gateway for 省里" nat-traversal keepalive-frequency 0
set vpn "VPN for 省里" gateway "Gateway for 省里" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" --VPN(第二阶段)采用tunnel方式,提案g2-esp-3des-sha
set policy id 127 name "省-市" from "Untrust" to "Trust" "省里" "市里" "ANY" tunnel vpn "VPN for 省里" id 145 pair-policy 126 --
set policy id 126 name "省-市" from "Trust" to "Untrust" "市里" "省里" "ANY" tunnel vpn "VPN for 省里" id 145 pair-policy 127 --两条互为pair-policy的安全策略(双向)
NS25结束
---------------------
我们熟悉的ROS:就不用多说了
[admin@省里] ip ipsec policy> pr
Flags: X - disabled, D - dynamic, I - invalid
1 src-address=10.10.10.0/24:any dst-address=192.168.0.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=市
manual-sa=none dont-fragment=clear
[admin@省里] ip ipsec peer> pr
Flags: X - disabled
1 address=2.2.2.2/32:500 secret="共享密钥" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
[admin@省里] ip ipsec proposal> pr
Flags: X - disabled
1 name="市" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128
lifetime=30m lifebytes=0 pfs-group=modp1024
[admin@JST10M] ip ipsec> installed-sa
[admin@JST10M] ip ipsec installed-sa> pr
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x5D25650B direction=in src-address=2.2.2.2
dst-address=1.1.1.1 auth-algorithm=sha1 enc-algorithm=3des
replay=4 state=mature
auth-key="xxxxxxf406c6e96fe6e75b7a59949bd4bc3da414"
enc-key="xxxxxx5afb9b8049ab74c146b16a17949087904597a5f3c8"
add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
current-addtime=aug/23/2007 08:16:23
current-usetime=aug/23/2007 08:16:28 current-bytes=1840
---------------------2007-08-24 又一地市用H3C(华为)AR18-21A路由连接---------------------
H3C AR18-21A:
#
ike peer 省里
exchange-mode aggressive--ROS的IPSec Peer中exchange-mode也要选aggressive,两端须一致
pre-shared-key huawei2008--共享密钥
remote-address 1.1.1.1--省公网地址
#
ipsec proposal center
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template center 1
ike-peer 省里
proposal center
#
ipsec policy huawei 1 isakmp template center
#
interface Ethernet2/1
ip address 192.168.1.1 255.255.255.0--地市内网地址
#
interface Ethernet3/0
ip address 3.3.3.3 255.255.255.0--地市公网地址
nat outbound 3000--NAT口,应用第3000号ACL
ipsec policy huawei
#
acl number 3000
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 10.10.10.0 0.0.0.255--定义192.168.1段到10.10.10段(省内网段)的流量不走NAT。因为当路由器既配置ipsec又使用NAT时,一定要在NAT的ACL中deny掉ipsec保护的流;否则需要ipsec保护的流会先被NAT的ACL匹配并做NAT,从而无法触发ipsec的建立。
rule 1 permit ip source 192.168.1.0 0.0.0.255--允许192.168.1段的其余流量做NAT(对应上面的NAT口E3/0)
rule 2 deny ip--拒绝其它源IP做NAT
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.254 preference 60--AR18-21A的静态默认路由。
华为的命令手册随处可以下载,这里不多写啦。(还是咱国家华为的东西看着顺眼,看上面netscreen的,一点儿条理都没有,嘿嘿)
连通!!Ping通!!访问数据通!!