How to configure IPsec on a Huawei USG firewall (Word file download, .docx)
[USG-1-zone-untrust]add int g0/0/1 // add the interface to the untrust zone
[USG-1-zone-untrust]quit
[USG-1]int g0/0/0
[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1]quit
[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1 // default route towards the public network
[USG-1]nat-policy interzone trust untrust outbound
// enter the outbound NAT policy view for the trust-to-untrust direction
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1 // create policy 1
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
// the three commands above exempt packets from 192.168.10.0/24 to 192.168.20.0/24 from NAT
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2 // create policy 2
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
// translate the source IP address
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
// reuse the address of interface G0/0/1 as the NAT address
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit
[USG-1-nat-policy-interzone-trust-untrust-outbound]quit
------- Phase 1 ---------
[USG-1]ike proposal 1 // create an IKE proposal
[USG-1-ike-proposal-1]authentication-method pre-share // IKE authentication method: pre-shared key
[USG-1-ike-proposal-1]authentication-algorithm sha1 // IKE authentication algorithm: SHA1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 // IKE integrity algorithm
[USG-1-ike-proposal-1]dh group2 // DH group for the IKE key exchange
[USG-1-ike-proposal-1]quit
[USG-1]ike peer USG-2 // create an IKE peer named USG-2
[USG-1-ike-peer-usg-2]pre-shared-key abc123 // configure the pre-shared key
[USG-1-ike-peer-usg-2]remote-address 12.0.0.2 // configure the peer IP address
[USG-1-ike-peer-usg-2]ike-proposal 1 // reference the IKE proposal
[USG-1-ike-peer-usg-2]quit
---------- Phase 2 ----------
[USG-1]ipsec proposal test // create an IPsec proposal
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel // use tunnel-mode encapsulation
[USG-1-ipsec-proposal-test]transform esp // IPsec security protocol: ESP
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes // ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 // ESP authentication algorithm: SHA1
[USG-1-ipsec-proposal-test]quit
[USG-1]acl 3000 // create an ACL that defines the interesting traffic
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000]quit
[USG-1]ipsec policy map 1 isakmp // create an IPsec policy named map
[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2 // reference the IKE peer
[USG-1-ipsec-policy-isakmp-map-1]proposal test // reference the IPsec proposal
[USG-1-ipsec-policy-isakmp-map-1]security acl 3000 // reference the interesting-traffic ACL
[USG-1-ipsec-policy-isakmp-map-1]quit
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map // apply the IPsec policy on the WAN interface
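The no-nat policy in the NAT section above matters because source NAT would rewrite the inner address before the IPsec policy compares the packet against ACL 3000. The Python model below is an added example, not part of this page or of Huawei's software: it encodes the page's ACL 3000 and the two outbound NAT policies using Huawei wildcard-mask semantics, assumes that NAT policies are evaluated top-down with the first match winning, and shows that reversing the order of policy 1 and policy 2 would NAT the 192.168.10.0/24 to 192.168.20.0/24 traffic and keep it out of the tunnel.

```python
import ipaddress

# Constructed model of the USG-1 settings on this page (added example, not Huawei code):
# ACL 3000 (interesting traffic) and the two outbound NAT policies, in configured order.
WAN_IP = "11.0.0.2"  # address of G0/0/1, which easy-ip reuses for source NAT
ACL_3000 = [("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")]
NO_NAT = ("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255", "no-nat")  # policy 1
EASY_IP = (None, None, None, None, "source-nat")                               # policy 2 (any/any)

def wildcard_match(ip, network, wildcard):
    """Huawei wildcard-mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    ip_i = int(ipaddress.ip_address(ip))
    net_i = int(ipaddress.ip_address(network))
    wc_i = int(ipaddress.ip_address(wildcard))
    return (ip_i & ~wc_i) == (net_i & ~wc_i)

def acl_permits(src, dst, acl=ACL_3000):
    """True when (src, dst) hits a permit rule of the interesting-traffic ACL."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

def apply_nat(src, dst, policies):
    """Assumption: policies are evaluated top-down and the first match wins.
    Returns (source address after NAT, action taken); None fields match anything."""
    for s, sw, d, dw, action in policies:
        if (s is None or wildcard_match(src, s, sw)) and (d is None or wildcard_match(dst, d, dw)):
            return (WAN_IP if action == "source-nat" else src), action
    return src, "no-policy"

def leaves_encrypted(src, dst, policies):
    """Does the packet still match ACL 3000 after NAT, i.e. will it enter the tunnel?"""
    nat_src, _ = apply_nat(src, dst, policies)
    return acl_permits(nat_src, dst)

if __name__ == "__main__":
    flow = ("192.168.10.10", "192.168.20.10")  # C1 -> C2, the hosts used on this page
    print("policy 1 before policy 2:", leaves_encrypted(*flow, [NO_NAT, EASY_IP]))  # True
    print("policy 2 before policy 1:", leaves_encrypted(*flow, [EASY_IP, NO_NAT]))  # False
    # constructed internet-bound destination: NATed to the WAN address, stays outside the tunnel
    print("internet-bound:", apply_nat("192.168.10.10", "203.0.113.5", [NO_NAT, EASY_IP]))
```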
Interzone policy configuration
[USG-1]policy interzone trust untrust outbound
// enter the outbound policy view for the trust-to-untrust direction
[USG-1-policy-interzone-trust-untrust-outbound]policy 1 // create policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
// allow all hosts in the trust zone to access the untrust zone
[USG-1-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-policy-interzone-trust-untrust-outbound]quit
[USG-1]policy interzone trust untrust inbound
// enter the inbound policy view for the trust-untrust zone pair
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
// the commands above permit traffic from 192.168.20.0/24 to 192.168.10.0/24
[USG-1-policy-interzone-trust-untrust-inbound-1]quit
[USG-1-policy-interzone-trust-untrust-inbound]quit
[USG-1]policy interzone local untrust inbound
// enter the inbound policy view for the local-untrust zone pair
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy service service-set esp
[USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
// permit ESP packets from 12.0.0.2 to 11.0.0.2 (the peer's IPsec traffic addressed to this firewall)
USG-2 configuration
[USG-2]firewall zone trust
[USG-2-zone-trust]add int g0/0/0
[USG-2-zone-trust]quit
[USG-2]firewall zone untrust
[USG-2-zone-untrust]add int g0/0/1
[USG-2-zone-untrust]quit
[USG-2]int g0/0/0
[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1]quit
[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
[USG-2]nat-policy interzone trust untrust outbound
[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit
[USG-2-nat-policy-interzone-trust-untrust-outbound]quit
[USG-2]ike proposal 1
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-proposal-1]quit
[USG-2]ike peer USG-A
[USG-2-ike-peer-usg-a]pre-shared-key abc123
[USG-2-ike-peer-usg-a]ike-proposal 1
[USG-2-ike-peer-usg-a]remote-address 11.0.0.2
[USG-2-ike-peer-usg-a]quit
[USG-2]ipsec proposal test
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test]quit
[USG-2]acl 3000
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000]quit
[USG-2]ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A
[USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
[USG-2-ipsec-policy-isakmp-map-1]quit
[USG-2]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ipsec policy map
[USG-2]policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1]action permit
[USG-2-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-policy-interzone-trust-untrust-outbound]quit
[USG-2]policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound]policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]action permit
[USG-2-policy-interzone-trust-untrust-inbound-1]quit
[USG-2-policy-interzone-trust-untrust-inbound]quit
[USG-2]policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound]policy 1
[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]policy service service-set esp
[USG-2-policy-interzone-local-untrust-inbound-1]action permit
Verification: ping C2 (192.168.20.10) from C1 (192.168.10.10).
Use display ike sa and display ipsec sa to check whether the IKE and IPsec security associations with the peer have been established.