📢CSDN homepage: New network engineer Li Bai 📢 Routing switching column: HCIE Routing&Switching
Example of configuring IPsec VPN
🐄 Topology
🐄 Experimental environment
The topology is divided into four parts: Tiger HQ on the left, ISP in the middle, Branch Branch1 in the upper right, and Branch Branch2 in the lower right. The border devices of the headquarters and branches use USG 6000V firewalls, which are connected to PE devices of carriers. Hosts A and B belong to VLAN10, and hosts C and D belong to VLAN20.
🐄 Requirements
- Hosts on the intranet can communicate with each other.
- All hosts on the headquarters and branch intranets must be able to access the Internet through the border firewall.
- Hosts at the headquarters can access hosts at the two branches, and hosts at the two branches can access hosts at the headquarters.
🐄 Configuration details
Headquarters part
🐖 SW1
[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20    // create the VLANs
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]int eth-trunk 12
[SW1-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]quit
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1-mst-region]quit
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1]int vlan 10
[SW1-Vlanif10]ip add 10.1.10.11 24
[SW1-Vlanif10]quit
[SW1]int vlan 20
[SW1-Vlanif20]ip add 10.1.20.11 24
[SW1-Vlanif20]quit
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-Vlanif10]vrrp vrid 10 priority 105
[SW1-Vlanif10]quit
[SW1]int vlan 20
[SW1-Vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-Vlanif20]quit
[SW1]vlan 111
[SW1-vlan111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp edged-port enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-Vlanif111]ip add 10.1.111.11 24
[SW1-Vlanif111]quit
[SW1]ospf 10 router-id 10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0
Run the display stp instance 10 command to check the STP configuration. You can see that SW1 is the primary root for VLAN 10.
🐖 SW2
[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2]int vlan 10
[SW2-Vlanif10]ip add 10.1.10.12 24
[SW2-Vlanif10]quit
[SW2]int vlan 20
[SW2-Vlanif20]ip add 10.1.20.12 24
[SW2-Vlanif20]quit
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-Vlanif10]quit
[SW2]int vlan 20
[SW2-Vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-Vlanif20]vrrp vrid 20 priority 105
[SW2-Vlanif20]quit
[SW2]vlan 112
[SW2-vlan112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp edged-port enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-Vlanif112]ip add 10.1.112.12 24
[SW2-Vlanif112]quit
[SW2]ospf 10 router-id 10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0
Next, verify the VLAN status of the ports on SW1 with the display port vlan command.
Run the display vrrp brief command to check the VRRP configuration on SW1.
🐖 SW3
[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlan132]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp edged-port enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-Vlanif132]ip add 10.2.132.13 24
[SW3-Vlanif132]quit
[SW3]int vlan 30
[SW3-Vlanif30]ip add 10.2.30.254 24
[SW3-Vlanif30]quit
[SW3]int vlan 40
[SW3-Vlanif40]ip add 10.2.40.254 24
[SW3-Vlanif40]quit
[SW3]ospf 10 router-id 10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0
🐖 SW4
[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 50
[SW4-GigabitEthernet0/0/3]stp edged-port enable
[SW4-GigabitEthernet0/0/3]quit
[SW4]stp bpdu-protection
[SW4]vlan 143
[SW4-vlan143]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp edged-port enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-Vlanif143]ip add 10.3.143.14 24
[SW4-Vlanif143]quit
[SW4]int vlan 50
[SW4-Vlanif50]ip add 10.3.50.254 24
[SW4-Vlanif50]quit
[SW4]ospf 10 router-id 10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.50.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.143.14 0.0.0.0
🐖 SW5
[SW5]vlan batch 10 20
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration
Verify the VLAN status of the ports with the display port vlan command.
🐖 SW6
[SW6]vlan batch 10 20
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration
Verify the connectivity between the host and the gateway in the headquarters.
🐖 Firewall FW1 of the headquarters
[USG1]int lo0
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ip add 100.1.41.1 24
[USG1-GigabitEthernet1/0/0 ]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1 ]ip add 10.1.111.1 24
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]ip add 10.1.112.1 24
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1 ]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2 ]service-manage ping permit
[USG1-GigabitEthernet1/0/2 ]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1]nat-policy
[USG1-policy-nat]rule name 0
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-nat easy-ip
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise
[USG1]security-policy
[USG1-policy-security]rule name IPSec
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main
[USG1-ike-peer-Hub]undo version 2
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG1]ipsec policy-template T 10
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10] proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0 ]ipsec policy Tigerlab
1. Check whether the firewall can ping the switches.
2. Run the display ospf peer brief and display ip routing-table protocol ospf commands to check the OSPF neighbors and routes on the firewall.
3. Ping the intranet hosts from the firewall.
Branch part
🐖 Firewall FW2 of branch Branch1
[USG2]int lo0
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ip add 100.1.52.2 24
[USG2-GigabitEthernet1/0/0 ]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1 ]ip add 10.2.132.2 24
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1 ]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2]nat-policy
[USG2-policy-nat]rule name 0
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-nat easy-ip
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Spoke1
[USG2-ike-peer-Spoke1]ike-proposal 10
[USG2-ike-peer-Spoke1]exchange-mode main
[USG2-ike-peer-Spoke1]undo version 2
[USG2-ike-peer-Spoke1]nat traversal
[USG2-ike-peer-Spoke1]remote-address 100.1.41.1
[USG2-ike-peer-Spoke1]pre-shared-key Cisco12345
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG2]acl number 3000
[USG2-acl-adv-3000] rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2]ipsec policy Tigerlab 10 isakmp
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0 ]ipsec policy Tigerlab
Ping the firewall from the hosts on the intranet; all hosts can ping it successfully.
🐖 Firewall FW3 of Branch2
[USG3]int lo0
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ip add 100.1.63.3 24
[USG3-GigabitEthernet1/0/0]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]ip add 10.3.143.3 24
[USG3-GigabitEthernet1/0/1]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1]quit
[USG3]ospf 10 router-id 10.3.3.3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3]nat-policy
[USG3-policy-nat]rule name 0
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-nat easy-ip
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share
[USG3-ike-proposal-10]dh group14
[USG3]ike peer Spoke2
[USG3-ike-peer-Spoke2]ike-proposal 10
[USG3-ike-peer-Spoke2]exchange-mode main
[USG3-ike-peer-Spoke2]undo version 2
[USG3-ike-peer-Spoke2]nat traversal
[USG3-ike-peer-Spoke2]remote-address 100.1.41.1
[USG3-ike-peer-Spoke2]pre-shared-key Cisco12345
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG3]acl number 3000
[USG3-acl-adv-3000]rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3]ipsec policy Tigerlab 10 isakmp
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ipsec policy Tigerlab
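The three firewall configurations above only form tunnels if both ends agree: the hub binds a policy template to its public address (it does not know the spokes' addresses in advance), each spoke points an isakmp policy with an ACL and a remote-address at that hub address, and IKE negotiation fails on any mismatch in the IKE proposal, exchange mode, IKE version or pre-shared key. The no-nat rule must also be ordered before the easy-ip rule on both sides, otherwise source NAT rewrites the branch traffic before the IPsec ACL can match it. The following Python lint is an added example, not code from the original post: HUB and SPOKE are excerpts of the FW1 (hub) and FW2 (spoke) configurations on this page, while the parser, the check names and the finding messages are this example's own, and it assumes the one-prompt-per-line format used on the page.

```python
"""Lint a Huawei USG hub/spoke IPsec pair for the mismatches that stop IKE from negotiating or
let source NAT swallow the tunnel traffic. Added example, not code from the original post: HUB
and SPOKE are excerpts of the page's FW1/FW2 configs; parser, checks and messages are this example's own."""
import ipaddress
import re

HUB = """
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat-rule-Internet]action source-nat easy-ip
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]dh group14
[USG1-ike-peer-Hub]exchange-mode main
[USG1-ike-peer-Hub]undo version 2
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
"""
SPOKE = """
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat-rule-Internet]action source-nat easy-ip
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]dh group14
[USG2-ike-peer-Spoke1]exchange-mode main
[USG2-ike-peer-Spoke1]undo version 2
[USG2-ike-peer-Spoke1]remote-address 100.1.41.1
[USG2-ike-peer-Spoke1]pre-shared-key Cisco12345
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG2-acl-adv-3000] rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
"""
# "[Device-context]command": the prompt text after the device name names the view (e.g. ike-peer-Spoke1)
PROMPT = re.compile(r"^\[(\w+)(?:-([^\]]+?))?\s*\]\s*(.*)$")

def parse(text):
    """Map each prompt context to its commands, preserving order (rule order matters for NAT)."""
    cfg = {}
    for line in text.strip().splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group(3) and m.group(3) != "quit":
            cfg.setdefault(m.group(2) or "", []).append(m.group(3))
    return cfg

def find(cfg, ctx_prefix, key):
    """Argument of the first command starting with key in the first context starting with ctx_prefix."""
    for ctx, cmds in cfg.items():
        if ctx.startswith(ctx_prefix):
            for cmd in cmds:
                if cmd.startswith(key):
                    return cmd[len(key):].strip()
    return None

def net(addr_mask):
    """'10.2.0.0 16' or '10.2.0.0 0.0.255.255' -> IPv4Network; ipaddress accepts wildcard hostmasks."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def nat_bypass(cfg):
    """(no-nat destination networks, True if the first no-nat rule precedes the source-nat rule)."""
    nets, no_nat_at, snat_at = [], None, None
    for i, (ctx, cmds) in enumerate(cfg.items()):
        if ctx.startswith("policy-nat-rule-") and "action no-nat" in cmds:
            no_nat_at = i if no_nat_at is None else no_nat_at
            nets += [net(c.split(" ", 1)[1]) for c in cmds if c.startswith("destination-address ")]
        elif ctx.startswith("policy-nat-rule-") and any(c.startswith("action source-nat") for c in cmds):
            snat_at = i
    return nets, no_nat_at is not None and (snat_at is None or no_nat_at < snat_at)

def lint(hub_text, spoke_text):
    """Return a list of findings; an empty list means the pair should negotiate and bypass NAT."""
    hub, spoke, findings = parse(hub_text), parse(spoke_text), []
    # Phase 1 (IKE proposal, exchange mode, IKE version, PSK) and Phase 2 (ESP) parameters must match.
    for prefix, keys in (("ike-proposal-", ("encryption-algorithm", "authentication-algorithm", "dh")),
                         ("ike-peer-", ("exchange-mode", "undo version", "pre-shared-key")),
                         ("ipsec-proposal-", ("esp authentication-algorithm", "esp encryption-algorithm"))):
        for key in keys:
            h, s = find(hub, prefix, key), find(spoke, prefix, key)
            if h != s:
                findings.append(f"{key} mismatch: hub={h!r} spoke={s!r}")
    # The spoke must dial the address the hub's policy template is bound to.
    if find(spoke, "ike-peer-", "remote-address") != find(hub, "ipsec-policy", "tunnel local"):
        findings.append("spoke remote-address does not match hub tunnel local")
    # A policy naming an ike peer that was never defined silently never negotiates (Speak1 vs Spoke1).
    for cfg, who in ((hub, "hub"), (spoke, "spoke")):
        peer = find(cfg, "ipsec-policy", "ike-peer ")
        if peer is not None and f"ike-peer-{peer}" not in cfg:
            findings.append(f"{who}: ipsec policy references undefined ike peer {peer!r}")
    # Tunnel traffic (the spoke ACL) must hit a no-nat rule on both ends, ahead of easy-ip.
    acl = re.search(r"source (\S+ \S+) destination (\S+ \S+)", find(spoke, "acl-adv-", "rule") or "")
    if acl:
        src, dst = net(acl.group(1)), net(acl.group(2))
        for cfg, who, flow in ((spoke, "spoke", dst), (hub, "hub", src)):
            nets, ordered = nat_bypass(cfg)
            if not any(flow.subnet_of(n) for n in nets):
                findings.append(f"{who}: no no-nat rule covers {flow}")
            if not ordered:
                findings.append(f"{who}: the no-nat rule must precede the source-nat rule")
    return findings

if __name__ == "__main__":
    print(lint(HUB, SPOKE) or "hub/spoke pair is consistent")
```

Run it against FW1 and FW2 as fixed above and it returns no findings; feed it the original post's spoke, where the peer is defined as Speak1 but referenced as Spoke1, and it reports the undefined ike peer, which is exactly the kind of typo that leaves an IPsec tunnel down with nothing useful in the IKE negotiation output. The same lint can be pointed at FW3 by pasting its excerpt in place of SPOKE.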
ISP part
🐖 AR4
[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 100.1.41.4 24
[AR4-GigabitEthernet0/0/0]quit
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 100.1.100.4 24
[AR4-GigabitEthernet0/0/1]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.41.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0
🐖 AR5
[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 100.1.52.5 24
[AR5-GigabitEthernet0/0/0]quit
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 100.1.100.5 24
[AR5-GigabitEthernet0/0/1]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.52.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.0
🐖 AR6
[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]int g0/0/0
[AR6-GigabitEthernet0/0/0]ip add 100.1.63.6 24
[AR6-GigabitEthernet0/0/0]quit
[AR6]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip add 100.1.100.6 24
[AR6-GigabitEthernet0/0/1]quit
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.63.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0
Test
1. Check whether the hosts in each area can ping the ISP server. The hosts at the headquarters and at both branches can all ping the ISP server.
2. Test the connectivity between the headquarters and the branches.
As you can see, the headquarters can now communicate with the branches, which completes the experiment.
💬 Summary
1️ This article shares an IPsec VPN configuration example.
2️ Vendor certification materials and videos are available on the WeChat official account.
3️ Interested readers can subscribe so they don't miss future posts; of course, a like, comment and favourite plus a follow is even better!