H3C IPsec over hot standby (active/standby mode)
Topology
Addressing plan
Headquarters
Core-FW:10.0.98.254
FW-Core:10.40.98.1-10.40.98.2
VRRP20:10.0.98.253
Heartbeat:10.10.10.1-10.10.10.2
WAN 1:22.1.1.82/29-86/29,Gateway:81/29
WAN 2:DHCP,192.168.1.1/24
Tunnel:10.10.20.1-10.10.20.2
192.168.56.11/24
192.168.56.12/24
AC management VLAN 999, service VLANs 100 and 300
Branch
WAN:36.1.1.130/30,Gateway:129/30
LAN:192.168.100.254
192.168.56.14/24
Core (IRF stack)
#
version 7.1.070, Alpha 7170
#
sysname Core
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 10
irf member 2 priority 1
#
ip ttl-expires enable
#
dhcp enable
#
lldp global enable
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
vlan 100
#
vlan 200
#
vlan 300
#
vlan 998 to 999
#
irf-port 1/1
port group interface Ten-GigabitEthernet1/0/51
port group interface Ten-GigabitEthernet1/0/52
#
irf-port 2/2
port group interface Ten-GigabitEthernet2/0/51
port group interface Ten-GigabitEthernet2/0/52
#
stp global enable
#
dhcp server ip-pool Wireless999
gateway-list 10.40.99.254
network 10.40.99.0 mask 255.255.255.0
address range 10.40.99.100 10.40.99.150
dns-list 223.5.5.5
#
dhcp server ip-pool vlan100
gateway-list 10.40.10.254
network 10.40.10.0 mask 255.255.255.0
dns-list 223.5.5.5
#
dhcp server ip-pool vlan200
gateway-list 10.40.20.254
network 10.40.20.0 mask 255.255.255.0
address range 10.40.20.1 10.40.20.253
dns-list 223.5.5.5
#
dhcp server ip-pool vlan300
gateway-list 10.40.30.254
network 10.40.30.0 mask 255.255.255.0
dns-list 223.5.5.5
#
interface Bridge-Aggregation10
port link-type trunk
port trunk permit vlan all
#
interface Bridge-Aggregation20
port link-type trunk
port trunk permit vlan all
#
interface Bridge-Aggregation30
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
#
interface NULL0
#
interface Vlan-interface100
ip address 10.40.10.254 255.255.255.0
#
interface Vlan-interface200
ip address 10.40.20.254 255.255.255.0
#
interface Vlan-interface300
ip address 10.40.30.254 255.255.255.0
#
interface Vlan-interface998
ip address 10.0.98.254 255.255.255.0
#
interface Vlan-interface999
ip address 10.40.99.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 10
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 20
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
combo enable fiber
port link-aggregation group 30
#
interface GigabitEthernet1/0/48
port link-mode bridge
port access vlan 998
combo enable fiber
#
interface GigabitEthernet2/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 10
#
interface GigabitEthernet2/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 20
#
interface GigabitEthernet2/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
combo enable fiber
port link-aggregation group 30
#
interface GigabitEthernet2/0/48
port link-mode bridge
port access vlan 998
combo enable fiber
#
ip route-static 0.0.0.0 0 10.0.98.253
Access
Switch-to-switch links use trunk ports.
Switch-to-PC links use access ports.
Switch-to-AP links use trunk ports with a PVID (the PVID is the management VLAN).
Wireless
#
version 7.1.064, Alpha 7165
#
sysname AC
#
wlan global-configuration
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
vlan 56
#
vlan 100
#
vlan 300
#
vlan 999
#
wlan service-template 1
ssid Wireless_SC
vlan 100
client forwarding-location ap vlan 999
service-template enable
#
wlan service-template 2
ssid Wireless_BG
vlan 300
client forwarding-location ap vlan 999
service-template enable
#
interface Bridge-Aggregation10
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
#
interface NULL0
#
interface Vlan-interface56
ip address 192.168.56.13 255.255.255.0
#
interface Vlan-interface999
ip address 10.40.99.13 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/1
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/3
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/4
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/5
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/6
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/7
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/8
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/9
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 56
combo enable fiber
#
interface GigabitEthernet1/0/11
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/12
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/13
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/14
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/15
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/16
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/21
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/22
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
combo enable fiber
port link-aggregation group 10
#
interface GigabitEthernet1/0/23
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 999
combo enable fiber
port link-aggregation group 10
#
interface Ten-GigabitEthernet1/0/24
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/25
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/26
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/27
port link-mode bridge
combo enable fiber
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 31
user-role network-operator
#
ip route-static 0.0.0.0 0 10.40.99.254
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$tOu3SK8IB+qNC5U8$2faiCqpOe+K6AGweUB0JvhV2DvmsD39g0Ffr5P93LGTJ5hrXv0hKquG3NCgTmbNz7J5OFYW9RGwMf7Aaox3ohQ==
service-type ssh terminal http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group default-group
vlan 1
#
wlan virtual-ap-group default-virtualapgroup
#
wlan ap 44c8-87c7-0e00 model WA6320-HCL
serial-id H3C_44-C8-87-C7-0E-00
vlan 1
radio 1
radio enable
service-template 1
radio 2
radio disable
service-template 1
gigabitethernet 1
#
wlan ap 44c8-8ef0-0f00 model WA6320-HCL
serial-id H3C_44-C8-8E-F0-0F-00
vlan 1
radio 1
radio enable
service-template 2
radio 2
radio enable
service-template 2
gigabitethernet 1
#
return
AP
To bring APs online quickly, enable auto-AP and auto-persistent and let the AC discover them on its own.
In a real project, survey the mounting points before installation, record each AP's MAC address, plan the IP addressing, and keep a table mapping mounting points to APs; it makes later troubleshooting much easier.
AC
I normally use local forwarding; here the default VLAN is the service VLAN and the local-forwarding VLAN is the management VLAN.
Centralized forwarding is tunnel forwarding: both service and management traffic go through the CAPWAP tunnel. With local forwarding only management traffic goes through the tunnel.
Choose whichever fits the deployment.
Binding SSIDs to APs
Under radio settings the 5 GHz and 2.4 GHz radios can be enabled or disabled individually.
Hot standby
FW1
#
version 7.1.064, Alpha 7164
#
sysname FW1
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
track 1 interface GigabitEthernet1/0/2
#
track 2 interface GigabitEthernet1/0/22
#
track 3 interface GigabitEthernet1/0/23
#
ip ttl-expires enable
#
nat address-group 1 name ww1
address 22.1.1.82 22.1.1.86
#
nat address-group 2 name ww2
address 192.168.1.3 192.168.1.3
probe ww2
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
object-group ip address 10.40.0.0
security-zone Trust
0 network subnet 10.40.0.0 255.255.0.0
#
object-group ip address 10.40.10.0
security-zone Trust
0 network subnet 10.40.10.0 255.255.255.0
#
object-group ip address 10.40.20.0
security-zone Trust
0 network subnet 10.40.20.0 255.255.255.0
#
object-group ip address 10.40.30.0
security-zone Trust
0 network subnet 10.40.30.0 255.255.255.0
#
object-group ip address 192.168.100.0
security-zone Untrust
0 network subnet 192.168.100.0 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.98.1 255.255.255.0
vrrp vrid 20 virtual-ip 10.0.98.253 active
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
ip address 192.168.56.11 255.255.255.0
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
ip address 192.168.1.4 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.1.3 255.255.255.0 active
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 10.40.101.1 255.255.255.0
vrrp vrid 10 virtual-ip 22.1.1.82 255.255.255.248 active
ipsec apply policy ipsec
ipsec no-nat-process enable
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
#
security-zone name Management
import interface GigabitEthernet1/0/10
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 22.1.1.81
ip route-static 0.0.0.0 0 192.168.1.1 preference 70
ip route-static 10.40.0.0 16 10.0.98.254
ip route-static 192.168.100.0 24 22.1.1.81
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl basic 2000
rule 0 permit source 10.40.20.0 0.0.0.255
#
acl advanced name IPsec_ipsec_IPv4_1
rule 0 permit ip source 10.40.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$l0JyVC9LNw2lloNF$xZ6ml7B0e/C6vZ1ex9vFYwOznREMGicJ3A4rLHV8LoqN7uAAK3H3cNN7rjpL3vhFnsntzJb+yv202QjXuwLrsA==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set ipsec_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy ipsec 1 isakmp
transform-set ipsec_IPv4_1
security acl name IPsec_ipsec_IPv4_1
local-address 22.1.1.82
remote-address 36.1.1.130
ike-profile ipsec_IPv4_1
#
nat policy
rule name ipsec
source-ip 10.40.0.0
destination-ip 192.168.100.0
outbound-interface GigabitEthernet1/0/23
action no-nat
rule name Internet
source-ip 10.40.0.0
outbound-interface GigabitEthernet1/0/23
action address-group 1
rule name Internet2
source-ip 10.40.0.0
outbound-interface GigabitEthernet1/0/22
action address-group 2
#
ike profile ipsec_IPv4_1
keychain ipsec_IPv4_1
dpd interval 3 on-demand
match remote identity address 36.1.1.130 255.255.255.255
match local address GigabitEthernet1/0/23
#
ike keychain ipsec_IPv4_1
match local address GigabitEthernet1/0/23
pre-shared-key address 36.1.1.130 255.255.255.255 key cipher $c$3$09Y1afqLIXAibB6joHfvpv0CvvGbqAKJEg==
#
ip http enable
ip https enable
#
security-policy ip
rule 2 name Internet
action pass
source-zone Trust
destination-zone Untrust
source-ip 10.40.0.0
rule 3 name ipsec1
action pass
source-zone Local
source-zone Untrust
destination-zone Local
destination-zone Untrust
rule 4 name ipsec2
action pass
source-zone Trust
source-zone Untrust
destination-zone Trust
destination-zone Untrust
source-ip 192.168.100.0
source-ip 10.40.0.0
destination-ip 10.40.0.0
destination-ip 192.168.100.0
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
delay-time 1
track 1
track 2
track 3
local-ip 10.10.10.1
remote-ip 10.10.10.2
device-role primary
#
return
FW2
#
version 7.1.064, Alpha 7164
#
sysname FW2
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
track 1 interface GigabitEthernet1/0/2
#
track 2 interface GigabitEthernet1/0/22
#
track 3 interface GigabitEthernet1/0/23
#
ip ttl-expires enable
#
nat address-group 1 name ww1
address 22.1.1.82 22.1.1.86
#
nat address-group 2 name ww2
address 192.168.1.3 192.168.1.3
probe ww2
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
object-group ip address 10.40.0.0
security-zone Trust
0 network subnet 10.40.0.0 255.255.0.0
#
object-group ip address 10.40.10.0
security-zone Trust
0 network subnet 10.40.10.0 255.255.255.0
#
object-group ip address 10.40.20.0
security-zone Trust
0 network subnet 10.40.20.0 255.255.255.0
#
object-group ip address 10.40.30.0
security-zone Trust
0 network subnet 10.40.30.0 255.255.255.0
#
object-group ip address 192.168.100.0
security-zone Untrust
0 network subnet 192.168.100.0 255.255.255.0
#
nqa template icmp ww2
destination ip 192.168.1.1
next-hop ip 192.168.1.1
out interface GigabitEthernet1/0/22
#
interface NULL0
#
interface LoopBack0
ip address 10.0.0.3 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.98.2 255.255.255.0
vrrp vrid 20 virtual-ip 10.0.98.253 standby
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
ip address 192.168.56.12 255.255.255.0
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
ip address 192.168.1.5 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.1.3 255.255.255.0 standby
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 10.40.101.2 255.255.255.0
vrrp vrid 10 virtual-ip 22.1.1.82 255.255.255.248 standby
ipsec apply policy ipsec
ipsec no-nat-process enable
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
#
security-zone name Management
import interface GigabitEthernet1/0/10
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 22.1.1.81
ip route-static 0.0.0.0 0 192.168.1.1 preference 70
ip route-static 10.40.0.0 16 10.0.98.254
ip route-static 192.168.100.0 24 22.1.1.81
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl basic 2000
rule 0 permit source 10.40.20.0 0.0.0.255
#
acl advanced name IPsec_ipsec_IPv4_1
rule 0 permit ip source 10.40.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$82DgUmGA+z2tOyfc$GeDw9Zx4HM/AbN2RrYYDP/SB8dgP3dDAcXL9yIx4C7o6jAqC370JNnd25nEIqVBQQ4UE+o0jHLD4eO6bY3j7LQ==
service-type telnet terminal http
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set ipsec_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy ipsec 1 isakmp
transform-set ipsec_IPv4_1
security acl name IPsec_ipsec_IPv4_1
local-address 22.1.1.82
remote-address 36.1.1.130
ike-profile ipsec_IPv4_1
#
nat policy
rule name ipsec
source-ip 10.40.0.0
destination-ip 192.168.100.0
outbound-interface GigabitEthernet1/0/23
action no-nat
rule name Internet
source-ip 10.40.0.0
outbound-interface GigabitEthernet1/0/23
action address-group 1
rule name Internet2
source-ip 10.40.0.0
outbound-interface GigabitEthernet1/0/22
action address-group 2
#
ike profile ipsec_IPv4_1
keychain ipsec_IPv4_1
match remote identity address 36.1.1.130 255.255.255.255
match local address GigabitEthernet1/0/23
#
ike keychain ipsec_IPv4_1
match local address GigabitEthernet1/0/23
pre-shared-key address 36.1.1.130 255.255.255.255 key cipher $c$3$PMGaKGTtmbNFoxyDJ6l31tDyqbceKLKtIA==
#
ip http enable
ip https enable
#
security-policy ip
rule 2 name Internet
action pass
source-zone Trust
destination-zone Untrust
source-ip 10.40.0.0
rule 3 name ipsec1
action pass
source-zone Local
source-zone Untrust
destination-zone Local
destination-zone Untrust
rule 4 name ipsec2
action pass
source-zone Trust
source-zone Untrust
destination-zone Trust
destination-zone Untrust
source-ip 192.168.100.0
source-ip 10.40.0.0
destination-ip 10.40.0.0
destination-ip 192.168.100.0
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
delay-time 1
track 1
track 2
track 3
local-ip 10.10.10.2
remote-ip 10.10.10.1
device-role secondary
#
return
FW3
#
version 7.1.064, Alpha 7164
#
sysname FW-cz
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip ttl-expires enable
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
object-group ip address 10.40.0.0
security-zone Untrust
0 network subnet 10.40.0.0 255.255.0.0
#
object-group ip address 192.168.100.0
security-zone Trust
0 network subnet 192.168.100.0 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.100.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
ip address 192.168.56.14 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 36.1.1.130 255.255.255.252
manage ping inbound
manage ping outbound
ipsec apply policy ipsec
ipsec no-nat-process enable
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/10
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/23
#
security-zone name Management
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 36.1.1.129
ip route-static 10.40.0.0 16 36.1.1.129
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl advanced name IPsec_ipsec_IPv4_1
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.40.0.0 0.0.255.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$6YFXrlxMBTxs/+17$FnGCMqPR7yNTNGnTwZs3zLCpOOeuwhbp5EYitqbxy1TsaWAS6R/0OYO7cnY59OTnWxcxHGWJUMJQOHem17Mpvg==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set ipsec_IPv4_1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy ipsec 1 isakmp
transform-set ipsec_IPv4_1
security acl name IPsec_ipsec_IPv4_1
local-address 36.1.1.130
remote-address 22.1.1.82
ike-profile ipsec_IPv4_1
#
nat policy
rule name ipsec
source-ip 192.168.100.0
destination-ip 10.40.0.0
outbound-interface GigabitEthernet1/0/23
action no-nat
rule name Internet
source-ip 192.168.100.0
outbound-interface GigabitEthernet1/0/23
action easy-ip
#
ike profile ipsec_IPv4_1
keychain ipsec_IPv4_1
dpd interval 3 on-demand
match remote identity address 22.1.1.82 255.255.255.255
match local address GigabitEthernet1/0/23
#
ike keychain ipsec_IPv4_1
match local address GigabitEthernet1/0/23
pre-shared-key address 22.1.1.82 255.255.255.255 key cipher $c$3$DTIjReK3hvUMqKwSqodxDgxIC43PiV0hMg==
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name Internet
action pass
source-zone Trust
destination-zone Untrust
source-ip 192.168.100.0
rule 1 name ipsec1
action pass
source-zone Local
source-zone Untrust
destination-zone Local
destination-zone Untrust
rule 2 name ipsec2
action pass
source-zone Trust
source-zone Untrust
destination-zone Trust
destination-zone Untrust
source-ip 10.40.0.0
source-ip 192.168.100.0
destination-ip 10.40.0.0
destination-ip 192.168.100.0
#
return
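The two hot-standby members above are configured by hand (the remote-backup groups carry only tracks and addresses), and the dumps on this page already differ in at least one place: FW1's ike profile carries `dpd interval 3 on-demand` while FW2's does not. The following Python script is an added example, not part of the original post: it parses H3C config dumps into their `#`-delimited blocks, reports lines that exist on only one member after discarding fields that are expected to differ (sysname, interface addresses, VRRP and HA roles, per-device ciphertext), and checks that the headquarters and branch IPsec ACLs mirror each other. The FW1, FW2 and FW3 strings are constructed excerpts of the configs above, not the full dumps.

```python
"""Consistency checks for an H3C hot-standby pair and its IPsec peer.
Added example, not from the original post. FW1, FW2 and FW3 are constructed
excerpts of the post's configs, written with H3C's one-space indentation."""
import re

FW1 = """\
#
sysname FW1
#
acl advanced name IPsec_ipsec_IPv4_1
 rule 0 permit ip source 10.40.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255
#
ike profile ipsec_IPv4_1
 keychain ipsec_IPv4_1
 dpd interval 3 on-demand
 match remote identity address 36.1.1.130 255.255.255.255
#
remote-backup group
 local-ip 10.10.10.1
 remote-ip 10.10.10.2
 device-role primary
#
"""
# FW2 as in the post: its own identity and role, and no dpd line in the ike profile.
FW2 = (FW1.replace("sysname FW1", "sysname FW2")
          .replace(" dpd interval 3 on-demand\n", "")
          .replace(" local-ip 10.10.10.1\n remote-ip 10.10.10.2\n device-role primary",
                   " local-ip 10.10.10.2\n remote-ip 10.10.10.1\n device-role secondary"))
FW3 = """\
#
acl advanced name IPsec_ipsec_IPv4_1
 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.40.0.0 0.0.255.255
#
"""

# Lines that legitimately differ between the two members of a pair: identity,
# addresses, VRRP role, HA role, and the per-device ciphertext of a shared secret.
EXPECTED_DIFF = [re.compile(p) for p in (
    r"^sysname ", r"^ip address ", r"^vrrp vrid \d+ .*(active|standby)$",
    r"^(local-ip|remote-ip|device-role) ", r"^password hash ", r"key cipher ")]
ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_blocks(text):
    """Split a 'display current-configuration' dump into its '#'-delimited blocks:
    first line of the block -> remaining lines, all whitespace-stripped."""
    blocks, cur = {}, []
    for ln in text.splitlines() + ["#"]:
        s = ln.strip()
        if s == "#":
            if cur:
                blocks[cur[0]] = cur[1:]
            cur = []
        elif s:
            cur.append(s)
    return blocks

def expected(line):
    return any(r.search(line) for r in EXPECTED_DIFF)

def ha_drift(primary, secondary):
    """(block, member lacking it, line) for every line found on one member only.
    Run this on both members before trusting a failover: the standby can only
    take over the tunnel if its IKE/IPsec settings match the active unit's."""
    p, s = parse_blocks(primary), parse_blocks(secondary)
    drift = []
    for hdr in sorted(set(p) | set(s)):
        if hdr not in p or hdr not in s:
            if not expected(hdr):
                drift.append((hdr, "secondary" if hdr not in s else "primary", "<block>"))
            continue
        for lacking, own, other in (("secondary", p[hdr], s[hdr]), ("primary", s[hdr], p[hdr])):
            drift += [(hdr, lacking, ln) for ln in own if ln not in other and not expected(ln)]
    return drift

def ipsec_flows(config, acl):
    """Set of (src, src_wildcard, dst, dst_wildcard) protected by a named ACL."""
    body = parse_blocks(config).get(f"acl advanced name {acl}", [])
    return {m.groups() for ln in body if (m := ACL_RULE.match(ln))}

def flows_mirrored(hq, branch, acl):
    """Each peer's IPsec ACL must be the exact mirror of the other's; otherwise
    SA negotiation can fail, or one direction is left outside the tunnel."""
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in ipsec_flows(branch, acl)}
    return bool(mirrored) and mirrored == ipsec_flows(hq, acl)
```

Feeding the full `display current-configuration` output of both members to `ha_drift` gives the same report for the real pair; the tuple it returns for the constructed excerpts is exactly the missing dpd line.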
Web UI screenshots (images not preserved in this copy):
Interfaces: headquarters, branch
Zones: headquarters, branch
Routing: headquarters, branch
High availability: VRRP, Track
IPsec: headquarters, branch
Security policy: headquarters, branch
NAT policy: headquarters, branch
Failover test
Interface-failure failover of the hot-standby pair, and the one-minute countdown preemption after the interface comes back up, were tested and worked as expected.
With the branch as the IKE initiator, the IPsec failover test showed that, with DPD enabled, the tunnel is rebuilt once DPD stops receiving replies; after a few lost packets, ping succeeds again.