IPSec VPN Configuration: Example of Establishing SAs Using IKE (Pre-Shared Key)

Networking requirements

As shown in Figure 7-2, the networking requirements are as follows: Host1 and Host2 need to communicate securely, and IKE is used between USG2110A and USG2110B to automatically negotiate and establish a secure tunnel. The IKE authentication method is pre-shared key.

Figure 7-2 Networking diagram for establishing SAs using IKE (pre-shared key)

Configuration procedure

Step 1 Configure USG2110A.

# Enter the system view.
<USG2110> system-view
# Set the name of the local device.
[USG2110] sysname USG2110A
# Enter the Ethernet 0/0/0 interface view.
[USG2110A] interface Ethernet 0/0/0
# Assign an IP address to Ethernet 0/0/0.
[USG2110A-Ethernet0/0/0] ip address 202.39.160.1 16
# Disable fast forwarding on the interface.
[USG2110A-Ethernet0/0/0] undo ip fast-forwarding qff
# Return to the system view.
[USG2110A-Ethernet0/0/0] quit
# Enter the Ethernet 0/0/1 interface view.
[USG2110A] interface Ethernet 0/0/1
# Assign an IP address to Ethernet 0/0/1.
[USG2110A-Ethernet0/0/1] ip address 200.39.1.1 24
# Disable fast forwarding on the interface.
[USG2110A-Ethernet0/0/1] undo ip fast-forwarding qff
# Return to the system view.
[USG2110A-Ethernet0/0/1] quit
# Enter the Trust zone view.
[USG2110A] firewall zone trust
# Add Ethernet 0/0/1 to the Trust zone.
[USG2110A-zone-trust] add interface Ethernet 0/0/1
# Return to the system view.
[USG2110A-zone-trust] quit
# Enter the Untrust zone view.
[USG2110A] firewall zone untrust
# Add Ethernet 0/0/0 to the Untrust zone.
[USG2110A-zone-untrust] add interface Ethernet 0/0/0
# Return to the system view.
[USG2110A-zone-untrust] quit
# Configure a static route to Host2.
[USG2110A] ip route-static 172.70.2.0 24 202.39.169.1
# Configure an ACL rule that permits hosts on Host1's network segment to access hosts on Host2's network segment.
[USG2110A] acl 3000
[USG2110A-acl-adv-3000] rule permit ip source 202.39.1.0 0.0.0.255 destination 172.70.2.0 0.0.0.255
# Return to the system view.
[USG2110A-acl-adv-3000] quit
# Configure an ACL rule that permits access from hosts on Host2's network segment.
[USG2110A] acl 3001
[USG2110A-acl-adv-3001] rule permit ip source 172.70.2.0 0.0.0.255
# Return to the system view.
[USG2110A-acl-adv-3001] quit
# Enter the Trust-Untrust interzone view.
[USG2110A] firewall interzone trust untrust
# Configure the interzone packet-filtering rules.
[USG2110A-interzone-trust-untrust] packet-filter 3000 outbound
[USG2110A-interzone-trust-untrust] packet-filter 3001 inbound
# Return to the system view.
[USG2110A-interzone-trust-untrust] quit
# Configure the default interzone packet-filtering rule.
[USG2110A] firewall packet-filter default permit interzone local untrust

The default packet-filtering rule between the Local and Untrust zones is set to permit so that the devices at both ends of the IPSec tunnel can communicate with each other and negotiate SAs.

# Create an IPSec proposal named tran1.
[USG2110A] ipsec proposal tran1
# Set the security protocol.
[USG2110A-ipsec-proposal-tran1] transform esp
# Set the packet encapsulation mode.
[USG2110A-ipsec-proposal-tran1] encapsulation-mode tunnel
# Set the ESP authentication algorithm.
[USG2110A-ipsec-proposal-tran1] esp authentication-algorithm md5
# Set the ESP encryption algorithm.
[USG2110A-ipsec-proposal-tran1] esp encryption-algorithm des
# Return to the system view.
[USG2110A-ipsec-proposal-tran1] quit
# Create IKE proposal 10.
[USG2110A] ike proposal 10
# Set the authentication method to pre-shared key.
[USG2110A-ike-proposal-10] authentication-method pre-share
# Set MD5 as the authentication algorithm.
[USG2110A-ike-proposal-10] authentication-algorithm md5
# Set the ISAKMP SA lifetime to 5000 seconds.
[USG2110A-ike-proposal-10] sa duration 5000
# Return to the system view.
[USG2110A-ike-proposal-10] quit
# Enter the IKE peer view.
[USG2110A] ike peer a
# Reference the IKE proposal.
[USG2110A-ike-peer-a] ike-proposal 10
# Set the IP address of the remote end of the tunnel.
[USG2110A-ike-peer-a] remote-address 202.39.169.1
# Set the pre-shared key to "abcde".
[USG2110A-ike-peer-a] pre-shared-key abcde

The pre-shared key must be configured identically on the peer device.

# Return to the system view.
[USG2110A-ike-peer-a] quit
# Create a security policy.
[USG2110A] ipsec policy map1 10 isakmp
# Reference IKE peer a.
[USG2110A-ipsec-policy-isakmp-map1-10] ike-peer a
# Reference the IPSec proposal named tran1.
[USG2110A-ipsec-policy-isakmp-map1-10] proposal tran1
# Reference ACL 3000.
[USG2110A-ipsec-policy-isakmp-map1-10] security acl 3000
# Return to the system view.
[USG2110A-ipsec-policy-isakmp-map1-10] quit
# Enter the Ethernet interface view.
[USG2110A] interface Ethernet 0/0/0
# Apply the IPSec policy.
[USG2110A-Ethernet0/0/0] ipsec policy map1

Step 2 Configure USG2110B.

# Enter the system view.
<USG2110> system-view
# Set the name of the local device.
[USG2110] sysname USG2110B
# Enter the Ethernet 0/0/0 interface view.
[USG2110B] interface Ethernet 0/0/0
# Assign an IP address to Ethernet 0/0/0.
[USG2110B-Ethernet0/0/0] ip address 202.39.169.1 16
# Disable fast forwarding on the interface.
[USG2110B-Ethernet0/0/0] undo ip fast-forwarding qff
# Return to the system view.
[USG2110B-Ethernet0/0/0] quit
# Enter the Ethernet 0/0/1 interface view.
[USG2110B] interface Ethernet 0/0/1
# Assign an IP address to Ethernet 0/0/1.
[USG2110B-Ethernet0/0/1] ip address 172.70.2.1 24
# Disable fast forwarding on the interface.
[USG2110B-Ethernet0/0/1] undo ip fast-forwarding qff
# Return to the system view.
[USG2110B-Ethernet0/0/1] quit
# Enter the Trust zone view.
[USG2110B] firewall zone trust
# Add Ethernet 0/0/1 to the Trust zone.
[USG2110B-zone-trust] add interface Ethernet 0/0/1
# Return to the system view.
[USG2110B-zone-trust] quit
# Enter the Untrust zone view.
[USG2110B] firewall zone untrust
# Add Ethernet 0/0/0 to the Untrust zone.
[USG2110B-zone-untrust] add interface Ethernet 0/0/0
# Return to the system view.
[USG2110B-zone-untrust] quit
# Configure a static route to Host1.
[USG2110B] ip route-static 202.39.1.0 24 202.39.160.1
# Configure an ACL rule that permits hosts on Host2's network segment to access hosts on Host1's network segment.
[USG2110B] acl 3000
[USG2110B-acl-adv-3000] rule permit ip source 172.70.2.0 0.0.0.255 destination 202.39.1.0 0.0.0.255
# Return to the system view.
[USG2110B-acl-adv-3000] quit
# Configure an ACL rule that permits access from hosts on Host1's network segment.
[USG2110B] acl 3001
[USG2110B-acl-adv-3001] rule permit ip source 202.39.1.0 0.0.0.255
# Return to the system view.
[USG2110B-acl-adv-3001] quit
# Enter the Trust-Untrust interzone view.
[USG2110B] firewall interzone trust untrust
# Configure the interzone packet-filtering rules.
[USG2110B-interzone-trust-untrust] packet-filter 3000 outbound
[USG2110B-interzone-trust-untrust] packet-filter 3001 inbound
# Return to the system view.
[USG2110B-interzone-trust-untrust] quit
# Configure the default interzone packet-filtering rule.
[USG2110B] firewall packet-filter default permit interzone local untrust

The default packet-filtering rule between the Local and Untrust zones is set to permit so that the devices at both ends of the IPSec tunnel can communicate with each other and negotiate SAs.

# Create an IPSec proposal named tran1.
[USG2110B] ipsec proposal tran1
# Set the security protocol.
[USG2110B-ipsec-proposal-tran1] transform esp
# Set the packet encapsulation mode.
[USG2110B-ipsec-proposal-tran1] encapsulation-mode tunnel
# Set the ESP authentication algorithm.
[USG2110B-ipsec-proposal-tran1] esp authentication-algorithm md5
# Set the ESP encryption algorithm.
[USG2110B-ipsec-proposal-tran1] esp encryption-algorithm des
# Return to the system view.
[USG2110B-ipsec-proposal-tran1] quit
# Create IKE proposal 10.
[USG2110B] ike proposal 10
# Set the authentication method to pre-shared key.
[USG2110B-ike-proposal-10] authentication-method pre-share
# Set MD5 as the authentication algorithm.
[U
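As an added example that is not part of the original configuration guide, the Python script below parses the parameters that must agree between the two tunnel ends (pre-shared key, IKE and IPSec proposal settings, remote-address against the peer's interface address, and the mirrored security ACLs) and reports any mismatch. The excerpts are constructed from the commands above; USG2110B's remote-address (202.39.160.1) is an assumption, since Step 2 is cut off before that command on this page.

```python
import re
# Constructed excerpts of the two peers' configs (USG2110B's remote-address is assumed; Step 2 is cut off before it).
USG2110A = """
ip address 202.39.160.1 16
authentication-method pre-share
authentication-algorithm md5
remote-address 202.39.169.1
pre-shared-key abcde
esp authentication-algorithm md5
esp encryption-algorithm des
rule permit ip source 202.39.1.0 0.0.0.255 destination 172.70.2.0 0.0.0.255
"""
USG2110B = """
ip address 202.39.169.1 16
authentication-method pre-share
authentication-algorithm md5
remote-address 202.39.160.1
pre-shared-key abcde
esp authentication-algorithm md5
esp encryption-algorithm des
rule permit ip source 172.70.2.0 0.0.0.255 destination 202.39.1.0 0.0.0.255
"""

FIELDS = {  # parameter -> regex for its value; "^" keeps "esp authentication-..." separate
    "local_ip": r"^ip address (\S+) \d+", "remote": r"^remote-address (\S+)",
    "ike_auth": r"^authentication-method (\S+)", "ike_hash": r"^authentication-algorithm (\S+)",
    "psk": r"^pre-shared-key (\S+)", "esp_auth": r"^esp authentication-algorithm (\S+)",
    "esp_enc": r"^esp encryption-algorithm (\S+)",
    "acl_src": r"^rule permit ip source (\S+ \S+)", "acl_dst": r"destination (\S+ \S+)",
}

def extract(cfg):
    """Pull the tunnel-relevant parameters out of one peer's configuration text."""
    found = {name: re.search(pat, cfg, re.M) for name, pat in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def check_peers(cfg_a, cfg_b):
    """Return the list of mismatches between the two ends; an empty list means consistent."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    # Proposal parameters and the pre-shared key must be identical on both sides.
    for key in ("ike_auth", "ike_hash", "esp_auth", "esp_enc", "psk"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    # Each remote-address must be the address configured on the peer's tunnel interface.
    if a["remote"] != b["local_ip"] or b["remote"] != a["local_ip"]:
        problems.append("remote-address does not match the peer's interface address")
    # The ACLs that select traffic for IPSec must be mirror images (source <-> destination).
    if (a["acl_src"], a["acl_dst"]) != (b["acl_dst"], b["acl_src"]):
        problems.append("security ACLs are not mirror images of each other")
    return problems
```

Running check_peers(USG2110A, USG2110B) on the excerpts above returns an empty list; changing the key on one side, as the note in Step 1 warns against, is reported as a psk mismatch.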