IPSEC ××× aggressive mode combined with DHCP!
[1]. Aggressive mode
[2]. Related configuration parameters:
ike local-name id-name            local ID name
ike peer peer-name                declares the IKE peer
pre-shared-key string             pre-shared key
remote-address x.x.x.x            peer address
exchange-mode aggressive          key exchange mode: aggressive mode
id-type name                      ID type: name-based
remote-name id-name               peer name
[3]. Case study
Topology:
Case description:
(1) Case description:
Devices used: three H3C firewalls; one Layer 3 switch acting as the DHCP server.
(2) Purpose of the lab:
Combine IPsec aggressive mode in ××× with DHCP.
(3) Case notes:
All internal addresses are in the 192.168.0.0 range.
All external addresses are in the 193.168.0.0 range.
Configuration:
Firewall 1:
Assign addresses to the corresponding interfaces:
<F1>system-view
System View: return to User View with Ctrl+Z.
[F1]interface eth 0/2
[F1-Ethernet0/2]ip address 192.168.10.1 255.255.255.0
[F1-Ethernet0/2]interface eth 0/1
[F1-Ethernet0/1]ip address 193.168.10.1 255.255.255.0
[F1]firewall zone trust
[F1-zone-trust]add interface eth0/1
[F1-zone-trust]add interface eth0/2
Configure the default route:
[F1]ip route-static 0.0.0.0 0 193.168.10.2
ike peer peer1
exchange-mode aggressive
pre-shared-key 1234
id-type name
remote-name fw2
remote-address 192.168.20.1
local-address 193.168.10.1
ipsec proposal hanyu
acl number 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 1 deny ip
Firewall 2
<F2>system-view
System View: return to User View with Ctrl+Z.
[F2]interface eth 0/2
[F2-Ethernet0/2]ip address 192.168.20.1 255.255.255.0
[F2-Ethernet0/2]interface eth 0/1
[F2-Ethernet0/1]ip address dhcp-alloc    (obtain the address dynamically!)
[F2]firewall zone trust
[F2-zone-trust]add interface eth 0/1
[F2-zone-trust]add interface eth 0/2
Default route:
[F2]ip route-static 0.0.0.0 0 193.168.20.2
Firewall 4
<F4>system-view
System View: return to User View with Ctrl+Z.
[F4]interface eth 0/2
[F4-Ethernet0/2]ip address 192.168.30.1 255.255.255.0
[F4-Ethernet0/2]interface eth 0/1
[F4-Ethernet0/1]ip address dhcp-alloc
[F4-Ethernet0/1]quit
[F4]ip route-static 0.0.0.0 0 193.168.30.2
[F4]firewall zone trust
[F4-zone-trust]add interface Ethernet 0/1
[F4-zone-trust]add interface Ethernet 0/2
SW switch configuration:
<SW13>system-view
Enter system view, return to user view with Ctrl+Z.
[SW13]vlan 5
[SW13-vlan5]port Ethernet 0/5
[SW13-vlan5]vlan 10
[SW13-vlan10]port ethernet 0/10
[SW13-vlan10]vlan 15
[SW13-vlan15]port ethernet 0/15
[SW13-vlan15]inter vlan 5
[SW13-Vlan-interface5]ip add 193.168.10.2 255.255.255.0
[SW13-Vlan-interface5]inter vlan 10
[SW13-Vlan-interface10]ip address 193.168.20.2 255.255.255.0
[SW13-Vlan-interface10]inter vlan 15
[SW13-Vlan-interface15]ip address 193.168.30.2 255.255.255.0
[SW13]dhcp enable
[SW13]dhcp server ip-pool fw2
[SW13-dhcp-fw2]network 193.168.20.0
[SW13-dhcp-fw2]dhcp server ip-pool fw3
[SW13-dhcp-fw3]network 193.168.30.0
[SW13]dhcp server forbidden-ip 193.168.20.2
[SW13]dhcp server forbidden-ip 193.168.30.2
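The parameter list in section [2] and the three device listings above describe one procedure: the hub keeps a fixed outside address, the spokes take theirs from the switch's DHCP pools, and both ends identify each other by name rather than by address. The script below is an added example, not code from the original post and not an H3C tool: it models those parameters, renders the ike peer block for each side, and cross-checks the pair before it is typed into the devices. It assumes the local-name values other than fw2 (fw1 for F1, fw3 for the second spoke), assumes the hub identifies a dynamic spoke by name only (no remote-address on the hub side), assumes the DHCP network statement takes the natural /24 mask, and the minimum key length is the example's own threshold.

```python
"""
Added example, not part of the original post or H3C's own tooling: model the
'ike peer' parameters from section [2] for a hub (static address, like F1)
and DHCP-addressed spokes (like F2/F4), render the H3C-style config block,
and cross-check the two ends before typing them in.
Assumptions: local-name values other than 'fw2' are invented here; the hub
identifies a dynamic spoke by name only (no remote-address); the DHCP
'network' statement uses the natural /24 mask.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

MIN_PSK_LEN = 16  # threshold chosen for this example, not a vendor default


@dataclass
class IkePeer:
    hostname: str                 # device this block is generated for
    peer_name: str                # ike peer <peer-name>
    local_name: str               # ike local-name <id-name> (sent as our ID)
    remote_name: str              # remote-name <id-name> expected from the peer
    psk: str                      # pre-shared-key <string>
    local_address: Optional[str] = None   # static outside address, None when DHCP-assigned
    remote_address: Optional[str] = None  # peer's static address, None when the peer is dynamic

    def render(self) -> List[str]:
        """Render the block in the order the post's parameter list uses."""
        lines = [
            f"ike local-name {self.local_name}",
            f"ike peer {self.peer_name}",
            " exchange-mode aggressive",
            f" pre-shared-key {self.psk}",
            " id-type name",
            f" remote-name {self.remote_name}",
        ]
        if self.remote_address:
            lines.append(f" remote-address {self.remote_address}")
        if self.local_address:
            lines.append(f" local-address {self.local_address}")
        return lines


def check_pair(hub: IkePeer, spoke: IkePeer) -> List[str]:
    """Return the problems that would stop phase 1 (or weaken it) for this pair."""
    problems = []
    # Name-based IDs must cross-match: what one side sends, the other expects.
    if hub.remote_name != spoke.local_name:
        problems.append(f"name-mismatch: {hub.hostname} expects '{hub.remote_name}', "
                        f"{spoke.hostname} sends '{spoke.local_name}'")
    if spoke.remote_name != hub.local_name:
        problems.append(f"name-mismatch: {spoke.hostname} expects '{spoke.remote_name}', "
                        f"{hub.hostname} sends '{hub.local_name}'")
    if hub.psk != spoke.psk:
        problems.append("psk-mismatch")
    # The spoke dials the hub, so the hub needs a fixed address and the
    # spoke must point at it; the spoke's own address comes from DHCP.
    if hub.local_address is None:
        problems.append(f"hub-no-static-address: {hub.hostname}")
    if spoke.remote_address != hub.local_address:
        problems.append(f"spoke-wrong-remote-address: {spoke.hostname}")
    # IKEv1 aggressive mode sends the PSK-based hash before encryption is
    # up, so anyone capturing the exchange can guess the PSK offline.
    if len(hub.psk) < MIN_PSK_LEN:
        problems.append(f"weak-psk: {len(hub.psk)} chars, want >= {MIN_PSK_LEN}")
    return problems


def dhcp_usable(network: str, forbidden: List[str]) -> int:
    """Addresses a pool like 'network 193.168.20.0' can hand out once the
    switch's own VLAN-interface address is excluded with forbidden-ip."""
    net = ipaddress.ip_network(network, strict=False)
    banned = {ipaddress.ip_address(ip) for ip in forbidden}
    return sum(1 for host in net.hosts() if host not in banned)


# Values from the post: hub F1 at 193.168.10.1, spoke F2 identified as 'fw2',
# PSK '1234'.  'fw1' as F1's local name is an assumption.
HUB = IkePeer("F1", "peer1", "fw1", "fw2", "1234", local_address="193.168.10.1")
SPOKE = IkePeer("F2", "peer1", "fw2", "fw1", "1234", remote_address="193.168.10.1")

if __name__ == "__main__":
    for dev in (HUB, SPOKE):
        print(f"--- {dev.hostname} ---")
        print("\n".join(dev.render()))
    print("problems:", check_pair(HUB, SPOKE) or "none")
    print("F2 pool usable addresses:", dhcp_usable("193.168.20.0/24", ["193.168.20.2"]))
```

Run as-is, the only finding for the post's values is the short pre-shared key: with name-based IDs the two sides line up, but because aggressive mode exposes the PSK-derived hash to anyone who captures the exchange, the key should be long and random rather than a four-digit lab value. Changing one spoke's local-name to fw3 without updating the hub's remote-name produces the name-mismatch that shows up in practice as a phase 1 failure.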
Detailed configuration:
See the attachment.
Verification results: