完整教程：ipsec 多数据流进行加密 也是隧道引流的方法

1 拓扑

2 配置

fw1 的配置

acl number 3000
rule 1 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 2 permit ip source 3.3.3.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer fw2
pre-shared-key %^%#m}]*V3H~kW53b"J{d\IU_;gpA7TMiVr,XcM~f)cB%^%#
ike-proposal 1
remote-address 10.1.1.2
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer fw2
proposal 1
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%fM7+'3}w09QtJb~LgdH<KGQ8|:h:&HiywIKYDyU=P(T-GQ;K@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%8-b)MietTW^<OVFJ>d0$l:K':p0C(Lk2y'.2[vYFuTW&:K*l@%@%
level 15

manager-user admin
password cipher @%@%L(hY2E~dm&%){iUtCKj#o*]dV+#~VQ@x:H;NebT7rhS1*]go@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.0
#
interface LoopBack2
ip address 3.3.3.3 255.255.255.0
#
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
ipsec policy 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface Tunnel1
#
firewall zone dmz
set priority 50
#
ip route-static 2.2.2.0 255.255.255.0 Tunnel1
ip route-static 4.4.4.0 255.255.255.0 Tunnel1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name 10.1.1.0
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name t1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 2.2.2.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
destination-address 2.2.2.0 mask 255.255.255.0
action permit
rule name 2
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

fw2 的配置

#
acl number 3000
rule 1 permit ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
rule 2 permit ip source 4.4.4.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
#

#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer fw1
pre-shared-key %^%#(MHh<]s+eBy$Ni/jXf_HS#>S:1gbQ@/6}B.kb':4%^%#
ike-proposal 1
remote-address 10.1.1.1
#
ipsec policy 1 1 isakmp
security acl 3000
ike-peer fw1
proposal 1
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%YSB93x[S&$>0</NGbyR.icpf)HbC7EB|U$,k@VDbxkpAcpii@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%3=`K1Pbc!%UTjHMSY%a%s$%'_=C@V,X3R*RwNlQJY'x+$%*s@%@%
level 15

manager-user admin
password cipher @%@%2:5qAE$yNBw6;]74e's/BKz>*VX;!cxhJRa_nlJ10SUIKzAB@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.0
#
interface LoopBack3
ip address 4.4.4.4 255.255.255.0
#
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
ipsec policy 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface Tunnel1
#
firewall zone dmz
set priority 50
#
ip route-static 1.1.1.0 255.255.255.0 Tunnel1
ip route-static 3.3.3.0 255.255.255.0 Tunnel1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name 10.1.1.0
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name t1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 2.2.2.0 mask 255.255.255.0
source-address 3.3.3.0 mask 255.255.255.0
source-address 4.4.4.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
destination-address 2.2.2.0 mask 255.255.255.0
destination-address 3.3.3.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

3 验证

成功