21. Small project (IPSec + PPPoE)
程序员文章站
2022-07-14 08:25:08
This lab is built with PPPoE and IPSec. The topology is shown below:
PC2 and PC3 represent the internal networks; R2 and R3 are the gateway routers that connect to the external network. R4 is the ISP router and is connected to the company gateway routers. PPPoE + IPSec is configured on the links between R4 and R2/R3 to ensure the security and redundancy of the network. The configuration is as follows:
R1:
[V200R003C00]
#
sysname R1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 15 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
rule 20 permit ip
#
ipsec proposal test
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer test v1
pre-shared-key cipher %$%${"@aaa@qq.com,4=J.,.2n%$%$
ike-proposal 1
#
ipsec policy-template test 1
ike-peer test
proposal test
#
ipsec policy 1 10 isakmp template test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 14.1.1.1 255.255.255.0
ipsec policy 1
nat outbound 3000
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 14.1.1.4
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
R2:
[V200R003C00]
#
sysname R2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal 1
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer test v1
pre-shared-key cipher %$%${"@aaa@qq.com,4=J.,.2n%$%$
ike-proposal 1
remote-address 14.1.1.1
#
ipsec policy test 10 isakmp
security acl 3001
ike-peer test
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 42.1.1.2 255.255.255.0
ipsec policy test
nat outbound 3000
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 42.1.1.4
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
R3:
[V200R003C00]
#
sysname R3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
acl number 3001
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal 1
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer test v1
pre-shared-key cipher %$%${"@aaa@qq.com,4=J.,.2n%$%$
ike-proposal 1
remote-address 14.1.1.1
#
ipsec policy test 10 isakmp
security acl 3001
ike-peer test
proposal 1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
nat address-group 1 43.1.1.1 43.1.1.1
#
interface Dialer1
link-protocol ppp
ppp chap user huawei
ppp chap password cipher %$%$8`>^Y.wWz1'u2Y90IQ9Y,"|&%$%$
ip address ppp-negotiate
dialer user user1
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
ipsec policy test
nat outbound 3000
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/1
ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
R4:
[V200R003C00]
#
sysname R4
#
board add 0/2 4GET
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
ip pool pool1
gateway-list 43.1.1.254
network 43.1.1.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
local-user huawei password cipher %$%$ST#,;aaa@qq.com"4NfJ:"}#DJXW7O%$%$
local-user huawei service-type ppp
#
firewall zone Local
priority 15
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool pool1
ip address 43.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 14.1.1.4 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 42.1.1.4 255.255.255.0
#
interface GigabitEthernet0/0/2
pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/1
#
interface GigabitEthernet2/0/2
#
interface GigabitEthernet2/0/3
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 Virtual-Template1
ip route-static 192.168.1.0 255.255.255.0 14.1.1.1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
The small annotated box in the diagram points out that the IPSec policy must be applied on the PPPoE virtual interface (Dialer1 on R3), and the same goes for NAT (nat outbound).
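One detail of the R2/R3 configurations above deserves a closer look: ACL 3000 (used by nat outbound) first denies the site-to-site traffic and only then permits everything, while ACL 3001 (the IPSec security acl) permits exactly that site-to-site traffic. The following Python script is an added example, not part of the original post, and simulates the outbound processing of a gateway such as R2. It assumes (as the page's ACL layout implies) that NAT is applied before the IPSec policy on the egress interface, so a packet that has been translated no longer matches the IPSec ACL. The ACL lines are copied from R2's config; the packet addresses and the "broken" ACL are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    action: str                        # "permit" or "deny"
    src: Optional[Tuple[str, str]]     # (network, wildcard) or None = any
    dst: Optional[Tuple[str, str]]     # (network, wildcard) or None = any


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """VRP/IOS-style wildcard: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_rule(line: str) -> AclRule:
    """Parse one advanced-ACL rule line as it appears in the configs above,
    e.g. 'rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255'
    or 'rule 10 permit ip'."""
    tokens = line.split()
    action = tokens[2]
    src = dst = None
    if "source" in tokens:
        i = tokens.index("source")
        src = (tokens[i + 1], tokens[i + 2])
    if "destination" in tokens:
        i = tokens.index("destination")
        dst = (tokens[i + 1], tokens[i + 2])
    return AclRule(action, src, dst)


def acl_lookup(rules: List[AclRule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; no match behaves like deny for both
    nat outbound (no translation) and security acl (no protection)."""
    for r in rules:
        if r.src and not wildcard_match(src_ip, *r.src):
            continue
        if r.dst and not wildcard_match(dst_ip, *r.dst):
            continue
        return r.action
    return "deny"


def outbound_pipeline(src_ip: str, dst_ip: str, nat_acl: List[AclRule],
                      ipsec_acl: List[AclRule], egress_ip: str = "42.1.1.2"):
    """Assumed processing order on the egress interface: NAT first, then IPSec.
    Returns the source address after NAT and the list of actions taken."""
    actions = []
    src_after = src_ip
    if acl_lookup(nat_acl, src_ip, dst_ip) == "permit":
        src_after = egress_ip          # translated to the interface address
        actions.append("nat")
    if acl_lookup(ipsec_acl, src_after, dst_ip) == "permit":
        actions.append("ipsec")        # encapsulated by the IPSec policy
    return src_after, actions


# ACL lines copied from R2's configuration on the page.
R2_NAT_ACL = [parse_rule(l) for l in (
    "rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255",
    "rule 10 permit ip",
)]
R2_IPSEC_ACL = [parse_rule(l) for l in (
    "rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255",
)]
# Constructed misconfiguration: the NAT ACL without the deny for the VPN traffic.
NAT_ACL_NO_EXCLUSION = [parse_rule("rule 10 permit ip")]


if __name__ == "__main__":
    for nat_acl, label in ((R2_NAT_ACL, "as configured"), (NAT_ACL_NO_EXCLUSION, "without deny")):
        for dst in ("192.168.1.10", "8.8.8.8"):
            print(label, "->", dst, outbound_pipeline("192.168.2.10", dst, nat_acl, R2_IPSEC_ACL))
```

With R2's ACLs, a packet from PC2 to the R1 site is left untranslated and matches the IPSec ACL, while Internet-bound traffic is translated and sent in the clear; with the deny rule removed, the site-to-site packet is translated to 42.1.1.2 first, no longer matches ACL 3001, and leaves the router unprotected. That is the reason each gateway on the page carries the deny rule at the top of ACL 3000, and it is also why R1 denies all three remote networks before its permit-any.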