This is the configuration exactly as applied; I have checked the official documentation and it configures it the same way. Unexpectedly, traffic does not pass once it is done; I will deal with that later!
FW_A configuration:
dhcp enable
ip-link check enable
ip-link name check_b
 destination 2.2.2.2 interface GigabitEthernet1/0/0 mode icmp next-hop 202.38.163.2
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer fenbu
 pre-shared-key admin123
 ike-proposal 10
ipsec policy-template temp 1
 security acl 3000
 ike-peer fenbu
 proposal pro1
ipsec policy-template temp2 1
 security acl 3001
 ike-peer fenbu
 proposal pro1
ipsec policy policy1 1 isakmp template temp
ipsec policy policy2 1 isakmp template temp2
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.163.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy1
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.38.164.1 255.255.255.0
 service-manage ping permit
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
firewall zone dmz
 set priority 50
ip route-static 0.0.0.0 0.0.0.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 0.0.0.0 0.0.0.0 202.38.164.2 preference 20
ip route-static 172.16.0.0 255.255.255.0 202.38.163.2 preference 10 track ip-link check_b
ip route-static 172.16.0.0 255.255.255.0 202.38.164.2 preference 20
security-policy
 default action permit
FW_B configuration:
firewall dataplane to manageplane application-apperceive default-action drop
dhcp enable
ip-link check enable
ip-link name check_a
 destination 202.38.163.1 interface GigabitEthernet1/0/0 mode icmp next-hop 2.2.2.1
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ipsec proposal pro1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer a1
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.163.1
ike peer a2
 pre-shared-key admin123
 ike-proposal 10
 remote-address 202.38.164.2
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer a1
 proposal pro1
ipsec policy policy2 1 isakmp
 security acl 3001
 ike-peer a2
 proposal pro1
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy1
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 ipsec policy policy2
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel1
 add interface Tunnel2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 Tunnel1 preference 10 track ip-link check_a
ip route-static 192.168.0.0 255.255.255.0 Tunnel2 preference 20
security-policy
 default action permit
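As an added example that is not part of the post above, the following Python checker parses the relevant sections of both firewall configurations and cross-checks them the way one would when an IPsec tunnel refuses to come up: IKE and IPsec proposals that share a name or number on both sides must agree field by field, every remote-address configured on one side must be an address of an interface on the other side, and pre-shared keys shorter than 16 characters are listed. The FW_A and FW_B strings are excerpts of the post's own configurations; the parser assumes one sub-command per line (indented or not) and the proposal comparison assumes matching proposals carry the same name on both devices, which is a simplification of how the device actually negotiates on content. Run as written it reports that ipsec proposal pro1 uses sha1/aes-128 on FW_A but sha2-256/aes-256 on FW_B, and that ike peer a2 on FW_B points at 202.38.164.2 while the address on FW_A's GigabitEthernet1/0/2 is 202.38.164.1.

```python
import re

# Excerpts of the two configurations in the post above (only the sections this checker reads).
FW_A = """
ipsec proposal pro1
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
ike peer fenbu
pre-shared-key admin123
ike-proposal 10
interface GigabitEthernet1/0/0
ip address 202.38.163.1 255.255.255.0
interface GigabitEthernet1/0/2
ip address 202.38.164.1 255.255.255.0
"""
FW_B = """
ipsec proposal pro1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
ike peer a1
pre-shared-key admin123
ike-proposal 10
remote-address 202.38.163.1
ike peer a2
pre-shared-key admin123
ike-proposal 10
remote-address 202.38.164.2
interface GigabitEthernet1/0/0
ip address 2.2.2.2 255.255.255.0
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/0
"""

BLOCK = re.compile(r"^(ipsec proposal|ike proposal|ike peer|interface)\s+(\S+)$")
# Sub-commands recorded for each block type; anything else inside a block is ignored.
KEYS = {
    "ipsec proposal": ("esp authentication-algorithm", "esp encryption-algorithm"),
    "ike proposal": ("encryption-algorithm", "dh", "authentication-algorithm",
                     "integrity-algorithm"),
    "ike peer": ("pre-shared-key", "ike-proposal", "remote-address"),
    "interface": ("ip address",),
}

def parse(config):
    """Return {block type: {name: {sub-command: first argument}}} for the blocks in KEYS."""
    out = {kind: {} for kind in KEYS}
    ctx = None
    for line in (raw.strip() for raw in config.splitlines()):
        m = BLOCK.match(line)
        if m:                          # a new block starts: remember its type and name
            ctx = (m.group(1), m.group(2))
            out[ctx[0]].setdefault(ctx[1], {})
            continue
        if ctx is None:
            continue
        for key in KEYS[ctx[0]]:       # record only the sub-commands we compare
            if line.startswith(key + " "):
                out[ctx[0]][ctx[1]][key] = (line[len(key) + 1:].split() or [""])[0]
                break
    return out

def compare(a, b):
    """Cross-check two parsed firewalls; an empty list means the checked settings agree."""
    findings = []
    # Proposals with the same name/number on both sides must agree field by field.
    for block in ("ike proposal", "ipsec proposal"):
        for name in sorted(set(a[block]) & set(b[block])):
            pa, pb = a[block][name], b[block][name]
            for key in sorted(set(pa) | set(pb)):
                if pa.get(key) != pb.get(key):
                    findings.append(f"{block} {name}: {key} differs "
                                    f"(FW_A={pa.get(key)}, FW_B={pb.get(key)})")
    # A remote-address configured on one side must be an interface address on the other.
    for side, own, other in (("FW_A", a, b), ("FW_B", b, a)):
        addrs = {i.get("ip address") for i in other["interface"].values()} - {None, "unnumbered"}
        for peer, p in own["ike peer"].items():
            ra = p.get("remote-address")
            if ra and ra not in addrs:
                findings.append(f"ike peer {peer} on {side}: remote-address {ra} "
                                "is not an interface address on the other firewall")
    return findings

def weak_psks(cfg, min_len=16):
    """Names of ike peers whose pre-shared key is shorter than min_len characters."""
    return sorted(n for n, p in cfg["ike peer"].items()
                  if len(p.get("pre-shared-key", "")) < min_len)

if __name__ == "__main__":
    a, b = parse(FW_A), parse(FW_B)
    print("\n".join("MISMATCH: " + f for f in compare(a, b)))
    print("weak PSKs:", weak_psks(a), weak_psks(b))
```

Either of the two mismatches it reports is enough on its own to stop the affected tunnel from negotiating, so a comparison like this is worth doing before reading IKE debug output; the pre-shared-key check is there because a short dictionary-style key is the weakest link of a pre-share tunnel once the proposals are fixed.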