1. Lab topology

2. Basic configuration (each step has a corresponding result below)
a. Basic configuration (IP addresses, routes, etc.)
AR1:
#
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 100.1.3.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 100.1.1.1
ip route-static 10.1.2.0 255.255.255.0 100.1.1.1
ip route-static 10.1.3.0 255.255.255.0 100.1.2.1
ip route-static 10.1.4.0 255.255.255.0 100.1.2.1
ip route-static 10.1.5.0 255.255.255.0 100.1.3.1
ip route-static 10.1.6.0 255.255.255.0 100.1.3.1
#
AR2:
#
interface GigabitEthernet0/0/0
ip address 10.1.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.1.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.12.1
AR3:
#
interface GigabitEthernet0/0/0
ip address 10.1.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.1.3.1 255.255.255.0
#
interface LoopBack1
ip address 10.1.4.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.23.2
AR4:
#
interface GigabitEthernet0/0/0
ip address 10.1.34.4 255.255.255.0
#
interface LoopBack0
ip address 10.1.5.1 255.255.255.0
#
interface LoopBack1
ip address 10.1.6.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.34.3
FW1:


FW2:


FW3:


b. Firewall policy configuration (all three firewalls can be configured as follows)


c. IPsec tunnel establishment
FW1:


FW2:


FW3:


3. Verifying the result
a. Whether the IPsec VPN tunnels are established (display ike sa for phase 1, display ipsec sa for the phase 2 SAs with their inbound/outbound SPIs)



b. Whether pings succeed and go through the tunnel. Note that a successful ping on its own does not prove the traffic was encrypted: AR1 carries static routes to every 10.1.x.0/24, so a subnet pair missing from a firewall's interesting-traffic ACL could, depending on the firewall's security policy, still be reached in cleartext across AR1. Confirm that the packet counters of the matching SA in display ipsec sa increase while the ping runs.


4. Summary
a. Why four tunnels are built between each pair of firewalls
Because the number of tunnels matches the number of interesting-traffic ACL rules. Each site has two LAN segments (the two LoopBack networks), so the ACL between two firewalls has 2 x 2 = 4 rules, one per local/remote subnet pair, and each rule negotiates its own IPsec SA pair, i.e. its own tunnel.
b. Why one tunnel has two SAs
Because IPsec SAs are unidirectional: each tunnel consists of one inbound SA and one outbound SA, each with its own SPI.
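As an added example (not part of the original lab write-up), the following Python script parses the router configs shown above, derives each site's protected subnets from the LoopBack interfaces, generates the interesting-traffic ACL a firewall would need toward one peer, and computes the tunnel and SA counts that the summary reasons about. The ACL uses VRP advanced-ACL syntax; the ACL number 3000 and the rule numbering are assumptions, since the firewall configs are not on the page. It also lists the AR1 static routes that point into the sites' private space, which tunnel-mode IPsec does not need because the ESP packets travel between the firewalls' public addresses.

```python
import ipaddress
import re

# Router configs copied from the page. The firewall configs are not on the
# page, so nothing below assumes how FW1-FW3 were actually configured.
AR1_CFG = """interface GigabitEthernet0/0/0
 ip address 100.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 100.1.2.2 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 100.1.3.2 255.255.255.0
ip route-static 10.1.1.0 255.255.255.0 100.1.1.1
ip route-static 10.1.2.0 255.255.255.0 100.1.1.1
ip route-static 10.1.3.0 255.255.255.0 100.1.2.1
ip route-static 10.1.4.0 255.255.255.0 100.1.2.1
ip route-static 10.1.5.0 255.255.255.0 100.1.3.1
ip route-static 10.1.6.0 255.255.255.0 100.1.3.1"""
AR2_CFG = """interface GigabitEthernet0/0/0
 ip address 10.1.12.2 255.255.255.0
interface LoopBack0
 ip address 10.1.1.1 255.255.255.0
interface LoopBack1
 ip address 10.1.2.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.1.12.1"""
AR3_CFG = """interface GigabitEthernet0/0/0
 ip address 10.1.23.3 255.255.255.0
interface LoopBack0
 ip address 10.1.3.1 255.255.255.0
interface LoopBack1
 ip address 10.1.4.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.1.23.2"""
AR4_CFG = """interface GigabitEthernet0/0/0
 ip address 10.1.34.4 255.255.255.0
interface LoopBack0
 ip address 10.1.5.1 255.255.255.0
interface LoopBack1
 ip address 10.1.6.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 10.1.34.3"""


def parse_vrp(text):
    """Pull interface addresses and static routes out of a VRP config fragment."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            interfaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip route-static (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_address(m[3])))
    return interfaces, routes


def protected_subnets(cfg):
    """The LoopBack networks are the LAN segments each site's firewall protects."""
    interfaces, _ = parse_vrp(cfg)
    return sorted(i.network for name, i in interfaces.items() if name.startswith("LoopBack"))


def interesting_traffic_acl(acl_number, local, remote):
    """Advanced ACL with one rule per local/remote subnet pair (VRP wildcard masks).
    Each rule negotiates its own IPsec tunnel once the policy references the ACL."""
    lines = [f"acl number {acl_number}"]
    for n, (src, dst) in enumerate((s, d) for s in local for d in remote):
        lines.append(f" rule {5 * (n + 1)} permit ip source {src.network_address} {src.hostmask} "
                     f"destination {dst.network_address} {dst.hostmask}")
    return lines


def expected_tunnel_counts(local, remote):
    """One tunnel per ACL rule; SAs are unidirectional, so two SAs per tunnel."""
    tunnels = len(local) * len(remote)
    return {"acl_rules": tunnels, "tunnels": tunnels, "sas": 2 * tunnels}


def routes_into_private_space(cfg, sites):
    """Static routes on the transit router that point at a site's private LAN.
    Tunnel-mode ESP is addressed between the firewalls' public interfaces, so the
    transit router never needs these; they only matter if traffic leaks unencrypted."""
    _, routes = parse_vrp(cfg)
    private = {net for subnets in sites for net in subnets}
    return [(str(net), str(nh)) for net, nh in routes if net in private]


SITES = [protected_subnets(c) for c in (AR2_CFG, AR3_CFG, AR4_CFG)]

if __name__ == "__main__":
    print("\n".join(interesting_traffic_acl(3000, SITES[0], SITES[1])))  # FW1 -> FW2
    print(expected_tunnel_counts(SITES[0], SITES[1]))
    print(routes_into_private_space(AR1_CFG, SITES))
```

Running it prints the four-rule ACL FW1 would need toward FW2, the count {acl_rules: 4, tunnels: 4, sas: 8} that matches the summary, and the six AR1 routes into 10.1.x.0/24 that the tunnels themselves never use.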