USG防火墙ipsec穿越nat的示例分析,相信很多没有经验的人对此束手无策,为此本文总结了问题出现的原因和解决方法,通过这篇文章希望你能解决这个问题。
成都创新互联成立以来不断整合自身及行业资源、不断突破观念以使企业策略得到完善和成熟,建立了一套“以技术为基点,以客户需求中心、市场为导向”的快速反应体系。对公司的主营项目,如中高端企业网站企划 / 设计、行业 / 企业门户设计推广、行业门户平台运营、app软件开发、成都手机网站制作、微信网站制作、软件开发、成都二枢机房等实行标准化操作,让客户可以直观的预知到从成都创新互联可以获得的服务效果。
AR1:
acl number 3001
rule 1 deny ip source 10.1.2.0 0.0.0.255destination 10.1.1.0 0.0.0.255
rule 2 permit ip source 10.1.2.0 0.0.0.255
rule 3 permit ip source 172.16.1.0 0.0.0.255
interfaceGigabitEthernet0/0/0
ip address 202.100.1.2 255.255.255.0
nat outbound 3001
#
interfaceGigabitEthernet0/0/1
ip address 172.16.1.2 255.255.255.0
#
ip route-static10.1.2.0 255.255.255.0 172.16.1.1
################################################################
FW1:
acl number 3001
rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike proposal 1
#
ike peer 1
pre-shared-key %$%$Kvy%6e6}DWp&azElXM;@VMD;%$%$
ike-proposal 1
nat traversal
#
ipsec proposal 1
#
ipsec policy-template temp 1
security acl 3001
ike-peer 1
proposal 1
#
ipsec policy l2l 1 isakmp template temp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 202.100.1.1 255.255.255.0
ipsec policy l2l
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
#
ip service-set natt type object
service 1 protocol udp destination-port 4500
#
ip service-set ike type object
service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp
policy service service-set natt
policy service service-set icmp
#
policy interzone trust untrust inbound
policy 0
action permit
policy source 10.1.2.0 mask 24
policy destination 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.1.1.0 mask 24
###########################################
FW2:
acl number 3001
rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
#
ike peer 1
pre-shared-key %$%$a6XbSSW~L%o`:;YS:d}~V|sj%$%$
ike-proposal 1
remote-address 202.100.1.1
nat traversal
#
ipsec proposal 1
#
ipsec policy l2l 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
interface GigabitEthernet0/0/1
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 172.16.1.1 255.255.255.0
ipsec policy l2l
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
ip service-set natt type object
service 1 protocol udp destination-port 4500
#
ip service-set ike type object
service 0 protocol udp destination-port 500
#
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp
policy service service-set natt
policy service service-set icmp
#
policy interzone trust untrust inbound
policy 0
action permit
policy source 10.1.1.0 mask 24
policy destination 10.1.2.0 mask 24
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.1.2.0 mask 24
#
###############################################################
[FW1]dis ike sa
15:49:39 2014/08/01
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase ***
-----------------------------------------------------------------------------
40001 202.100.1.2:10244 RD v2:2 public
2 202.100.1.2:10244 RD v2:1 public
[FW1]dis ipsec sa brief
15:49:43 2014/08/01
current ipsec sa number: 2
current ipsec tunnel number: 1
------------------------------------------------------------------------------
Src Address Dst Address SPI Protocol Algorithm
------------------------------------------------------------------------------
202.100.1.2 202.100.1.1 268723444 ESP E
ES;A:HMAC-MD5-96;
202.100.1.1 202.100.1.2 3352737410 ESP EES;A:HMAC-MD5-96;
[FW1]display ipsec sa
15:51:44 2014/08/01
===============================
Interface: GigabitEthernet0/0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "l2l"
sequence number: 1
mode: template
***: public
-----------------------------
connection id: 40001
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 0h 20m 26s
tunnel local : 202.100.1.1 tunnel remote: 202.100.1.2
flow source: 10.1.1.0-10.1.1.255 0-65535 0
flow destination: 10.1.2.0-10.1.2.255 0-65535 0
[inbound ESP SAs]
spi: 268723444 (0x100464f4)
***: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max received sequence-number: 9
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 3352737410 (0xc7d6b682)
***: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436260/2374
max sent sequence-number: 10
udp encapsulation used for nat traversal: Y
################################################
[FW1]display ipsec statistics
15:53:57 2014/08/01
the security packet statistics:
input/output security packets: 76/9
input/output security bytes: 540/540
input/output dropped security packets: 67/0
the encrypt packet statistics
send sae:9, recv sae:9, send err:0
local cpu:9, other cpu:0, recv other cpu:0
intact packet:9, first slice:0, after slice:0
the decrypt packet statistics
send sae:9, recv sae:9, send err:0
local cpu:9, other cpu:0, recv other cpu:0
reass first slice:0, after slice:0, len err:0
dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 67, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
exceed byte limit: 0, exceed packet limit: 0
change cpu enc: 0, dec change cpu: 0
change datachan: 0, fib search: 0
rcv enc(dec) form sae said err: 0, 0
port number error: 0
send port: 0, output l3: 0, l2tp input: 0
negotiate about packet statistics:
IP packet ok:0, err:0, drop:0
IP rcv other cpu to ike:0, drop:0
IKE packet inbound ok:3, err:0
IKE packet outbound ok:3, err:0
SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
ModpCnt: 4, SaeSucc: 0, SoftwareSucc: 4
看完上述内容,你们掌握USG防火墙ipsec穿越nat的示例分析的方法了吗?如果还想学到更多技能或想了解更多相关内容,欢迎关注创新互联行业资讯频道,感谢各位的阅读!
