The topology is as shown in the figure ↓
Equipment model
FW1:DCFW-1800 Version 4.5
PCA:DCRS-5650 Version 7.0.3.1
PCB:DCRS-5650 Version 7.0.3.1
RT1:DCR-2655 Version 0.4.2
Configure IP and routing
DCRS-5650 analog PCA
DCRS-5650-28(R4)(config)#hostname PCA PCA(config)#vlan 233 PCA(config-vlan233)#int vlan 233 PCA(config-if-vlan233)#ip add 172.16.1.1 255.255.255.0 PCA(config-if-vlan233)#exit PCA(config)#interface ethernet 1/0/1 PCA(config-if-ethernet1/0/1)#switchport access vlan 233 Set the port Ethernet1/0/1 access vlan 233 successfully PCA(config-if-ethernet1/0/1)#exit PCA(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.254
RT1
Router_config#hostname RT1 RT1_config#interface gigaEthernet 0/4 RT1_config_g0/4#ip address 172.16.1.254 255.255.255.0 RT1_config_g0/4#interface gigaEthernet 0/3 RT1_config_g0/3#ip address 10.1.1.1 255.255.255.252 RT1_config_g0/3#exit RT1_config#ip route 0.0.0.0 0.0.0.0 10.1.1.2
FW1
DCFW-1800(config)# hostname FW1 FW1(config)# interface ethernet0/1 FW1(config-if-eth0/1)# zone untrust FW1(config-if-eth0/1)# manage http FW1(config-if-eth0/1)# manage ping FW1(config-if-eth0/1)# manage telnet FW1(config-if-eth0/1)# ip address 10.1.1.2 255.255.255.252 FW1(config-if-eth0/1)# exit FW1(config)# interface ethernet0/2 FW1(config-if-eth0/2)# zone trust FW1(config-if-eth0/2)# manage http FW1(config-if-eth0/2)# manage ping FW1(config-if-eth0/2)# manage telnet FW1(config-if-eth0/2)# ip address 172.16.2.254 255.255.255.0 FW1(config-if-eth0/2)# exit FW1(config)# ip vrouter trust-vr FW1(config-vrouter)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 FW1(config-vrouter)# exit
DCRS-5650 analog PCB
DCRS-5650-28(R4)(config)#hostname PCB PCB(config)#vlan 233 PCB(config-vlan233)#int vlan 233 PCB(config-if-vlan233)#ip address 172.16.2.1 255.255.255.0 PCB(config-if-vlan233)#exit PCB(config)#interface ethernet 1/0/1 PCB(config-if-ethernet1/0/1)#switchport access vlan 233 PCB(config-if-ethernet1/0/1)#exit PCB(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.254
FW1 Configuration Policy
test
PCB#ping 172.16.1.1 Type ^c to abort. Sending 5 56-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds. !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/33 ms PCA#ping 172.16.2.1 Type ^c to abort. Sending 5 56-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds. ..... Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
At this time, the PCB can ping the PCA, but the PCA cannot ping the PCB, because now the firewall only allows the data stream from Trust to Untrust to pass through, and the firewall default setting rejects all data streams to pass through
Configure IPSEC VPN
RT1
RT1_config#ip access-list extended 1 RT1_config_ext_nacl # allow ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0//Match the data stream to be IPSEC VPN RT1_config_ext_nacl#exit RT1_config # crypto isakmp policy 1//Set the IKE encryption policy. The configuration must be consistent with the firewall P1 proposal RT1_config_isakmp # group 2//DH group RT1_config_isakmp # authentication pre share//Set the encryption mode: shared key RT1_config_isakmp # hash md5//Verification algorithm RT1_config_isakmp # encryption 3des//Encryption algorithm RT1_config_isakmp#exit RT1_config # crypto isakmp key 123456789 10.1.1.2//Set the shared key RT1_config # crypto ipsec transform set 1//Set the tunnel encryption algorithm. The configuration must be consistent with the firewall P2 proposal RT1_config_crypto_trans # mode tunnel//Set to tunnel mode RT1_config_crypto_trans # transform type esp-3des esp-md5-hmac//Set 3des encryption, md5 verification RT1_config_crypto_trans#exit RT1_config # crypto map 1 10 ipsec isakmp//Set the encryption mapping table RT1_config_crypto_map # match address 1//Bind ACL RT1_config_crypto_map # set peer 10.1.1.2//Set VPN peer address RT1_config_crypto_map # set transform set 1//Bind the exchange set RT1_config_crypto_map#exit RT1_config#interface gigaEthernet 0/3 RT1_config_g0/3 # crypto map 1//Apply encryption mapping table RT1_config_g0/3#exit
FW1 (P1 proposal)
FW1 (P2 proposal)
FW1 (VPN peer list)
FW1 (IKE VPN configuration)
FW1 (tunnel encryption configuration)
The proxy is the data stream to be encrypted, and the router matches the encrypted data stream for ACL
FW1 (Tunnel Binding Configuration)
Since the firewall cannot configure the encryption mapping table on E0/1, it can only be bound with the tunnel interface, so the next hop of a route to 172.16.1.0/24 should be directed to the tunnel interface, so that it can encrypt the IPSEC VPN
FW1 (static route to configure )
FW1 (VPN address pool configuration )
FW1 (VPN policy configuration )
test
PCB#ping 172.16.1.1 Type ^c to abort. Sending 5 56-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds. .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms PCA#ping 172.16.2.1 Type ^c to abort. Sending 5 56-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds. !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
View IPSEC SA
RT1#show crypto ipsec sa Interface: GigaEthernet0/3 Crypto map name:1 , local addr. 10.1.1.1 local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0) local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2 inbound esp sas: spi:0xa61580e(174151694) transform: esp-3des esp-md5-hmac in use settings ={ Tunnel } sa timing: remaining key lifetime (k/sec): (4607999/3443) outbound esp sas: spi:0x746972f8(1953067768) transform: esp-3des esp-md5-hmac in use settings ={ Tunnel } sa timing: remaining key lifetime (k/sec): (4607999/3443)
View ISAKMP SA
RT1#show crypto isakmp sa dst src state state-id conn 10.1.1.2 10.1.1.1 <R>Q_SA_SETUP 3 6 1 10 10.1.1.2 10.1.1.1 <R>M_SA_SETUP 2 6 1 10