
NTD NETSEC DAY05

  1. Configure IPSec VPN

1 Configure IPSec VPN

1.1 Problem

The R&D team must be able to reach the headquarters R&D server through the VPN, but must not be able to access the Internet.

1.2 Solution

Build the lab environment shown in Figure-1.

Figure-1

1.3 Steps

Implementing this case requires the following steps.

Step 1: Configure router R1

1) Configure routing (a default route toward the next hop 100.0.0.2)

ip route-static 0.0.0.0 0.0.0.0 100.0.0.2

2) Configure IPSec VPN. Phase 1 is the IKE proposal plus the IKE peer (IKEv1, pre-shared key "tedu", remote peer 200.0.0.1); phase 2 is ESP (ipsec proposal 1) applied by policy "yf" to the traffic matched by ACL 3000 (172.16.10.0/24 to 10.10.33.0/24). Only traffic matched by that ACL is sent through the tunnel. The lab uses 3des-cbc, md5 and dh group2 and stores the key in plaintext (simple); these are legacy settings chosen for the exercise, and a production tunnel would use AES and a SHA-2 algorithm, a larger DH group, and the cipher form of the pre-shared-key command.

ike proposal 1
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  authentication-method pre-share
  dh group2
ike peer 200.0.0.1 v1
  pre-shared-key simple tedu
  ike-proposal 1
  remote-address 200.0.0.1
acl number 3000
  rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255
ipsec proposal 1
  transform esp
ipsec policy yf 1 isakmp
  security acl 3000
  ike-peer 200.0.0.1
  proposal 1
interface GigabitEthernet0/0/0
  ipsec policy yf

Step 2: Configure router R2

1) Configure routing (a default route toward the next hop 200.0.0.2)

ip route-static 0.0.0.0 0.0.0.0 200.0.0.2

2) Configure IPSec VPN. R2 is the mirror image of R1: the IKE proposal and pre-shared key are identical, the peer and remote-address point at R1 (100.0.0.1), and the ACL swaps source and destination. A mismatch in any proposal parameter or in the key will fail phase 1, and an ACL that is not an exact mirror will fail phase 2 negotiation.

ike proposal 1
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  authentication-method pre-share
  dh group2
ike peer 100.0.0.1 v1
  pre-shared-key simple tedu
  ike-proposal 1
  remote-address 100.0.0.1
acl number 3000
  rule 5 permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
ipsec proposal 1
  transform esp
ipsec policy yf 1 isakmp
  security acl 3000
  ike-peer 100.0.0.1
  proposal 1
interface GigabitEthernet0/0/0
  ipsec policy yf
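Before bringing the tunnel up it is worth checking the two configurations against each other. The following Python script is an added example and is not part of the original lab or of any Huawei tooling: it parses the handful of VRP commands used above (constructed sample input copied from R1 and R2), verifies that the IKE proposal parameters and pre-shared key match and that the ACL rules are exact mirrors, and flags the legacy algorithms and the plaintext key. The parser only understands the commands shown in this lab, and the set of algorithms treated as weak is this example's own policy assumption.

```python
"""Cross-check a pair of Huawei VRP IPsec configs (added example, not lab code)."""
import re

# Constructed sample input: the IPsec sections of R1 and R2 from the lab above.
R1_CONFIG = """
ike proposal 1
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  authentication-method pre-share
  dh group2
ike peer 200.0.0.1 v1
  pre-shared-key simple tedu
  ike-proposal 1
  remote-address 200.0.0.1
acl number 3000
  rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255
ipsec proposal 1
  transform esp
ipsec policy yf 1 isakmp
  security acl 3000
  ike-peer 200.0.0.1
  proposal 1
"""

R2_CONFIG = """
ike proposal 1
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  authentication-method pre-share
  dh group2
ike peer 100.0.0.1 v1
  pre-shared-key simple tedu
  ike-proposal 1
  remote-address 100.0.0.1
acl number 3000
  rule 5 permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
ipsec proposal 1
  transform esp
ipsec policy yf 1 isakmp
  security acl 3000
  ike-peer 100.0.0.1
  proposal 1
"""

# Policy assumption of this example: settings a practitioner would not accept
# on a new production tunnel.
WEAK = {
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "authentication-algorithm": {"md5", "sha1"},
    "dh": {"group1", "group2", "group5"},
}

RULE_RE = re.compile(
    r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"
)


def parse_vrp(text):
    """Extract the IKE proposal, peer key/address and ACL rules from a VRP config."""
    cfg = {"proposal": {}, "psk": None, "psk_mode": None, "remote": None, "acl": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        key = tokens[0]
        if key in ("encryption-algorithm", "authentication-algorithm",
                   "authentication-method", "dh"):
            cfg["proposal"][key] = tokens[1]
        elif key == "pre-shared-key":          # "pre-shared-key simple|cipher <key>"
            cfg["psk_mode"], cfg["psk"] = tokens[1], tokens[2]
        elif key == "remote-address":
            cfg["remote"] = tokens[1]
        elif key == "rule":
            m = RULE_RE.match(line)
            if m:
                src = (m.group(1), m.group(2))
                dst = (m.group(3), m.group(4))
                cfg["acl"].append((src, dst))
    return cfg


def check_pair(a_text, b_text):
    """Return a list of problems; an empty list means both sides agree and nothing is weak."""
    a, b = parse_vrp(a_text), parse_vrp(b_text)
    problems = []
    if a["proposal"] != b["proposal"]:
        problems.append(f"IKE proposal mismatch: {a['proposal']} vs {b['proposal']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # The ACL on side B must be side A's ACL with source and destination swapped.
    mirrored = {(dst, src) for src, dst in b["acl"]}
    if set(a["acl"]) != mirrored:
        problems.append("ACL rules are not mirror images")
    for side, cfg in (("A", a), ("B", b)):
        for field, value in cfg["proposal"].items():
            if value in WEAK.get(field, ()):
                problems.append(f"{side}: weak {field} {value}")
        if cfg["psk_mode"] == "simple":
            problems.append(f"{side}: pre-shared key stored in plaintext (simple)")
    return problems


if __name__ == "__main__":
    for p in check_pair(R1_CONFIG, R2_CONFIG):
        print(p)
```

Run as-is the script reports no mismatch between R1 and R2 but lists the weak cipher, hash and DH group and the plaintext key on both sides; changing a single proposal line on one router makes it report the phase 1 mismatch that would otherwise only show up as a failed IKE negotiation.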

Step 3: Test

A host in the R&D team's subnet (172.16.10.0/24) can ping the R&D server, but cannot ping 200.0.0.1. Only traffic matched by ACL 3000 (172.16.10.0/24 to 10.10.33.0/24) is carried through the tunnel; the ping to 200.0.0.1 does not match, so R1 forwards it in the clear over the default route with its private source address, and because no NAT is configured there is no routable path for the reply, which is the behaviour the problem statement asks for.