The following simple example shows how to configure a VPN on Samsung Ubigate iBG series products.
The configuration example is as follows:
Configuring IPSec VPN

Configure the branch office device
Configure the interface addresses
Ibg01/configure# interface ethernet 0/2
Ibg01/configure/interface/ethernet (0/2)#
Ibg01/configure/interface/ethernet (0/2)# ip address 160.0.1.1/24
Ibg01/configure/interface/ethernet (0/2)# end
Ibg01/configure# interface ethernet 2/0
Ibg01/configure/interface/ethernet (2/0)#
Ibg01/configure/interface/ethernet (2/0)# ip address 170.0.1.1/24
Ibg01/configure/interface/ethernet (2/0)# end
Enable the firewall policies
Ibg01/configure# firewall internet
Ibg01/configure/firewall internet# interface ethernet0/2
Ibg01/configure/firewall internet# policy 1022 in self
ibg01/configure/firewall internet/policy 1022 in# exit
ibg01/configure/firewall internet#
ibg01/configure# firewall corp
ibg01/configure/firewall corp# interface ethernet2/0
ibg01/configure/firewall corp# policy 1021 in
ibg01/configure/firewall corp/policy 1021 in# exit
ibg01/configure/firewall corp#
View the firewall network type of each interface
ibg01# show firewall interface all
Interface    Map Name
---------    --------
ethernet0/2  internet
ethernet2/0  corp
Configure the crypto IKE policy
Ibg01/configure# crypto
Ibg01/configure/crypto# ike policy pol1 160.0.1.2
Ibg01/configure/crypto/ike/policy pol1 160.0.1.2# local-address 160.0.1.1
Default proposal created with priority1-des-sha1-pre_shared-g1
Key String has to be configured by the user
Configure the crypto IKE policy key
Ibg01/configure/crypto/ike/policy pol1 160.0.1.2# key samsung123
View the IKE information
ibg01/configure/crypto/ike/policy pol1 160.0.1.2# show crypto ike policy pol1 detail
Policy name pol1, Local addr 160.0.1.1, Peer addr 160.0.1.2
Main mode, Initiator and Responder, PFS is not enabled, Shared Key is *****
Local ident 160.0.1.1 (ip-address), Remote Ident 160.0.1.2 (ip-address)
NGM attributes not configured
OCSP is not enabled
Proposal of priority 1
Encryption algorithm: des
Hash Algorithm: sha1
Authentication Mode: pre-shared-key
DH Group: group1
Lifetime in seconds: 86400
Lifetime in kilobytes: unlimited
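An added example (not part of the original article or of the vendor's tooling): a small Python check that parses the `show crypto ike policy pol1 detail` output above and flags the default proposal's DES encryption, DH group 1 and disabled PFS. The weak-value table is an assumed local baseline, and the function names are hypothetical.

```python
import re

# Output of "show crypto ike policy pol1 detail", copied from the transcript above.
SAMPLE = """\
Policy name pol1, Local addr 160.0.1.1, Peer addr 160.0.1.2
Main mode, Initiator and Responder, PFS is not enabled, Shared Key is *****
Local ident 160.0.1.1 (ip-address), Remote Ident 160.0.1.2 (ip-address)
NGM attributes not configured
OCSP is not enabled
Proposal of priority 1
Encryption algorithm: des
Hash Algorithm: sha1
Authentication Mode: pre-shared-key
DH Group: group1
Lifetime in seconds: 86400
Lifetime in kilobytes: unlimited
"""

# Assumed local baseline (not from the page): values treated as too weak.
WEAK = {
    "encryption algorithm": {"des": "56-bit DES key"},
    "dh group": {"group1": "768-bit MODP group"},
}

def parse_ike_policy(text):
    """Return (fields, pfs_enabled) parsed from the detail output."""
    fields = {}
    for line in text.splitlines():
        # "Name: value" lines carry the proposal parameters.
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    pfs = re.search(r"PFS is (not )?enabled", text)
    pfs_enabled = bool(pfs) and pfs.group(1) is None
    return fields, pfs_enabled

def audit_ike_policy(text):
    """List findings for parameters that fall below the assumed baseline."""
    fields, pfs_enabled = parse_ike_policy(text)
    findings = []
    for key, bad in WEAK.items():
        value = fields.get(key)
        if value in bad:
            findings.append(f"{key}: {value} ({bad[value]})")
    if not pfs_enabled:
        findings.append("pfs: not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_ike_policy(SAMPLE):
        print("WEAK:", finding)
```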
Configure the crypto IPsec policy
ibg01/configure# crypto
ibg01/configure/crypto# ipsec policy pol1 160.0.1.2
ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# match address 170.0.1.0/24 170.0.5.0/24
ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# proposal 1
View the IPsec policy
ibg01/configure/crypto/ipsec/policy pol1 160.0.1.2# show crypto ipsec policy pol1
Policy  Peer       Match               Proto  Transform
------  ----       -----               -----  ---------
pol1    160.0.1.2  S 170.0.1.0/24/any  Any    P1 esp-3des-sha1-tunl
                   D 170.0.5.0/24/any
Apply the same configuration on the head office device, as follows:
Ibg02/configure# interface ethernet 0/2
Ibg02/configure/interface/ethernet (0/2)#
Ibg02/configure/interface/ethernet (0/2)# ip address 160.0.1.2/24
Ibg02/configure/interface/ethernet (0/2)# exit
Ibg02/configure# interface ethernet 2/0
Ibg02/configure/interface/ethernet (2/0)#
Ibg02/configure/interface/ethernet (2/0)# ip address 170.0.5.1/24
Ibg02/configure/interface/ethernet (2/0)# exit
Ibg02/configure# firewall internet
Ibg02/configure/firewall internet# interface ethernet0/2
Ibg02/configure/firewall internet# policy 1022 in self
ibg02/configure/firewall internet/policy 1022 in# exit
ibg02/configure/firewall internet#exit
ibg02/configure# firewall corp
ibg02/configure/firewall corp# interface ethernet2/0
ibg02/configure/firewall corp# policy 1021 in
ibg02/configure/firewall corp/policy 1021 in# exit 3
ibg02/configure/firewall corp#exit
ibg02/configure# crypto
ibg02/configure/crypto#
ibg02/configure/crypto# ike policy pol1 160.0.1.1
ibg02/configure/crypto/ike/policy pol1 160.0.1.1# local-address 160.0.1.2
ibg02/configure/crypto/ike/policy pol1 160.0.1.1# key samsung123
ibg02/configure/crypto/ike/policy pol1 160.0.1.1#exit
ibg02/configure# crypto
ibg02/configure/crypto# ipsec policy pol1 160.0.1.1
ibg02/configure/crypto/ipsec/policy pol1 160.0.1.1# match address 170.0.5.0/24 170.0.1.0/24
ibg02/configure/crypto/ipsec/policy pol1 160.0.1.1# proposal 1
Check the details of the IPsec VPN
show crypto ike policy pol1 detail
show crypto ipsec policy pol1
debug crypto all
Debug all crypto information
ibg02# debug crypto all