Security techniques on Huawei devices: IPsec

Published: 2020-07-13 19:58:47  Source: web  Reads: 349  Author: 落寞小小  Column: Security techniques

IPsec

IPsec is the collective name for a family of network-security protocols developed by the IETF (Internet Engineering Task Force). It gives the communicating parties access control, connectionless integrity, data-origin authentication, anti-replay protection, confidentiality (encryption) and selective protection of individual traffic flows. Because it works at the network layer and protects the IP packets themselves, upper-layer applications benefit automatically even when they implement no security of their own; this removed the earlier doubts about VPN security and allowed VPNs to be deployed widely. IPsec has two encapsulation modes, transport mode and tunnel mode, and its security associations (SAs) can be set up in two ways: configured by hand, or negotiated automatically through IKE. The lab below uses both. One caveat that matters for the manual variant: anti-replay protection relies on the sequence counters being reset by installing a fresh SA before they wrap, which only automatic key management provides, so a manually keyed SA with static keys does not get effective anti-replay protection.
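The anti-replay service named above is the part of IPsec that is easiest to show in code. The following is an added example written for this page, not the devices' or the vendor's implementation: the receiver-side sliding window of RFC 4303 section 3.4.3 over the 32-bit ESP sequence number, with a 64-packet window (the example's own choice; the RFC minimum is 32) and without the extended sequence number option. The sample sequence numbers at the end are constructed for the demonstration.

```python
"""Added example for the anti-replay service listed above. It is written for this page,
not taken from the devices or vendor software, and models the receiver-side sliding
window of RFC 4303 section 3.4.3 over the 32-bit ESP sequence number: `top` is the
highest sequence number accepted so far and bit i of `bitmap` records that top - i has
already been received. Window size 64 is this example's choice (the RFC minimum is 32).
The ICV check is out of scope: a real receiver updates the window only after the
packet's integrity check passed, otherwise forged packets could advance it."""

SEQ_MAX = 2 ** 32 - 1            # plain 32-bit sequence numbers; ESN is not modelled here


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size, self.mask = size, (1 << size) - 1
        self.top, self.bitmap = 0, 0

    def classify(self, seq):
        """Verdict for seq without changing state: accept, replay, stale or invalid."""
        if not 1 <= seq <= SEQ_MAX:          # the first packet on an SA carries 1, never 0
            return "invalid"
        if seq > self.top:                   # right of the window: necessarily new
            return "accept"
        if seq <= self.top - self.size:      # left of the window: cannot be checked, drop
            return "stale"
        return "replay" if (self.bitmap >> (self.top - seq)) & 1 else "accept"

    def receive(self, seq):
        """Classify seq and record it when accepted (call only after the ICV verified)."""
        verdict = self.classify(seq)
        if verdict != "accept":
            return verdict
        if seq > self.top:                   # slide the window so that seq becomes its top
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.top = seq
        self.bitmap |= 1 << (self.top - seq)
        return verdict


def replay_verdicts(seqs, size=64):
    """Run a list of received sequence numbers through one fresh window."""
    win = AntiReplayWindow(size)
    return [win.receive(s) for s in seqs]


# Constructed sample: in-order delivery, a duplicate, reordering inside the window, a
# jump that empties the window, then a late packet just outside it and one far behind.
SAMPLE = [1, 2, 3, 2, 5, 4, 100, 50, 36, 37, 3]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE, replay_verdicts(SAMPLE)):
        print(f"seq {seq:>3}: {verdict}")
```

The window belongs to one SA and restarts at zero only when a new SA is installed. With IKE that happens at every rekey; with the manual keying used later in this lab the keys never change, the counter can never be reset, and the receiver therefore has no safe way to keep this check on, which is why anti-replay is in practice a property of IKE-negotiated SAs.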

【Lab objective】

Use the IPsec protocol suite to build VPN tunnels (tunnel mode) between the sites so that traffic crossing the shared network is protected.

【Lab topology】

(topology diagram not preserved; as recoverable from the configurations below: a switch with VLAN-interfaces 10, 20 and 30 at 1.1.1.2, 1.1.2.2 and 1.1.3.2 connects firewalls h4c1 (1.1.1.1, LAN 192.168.1.0/24), h4c2 (1.1.2.1, LAN 192.168.2.0/24) and h4c3 (1.1.3.1, LAN 192.168.3.0/24); each firewall's default route points at its switch VLAN-interface)

【Lab configuration】

Basic configuration on the switch (ports 10, 20 and 24 each carry one firewall's outside link in VLAN 10, 20 or 30; the switch only routes between the three VLAN-interfaces)

dis cu

#

sysname Quidway

#

radius scheme system

server-type huawei

primary authentication 127.0.0.1 1645

primary accounting 127.0.0.1 1646

user-name-format without-domain

domain system

radius-scheme system

access-limit disable

state active

vlan-assignment-mode integer

idle-cut disable

self-service-url disable

messenger time disable

domain default enable system

#

local-server nas-ip 127.0.0.1 key huawei

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

#

interface Vlan-interface10

ip address 1.1.1.2 255.255.255.0

#

interface Vlan-interface20

ip address 1.1.2.2 255.255.255.0

#

interface Vlan-interface30

ip address 1.1.3.2 255.255.255.0

#

interface Aux0/0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Ethernet0/5

#

interface Ethernet0/6

#

interface Ethernet0/7

#

interface Ethernet0/8

#

interface Ethernet0/9

#

interface Ethernet0/10

port access vlan 10

#

interface Ethernet0/11

#

interface Ethernet0/12

#

interface Ethernet0/13

#

interface Ethernet0/14

#

interface Ethernet0/15

#

interface Ethernet0/16

#

interface Ethernet0/17

#

interface Ethernet0/18

#

interface Ethernet0/19

#

interface Ethernet0/20

port access vlan 20

#

interface Ethernet0/21

#

interface Ethernet0/22

#

interface Ethernet0/23

#

interface Ethernet0/24

port access vlan 30

#

interface NULL0

#

user-interface aux 0

user-interface vty 0 4

#

return

Manual configuration (manually keyed SAs between h4c1 and h4c2)

With `ipsec policy policy1 10 manual` both SAs are defined by hand, so the two firewalls must mirror each other exactly: h4c1's inbound SPI and key (54321, dcba) are h4c2's outbound SPI and key, h4c1's outbound pair (12345, abcd) is h4c2's inbound pair, `tunnel local` and `tunnel remote` are swapped, and security ACL 3000 on each side is the mirror image of the other's. h4c1 omits the trailing `rule 20 deny ip`; that is harmless, because traffic that matches no permit rule of a security ACL is forwarded unprotected rather than dropped, which is also why the permit rules must cover exactly the traffic that is meant to be encrypted. Two things a reviewer should not let pass in a production configuration: `ipsec proposal tran1` carries no parameters and therefore runs on the platform defaults of this Comware generation (ESP in tunnel mode with DES encryption and MD5 authentication), and four-character `string-key` values protect nothing once the configuration has been published. The identical `password cipher` strings on all three devices (one shared admin password) and the Telnet and FTP services enabled on each of them deserve the same treatment.

[h4c1]dis cu

#

sysname h4c1

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 1.1.1.1

tunnel remote 1.1.2.1

sa spi inbound esp 54321

sa string-key inbound esp dcba

sa spi outbound esp 12345

sa string-key outbound esp abcd

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.1.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.1.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[h4c2]dis cu

#

sysname h4c2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>

service-type telnet terminal

level 3

service-type ftp

#

ipsec proposal tran1

#

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 1.1.2.1

tunnel remote 1.1.1.1

sa spi inbound esp 12345

sa string-key inbound esp abcd

sa spi outbound esp 54321

sa string-key outbound esp dcba

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.2.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#  

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.2.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.2.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

IKE auto-negotiation (ISAKMP policy entry between h4c1 and h4c3)

Only one IPsec policy group can be applied to an interface, so h4c1 keeps the manual entry `policy1 10` for h4c2 and adds `ipsec policy policy1 11 isakmp` for h4c3 in the same group; entries are tried in order of sequence number and a packet is protected by the first one whose security ACL permits it. For the ISAKMP entry the SPIs and session keys are negotiated by IKE, so what has to agree is the `ike peer` pair (h4c1's `remote-address 1.1.3.1` is the interface on h4c3 where `policy1` is applied, and h4c3's `remote-address 1.1.1.1` the corresponding interface on h4c1), the pre-shared key, and mirrored security ACLs (3001 on h4c1, 3000 on h4c3). Neither side defines an `ike proposal`, and `ipsec proposal tran2` again names no algorithms, so the negotiation succeeds purely on platform defaults; in production set the IKE proposal (algorithms, DH group, lifetimes) and the IPsec proposal explicitly, and replace the pre-shared key `1234567` with a long random secret.

[h4c1]dis cu

#

sysname h4c1

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>

service-type telnet terminal

level 3

service-type ftp

#

ike peer fw3

pre-shared-key 1234567

remote-address 1.1.3.1

#

ipsec proposal tran1

#

ipsec proposal tran2

#

ipsec policy policy1 11 isakmp

security acl 3001

ike-peer fw3

proposal tran2

#

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 1.1.1.1

tunnel remote 1.1.2.1

sa spi inbound esp 54321

sa string-key inbound esp dcba

sa spi outbound esp 12345

sa string-key outbound esp abcd

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

acl number 3001 match-order auto

rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.1.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.1.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[h4c3]dis cu

#

sysname h4c3

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>

service-type telnet terminal

level 3

service-type ftp

#

ike peer fw11

pre-shared-key 1234567

remote-address 1.1.1.1

#

ipsec proposal tran2

#

ipsec policy policy1 11 isakmp

security acl 3000

ike-peer fw11

proposal tran2

#

acl number 3000 match-order auto

rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 20 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

loopback

ip address 192.168.3.1 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 1.1.3.1 255.255.255.0

ipsec policy policy1

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 1.1.3.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return
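Both the manual section (h4c1 with h4c2) and the ISAKMP section (h4c1 with h4c3) above depend on the two sides mirroring each other, and a single wrong character breaks the tunnel silently. The following lint is an added example written for this page, not code from the article or the vendor: it parses the handful of Comware commands used here from `dis cu` excerpts copied from the configurations above and reports errors (the tunnel will not come up) separately from warnings (it comes up, but on default algorithms or guessable keys). The 16-character key threshold is this example's assumption, and `;` separators stand in for the line breaks of real `dis cu` output only to keep the excerpts short; newline-separated output parses the same way.

```python
"""Added example written for this page (not vendor code): a lint for two Comware-style
`dis cu` excerpts that reports what would stop, or silently weaken, the tunnels above.
A manual SA only comes up when one side's inbound SPI/key equal the other's outbound
SPI/key, `tunnel local`/`tunnel remote` are swapped and the security ACLs mirror each
other; an ISAKMP entry needs `remote-address` to hit the interface carrying the peer's
policy and identical pre-shared keys. Only the commands on this page are understood,
and the 16-character key threshold is an assumption of this example."""
import re
from collections import defaultdict

RULE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+) \S+ destination (\S+) \S+)?")

def parse(text):
    """Policies, proposals, IKE peers, ACL rules and interfaces; `;` or newline ends a command."""
    cfg = {"policy": {}, "proposal": {}, "peer": {}, "acl": defaultdict(list), "iface": {}}
    ctx = None                                          # block the current command belongs to
    for raw in re.split(r"[;\n]", text):
        w = raw.split()
        if not w or w[0] == "#":
            ctx = None
        elif w[:2] == ["ipsec", "policy"] and len(w) == 5:   # ipsec policy NAME SEQ manual|isakmp
            ctx = cfg["policy"].setdefault((w[2], int(w[3])), {"mode": w[4], "sa": {}})
        elif w[:2] == ["ipsec", "proposal"]:
            ctx = cfg["proposal"].setdefault(w[2], {})
        elif w[:2] == ["ike", "peer"]:
            ctx = cfg["peer"].setdefault(w[2], {})
        elif w[:2] == ["acl", "number"]:
            ctx = cfg["acl"][int(w[2])]
        elif w[0] == "interface":
            ctx = cfg["iface"].setdefault(w[1], {})
        elif ctx is None:
            continue
        elif isinstance(ctx, list):                     # ACL rule -> (action, source, destination)
            m = RULE.match(raw.strip())
            if m:
                ctx.append(m.groups())
        elif w[0] == "sa":                              # sa spi|string-key inbound|outbound esp VALUE
            ctx["sa"].setdefault(w[2], {})[w[1]] = w[4]
        elif w[:2] == ["ip", "address"]:
            ctx["ip"] = w[2]
        elif len(w) >= 2:                               # e.g. "security acl 3000" -> {"security acl": "3000"}
            ctx[" ".join(w[:-1])] = w[-1]
    return cfg

def policy_ip(cfg, name):
    """Address of the interface that has `ipsec policy NAME` applied, or None."""
    return next((i.get("ip") for i in cfg["iface"].values() if i.get("ipsec policy") == name), None)

def permits(cfg, entry):
    return {(s, d) for act, s, d in cfg["acl"][int(entry["security acl"])] if act == "permit"}

def check_pair(a, b, name, seq):
    """Return (errors, warnings) for entry (name, seq) on peers a and b; errors stop the tunnel."""
    pa, pb = a["policy"][(name, seq)], b["policy"][(name, seq)]
    errors, warnings = [], []
    if permits(a, pa) != {(d, s) for s, d in permits(b, pb)}:
        errors.append("security ACLs are not mirror images")
    for side, cfg, p in (("a", a, pa), ("b", b, pb)):  # empty proposal = platform default algorithms
        if "esp encryption-algorithm" not in cfg["proposal"].get(p["proposal"], {}):
            warnings.append(f"{side}: proposal {p['proposal']} relies on default algorithms")
    if pa["mode"] == "manual":
        if (pa["tunnel local"], pa["tunnel remote"]) != (pb["tunnel remote"], pb["tunnel local"]):
            errors.append("tunnel local/remote are not swapped")
        for da, db in (("inbound", "outbound"), ("outbound", "inbound")):
            if pa["sa"][da] != pb["sa"][db]:
                errors.append(f"a {da} SA differs from b {db} SA")
            if len(pa["sa"][da]["string-key"]) < 16:
                warnings.append(f"{da} manual key shorter than 16 characters")
    else:
        ka, kb = a["peer"][pa["ike-peer"]], b["peer"][pb["ike-peer"]]
        if (ka["remote-address"], kb["remote-address"]) != (policy_ip(b, name), policy_ip(a, name)):
            errors.append("remote-address does not point at the peer's policy interface")
        if ka["pre-shared-key"] != kb["pre-shared-key"]:
            errors.append("pre-shared keys differ")
        elif len(ka["pre-shared-key"]) < 16:
            warnings.append("pre-shared key shorter than 16 characters")
    return errors, warnings

# The relevant lines of the page's configurations (auto-negotiation section). `;` stands in
# for the line breaks of `dis cu` output only to keep the excerpts short.
H4C1 = ("ike peer fw3; pre-shared-key 1234567; remote-address 1.1.3.1; #;"
        " ipsec proposal tran1; #; ipsec proposal tran2; #;"
        " ipsec policy policy1 11 isakmp; security acl 3001; ike-peer fw3; proposal tran2; #;"
        " ipsec policy policy1 10 manual; security acl 3000; proposal tran1;"
        " tunnel local 1.1.1.1; tunnel remote 1.1.2.1; sa spi inbound esp 54321; sa string-key inbound esp dcba;"
        " sa spi outbound esp 12345; sa string-key outbound esp abcd; #;"
        " acl number 3000 match-order auto; rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255;"
        " acl number 3001 match-order auto; rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255;"
        " rule 20 deny ip; #; interface Ethernet0/4; ip address 1.1.1.1 255.255.255.0; ipsec policy policy1")
H4C2 = ("ipsec proposal tran1; #; ipsec policy policy1 10 manual; security acl 3000; proposal tran1;"
        " tunnel local 1.1.2.1; tunnel remote 1.1.1.1; sa spi inbound esp 12345; sa string-key inbound esp abcd;"
        " sa spi outbound esp 54321; sa string-key outbound esp dcba; #;"
        " acl number 3000 match-order auto; rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255;"
        " rule 20 deny ip; #; interface Ethernet0/4; ip address 1.1.2.1 255.255.255.0; ipsec policy policy1")
H4C3 = ("ike peer fw11; pre-shared-key 1234567; remote-address 1.1.1.1; #; ipsec proposal tran2; #;"
        " ipsec policy policy1 11 isakmp; security acl 3000; ike-peer fw11; proposal tran2; #;"
        " acl number 3000 match-order auto; rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255;"
        " rule 20 deny ip; #; interface Ethernet0/4; ip address 1.1.3.1 255.255.255.0; ipsec policy policy1")

if __name__ == "__main__":
    print("manual h4c1<->h4c2:", check_pair(parse(H4C1), parse(H4C2), "policy1", 10))
    print("isakmp h4c1<->h4c3:", check_pair(parse(H4C1), parse(H4C3), "policy1", 11))
```

Run against the page's own excerpts, both pairs report no errors (the tunnels should come up, as the verification screenshots show) but do report the empty proposals and the short keys. Changing a single character of h4c2's outbound `string-key`, or pointing h4c3's `remote-address` one address off, turns into an error, which is exactly the kind of mistake that otherwise only shows up as a tunnel that never forms.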

【Lab verification】

Test of the manual configuration (traffic between 192.168.1.0/24 and 192.168.2.0/24; on the firewalls `display ipsec sa` shows the manual SAs with the configured SPIs)

(screenshot of the test result not preserved)

Test of IKE auto-negotiation (traffic between 192.168.1.0/24 and 192.168.3.0/24; `display ike sa` shows the negotiated IKE SA and `display ipsec sa` the resulting IPsec SAs)

(screenshot of the test result not preserved)

