Item
USG_A
(1)
Data
Interface number: GigabitEthernet 0/0/1
IP address: 10.1.1.1/24
Zone: Trust
(2)
(3)
(4)
Item
Data
IP address: 192.168.1.1/24
Zone: Trust
Configure USG_A.
Step#1
1.
d.
Click Apply.
e.
f.
g.
Click Apply.
Step#2
For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
a.
Configure the security policy between the Local zone and the Untrust zone.
1. Choose Firewall > Security Policy > Local Policy.
2.
b.
Step#3
Configure a static route from USG_A to network B, with the next-hop IP address of 200.1.1.2.
a.
b.
c.
d.
Click Apply.
Step#4
Configure IKE phase 1 and IKE phase 2.
a.
b.
c.
d.
Click Apply.
e.
f.
Click
of ike_a to create IKE phase 2.
Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-13.
Figure 10-13 Configuring IKE phase 2 of USG_A
g.
Click Apply.
Step#5
Apply the IPSec policy.
a.
b.
c.
d.
Click Apply.
Step#6
Bind the IPSec policy to interfaces.
a.
b.
c.
d.
Configure USG_B.
Step#1
1.
c.
d.
of GE0/0/1.
Click Apply.
f.
g.
h.
Click Apply.
Step#2
2.
For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
a. Configure the security policy between the Local zone and the Untrust zone.
1. Choose Firewall > Security Policy > Local Policy.
2. In Local Policy, click Add to configure the following parameters:
Source Zone: untrust
Source Address: 200.1.1.0/24
Action: permit
3. Click Apply.
b. Configure the security policy between the Trust zone and the Untrust zone.
1. Choose Firewall > Security Policy > Forward Policy.
2. In Forward Policy List, click Add to configure the following parameters:
Source Zone: trust
Destination Zone: untrust
Source Address: 192.168.1.0/24
Destination Address: 10.1.1.0/24
Action: permit
3. Click Apply.
4. Choose Firewall > Security Policy > Forward Policy.
5. In Forward Policy List, click Add to configure the following parameters:
Source Zone: untrust
Destination Zone: trust
Source Address: 10.1.1.0/24
Destination Address: 192.168.1.0/24
Action: permit
6. Click Apply.
Step#3
3.
Configure a static route from USG_B to network A, with the next-hop IP address of 200.10.1.2.
a. Choose Route > Static > Static Route.
b. In Static Route List, click Add.
c. On the Add Static Route page, configure the following parameters:
Destination Address: 10.1.1.0
Mask: 255.255.255.0
Next Hop: 200.10.1.2
Other parameters are set to the default values.
d.
Click Apply.
Step#4
4.
d.
Click Apply.
e.
f.
Click
of ike_b to create IKE phase 2.
Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-16.
Figure 10-16 Configuring IKE phase 2 of USG_B
g.
Click Apply.
Step#5
5.
d.
Click Apply.
Step#6
6.
Configuration Verification
Item
USG_A
(1)
Data
Interface: GigabitEthernet 0/0/1
IP address: 10.1.1.1/24
(2)
(3)
(4)
Item
Data
ESP authentication algorithm: SHA1
ESP encryption algorithm: AES
IKE negotiation mode: main mode
IKE pre-shared key: abcde
IKE authentication type: IP
IKE peer address: 202.38.163.1
IKE version: IKEv2
Step#1
For the USG, add interfaces to corresponding security zones and configure interzone packet filtering to ensure normal network communication. Details are omitted. For the USG BSR/HSR, these operations are not required.
Step#2
Set the IP addresses of interfaces as shown in Figure 10-5 and the table that follows. Details are omitted.
Step#3
Create an advanced ACL on USG_A and USG_B to define the data flow to be protected.
# Create an ACL on USG_A to permit the traffic from 10.1.1.0/24 to 10.1.2.0/24.
[USG_A] acl 3000
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
# Create an ACL on USG_B to permit the traffic from 10.1.2.0/24 to 10.1.1.0/24.
[USG_B] acl 3000
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
Step#4
Create a static route on USG_A and USG_B.
# Create on USG_A a static route to Network B, and set the next hop to 202.38.163.2
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2
# Create on USG_B a static route to Network A, and set the next hop to 202.38.169.2
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2
Step#5
Configure an IPSec proposal on USG_A and USG_B.
# Configure an IPSec proposal on USG_A.
[USG_A] ipsec proposal tran1
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.
# Configure an IPSec proposal on USG_B.
[USG_B] ipsec proposal tran1
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
# By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
# By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.
Step#6
Configure an IKE proposal on USG_A and USG_B.
# Configure an IKE proposal on USG_A.
[USG_A] ike proposal 10
[USG_A-ike-proposal-10] authentication-method pre-share
# The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
[USG_A-ike-proposal-10] authentication-algorithm sha1
# The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_A-ike-proposal-10] quit
# The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
[USG_B-ike-proposal-10] quit
Step#7
Configure the IKE peer.
By default, IKE peers use IKEv2.
# Configure the IKE peer on USG_A.
[USG_A] ike peer b
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
# Configure the IKE peer on USG_B.
[USG_B] ike peer a
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
Step#8
Create an IPSec policy on USG_A and USG_B.
# Create an IPSec policy on USG_A.
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10]
[USG_A-ipsec-policy-isakmp-map1-10]
[USG_A-ipsec-policy-isakmp-map1-10]
[USG_A-ipsec-policy-manual-map1-10]
Step#9
Apply the IPSec policies.
# On USG_A, apply the IPSec policy on interface (2).
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1
# On USG_B, apply the IPSec policy on interface (3).
[USG_B] interface GigabitEthernet 0/0/2
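A consistency check for the two peers, added here as an example and not taken from the guide: it parses the USG_A and USG_B commands from Steps 3 to 8 (embedded below as constructed input) and reports a non-mirrored ACL, a differing ESP or IKE algorithm, or a pre-shared key that does not match, which are the usual reasons an IKE or IPSec SA never comes up. The parse and check_pair functions and the MUST_MATCH list are this example's own names, not USG commands.

```python
# Added example (not from the guide): checks that the two peer configs on this page mirror each other.
import re
# Constructed sample input: the relevant commands from the guide's USG_A and USG_B, one per line.
USG_A = """\
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
ike proposal 10
 authentication-algorithm sha1
ike peer b
 remote-address 202.38.169.1
 pre-shared-key abcde
"""
USG_B = """\
acl 3000
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
ike proposal 10
 authentication-algorithm sha1
ike peer a
 remote-address 202.38.163.1
 pre-shared-key abcde
"""
# Settings that must be identical on both peers; otherwise proposal negotiation fails.
MUST_MATCH = ("transform", "esp authentication-algorithm", "esp encryption-algorithm",
              "authentication-algorithm", "pre-shared-key")

def parse(config):
    """Extract the ACL tuple and each MUST_MATCH value from VRP-style config text."""
    cfg = {}
    m = re.search(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", config)
    cfg["acl"] = m.groups() if m else None
    for key in MUST_MATCH:  # anchored at line start so "esp authentication-algorithm" is not confused with the IKE one
        m = re.search(rf"^\s*{re.escape(key)} (\S+)\s*$", config, re.M)
        cfg[key] = m.group(1) if m else None
    return cfg

def check_pair(a, b):
    """Return a list of mismatches between peer A and peer B; an empty list means they agree."""
    ca, cb = parse(a), parse(b)
    problems = []
    src, smask, dst, dmask = ca["acl"] or (None,) * 4
    if cb["acl"] != (dst, dmask, src, smask):  # B must protect exactly the reverse flow
        problems.append("ACL on peer B does not mirror peer A")
    problems += [f"{k}: {ca[k]} vs {cb[k]}" for k in MUST_MATCH if ca[k] != cb[k]]
    return problems
```

Run check_pair on both device configs before applying them; a mismatch report saves a round of reading display ike sa output on a tunnel that will not establish.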
Configuration Verification
If the configurations are correct, Network A can ping network B, and after you run the display ike sa and display ipsec sa commands on USG_A and USG_B, the output indicates that the data is encrypted. Take USG_B as an example. If the following information is displayed, the IKE SA and IPSec SA are successfully established.