试验拓扑如下:
FW1与FW2之间配置IPSec,使用ah-esp 认证与加密
FW1 部分关键配置:
acl number 3000
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ipsec proposal xk
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy map1 10 manual
security acl 3000
proposal xk
tunnel local 1.1.1.1
tunnel remote 1.1.1.2
sa spi inbound ah 678 // AH 与 ESP 的 SPI 不能相同;实际配置中如果配成 ah 54321(与下面 ESP 的 inbound SPI 相同),IPSec 不生效。
sa string-key inbound ah %@%@N[vuP^XI)=Bd$x:8b3=>73Li%@%@
sa spi outbound ah 876 // 同理,不能配置成 ah 12345(与 ESP 的 outbound SPI 相同)
sa string-key outbound ah %@%@N4_gA5ncE;PMW0;8%JYPOu4(%@%@
sa spi inbound esp 54321
sa string-key inbound esp %@%@v<Y|U<c*vY0cmE>Qg/8Z*[R;%@%@
sa spi outbound esp 12345
sa string-key outbound esp %@%@T4P~VpoC[<lTC>:UI)$F61T)%@%@
ip route-static 10.0.0.0 255.255.255.0 1.1.1.2
#
security-policy // 四个方向的策略必须配置:untrust 与 dmz 之间放行业务流量,untrust 与 local 之间放行以防火墙自身为源/目的的 AH、ESP 隧道报文
rule name kk
source-zone untrust
destination-zone dmz
action permit
rule name xu
source-zone dmz
destination-zone untrust
action permit
rule name untrust_to_local
source-zone untrust
destination-zone local
action permit
rule name local_to_untrust
source-zone local
destination-zone untrust
action permit
#
FW2 的关键配置:
acl number 3000
rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal map2
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy use1 10 manual
security acl 3000
proposal map2
tunnel local 1.1.1.2
tunnel remote 1.1.1.1
sa spi inbound ah 876
sa string-key inbound ah %@%@"Vx6-]jc#:VC`EH#^SP!rX`I%@%@
sa spi outbound ah 678
sa string-key outbound ah %@%@Lv^.8SpMe.kf;\)"`j_Yo)%X%@%@
sa spi inbound esp 12345
sa string-key inbound esp %@%@xGG~8H/AV3a0W!XK)7]Kl#+#%@%@
sa spi outbound esp 54321
sa string-key outbound esp %@%@ZG*qGtx=m"72#=Zy8/WX;kP'%@%@
#
ip route-static 192.168.1.0 255.255.255.0 1.1.1.1 // 配置到对端内网的静态路由(选路)
security-policy
rule name xk
source-zone untrust
destination-zone dmz
action permit
rule name dmz_to_untrust
source-zone dmz
destination-zone untrust
action permit
rule name untrust_to_loca
source-zone untrust
destination-zone local
action permit
rule name local_to_untrust
source-zone local
destination-zone untrust
action permit