LAN TO LAN VPNWord文件下载.docx

1、- to bypass the Network Address Translation （NAT） processaccess-list nonat permit ip 10.0.25.0 255.255.255.0 10.0.3.0 255.255.255.0pager lines 24logging onlogging timestamplogging buffered debuggingicmp permit any insidemtu outside 1500mtu inside 1500- IP addresses on the interfacesip address outsid

2、e 172.18.124.96 255.255.255.0ip address inside 10.0.25.254 255.255.255.0ip audit info action alarmip audit attack action alarmpdm logging informational 100pdm history enablearp timeout 14400global （outside） 1 interface- Bypass of NAT for IPSec interesting inside network trafficnat （inside） 0 access-

3、list nonatnat （inside） 1 0.0.0.0 0.0.0.0 0 0- Default gateway to the Internetroute outside 0.0.0.0 0.0.0.0 172.18.124.1 1timeout xlate 0:05:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:00 h225 1:timeout h323 0:00 mgcp 0:00 sip 0:30:00 sip_media 0:timeout uauth 0:00 absoluteaaa-server

4、 TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localhttp 10.0.0.0 255.0.0.0 insideno snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enable- This command avoids applied ACLs or conduits on encrypted pack

5、etssysopt connection permit-ipsec- Configuration of IPSec Phase 2crypto ipsec transform-set mytrans esp-3des esp-sha-hmaccrypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address nonatcrypto map mymap 10 set pfs group2crypto map mymap 10 set peer 172.18.173.85crypto map mymap 10 set transfor

6、m-set mytranscrypto map mymap interface outside- Configuration of IPSec Phase 1isakmp enable outside- Internet Key Exchange （IKE） pre-shared key- that the peers will use to authenticateisakmp key testme address 172.18.173.85 netmask 255.255.255.255isakmp identity addressisakmp policy 10 authenticati

7、on pre-shareisakmp policy 10 encryption 3desisakmp policy 10 hash shaisakmp policy 10 group 2isakmp policy 10 lifetime 86400telnet timeout 5ssh timeout 5console timeout 0dhcpd lease 3600dhcpd ping_timeout 750terminal width 80配置NetScreen防火墙Follow the steps below to configure the NetScreen Firewall.Go

8、 to Lists Address, click the Trusted tab, and click New Address.Add the Netscreen internal network that will be encrypted on the tunnel, then click OK.Note:Ensure that the Trust option is selected.The example below uses network 10.0.3.0 with a mask of 255.255.255.0. Address, click the Untrusted tab,

9、 and click New Address.Add the remote network that NetScreen Firewall will use when encrypting packets, then click OK.The example below uses network 10.0.25.0 with a mask of 255.255.255.0.To configure the VPN gateway （Phase 1 and Phase 2 IPSec policies）, go to Network VPN, select the Gateway tab, an

10、d click New Remote Tunnel Gateway.Use the IP address of the PIXs outside interface to terminate the tunnel, and configure the Phase 1 IKE options to bind. Click OK when you are finished.This example uses the following fields and values.Gateway Name: To501Static IP Address: 172.18.124.96Mode: Main （I

11、D Protection）Preshared Key: “testme”Phase 1 proposal: pre-g2-3des-shaWhen you have successfully created the remote tunnel gateway, you should see a screen similar to the following example.To configure Proposal 1, select the P1 Proposal tab, and then click New Phase 1 Proposal.Enter the configuration

12、 information for the Phase 1 Proposal, and then click OK.This example uses the following fields and values Phase 1 exchange.Name: ToPix501Authentication: PreshareDH Group: Group 2Encryption: 3DES-CBCHash: SHA-1Lifetime: 3600 Sec.When you have successfully added Phase 1 to the NetScreen configuration

13、, you should see a screen similar to the following example.To configure Phase 2, select the P2 Proposal tab, and then click New Phase 2 Proposal.Enter the configuration information for the Phase 2 Proposal, and then click OK.This example uses the following fields and values for Phase 2 exchange.Perf

14、ect Forward Secrecy: DH-2 （1024 bits）Encryption Algorithm:Authentication Algorithm: 26400 SecWhen you have successfully added Phase 2 to the NetScreen configuration, you should see a screen similar to the following example.To create and configure AutoKeys IKE, select the AutoKey IKE tab, and then cl

15、ick New AutoKey IKE Entry.Enter the configuration information for AutoKey IKE, and then click OK.This example uses the following fields and values for AutoKey IKE. VPN-1Remote Gateway Tunnel Name:（This was previously created on the Gateway tab.）Phase 2 Proposal:（This was previously created on the P2

16、 Proposal tab.）VPN Monitor: Enable（This enables the NetScreen device to set Simple Network Management Protocol SNMP traps to monitor the condition of the VPN Monitor.）When you have successfully configured the VPN-1 rule, you should see a screen similar to the following example.To configure the rules

17、 that allow encryption of the IPSec traffic, go to Network Policy, select the Outgoing tab, and click New Policy.Enter the configuration information for the policy, and then click OK.This example uses the following fields and values for the policy. The Name field is optional and is not used in this

18、example.Source Address: InsideNetwork（This was previously defined on the Trusted tab.）Destination Address: RemoteNetwork（This was previously defined under the Untrusted tab.）Service: AnyAction: TunnelVPN Tunnel:（This was previously defined as the VPN tunnel on the AutoKey IKE tab.）Modify matching in

19、coming VPN policy: Checked（This option automatically creates an inbound rule that matches the outside network VPN traffic.）When you have added the policy, ensure that the outbound VPN rule is first in the list of policies. （The rule that was created automatically for inbound traffic is on the Incomi

20、ng tab.）If you need to change the order of the policies, follow these steps.Click the Outgoing tab.Click the circular arrows in the Configure column to display the Move Policy Micro window.Change the order of the policies so that the VPN policy is above policy ID 0 （so that the VPN policy is at the

21、top of the list）.You can view the rule for inbound traffic by clicking on the Incoming tab.验证配置ping - Diagnoses basic network connectivity.show crypto ipsec sa - Shows the Phase 2 security associations.show crypto isakmp sa - Shows the Phase 1 security associations.验证示例Sample output from ping and sh

22、ow commands is show below.This ping was initiated from a host behind the NetScreen Firewall.C:ping 10.0.25.1 -tRequest timed out.Reply from 10.0.25.1: bytes=32 time105ms TTL=128114ms TTL=128106ms TTL=128121ms TTL=128110ms TTL=128116ms TTL=128109ms TTL=128118ms TTL=128Output from the show crypto ipse

23、c sa command is shown below.pixfirewall（config）# show crypto ipsec sainterface: outside Crypto map tag: mymap, local addr. 172.18.124.96 local ident （addr/mask/prot/port）: （10.0.25.0/255.255.255.0/0/0） remote ident （addr/mask/prot/port）: （10.0.3.0/255.255.255.0/0/0） current_peer: 172.18.173.85:500 P

24、ERMIT, flags=origin_is_acl, #pkts encaps: 11, #pkts encrypt: 11, #pkts digest 11 #pkts decaps: 11, #pkts decrypt: 13, #pkts verify 13 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0, #send errors 0, #recv errors 1 local crypto en

25、dpt.: 172.18.124.96, remote crypto endpt.: 172.18.173.85 path mtu 1500, ipsec overhead 56, media mtu 1500 current outbound spi: f0f376eb inbound esp sas: spi: 0x1225ce5c（304467548） transform: esp-3des esp-sha-hmac , in use settings =Tunnel, slot: 0, conn id: 3, crypto map: mymap sa timing: remaining

26、 key lifetime （k/sec）: （4607974/24637） IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: 0xf0f376eb（4042487531） 4, crypto map: （4607999/24628） outbound ah sas: outbound pcp sas:Output from the show crypto isakmp sa command is shown below.pixfirewall（conf

27、ig）# show crypto isakmp saTotal : 1Embryonic : dst src state pending created 172.18.124.96 172.18.173.85 QM_IDLE 0 1TroubleshootThis section provides information you can use to troubleshoot your configuration.调试命令debug crypto engine - Displays messages about crypto engines.debug crypto ipsec - Displays information about IPSec events.debug crypto