1. Purpose of the experiment
2. Experiment environment
2.1. VPN network topology diagram
2.2. Basic port information of the central VPN device PIX515
2.3. Port information of the NETGEAR VPN devices at each branch
3. Configuration of the central VPN device CISCO PIX515
3.1. Configure the basic information of the PIX 515
3.2. Configure NAT on the PIX 515 and enable Internet access
3.3. Configure the ISAKMP Policy (the IKE policy)
3.4. Configure the IPSec transform-set and the Access List
3.5. Configure the dynamic crypto map
4. Configuration of the NETGEAR VPN devices at each branch
4.1. FVS114 configuration
4.2. FVX538 configuration
4.3. FVS338 configuration
4.4. FVS124G configuration
4.5. FVS318v3 configuration
5. Point-to-point configuration between the PIX515 and the FVS318v3
5.1. VPN network topology diagram
5.2. PIX515 configuration
5.3. FVS318v3 configuration
1. Purpose of the experiment
As NETGEAR grows rapidly, more and more users choose NETGEAR's cost-effective products as a primary option for future network expansion, but compatibility with the network products already in their environment has to be considered. This document describes in detail how to configure NETGEAR VPN products to interoperate with third-party network products. NETGEAR VPN products are compatible with products from many vendors, including the VPN products of well-known vendors such as CISCO, NETSCREEN, FORTIGATE and SONICWALL; this document uses the CISCO PIX 515 as the example.
This document applies to the following NETGEAR products:
FVS114/FWG114P/FVS318v3/FVS124G/FVS328/FVL328/FVS338/FVX538
For configuration with NETSCREEN, FORTIGATE and SONICWALL, refer to:
http://www.netgear.com.cn/support/vpnfirewall/FVL328.htm

2. Experiment environment
2.1. VPN network topology diagram
In this experiment, the CISCO PIX 515 is the central VPN device, and the branch offices use the NETGEAR FVS318V3, FVS124G, FVS338, FVX538 and FVS114 respectively.
2.2. Basic port information of the central VPN device PIX515:
PIX 515 LAN IP address: 192.168.1.1/255.255.255.0
PIX 515 WAN IP address: 58.62.221.131/255.255.255.248, gateway: 58.62.221.129
2.3. Port information of the NETGEAR VPN devices at each branch:
Model | LAN | WAN
FVS114 | LAN IP: 192.168.0.1/255.255.255.0 | WAN IP: dynamic public IP obtained over ADSL
FVX538 | LAN IP: 192.168.2.1/255.255.255.0 | WAN IP: dynamic public IP obtained over ADSL
FVS338 | LAN IP: 192.168.3.1/255.255.255.0 | WAN IP: dynamic public IP obtained over ADSL
FVS124G | LAN IP: 192.168.4.1/255.255.255.0 | WAN IP: dynamic public IP obtained over ADSL
FVS318v3 | LAN IP: 192.168.5.1/255.255.255.0 | WAN IP: dynamic public IP obtained over ADSL
3. Configuration of the central VPN device CISCO PIX515
3.1. Configure the basic information of the PIX 515
In PIX515 configure mode, enter setup to start configuring the basic information of the pix515, such as the inside IP address, host name and domain name, as shown in the figure below:

Note the items circled in red above; they are needed in the NETGEAR VPN configuration.
3.2. Configure NAT on the PIX 515 and enable Internet access
1) By default on the PIX 515, ethernet0 is the outside interface and ethernet1 is the inside interface. The inside interface is already active once the initial setup has succeeded, but the outside interface must be activated explicitly with a command:
pix515e(config)#interface ethernet0 auto
pix515e(config)#interface ethernet1 auto
2) Use the nameif command to define the outside and inside interfaces and their security levels (ethernet0 is outside, ethernet1 is inside):
pix515e(config)#nameif ethernet0 outside security0
pix515e(config)#nameif ethernet1 inside security100
security0 is the security level of the outside interface
security100 is the security level of the inside interface
3) Configure the IP address of the outside interface:
pix515e(config)#ip address outside 58.62.221.131 255.255.255.248
4) Enable NAT address translation:
pix515e(config)#global (outside) 1 interface
pix515e(config)#nat (inside) 1 192.168.1.0 255.255.255.0
5) Allow ping:
pix515e(config)#conduit permit icmp any any
6) Add the default route:
pix515e(config)#route outside 0.0.0.0 0.0.0.0 58.62.221.129
As shown in the figure below:

3.3. Configure the ISAKMP Policy (the IKE policy)
1) Enable ISAKMP on the outside interface.
pix515e(config)#isakmp enable outside
2) Define ISAKMP policy number 9, using a pre-shared key (Pre-Share Key) for authentication:
pix515e(config)#isakmp policy 9 authentication pre-share
3) Because the branches have dynamic public IPs, configure the ISAKMP pre-shared key, e.g. 12345678, for address 0.0.0.0, which means it applies to every public IP address. (Note: if the peer has a static IP, substitute that IP directly; in that case the dynamic map described below is not needed and a static map is used instead.)
pix515e(config)#isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
4) Use 3des as the encryption algorithm for ISAKMP policy 9 (note: this can be changed, as long as it matches the branch)
pix515e(config)#isakmp policy 9 encryption 3des
5) Use md5 as the hash (integrity) algorithm for ISAKMP policy 9 (note: this can be changed, as long as it matches the branch)
pix515e(config)#isakmp policy 9 hash md5
6) Set the DH (Diffie-Hellman) key exchange group for ISAKMP policy 9 to group 1
(Note: group 1 provides 768-bit keying material; it can be changed as long as it matches the branch. This setting determines how the IPsec peers derive the temporary session keys used for the second phase of the IPsec connection.)
pix515e(config)#isakmp policy 9 group 1
As shown in the figure below:

3.4. Configure the IPSec transform-set and the Access List
1) Define an IPsec transform-set named netgear, using the 3des encryption algorithm and the sha integrity algorithm
pix515e(config)#crypto ipsec transform-set netgear esp-3des esp-sha-hmac
2) Define the access list (number 90) between the central LAN and each branch LAN
pix515e(config)#access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pix515e(config)#access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pix515e(config)#access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pix515e(config)#access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
pix515e(config)#access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
3) Packets carried over the VPN must not be NATed, so these packets are assigned to nat 0. nat 0 performs no address translation, and nat 0 is always processed before the other nat rules (nat 1, nat 2, nat 3, ...).
Exempt access list 90, defined above, from NAT:
pix515e(config)#nat (inside) 0 access-list 90
As shown in the figure below:

3.5. Configure the dynamic crypto map
Because the public IPs of the branches can change at any time, the central VPN device must use a dynamic crypto map:
1) Define a dynamic crypto map named tofvs318 with sequence number 10, matching access-list 90
(Note: if the peer VPN device has a static public IP, a static map can be used)
pix515e(config)#crypto dynamic-map tofvs318 10 match address 90
2) For dynamic map entry 10, use PFS in IPSEC phase 2 with DH group 2 (1024 bits)
{Note: PFS (Perfect Forward Secrecy) increases security; VPN communication is slightly slower, but it guarantees a fresh DH exchange for every IKE phase 2 (phase-II) negotiation. This item is also optional and must match each branch}
pix515e(config)#crypto dynamic-map tofvs318 10 set pfs group2
3) Assign the IPSEC transform-set named netgear to dynamic map entry 10
pix515e(config)#crypto dynamic-map tofvs318 10 set transform-set netgear
4) Define a static crypto map named mymap with sequence number 200, and map the dynamic crypto map tofvs318 into the static crypto map mymap.
pix515e(config)#crypto map mymap 200 ipsec-isakmp dynamic tofvs318
5) Apply the static crypto map to the outside interface
pix515e(config)#crypto map mymap interface outside

6. Open the IPSec bypass and save the configuration
1) Declare IPsec traffic as trusted, i.e. let IPsec traffic bypass the interface access checks.
pix515e(config)#sysopt connection permit-ipsec
2) Save the configuration
pix515e(config)#wr mem
As shown in the figure below:

To clear the entire configuration, use the command 'clear config all', as follows:
pix515e(config)#clear config all
7. PIX515 configuration:
pix515# show run
Saved:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515
domain-name pix515.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 58.62.221.131 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 58.62.221.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
crypto dynamic-map tofvs318 10 match address 90
crypto dynamic-map tofvs318 10 set pfs group2
crypto dynamic-map tofvs318 10 set transform-set netgear
crypto map mymap 200 ipsec-isakmp dynamic tofvs318
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9c7fe2af17b050e7ecc7d4a1eb37012d
: end
pix515#
4. Configuration of the NETGEAR VPN devices at each branch
4.1. FVS114 configuration
1) Create the IKE Policies


2) Create the VPN Policies


4.2. FVX538 configuration
1) Create the IKE Policies


2) Create the VPN Policies


4.3. FVS338 configuration
1) Create the IKE Policies
Same as the FVX538
2) Create the VPN Policies
Same as the FVX538, but note that the LOCAL IP must be the LAN network address of the FVS338.
4.4. FVS124G configuration
1) Create the IKE Policies

Note: the items circled in red must match the information defined in section 3.1; refer to the red-circled items in section 3.1.

2) Create the VPN Policies


4.5. FVS318v3 configuration
1) Create the IKE Policies

Note: the items circled in red must match the information defined in section 3.1; refer to the red-circled items in section 3.1.

2) Create the VPN Policies


5. Point-to-point configuration between the PIX515 and the FVS318v3
5.1. VPN network topology diagram
The previous sections described the configuration in which the CISCO PIX 515 acts as the hub with a fixed IP connection to the INTERNET while each NETGEAR VPN device connects to the INTERNET over an ordinary ADSL line. This section describes the configuration of both sides when both have fixed public IPs.

5.2. PIX515 configuration
pix515(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix515
domain-name pix515.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 58.62.221.131 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 58.62.221.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
/* A static crypto map is used here */
crypto map tofvs318 20 ipsec-isakmp
crypto map tofvs318 20 match address 90
crypto map tofvs318 20 set peer 121.32.17.207
crypto map tofvs318 20 set transform-set netgear
crypto map tofvs318 interface outside
crypto map fvs318 20 ipsec-isakmp
crypto map fvs318 20 set pfs group2
! Incomplete
isakmp enable outside
/* The WAN IP of the FVS318V3 is 121.32.17.207 */
isakmp key ******** address 121.32.17.207 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f6ac69765d18b7ac0c3024295a82fe79
: end
pix515(config)#
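Both the dynamic-map hub configuration of sections 3.3 to 3.5 and the static-map configuration above repeat the same requirement: every IKE phase 1 and IPsec phase 2 parameter on the PIX must match what is typed into the NETGEAR IKE and VPN policies, or the tunnel never comes up. The following Python script is an added example, not part of this document or of any NETGEAR or CISCO tool: it parses short constructed excerpts of the two PIX "show run" outputs reproduced on this page and reports which fields disagree with a hypothetical branch policy (the NETGEAR_BRANCH values are assumed to be what the section 3 screenshots contained).

```python
import re

# Constructed excerpts of the two PIX 515 "show run" outputs on this page:
# the dynamic-map hub config (section 3) and the static-map config (section 5).
PIX_DYNAMIC = """\
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
crypto dynamic-map tofvs318 10 set pfs group2
crypto dynamic-map tofvs318 10 set transform-set netgear
"""
PIX_STATIC = """\
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
crypto map tofvs318 20 set peer 121.32.17.207
crypto map tofvs318 20 set transform-set netgear
"""
# Hypothetical branch-side IKE/VPN policy as entered in the NETGEAR GUI, transcribed
# into PIX vocabulary; the values are chosen to match the section 3 hub config.
NETGEAR_BRANCH = {"authentication": "pre-share", "encryption": "3des", "hash": "md5",
                  "group": "1", "esp": "esp-3des", "esp_auth": "esp-sha-hmac", "pfs": "group2"}

RULES = [  # (field, regex); a later line overrides an earlier one, as on the PIX itself
    ("authentication", r"isakmp policy \d+ authentication (\S+)"),
    ("encryption", r"isakmp policy \d+ encryption (\S+)"),
    ("hash", r"isakmp policy \d+ hash (\S+)"),
    ("group", r"isakmp policy \d+ group (\S+)"),
    ("pfs", r"crypto (?:dynamic-)?map \S+ \d+ set pfs (\S+)"),
]

def parse_pix(text):
    """Extract phase 1 (ISAKMP) and phase 2 (transform-set, PFS) parameters from PIX 6.x config."""
    params = {"pfs": "none"}          # PIX default: no PFS unless a 'set pfs' line is present
    transform_sets = {}
    for line in text.splitlines():
        for field, pattern in RULES:
            m = re.match(pattern, line)
            if m:
                params[field] = m.group(1)
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line)
        if m:
            transform_sets[m.group(1)] = (m.group(2), m.group(3))
        m = re.match(r"crypto (?:dynamic-)?map \S+ \d+ set transform-set (\S+)", line)
        if m and m.group(1) in transform_sets:
            params["esp"], params["esp_auth"] = transform_sets[m.group(1)]
    return params

def mismatches(pix_text, branch):
    """Return {field: (pix_value, branch_value)} for every field that differs."""
    hub = parse_pix(pix_text)
    return {k: (hub.get(k), v) for k, v in branch.items() if hub.get(k) != v}

if __name__ == "__main__":
    for name, cfg in (("dynamic", PIX_DYNAMIC), ("static", PIX_STATIC)):
        print(name, mismatches(cfg, NETGEAR_BRANCH) or "OK")
```

Run against the section 5 excerpt, the script reports the hash (sha vs md5), DH group (2 vs 1) and PFS (none vs group2) differences, which is exactly the set of fields that would have to be changed on the FVS318v3 side in section 5.3.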
5.3. FVS318v3 configuration
1) Create the IKE Policy


2) Create the VPN Policy

