Problem description
Setting up IPsec between a USG6000 (V100R001) and a Linux server: how should the USG and the Linux server be configured?
Solution
I. Configuration scripts on the USG and Linux sides
IPsec configuration on the Linux (openswan) side
1. ipsec.conf:
conn CSL
    type=tunnel
    authby=secret
    #
    left=%defaultroute
    leftnexthop=%defaultroute
    leftsubnet=A.A.A.A/32
    leftid=B.B.B.B          # replace with the live openswan interface IP
    leftsourceip=B.B.B.B    # replace with the live openswan interface IP
    #
    right=C.C.C.C           # replace with the live firewall interface IP
    rightid=C.C.C.C         # replace with the live firewall interface IP
    rightsubnets={D.D.D.D/32,E.E.E.E/32}
    #
    keyexchange=ike
    ike=3des-sha1;modp1024
    phase2=esp
    pfs=no
    aggrmode=no
    ikelifetime=86400s
    salifetime=10000s
    forceencaps=yes
    auto=start
    dpdaction=restart
    #
2. ipsec.secrets (B.B.B.B is the live openswan interface IP, C.C.C.C the live firewall interface IP; the PSK must be in straight double quotes):
B.B.B.B C.C.C.C: PSK "admin@123"
Configuration on the firewall side
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha1
 integrity-algorithm aes-xcbc-96 hmac-sha2-512 hmac-sha2-384 hmac-sha2-256 hmac-sha1-96 hmac-md5-96
#
ike peer 1
 pre-shared-key admin@123
 ike-proposal 1
 ike negotiate compatible
 undo version 2
 remote-address B.B.B.B (replace with the live openswan interface IP)
#
ipsec proposal 1
 encapsulation-mode auto
 esp authentication-algorithm sha2-512 sha2-384 sha2-256 sha1 md5
 esp encryption-algorithm aes-256 aes-192 aes-128 3des des
#
acl number 3001
 rule 5 permit ip source D.D.D.D 0 destination A.A.A.A 0
 rule 10 permit ip source E.E.E.E 0 destination A.A.A.A 0
#
ipsec policy 1 1 isakmp
 security acl 3001
 ike-peer 1
 alias 1_1
 proposal 1
 sa duration time-based 10000
#
interface GigabitEthernet1/0/6
 ip address C.C.C.C 255.255.255.128
 ipsec policy 1 auto-neg
 undo service-manage enable
#
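The tunnel only comes up if the two configurations above agree on the PSK, the IKE algorithms, the peer address, the SA lifetime and the protected hosts (openswan's leftsubnet/rightsubnets versus the USG ACL). As an added cross-check that is not part of the original post, the following Python script parses both sides and reports every parameter that differs; it assumes an ACL wildcard of 0 denotes a /32 host and keeps the page's placeholder addresses as constructed sample input.

```python
import re

# Constructed samples mirroring this page: the openswan conn block and secrets line,
# and the USG lines that must agree with them (placeholder addresses kept as on the page).
OPENSWAN_CONF = """conn CSL
    leftsubnet=A.A.A.A/32
    leftid=B.B.B.B
    right=C.C.C.C
    rightsubnets={D.D.D.D/32,E.E.E.E/32}
    ike=3des-sha1;modp1024
    salifetime=10000s
"""
OPENSWAN_SECRETS = 'B.B.B.B C.C.C.C: PSK "admin@123"'
USG_CONF = """ encryption-algorithm 3des-cbc
 authentication-algorithm sha1
ike peer 1
 pre-shared-key admin@123
 remote-address B.B.B.B
acl number 3001
 rule 5 permit ip source D.D.D.D 0 destination A.A.A.A 0
 rule 10 permit ip source E.E.E.E 0 destination A.A.A.A 0
 sa duration time-based 10000
"""
KEYS = ("enc", "hash", "psk", "peer", "local", "remote", "salife")

def parse_openswan(conf, secrets):
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)\s*$", conf, re.M))
    enc, hsh = kv["ike"].split(";")[0].split("-")   # "3des-sha1;modp1024" -> 3des, sha1
    psk = re.search(r'PSK\s+"([^"]*)"', secrets).group(1)
    return {"enc": enc, "hash": hsh, "psk": psk, "peer": kv["leftid"],
            "local": kv["leftsubnet"],   # host behind openswan; must equal the ACL destination
            "remote": set(kv["rightsubnets"].strip("{}").split(",")),
            "salife": int(kv["salifetime"].rstrip("s"))}

def parse_usg(conf):
    d = {"remote": set()}
    for w in (line.split() for line in conf.splitlines() if line.strip()):
        if w[0] == "encryption-algorithm": d["enc"] = w[1].replace("-cbc", "")
        elif w[0] == "authentication-algorithm": d["hash"] = w[1]
        elif w[0] == "pre-shared-key": d["psk"] = w[1]
        elif w[0] == "remote-address": d["peer"] = w[1]
        elif w[0] == "sa": d["salife"] = int(w[-1])
        elif w[0] == "rule":   # assumption: wildcard 0 means a /32 host
            d["remote"].add(w[5] + "/32")   # ACL source = USG-side host = openswan rightsubnets
            d["local"] = w[8] + "/32"       # ACL destination = openswan leftsubnet
    return d

def check(openswan, usg):
    """One line per parameter that differs between the two ends; empty list means consistent."""
    return [f"{k}: openswan={openswan[k]!r} usg={usg[k]!r}" for k in KEYS if openswan[k] != usg[k]]
```

Run check(parse_openswan(...), parse_usg(...)) against the real files before bringing the tunnel up; an empty list means the two sides agree on every compared parameter.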
II. Configure routes on the device (add them according to the live-network requirements):
[yangwei]ip route-static A.A.A.A 32 4.1.42.x
[yangwei]dis ip routing
20:26:57 2016/05/16
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
4.0.0.0/8 Static 60 0 RD 4.1.42.x GigabitEthernet1/0/6
4.1.42.128/25 Direct 0 0 D C.C.C.C GigabitEthernet1/0/6
C.C.C.C/32 Direct 0 0 D 127.0.0.1 InLoopBack0
A.A.A.A/32 Static 60 0 RD 4.1.42.x GigabitEthernet1/0/6
202.4.198.0/24 Direct 0 0 D D.D.D.D GigabitEthernet2/0/0
D.D.D.D/32 Direct 0 0 D 127.0.0.1 InLoopBack0
III. On the firewall, run a sustained ping from its private address to the openswan private address to verify the result
[yangwei]ping -a D.D.D.D -c 10 A.A.A.A
20:32:03 2016/05/16
PING A.A.A.A: 56 data bytes, press CTRL_C to break
Reply from A.A.A.A: bytes=56 Sequence=1 ttl=64 time=10 ms
.........
--- A.A.A.A ping statistics ---
10 packet(s) transmitted
10 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/10 ms
Source: https://hqyman.cn/post/4547.html