...
vlan 5
force-up
exit
vlan 6
force-up
exit
vlan 7
force-up
exit
Create the security zones:
...
Configure the security policies:
security zone-pair trusted self
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair user self
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol tcp
match source-address any
match destination-address any
match source-port any
match destination-port redirect
enable
exit
exit
security zone-pair gre self
rule 10
action permit
match protocol any
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair user trusted
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair ipsec self
rule 1
action permit
match protocol icmp
match source-address any
match destination-address any
enable
exit
rule 11
action permit
match protocol udp
match source-address any
match destination-address any
match source-port any
match destination-port ipsec_ports
enable
exit
rule 12
action permit
match protocol esp
match source-address any
match destination-address any
enable
exit
rule 13
action permit
match protocol gre
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
rule 14
action permit
match protocol icmp
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair trusted trusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair user untrusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair untrusted self
rule 10
action permit
match protocol udp
match source-address any
match destination-address any
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 20
action permit
match protocol icmp
match source-address any
match destination-address any
enable
exit
exit
security zone-pair ipsec gre-vrf1
rule 10
action permit
match protocol any
match source-address ipsec_remote_address
match destination-address gre_termination
enable
exit
exit
security zone-pair gre-vrf1 ipsec
rule 10
action permit
match protocol any
match source-address gre_termination
match destination-address ipsec_remote_address
enable
exit
exit
security zone-pair gre-vrf1 self
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
security zone-pair trusted untrusted
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
Create the pool of addresses and parameters handed out to the access points via mode config:
address-assignment pool ipsec_pool_1
ip prefix 172.31.0.0/21
data-tunnel address 192.168.7.2
management-tunnel address 192.168.7.1
exit
Configure the IKE proposal, policy and gateway:
security ike proposal dh1_md5_aes128
authentication algorithm md5
encryption algorithm aes128
exit
security ike proposal dh1_sha1_aes128
encryption algorithm aes128
exit
security ike policy psk_xauth1
lifetime seconds 86400
pre-shared-key ascii-text encrypted 88B11079B9014FAAF7B9
authentication method xauth-psk-key
authentication mode radius
proposal dh1_md5_aes128
proposal dh1_sha1_aes128
exit
security ike policy only_psk
lifetime seconds 86400
pre-shared-key ascii-text encrypted 88B11079B9014FAAF7B9
proposal dh1_md5_aes128
exit
security ike gateway ike1_from_inet
ike-policy psk_xauth1
local address 188.237.154.25
local network 192.168.7.0/29
remote address any
remote network dynamic pool ipsec_pool_1
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 10
exit
security ike gateway load_test
ike-policy only_psk
local address 188.237.154.25
local network 192.168.7.0/29
remote address any
remote network 10.100.0.0/16
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 60
dead-peer-detection timeout 180
exit
security ike gateway load_test_2
ike-policy only_psk
local address 192.168.108.171
local network 192.168.7.0/29
remote address any
remote network 10.100.0.0/16
mode policy-based
dead-peer-detection action clear
dead-peer-detection interval 60
dead-peer-detection timeout 180
exit
security
Configure the IPsec proposal, policy and VPN. In the VPN settings we specify that it operates in VRF ipsec1:
security ipsec proposal md5_aes128_esp
authentication algorithm md5
encryption algorithm aes128
exit
security ipsec proposal md5_esp_null
authentication algorithm md5
encryption algorithm null
exit
security ipsec proposal sha1_esp_null
encryption algorithm null
exit
security ipsec policy vpn1_pol1
proposal md5_aes128_esp
exit
security ipsec policy ipsec_pol2
proposal md5_esp_null
exit
security ipsec policy ipsec_pol3
proposal sha1_esp_null
exit
security ipsec policy ipsec_all_props
proposal md5_esp_null
proposal md5_aes128_esp
proposal sha1_esp_null
exit
security ipsec vpn for_INET_1
mode ike
ip vrf forwarding ipsec1
ike establish-tunnel by-request
ike gateway ike1_from_inet
ike ipsec-policy ipsec_pol2
exit
security ipsec vpn load_test
mode ike
ip vrf forwarding ipsec1
ike establish-tunnel by-request
ike gateway load_test
ike ipsec-policy vpn1_pol1
enable
exit
security ipsec vpn load_test_2
mode ike
ike establish-tunnel by-request
ike gateway load_test_2
ike ipsec-policy vpn1_pol1
exit
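Several proposals above use md5 authentication or null encryption (md5_esp_null, sha1_esp_null), and several zone-pairs carry an enabled permit any/any/any rule. The following added script (not Eltex code; it assumes the flat "header ... exit" layout shown on this page) parses such a configuration and lists those points for review:

```python
# Added example, not vendor code: audit an Eltex ESR-style config for weak IKE/IPsec
# proposal algorithms and permit-all zone-pair rules (flat "header ... exit" layout only).
import re

WEAK = {"authentication": {"md5"}, "encryption": {"null", "des", "3des"}}  # worth flagging
BLOCK_RE = re.compile(r"^(security (ike|ipsec) \S+ |security zone-pair |rule \d+)")  # block openers
PERMIT_ALL = {"action permit", "match protocol any", "enable",
              "match source-address any", "match destination-address any"}
# Constructed excerpt modelled on the page's own configuration.
SAMPLE = """\
security ipsec proposal md5_esp_null
authentication algorithm md5
encryption algorithm null
exit
security zone-pair trusted self
rule 100
action permit
match protocol any
match source-address any
match destination-address any
enable
exit
exit
"""

def parse(text):
    stack = [{"name": "root", "attrs": [], "children": []}]  # stack[0] is the root node
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "exit":
            stack = stack[:-1] or stack  # never pop the root on a stray exit
        elif BLOCK_RE.match(line):       # open a nested block
            stack[-1]["children"].append(node := {"name": line, "attrs": [], "children": []})
            stack.append(node)
        else:                            # attribute of the innermost open block
            stack[-1]["attrs"].append(line)
    return stack[0]

def audit(text):
    findings = []  # (block header, finding) pairs
    for node in parse(text)["children"]:
        name = node["name"]
        if " proposal " in name:
            for m in (re.match(r"(authentication|encryption) algorithm (\S+)$", a) for a in node["attrs"]):
                if m and m[2] in WEAK[m[1]]:
                    findings.append((name, f"weak {m[1]} algorithm: {m[2]}"))
        elif name.startswith("security zone-pair"):
            for rule in node["children"]:
                if PERMIT_ALL <= set(rule["attrs"]):  # enabled permit any/any/any
                    findings.append((name, f"{rule['name']} permits all traffic"))
    return findings
```

Running `audit(SAMPLE)` reports the md5 and null algorithms of md5_esp_null and the permit-all rule 100 of the trusted-to-self zone-pair; a rule that lacks `enable` is not reported.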
Enable the DHCP relay:
ip dhcp-relay
Configure static routes to pass packets through the loopback interface:
ip route 172.31.0.0/21 192.168.7.3
ip route vrf ipsec1 192.168.15.54/32 188.237.154.24
ip route vrf ipsec1 100.64.0.0/31 188.237.154.24
ip route vrf ipsec1 10.128.0.0/16 188.237.154.24
ip route vrf ipsec1 10.129.0.0/16 188.237.154.24
ip route vrf ipsec1 10.130.0.0/16 188.237.154.24
ip route vrf ipsec1 10.131.0.0/16 188.237.154.24
ip route vrf ipsec1 10.12.20.0/28 188.237.154.24
ip route 10.100.0.0/16 192.168.7.3
wireless-controller
nas-ip-address 10.255.0.2
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip telnet server vrf ipsec1
ip ssh server
ip ssh server vrf ipsec1
clock timezone gmt +7
ntp enable
ntp server 101.0.0.24
prefer
exit