
...

vlan 5
  force-up
exit
vlan 6
  force-up
exit
vlan 7
  force-up
exit

Create the security zones:

...

Configure the security policies:

security zone-pair trusted self
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port redirect
    enable
  exit
exit
security zone-pair gre self
  rule 10
    action permit
    match protocol any
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
exit
security zone-pair user trusted
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol icmp
    match source-address any
    match destination-address any
    enable
  exit
  rule 11
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port any
    match destination-port ipsec_ports
    enable
  exit
  rule 12
    action permit
    match protocol esp
    match source-address any
    match destination-address any
    enable
  exit
  rule 13
    action permit
    match protocol gre
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
  rule 14
    action permit
    match protocol icmp
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
exit
security zone-pair trusted trusted
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair user untrusted
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair untrusted self
  rule 10
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair ipsec gre-vrf1
  rule 10
    action permit
    match protocol any
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
exit
security zone-pair gre-vrf1 ipsec
  rule 10
    action permit
    match protocol any
    match source-address gre_termination
    match destination-address ipsec_remote_address
    enable
  exit
exit
security zone-pair gre-vrf1 self
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit

Create the pool of addresses and parameters that are handed out to the access points (APs) via mode config:

address-assignment pool ipsec_pool_1
  ip prefix 172.31.0.0/21
  data-tunnel address 192.168.7.2
  management-tunnel address 192.168.7.1
exit

Configure the IKE proposals, policies and gateways:

security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit
security ike proposal dh1_sha1_aes128
  encryption algorithm aes128
exit
security ike policy psk_xauth1
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 88B11079B9014FAAF7B9
  authentication method xauth-psk-key
  authentication mode radius
  proposal dh1_md5_aes128
  proposal dh1_sha1_aes128
exit
security ike policy only_psk
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 88B11079B9014FAAF7B9
  proposal dh1_md5_aes128
exit
security ike gateway ike1_from_inet
  ike-policy psk_xauth1
  local address 188.237.154.25
  local network 192.168.7.0/29
  remote address any
  remote network dynamic pool ipsec_pool_1
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 10
exit
security ike gateway load_test
  ike-policy only_psk
  local address 188.237.154.25
  local network 192.168.7.0/29
  remote address any
  remote network 10.100.0.0/16
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 60
  dead-peer-detection timeout 180
exit
security ike gateway load_test_2
  ike-policy only_psk
  local address 192.168.108.171
  local network 192.168.7.0/29
  remote address any
  remote network 10.100.0.0/16
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 60
  dead-peer-detection timeout 180
exit
security

Configure the IPsec proposals, policies and VPNs. In the VPN settings we specify that the VPN runs in VRF ipsec1:

security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec proposal md5_esp_null
  authentication algorithm md5
  encryption algorithm null
exit
security ipsec proposal sha1_esp_null
  encryption algorithm null
exit
security ipsec policy vpn1_pol1
  proposal md5_aes128_esp
exit
security ipsec policy ipsec_pol2
  proposal md5_esp_null
exit
security ipsec policy ipsec_pol3
  proposal sha1_esp_null
exit
security ipsec policy ipsec_all_props
  proposal md5_esp_null
  proposal md5_aes128_esp
  proposal sha1_esp_null
exit
security ipsec vpn for_INET_1
  mode ike
  ip vrf forwarding ipsec1
  ike establish-tunnel by-request
  ike gateway ike1_from_inet
  ike ipsec-policy ipsec_pol2
exit
security ipsec vpn load_test
  mode ike
  ip vrf forwarding ipsec1
  ike establish-tunnel by-request
  ike gateway load_test
  ike ipsec-policy vpn1_pol1
  enable
exit
security ipsec vpn load_test_2
  mode ike
  ike establish-tunnel by-request
  ike gateway load_test_2
  ike ipsec-policy vpn1_pol1
exit
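As an added example, not part of the page's configuration, here is a small Python audit that parses an ESR-style config dump such as the one above and reports the points a reviewer would flag in the zone-pair policies and in the IKE/IPsec proposals: rules that permit any protocol from any source to any destination (on this page trusted to self, gre-vrf1 to self, user to untrusted and trusted to untrusted), proposals built on MD5 integrity or the null cipher, and VPNs whose IPsec policy can negotiate null encryption, as for_INET_1 does via ipsec_pol2 and md5_esp_null (ESP then authenticates the packets but does not encrypt them). The embedded sample is a constructed, abridged copy of the configuration; the two-space nesting rule and the helper names (`parse`, `blocks`, `setting`, `audit`) are this script's assumptions about the dump format, not device features.

```python
"""Audit an Eltex ESR-style config dump for weak IKE/IPsec crypto and any/any zone-pair permits."""

# Constructed sample, abridged from the configuration on this page (not the page's own text).
SAMPLE = """\
security zone-pair trusted self
  rule 100
    action permit
    match protocol any
    match source-address any
    match destination-address any
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match destination-port dhcp_server
    enable
  exit
exit
security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec proposal md5_esp_null
  authentication algorithm md5
  encryption algorithm null
exit
security ipsec policy vpn1_pol1
  proposal md5_aes128_esp
exit
security ipsec policy ipsec_pol2
  proposal md5_esp_null
exit
security ipsec vpn for_INET_1
  ike ipsec-policy ipsec_pol2
exit
security ipsec vpn load_test
  ike ipsec-policy vpn1_pol1
exit
"""

def parse(text):
    """Tree from a 2-space-indented CLI dump: nesting follows indentation, 'exit' lines are skipped."""
    stack = [{"cmd": "", "kids": []}]              # stack[0] is a synthetic root, never popped
    for raw in text.splitlines():
        if raw.strip() in ("", "exit"):
            continue
        node = {"cmd": raw.strip(), "kids": []}
        del stack[(len(raw) - len(raw.lstrip())) // 2 + 1:]   # pop back to this line's parent
        stack[-1]["kids"].append(node)
        stack.append(node)
    return stack[0]["kids"]

def blocks(tree, prefix):
    """(name, node) pairs for top-level blocks 'prefix name'; name may be several words (zone-pairs)."""
    return [(n["cmd"][len(prefix) + 1:], n) for n in tree if n["cmd"].startswith(prefix + " ")]

def setting(node, key):
    """Value of the child line 'key value', or None when the device default is in effect."""
    return next((k["cmd"][len(key) + 1:] for k in node["kids"] if k["cmd"].startswith(key + " ")), None)

def weak_proposals(tree, kind):
    """Proposals (kind 'ike' or 'ipsec') using MD5/SHA-1 integrity or the null cipher."""
    out = {}
    for name, node in blocks(tree, f"security {kind} proposal"):
        auth = setting(node, "authentication algorithm")
        enc = setting(node, "encryption algorithm")
        issues = [f"auth {auth}"] if auth in {"md5", "sha1"} else []   # None (default) is not judged
        if enc == "null":
            issues.append("null encryption")
        if issues:
            out[name] = issues
    return out

def plaintext_vpns(tree):
    """VPNs whose IPsec policy offers a null-encryption proposal (peer can negotiate unencrypted ESP)."""
    props = dict(blocks(tree, "security ipsec proposal"))
    policies = dict(blocks(tree, "security ipsec policy"))
    hits = []
    for vpn, node in blocks(tree, "security ipsec vpn"):
        pol = policies.get(setting(node, "ike ipsec-policy"), {"kids": []})
        offered = [k["cmd"].split()[1] for k in pol["kids"] if k["cmd"].startswith("proposal ")]
        if any(setting(props[p], "encryption algorithm") == "null" for p in offered if p in props):
            hits.append(vpn)
    return hits

def any_any_permits(tree):
    """Enabled rules permitting any protocol from any source to any destination, per zone-pair."""
    broad = {"action permit", "match protocol any", "match source-address any",
             "match destination-address any", "enable"}
    return [f"{pair} {rule['cmd']}" for pair, node in blocks(tree, "security zone-pair")
            for rule in node["kids"] if broad <= {k["cmd"] for k in rule["kids"]}]

def audit(text):
    tree = parse(text)
    return {"weak_ike": weak_proposals(tree, "ike"), "weak_ipsec": weak_proposals(tree, "ipsec"),
            "plaintext_vpns": plaintext_vpns(tree), "any_any": any_any_permits(tree)}
```

Run `audit(SAMPLE)` (or `audit(open("running-config").read())` on a real dump) and review each finding against the zone-pair's purpose: an any/any permit from `gre-vrf1` to `self` exposes every service on the device to the whole tunnel side, while a rule like `user self` that only admits DHCP stays silent. A proposal with no explicit `authentication algorithm` is reported as-is, because the device default is not visible in the dump and should be checked on the box rather than guessed.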

Enable the DHCP relay:

ip dhcp-relay

Configure static routes to forward packets through the loopback interface:

ip route 172.31.0.0/21 192.168.7.3
ip route vrf ipsec1 192.168.15.54/32 188.237.154.24
ip route vrf ipsec1 100.64.0.0/31 188.237.154.24
ip route vrf ipsec1 10.128.0.0/16 188.237.154.24
ip route vrf ipsec1 10.129.0.0/16 188.237.154.24
ip route vrf ipsec1 10.130.0.0/16 188.237.154.24
ip route vrf ipsec1 10.131.0.0/16 188.237.154.24
ip route vrf ipsec1 10.12.20.0/28 188.237.154.24
ip route 10.100.0.0/16 192.168.7.3

wireless-controller
  nas-ip-address 10.255.0.2
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip telnet server vrf ipsec1
ip ssh server
ip ssh server vrf ipsec1

clock timezone gmt +7

ntp enable
ntp server 101.0.0.24
  prefer
exit