Connecting three sites

In this configuration, each of the three offices connects to the Internet independently, while secure VPN connections are established between the offices. Each site uses an RTX1200 to build a highly secure VPN connection encrypted with IPsec.

VPN (IPsec) function with hardware processing as standard equipment

In networks within and between enterprises, security and high speed are essential. VPN (IPsec) provides data encryption and authentication, preventing "eavesdropping", "tampering" and "spoofing" of data and raising security. In the RTX1200, hardware processing of IPsec speeds up the Internet VPN, achieving a VPN throughput of up to 200 Mbit/s (bidirectional). This not only makes it easy to build a secure, high-speed multi-site network, but the higher communication speed also helps keep operating costs down.

RTX1200 (1) configuration example


LAN interface settings (using the LAN1 port)
ip lan1 address 192.168.1.1/24

WAN interface settings (direct fibre connection)
ip lan2 address (global address 1 provided by ISP1)
ip lan2 nat descriptor 1
ip route default gateway (gateway address 1 provided by ISP1)

NAT settings
nat descriptor type 1 masquerade
nat descriptor address outer 1 (global address 1)
nat descriptor masquerade static 1 1 192.168.1.1 udp 500
nat descriptor masquerade static 1 2 192.168.1.1 esp

DHCP settings
dhcp service server
dhcp scope 1 192.168.1.2-192.168.1.100/24

DNS settings
dns server (IP address of the DNS server specified by ISP1)
dns private address spoof on

VPN (IPsec) settings (common items)
ipsec auto refresh on

VPN (IPsec) settings for the connection to site 2
ipsec ike keepalive use 1 on
ipsec ike local address 1 192.168.1.1
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 (global address 2)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.2.0/24 gateway tunnel 1

VPN (IPsec) settings for the connection to site 3
ipsec ike keepalive use 2 on
ipsec ike local address 2 192.168.1.1
ipsec ike pre-shared-key 2 text (password 2)
ipsec ike remote address 2 any # Note 1
ipsec ike remote name 2 (name 1) # Note 1
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
tunnel select 2
ipsec tunnel 102
ipsec ike hash 2 sha
tunnel enable 2
ip route 192.168.3.0/24 gateway tunnel 2

Inbound filter settings
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.1.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008

Policy filter settings
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.1.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.1.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1660 reject-nolog * lan2 * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1730 static-pass-nolog * lan2 * * 104
ip policy filter 1900 pass-nolog * lan2 * * *
ip policy filter 1950 reject-nolog lan2 * * * *
ip policy filter 1960 static-pass-nolog * local * * 104
ip policy filter 1970 pass-log * lan1 * * 101
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1900 1130] 1950 [1970 1960] 1600 [1640 1650 1660 1630] 1700 [1710 1730] 2000
ip policy filter set enable 101

RTX1200 (2) configuration example


LAN interface settings (using the LAN1 port)
ip lan1 address 192.168.2.1/24

WAN interface settings (PPPoE dial-up, fixed IP address)
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname (ID for connecting to ISP2) (password for connecting to ISP2)
ppp lcp mru on 1454
ppp ipcp msext on
ip pp address (global address 2)
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
ip route default gateway pp 1

NAT settings
nat descriptor type 1 masquerade
nat descriptor address outer 1 (global address 2)
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp

DHCP settings
dhcp service server
dhcp scope 1 192.168.2.2-192.168.2.100/24

DNS settings
dns server (IP address of the DNS server specified by ISP2)
dns private address spoof on

VPN (IPsec) settings (common items)
ipsec auto refresh on

VPN (IPsec) settings for the connection to site 1
ipsec ike keepalive use 1 on
ipsec ike local address 1 192.168.2.1
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 (global address 1)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.1.0/24 gateway tunnel 1

VPN (IPsec) settings for the connection to site 3
ipsec ike keepalive use 2 on
ipsec ike local address 2 192.168.2.1
ipsec ike pre-shared-key 2 text (password 3)
ipsec ike remote address 2 any # Note 1
ipsec ike remote name 2 (name 2) # Note 1
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
tunnel select 2
ipsec tunnel 102
ipsec ike hash 2 sha
tunnel enable 2
ip route 192.168.3.0/24 gateway tunnel 2

Inbound filter settings
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.2.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1

Policy filter settings
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.2.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.2.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101

RTX1200 (3) configuration example


LAN interface settings (using the LAN1 port)
ip lan1 address 192.168.3.1/24

WAN interface settings (PPPoE dial-up, dynamic IP address)
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname (ID for connecting to ISP3) (password for connecting to ISP3)
ppp lcp mru on 1454
ppp ipcp msext on
ppp ipcp ipaddress on
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
ip route default gateway pp 1

NAT settings
nat descriptor type 1 masquerade
nat descriptor address outer 1 ipcp
nat descriptor masquerade static 1 1 192.168.3.1 udp 500
nat descriptor masquerade static 1 2 192.168.3.1 esp

DHCP settings
dhcp service server
dhcp scope 1 192.168.3.2-192.168.3.100/24

DNS settings
dns server pp 1
dns private address spoof on

VPN (IPsec) settings (common items)
ipsec auto refresh on

VPN (IPsec) settings for the connection to site 1
ipsec ike keepalive use 1 on
ipsec ike local name 1 (name 1) # Note 1
ipsec ike pre-shared-key 1 text (password 2)
ipsec ike remote address 1 (global address 1)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.1.0/24 gateway tunnel 1

VPN (IPsec) settings for the connection to site 2
ipsec ike keepalive use 2 on
ipsec ike local name 2 (name 2) # Note 1
ipsec ike pre-shared-key 2 text (password 3)
ipsec ike remote address 2 (global address 2)
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
tunnel select 2
ipsec tunnel 102
ipsec ike hash 2 sha
tunnel enable 2
ip route 192.168.2.0/24 gateway tunnel 2

Inbound filter settings
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.3.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1

Policy filter settings
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.3.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.3.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101

[Explanation of notes]

Note 1:
Because site 3 does not have a fixed IP address, aggressive mode is configured, so the peer is identified by name. Name 1 and Name 2 can be chosen freely.
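As an added example (not part of the original page and not Yamaha's own tooling), the following Python script parses the site 1 and site 3 configuration fragments above and cross-checks the peer settings that must agree before the tunnel can come up: the pre-shared keys, the fixed remote address against the peer's WAN address or, for the aggressive-mode tunnel of Note 1, the remote name against the peer's local name, and the tunnel route against the peer's LAN. The page's placeholders are replaced by constructed values, and tunnel n is assumed to use gateway n, as it does on this page.

```python
import ipaddress
import re
# Constructed stand-ins for the page's placeholders (TEST-NET address, dummy key, name "site3").
SITE1 = """ip lan1 address 192.168.1.1/24
ipsec ike pre-shared-key 2 text key2
ipsec ike remote address 2 any
ipsec ike remote name 2 site3
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
ip route 192.168.3.0/24 gateway tunnel 2"""
SITE3 = """ip lan1 address 192.168.3.1/24
ipsec ike local name 1 site3
ipsec ike pre-shared-key 1 text key2
ipsec ike remote address 1 203.0.113.1
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ip route 192.168.1.0/24 gateway tunnel 1"""

def parse(text, wan):
    """Collect the LAN prefix and per-gateway IKE, SA and route settings (tunnel n assumed to use gateway n, as on this page)."""
    site = {"lan": None, "wan": wan, "gw": {}}
    for line in text.splitlines():
        if m := re.match(r"ip lan1 address (\S+)", line):
            site["lan"] = ipaddress.ip_interface(m[1]).network
        elif m := re.match(r"ipsec ike (local name|pre-shared-key|remote address|remote name) (\d+) (?:text )?(\S+)", line):
            site["gw"].setdefault(m[2], {})[m[1]] = m[3]
        elif m := re.match(r"ipsec sa policy \d+ (\d+) esp (\S+)", line):
            site["gw"].setdefault(m[1], {})["cipher"] = m[2]
        elif m := re.match(r"ip route (\S+) gateway tunnel (\d+)", line):
            site["gw"].setdefault(m[2], {})["route"] = ipaddress.ip_network(m[1])
    return site

def check_pair(a, gw_a, b, gw_b):
    """Findings for gateway gw_a on site a whose peer is gateway gw_b on site b."""
    ga, gb = a["gw"][gw_a], b["gw"][gw_b]
    issues = []
    if ga.get("pre-shared-key") != gb.get("pre-shared-key"):
        issues.append("pre-shared keys differ")
    if ga.get("remote address") == "any":  # aggressive mode (Note 1): peer is identified by name
        if ga.get("remote name") != gb.get("local name"):
            issues.append("remote name does not match the peer's local name")
    elif ga.get("remote address") != b["wan"]:
        issues.append("remote address is not the peer's WAN address")
    if ga.get("route") != b["lan"]:
        issues.append("tunnel route does not match the peer's LAN")
    if ga.get("cipher") == "3des-cbc":
        issues.append("3des-cbc is a legacy cipher; prefer an AES suite")
    return issues
if __name__ == "__main__":
    s1, s3 = parse(SITE1, "203.0.113.1"), parse(SITE3, None)  # site 3 has no fixed address
    print(check_pair(s1, "2", s3, "1"), check_pair(s3, "1", s1, "2"))
```

Run against the three real configurations, the script is a quick way to catch a mistyped pre-shared key or a name mismatch on the aggressive-mode tunnel before looking at IKE negotiation logs.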
