USG and Juniper IPsec VPN Test Report

Product model: USG5000
Product name: Mid-range firewall
Testing organization: Huawei Technologies Co., Ltd.

Contents

I. Test objective
II. Test topology and IP addresses
III. Test process
  1. IPsec VPN configuration, main mode
  2. Command-line configuration
  3. IPsec VPN aggressive mode, central-site configuration
  4. Command-line configuration
IV. Test results

I. Test objective

Main function under test: IPsec VPN interoperation between the Huawei USG firewall and Juniper products. The data is held at the central site and every branch needs to access it. Branches connect in two main ways, one with a public network address and one with a dynamic IP address, so two VPN access methods are used: IPsec main mode and aggressive mode. The Huawei USG is the central site, and the Juniper device simulates the two different VPNs.

II. Test topology and IP addresses

III. Test process

1. IPsec VPN configuration, main mode

IPsec VPN test table

| Item | Local end | Peer end |
|---|---|---|
| Device name | USG5000 | Juniper |
| VPN mode | Company to company | Company to company |
| Negotiation mode | Main mode | Main mode |
| Pre-shared key | 123456 | 123456 |
| IKE phase | | |
| Authentication algorithm | MD5 | MD5 |
| Encryption algorithm | 3DES | 3DES |
| DH group | DH-Group2 | DH-Group2 |
| IPsec phase | | |
| Encapsulation mode | Tunnel mode | Tunnel mode |
| Security proposal | ESP | ESP |
| ESP encryption | MD5 | MD5 |
| ESP authentication | 3DES | 3DES |
| NAT traversal | no | no |
| Local subnet | 10.10.10.0/24 | 20.20.20.0/24 |

2. Command-line configuration

USG, DIS CUR output:

```
18:16:05  2013/06/28
#
 sysname USG
#
 l2tp domain suffix-separator
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 vlan batch 1
#
 firewall statistic system enable
#
 dns proxy enable
#
 license-
#
 runmode firewall
#
 update schedule ips daily 0:55
 update schedule av daily 0:
#
 web-manager enable
#
 user-manage web-authentication port 8888
#
 l2fwdfast enable
#
acl number 3000
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike peer ike28618347778
 pre-shared-key %$%$(up5*Gp|#mItg84&7mFOG5%$%$
 ike-proposal 1
 remote-address 192.168.20.1
 undo nat traversal
#
ipsec proposal prop28618347778
 esp encryption-algorithm 3des
#
ipsec policy ipsec2861834777 1 isakmp
 security acl 3000
 ike-peer ike28618347778
 proposal prop28618347778
 local-address 192.168.10.1
#
interface Vlanif1
 ip address 192.168.1.244 255.255.255.0
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Ethernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ipsec policy ipsec2861834777 auto-neg
#
interface Ethernet1/0/0
 portswitch
 port link-type access
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Ethernet1/0/0
 add interface Ethernet1/0/1
 add interface Ethernet1/0/2
 add interface Ethernet1/0/3
 add interface Ethernet1/0/4
 add interface Ethernet1/0/5
 add interface Ethernet1/0/6
 add interface Ethernet1/0/7
 add interface Vlanif1
#
firewall zone untrust
 set priority 5
 add interface Ethernet0/0/0
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$2yA9)!l,#gel;VwZ&OjaX%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
#
 nqa-jitter tag-version 1
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.10.2
#
 banner enable
#
user-interface con 0
user-interface tty 2
 authentication-mode password
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
 slb
#
 cwmp
#
```
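An added example, not part of the original report: a short Python check that splits configuration output like the one above into its `#`-separated stanzas and flags the IKE and IPsec proposal settings used in this test (3DES, MD5, DH group 2), which are considered weak today. The rule table is an assumed review policy, and the sample text is a constructed excerpt of the proposal stanzas shown above.

```python
import re

# Constructed excerpt: proposal stanzas copied from the USG configuration in this report.
SAMPLE = """#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ipsec proposal prop28618347778
 esp encryption-algorithm 3des
#
"""

# Assumed review policy (not from the report): stanza prefix -> {pattern: reason}.
WEAK = {
    "ike proposal": {r"^encryption-algorithm (3des|des)": "legacy IKE cipher",
                     r"^authentication-algorithm md5": "MD5 in IKE",
                     r"^dh group(1|2)$": "DH group of 1024 bits or less"},
    "ipsec proposal": {r"^esp encryption-algorithm (3des|des)": "legacy ESP cipher",
                       r"^esp authentication-algorithm md5": "MD5 in ESP"},
}

def stanzas(text):
    """Yield (header, body_lines) for each '#'-separated block of the output."""
    for block in re.split(r"^[ \t]*#[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(text):
    """Return (stanza header, offending line, reason) tuples."""
    findings = []
    for header, body in stanzas(text):
        rules = next((r for k, r in WEAK.items() if header.startswith(k)), {})
        findings += [(header, ln, why) for ln in body
                     for pat, why in rules.items() if re.search(pat, ln)]
        # No explicit line means the device default is in effect; confirm what it is.
        if header.startswith("ipsec proposal") and not any(
                ln.startswith("esp authentication-algorithm") for ln in body):
            findings.append((header, "", "ESP integrity algorithm not explicit"))
    return findings

if __name__ == "__main__":
    for header, line, why in audit(SAMPLE):
        print(f"{header}: {why} ({line or 'no line'})")
```

The same function can be run over the full saved configuration; stanzas with no entry in the rule table are skipped.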