July 28, 2020

Firewall IPsec rule direction: inbound

Firewall -> Rules -> IPsec

[SITE A][10.25.100.0/22] 
Allow Protocol IPv4 * Source 10.25.112.0/22 Port * to Destination 10.25.100.0/22 Port *

[SITE B][10.25.112.0/22]
Allow Protocol IPv4 * Source 10.25.100.0/22 Port * to Destination 10.25.112.0/22 Port *

Tunnel-based routing test, node A

[A][10.25.100.4]

[root@test ~]# ip route add 10.25.112.0/22 via 10.25.100.3 dev ens7 metric 101 proto static

[root@test ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=64 time=0.455 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=64 time=0.540 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=64 time=0.465 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=64 time=0.455 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 116ms
rtt min/avg/max/mdev = 0.455/0.478/0.540/0.044 ms
[root@test ~]#
[root@test ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=63 time=36.0 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=63 time=35.9 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 35.860/35.922/36.009/0.145 ms
[root@test ~]#

Tunnel-based routing test, node B

[B][10.25.112.4]

[root@test2 ~]# ip route add 10.25.100.0/22 via 10.25.112.3 dev ens7 metric 101 proto static

[root@test2 ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=64 time=0.573 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=64 time=0.558 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=64 time=0.458 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=64 time=0.469 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 93ms
rtt min/avg/max/mdev = 0.458/0.514/0.573/0.056 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=63 time=35.9 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=63 time=35.8 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=63 time=35.7 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=63 time=35.7 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 35.663/35.783/35.947/0.170 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.4
PING 10.25.100.4 (10.25.100.4) 56(84) bytes of data.
64 bytes from 10.25.100.4: icmp_seq=1 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=2 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=3 ttl=62 time=36.3 ms
64 bytes from 10.25.100.4: icmp_seq=4 ttl=62 time=36.5 ms

--- 10.25.100.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 36.300/36.448/36.535/0.162 ms
[root@test2 ~]#

Both node A and node B need a static route configured; routing must be bidirectional before the nodes can communicate.
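As an added check, not part of the original post, the Python script below parses the two site-to-site IPsec rules and the two `ip route add` commands from the post and verifies the bidirectional requirement: each site's inbound rule must admit the other site's subnet, and each host's static route to the remote subnet must point at a gateway inside its own subnet. The subnets, gateway addresses 10.25.100.3 and 10.25.112.3, and rule/route strings are copied from the post; the one-line rule format the parser expects is an assumption about how the rules were written down.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the two IPsec rules and the two route commands above.
SITE_A_RULE = "Allow Protocol IPv4 * Source 10.25.112.0/22 Port * to Destination 10.25.100.0/22 Port *"
SITE_B_RULE = "Allow Protocol IPv4 * Source 10.25.100.0/22 Port * to Destination 10.25.112.0/22 Port *"
SITE_A_ROUTE = "ip route add 10.25.112.0/22 via 10.25.100.3 dev ens7 metric 101 proto static"
SITE_B_ROUTE = "ip route add 10.25.100.0/22 via 10.25.112.3 dev ens7 metric 101 proto static"

SITE_A_NET = ipaddress.ip_network("10.25.100.0/22")
SITE_B_NET = ipaddress.ip_network("10.25.112.0/22")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    via: ipaddress.IPv4Address


def parse_rule(line: str) -> Rule:
    """Pull the source and destination networks out of a one-line firewall rule."""
    tokens = line.split()
    src = tokens[tokens.index("Source") + 1]
    dst = tokens[tokens.index("Destination") + 1]
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def parse_route(line: str) -> Route:
    """Pull destination and gateway out of an `ip route add <dst> via <gw> ...` command."""
    tokens = line.split()
    dst = tokens[tokens.index("add") + 1]
    via = tokens[tokens.index("via") + 1]
    return Route(ipaddress.ip_network(dst), ipaddress.ip_address(via))


def check_site_pair(rule_a, rule_b, route_a, route_b, net_a, net_b):
    """Return a list of problems; an empty list means rules and routes are consistent."""
    problems = []
    # The inbound IPsec rule on each side must admit the *other* site's subnet.
    if (rule_a.src, rule_a.dst) != (net_b, net_a):
        problems.append("site A IPsec rule does not allow B -> A")
    if (rule_b.src, rule_b.dst) != (net_a, net_b):
        problems.append("site B IPsec rule does not allow A -> B")
    # Each host needs a route to the remote subnet via a gateway in its own subnet;
    # without the return route on the far side, replies never come back.
    if route_a.dst != net_b or route_a.via not in net_a:
        problems.append("site A host route to B is missing or uses a non-local gateway")
    if route_b.dst != net_a or route_b.via not in net_b:
        problems.append("site B host route to A is missing or uses a non-local gateway")
    return problems


def audit(rule_a_txt, rule_b_txt, route_a_txt, route_b_txt, net_a, net_b):
    """Parse the text forms and run the consistency check."""
    return check_site_pair(parse_rule(rule_a_txt), parse_rule(rule_b_txt),
                           parse_route(route_a_txt), parse_route(route_b_txt),
                           net_a, net_b)


if __name__ == "__main__":
    print(audit(SITE_A_RULE, SITE_B_RULE, SITE_A_ROUTE, SITE_B_ROUTE, SITE_A_NET, SITE_B_NET))
```

With the values from the post the audit returns an empty list; pointing node B's route at node A's gateway, or leaving one side's rule out, produces a finding for that side.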

January 13, 2015

Router#conf t
Router(config)#class-map BLK_360CN
Router(config-cmap)#match protocol http host *360.cn*
Router(config-cmap)#exit
Router(config)#policy-map BLK_360CN
Router(config-pmap)#class BLK_360CN
Router(config-pmap-c)#drop
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface dialer 100
Router(config-if)#service-policy output BLK_360CN
Router#sh class-map
Class Map match-all BLK_360CN (id 1)
Match protocol  http host "*360.cn*"

Class Map match-any class-default (id 0)
Match any

Router#
Router#show policy-map interface dialer 200
Dialer200

Service-policy output: BLK_360CN

Class-map: BLK_360CN (match-all)
2708 packets, 2049602 bytes
5 minute offered rate 1000 bps, drop rate 1000 bps
Match: protocol http host "*360.cn*"
drop

Class-map: class-default (match-any)
275032 packets, 173524452 bytes
5 minute offered rate 2212000 bps, drop rate 0000 bps
Match: any
Router#show policy-map interface dialer 100
Dialer100

Service-policy output: BLK_360CN

Class-map: BLK_360CN (match-all)
4948 packets, 1523026 bytes
5 minute offered rate 3000 bps, drop rate 3000 bps
Match: protocol http host "*360.cn*"
drop

Class-map: class-default (match-any)
1925298 packets, 496629618 bytes
5 minute offered rate 1438000 bps, drop rate 0000 bps
Match: any
Router#
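To keep an eye on whether the drop policy is actually doing its job, the following Python script (an added example, not from the original post) parses `show policy-map interface` output into per-class counters and flags two conditions: a class with a `drop` action whose drop rate does not equal its offered rate, and a class without a `drop` action that is nevertheless dropping traffic. The sample text is constructed from the Dialer100 output above; the class names and counters come from the post.

```python
import re

# Constructed sample built from the "show policy-map interface dialer 100" output above.
SAMPLE = """\
Dialer100

Service-policy output: BLK_360CN

Class-map: BLK_360CN (match-all)
4948 packets, 1523026 bytes
5 minute offered rate 3000 bps, drop rate 3000 bps
Match: protocol http host "*360.cn*"
drop

Class-map: class-default (match-any)
1925298 packets, 496629618 bytes
5 minute offered rate 1438000 bps, drop rate 0000 bps
Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*)$")


def parse_policy_map(text):
    """Return {class_name: {...}} with counters, rates, match lines and drop action."""
    classes = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(2), "packets": 0, "bytes": 0,
                       "offered_bps": 0, "drop_bps": 0, "match": [], "drop": False}
            classes[m.group(1)] = current
            continue
        if current is None:          # header lines before the first class-map
            continue
        if (m := COUNT_RE.match(line)):
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := RATE_RE.search(line)):
            current["offered_bps"], current["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif (m := MATCH_RE.match(line)):
            current["match"].append(m.group(1).strip())
        elif line.strip() == "drop":
            current["drop"] = True
    return classes


def findings(classes):
    """Report classes whose drop behaviour does not match their configured action."""
    out = []
    for name, c in classes.items():
        if c["drop"] and c["offered_bps"] != c["drop_bps"]:
            out.append(f"{name}: drop action configured but offered {c['offered_bps']} bps "
                       f"!= dropped {c['drop_bps']} bps")
        if not c["drop"] and c["drop_bps"] > 0:
            out.append(f"{name}: {c['drop_bps']} bps dropped without a drop action")
    return out


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for name, c in parsed.items():
        print(name, c["packets"], "packets,", c["drop_bps"], "bps dropped")
    print(findings(parsed) or "no findings")
```

Feeding the script the output of several interfaces over time (for example from a scheduled `show` via SSH) turns the counters into a simple detection: a sudden gap between offered and dropped rate on the blocking class means the policy is no longer matching what it should.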

August 20, 2014

Router#sh run
Building configuration...

Current configuration : 4088 bytes
!
! Last configuration change at 06:56:36 UTC Tue Aug 19 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.50
ip dhcp excluded-address 192.168.200.1 192.168.200.50
ip dhcp excluded-address 192.168.150.1 192.168.150.50
ip dhcp excluded-address 192.168.200.66
!
ip dhcp pool 100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 202.96.134.133 202.96.128.68
lease 8
!
ip dhcp pool 200
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 202.96.134.133 202.96.128.68
lease 8
!
ip dhcp pool 150
network 192.168.150.0 255.255.255.0
default-router 192.168.150.1
dns-server 202.96.134.133 202.96.128.68
lease 8
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FGL18081058
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip accounting output-packets
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
ip policy route-map load
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map load
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map load
!
interface GigabitEthernet0/1.15
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map load
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map load
!
interface GigabitEthernet0/2
no ip address
ip accounting output-packets
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer100
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 20
ppp authentication pap callin
ppp chap hostname 075512345678@163.gd
ppp chap password 0 87654321
ppp pap sent-username 075512345678@163.gd password 0 87654321
!
interface Dialer200
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer-group 22
ppp authentication pap callin
ppp chap hostname 075587654321@163.gd
ppp chap password 0 12345678
ppp pap sent-username 075587654321@163.gd password 0 12345678
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface Dialer100 overload
ip nat inside source list 15 interface Dialer100 overload
ip nat inside source list 20 interface Dialer200 overload
ip route 0.0.0.0 0.0.0.0 Dialer100
ip route 0.0.0.0 0.0.0.0 Dialer200
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 15 permit 192.168.150.0 0.0.0.255
access-list 20 permit 192.168.200.0 0.0.0.255
dialer-list 20 protocol ip permit
dialer-list 22 protocol ip permit
!
route-map load permit 100
match ip address 10
set default interface Dialer100
!
route-map load permit 200
match ip address 20
set default interface Dialer200
!
route-map load permit 300
match ip address 15
set default interface Dialer100
!
!
!
control-plane
!
!
!
line con 0
password cisco
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0
password cisco
login
transport input all
line vty 1 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
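In this configuration each inside subnet is tied to a WAN dialer twice: once by an `ip nat inside source list ... interface Dialer...` statement and once by a `route-map load` clause. Because there are two equal default routes, the route-map is what decides which dialer a subnet leaves on, and the NAT statement only translates packets that leave on the dialer it names; if the two disagree, traffic from that subnet exits with its private source address and is dropped upstream. The Python script below is an added example, not part of the original post: it parses the relevant lines of the running-config above (copied into a constructed string) and reports any ACL whose NAT dialer differs from its policy-routing dialer, or that has one of the two statements missing.

```python
import re

# Constructed excerpt of the running-config above: the lines that tie each
# inside subnet (by ACL number) to a WAN dialer.
CONFIG = """\
ip nat inside source list 10 interface Dialer100 overload
ip nat inside source list 15 interface Dialer100 overload
ip nat inside source list 20 interface Dialer200 overload
ip route 0.0.0.0 0.0.0.0 Dialer100
ip route 0.0.0.0 0.0.0.0 Dialer200
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 15 permit 192.168.150.0 0.0.0.255
access-list 20 permit 192.168.200.0 0.0.0.255
!
route-map load permit 100
 match ip address 10
 set default interface Dialer100
!
route-map load permit 200
 match ip address 20
 set default interface Dialer200
!
route-map load permit 300
 match ip address 15
 set default interface Dialer100
!
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) interface (\S+) overload$")
RM_RE = re.compile(r"^route-map (\S+) permit (\d+)$")
MATCH_RE = re.compile(r"^\s*match ip address (\d+)$")
SET_RE = re.compile(r"^\s*set default interface (\S+)$")


def parse_config(text):
    """Return (acls, nat, pbr): ACL definitions, ACL->NAT dialer, ACL->PBR dialer."""
    acls, nat, pbr = {}, {}, {}
    in_route_map, current_acl = False, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := ACL_RE.match(line)):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif (m := NAT_RE.match(line)):
            nat[m.group(1)] = m.group(2)
        elif RM_RE.match(line):
            in_route_map, current_acl = True, None
        elif in_route_map and (m := MATCH_RE.match(line)):
            current_acl = m.group(1)
        elif in_route_map and current_acl and (m := SET_RE.match(line)):
            pbr[current_acl] = m.group(1)
        elif line == "!":                     # section separator ends a route-map clause
            in_route_map, current_acl = False, None
    return acls, nat, pbr


def nat_pbr_mismatches(acls, nat, pbr):
    """List ACLs whose NAT egress and policy-routed egress do not agree."""
    problems = []
    for acl in sorted(set(acls) | set(nat) | set(pbr)):
        net = acls[acl][0] if acl in acls else "<undefined>"
        if acl not in acls:
            problems.append(f"ACL {acl} is referenced but never defined")
        if acl not in nat:
            problems.append(f"ACL {acl} ({net}) has no NAT statement: would leave with a private source")
        elif acl not in pbr:
            problems.append(f"ACL {acl} ({net}) is NATed but not policy-routed: egress follows the default routes")
        elif nat[acl] != pbr[acl]:
            problems.append(f"ACL {acl} ({net}) NATs via {nat[acl]} but is policy-routed via {pbr[acl]}")
    return problems


if __name__ == "__main__":
    print(nat_pbr_mismatches(*parse_config(CONFIG)) or "NAT and PBR agree for every ACL")
```

For the config in the post the check passes: ACLs 10 and 15 go out Dialer100 and ACL 20 goes out Dialer200 in both places. Changing a single dialer name on either side is enough to produce a finding, which is the kind of drift a periodic config audit should catch.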