
LAN-to-LAN VPN with overlapping addresses (DIP)


南京捷荣科技有限公司 WWW.ESAFEZONE.CN

LAN-to-LAN VPN configuration (overlapping address space)
Implemented using DIP mapping:
Topology diagram:

The ethernet3 interface of NetScreen B has a dynamically obtained public address, while the ethernet3 interface of NetScreen A has a fixed public address.

Lab environment:

NetScreen A
Name        IP/Netmask         Zone     Type    Link
ethernet1   192.168.160.1/24   Trust    Layer3  up
ethernet2   0.0.0.0/0          DMZ      Layer3  down
ethernet3   218.94.100.12      Untrust  Layer3  up
ethernet4   0.0.0.0/0          Null     Unused  down
tunnel.2    10.10.1.1/24       Untrust  Tunnel  ready

NetScreen B
Name        IP/Netmask         Zone     Type    Link
ethernet1   192.168.160.1/24   Trust    Layer3  up
ethernet2   0.0.0.0/0          DMZ      Layer3  down
ethernet3   222.95.52.21/32    Untrust  Layer3  up
ethernet4   192.168.3.1/24     Trust    Layer3  up
tunnel.1    10.20.1.1/24       Untrust  Tunnel  ready

TEL:025-84819660 FAX:025-84812129

84819661

84812185


WebUI (NetScreen-A)
1. Configure the interfaces:
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 192.168.160.1/24
Select the following, then click OK:
    Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 218.94.100.12


Next, add a tunnel:
Network > Interfaces > New Tunnel IF: Enter the following, then click OK:
    Tunnel Interface Name: tunnel.1
    Zone (VR): Untrust (trust-vr)
    Fixed IP: (select)
    IP Address/Netmask: 10.10.1.1/24


Create the DIP mapping:
Network > Interfaces > tunnel.1 > Edit > DIP > New: Enter the following, then click OK:
    IP Address Range: 10.10.1.2 ~ 10.10.1.2


3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
    VPN Name: xiaoyuan_p1
    Security Level: Compatible
    Remote Gateway Type: Dynamic IP Address: (select), Peer ID: qc@qc.com
    Preshared Key: 123456789


Select the Advanced option:
    Mode (Initiator): select Aggressive


VPNs > AutoKey IKE > New: Enter the following, then click OK:
    VPN Name: xiaoyuan_p2
    Security Level: Compatible
    Remote Gateway: Predefined (select xiaoyuan_p1)


> Advanced: Enter the following advanced settings, then click Return to go back to the basic AutoKey IKE configuration page:
    Bind To: Tunnel Interface, tunnel.1
    Proxy-ID: (select)
    Local IP/Netmask: 10.10.1.0/24
    Remote IP/Netmask: 10.20.1.0/24
    Service: ANY


4. Routing
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
    Network Address/Netmask: 10.20.1.0/24
    Gateway: (select)
    Interface: tunnel.2
    Gateway IP Address: 0.0.0.0

Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
    Network Address/Netmask: 10.10.1.5/32
    Gateway: (select)
    Interface: interface1
    Gateway IP Address: 0.0.0.0


5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), Any
    Destination Address: Address Book Entry: (select), Any
    Service: any


Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), 192.168.160.0/24
    Destination Address: Address Book Entry: (select), 10.20.1.5/32
    Service: ANY
    Action: Permit
    Position at Top: (select)


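> Advanced: Enter the following advanced settings, then click Return to go back to the basic Policy configuration page:
    NAT: Source Translation: (select)
    (DIP on) select: 4 (10.10.1.2~10.10.1.2)/port-xlate
(With this option selected, outgoing traffic is automatically translated to an address from the DIP pool.)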


Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), 10.20.1.2/32
    Destination Address: Address Book Entry: (select), 10.10.1.5/32
    Service: any
    Action: Permit
    Position at Top: (select)


> Advanced: Enter the following advanced settings, then click Return to go back to the basic Policy configuration page:
    NAT: Destination Translation: (select)
    Translate to IP: 192.168.160.5


WebUI (NetScreen-B)
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 192.168.160.1/24
Select the following, then click OK:
    Interface Mode: NAT


Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:
    Zone Name: Untrust
    Obtain IP using PPPoE: (select)
(In this example the IP address is obtained automatically.)


Network > Interfaces > New Tunnel IF: Enter the following, then click OK:
    Tunnel Interface Name: tunnel.1
    Zone (VR): Untrust (trust-vr)
    Fixed IP: (select)
    IP Address/Netmask: 10.20.1.1/24


Create the DIP mapping:
Network > Interfaces > tunnel.1 > Edit > DIP > New: Enter the following, then click OK:
    IP Address Range: 10.20.1.2 ~ 10.20.1.2


2. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
    VPN Name: vpn_1
    Security Level: Compatible
    Remote Gateway Type: Static IP Address: (select), IP Address/Hostname: 218.94.100.12
    Preshared Key: 123456789
    Local ID: qc@qc.com


Select the Advanced option:
    Mode (Initiator): select Aggressive


VPNs > AutoKey IKE > New: Enter the following, then click OK:
    VPN Name: vpn_2
    Security Level: Compatible
    Remote Gateway: Predefined (select vpn_1)


> Advanced: Enter the following advanced settings, then click Return to go back to the basic AutoKey IKE configuration page:
    Bind To: Tunnel Interface, tunnel.1
    Proxy-ID: (select)
    Local IP/Netmask: 10.20.1.0/24
    Remote IP/Netmask: 10.10.1.0/24
    Service: ANY


3. Routing
Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
    Network Address/Netmask: 10.10.1.0/24
    Gateway: (select)
    Interface: tunnel.1
    Gateway IP Address: 0.0.0.0

Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:
    Network Address/Netmask: 10.20.1.5/32
    Gateway: (select)
    Interface: interface1
    Gateway IP Address: 0.0.0.0


4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), Any
    Destination Address: Address Book Entry: (select), Any
    Service: any


Policies > (From: Trust, To: Untrust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), 192.168.160.0/24
    Destination Address: Address Book Entry: (select), 10.10.1.5/32
    Service: ANY
    Action: Permit
    Position at Top: (select)


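> Advanced: Enter the following advanced settings, then click Return to go back to the basic Policy configuration page:
    NAT: Source Translation: (select)
    (DIP on) select: 4 (10.20.1.2~10.20.1.2)/port-xlate
(With this option selected, outgoing traffic is automatically translated to an address from the DIP pool.)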


Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:
    Source Address: Address Book Entry: (select), 10.10.1.2/32
    Destination Address: Address Book Entry: (select), 10.20.1.5/32
    Service: any
    Action: Permit
    Position at Top: (select)


> Advanced: Enter the following advanced settings, then click Return to go back to the basic Policy configuration page:
    NAT: Source Translation: (select) 192.168.160.5
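
The address translation that the two sets of policies above perform, as an added example that is not part of the original document: the Python below checks that the two firewalls' settings mirror each other and follows one packet from a host behind NetScreen B to 10.10.1.5. The dictionary layout, the key names and the host 192.168.160.20 are assumptions of this example, and it assumes both inbound policies translate the destination to 192.168.160.5, as the NetScreen-A step states.

```python
import ipaddress as ip

# Addresses copied from the WebUI steps on this page. The dict layout and
# key names are assumptions of this example, not a ScreenOS format.
SITES = {
    "A": dict(lan="192.168.160.0/24", dip="10.10.1.2", mapped="10.10.1.5",
              real="192.168.160.5", permit_src="10.20.1.2",
              proxy_local="10.10.1.0/24", proxy_remote="10.20.1.0/24"),
    "B": dict(lan="192.168.160.0/24", dip="10.20.1.2", mapped="10.20.1.5",
              real="192.168.160.5", permit_src="10.10.1.2",
              proxy_local="10.20.1.0/24", proxy_remote="10.10.1.0/24"),
}

def inside(addr, net):
    return ip.ip_address(addr) in ip.ip_network(net)

def check(sites):
    """Return a list of inconsistencies between the two peers' settings."""
    problems = []
    for name, peer in (("A", "B"), ("B", "A")):
        s, p = sites[name], sites[peer]
        if (s["proxy_local"], s["proxy_remote"]) != (p["proxy_remote"], p["proxy_local"]):
            problems.append(f"{name}: proxy-ID is not the mirror of {peer}'s")
        for key in ("dip", "mapped"):
            if not inside(s[key], s["proxy_local"]):
                problems.append(f"{name}: {key} {s[key]} outside local proxy-ID")
            if inside(s[key], s["lan"]):
                problems.append(f"{name}: {key} {s[key]} collides with the LAN")
        if p["permit_src"] != s["dip"]:
            problems.append(f"{peer}: inbound policy source is not {name}'s DIP")
    return problems

def trace(sites, origin, src, dst):
    """Follow one packet: (src, dst) as sent, inside the tunnel, and as delivered."""
    local, remote = sites[origin], sites["B" if origin == "A" else "A"]
    if not inside(src, local["lan"]) or dst != remote["mapped"]:
        raise ValueError("no Trust->Untrust VPN policy matches this packet")
    in_tunnel = (local["dip"], dst)              # source NAT to the DIP pool
    if in_tunnel[0] != remote["permit_src"]:
        raise ValueError("peer's Untrust->Trust policy would not match the packet")
    delivered = (in_tunnel[0], remote["real"])   # destination NAT on the peer
    return [(src, dst), in_tunnel, delivered]

if __name__ == "__main__":
    print(check(SITES) or "settings are consistent")
    for hop in trace(SITES, "B", "192.168.160.20", "10.10.1.5"):
        print("%-16s -> %s" % hop)
```

Neither LAN address appears inside the tunnel: the peer only ever sees the 10.10.1.0/24 and 10.20.1.0/24 addresses, which is what lets both sites keep 192.168.160.0/24.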


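Test result: After completing the settings above, type cmd in the Run dialog and press Enter. At the prompt in the window that opens, type:
    Ping 10.10.1.5
If the output shown in the figure below appears, the configuration has succeeded.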


At this point, the log on the NetScreen A firewall shows the following:
IKE<222.95.52.21> Phase 2 msg ID <b2a5718a>: Completed negotiations with SPI <f30dfec4>, tunnel ID <74>, and lifetime <3600> seconds/<0> KB.
IKE<222.95.52.21>: Received a notification message for DOI <1> <40001> <NOTIFY_NS_NHTB_INFORM>.
IKE<222.95.52.21> Phase 2 msg ID <b2a5718a>: Responded to the peer's first message.
IKE<222.95.52.21> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
IKE<222.95.52.21> Phase 1: Responder starts AGGRESSIVE mode negotiations.

This indicates that the LAN-to-LAN VPN tunnel has been established successfully.
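
The log check described above, as an added example that is not part of the original document: the Python below parses the IKE event lines shown on this page and reports, per peer, the Phase 1 mode and lifetime and the Phase 2 SAs, so an auditor can list which peers negotiate in Aggressive mode. The regular expressions are derived only from the lines on this page and are an assumption for any other log layout.

```python
import re

# Constructed sample: the IKE event lines shown on this page, one per line.
SAMPLE = """\
IKE<222.95.52.21> Phase 2 msg ID <b2a5718a>: Completed negotiations with SPI <f30dfec4>, tunnel ID <74>, and lifetime <3600> seconds/<0> KB.
IKE<222.95.52.21>: Received a notification message for DOI <1> <40001> <NOTIFY_NS_NHTB_INFORM>.
IKE<222.95.52.21> Phase 2 msg ID <b2a5718a>: Responded to the peer's first message.
IKE<222.95.52.21> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
IKE<222.95.52.21> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

P1_DONE = re.compile(r"IKE<(?P<peer>[^>]+)> Phase 1: Completed (?P<mode>\w+) mode "
                     r"negotiations with a <(?P<life>\d+)>-second lifetime")
P2_DONE = re.compile(r"IKE<(?P<peer>[^>]+)> Phase 2 msg ID <(?P<msg>\w+)>: Completed "
                     r"negotiations with SPI <(?P<spi>\w+)>, tunnel ID <(?P<tid>\d+)>, "
                     r"and lifetime <(?P<life>\d+)> seconds")

def summarize(text):
    """Map each peer to its Phase 1 mode and lifetime and its completed Phase 2 SAs."""
    peers = {}
    for line in text.splitlines():
        m1, m2 = P1_DONE.search(line), P2_DONE.search(line)
        m = m1 or m2
        if not m:
            continue  # negotiation-in-progress and notification lines carry no result
        entry = peers.setdefault(m["peer"],
                                 {"mode": None, "p1_lifetime": None, "sas": []})
        if m1:
            entry["mode"] = m1["mode"].lower()
            entry["p1_lifetime"] = int(m1["life"])
        else:
            entry["sas"].append({"spi": m2["spi"], "tunnel_id": int(m2["tid"]),
                                 "lifetime": int(m2["life"])})
    return peers

def aggressive_peers(summary):
    """Peers that completed Phase 1 in Aggressive mode and hold a Phase 2 SA."""
    return sorted(p for p, e in summary.items()
                  if e["mode"] == "aggressive" and e["sas"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    print("aggressive-mode peers with a tunnel up:", aggressive_peers(result))
```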

The figure below is a screenshot of the NetScreen A firewall log:
