Ниже скрипты для варианта двух DFL + IPsec, опубликованные ранее офисом D-Link.
Проверено - работает.
Частым камнем преткновения является то, что есть необходимость назначать явный IP адрес на туннель.
Код:
set Device Name=Firewall-1
set Interface Ethernet wan1 DHCPEnabled=No
set Address IP4Address InterfaceAddresses/wan1_ip Address=1.1.1.1
set Address IP4Address InterfaceAddresses/wan1net Address=1.1.1.0/24
set Address IP4Address InterfaceAddresses/dmz_ip Address=5.5.5.254
set Address IP4Address InterfaceAddresses/dmznet Address=5.5.5.0/24
add PSK ipsec-psk Type=ASCII PSKAscii=testtest
add Interface IPsecTunnel ipsec-if AuthMethod=PSK PSK=ipsec-psk IKEAlgorithms=Medium IPsecAlgorithms=Medium LocalNetwork=all-nets RemoteNetwork=all-nets RemoteEndpoint=1.1.1.254 AddRouteToRemoteNet=No AutoInterfaceNetworkRoute=No OriginatorIPType=Manual OriginatorIP=192.168.55.1
cc RoutingTable main
add Route Interface=ipsec-if Network=192.168.55.2
cc
add OSPFProcess as100 LogEnabled=Yes
cc OSPFProcess as100
add OSPFArea area0 AreaID=0.0.0.0
cc OSPFArea area0
add OSPFInterface ipsec-if Network=192.168.55.0/30 Type=Point-to-point
add OSPFInterface dmz
add OSPFNeighbor Interface=as100/area0/ipsec-if IPAddress=192.168.55.2
cc
add DynamicRoutingRule OSPFProcess=as100 From=OSPF LogEnabled=Yes Name=routing-from-OSPF-as100
cc DynamicRoutingRule 1(routing-from-OSPF-as100)
add DynamicRoutingRuleAddRoute Destination=main
cc
add Interface InterfaceGroup ipsec-dmz Members=ipsec-if,dmz
add IPRule Action=Allow SourceInterface=ipsec-dmz SourceNetwork=all-nets DestinationInterface=ipsec-dmz DestinationNetwork=all-nets Service=all_services Index=1 LogEnabled=Yes Name=ipsec-dmz-allow
set OSPFProcess as100 -disable
set OSPFProcess as100 -enable
Код:
set Device Name=Firewall-2
set Interface Ethernet wan1 DHCPEnabled=No
set Address IP4Address InterfaceAddresses/wan1_ip Address=1.1.1.254
set Address IP4Address InterfaceAddresses/wan1net Address=1.1.1.0/24
set Address IP4Address InterfaceAddresses/dmz_ip Address=55.55.55.254
set Address IP4Address InterfaceAddresses/dmznet Address=55.55.55.248/29
add PSK ipsec-psk Type=ASCII PSKAscii=testtest
add Interface IPsecTunnel ipsec-if AuthMethod=PSK PSK=ipsec-psk IKEAlgorithms=Medium IPsecAlgorithms=Medium LocalNetwork=all-nets RemoteNetwork=all-nets RemoteEndpoint=1.1.1.1 AddRouteToRemoteNet=No AutoInterfaceNetworkRoute=No OriginatorIPType=Manual OriginatorIP=192.168.55.2
cc RoutingTable main
add Route Interface=ipsec-if Network=192.168.55.1
cc
add OSPFProcess as100 LogEnabled=Yes
cc OSPFProcess as100
add OSPFArea area0 AreaID=0.0.0.0
cc OSPFArea area0
add OSPFInterface ipsec-if Network=192.168.55.0/30 Type=Point-to-point
add OSPFInterface dmz
add OSPFNeighbor Interface=as100/area0/ipsec-if IPAddress=192.168.55.1
cc
add DynamicRoutingRule OSPFProcess=as100 From=OSPF LogEnabled=Yes Name=routing-from-OSPF-as100
cc DynamicRoutingRule 1(routing-from-OSPF-as100)
add DynamicRoutingRuleAddRoute Destination=main
cc
add Interface InterfaceGroup ipsec-dmz Members=ipsec-if,dmz
add IPRule Action=Allow SourceInterface=ipsec-dmz SourceNetwork=all-nets DestinationInterface=ipsec-dmz DestinationNetwork=all-nets Service=all_services Index=1 LogEnabled=Yes Name=ipsec-dmz-allow
set OSPFProcess as100 -disable
set OSPFProcess as100 -enable
_________________
Хотите хороший девайс? D-Link DFL!
Хотите считать с него трафик?
http://www.raresoftware.ru/products/lan/dfltc
Вход
Регистрация
FAQ
Поиск
