Huawei IPSec VPN site-to-site configuration
 
 
Firewall configuration approach:
1 Interface configuration
  1.1 Assign IP addresses to the interfaces
  1.2 Add the interfaces to security zones
2 Configure routing (towards the peer's communication point and encryption point); this case simply uses a default route
3 Configure IPSec
  3.1 Define the IPSec "interesting traffic" with an ACL; this is the data that IPSec must protect
  3.2 Create an IKE (Internet Key Exchange) proposal
  3.3 Create an IPSec security proposal
  3.4 Configure the IKE peer; this specifies which device the IPSec connection is established with, and references the IKE proposal
  3.5 Create the IPSec policy; this ties together the parameters configured above: it references the IPSec security proposal, the IKE peer (and through it the IKE proposal) and the defined "interesting traffic"
  3.6 Apply the IPSec policy on the outbound interface
4 Configure security policies
  Permit Local to Untrust and Untrust to Local traffic (UDP 500 and the ESP service)
  Permit Trust to Untrust and Untrust to Trust traffic (ports as the situation requires)
Firewall SH (Shanghai)
1 Configure interface addresses and add the interfaces to security zones
    <USG6000V2>system-view
    [USG6000V2]sysname SH
    [SH]undo info-center enable
    [SH]interface gigabitethernet 1/0/0
    [SH-GigabitEthernet1/0/0]ip address 1.1.1.2 24
    [SH-GigabitEthernet1/0/0]interface gigabitethernet 1/0/1
    [SH-GigabitEthernet1/0/1]ip address 172.16.0.1 24
    [SH-GigabitEthernet1/0/1]quit
    [SH]firewall zone trust
    [SH-zone-trust]add interface gigabitethernet 1/0/1
    [SH-zone-trust]firewall zone untrust
    [SH-zone-untrust]add interface gigabitethernet 1/0/0
    [SH-zone-untrust]quit
2 Configure routing (towards the peer's communication point and encryption point); done here with a default route
    [SH]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
3 Configure the IPSec VPN
3.1 Configure an ACL that defines the data flow IPSec must protect (interesting traffic)
    [SH]acl number 3000
    [SH-acl-adv-3000]step 20
    [SH-acl-adv-3000]rule 20 permit ip source 172.16.0.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
    [SH-acl-adv-3000]quit
3.2 Configure the IPSec security proposal (how the protected data is secured)
    [SH]ipsec proposal ZURKJ  //create a security proposal named ZURKJ
    [SH-ipsec-proposal-ZURKJ]encapsulation-mode tunnel  //use tunnel mode
    [SH-ipsec-proposal-ZURKJ]transform esp  //security protocol ESP; ESP encrypts, AH does not
    [SH-ipsec-proposal-ZURKJ]esp encryption-algorithm aes-256  //encryption algorithm AES-256
    [SH-ipsec-proposal-ZURKJ]esp authentication-algorithm sha2-256  //integrity algorithm SHA2-256
    The parameters above are in fact already the defaults of an IPSec security proposal; they are set explicitly here to show the main contents of a proposal.
3.3 Configure the IKE proposal (Internet Key Exchange)
    [SH]ike proposal 10  //create IKE proposal number 10
    [SH-ike-proposal-10]authentication-method pre-share  //authenticate with a pre-shared key
    [SH-ike-proposal-10]dh group14  //use DH group 14 for the key negotiation
    [SH-ike-proposal-10]quit
    (Both settings above are already the defaults and can be left unconfigured.)
3.4 Configure the IKE peer (specifies which device the IPSec connection is established with)
    [SH]ike peer HF  //IKE peer name
    [SH-ike-peer-HF]exchange-mode main  //use main mode to establish IPSec; use main mode when both ends have fixed IP addresses; if one end has no fixed IP, aggressive mode can be used (the default is main)
    [SH-ike-peer-HF]ike-proposal 10  //reference the IKE proposal
    [SH-ike-peer-HF]pre-shared-key Admin@zurkj  //configure the pre-shared key; it must be identical on both ends
    [SH-ike-peer-HF]local-id-type ip  //identify each other by IP address; a domain name can also be used (the default is IP)
    [SH-ike-peer-HF]remote-address 2.2.2.2  //IP address of the IPSec peer
    [SH-ike-peer-HF]quit
3.5 Configure the IPSec policy (ties the parameters configured above together)
    [SH]ipsec policy IPSEC 10 isakmp  //create an IPSec policy named IPSEC; 10 is the sequence number; isakmp means keys are negotiated and refreshed dynamically
    [SH-ipsec-policy-isakmp-IPSEC-10]ike-peer HF  //reference the IKE peer HF defined above
    [SH-ipsec-policy-isakmp-IPSEC-10]proposal ZURKJ  //reference the IPSec security proposal defined above
    [SH-ipsec-policy-isakmp-IPSEC-10]security acl 3000  //reference the interesting traffic defined above
    [SH-ipsec-policy-isakmp-IPSEC-10]quit
3.6 Apply the policy on the interface
    [SH]interface gigabitethernet 1/0/0
    [SH-GigabitEthernet1/0/0]ipsec policy IPSEC  //apply the IPSEC policy
    [SH-GigabitEthernet1/0/0]quit
    In short, the process is: build the parameter modules, reference them from one another, and finally apply IPSec on the outbound interface.
4 Configure security policies (permit the traffic)
    [SH]ip service-set ISAKMP type object  //create a custom service named ISAKMP
    [SH-object-service-set-ISAKMP]service protocol udp source-port 500 destination-port 500  //the port is UDP 500
    [SH-object-service-set-ISAKMP]quit
    [SH]security-policy  //security policy
    [SH-policy-security]rule name IPSEC  //rule named IPSEC
    [SH-policy-security-rule-IPSEC]source-zone local untrust  //source zones
    [SH-policy-security-rule-IPSEC]destination-zone untrust local  //destination zones
    [SH-policy-security-rule-IPSEC]source-address 1.1.1.2 32  //source IP (SH's own public address)
    [SH-policy-security-rule-IPSEC]destination-address 2.2.2.2 32  //destination IP
    [SH-policy-security-rule-IPSEC]source-address 2.2.2.2 32
    [SH-policy-security-rule-IPSEC]destination-address 1.1.1.2 32
    [SH-policy-security-rule-IPSEC]service ISAKMP  //reference the ISAKMP service
    [SH-policy-security-rule-IPSEC]service esp  //ESP service
    [SH-policy-security-rule-IPSEC]action permit  //action: permit
    [SH-policy-security-rule-IPSEC]quit
    [SH-policy-security]quit
    [SH]security-policy
    [SH-policy-security]rule name T-U
    [SH-policy-security-rule-T-U]source-zone trust
    [SH-policy-security-rule-T-U]destination-zone untrust
    [SH-policy-security-rule-T-U]action permit
    [SH-policy-security-rule-T-U]quit
    [SH-policy-security]rule name U-T
    [SH-policy-security-rule-U-T]source-zone untrust
    [SH-policy-security-rule-U-T]destination-zone trust
    [SH-policy-security-rule-U-T]action permit
    [SH-policy-security-rule-U-T]quit
    [SH-policy-security]quit
Firewall HF (Hefei)
Interfaces
    <USG6000V2>system-view
    [USG6000V2]sysname HF
    [HF]undo info-center enable
    [HF]interface gigabitethernet 1/0/0
    [HF-GigabitEthernet1/0/0]ip address 2.2.2.2 24
    [HF-GigabitEthernet1/0/0]interface gigabitethernet 1/0/1
    [HF-GigabitEthernet1/0/1]ip address 172.16.1.1 24
    [HF-GigabitEthernet1/0/1]quit
    [HF]firewall zone trust
    [HF-zone-trust]add interface gigabitethernet 1/0/1
    [HF-zone-trust]firewall zone untrust
    [HF-zone-untrust]add interface gigabitethernet 1/0/0
    [HF-zone-untrust]quit
Route
    [HF]ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
Interesting traffic
    [HF]acl number 3000
    [HF-acl-adv-3000]step 20
    [HF-acl-adv-3000]rule 20 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
    [HF-acl-adv-3000]quit
IKE proposal
    [HF]ike proposal 10
    [HF-ike-proposal-10]authentication-method pre-share
    [HF-ike-proposal-10]dh group14
    [HF-ike-proposal-10]quit
IPSec security proposal
    [HF]ipsec proposal ZURKJ
    [HF-ipsec-proposal-ZURKJ]encapsulation-mode tunnel
    [HF-ipsec-proposal-ZURKJ]transform esp
    [HF-ipsec-proposal-ZURKJ]esp encryption-algorithm aes-256
    [HF-ipsec-proposal-ZURKJ]esp authentication-algorithm sha2-256
    [HF-ipsec-proposal-ZURKJ]quit
IKE peer
    [HF]ike peer SH
    [HF-ike-peer-SH]exchange-mode main
    [HF-ike-peer-SH]ike-proposal 10
    [HF-ike-peer-SH]pre-shared-key Admin@zurkj
    [HF-ike-peer-SH]local-id-type ip
    [HF-ike-peer-SH]remote-address 1.1.1.2
    [HF-ike-peer-SH]quit
IPSec policy
    [HF]ipsec policy IPSEC 10 isakmp
    [HF-ipsec-policy-isakmp-IPSEC-10]ike-peer SH
    [HF-ipsec-policy-isakmp-IPSEC-10]proposal ZURKJ
    [HF-ipsec-policy-isakmp-IPSEC-10]security acl 3000
    [HF-ipsec-policy-isakmp-IPSEC-10]quit
Security (traffic) policy
    [HF]ip service-set ISAKMP type object
    [HF-object-service-set-ISAKMP]service protocol udp source-port 500 destination-port 500
    [HF-object-service-set-ISAKMP]quit
    [HF]security-policy
    [HF-policy-security]rule name IPSEC
    [HF-policy-security-rule-IPSEC]source-zone local untrust
    [HF-policy-security-rule-IPSEC]destination-zone untrust local
    [HF-policy-security-rule-IPSEC]source-address 1.1.1.2 32
    [HF-policy-security-rule-IPSEC]destination-address 2.2.2.2 32
    [HF-policy-security-rule-IPSEC]source-address 2.2.2.2 32
    [HF-policy-security-rule-IPSEC]destination-address 1.1.1.2 32
    [HF-policy-security-rule-IPSEC]service ISAKMP
    [HF-policy-security-rule-IPSEC]service esp
    [HF-policy-security-rule-IPSEC]action permit
    [HF-policy-security-rule-IPSEC]quit
    [HF-policy-security]quit
    [HF]security-policy
    [HF-policy-security]rule name T-U
    [HF-policy-security-rule-T-U]source-zone trust
    [HF-policy-security-rule-T-U]destination-zone untrust
    [HF-policy-security-rule-T-U]action permit
    [HF-policy-security-rule-T-U]quit
    [HF-policy-security]rule name U-T
    [HF-policy-security-rule-U-T]source-zone untrust
    [HF-policy-security-rule-U-T]destination-zone trust
    [HF-policy-security-rule-U-T]action permit
    [HF-policy-security-rule-U-T]quit
    [HF-policy-security]quit
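Most site-to-site IKE failures come from the two halves of a configuration like the one above drifting apart (different pre-shared key, a remote-address that is not the peer's interface, an ACL that is not the mirror image, mismatched proposal algorithms). The following Python check is an added example, not part of the original article; it parses the fields that must agree between the SH and HF sides from constructed config excerpts built from the values above and reports every mismatch.

```python
import re
# Constructed excerpts (not the article's full transcripts) of the SH and HF USG6000V configs.
SH_CFG = """
ip address 1.1.1.2 24
ip address 172.16.0.1 24
rule 20 permit ip source 172.16.0.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
esp encryption-algorithm aes-256
esp authentication-algorithm sha2-256
dh group14
pre-shared-key Admin@zurkj
remote-address 2.2.2.2
"""
HF_CFG = """
ip address 2.2.2.2 24
ip address 172.16.1.1 24
rule 20 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
esp encryption-algorithm aes-256
esp authentication-algorithm sha2-256
dh group14
pre-shared-key Admin@zurkj
remote-address 1.1.1.2
"""

def parse(cfg):
    # Pull out the fields that must agree between two site-to-site peers.
    field = lambda pat: (re.findall(pat, cfg) or [None])[0]
    return {
        "addresses": set(re.findall(r"ip address (\S+) \d+", cfg)),
        "acl": field(r"permit ip source (\S+) (\S+) destination (\S+) (\S+)"),
        "enc": field(r"esp encryption-algorithm (\S+)"),
        "auth": field(r"esp authentication-algorithm (\S+)"),
        "dh": field(r"dh (\S+)"),
        "psk": field(r"pre-shared-key (\S+)"),
        "remote": field(r"remote-address (\S+)"),
    }
def check_pair(a, b):
    # Return a list of mismatches; an empty list means the two sides are consistent.
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared-key differs")
    for key in ("enc", "auth", "dh"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if x["remote"] not in y["addresses"]:
            problems.append(f"{name} remote-address {x['remote']} is not an interface address on the peer")
    # Interesting traffic must be the mirror image: A's source is B's destination and vice versa.
    if a["acl"] and b["acl"] and a["acl"] != b["acl"][2:] + b["acl"][:2]:
        problems.append("ACL 3000 is not mirrored")
    return problems
```

Run `check_pair(parse(SH_CFG), parse(HF_CFG))` on the two dumps; it returns an empty list for the configuration above and, for example, flags a remote-address pointing at the gateway 1.1.1.1 instead of the peer's 1.1.1.2.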