H3C IPsec VPN configuration guide
Posted 6 days ago

Firewall configuration approach:
ISP router
<H3C>system-view
[H3C]sysname ISP
[ISP]interface gigabitethernet 0/1
[ISP-GigabitEthernet0/1]ip address 200.1.1.1 24
[ISP-GigabitEthernet0/1]interface gigabitethernet 0/2
[ISP-GigabitEthernet0/2]ip address 200.1.2.1 24
[ISP-GigabitEthernet0/2]return
<ISP>save force
Firewall (headquarters, FW1)
1    Configure interface addresses and add the interfaces to security zones
<H3C>system-view
[H3C]sysname FW1
[FW1]interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 200.1.1.2 24
[FW1-GigabitEthernet1/0/3]manage ping inbound
[FW1-GigabitEthernet1/0/3]manage ping outbound
[FW1-GigabitEthernet1/0/3]interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]manage ping inbound
[FW1-GigabitEthernet1/0/2]manage ping outbound
[FW1-GigabitEthernet1/0/2]quit
[FW1]security-zone name trust  //create the Trust security zone
[FW1-security-zone-Trust]import interface gigabitethernet1/0/2
[FW1-security-zone-Trust]quit  //add the LAN interface to the zone
[FW1]security-zone name untrust  //create the Untrust security zone
[FW1-security-zone-Untrust]import interface gigabitethernet1/0/3
[FW1-security-zone-Untrust]quit  //add the WAN interface to the zone
2    Configure the default route
[FW1]ip route-static 0.0.0.0 0 200.1.1.1  //default route with the ISP gateway as next hop
3    Configure the NAT policy
[FW1]nat global-policy  //enter the NAT global policy
[FW1-nat-global-policy]rule name ipsec  //exempt IPsec traffic from NAT; this rule must precede the Easy IP rule because rules are matched in configuration order
[FW1-nat…-ipsec]source-zone trust  //source zone
[FW1-nat…-ipsec]destination-zone untrust  //destination zone
[FW1-nat-…ipsec]source-ip subnet 10.1.1.0 24  //source subnet
[FW1-nat-…ipsec]destination-ip subnet 10.1.2.0 24  //destination subnet
[FW1-nat…sec]action snat no-nat  //action: do not perform source NAT
[FW1-nat-global-policy-rule-nat44-ipsec]quit
[FW1-nat-global-policy]quit
[FW1]nat global-policy //enter the NAT global policy
[FW1-nat-global-policy]rule name internet  //all other LAN traffic to the Internet
[FW1-nat…-internet]source-zone trust
[FW1-nat…-internet]destination-zone untrust
[FW1-nat…-internet]source-ip subnet 10.1.1.0 24
[FW1-nat…ternet]action snat easy-ip  //action: translate the source address with Easy IP (the outgoing interface address)
[FW1-nat…t44-internet]quit
[FW1-nat-global-policy]quit
4    Configure the security (inter-zone) policy
[FW1]security-policy ip //permit Trust to Untrust
[FW1-security-policy-ip]rule 0 name t-u
[FW1-security-policy-ip-0-t-u]source-zone trust
[FW1-security-policy-ip-0-t-u]destination-zone untrust
[FW1-security-policy-ip-0-t-u]service any
[FW1-security-policy-ip-0-t-u]action pass
[FW1-security-policy-ip-0-t-u]quit
[FW1-security-policy-ip]quit
[FW1]security-policy ip //permit Untrust to Trust
[FW1-security-policy-ip]rule 1 name u-t
[FW1-security-policy-ip-1-u-t]source-zone untrust
[FW1-security-policy-ip-1-u-t]destination-zone trust
[FW1-security-policy-ip-1-u-t]service any
[FW1-security-policy-ip-1-u-t]action pass
[FW1-security-policy-ip-1-u-t]quit
[FW1-security-policy-ip]quit
[FW1]security-policy ip //permit Untrust to Local (IKE and ESP terminate on the firewall itself)
[FW1-security-policy-ip]rule 2 name u-l
[FW1-security-policy-ip-2-u-l]source-zone untrust
[FW1-security-policy-ip-2-u-l]destination-zone local
[FW1-security-policy-ip-2-u-l]service any
[FW1-security-policy-ip-2-u-l]action pass
[FW1-security-policy-ip-2-u-l]quit
[FW1-security-policy-ip]quit
[FW1]security-policy ip //permit Local to Untrust
[FW1-security-policy-ip]rule 3 name l-u
[FW1-security-policy-ip-3-l-u]source-zone local
[FW1-security-policy-ip-3-l-u]destination-zone untrust
[FW1-security-policy-ip-3-l-u]service any
[FW1-security-policy-ip-3-l-u]action pass
[FW1-security-policy-ip-3-l-u]quit
[FW1-security-policy-ip]quit

IPsec configuration procedure
1    Define the IPsec "interesting traffic" (the traffic to be protected)
[FW1]acl advanced 3001 //create advanced ACL 3001
[FW1-acl-ipv4-adv-3001]step 20
[FW1-acl-ipv4-adv-3001]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-acl-ipv4-adv-3001]quit
2    Configure the IKE proposal
[FW1]ike proposal 1 //create IKE proposal 1
[FW1-…]encryption-algorithm aes-cbc-128  //encryption algorithm
[FW1-…]authentication-method pre-share  //authentication method: pre-shared key
[FW1-…]authentication-algorithm sha  //authentication (integrity) algorithm: SHA-1
[FW1-ike-proposal-1]quit
3    Configure the IKE keychain (pre-shared key)
[FW1]ike keychain zurkj //create keychain zurkj
[FW1-ike-keychain-zurkj]pre-shared-key address 200.1.2.2 255.255.255.255 key simple zurkj.com //peer address 200.1.2.2 and pre-shared key zurkj.com ("simple" enters the key in plaintext)
[FW1-ike-keychain-zurkj]quit
4    Configure the IKE profile
[FW1]ike profile zurkj //create IKE profile zurkj
[FW1-…]keychain zurkj  //reference the keychain by its name (zurkj), not by the key value
[FW1-…]local-identity address 200.1.1.2  //identify the local end by its IP address
[FW1-ike-profile-zurkj]match remote identity address 200.1.2.2 255.255.255.255  //match the peer by its IP address
[FW1-ike-profile-zurkj]proposal 1  //use IKE proposal 1
[FW1-ike-profile-zurkj]quit
5    Configure the IPsec transform set
[FW1]ipsec transform-set zurkj  //create transform set zurkj
[FW1-…]protocol esp //security protocol ESP (default)
[FW1-…]encapsulation-mode tunnel  //tunnel-mode encapsulation (default)
[FW1-…]esp encryption-algorithm aes-cbc-128  //ESP encryption algorithm
[FW1-ipsec-transform-set-zurkj]esp authentication-algorithm sha1  //ESP authentication algorithm
[FW1-ipsec-transform-set-zurkj]quit
6    Configure the IPsec policy
[FW1]ipsec policy zurkj 10 isakmp
[FW1-ipsec-policy-isakmp-zurkj-10]transform-set zurkj
[FW1-ipsec-policy-isakmp-zurkj-10]security acl 3001
[FW1-ipsec-policy-isakmp-zurkj-10]local-address 200.1.1.2
[FW1-ipsec-policy-isakmp-zurkj-10]remote-address 200.1.2.2
[FW1-ipsec-policy-isakmp-zurkj-10]ike-profile zurkj
[FW1-ipsec-policy-isakmp-zurkj-10]quit
7    Apply the IPsec policy on the WAN interface
[FW1]interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3]ipsec apply policy zurkj  //the policy is referenced by its name, zurkj
[FW1-GigabitEthernet1/0/3]quit

The complete configuration scripts follow:
FW1 configuration script
security-zone name trust
import interface gigabitethernet 1/0/2
quit
security-zone name untrust
import interface gigabitethernet 1/0/3
quit
ip route-static 0.0.0.0 0 200.1.1.1
nat global-policy
rule name ipsec
source-zone trust
destination-zone untrust
source-ip subnet 10.1.1.0 24
destination-ip subnet 10.1.2.0 24
action snat no-nat
quit
quit
nat global-policy
rule name internet
source-zone trust
destination-zone untrust
source-ip subnet 10.1.1.0 24
action snat easy-ip
quit
quit
security-policy ip
rule 0 name t-u
source-zone trust
destination-zone untrust
service any
action pass
quit
quit
security-policy ip
rule 1 name u-t
source-zone untrust
destination-zone trust
service any
action pass
quit
quit
security-policy ip
rule 2 name u-l
source-zone untrust
destination-zone local
service any
action pass
quit
quit
security-policy ip
rule 3 name l-u
source-zone local
destination-zone untrust
service any
action pass
quit
quit
acl advanced 3001
step 20
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-method pre-share
quit
ike keychain zurkj
pre-shared-key address 200.1.2.2 255.255.255.255 key simple zurkj.com
quit
ike profile zurkj
keychain zurkj
local-identity address 200.1.1.2
match remote identity address 200.1.2.2 255.255.255.255
proposal 1
quit
ipsec transform-set zurkj
protocol esp
encapsulation-mode tunnel
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
quit
ipsec policy zurkj 10 isakmp
transform-set zurkj
security acl 3001
local-address 200.1.1.2
remote-address 200.1.2.2
ike-profile zurkj
quit
interface gigabitethernet 1/0/3
ipsec apply policy zurkj
quit
FW2 configuration script
system-view
sysname FW2
interface gigabitethernet 1/0/3
ip address 200.1.2.2 24
manage ping inbound
manage ping outbound
interface gigabitethernet 1/0/2
ip address 10.1.2.1 24
manage ping inbound
manage ping outbound
quit
security-zone name trust
import interface gigabitethernet 1/0/2
quit
security-zone name untrust
import interface gigabitethernet 1/0/3
quit
ip route-static 0.0.0.0 0 200.1.2.1
nat global-policy
rule name ipsec
source-zone trust
destination-zone untrust
source-ip subnet 10.1.2.0 24
destination-ip subnet 10.1.1.0 24
action snat no-nat
quit
quit
nat global-policy
rule name internet
source-zone trust
destination-zone untrust
source-ip subnet 10.1.2.0 24
action snat easy-ip
quit
quit
security-policy ip
rule 0 name t-u
source-zone trust
destination-zone untrust
service any
action pass
quit
quit
security-policy ip
rule 1 name u-t
source-zone untrust
destination-zone trust
service any
action pass
quit
quit
security-policy ip
rule 2 name u-l
source-zone untrust
destination-zone local
service any
action pass
quit
quit
security-policy ip
rule 3 name l-u
source-zone local
destination-zone untrust
service any
action pass
quit
quit
acl advanced 3001
step 20
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
quit
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-method pre-share
quit
ike keychain zurkj
pre-shared-key address 200.1.1.2 255.255.255.255 key simple zurkj.com
quit
ike profile zurkj
keychain zurkj
local-identity address 200.1.2.2
match remote identity address 200.1.1.2 255.255.255.255
proposal 1
quit
ipsec transform-set zurkj
protocol esp
encapsulation-mode tunnel
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
quit
ipsec policy zurkj 10 isakmp
transform-set zurkj
security acl 3001
local-address 200.1.2.2
remote-address 200.1.1.2
ike-profile zurkj
quit
interface gigabitethernet 1/0/3
ipsec apply policy zurkj
quit
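As an added example (not part of the original post), the following Python script renders the IKE/IPsec part of both sides of this tunnel from one parameter set and cross-checks the name references that are easy to get wrong by hand: the keychain name versus the key value, the policy name given to ipsec apply policy, and the peer address in the keychain versus remote-address. The addressing plan, interface and ACL number are taken from the post; the function names and the parameter dictionary are my own.

```python
# Constructed sample input: the addressing plan used in the post above.
SITE_A = dict(name="zurkj", local_wan="200.1.1.2", peer_wan="200.1.2.2",
              local_lan="10.1.1.0", peer_lan="10.1.2.0", psk="zurkj.com")

def render_site(s):
    """Render the IKE/IPsec part of one site's Comware 7 config (one command per line)."""
    n = s["name"]
    return [
        "acl advanced 3001",
        f" rule permit ip source {s['local_lan']} 0.0.0.255 destination {s['peer_lan']} 0.0.0.255",
        "ike proposal 1", " encryption-algorithm aes-cbc-128", " authentication-method pre-share",
        f"ike keychain {n}",
        f" pre-shared-key address {s['peer_wan']} 255.255.255.255 key simple {s['psk']}",
        f"ike profile {n}", f" keychain {n}", f" local-identity address {s['local_wan']}",
        f" match remote identity address {s['peer_wan']} 255.255.255.255", " proposal 1",
        f"ipsec transform-set {n}", " protocol esp", " encapsulation-mode tunnel",
        " esp encryption-algorithm aes-cbc-128", " esp authentication-algorithm sha1",
        f"ipsec policy {n} 10 isakmp", f" transform-set {n}", " security acl 3001",
        f" local-address {s['local_wan']}", f" remote-address {s['peer_wan']}", f" ike-profile {n}",
        "interface gigabitethernet 1/0/3", f" ipsec apply policy {n}",
    ]

def mirror(s):
    """Parameters for the peer site: swap local and peer fields, keep name, PSK and algorithms."""
    return dict(s, local_wan=s["peer_wan"], peer_wan=s["local_wan"],
                local_lan=s["peer_lan"], peer_lan=s["local_lan"])

# (definition prefix, reference prefix): the name after each reference must be defined.
REFS = [("ike keychain ", " keychain "), ("ike proposal ", " proposal "),
        ("ike profile ", " ike-profile "), ("ipsec transform-set ", " transform-set "),
        ("ipsec policy ", " ipsec apply policy "), ("acl advanced ", " security acl ")]

def check_refs(lines):
    """Return a list of problems: dangling names, or PSK peer address != remote-address."""
    problems = []
    for defn, ref in REFS:
        defined = {l[len(defn):].split()[0] for l in lines if l.startswith(defn)}
        for l in lines:
            if l.startswith(ref) and l[len(ref):].split()[0] not in defined:
                problems.append(f"{l.strip()!r} references an undefined {defn.strip()}")
    psk_peer = [l.split()[2] for l in lines if l.startswith(" pre-shared-key address ")]
    remote = [l.split()[1] for l in lines if l.startswith(" remote-address ")]
    if psk_peer != remote:
        problems.append(f"pre-shared-key address {psk_peer} does not match remote-address {remote}")
    return problems
```

render_site(SITE_A) gives the FW1 side and render_site(mirror(SITE_A)) the FW2 side; check_refs on either returns an empty list, while a rendering edited to say "keychain zurkj.com" or "ipsec apply policy 1" is reported as a dangling reference.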