USG Firewall IPSec VPN Configuration
Scenario
The company network consists of three parts: the headquarters area, the branch network, and the branch office. Users in the branch Trust zone and in the branch office must be able to reach the headquarters Trust zone, and the data in transit must be encrypted.
Step 1: Basic configuration
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 24
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface LoopBack 0
[R2-LoopBack0]ip address 10.0.2.2 24
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]interface LoopBack 0
[R3-LoopBack0]ip address 10.0.3.3 24
Configure the FW1 and FW2 firewalls
[USG2100]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ip address 10.0.10.1 24
[FW1-Ethernet2/0/0]interface Vlanif 1
[FW1-Vlanif1]undo ip address
[USG2100]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]ip address 10.0.200.1 24
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ip address 10.0.20.1 24 //note: as written this collides with R2 GigabitEthernet 0/0/2 (also 10.0.20.1); the later static route, IKE remote-address and tunnel source all assume FW2 is reachable as 10.0.20.2, so one of the two addresses must be changed and those references kept consistent with it
[FW2-Ethernet2/0/0]interface Vlanif 1
[FW2-Vlanif1]undo ip address
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW1-zone-untrust]undo add interface Ethernet0/0/0
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface Ethernet 2/0/0
[FW2-zone-untrust]undo add interface Ethernet0/0/0
[FW2-zone-untrust]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/0/0
Step 2: Configure interzone packet filtering
[FW1]firewall packet-filter default permit interzone trust untrust //allow the Trust zone to reach the Untrust zone
[FW1]firewall packet-filter default permit interzone local untrust //allow the firewall itself to exchange IKE/IPSec traffic with the Untrust zone
[FW2]firewall packet-filter default permit interzone trust untrust
[FW2]firewall packet-filter default permit interzone local untrust
Step 3: Configure routing
[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Step 4: Configure IPSec VPN
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255 //interesting traffic: HQ Trust subnet to branch Trust subnet
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255 //mirror image of FW1's rule; if the two ACLs are not mirrored, one direction never matches the policy
[FW1]ip route-static 10.0.200.0 24 10.0.10.2 //configure a static route to the remote subnet
[FW2]ip route-static 10.0.100.0 24 10.0.20.2
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1 //authentication algorithm SHA1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des //encryption algorithm DES (lab value; DES is obsolete and AES should be used outside the lab)
[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2 //configure the IKE peer: reference the IKE proposal, define the remote IP address and the pre-shared key
[FW1-ike-peer-fw12]pre-shared-key abcde //lab value; use a long random key in production, and it must be identical on both ends
[FW2]ike peer fw21
[FW2-ike-peer-fw21]ike-proposal 10
[FW2-ike-peer-fw21]remote-address 10.0.10.1
[FW2-ike-peer-fw21]pre-shared-key abcde
Bind the ACL, the IPSec proposal and the IKE peer together
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-map1-10]security acl 3000
[FW1-ipsec-policy-map1-10]proposal tran1
[FW1-ipsec-policy-map1-10]ike-peer fw12
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-map1-10]security acl 3000
[FW2-ipsec-policy-map1-10]proposal tran1
[FW2-ipsec-policy-map1-10]ike-peer fw21
[FW1]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1 //apply the IPSec policy on the outbound interface
[FW2]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1
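The two things that most often break a site-to-site tunnel in this lab are an ACL that is not the mirror image of the peer's and proposals that differ between the ends. The following Python check is an added example, not part of the original lab: it parses the `acl` and `ipsec proposal` lines of both firewalls (constructed samples embedded inline in the lab's own syntax, with FW2's ACL deliberately carrying a non-mirrored destination), reports unmirrored rules and proposal mismatches, and flags legacy algorithms such as DES and SHA1.

```python
import re

# Constructed samples in the lab's own syntax (not captured from a device).
# FW2's ACL is intentionally wrong: its destination is not FW1's source subnet.
FW1_CFG = """
acl 3000
rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm des
"""
FW2_CFG = """
acl 3000
rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm des
"""
# Algorithms that still appear in older lab material but should not be deployed today.
LEGACY = {"des", "3des", "md5", "sha1"}
RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
ALG = re.compile(r"esp (authentication|encryption)-algorithm (\S+)")


def parse(cfg):
    """Extract (src, src_wildcard, dst, dst_wildcard) rules and the ESP algorithms."""
    rules = [m.groups() for m in RULE.finditer(cfg)]
    algs = {m.group(1): m.group(2) for m in ALG.finditer(cfg)}
    return rules, algs


def check_pair(cfg_a, cfg_b):
    """Return findings for two peers: unmirrored ACL rules, proposal mismatch, legacy algorithms."""
    findings = []
    rules_a, algs_a = parse(cfg_a)
    rules_b, algs_b = parse(cfg_b)
    # A rule src->dst on side A must appear as dst->src on side B.
    mirrored_b = {(d, dw, s, sw) for (s, sw, d, dw) in rules_b}
    for rule in rules_a:
        if rule not in mirrored_b:
            findings.append("ACL rule not mirrored on peer: %s" % (rule,))
    if algs_a != algs_b:
        findings.append("proposal mismatch: %s vs %s" % (algs_a, algs_b))
    for side, algs in (("A", algs_a), ("B", algs_b)):
        for kind, alg in algs.items():
            if alg in LEGACY:
                findings.append("%s: legacy %s algorithm %s" % (side, kind, alg))
    return findings
```

Run `check_pair(FW1_CFG, FW2_CFG)` to see the unmirrored FW2 rule reported alongside the four legacy-algorithm findings; correcting FW2's destination to 10.0.100.0 clears the ACL finding.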
Step 5: Configure GRE over IPSec VPN
[FW2]interface Tunnel 2
[FW2-Tunnel2]tunnel-protocol gre
[FW2-Tunnel2]ip address 40.1.1.1 24
[FW2-Tunnel2]source 10.0.20.2
[FW2-Tunnel2]destination 10.0.23.3
[FW2-Tunnel2]quit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 2