USG Firewall IPSec VPN Configuration

Scenario

The company network is split into three parts: the headquarters, a branch network and a branch office. Users in the branch's Trust zone and in the branch office must be able to reach the headquarters' Trust zone, and the data in transit must be encrypted.

Step 1: Basic configuration

system-view

[Huawei]sysname R1

[R1]interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24

[R1-GigabitEthernet0/0/1]interface Serial 1/0/0

[R1-Serial1/0/0]ip address 10.0.12.1 24

[R1-Serial1/0/0]interface LoopBack 0

[R1-LoopBack0]ip address 10.0.1.1 24

[Huawei]sysname R2

[R2]interface GigabitEthernet 0/0/2

[R2-GigabitEthernet0/0/2]ip address 10.0.20.1 24

[R2-GigabitEthernet0/0/2]interface Serial 1/0/0

[R2-Serial1/0/0]ip address 10.0.12.2 24

[R2-Serial1/0/0]interface LoopBack 0

[R2-LoopBack0]ip address 10.0.2.2 24

[Huawei]sysname R3

[R3]interface Serial 2/0/0

[R3-Serial2/0/0]ip address 10.0.23.3 24

[R3-Serial2/0/0]interface LoopBack 0

[R3-LoopBack0]ip address 10.0.3.3 24

Configure firewalls FW1 and FW2

[FW1]interface Ethernet 0/0/0

[FW1-Ethernet0/0/0]ip address 10.0.100.1 24

[FW1-Ethernet0/0/0]interface Ethernet 2/0/0

[FW1-Ethernet2/0/0]ip address 10.0.10.1 24

[FW1-Ethernet2/0/0]interface Vlanif 1

[FW1-Vlanif1]undo ip address

system-view

[USG2100]sysname FW2

[FW2]interface Ethernet 0/0/0

[FW2-Ethernet0/0/0]ip address 10.0.200.1 24

[FW2-Ethernet0/0/0]interface Ethernet 2/0/0

[FW2-Ethernet2/0/0]ip address 10.0.20.2 24 //FW2 must own 10.0.20.2, the address FW1's IKE peer and the GRE tunnel source refer to below; R2 already holds 10.0.20.1 on this segment

[FW2-Ethernet2/0/0]interface Vlanif 1

[FW2-Vlanif1]undo ip address

Assign the interfaces to security zones: the WAN-facing Ethernet 2/0/0 goes into Untrust and the LAN-facing Ethernet 0/0/0 into Trust (it is first removed from Untrust, where it was previously assigned).

[FW1]firewall zone untrust

[FW1-zone-untrust]add interface Ethernet 2/0/0

[FW1-zone-untrust]undo add interface Ethernet 0/0/0

[FW1-zone-untrust]quit

[FW1]firewall zone trust

[FW1-zone-trust]add interface Ethernet 0/0/0

[FW2]firewall zone untrust

[FW2-zone-untrust]add interface Ethernet 2/0/0

[FW2-zone-untrust]undo add interface Ethernet 0/0/0

[FW2-zone-untrust]quit

[FW2]firewall zone trust

[FW2-zone-trust]add interface Ethernet 0/0/0

Step 2: Configure interzone packet filtering

[FW1]firewall packet-filter default permit interzone trust untrust //allow traffic between the Trust and Untrust zones

[FW1]firewall packet-filter default permit interzone local untrust //IKE (UDP 500) and ESP (IP protocol 50) terminate on the firewall itself, i.e. in the Local zone, so Local-Untrust must be open for the tunnel to come up

[FW2]firewall packet-filter default permit interzone trust untrust

[FW2]firewall packet-filter default permit interzone local untrust

A default permit between zones is lab shorthand. In production keep the interzone default at deny and open only the VPN traffic between Local and Untrust and the protected subnets between Trust and Untrust.

Step 3: Configure routing

[R1]ospf 1

[R1-ospf-1]area 0.0.0.0

[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255

[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255

[R2]ospf 1

[R2-ospf-1]area 0.0.0.0

[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255

[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255

[R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

[R3]ospf 1

[R3-ospf-1]area 0.0.0.0

[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255

[FW1]ospf 1

[FW1-ospf-1]area 0.0.0.0

[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255

[FW2]ospf 1

[FW2-ospf-1]area 0.0.0.0

[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

Step 4: Configure the IPSec VPN

Define the traffic to protect. The two ACLs must mirror each other: FW1 protects 10.0.100.0/24 -> 10.0.200.0/24, so FW2 must protect 10.0.200.0/24 -> 10.0.100.0/24. An ACL that does not mirror the peer's causes the SA negotiation to fail or only one direction of traffic to be encrypted.

[FW1]acl 3000

[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255

[FW2]acl 3000

[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255

[FW1]ip route-static 10.0.200.0 24 10.0.10.2 //static route for the peer's subnet via R1, so the traffic leaves through Ethernet 2/0/0 where the IPSec policy is applied

[FW2]ip route-static 10.0.100.0 24 10.0.20.1 //via R2

[FW1]ipsec proposal tran1

[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel

[FW1-ipsec-proposal-tran1]transform esp

[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1 //integrity algorithm SHA1

[FW1-ipsec-proposal-tran1]esp encryption-algorithm des //encryption algorithm DES

[FW2]ipsec proposal tran1

[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel

[FW2-ipsec-proposal-tran1]transform esp

[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1

[FW2-ipsec-proposal-tran1]esp encryption-algorithm des

[FW1]ike proposal 10

[FW1-ike-proposal-10]authentication-algorithm sha1

[FW1-ike-proposal-10]encryption-algorithm des

[FW2]ike proposal 10

[FW2-ike-proposal-10]authentication-algorithm sha1

[FW2-ike-proposal-10]encryption-algorithm des

DES (a 56-bit key) and SHA1 are legacy algorithms and appear here as lab settings only. On any firewall that supports them, use AES and a SHA-2 algorithm in both the IKE proposal and the IPSec proposal, and keep the settings identical on both peers, otherwise the negotiation fails.

[FW1]ike peer fw12

[FW1-ike-peer-fw12]ike-proposal 10 //bind the IKE proposal, then define the peer address and the pre-shared key

[FW1-ike-peer-fw12]remote-address 10.0.20.2

[FW1-ike-peer-fw12]pre-shared-key abcde //placeholder: use a long random key in production; it must be identical on both peers

[FW2]ike peer fw21

[FW2-ike-peer-fw21]ike-proposal 10

[FW2-ike-peer-fw21]remote-address 10.0.10.1

[FW2-ike-peer-fw21]pre-shared-key abcde

Bind the ACL, the IPSec proposal and the IKE peer into an IPSec policy

[FW1]ipsec policy map1 10 isakmp

[FW1-ipsec-policy-map1-10]security acl 3000

[FW1-ipsec-policy-map1-10]proposal tran1

[FW1-ipsec-policy-map1-10]ike-peer fw12

[FW2]ipsec policy map1 10 isakmp

[FW2-ipsec-policy-map1-10]security acl 3000

[FW2-ipsec-policy-map1-10]proposal tran1

[FW2-ipsec-policy-map1-10]ike-peer fw21

[FW1]interface Ethernet 2/0/0

[FW1-Ethernet2/0/0]ipsec policy map1 //apply the policy to the WAN-facing interface

[FW2]interface Ethernet 2/0/0

[FW2-Ethernet2/0/0]ipsec policy map1
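Two mistakes in this step fail silently, or only show up as a cryptic negotiation error: the two security ACLs not mirroring each other, and weak or mismatched algorithms. The audit script below is an added example, not part of the article or of Huawei's tooling. It parses minimal VRP-style config text constructed from the FW1/FW2 commands above; the constructed FW2 ACL deliberately has 10.0.200.0 as both source and destination, a typical copy-paste slip, so the mirror check has something to catch. The config text, the WEAK_ALGORITHMS list and the 16-character key minimum are this example's assumptions.

```python
"""Sanity-check a pair of Huawei VRP site-to-site IPSec configurations.

Added example, not from the original article. The configs below are constructed
from the FW1/FW2 commands above; FW2's ACL deliberately has identical source and
destination so the mirror check fires. WEAK_ALGORITHMS and MIN_PSK_LEN are this
example's own policy, not VRP limits."""
import re

FW1_CONF = """\
interface Ethernet2/0/0
 ip address 10.0.10.1 24
 ipsec policy map1
acl 3000
 rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm des
ike proposal 10
 authentication-algorithm sha1
 encryption-algorithm des
ike peer fw12
 ike-proposal 10
 remote-address 10.0.20.2
 pre-shared-key abcde
"""

FW2_CONF = """\
interface Ethernet2/0/0
 ip address 10.0.20.2 24
 ipsec policy map1
acl 3000
 rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm des
ike proposal 10
 authentication-algorithm sha1
 encryption-algorithm des
ike peer fw21
 ike-proposal 10
 remote-address 10.0.10.1
 pre-shared-key abcde
"""

WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}  # legacy: prefer AES and SHA-2
MIN_PSK_LEN = 16  # example policy, not a VRP limit


def acl_rules(conf):
    """(source, destination) network pairs of every 'rule permit ip' line."""
    pat = r"rule(?:\s+\d+)?\s+permit\s+ip\s+source\s+(\S+)\s+\S+\s+destination\s+(\S+)\s+\S+"
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, conf)]


def algorithms(conf):
    """Every '...-algorithm <value>' line (ESP and IKE) as {keyword: value}."""
    return {m.group(1): m.group(2).lower() for m in
            re.finditer(r"^\s*((?:esp )?\w+-algorithm)\s+(\S+)", conf, re.M)}


def setting(conf, keyword):
    """Value of the first '<keyword> <value>' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(keyword)}\s+(\S+)", conf, re.M)
    return m.group(1) if m else None


def ipsec_bound_address(conf):
    """IP address of the interface carrying 'ipsec policy', or None."""
    current, addr, bound = None, {}, []
    for line in conf.splitlines():
        if not line.startswith(" "):  # a top-level command ends the interface block
            current = line.split()[1] if line.startswith("interface ") else None
        elif current and line.strip().startswith("ip address "):
            addr[current] = line.split()[2]
        elif current and line.strip().startswith("ipsec policy "):
            bound.append(current)
    return next((addr[i] for i in bound if i in addr), None)


def audit(name, local, peer_name, peer):
    """Findings for one side, checked against the other side's config."""
    findings = []
    peer_rules = set(acl_rules(peer))
    for src, dst in acl_rules(local):
        if src == dst:
            findings.append(f"{name} ACL: source and destination are both {src}")
        if (dst, src) not in peer_rules:  # the peer must protect the reverse flow
            findings.append(f"{name} ACL: {src} -> {dst} has no mirror rule on {peer_name}")
    for keyword, alg in algorithms(local).items():
        if alg in WEAK_ALGORITHMS:
            findings.append(f"{name}: weak {keyword} {alg}")
    psk = setting(local, "pre-shared-key")
    if psk is None or len(psk) < MIN_PSK_LEN:
        findings.append(f"{name}: pre-shared key missing or shorter than {MIN_PSK_LEN} chars")
    if setting(local, "remote-address") != ipsec_bound_address(peer):
        findings.append(f"{name}: remote-address is not {peer_name}'s IPSec-bound interface")
    return findings


def audit_pair(fw1, fw2):
    """Check both directions of the tunnel and return all findings."""
    return audit("FW1", fw1, "FW2", fw2) + audit("FW2", fw2, "FW1", fw1)


if __name__ == "__main__":
    for finding in audit_pair(FW1_CONF, FW2_CONF):
        print(finding)
```

Run against `display current-configuration` output from both firewalls (saved to two files and read into the two strings), the mirror check catches the reversed-ACL slip before the tunnel is brought up, and the algorithm and key checks make the lab-grade DES/SHA1/abcde settings visible in a form that can gate a change in CI.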

Step 5: Configure GRE over IPSec VPN

[FW2]interface Tunnel 2

[FW2-Tunnel2]tunnel-protocol gre

[FW2-Tunnel2]ip address 40.1.1.1 24

[FW2-Tunnel2]source 10.0.20.2 //FW2's WAN-facing address

[FW2-Tunnel2]destination 10.0.23.3 //R3's Serial 2/0/0

[FW2-Tunnel2]quit

[FW2]firewall zone untrust

[FW2-zone-untrust]add interface Tunnel 2
