USG Firewall IPSec VPN Configuration
Group Standardization Working Group
Scenario
The company network consists of three parts: the headquarters, the branch network and the branch office. Users in the branch Trust zone and in the branch office must be able to reach the headquarters Trust zone, and the data in transit must be encrypted.
Step 1: Basic configuration
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 24
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 24
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 24
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 24
[R2-GigabitEthernet0/0/2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 24
[R2-Serial1/0/0]interface loopback 0
[R2-LoopBack0]ip address 24
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 24
[R3-Serial2/0/0]interface loopback 0
[R3-LoopBack0]ip address 24
Configure firewalls FW1 and FW2
[USG2100]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ip address 24
[FW1-Ethernet2/0/0]interface vlanif 1
[FW1-Vlanif1]undo ip address
[USG2100]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]ip address 24
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ip address 24
[FW2-Ethernet2/0/0]interface vlanif 1
[FW2-Vlanif1]undo ip address
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW1-zone-untrust]undo add interface Ethernet0/0/0
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface Ethernet 2/0/0
[FW2-zone-untrust]undo add interface Ethernet0/0/0
[FW2-zone-untrust]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/0/0
Step 2: Configure interzone security filtering
[FW1]firewall packet-filter default permit interzone trust untrust // permit the trust zone to access the untrust zone
[FW1]firewall packet-filter default permit interzone local untrust
[FW2]firewall packet-filter default permit interzone trust untrust
[FW2]firewall packet-filter default permit interzone local untrust
Step 3: Configure routing
[R1]ospf 1
[R1-ospf-1]area 1
[R2-ospf-1]area 1
[R3-ospf-1]area 1
[FW1-ospf-1]area 1
[FW2-ospf-1]area
Step 4: Configure IPSec VPN
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source destination
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source destination
[FW1]ip route-static 24 // configure a static route
[FW2]ip route-static 24
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1 // authentication algorithm: SHA1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des // encryption algorithm: DES
[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address // configure the IKE peer: its IKE proposal, the peer IP address and the pre-shared key
[FW1-ike-peer-fw12]pre-shared-key abcde
[FW2]ike peer fw21
[FW2-ike-peer-fw21]ike-proposal 10
[FW2-ike-peer-fw21]remote-address
[FW2-ike-peer-fw21]pre-shared-key abcde
Bind the ACL, the IPSec proposal and the IKE peer together
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-map1-10]security acl 3000
[FW1-ipsec-policy-map1-10]proposal
[FW1-ipsec-policy-map1-10]ike-peer fw12
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-map1-10]security acl 3000
[FW2-ipsec-policy-map1-10]proposal
[FW2-ipsec-policy-map1-10]ike-peer fw21
[FW1]interface Ethernet2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1 // apply the IPSec policy to the interface
[FW2]interface Ethernet2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1
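The checks a practitioner would run over the Step 2 and Step 4 configuration before calling it done, as an added example that is not part of the original slides: weak IKE/IPSec algorithms (the slides use DES and SHA1), policy entries that reference an ACL, proposal or IKE peer that was never defined, a short pre-shared key, and the broad interzone default permit. `SAMPLE_CONFIG` is a reconstruction of FW1's commands in VRP running-config layout; the addresses, the second policy entry and the severity ratings are assumptions, since the slides omit addresses and carry no such ratings.

```python
"""Audit a Huawei VRP IPSec/IKE configuration for weak algorithms, dangling
references and broad default-permit filters.  Added example, not part of
the original slides.  SAMPLE_CONFIG is a constructed reconstruction of
FW1's Step 2 and Step 4 commands; addresses are placeholders because the
slides omit them."""
import re
from dataclasses import dataclass, field

# Assumption: these ratings follow current IETF/NIST guidance, not the slides.
WEAK_ALGOS = {
    "des":  ("HIGH",   "56-bit key, brute-forceable; use AES-256"),
    "3des": ("MEDIUM", "64-bit block (Sweet32); use AES-256"),
    "md5":  ("HIGH",   "collision-broken; use SHA-256"),
    "sha1": ("MEDIUM", "deprecated for new deployments; use SHA-256"),
}

SAMPLE_CONFIG = """
firewall packet-filter default permit interzone trust untrust
firewall packet-filter default permit interzone local untrust
acl 3000
 rule permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des
ike proposal 10
 authentication-algorithm sha1
 encryption-algorithm des
ike peer fw12
 ike-proposal 10
 remote-address 192.0.2.2
 pre-shared-key abcde
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer fw12
ipsec policy map1 20 isakmp
 security acl 3001
 proposal tran2
 ike-peer fw12
"""

@dataclass
class Section:
    kind: str
    name: str
    attrs: dict = field(default_factory=dict)   # key -> list of values

SECTION_RE = re.compile(
    r"^(acl|ipsec proposal|ike proposal|ike peer|ipsec policy)\s+(.+?)(?:\s+isakmp)?$")

def parse_config(text):
    """Indented lines belong to the most recent top-level view, as in VRP output."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            line = raw.strip()
            m = SECTION_RE.match(line)
            if m:
                current = Section(m.group(1), m.group(2))
                sections.append(current)
            elif line.startswith("firewall packet-filter default permit"):
                sections.append(Section("default-permit", line.split("permit", 1)[1].strip()))
                current = None
            else:
                current = None
        elif current is not None:
            parts = raw.split()
            n = 2 if parts[0] in ("esp", "ah") else 1   # "esp encryption-algorithm des"
            current.attrs.setdefault(" ".join(parts[:n]), []).append(" ".join(parts[n:]))
    return sections

def audit(sections):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings, by_kind = [], {}
    for s in sections:
        by_kind.setdefault(s.kind, {})[s.name] = s
    for s in sections:   # 1. weak algorithms in IPSec and IKE proposals
        if s.kind in ("ipsec proposal", "ike proposal"):
            for key, values in s.attrs.items():
                for v in values:
                    if key.endswith("-algorithm") and v in WEAK_ALGOS:
                        sev, note = WEAK_ALGOS[v]
                        findings.append((sev, f"{s.kind} {s.name}: {key} {v} ({note})"))
    for s in by_kind.get("ipsec policy", {}).values():   # 2. dangling references
        for key, kind in (("security", "acl"), ("proposal", "ipsec proposal"), ("ike-peer", "ike peer")):
            for v in s.attrs.get(key, []):
                if v.split()[-1] not in by_kind.get(kind, {}):   # "acl 3000" -> "3000"
                    findings.append(("HIGH", f"ipsec policy {s.name}: {key} {v} refers to an undefined {kind}"))
        if not s.attrs.get("security"):
            findings.append(("HIGH", f"ipsec policy {s.name}: no security acl, the policy can never match"))
    for s in by_kind.get("ike peer", {}).values():   # 3. IKE peer sanity
        for v in s.attrs.get("ike-proposal", []):
            if v not in by_kind.get("ike proposal", {}):
                findings.append(("HIGH", f"ike peer {s.name}: ike-proposal {v} is undefined"))
        if len(s.attrs.get("pre-shared-key", [""])[0]) < 16:
            findings.append(("MEDIUM", f"ike peer {s.name}: pre-shared-key shorter than 16 characters"))
    for s in by_kind.get("default-permit", {}).values():   # 4. broad interzone default
        findings.append(("MEDIUM", f"packet-filter default permit {s.name}: prefer explicit interzone policies"))
    return findings

def run_sample():
    return audit(parse_config(SAMPLE_CONFIG))

if __name__ == "__main__":
    for sev, msg in run_sample():
        print(f"[{sev}] {msg}")
```

Run against `SAMPLE_CONFIG` the audit reports the two DES selections as HIGH, the two SHA1 selections as MEDIUM, the dangling `acl 3001` and `tran2` references in `map1 20`, the five-character key and the two default-permit lines. The parser keys on VRP's indentation, so output of `display current-configuration` can be fed in directly once the proposals and peers have been confirmed on a real unit.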
Step 5: Configure GRE over IPSec VPN
[FW2]interface tunnel 2
[FW2-Tunnel2]tunnel-protocol gre
[FW2-Tunnel2]ip address 24
[FW2-Tunnel2]source
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 2
[FW2]rip // configure RIP
[FW2-rip-1]version 2
[FW2-rip-1]network
[R3-rip-1]version 2
[R3-rip-1]network
Configure the security policy and bind the new ACL and the IPSec proposal
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 0 destination 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-20]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32
[FW2]acl 3003
[FW2-acl-adv-3003]rule permit gre source 0 destination 0
[FW2-acl-adv-3003]quit
[FW2]ipsec policy map1 20 isakmp
[FW2-ipsec-policy-isakmp-map1-20]security acl 3003
[FW2-ipsec-policy-isakmp-map1-20]proposal tran1
[FW2-ipsec-policy-isakmp-map1-20]ike-peer fw23
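Why ACL 3003 matches protocol `gre` between the tunnel endpoints rather than the inner subnets: on FW2 a packet routed into Tunnel 2 is GRE-encapsulated first, and only the resulting outer packet is checked against the policy group on Ethernet 2/0/0 (`map1 10` bound to ACL 3000, then `map1 20` bound to ACL 3003). The trace below is an added example, not part of the original slides; the tunnel endpoints, subnets and routing table are constructed placeholders because the slides omit the addresses. It goes one step beyond the slides by also showing the failure mode: an ACL written for the inner subnets never matches the GRE outer header, so branch-office traffic would leave the firewall unencrypted.

```python
"""Trace how FW2 handles a packet under the Step 5 design: GRE encapsulation on
Tunnel 2 first, then the IPSec policy group on Ethernet 2/0/0 (map1 10 bound to
ACL 3000 for plain IP, map1 20 bound to ACL 3003 for GRE).  Added example, not
part of the original slides; every address and the routing table are constructed
placeholders, since the slides omit them."""
import ipaddress
from dataclasses import dataclass

TUNNEL_SRC = "198.51.100.2"   # constructed: FW2's Ethernet 2/0/0 address (tunnel source)
TUNNEL_DST = "203.0.113.3"    # constructed: R3's Serial 2/0/0 address (tunnel destination)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "ip" for ordinary traffic, "gre" once encapsulated (IP protocol 47)

@dataclass(frozen=True)
class AclRule:
    proto: str   # "ip" matches any protocol, "gre" only GRE
    src: str
    src_wc: str  # Huawei wildcard: 1 bits are "don't care", a bare "0" means exact match
    dst: str
    dst_wc: str

ACLS = {
    "3000": [AclRule("ip", "10.2.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255")],  # branch -> HQ
    "3003": [AclRule("gre", TUNNEL_SRC, "0", TUNNEL_DST, "0")],                      # tunnel endpoints
    # Common mistake: matching the inner subnets instead of the GRE outer header.
    "3003-wrong": [AclRule("ip", "10.2.0.0", "0.0.255.255", "10.3.0.0", "0.0.255.255")],
}
POLICY_GROUP = [("10", "3000"), ("20", "3003")]           # first matching entry wins
MISCONFIGURED_POLICY = [("10", "3000"), ("20", "3003-wrong")]

ROUTES = {  # constructed forwarding table for FW2: destination -> egress
    "10.1.0.0/16": "Ethernet2/0/0",  # HQ trust, protected by the site-to-site SA
    "10.3.0.0/16": "Tunnel2",        # branch-office LAN behind R3, learnt via RIP over the tunnel
    "0.0.0.0/0":   "Ethernet2/0/0",
}

def wildcard_match(addr, rule_addr, wildcard):
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return (int(ipaddress.IPv4Address(addr)) | w) == (int(ipaddress.IPv4Address(rule_addr)) | w)

def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, rule.src, rule.src_wc)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wc))

def lookup_route(dst):
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [n for n in ROUTES if addr in ipaddress.IPv4Network(n)]
    return ROUTES[max(candidates, key=lambda n: ipaddress.IPv4Network(n).prefixlen)]

def forward(pkt, policy_group=POLICY_GROUP):
    """Return the transformations applied before the packet leaves Ethernet 2/0/0.
    'CLEARTEXT' means no policy entry matched and the packet would leave unencrypted."""
    steps = []
    if lookup_route(pkt.dst) == "Tunnel2":
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, "gre")   # GRE outer header replaces the inner addresses
        steps.append("gre-encap")
    for seq, acl in policy_group:
        if any(rule_matches(r, pkt) for r in ACLS[acl]):
            steps.append(f"esp via map1 {seq} (acl {acl})")
            return steps
    steps.append("CLEARTEXT")
    return steps

if __name__ == "__main__":
    for p in (Packet("10.2.1.10", "10.1.1.10", "ip"),
              Packet("10.2.1.10", "10.3.1.10", "ip"),
              Packet("10.2.1.10", "192.0.2.50", "ip")):
        print(p.src, "->", p.dst, forward(p))
    print("misconfigured ACL 3003:", forward(Packet("10.2.1.10", "10.3.1.10", "ip"), MISCONFIGURED_POLICY))
```

Branch-to-HQ traffic hits `map1 10` directly; traffic for the branch-office LAN is GRE-encapsulated and then matched by `map1 20` on the outer header; traffic covered by neither ACL is forwarded in cleartext, which is why both ACLs should be reviewed together with the routing table before the policy group is applied. With the misconfigured ACL the tunnel packet falls through to `CLEARTEXT`, the symptom to look for when a GRE over IPSec tunnel comes up but `display ipsec sa` shows no SA for the GRE entry.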