素材来源:华为防火墙配置指南
目标
介绍采用IPSec隧道化方式配置两点之间IPSec隧道的配置举例。请使用命令行完成本举例的配置。
组网需求
如图1所示,网络A与网络B通过FW_A和FW_B连接到Internet。
FW_A和FW_B之间有多条链路路由可达。
要求实现如下组网需求:
- 主机PC1与PC2之间可以通过IPSec隧道安全的通信。
- 在FW_A和FW_B之间可以实现链路备份,当有一条链路发生问题时,仍然可以通过其他的链路进行IPSec通信。
配置思路
- 基本配置,包括配置接口IP地址,将接口加入相应的安全区域,配置安全策略。
- 创建并配置Tunnel接口,并将Tunnel接口加入相应的安全区域。
- 配置公网路由,一般情况下,FW上配置静态路由。
- 配置IPSec。
操作步骤
配置FW_A。
- 配置接口IP地址。
<sysname> system-view
[sysname] sysname FW_A
[FW_A] interface gigabitethernet 1 / 0 / 3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] quit [FW_A] interface gigabitethernet 1 / 0 / 1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit [FW_A] interface gigabitethernet 1 / 0 / 2
[FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
[FW_A-GigabitEthernet1/0/2] quit [FW_A] interface gigabitethernet 1 / 0 / 4
[FW_A-GigabitEthernet1/0/4] ip address 3.3.3.3 24
[FW_A-GigabitEthernet1/0/4] quit
复制代码- 创建并配置Tunnel接口。
[FW_A] interface tunnel 0
[FW_A-tunnel0] tunnel-protocol ipsec
[FW_A-tunnel0] ip address 1.1.0.2 24
[FW_A-tunnel0] quit
复制代码- 开启域间安全策略。
开启Trust和Untrust安全区域的域间策略,保证报文能够正常发送。
[FW_A] security-policy
[FW_A-policy-security] rule name policy_ipsec_1
[FW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[FW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[FW_A-policy-security-rule-policy_ipsec_1] source-address 10.3.0.0 24
[FW_A-policy-security-rule-policy_ipsec_1] destination-address 10.4.0.0 24
[FW_A-policy-security-rule-policy_ipsec_1] action permit
[FW_A-policy-security-rule-policy_ipsec_1] quit
[FW_A-policy-security] rule name policy_ipsec_2
[FW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[FW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[FW_A-policy-security-rule-policy_ipsec_2] source-address 10.4.0.0 24
[FW_A-policy-security-rule-policy_ipsec_2] destination-address 10.3.0.0 24
[FW_A-policy-security-rule-policy_ipsec_2] action permit
[FW_A-policy-security-rule-policy_ipsec_2] quit
复制代码开启Local和Untrust安全区域的域间策略,保证隧道正常建立。
[FW_A-policy-security] rule name policy_ipsec_3
[FW_A-policy-security-rule-policy_ipsec_3] source-zone local
[FW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.1.1 32
[FW_A-policy-security-rule-policy_ipsec_3] source-address 2.2.2.2 32
[FW_A-policy-security-rule-policy_ipsec_3] source-address 3.3.3.3 32
[FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.0.2 32
[FW_A-policy-security-rule-policy_ipsec_3] destination-address 4.4.4.4 32
[FW_A-policy-security-rule-policy_ipsec_3] action permit
[FW_A-policy-security-rule-policy_ipsec_3] quit
[FW_A-policy-security] rule name policy_ipsec_4
[FW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[FW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[FW_A-policy-security-rule-policy_ipsec_4] source-address 4.4.4.4 32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.1.1 32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 2.2.2.2 32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 3.3.3.3 32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.0.2 32
[FW_A-policy-security-rule-policy_ipsec_4] action permit
[FW_A-policy-security-rule-policy_ipsec_4] quit
[FW_A-policy-security] quit
复制代码- 配置到网络B的静态路由,此处假设到达网络B的出接口为Tunnel 0接口。
[FW_A] ip route- static 10.4.0.0 255.255.255.0 tunnel 0
复制代码- 配置到FW_B的3条等价路由(假设下一跳所配置中所示)。
[FW_A] ip route- static 4.4.4.4 32 1.1.1.254
[FW_A] ip route- static 4.4.4.4 32 2.2.2.254
[FW_A] ip route- static 4.4.4.4 32 3.3.3.254
复制代码- 定义IPSec中被保护的数据流。
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[FW_A-acl-adv-3000] quit
复制代码- 配置名称为tran1的IPSec安全提议。
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_A-ipsec-proposal-tran1] transform esp
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2- 256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes- 256
[FW_A-ipsec-proposal-tran1] quit
复制代码- 配置序号为10的IKE安全提议。
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] quit
复制代码- 配置IKE Peer。
[FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 4.4.4.4
[FW_A-ike-peer-b] pre-shared-key Test ! 123
[FW_A-ike-peer-b] quit
复制代码- 配置IPSec策略map1。
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit
复制代码- 在Tunnel接口上应用安全策略map1。
[FW_A] interface tunnel 0
[FW_A-tunnel0] ipsec policy map1
[FW_A-tunnel0] quit
复制代码配置FW_B。
- 基础配置。 请根据图1的数据配置接口IP地址。将接口GE1/0/3加入Trust区域,接口GE1/0/1加入Untrust区域。详细步骤可参见FW_A的配置。
- 开启域间安全策略。
开启Trust和Untrust安全区域的域间策略,保证报文能够正常发送。
[FW_B] security-policy
[FW_B-policy-security] rule name policy_ipsec_1
[FW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[FW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[FW_B-policy-security-rule-policy_ipsec_1] source-address 10.4.0.0 24
[FW_B-policy-security-rule-policy_ipsec_1] destination-address 10.3.0.0 24
[FW_B-policy-security-rule-policy_ipsec_1] action permit
[FW_B-policy-security-rule-policy_ipsec_1] quit
[FW_B-policy-security] rule name policy_ipsec_2
[FW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[FW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[FW_B-policy-security-rule-policy_ipsec_2] source-address 10.3.0.0 24
[FW_B-policy-security-rule-policy_ipsec_2] destination-address 10.4.0.0 24
[FW_B-policy-security-rule-policy_ipsec_2] action permit
[FW_B-policy-security-rule-policy_ipsec_2] quit
复制代码开启Local和Untrust安全区域的域间策略,保证隧道正常建立。
[FW_B-policy-security] rule name policy_ipsec_3
[FW_B-policy-security-rule-policy_ipsec_3] source-zone local
[FW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[FW_B-policy-security-rule-policy_ipsec_3] source-address 4.4.4.4 32
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.1.1 32
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 2.2.2.2 32
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 3.3.3.3 32
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.0.2 32
[FW_B-policy-security-rule-policy_ipsec_3] action permit
[FW_B-policy-security-rule-policy_ipsec_3] quit
[FW_B-policy-security] rule name policy_ipsec_4
[FW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[FW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.1.1 32
[FW_B-policy-security-rule-policy_ipsec_4] source-address 2.2.2.2 32
[FW_B-policy-security-rule-policy_ipsec_4] source-address 3.3.3.3 32
[FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.0.2 32
[FW_B-policy-security-rule-policy_ipsec_4] destination-address 4.4.4.4 32
[FW_B-policy-security-rule-policy_ipsec_4] action permit
[FW_B-policy-security-rule-policy_ipsec_4] quit
[FW_B-policy-security] quit
复制代码- 配置到达网络A的静态路由,此处假设下一跳地址为4.4.4.254。
[FW_B] ip route- static 10.3.0.0 255.255.255.0 4.4.4.254
复制代码- 配置到FW_A的Tunnel接口的路由。
[FW_B] ip route- static 1.1.0.2 255.255.255.255 4.4.4.254
复制代码- 定义IPSec中被保护的数据流。
[FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[FW_B-acl-adv-3000] quit
复制代码- 配置名称为tran1的IPSec安全提议。
[FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_B-ipsec-proposal-tran1] transform esp
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2- 256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes- 256
[FW_B-ipsec-proposal-tran1] quit
复制代码- 配置序号为10的IKE安全提议。
[FW_B] ike proposal 10
[FW_B-ike-proposal-10] authentication-method pre-share
[FW_B-ike-proposal-10] quit
复制代码- 配置名称为a的IKE peer。
[FW_B] ike peer a
[FW_B-ike-peer-a] ike-proposal 10
[FW_B-ike-peer-a] remote-address 1.1.0.2
[FW_B-ike-peer-a] pre-shared-key Test ! 123
[FW_B-ike-peer-a] quit
复制代码- 配置名称为map1序号为10的安全策略。
[FW_B] ipsec policy map1 10 isakmp
[FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_B-ipsec-policy-isakmp-map1-10] quit
复制代码- 在接口GE1/0/1上应用安全策略map1。
[FW_B] interface gigabitethernet 1 / 0 / 1
[FW_B-GigabitEthernet1/0/1] ipsec policy map1
[FW_B-GigabitEthernet1/0/1] quit
复制代码结果验证
- 配置完成后,在PC1执行ping命令,看能否ping通PC2。如果配置正确,则PC1和PC2可以相互ping通。如果有步骤2、3、4的显示信息,则说明PC1和PC2之间的通信经过了IPSec隧道封装。
- 分别在FW_A、FW_B上执行display ike sa命令会显示IKE安全联盟的建立情况。以FW_A为例,出现以下显示说明IKE安全联盟建立成功。
<FW_A> display ike sa
Ike sa number: 2
-----------------------------------------------------------------------------
Conn-ID Peer VPN Flag(s) Phase
-----------------------------------------------------------------------------
20002 4.4.4.4 RD|ST|A v2:2
20001 4.4.4.4 RD|ST|A v2:1
Number of SA entries : 2
Number of SA entries of all cpu : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
复制代码- 分别在FW_A、FW_B上执行display ipsec sa命令会显示IPSec安全联盟的建立情况。以FW_A为例,出现以下显示说明IPSec安全联盟建立成功。
<FW_A> display ipsec sa
===============================
Interface: Tunnel0
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID: 40002
Encapsulation mode: Tunnel
Tunnel local : 1.1.0.2
Tunnel remote : 4.4.4.4
Flow source : 10.3.0.0/255.255.255.0 0/0
Flow destination : 10.4.0.0/255.255.255.0 0/0
[Outbound ESP SAs]
SPI: 228290096 (0xd9b6e30)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436464/3549
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/kilobytes): 4/0
[Inbound ESP SAs]
SPI: 38742361 (0x24f2959)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436464/3549
Max received sequence-number: 4
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/kilobytes): 4/0
Anti-replay : Enable
Anti-replay window size: 1024
复制代码- 执行命令display ipsec statistics可以查看被加密的数据包的变化,即它们之间的数据传输将被加密。以FW_A为例。
<FW_A>display ipsec statistics
the security packet statistics:
input/output security packets: 4/4
input/output security bytes: 400/400
input/output dropped security packets: 0/0
the encrypt packet statistics
send sae:0, recv sae:0, send err:0
local cpu:0, other cpu:0, recv other cpu:0
intact packet:0, first slice:0, after slice:0
the decrypt packet statistics
send sae:0, recv sae:0, send err:0
local cpu:0, other cpu:0, recv other cpu:0
reass first slice:0, after slice:0, len err:0
dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
exceed byte limit: 0, exceed packet limit: 0
change cpu enc: 0, dec change cpu: 0
change datachan: 0, fib search: 0
rcv enc(dec) form sae said err: 0, 0
send port: 0, output l3: 0, l2tp input: 0
negotiate about packet statistics:
IP packet ok:0, err:0, drop:0
IP rcv other cpu to ike:0, drop:0
IKE packet inbound ok:0, err:0
IKE packet outbound ok:0, err:0
SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
ModpCnt: 0, SaeSucc: 0, SoftwareSucc: 0
复制代码- 断开FW_A的GE1/0/1、GE1/0/2和GE1/0/4中任意一个接口,查看IPSec隧道依然不会断开。保证了多条链路之间的备份。 通过以下操作来判断:
- 执行display ike sa、display ipsec sa命令,查看到安全联盟依然存在。
- 网络A和网络B之间依然能够成功发送和接收报文。且执行display ipsec statistics命令,能看到报文数量在增长。
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
