Simulation environment: eNSP
Preamble: I spent a week trying to configure this lab purely from the command line without getting it to work, so I fell back on the web UI, generated the configuration from there and studied it; that is how this write-up came about.
This article was written after the simulation succeeded, by analysing the generated configuration; some of the code has been tidied up and may still contain a few bugs.
The network topology is as follows:
Inside the ISP network
- This is not the focus of this lab; OSPF is used here simply so that every route inside the ISP network is reachable.
AR1 configuration:

```
sysname AR1
interface GigabitEthernet0/0/0
 ip address 100.1.1.2 24
interface GigabitEthernet0/0/1
 ip address 118.122.120.1 24
interface LoopBack0
 ip address 11.11.11.11 32
ospf 1 router-id 11.11.11.11
 area 0.0.0.0
  network 100.1.1.2 0.0.0.0
  network 118.122.120.0 0.0.0.255
```

AR2 configuration:

```
sysname AR2
interface GigabitEthernet0/0/1
 ip address 100.1.1.1 24
interface GigabitEthernet0/0/2
 ip address 200.1.1.1 24
interface LoopBack0
 ip address 22.22.22.22 32
ospf 1 router-id 22.22.22.22
 area 0.0.0.0
  network 100.1.1.1 0.0.0.0
  network 200.1.1.1 0.0.0.0
```

AR3 configuration:

```
sysname AR3
interface GigabitEthernet0/0/0
 ip address 200.1.1.2 24
interface GigabitEthernet0/0/1
 ip address 101.207.142.1 24
interface LoopBack0
 ip address 33.33.33.33 32
ospf 1 router-id 33.33.33.33
 area 0.0.0.0
  network 200.1.1.2 0.0.0.0
  network 101.207.142.0 0.0.0.255
```
Configuring the firewall interfaces

Company A firewall (PING, HTTP and HTTPS service management enabled on every interface):

| Interface | IP/MAC address | Security zone | Peer |
|---|---|---|---|
| GE 0/0/0 | 192.168.0.1/24 | trust | Management PC |
| GE 1/0/0 | 118.122.120.83/24 | untrust | Internet |
| GE 1/0/1 | 10.1.1.1/24 | trust | Internal PC |
| GE 1/0/2 | 10.1.2.1/24 | DMZ | Internal server |

Company B firewall (PING, HTTP and HTTPS service management enabled on every interface):

| Interface | IP/MAC address | Security zone | Peer |
|---|---|---|---|
| GE 0/0/0 | 192.168.0.1/24 | trust | Management PC |
| GE 1/0/0 | 101.207.142.18/24 | untrust | Internet |
| GE 1/0/1 | 10.2.1.1/24 | trust | Internal PC |
| GE 1/0/2 | 10.2.2.1/24 | trust | Internal client |
Web UI configuration:
The generated configuration is as follows (interfaces first, then the zone each interface is added to).

Company A firewall:

```
interface GigabitEthernet0/0/0           // used to log in to the web UI
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit              // HTTP service
 service-manage https permit             // HTTPS service
 service-manage ping permit              // PING service
interface GigabitEthernet1/0/0           // management services are exposed on the Internet-facing interface for lab convenience only
 undo shutdown
 ip address 118.122.120.83 255.255.255.0
 alias 外网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 alias 内网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
 alias 服务器
 service-manage http permit
 service-manage https permit
 service-manage ping permit
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1      // internal PC1
firewall zone untrust
 add interface GigabitEthernet1/0/0      // Internet
firewall zone dmz
 add interface GigabitEthernet1/0/2      // server
```

Company B firewall:

```
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 101.207.142.18 255.255.255.0
 alias 外网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
 alias 内网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.2.2.1 255.255.255.0
 alias 客户端
 service-manage http permit
 service-manage https permit
 service-manage ping permit
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1      // internal PC2
 add interface GigabitEthernet1/0/2      // internal client
firewall zone untrust
 add interface GigabitEthernet1/0/0      // Internet
```
Creating the GRE tunnel interface

| GRE tunnel interface | Company A | Company B |
|---|---|---|
| Interface name | gre-ipsec | gre-ipsec |
| Security zone | untrust | untrust |
| IP/MAC address | 192.168.168.1/24 | 192.168.168.2/24 |
| Local (outside) IP address | 118.122.120.83 | 101.207.142.18 |
| Remote (outside) IP address | 101.207.142.18 | 118.122.120.83 |
Web UI configuration
The generated configuration is as follows (the tunnel interface, then its zone membership).

Company A firewall:

```
interface Tunnel0
 ip address 192.168.168.1 255.255.255.0  // bring the interface up with an address
 tunnel-protocol gre                      // tunnel protocol
 source 118.122.120.83                    // source address
 destination 101.207.142.18               // destination address
 alias gre-ipsec                          // alias
 undo service-manage enable
firewall zone untrust
 add interface Tunnel0
```

Company B firewall:

```
interface Tunnel0
 ip address 192.168.168.2 255.255.255.0
 tunnel-protocol gre
 source 101.207.142.18
 destination 118.122.120.83
 alias gre-ipsec
 undo service-manage enable
firewall zone untrust
 add interface Tunnel0
```
Creating the IPSec policy

| Section | Field | Company A | Company B |
|---|---|---|---|
| IPSec scenario (default Site to Site) | Scenario | Point to point | Point to point |
| IPSec policy basic settings | Policy name | gre-ipsec | gre-ipsec |
| | Local (outside) interface | GE 1/0/0 | GE 1/0/0 |
| | Local (outside) address | 118.122.120.83 | 101.207.142.18 |
| | Remote (outside) address | 101.207.142.18 | 118.122.120.83 |
| | Authentication method | Pre-shared key | Pre-shared key |
| | Authentication key (password) | huawei@123 | huawei@123 |
| | Local ID | 118.122.120.83 | 101.207.142.18 |
| | Remote IP | 101.207.142.18 | 118.122.120.83 |
| Packets IPSec encrypts | Source address | 118.122.120.83 | 101.207.142.18 |
| | Destination address | 101.207.142.18 | 118.122.120.83 |
| | Action | Encrypt | Encrypt |
| IPSec proposal | (must match on both ends; the defaults are used here) | default | default |

Web UI configuration:
IPSec policy basic settings:
Packets to be encrypted by IPSec:
IPSec proposal (the defaults are used here)
The generated configuration is as follows. The steps are the same on both sides: create the IKE proposal, create the IKE peer (pre-shared key, IKE proposal, local and remote IDs), define the interesting traffic with an advanced ACL (source = the local outside address, destination = the peer's outside address), create the IPSec proposal, create the IPSec policy that ties the ACL, IKE peer and IPSec proposal together, and finally bind the policy to the outside interface.

Company A firewall:

```
// 1. Create the IKE proposal (default settings; it still has to be created explicitly)
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
// 2. Create the IKE peer, set the pre-shared key, apply the IKE proposal, specify local and remote ends
ike peer ike2049354776
 exchange-mode auto
 pre-shared-key huawei@123          // pre-shared key; the running-config shows it as ciphertext
 ike-proposal 1                     // bind the IKE proposal
 remote-id-type ip                  // remote ID type
 remote-id 101.207.142.18           // remote ID
 local-id 118.122.120.83            // local ID
 dpd type periodic
 remote-address 101.207.142.18      // remote address
// 3. Interesting traffic (advanced ACL: source = local outside address, destination = peer outside address)
acl number 3000
 rule 5 permit ip source 118.122.120.83 0.0.0.0 destination 101.207.142.18 0.0.0.0
// 4. Create the IPSec proposal (default settings)
ipsec proposal prop2049354776
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
// 5. Create the IPSec policy and apply the ACL, IKE peer and IPSec proposal
ipsec policy ipsec2049354676 1 isakmp
 security acl 3000
 ike-peer ike2049354776             // bind the IKE peer
 proposal prop2049354776            // bind the IPSec proposal
 tunnel local applied-interface
 alias gre-ipsec
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
// 6. Bind the IPSec policy to the outside interface
interface GigabitEthernet1/0/0
 ipsec policy ipsec2049354676
```

Company B firewall:

```
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer ike20410038931
 exchange-mode auto
 pre-shared-key huawei@123
 ike-proposal 1
 remote-id-type ip
 remote-id 118.122.120.83
 local-id 101.207.142.18
 dpd type periodic
 remote-address 118.122.120.83
acl number 3000
 rule 5 permit ip source 101.207.142.18 0.0.0.0 destination 118.122.120.83 0.0.0.0
ipsec proposal prop20410038931
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy ipsec2041003883 1 isakmp
 security acl 3000
 ike-peer ike20410038931
 proposal prop20410038931
 tunnel local applied-interface
 alias gre-ipsec
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
interface GigabitEthernet1/0/0
 ipsec policy ipsec2041003883
```
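Most of the time lost on a site-to-site setup like this one goes into one address that does not match its counterpart. As an added example (not part of the original post, nor a Huawei tool), the following Python script pulls the address-carrying lines out of the two generated fragments above and checks that each end is internally consistent (tunnel source = ACL source = local-id, tunnel destination = ACL destination = remote-id = remote-address) and that the two ends mirror each other. The sample fragments are constructed from the values on this page.

```python
import re
# Sample fragments constructed from the values on this page (not a full running-config).
FW_A = """\
interface Tunnel0
 tunnel-protocol gre
 source 118.122.120.83
 destination 101.207.142.18
acl number 3000
 rule 5 permit ip source 118.122.120.83 0.0.0.0 destination 101.207.142.18 0.0.0.0
ike peer ike2049354776
 local-id 118.122.120.83
 remote-id 101.207.142.18
 remote-address 101.207.142.18
"""
FW_B = """\
interface Tunnel0
 tunnel-protocol gre
 source 101.207.142.18
 destination 118.122.120.83
acl number 3000
 rule 5 permit ip source 101.207.142.18 0.0.0.0 destination 118.122.120.83 0.0.0.0
ike peer ike20410038931
 local-id 101.207.142.18
 remote-id 118.122.120.83
 remote-address 118.122.120.83
"""
# Fields that must agree on one end (local set / remote set) and mirror across the two ends.
PATTERNS = {
    "tun_src": r"^\s*source (\S+)$", "tun_dst": r"^\s*destination (\S+)$",
    "acl_src": r"permit ip source (\S+) 0\.0\.0\.0", "acl_dst": r"destination (\S+) 0\.0\.0\.0",
    "local_id": r"^\s*local-id (\S+)$", "remote_id": r"^\s*remote-id (\S+)$",
    "remote_addr": r"^\s*remote-address (\S+)$",
}

def extract(cfg):
    # First match of each pattern, or None when that line is missing from the fragment.
    return {k: (m.group(1) if (m := re.search(p, cfg, re.M)) else None) for k, p in PATTERNS.items()}

def check_pair(cfg_a, cfg_b):
    # Returns a list of problems; an empty list means both ends are consistent and mirrored.
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    for name, c in (("A", a), ("B", b)):
        if len({c["tun_src"], c["acl_src"], c["local_id"]}) != 1:
            problems.append(f"{name}: tunnel source, ACL source and local-id differ")
        if len({c["tun_dst"], c["acl_dst"], c["remote_id"], c["remote_addr"]}) != 1:
            problems.append(f"{name}: tunnel destination, ACL destination, remote-id, remote-address differ")
    if (a["tun_src"], a["tun_dst"]) != (b["tun_dst"], b["tun_src"]):
        problems.append("A and B do not mirror each other's outside addresses")
    return problems
```

Run it against the real `display current-configuration` output of both firewalls once a change is made on either side; a single mistyped octet shows up as a named mismatch instead of a tunnel that silently never comes up.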
Configuring static routes

| Route | Field | Company A | Company B |
|---|---|---|---|
| Default static route | Destination | 0.0.0.0/0 | 0.0.0.0/0 |
| | Outbound interface | GE 1/0/0 | GE 1/0/0 |
| | Next hop | 118.122.120.1 | 101.207.142.1 |
| Peer company's internal network | Destination | 10.2.1.0/24 | 10.1.1.0/24 |
| | Outbound interface | gre-to-ipsec | gre-to-ipsec |
| | Next hop | (none) | (none) |
| Peer company's internal network | Destination | 10.2.2.0/24 | 10.1.2.100/32 |
| | Outbound interface | gre-to-ipsec | gre-to-ipsec |
| | Next hop | (none) | (none) |
Web UI configuration:
The generated configuration is as follows.

Company A firewall:

```
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 118.122.120.1 description 默认静态路由
ip route-static 10.2.1.0 255.255.255.0 Tunnel0 description 访问 FW2 内网
ip route-static 10.2.2.0 255.255.255.0 Tunnel0 description 访问 FW2 内网
```

Company B firewall:

```
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 101.207.142.1 description 默认静态路由
ip route-static 10.1.1.0 255.255.255.0 Tunnel0 description 访问 FW1 内网
ip route-static 10.1.2.100 255.255.255.255 Tunnel0 description 访问 FW1 内网服务器
```
Creating address groups
(Optional; the address groups are created here only to make the web UI easier to work with.)
Web UI configuration:
The generated configuration is as follows; it is identical on the company A and company B firewalls.

```
ip address-set "FW1 外网接口地址" type group
 address 0 118.122.120.83 mask 32
ip address-set "FW1 内网地址" type group
 address 0 10.1.1.0 mask 24
ip address-set "FW1 内网服务器" type group
 address 0 10.1.2.100 mask 32
ip address-set "FW2 外网接口地址" type group
 address 0 101.207.142.18 mask 32
ip address-set "FW2 内网地址" type group
 address 0 10.2.1.0 mask 24
 address 1 10.2.2.0 mask 24
```
Configuring security policies
Web UI configuration:
The generated configuration is as follows. Each firewall needs a rule for the IPSec negotiation itself, a rule for internal users reaching the Internet, and a rule for traffic from outside (including the tunnel, whose interface sits in untrust) into the internal network. Company A additionally has a server in the DMZ that both the internal network and the outside reach, so it gets a fourth rule; company B has no DMZ.

Company A firewall:

```
security-policy
// IPSec negotiation traffic
 rule name gre-ipsec
  description IPSEC 自协商报文交互
  policy logging
  session logging
  traffic logging enable
  source-zone local trust untrust           // several security zones at once
  destination-zone local trust untrust
  source-address address-set "FW1 外网接口地址"
  source-address address-set "FW2 外网接口地址"
  destination-address address-set "FW1 外网接口地址"
  destination-address address-set "FW2 外网接口地址"
  action permit
// internal network to the Internet
 rule name to-Internet
  description 访问互联网
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address address-set "FW1 内网地址"
  action permit
// outside (and the DMZ server) to the internal network
 rule name to-trust
  description 访问内网
  policy logging
  session logging
  traffic logging enable
  source-zone dmz untrust
  destination-zone trust
  destination-address address-set "FW1 内网地址"
  action permit
// internal network and outside to the DMZ server (company A only)
 rule name to-dmz
  description 访问内网服务器
  policy logging
  session logging
  traffic logging enable
  source-zone trust untrust
  destination-zone dmz
  destination-address address-set "FW1 内网服务器"
  action permit
```

Company B firewall:

```
security-policy
 rule name gre-ipsec
  description IPSEC 自协商报文交互
  policy logging
  session logging
  traffic logging enable
  source-zone local trust untrust
  destination-zone local trust untrust
  source-address address-set "FW1 外网接口地址"
  source-address address-set "FW2 外网接口地址"
  destination-address address-set "FW1 外网接口地址"
  destination-address address-set "FW2 外网接口地址"
  action permit
 rule name to-Internet
  description 访问互联网
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address address-set "FW2 内网地址"
  action permit
 rule name to-trust
  description 访问内网
  policy logging
  session logging
  traffic logging enable
  source-zone untrust
  destination-zone trust
  destination-address address-set "FW2 内网地址"
  action permit
```
Configuring NAT policies
Web UI configuration:
The generated configuration is as follows. The no-NAT rule for traffic that goes through the GRE tunnel is placed first, because NAT rules are matched top to bottom and the first match wins; if the easy-ip rule came first, traffic for the peer's internal network would be source-translated before it reached the tunnel. The second rule translates internal addresses to the outside interface address for Internet access.

Company A firewall:

```
nat-policy
// traffic for the peer via the GRE tunnel: no address translation (must come first)
 rule name gre-ipsec
  description 不作地址转换
  source-zone local trust
  destination-zone untrust
  destination-address address-set "FW2 内网地址"
  destination-address address-set "FW2 外网接口地址"
  action no-nat
// Internet access: translate internal addresses to the outside interface address
 rule name to-Internet
  description 转换为外网地址
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
```

Company B firewall:

```
nat-policy
 rule name gre-ipsec
  description 不作地址转换
  source-zone local trust
  destination-zone untrust
  destination-address address-set "FW1 内网地址"
  destination-address address-set "FW1 内网服务器"
  destination-address address-set "FW1 外网接口地址"
  action no-nat
 rule name to-Internet
  description 转换为外网地址
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
```
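To make the ordering point concrete, here is an added example (not from the original post) that replays the first-match lookup over company A's nat-policy as written above; the policy text and the address groups are constructed from this page. Reversing the rule order shows tunnel-bound traffic being caught by the easy-ip rule instead.

```python
import ipaddress
import re

# Company A's nat-policy, constructed from the generated configuration on this page.
NAT_POLICY_A = """\
nat-policy
 rule name gre-ipsec
  source-zone local trust
  destination-zone untrust
  destination-address address-set "FW2 内网地址"
  destination-address address-set "FW2 外网接口地址"
  action no-nat
 rule name to-Internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
"""
# Address groups from the address-set section of this page.
ADDRESS_SETS = {
    "FW2 内网地址": ["10.2.1.0/24", "10.2.2.0/24"],
    "FW2 外网接口地址": ["101.207.142.18/32"],
}

def parse_rules(text):
    """Collect each rule's name, destination address-sets and action, in configuration order."""
    rules, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*rule name (\S+)", line):
            cur = {"name": m.group(1), "dst": [], "action": None}
            rules.append(cur)
        elif cur and (m := re.match(r'\s*destination-address address-set "(.+)"', line)):
            cur["dst"].append(m.group(1))
        elif cur and (m := re.match(r"\s*action (.+)", line)):
            cur["action"] = m.group(1).strip()
    return rules

def first_match(rules, dst_ip):
    """Top-to-bottom first match; a rule with no destination-address matches any destination."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        nets = [ipaddress.ip_network(n) for s in r["dst"] for n in ADDRESS_SETS[s]]
        if not nets or any(ip in n for n in nets):
            return r["name"], r["action"]
    return None, None

if __name__ == "__main__":
    rules = parse_rules(NAT_POLICY_A)
    print(first_match(rules, "10.2.1.10"))        # ('gre-ipsec', 'no-nat')
    print(first_match(rules[::-1], "10.2.1.10"))  # ('to-Internet', 'source-nat easy-ip')
```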
With that, all of the configuration is complete.
Verification
Check that traffic flows end to end
Result of company B's PC2 reaching company A's PC1:
Result of company B's client reaching company A's server:
IPSec diagnostics on the company B firewall:
GRE monitoring on the company B firewall:
Packet capture on the Internet segment: