HUAWEI篇 NGFW与AR网关建立GRE over IPSec隧道

转载

wangheyu1 2019-01-03 08:59:02 博主文章分类：网络

组网需求

如图1-1所示，企业希望总部和分支的内网可以安全互访，且分支和总部间要能够传送组播数据（例如企业内网部部署了动态路由，动态路由交互过程中存在组播报文交互）。由于单纯的IPSec隧道不能传送组播数据，而GRE隧道具备传送组播数据的能力，为了满足用户需求，需要在NGFW和AR设备间建立GRE over IPSec隧道。

图1-1 GRE over IPSec对接组网

HUAWEI篇 NGFW与AR网关建立GRE over IPSec隧道_GRE

配置项		NGFW	AR
设备信息		l 设备型号：USG6330 l 软件版本：V100R001C30	l 设备型号：AR2220 l 软件版本：V200R007C00
IPSec安全提议	封装模式	隧道模式	隧道模式
	安全协议	ESP	ESP
	ESP协议验证算法	SHA2-256	SHA2-256
	ESP协议加密算法	AES-128	AES-128
	DH Group	GROUP2	GROUP2
IKE对等体	协商模式	主模式	主模式
	加密算法	AES-128	AES-128
	认证算法	SHA2-256	SHA2-256
	预共享密钥	Key123	Key123
	身份类型	IP地址	IP地址
	版本	V1	V1

操作步骤

步骤 1 配置NGFW。

1. 配置接口IP地址，并将接口加入安全区域。

[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[NGFW-GigabitEthernet1/0/2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/2
[NGFW-zone-untrust] quit

2. 配置到NGFW连接到Internet的缺省路由，假设下一跳为1.1.3.2。

[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2

3. 配置域间安全策略。

a. 配置Trust域与Untrust域的安全策略，允许IPSec封装前和解封装后的原始报文能通过NGFW。

[NGFW] security-policy
[NGFW-policy-security] rule name 1
[NGFW-policy-security-rule-1] source-zone untrust
[NGFW-policy-security-rule-1] destination-zone trust
[NGFW-policy-security-rule-1] source-address 10.1.3.0 24
[NGFW-policy-security-rule-1] destination-address 10.1.1.0 24
[NGFW-policy-security-rule-1] action permit
[NGFW-policy-security-rule-1] quit
[NGFW-policy-security] rule name 2
[NGFW-policy-security-rule-2] source-zone trust
[NGFW-policy-security-rule-2] destination-zone untrust
[NGFW-policy-security-rule-2] source-address 10.1.1.0 24
[NGFW-policy-security-rule-2] destination-address 10.1.3.0 24
[NGFW-policy-security-rule-2] action permit
[NGFW-policy-security-rule-2] quit

b. 配置Local域与Untrust域的安全策略，允许IKE协商报文能正常通过NGFW。

[NGFW-policy-security] rule name 3
[NGFW-policy-security-rule-3] source-zone local
[NGFW-policy-security-rule-3] destination-zone untrust
[NGFW-policy-security-rule-3] source-address 1.1.3.1 32
[NGFW-policy-security-rule-3] destination-address 1.1.5.1 32
[NGFW-policy-security-rule-3] action permit
[NGFW-policy-security-rule-3] quit
[NGFW-policy-security] rule name 4
[NGFW-policy-security-rule-4] source-zone untrust
[NGFW-policy-security-rule-4] destination-zone local
[NGFW-policy-security-rule-4] source-address 1.1.5.1 32
[NGFW-policy-security-rule-4] destination-address 1.1.3.1 32
[NGFW-policy-security-rule-4] action permit
[NGFW-policy-security-rule-4] quit

4. 配置GRE隧道。

[NGFW] interface tunnel 1
[NGFW-Tunnel1] tunnel-protocol gre
[NGFW-Tunnel1] ip address 172.16.1.1 24
[NGFW-Tunnel1] source 1.1.3.1
[NGFW-Tunnel1] destination 1.1.5.1
[NGFW-Tunnel1] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface tunnel 1
[NGFW-zone-untrust] quit

5. 配置IPSec策略。

a. 配置访问控制列表，定义需要保护的数据流。

[NGFW] acl 3000
[NGFW-acl-adv-3000] rule permit ip source 1.1.3.1 0 destination 1.1.5.1 0
[NGFW-acl-adv-3000] quit

b. 配置IPSec安全提议。

[NGFW] ipsec proposal tran1
[NGFW-ipsec-proposal-tran1] transform esp
[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[NGFW-ipsec-proposal-tran1] quit

c. 创建IKE安全提议。

[NGFW] ike proposal 1
[NGFW-ike-proposal-1] encryption-algorithm aes-128
[NGFW-ike-proposal-1] authentication-algorithm sha2-256
[NGFW-ike-proposal-1] dh group2
[NGFW-ike-proposal-1] quit

d. 配置IKE对等体。

[NGFW] ike peer ar
[NGFW-ike-peer-ar] undo version 2
[NGFW-ike-peer-ar] exchange-mode main
[NGFW-ike-peer-ar] ike-proposal 1
[NGFW-ike-peer-ar] pre-shared-key Key123
[NGFW-ike-peer-ar] remote-address 1.1.5.1
[NGFW-ike-peer-ar] quit

e. 配置isakmp方式的IPSec策略。

[NGFW] ipsec policy map1 1 isakmp
[NGFW-ipsec-policy-isakmp-map1-1] ike-peer ar
[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1
[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000
[NGFW-ipsec-policy-isakmp-map1-1] quit

f. 在接口GigabitEthernet 1/0/2上应用IPSec策略。

[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ipsec policy map1
[NGFW-GigabitEthernet1/0/2] quit

步骤 2 配置AR设备。

1. 配置AR接口的IP地址。

<Huawei> system-view
[Huawei] sysname AR
[AR] interface GigabitEthernet 0/0/1
[AR-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[AR-GigabitEthernet0/0/1] quit
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ip address 1.1.5.1 24
[AR-GigabitEthernet0/0/2] quit

2. 配置GRE隧道。

[AR] interface tunnel 0/0/2
[AR-Tunnel0/0/2] tunnel-protocol gre
[AR-Tunnel0/0/2] ip address 172.16.1.2 24
[AR-Tunnel0/0/2] source 1.1.5.1
[AR-Tunnel0/0/2] destination 1.1.3.1
[AR-Tunnel0/0/2] quit

3. 配置AR路由。

#配置AR连接到Internet的缺省路由，假设下一跳地址为1.1.5.2。

[AR] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2

#配置AR到总部内网的路由，出接口为Tunnel0/0/2接口。

[AR] ip route-static 10.1.1.0 24 tunnel 0/0/2

4. 配置IPSec策略。

a. 配置访问控制列表，定义需要保护的数据流。

[AR] acl 3000
[AR-acl-adv-3000] rule permit ip source 1.1.5.1 0 destination 1.1.3.1 0
[AR-acl-adv-3000] quit

b. 配置IPSec安全提议。

[AR] ipsec proposal tran1
[AR-ipsec-proposal-tran1] transform esp
[AR-ipsec-proposal-tran1] encapsulation-mode tunnel
[AR-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[AR-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[AR-ipsec-proposal-tran1] quit

c. 创建IKE安全提议。

[AR] ike proposal 1
[AR-ike-proposal-1] encryption-algorithm aes-cbc-128
[AR-ike-proposal-1] authentication-algorithm sha2-256
[AR-ike-proposal-1] dh group2
[AR-ike-proposal-1] quit

d. 配置和对端相同的SHA2加解密方式。

[AR] ipsec authentication sha2 compatible enable

e. 配置IKE对等体。

[AR] ike peer ngfw v1 /*参数v1表示IKE使用v1版本进行IKE协商。/
[AR-ike-peer-ngfw] exchange-mode main
[AR-ike-peer-ngfw] ike-proposal 1
[AR-ike-peer-ngfw] pre-shared-key cipher Key123
[AR-ike-peer-ngfw] remote-address 1.1.3.1
[AR-ike-peer-ngfw] nat traversal
[AR-ike-peer-ngfw] quit

f. 配置isakmp方式的IPSec策略。

[AR] ipsec policy map1 1 isakmp
[AR-ipsec-policy-isakmp-map1-1] ike-peer ngfw
[AR-ipsec-policy-isakmp-map1-1] proposal tran1
[AR-ipsec-policy-isakmp-map1-1] security acl 3000
[AR-ipsec-policy-isakmp-map1-1] quit

g. 在接口GigabitEthernet 0/0/2上应用IPSec策略。

[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ipsec policy map1
[AR-GigabitEthernet0/0/2] quit

----结束

结果验证

1. 配置完成后，使用分支下的用户Ping总部下的用户。

2. 正常情况下，分支访问总部的数据流将会触发两台网关之间建立IPSec隧道。此处在NGFW上查看IKE SA的建立情况，可以看到IKE SA已经建立成功。

<NGFW> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer                                    flag          phase vpn
--------------------------------------------------------------------------------------------------
84125     1.1.5.1                                 RD|A          v1:2 public
84121      1.1.5.1                                 RD|D|A        v1:1 public


   flag meaning
   RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
   TD--DELETING   NEG--NEGOTIATING D--DPD          M--ACTIVE     S--STANDBY
   A--ALONE

3. 使用display ipsec sa命令查看IPSec的建立情况，可以看到IPSec SA也已建立成功。

<NGFW> display ipsec sa
===============================
Interface: GigabitEthernet1/0/2
     path MTU: 1500
===============================

   -----------------------------
   IPsec policy name: "map1"
   sequence number: 1
   mode: isakmp
   vpn: public
   -----------------------------
     connection id: 84125
     rule number: 5
     encapsulation mode: tunnel
     holding time: 0d 0h 25m 51s
     tunnel local : 1.1.3.1   tunnel remote: 1.1.5.1
     flow      source: 1.1.3.1/255.255.255.255 0/0
     flow destination: 1.1.3.2/255.255.255.255 0/0

     [inbound ESP SAs]
       spi: 3481684812 (0xcf864b4c)
       vpn: public said: 2580 cpuid: 0x0000
       proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
       sa remaining key duration (kilobytes/sec): 1843200/2049
       max received sequence-number: 5
       udp encapsulation used for nat traversal: N

     [outbound ESP SAs]
       spi: 592143329 (0x234b63e1)
       vpn: public said: 2581 cpuid: 0x0000
       proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
       sa remaining key duration (kilobytes/sec): 1843200/2049
       max sent sequence-number: 6
       udp encapsulation used for nat traversal: N

强叔点评

l 在GRE over IPSec场景中，GRE隧道和IPSec共同使用公网接口建立隧道。因此GRE隧道的源地址就是建立IPSec隧道的公网接口IP地址。

l 由于本例中AR使用的是V200R007C00软件版本，该版本与NGFW通过SHA2认证算法进行IPSec对接时，会存在SHA2算法不一致的问题。SHA2算法不一致会造成报文加解密失败，进而造成业务不通的现象。因此，在本例中ipsec authentication sha2 compatible enable是必配命令。