Huawei: what does the command dis ip rd-hbase filter mean?

Huawei USG firewall IPSec VPN lab (can be done in the simulator)
This lab shows how to build an IPSec tunnel when the egress gateways of both headquarters and the branch are also NAT devices, so that headquarters and the branch can reach each other while both can still access the public network.
I. The router's only role is to make FW1 and FW2 reachable from each other; its configuration:
interface GigabitEthernet0/0/0
ip address 220.163.100.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 220.163.200.1 255.255.255.0
II. FW1 configuration:
1. Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
2. Add the interfaces to the corresponding security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
firewall zone untrust
add interface GigabitEthernet0/0/1
3. Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all
4. Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.100.1
5. Define the data flow to be protected.
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
6. Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
7. Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
8. Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.taobao.com
ike-proposal 10
remote-address 220.163.200.2
9. Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1
10. Apply the IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
ipsec policy map1
11. Configure NAT. Define the traffic used for NAT: first exclude (deny) the traffic that IPSec must encrypt, then define the traffic to be NATed. The flow excluded here must match the IPSec-protected flow exactly.
nat-policy interzone trust untrust outbound
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
action source-nat
easy-ip GigabitEthernet0/0/1
III. FW2 configuration:
1. Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
2. Add the interfaces to the corresponding security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
firewall zone untrust
add interface GigabitEthernet0/0/1
3. Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all
4. Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.200.1
5. Define the data flow to be protected.
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
6. Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes
7. Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1
8. Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.taobao.com
ike-proposal 10
remote-address 220.163.100.2
9. Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1
10. Apply the IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
ipsec policy map1
11. Configure NAT. Define the traffic used for NAT: first exclude (deny) the traffic that IPSec must encrypt, then define the traffic to be NATed. The flow excluded here must match the IPSec-protected flow exactly.
nat-policy interzone trust untrust outbound
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
action source-nat
easy-ip GigabitEthernet0/0/1
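A consistency check for the two-sided configuration above, as an added example that is not part of the original post: the firewall values are copied from the FW1/FW2 steps, while the checker, its dict layout and function names are my own. It verifies the points a reviewer would look for (remote-address pointing at the peer's WAN address, identical proposals and pre-shared key, mirrored ACLs) and, for step 11, that the no-nat flow is exactly the IPSec flow.

```python
import ipaddress

def wild(addr, wildcard):
    """Convert a Huawei ACL 'address wildcard' pair into an ip_network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def flows(*pairs):
    """Build (source, destination) network pairs from ACL-style strings."""
    return [(wild(*s.split()), wild(*d.split())) for s, d in pairs]

# Values copied from the FW1/FW2 configuration above (constructed dicts).
FW1 = {"wan": "220.163.100.2",
       "acl": flows(("192.168.10.0 0.0.0.255", "192.168.20.0 0.0.0.255")),
       "no_nat": flows(("192.168.10.0 0.0.0.255", "192.168.20.0 0.0.0.255")),
       "ipsec_proposal": ("sha1", "aes"), "ike_proposal": ("pre-share", "sha1"),
       "peer": {"psk": "ccieh3c.taobao.com", "remote": "220.163.200.2"}}
FW2 = {"wan": "220.163.200.2",
       "acl": flows(("192.168.20.0 0.0.0.255", "192.168.10.0 0.0.0.255")),
       "no_nat": flows(("192.168.20.0 0.0.0.255", "192.168.10.0 0.0.0.255")),
       "ipsec_proposal": ("sha1", "aes"), "ike_proposal": ("pre-share", "sha1"),
       "peer": {"psk": "ccieh3c.taobao.com", "remote": "220.163.100.2"}}

def check_side(me, other):
    """Findings for one side of the tunnel; an empty list means it is consistent."""
    findings = []
    if me["peer"]["remote"] != other["wan"]:
        findings.append(f"remote-address {me['peer']['remote']} is not the peer WAN {other['wan']}")
    if me["peer"]["psk"] != other["peer"]["psk"]:
        findings.append("pre-shared keys differ")
    if (me["ipsec_proposal"], me["ike_proposal"]) != (other["ipsec_proposal"], other["ike_proposal"]):
        findings.append("IPSec/IKE proposals differ between the peers")
    if set(me["acl"]) != {(d, s) for s, d in other["acl"]}:
        findings.append("security acl is not the mirror image of the peer's acl")
    # Step 11: the no-nat flow must equal the IPSec flow exactly, otherwise the
    # packet is source-NATed first and no longer matches acl 3000.
    if set(me["no_nat"]) != set(me["acl"]):
        findings.append("no-nat policy does not match security acl: traffic would be NATed, not encrypted")
    return findings

def check_tunnel(a, b):
    """Check both directions of the tunnel and return all findings."""
    return check_side(a, b) + check_side(b, a)

if __name__ == "__main__":
    print("FW1<->FW2:", check_tunnel(FW1, FW2))
    forgot = dict(FW1, no_nat=[])          # constructed: no-nat rule left out
    print("missing no-nat:", check_tunnel(forgot, FW2))
```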
IV. Verification
1. The corresponding IKE SA can be seen on FW1.
<FW1>dis ike sa
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
3.200.2 RD ST v2:2 public
1 220.163.200.2 RD ST v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
2. The corresponding IKE SA can also be seen on FW2.
<FW2>dis ike sa
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
3.100.2 RD v2:2 public
1 220.163.100.2 RD v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
3. View the IPSec SA on FW1.
<FW1>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 23m 33s
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
flow source: 192.168.10.0-192.168.10.255 0-65535 0
flow destination: 192.168.20.0-192.168.20.255 0-65535 0
[inbound ESP SAs]
(0x7f27428c)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): /2187
max received sequence-number: 2659
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
(0xc6c1e9fb)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): /2187
max sent sequence-number: 2661
udp encapsulation used for nat traversal: N
4. View the IPSec SA on FW2.
<FW2>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 24m 36s
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
flow source: 192.168.20.0-192.168.20.255 0-65535 0
flow destination: 192.168.10.0-192.168.10.255 0-65535 0
[inbound ESP SAs]
(0xc6c1e9fb)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): /2124
max received sequence-number: 2780
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
(0x7f27428c)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): /2124
max sent sequence-number: 2780
udp encapsulation used for nat traversal: N
5. The two PCs pinging each other.
PC>ping 192.168.20.20
Ping 192.168.20.20: 32 data bytes, Press Ctrl_C to break
From 192.168.20.20: bytes=32 seq=1 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=2 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=3 ttl=126 time=32 ms
From 192.168.20.20: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.20.20: bytes=32 seq=5 ttl=126 time=94 ms
--- 192.168.20.20 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/53/94 ms
PC>ping 192.168.10.10
Ping 192.168.10.10: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: bytes=32 seq=1 ttl=126 time=32 ms
From 192.168.10.10: bytes=32 seq=2 ttl=126 time=62 ms
From 192.168.10.10: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.10.10: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.10.10: bytes=32 seq=5 ttl=126 time=62 ms
--- 192.168.10.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/53/63 ms
Note: the simulator uses the 1200 series; the routers are interconnected over GE ports, the PCs use Ethernet ports, and each PC is attached to virtual interface vlan1.
Key configuration:
# Configure the access control list that defines the VPN traffic. Note that before the VPN is established the two clients cannot reach each other.
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
 rule 10 deny ip
# Create the proposal tran1. Tunnel mode and ESP encapsulation are the defaults and the default encryption algorithm is DES; what matters is that both ends match.
ipsec proposal tran1
 esp authentication-algorithm sha1
# Configure the peer: the shared key and the remote IP address.
ike peer peer v2
 pre-shared-key simple
 remote-address 222.1.1.2
# Create the security policy map1.
ipsec policy map1 10 isakmp
 security acl 3000      # reference the ACL
 ike-peer peer          # reference the IKE peer
 proposal tran1         # reference the proposal
# Apply the security policy on the WAN interface.
interface GigabitEthernet0/0/0
 ip address 211.1.1.2 255.255.255.0
 ipsec policy map1
The router in the middle only needs IP addresses on its interfaces; it simulates the public network.
Configure the remote router by analogy with the configuration above.
Ping the remote client2 from client1:
PC>ping 172.16.10.10
Ping 172.16.10.10: 32 data bytes, Press Ctrl_C to break
From 172.16.10.10: bytes=32 seq=1 ttl=127 time=16 ms
From 172.16.10.10: bytes=32 seq=2 ttl=127 time=31 ms
From 172.16.10.10: bytes=32 seq=3 ttl=127 time=15 ms
From 172.16.10.10: bytes=32 seq=4 ttl=127 time=15 ms
From 172.16.10.10: bytes=32 seq=5 ttl=127 time=15 ms
Unfortunately this ping cannot be issued from the VPN router itself.
View the security association
[r1]dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500    (note: VPN instability is often caused by the MTU; adjust it to a suitable value)
===============================
  -----------------------------
  IPSec policy name: "map1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 8
    Encapsulation mode: Tunnel
    Tunnel local      : 211.1.1.2
    Tunnel remote     : 222.1.1.2
    Flow source       : 192.168.10.0/255.255.255.0 0/0
    Flow destination  : 172.16.10.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    [Outbound ESP SAs]
      SPI: (0xbc2923b)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): /2480
      Max received sequence-number: 30
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
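The path MTU note above is worth quantifying. As an added example (not from the original post), this computes ESP tunnel-mode packet sizes per RFC 4303 for the ESP-ENCRYPT-DES-64/AES + ESP-AUTH-SHA1 (HMAC-SHA1-96) proposals shown in the output, so you can see which inner packets no longer fit a 1500-byte path MTU and why large transfers fragment while a 32-byte ping works; the function names and constants are my own.

```python
# cipher -> (IV length, block size) for CBC mode; ICV for HMAC-SHA1-96 is 12 bytes
CIPHERS = {"des": (8, 8), "aes": (16, 16)}
OUTER_IP, ESP_HDR, ICV, NAT_T_UDP = 20, 8, 12, 8   # bytes

def esp_tunnel_size(inner_len, cipher, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes sent in
    tunnel mode with ESP-ENCRYPT-<cipher> ESP-AUTH-SHA1."""
    iv, block = CIPHERS[cipher]
    # pad length + next header (2 bytes) ride with the payload, and the whole
    # encrypted part must be padded up to a multiple of the cipher block size
    encrypted = -(-(inner_len + 2) // block) * block
    size = OUTER_IP + ESP_HDR + iv + encrypted + ICV
    # 'udp encapsulation used for nat traversal: Y' adds a UDP header
    return size + NAT_T_UDP if nat_t else size

def max_inner_for_mtu(mtu, cipher, nat_t=False):
    """Largest inner packet that still fits the path MTU without fragmentation."""
    n = mtu
    while esp_tunnel_size(n, cipher, nat_t) > mtu:
        n -= 1
    return n

if __name__ == "__main__":
    ping = 20 + 8 + 32            # IP + ICMP header + 32 data bytes, as in the pings above
    for c in CIPHERS:
        print(f"{c}: ping on the wire = {esp_tunnel_size(ping, c)} bytes, "
              f"max inner packet for path MTU 1500 = {max_inner_for_mtu(1500, c)} bytes")
```

An inner 1500-byte packet becomes 1560 bytes with AES/SHA1 and must be fragmented, which is the instability the note refers to; lowering the inner MTU (or TCP MSS) below the value returned by max_inner_for_mtu avoids it.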
View the proposal (this can be viewed even if no VPN has been established)
[r1]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: tran1
 Encapsulation mode: Tunnel
 Transform         : esp-new
 ESP protocol      : Authentication SHA1-HMAC-96
                     Encryption     DES
View the security policy
[r1]dis ipsec policy
===========================================
IPSec policy group: "map1"
Using interface: GigabitEthernet0/0/0
===========================================
    Sequence number: 10
    Security data flow: 3000
    Peer name    :  peer
    Perfect forward secrecy: None
    Proposal name:  tran1
    IPSec SA local duration(time based): 3600 seconds
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 32
    SA trigger mode: Automatic
    Route inject: None
    Qos pre-classify: Disable
View the IKE security association (phase 2)
[r1]dis ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
        8    222.1.1.2       0     RD                     2
        7    222.1.1.2       0     RD                     1
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
View the IKE proposal. Note that the Huawei default IKE proposal is used here; you can also create your own, and the default proposal always has the lowest priority. To interoperate with other vendors' devices it is common to create several IKE proposals.
[r1]dis ike propo
Number of IKE Proposals: 1
-------------------------------------------
 IKE Proposal: Default
   Authentication method      : pre-shared
   Authentication algorithm   : SHA1
   Encryption algorithm       : DES-CBC
   DH group                   : MODP-768
   SA duration                : 86400
   PRF                        : PRF-HMAC-SHA
-------------------------------------------
Extension: what if headquarters also has a 10.10.10.0 subnet that must be reachable? Simple: add that interesting traffic to the ACL. This has been tested.
dis acl all
 Total quantity of nonempty ACL number is 1
Advanced ACL 3000, 3 rules
Acl's step is 5
 rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 6 permit ip source 10.10.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 deny ip
dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "use1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 11
    Encapsulation mode: Tunnel
    Tunnel local      : 222.1.1.2
    Tunnel remote     : 211.1.1.2
    Flow source       : 172.16.10.0/255.255.255.0 0/0
    Flow destination  : 192.168.10.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    [Outbound ESP SAs]
      SPI: (0xcb9dfdb7)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): /2357
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]
      SPI: (0x39648c7a)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): /2357
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
  -----------------------------
  IPSec policy name: "use1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 6
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 14
    Encapsulation mode: Tunnel
    Tunnel local      : 222.1.1.2
    Tunnel remote     : 211.1.1.2
    Flow source       : 10.10.10.0/255.255.255.0 0/0
    Flow destination  : 192.168.10.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    [Outbound ESP SAs]
      SPI: (0xadfe40aa)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): /3424
      Max sent sequence-number: 3
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]
      SPI: (0x284a4cc6)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): /3424
      Max received sequence-number: 3
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N