Establishing a point-to-point IPSec tunnel between the headquarters gateway and a branch gateway
An IPSec VPN is set up between the headquarters gateway and the branch gateway so that the two sites can reach each other. The headquarters gateway has a fixed IP address and reaches the Internet through NAT. The branch obtains its IP address over ADSL, and the address differs each time it connects.
Networking requirements
As shown in Figure 1, USG_A connects the headquarters (HQ) and USG_B connects the branch (Branch). USG_A has a fixed IP address, and the headquarters reaches the Internet through NAT; the branch reaches the Internet over an ADSL interface and its IP address is not fixed. Devices on the branch's internal network obtain IP addresses via DHCP from the USG_B interface.
The requirement is to configure IKE so that it negotiates and establishes the IPSec tunnel automatically, allowing the branch and headquarters to reach each other.
Configuration roadmap
Based on the networking requirements, the configuration roadmap is as follows:
- Configure an ADSL interface on the branch device so that it can reach the Internet.
- On the devices at both tunnel ends, use NAT policies to distinguish Internet-bound traffic from IPSec traffic, and apply NAT only to the Internet-bound traffic.
- Configure IPSec on the headquarters in template mode so that it can respond to multiple branches; configure IPSec on the branch in non-template mode.
- For the branch to reach the headquarters, enable domain name resolution and a DDNS policy on USG_B, so that the IP address it obtains is mapped to its domain name on the DNS server in the network and the mapping is updated promptly.
Procedure
- Configure USG_A
# Configure interface GigabitEthernet 0/0/1.
<USG_A> system-view
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[USG_A-GigabitEthernet0/0/1] quit
# Add GigabitEthernet 0/0/1 to the Trust zone.
[USG_A] firewall zone trust
[USG_A-zone-trust] add interface GigabitEthernet 0/0/1
[USG_A-zone-trust] quit
# Configure interface GigabitEthernet 0/0/2.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ip address 202.10.12.1 24
[USG_A-GigabitEthernet0/0/2] quit
# Add GigabitEthernet 0/0/2 to the Untrust zone.
[USG_A] firewall zone untrust
[USG_A-zone-untrust] add interface GigabitEthernet 0/0/2
[USG_A-zone-untrust] quit
# Configure interzone packet filtering between the Trust and Untrust zones.
[USG_A] policy interzone trust untrust inbound
[USG_A-policy-interzone-trust-untrust-inbound] policy 1
[USG_A-policy-interzone-trust-untrust-inbound-1] policy source 10.1.3.0 0.0.0.255
[USG_A-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.1.0 0.0.0.255
[USG_A-policy-interzone-trust-untrust-inbound-1] action permit
[USG_A-policy-interzone-trust-untrust-inbound-1] quit
[USG_A-policy-interzone-trust-untrust-inbound] quit
[USG_A] policy interzone trust untrust outbound
[USG_A-policy-interzone-trust-untrust-outbound] policy 1
[USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[USG_A-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
[USG_A-policy-interzone-trust-untrust-outbound-1] action permit
[USG_A-policy-interzone-trust-untrust-outbound-1] quit
[USG_A-policy-interzone-trust-untrust-outbound] quit
# Configure interzone packet filtering between the Local and Untrust zones.
[USG_A] policy interzone local untrust inbound
[USG_A-policy-interzone-local-untrust-inbound] policy 1
[USG_A-policy-interzone-local-untrust-inbound-1] action permit
[USG_A-policy-interzone-local-untrust-inbound-1] quit
[USG_A-policy-interzone-local-untrust-inbound] quit
[USG_A] policy interzone local untrust outbound
[USG_A-policy-interzone-local-untrust-outbound] policy 1
[USG_A-policy-interzone-local-untrust-outbound-1] policy source 202.10.12.0 0.0.0.255
[USG_A-policy-interzone-local-untrust-outbound-1] action permit
[USG_A-policy-interzone-local-untrust-outbound-1] quit
[USG_A-policy-interzone-local-untrust-outbound] quit
# Configure a default route, assuming the next hop is 202.10.12.2.
[USG_A] ip route-static 0.0.0.0 0 202.10.12.2
# Configure an ACL that matches the IPSec traffic.
[USG_A] acl 3001
[USG_A-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[USG_A-acl-adv-3001] quit
# Configure an IPSec proposal using default parameters.
[USG_A] ipsec proposal 1
[USG_A-ipsec-proposal-1] quit
# Configure an IKE proposal using default parameters.
[USG_A] ike proposal 1
[USG_A-ike-proposal-1] quit
# Configure the IKE peer.
[USG_A] ike peer 1
[USG_A-ike-peer-1] exchange-mode aggressive
[USG_A-ike-peer-1] ike-proposal 1
[USG_A-ike-peer-1] local-id-type ip
[USG_A-ike-peer-1] remote-domain www.adsl.3322.org
[USG_A-ike-peer-1] pre-shared-key abcde
[USG_A-ike-peer-1] quit
# Configure the IPSec policy map.
[USG_A] ipsec policy map 1 isakmp
[USG_A-ipsec-policy-isakmp-map-1] security acl 3001
[USG_A-ipsec-policy-isakmp-map-1] proposal 1
[USG_A-ipsec-policy-isakmp-map-1] ike-peer 1
[USG_A-ipsec-policy-isakmp-map-1] quit
# Apply the IPSec policy map to the interface.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map
[USG_A-GigabitEthernet0/0/2] quit
# Configure NAT so that Internet-bound traffic is translated and IPSec traffic is not.
[USG_A] nat-policy interzone trust untrust outbound
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 2
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet 0/0/2
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG_A-nat-policy-interzone-trust-untrust-outbound] quit
- Configure USG_B
# Configure interface GigabitEthernet 0/0/1 and enable DHCP so that internal users are assigned IP addresses automatically.
<USG_B> system-view
[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[USG_B-GigabitEthernet0/0/1] dhcp select interface
[USG_B-GigabitEthernet0/0/1] quit
# Configure the ADSL interface for Internet access.
[USG_B] dialer-rule 10 ip permit
[USG_B] interface Dialer 1
[USG_B-Dialer1] dialer user adsluser
[USG_B-Dialer1] dialer bundle 5
[USG_B-Dialer1] dialer-group 10
[USG_B-Dialer1] ip address ppp-negotiate
[USG_B-Dialer1] ppp pap local-user adsluser password cipher Admin@123
[USG_B-Dialer1] ppp chap user adsluser
[USG_B-Dialer1] ppp chap password cipher Admin@123
[USG_B-Dialer1] quit
[USG_B] firewall zone untrust
[USG_B-zone-untrust] add interface Dialer 1
[USG_B-zone-untrust] quit
[USG_B] interface Atm 2/0/0
[USG_B-Atm2/0/0] pppoe-client dial-bundle-number 5
[USG_B-Atm2/0/0] quit
# Configure interzone packet filtering between the Trust and Untrust zones.
[USG_B] policy interzone trust untrust inbound
[USG_B-policy-interzone-trust-untrust-inbound] policy 1
[USG_B-policy-interzone-trust-untrust-inbound-1] policy source 10.1.1.0 0.0.0.255
[USG_B-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 0.0.0.255
[USG_B-policy-interzone-trust-untrust-inbound-1] action permit
[USG_B-policy-interzone-trust-untrust-inbound-1] quit
[USG_B-policy-interzone-trust-untrust-inbound] quit
[USG_B] policy interzone trust untrust outbound
[USG_B-policy-interzone-trust-untrust-outbound] policy 1
[USG_B-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 0.0.0.255
[USG_B-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.1.0 0.0.0.255
[USG_B-policy-interzone-trust-untrust-outbound-1] action permit
[USG_B-policy-interzone-trust-untrust-outbound-1] quit
[USG_B-policy-interzone-trust-untrust-outbound] quit
# Configure interzone packet filtering between the Local and Untrust zones.
[USG_B] policy interzone local untrust inbound
[USG_B-policy-interzone-local-untrust-inbound] policy 1
[USG_B-policy-interzone-local-untrust-inbound-1] policy source 202.10.12.0 0.0.0.255
[USG_B-policy-interzone-local-untrust-inbound-1] action permit
[USG_B-policy-interzone-local-untrust-inbound-1] quit
[USG_B-policy-interzone-local-untrust-inbound] quit
[USG_B] policy interzone local untrust outbound
[USG_B-policy-interzone-local-untrust-outbound] policy 1
[USG_B-policy-interzone-local-untrust-outbound-1] action permit
[USG_B-policy-interzone-local-untrust-outbound-1] quit
[USG_B-policy-interzone-local-untrust-outbound] quit
# Configure a default route.
[USG_B] ip route-static 0.0.0.0 0 Dialer1
# Configure an ACL that matches the IPSec traffic.
[USG_B] acl 3001
[USG_B-acl-adv-3001] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3001] quit
# Configure IPSec proposal 1 using default parameters.
[USG_B] ipsec proposal 1
[USG_B-ipsec-proposal-1] quit
# Configure an IKE proposal using default parameters.
[USG_B] ike proposal 1
[USG_B-ike-proposal-1] quit
# Configure the IKE peer.
[USG_B] ike peer 1
[USG_B-ike-peer-1] exchange-mode aggressive
[USG_B-ike-peer-1] ike-proposal 1
[USG_B-ike-peer-1] remote-address 202.10.12.1
[USG_B-ike-peer-1] pre-shared-key abcde
[USG_B-ike-peer-1] quit
# Configure the IPSec policy.
[USG_B] ipsec policy map 1 isakmp
[USG_B-ipsec-policy-isakmp-map-1] security acl 3001
[USG_B-ipsec-policy-isakmp-map-1] proposal 1
[USG_B-ipsec-policy-isakmp-map-1] ike-peer 1
[USG_B-ipsec-policy-isakmp-map-1] quit
# Apply the IPSec policy on interface Dialer1.
[USG_B] interface Dialer 1
[USG_B-Dialer1] ipsec policy map
[USG_B-Dialer1] quit
# Enable domain name resolution so that USG_B can reach the DDNS server by domain name.
[USG_B] dns resolve
[USG_B] dns server 200.1.1.1
# Apply for DDNS service from a DDNS service provider.
Contact the DDNS service provider and follow its instructions. Assume the chosen DDNS service provider is www.3322.org, the user name and password obtained are both abc123, and the DDNS client's domain name is www.adsl.3322.org.
# Configure the DDNS policy.
[USG_B] ddns policy abc
[USG_B-ddns-policy-abc] ddns client www.adsl.3322.org
[USG_B-ddns-policy-abc] ddns server www.3322.org
[USG_B-ddns-policy-abc] ddns username abc123 password abc123
[USG_B-ddns-policy-abc] quit
# Apply the DDNS policy.
[USG_B] ddns client enable
[USG_B] interface Dialer 1
[USG_B-Dialer1] ddns apply policy abc
[USG_B-Dialer1] quit
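As an added check that is not part of the original configuration example, the following Python models how the ACL wildcard masks and the ordered nat-policy configured above are evaluated: tunnel traffic from 10.1.1.0/24 to 10.1.3.0/24 hits the no-nat rule first, Internet-bound traffic is source-NATed, swapping the two rules would NAT the tunnel traffic (which would then no longer match ACL 3001 at the peer), and the two ends' ACLs are mirror images of each other. The wildcard semantics modelled here and the Internet destination 203.0.113.10 are assumptions constructed for the example, not taken from the page.

```python
# Added example, not part of the Huawei configuration: an offline model of
# ACL wildcard matching and first-match evaluation of the USG_A nat-policy
# shown above. Addresses not on the page (the Internet destination
# 203.0.113.10) are constructed for this example.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard as assumed here: a 1 bit in the wildcard is 'don't care',
    so 10.1.3.0 0.0.0.255 and 10.1.3.1 0.0.0.255 match the same hosts."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# Ordered nat-policy from the USG_A steps above, as
# (src_base, src_wildcard, (dst_base, dst_wildcard) or None, action).
# Order matters: the no-nat exemption must precede the source-nat rule.
USG_A_NAT_POLICY = [
    ("10.1.1.0", "0.0.0.255", ("10.1.3.0", "0.0.0.255"), "no-nat"),
    ("10.1.1.0", "0.0.0.255", None, "source-nat"),
]

# IPSec ACL 3001 at each end, as (src_base, src_wc, dst_base, dst_wc).
ACL_USG_A = ("10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255")
ACL_USG_B = ("10.1.3.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")


def nat_action(policy, src: str, dst: str):
    """First matching rule wins; None means no rule matched."""
    for s_base, s_wc, dest, action in policy:
        if not wildcard_match(src, s_base, s_wc):
            continue
        if dest is not None and not wildcard_match(dst, *dest):
            continue
        return action
    return None


def acls_mirror(acl_a, acl_b) -> bool:
    """The two ends' security ACLs must be mirror images (A's source is B's
    destination and vice versa), otherwise the protected flows do not line up."""
    return acl_a[0:2] == acl_b[2:4] and acl_a[2:4] == acl_b[0:2]


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.1.3.20"), ("10.1.1.10", "203.0.113.10")]:
        print(f"{src} -> {dst}: {nat_action(USG_A_NAT_POLICY, src, dst)}")
    print("ACLs mirror:", acls_mirror(ACL_USG_A, ACL_USG_B))
```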
Configuration scripts
USG_A configuration script
#
ike local-name client
#
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike proposal 1
encryption-algorithm aes-cbc
dh group2
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
ike-proposal 1
remote-domain www.adsl.3322.org
#
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 202.10.12.1 255.255.255.0
ipsec policy map
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.10.12.2
#
policy interzone local untrust inbound
policy 1
action permit
#
policy interzone local untrust outbound
policy 1
action permit
policy source 202.10.12.0 0.0.0.255
#
policy interzone trust untrust inbound
policy 1
action permit
policy source 10.1.3.0 0.0.0.255
policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 10.1.1.0 0.0.0.255
policy destination 10.1.3.0 0.0.0.255
#
nat-policy interzone trust untrust outbound
policy 1
policy source 10.1.1.0 0.0.0.255
policy destination 10.1.3.0 0.0.0.255
action no-nat
policy 2
policy source 10.1.1.0 0.0.0.255
action source-nat
easy-ip GigabitEthernet 0/0/2
#
return
USG_B configuration script
#
dialer-rule 10 ip permit
#
dns resolve
dns server 200.1.1.1
#
ddns client enable
#
acl number 3001
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
encryption-algorithm aes-cbc
dh group2
#
ike peer 1
exchange-mode aggressive
pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
ike-proposal 1
remote-address 202.10.12.1
#
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
interface Dialer1
link-protocol ppp
ppp chap user adsluser
ppp chap password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
ppp pap local-user adsluser password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
ip address ppp-negotiate
dialer user adsluser
dialer-group 10
dialer bundle 5
ipsec policy map
ddns apply policy abc
#
interface GigabitEthernet0/0/1
ip address 10.1.3.1 255.255.255.0
dhcp select interface
#
interface Atm2/0/0
pppoe-client dial-bundle-number 5
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
ddns policy abc
ddns username abc123 password %$%$F\seVlS7YVU8DT"wpee,kYPG%$%$
ddns client www.adsl.3322.org
ddns server www.3322.org
ddns apply policy Dialer1
#
policy interzone local untrust inbound
policy 1
action permit
policy source 202.10.12.0 0.0.0.255
#
policy interzone local untrust outbound
policy 1
action permit
#
policy interzone trust untrust inbound
policy 1
action permit
policy source 10.1.1.0 0.0.0.255
policy destination 10.1.3.0 0.0.0.255
#
policy interzone trust untrust outbound
policy 1
action permit
policy source 10.1.3.0 0.0.0.255
policy destination 10.1.1.0 0.0.0.255
#
return