华为USG5300 采用IKE安全策略方式建立IPSec隧道

本文主要是介绍华为USG5300 采用IKE安全策略方式建立IPSec隧道，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

组网需求：

如图所示，网络A和网络B分别通过USG5300 A和USG5300 B与Internet相连。网络环境描述如下：
网络A属于10.1.1.0/24子网，通过接口GigabitEthernet 0/0/0与USG5300 A连接。
网络B属于10.1.3.0/24子网，通过接口GigabitEthernet 0/0/0与USG5300 B连接。
USG5300 A和USG5300 B路由可达。Network A 可以ping通Network B

网络拓扑

操作步骤：

1、配置USG5300A

配置接口IP地址

[SRG]sysname USGA
[USGA]interface GigabitEthernet 0/0/0
[USGA-GigabitEthernet0/0/0]ip address  10.1.1.1 24
[USGA-GigabitEthernet0/0/0]quit
[USGA]interface  GigabitEthernet  0/0/1
[USGA-GigabitEthernet0/0/1]ip address  192.13.2.1 24
[USGA-GigabitEthernet0/0/1]quit

配置接口加入相应安全区域

[USGA]firewall zone  trust
[USGA-zone-trust]add  interface  GigabitEthernet  0/0/0
[USGA-zone-trust]quit 
[USGA]firewall zone  untrust
[USGA-zone-untrust]add  interface  GigabitEthernet  0/0/1
[USGA-zone-untrust]quit

配置域间包过滤规则

[USGA]firewall packet-filter default permit  interzone  trust  untrust
[USGA]firewall packet-filter default permit  interzone  untrust local

既可以打开Trust域和Untrust域的域间缺省包过滤规则,也可以通过ACL定义包过滤规则。
配置Local域和Untrust域的域间缺省包过滤规则的目的为允许IPSec隧道两端设备通信，使其能够进行隧道协商。

配置到达分支机构的静态路由，下一跳192.13.2.2

[USGA]ip route-static 0.0.0.0 0.0.0.0 192.13.2.2

定义被保护的数据流

[USGA-acl-adv-3000]rule  permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255

为了实现分支的互通，高级ACL的源地址（Source）定义为包括总部和分支的所有网段，目的地址（Destination）定义为各个分支的精确网段。

配置名称为tran1的IPSec安全提议

[USGA]ipsec proposal tran1
[USGA-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGA-ipsec-proposal-tran1]transform esp
[USGA-ipsec-proposal-tran1]esp authentication-algorithm  md5
[USGA-ipsec-proposal-tran1]esp encryption-algorithm des
[USGA-ipsec-proposal-tran1]quit

其中，ESP为默认的安全协议，Tunnel为默认的封装模式，可以不配置。MD5为ESP默认的认证算法，DES为ESP默认的加密算法，可以不配置。

配置序号为10的IKE安全提议

[USGA]ike  proposal  10
[USGA-ike-proposal-10]authentication-method pre-share
[USGA-ike-proposal-10]authentication-algorithm sha1
[USGA-ike-proposal-10]quit

pre-shared-key验证方法为IKE默认的验证方法，SHA1为默认验证算法，可以不配置。

配置IKE Peer

[USGA]ike  peer  b
[USGA-ike-peer-b]ike-proposal  10
[USGA-ike-peer-b]remote-address 131.108.5.2
[USGA-ike-peer-b]pre-shared-key abcde
[USGA-ike-peer-b]quit

USG5300同时开启IKEv1和IKEv2，缺省情况下采用IKEv2进行协商，若对端不支持IKEv2，请禁用IKEv2，采用IKEv1进行协商。请在IKE Peer视图下执行命令[ undo ] version { 1 | 2 }进行配置。
隧道对端IP地址分别为USG5300 B与Internet相连的接口的IP地址。
验证字的配置需要与对端设备相同

配置IPSec安全策略组map1

[USGA]ipsec  policy map1 10 isakmp
[USGA-ipsec-policy-isakmp-map1-10]security  acl  3000
[USGA-ipsec-policy-isakmp-map1-10]proposal tran1
[USGA-ipsec-policy-isakmp-map1-10]ike-peer  b
[USGA-ipsec-policy-isakmp-map1-10]quit

在接口G0/0/1上应用安全策略组map1

[USGA]interface  GigabitEthernet  0/0/1
[USGA-GigabitEthernet0/0/1]ipsec  policy map1
[USGA-GigabitEthernet0/0/1]quit

2、配置USG5300B

配置接口IP地址

[SRG]sysname USGB
[USGB]interface  GigabitEthernet  0/0/0
[USGB-GigabitEthernet0/0/0]ip address  10.1.3.1 24
[USGB-GigabitEthernet0/0/0]quit
[USGB]interface  GigabitEthernet  0/0/1
[USGB-GigabitEthernet0/0/1]ip address  131.108.5.2 24
[USGB-GigabitEthernet0/0/1]quit

配置接口加入相应安全区域

[USGB]firewall zone  trust
[USGB-zone-trust]add  interface  GigabitEthernet  0/0/0
[USGB-zone-trust]quit
[USGB]firewall zone  untrust
[USGB-zone-untrust]add  interface  GigabitEthernet  0/0/1
[USGB-zone-untrust]quit

配置域间包过滤规则

[USGB]firewall packet-filter  default  permit  interzone  trust  untrust
[USGB]firewall packet-filter  default  permit  interzone  untrust  local

配置到达分支机构的静态路由，下一跳131.108.5.1

[USGB]ip route-static 0.0.0.0 0.0.0.0 131.108.5.1

定义被保护的数据流

[USGB-acl-adv-3000]rule  permit  ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

配置名称为tran1的IPSec安全提议

[USGB]ipsec  proposal tran1
[USGB-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGB-ipsec-proposal-tran1]transform esp
[USGB-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGB-ipsec-proposal-tran1]esp encryption-algorithm des
[USGB-ipsec-proposal-tran1]quit

配置序号为10的IKE安全提议

[USGB]ike proposal 10
[USGB-ike-proposal-10]authentication-method pre-share
[USGB-ike-proposal-10]authentication-algorithm sha1
[USGB-ike-proposal-10]quit

配置IKE Peer

[USGB]ike peer  a
[USGB-ike-peer-a]ike-proposal  10
[USGB-ike-peer-a]remote-address 192.13.2.1
[USGB-ike-peer-a]pre-shared-key abcde
[USGB-ike-peer-a]quit

配置IPSec安全策略组map1

[USGB]ipsec  policy map1 10 isakmp
[USGB-ipsec-policy-isakmp-map1-10]security  acl  3000
[USGB-ipsec-policy-isakmp-map1-10]proposal tran1	
[USGB-ipsec-policy-isakmp-map1-10]ike-peer a	
[USGB-ipsec-policy-isakmp-map1-10]quit

在接口G0/0/1上应用安全策略组map1

[USGB]interface  GigabitEthernet  0/0/1
[USGB-GigabitEthernet0/0/1]ipsec  policy map1
[USGB-GigabitEthernet0/0/1]quit

3、配置ISP

<Huawei>system-view
[Huawei]sysname ISP
[ISP]interface  GigabitEthernet  0/0/0
[ISP-GigabitEthernet0/0/0]ip address  192.13.2.2 24
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface  GigabitEthernet  0/0/1
[ISP-GigabitEthernet0/0/1]ip address  131.108.5.1 24
[ISP-GigabitEthernet0/0/1]quit[ISP]ip route-static 10.1.1.0 24 192.13.2.1
[ISP]ip route-static 10.1.3.0 24 131.108.5.2

4、验证结果

USGA

<USGA>display  ike  sa
11:14:05  2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40001      131.108.5.2             RD|ST         v2:2  public
1          131.108.5.2             RD|ST         v2:1  publicflag meaningRD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADINGTO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD<USGA>display  ipsec sa 
11:14:12  2019/03/17
===============================
Interface: GigabitEthernet0/0/1path MTU: 1500
===============================-----------------------------IPsec policy name: "map1"sequence number: 10mode: isakmpvpn: public-----------------------------connection id: 40001rule number: 5encapsulation mode: tunnelholding time: 0d 0h 0m 16stunnel local : 192.13.2.1    tunnel remote: 131.108.5.2flow      source: 10.1.1.0-10.1.1.255 0-65535 0flow destination: 10.1.3.0-10.1.3.255 0-65535 0[inbound ESP SAs] spi: 2200317640 (0x83262ec8)vpn: public  said: 0  cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436680/3584max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs] spi: 2376952271 (0x8dad69cf)vpn: public  said: 1  cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436620/3584max sent sequence-number: 4udp encapsulation used for nat traversal: N

USGB

[USGB]display  ike sa 
11:15:32  2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40001      192.13.2.1              RD            v2:2  public
1          192.13.2.1              RD            v2:1  publicflag meaningRD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADINGTO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD[USGB]display  ipsec  sa 
11:15:37  2019/03/17
===============================
Interface: GigabitEthernet0/0/1path MTU: 1500
===============================-----------------------------IPsec policy name: "map1"sequence number: 10mode: isakmpvpn: public-----------------------------connection id: 40001rule number: 5encapsulation mode: tunnelholding time: 0d 0h 1m 40stunnel local : 131.108.5.2    tunnel remote: 192.13.2.1flow      source: 10.1.3.0-10.1.3.255 0-65535 0flow destination: 10.1.1.0-10.1.1.255 0-65535 0[inbound ESP SAs] spi: 2376952271 (0x8dad69cf)vpn: public  said: 0  cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436620/3500max received sequence-number: 3udp encapsulation used for nat traversal: N[outbound ESP SAs] spi: 2200317640 (0x83262ec8)vpn: public  said: 1  cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436680/3500max sent sequence-number: 3udp encapsulation used for nat traversal: N

这篇关于华为USG5300 采用IKE安全策略方式建立IPSec隧道的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！