本文主要是介绍华为USG5300 采用IKE安全策略方式建立IPSec隧道,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
组网需求:
如图所示,网络A和网络B分别通过USG5300 A和USG5300 B与Internet相连。网络环境描述如下:
网络A属于10.1.1.0/24子网,通过接口GigabitEthernet 0/0/0与USG5300 A连接。
网络B属于10.1.3.0/24子网,通过接口GigabitEthernet 0/0/0与USG5300 B连接。
USG5300 A和USG5300 B路由可达。Network A 可以ping通Network B
网络拓扑
操作步骤:
1、配置USG5300A
- 配置接口IP地址
[SRG]sysname USGA
[USGA]interface GigabitEthernet 0/0/0
[USGA-GigabitEthernet0/0/0]ip address 10.1.1.1 24
[USGA-GigabitEthernet0/0/0]quit
[USGA]interface GigabitEthernet 0/0/1
[USGA-GigabitEthernet0/0/1]ip address 192.13.2.1 24
[USGA-GigabitEthernet0/0/1]quit
- 配置接口加入相应安全区域
[USGA]firewall zone trust
[USGA-zone-trust]add interface GigabitEthernet 0/0/0
[USGA-zone-trust]quit
[USGA]firewall zone untrust
[USGA-zone-untrust]add interface GigabitEthernet 0/0/1
[USGA-zone-untrust]quit
- 配置域间包过滤规则
[USGA]firewall packet-filter default permit interzone trust untrust
[USGA]firewall packet-filter default permit interzone untrust local
既可以打开Trust域和Untrust域的域间缺省包过滤规则,也可以通过ACL定义包过滤规则。
配置Local域和Untrust域的域间缺省包过滤规则的目的为允许IPSec隧道两端设备通信,使其能够进行隧道协商。
- 配置到达分支机构的静态路由,下一跳192.13.2.2
[USGA]ip route-static 0.0.0.0 0.0.0.0 192.13.2.2
- 定义被保护的数据流
[USGA-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
为了实现分支的互通,高级ACL的源地址(Source)定义为包括总部和分支的所有网段,目的地址(Destination)定义为各个分支的精确网段。
- 配置名称为tran1的IPSec安全提议
[USGA]ipsec proposal tran1
[USGA-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGA-ipsec-proposal-tran1]transform esp
[USGA-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGA-ipsec-proposal-tran1]esp encryption-algorithm des
[USGA-ipsec-proposal-tran1]quit
其中,ESP为默认的安全协议,Tunnel为默认的封装模式,可以不配置。MD5为ESP默认的认证算法,DES为ESP默认的加密算法,可以不配置。
- 配置序号为10的IKE安全提议
[USGA]ike proposal 10
[USGA-ike-proposal-10]authentication-method pre-share
[USGA-ike-proposal-10]authentication-algorithm sha1
[USGA-ike-proposal-10]quit
pre-shared-key验证方法为IKE默认的验证方法,SHA1为默认验证算法,可以不配置。
- 配置IKE Peer
[USGA]ike peer b
[USGA-ike-peer-b]ike-proposal 10
[USGA-ike-peer-b]remote-address 131.108.5.2
[USGA-ike-peer-b]pre-shared-key abcde
[USGA-ike-peer-b]quit
USG5300同时开启IKEv1和IKEv2,缺省情况下采用IKEv2进行协商,若对端不支持IKEv2,请禁用IKEv2,采用IKEv1进行协商。请在IKE Peer视图下执行命令[ undo ] version { 1 | 2 }进行配置。
隧道对端IP地址分别为USG5300 B与Internet相连的接口的IP地址。
验证字的配置需要与对端设备相同
- 配置IPSec安全策略组map1
[USGA]ipsec policy map1 10 isakmp
[USGA-ipsec-policy-isakmp-map1-10]security acl 3000
[USGA-ipsec-policy-isakmp-map1-10]proposal tran1
[USGA-ipsec-policy-isakmp-map1-10]ike-peer b
[USGA-ipsec-policy-isakmp-map1-10]quit
在接口G0/0/1上应用安全策略组map1
[USGA]interface GigabitEthernet 0/0/1
[USGA-GigabitEthernet0/0/1]ipsec policy map1
[USGA-GigabitEthernet0/0/1]quit
2、配置USG5300B
- 配置接口IP地址
[SRG]sysname USGB
[USGB]interface GigabitEthernet 0/0/0
[USGB-GigabitEthernet0/0/0]ip address 10.1.3.1 24
[USGB-GigabitEthernet0/0/0]quit
[USGB]interface GigabitEthernet 0/0/1
[USGB-GigabitEthernet0/0/1]ip address 131.108.5.2 24
[USGB-GigabitEthernet0/0/1]quit
- 配置接口加入相应安全区域
[USGB]firewall zone trust
[USGB-zone-trust]add interface GigabitEthernet 0/0/0
[USGB-zone-trust]quit
[USGB]firewall zone untrust
[USGB-zone-untrust]add interface GigabitEthernet 0/0/1
[USGB-zone-untrust]quit
- 配置域间包过滤规则
[USGB]firewall packet-filter default permit interzone trust untrust
[USGB]firewall packet-filter default permit interzone untrust local
- 配置到达分支机构的静态路由,下一跳131.108.5.1
[USGB]ip route-static 0.0.0.0 0.0.0.0 131.108.5.1
- 定义被保护的数据流
[USGB-acl-adv-3000]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
- 配置名称为tran1的IPSec安全提议
[USGB]ipsec proposal tran1
[USGB-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGB-ipsec-proposal-tran1]transform esp
[USGB-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGB-ipsec-proposal-tran1]esp encryption-algorithm des
[USGB-ipsec-proposal-tran1]quit
- 配置序号为10的IKE安全提议
[USGB]ike proposal 10
[USGB-ike-proposal-10]authentication-method pre-share
[USGB-ike-proposal-10]authentication-algorithm sha1
[USGB-ike-proposal-10]quit
- 配置IKE Peer
[USGB]ike peer a
[USGB-ike-peer-a]ike-proposal 10
[USGB-ike-peer-a]remote-address 192.13.2.1
[USGB-ike-peer-a]pre-shared-key abcde
[USGB-ike-peer-a]quit
- 配置IPSec安全策略组map1
[USGB]ipsec policy map1 10 isakmp
[USGB-ipsec-policy-isakmp-map1-10]security acl 3000
[USGB-ipsec-policy-isakmp-map1-10]proposal tran1
[USGB-ipsec-policy-isakmp-map1-10]ike-peer a
[USGB-ipsec-policy-isakmp-map1-10]quit
- 在接口G0/0/1上应用安全策略组map1
[USGB]interface GigabitEthernet 0/0/1
[USGB-GigabitEthernet0/0/1]ipsec policy map1
[USGB-GigabitEthernet0/0/1]quit
3、配置ISP
<Huawei>system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 192.13.2.2 24
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 131.108.5.1 24
[ISP-GigabitEthernet0/0/1]quit[ISP]ip route-static 10.1.1.0 24 192.13.2.1
[ISP]ip route-static 10.1.3.0 24 131.108.5.2
4、验证结果
- USGA
<USGA>display ike sa
11:14:05 2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40001 131.108.5.2 RD|ST v2:2 public
1 131.108.5.2 RD|ST v2:1 publicflag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADINGTO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD<USGA>display ipsec sa
11:14:12 2019/03/17
===============================
Interface: GigabitEthernet0/0/1path MTU: 1500
===============================-----------------------------IPsec policy name: "map1"sequence number: 10mode: isakmpvpn: public-----------------------------connection id: 40001rule number: 5encapsulation mode: tunnelholding time: 0d 0h 0m 16stunnel local : 192.13.2.1 tunnel remote: 131.108.5.2flow source: 10.1.1.0-10.1.1.255 0-65535 0flow destination: 10.1.3.0-10.1.3.255 0-65535 0[inbound ESP SAs] spi: 2200317640 (0x83262ec8)vpn: public said: 0 cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436680/3584max received sequence-number: 2udp encapsulation used for nat traversal: N[outbound ESP SAs] spi: 2376952271 (0x8dad69cf)vpn: public said: 1 cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436620/3584max sent sequence-number: 4udp encapsulation used for nat traversal: N
- USGB
[USGB]display ike sa
11:15:32 2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40001 192.13.2.1 RD v2:2 public
1 192.13.2.1 RD v2:1 publicflag meaningRD--READY ST--STAYALIVE RL--REPLACED FD--FADINGTO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD[USGB]display ipsec sa
11:15:37 2019/03/17
===============================
Interface: GigabitEthernet0/0/1path MTU: 1500
===============================-----------------------------IPsec policy name: "map1"sequence number: 10mode: isakmpvpn: public-----------------------------connection id: 40001rule number: 5encapsulation mode: tunnelholding time: 0d 0h 1m 40stunnel local : 131.108.5.2 tunnel remote: 192.13.2.1flow source: 10.1.3.0-10.1.3.255 0-65535 0flow destination: 10.1.1.0-10.1.1.255 0-65535 0[inbound ESP SAs] spi: 2376952271 (0x8dad69cf)vpn: public said: 0 cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436620/3500max received sequence-number: 3udp encapsulation used for nat traversal: N[outbound ESP SAs] spi: 2200317640 (0x83262ec8)vpn: public said: 1 cpuid: 0x0000proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa remaining key duration (bytes/sec): 1887436680/3500max sent sequence-number: 3udp encapsulation used for nat traversal: N
这篇关于华为USG5300 采用IKE安全策略方式建立IPSec隧道的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!