Multi-vendor VPN series, part 15: IPSec VPN lab on Huawei USG firewalls (can be done in the simulator)

Topology

[Topology diagram: image001.png]

This lab shows how to build an IPSec tunnel when the egress gateways of both headquarters and the branch are also NAT devices, so that headquarters and the branch can reach each other while both sites keep their access to the public network.

1. The router's job is to make FW1 and FW2 reachable from each other. Its configuration is as follows:

interface GigabitEthernet0/0/0
ip address 220.163.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.1 255.255.255.0

2. FW1 configuration:

(1) Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0

(2) Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1

(3) Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all

(4) Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.100.1

(5) Define the traffic to be protected.
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

(6) Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes

(7) Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1

(8) Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.200.2

(9) Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1

(10) Apply IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
ipsec policy map1

(11) Configure NAT. When defining the traffic for NAT, first exempt (deny) the traffic that must be IPSec-encrypted, then define the traffic to be translated. The exempted traffic must match the IPSec-protected traffic exactly: outbound NAT is applied before the IPSec policy, so any packet that is translated no longer matches ACL 3000 and leaves the firewall in the clear.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1

3. FW2 configuration:

(1) Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0


(2) Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1

(3) Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all

(4) Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.200.1

(5) Define the traffic to be protected.
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

(6) Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes

(7) Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1

(8) Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.100.2

(9) Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1

(10) Apply IPSec policy map1 on interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
ipsec policy map1

(11) Configure NAT. When defining the traffic for NAT, first exempt (deny) the traffic that must be IPSec-encrypted, then define the traffic to be translated. The exempted traffic must match the IPSec-protected traffic exactly: outbound NAT is applied before the IPSec policy, so any packet that is translated no longer matches ACL 3000 and leaves the firewall in the clear.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
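The rule in step (11) on both firewalls, that the no-nat policy must mirror the IPSec ACL exactly and be evaluated before the source-nat policy, is easy to get wrong by hand. The Python script below is an added example and is not part of the original article or of any Huawei tooling: it parses constructed excerpts of the FW1 and FW2 configuration above (ACL, IPSec policy binding, NAT policy), checks that every protected flow has an exactly matching no-nat entry and vice versa, that no source-nat policy precedes an exemption, and that the two peers' ACLs mirror each other. The function names, the `swap_sites` helper and the deliberately broken `FW1_BAD_CONFIG` variant are my own constructions for illustration.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of the FW1 configuration shown above (only the lines the
# check needs). FW2 is the mirror image; FW1_BAD_CONFIG is a deliberately
# mismatched variant (no-nat destination narrowed to a /25).
FW1_CONFIG = """\
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec policy map1 10 isakmp
security acl 3000
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
"""

def swap_sites(cfg):
    """Hypothetical helper: derive the peer's config by swapping the two LAN prefixes."""
    return (cfg.replace("192.168.10.0", "@")
               .replace("192.168.20.0", "192.168.10.0")
               .replace("@", "192.168.20.0"))

FW2_CONFIG = swap_sites(FW1_CONFIG)
FW1_BAD_CONFIG = FW1_CONFIG.replace("policy destination 192.168.20.0 0.0.0.255",
                                    "policy destination 192.168.20.0 0.0.0.127")

ACL_RULE = re.compile(
    r"^rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")

def net(addr, wildcard):
    """Address + Huawei wildcard mask -> IPv4Network (ipaddress accepts hostmask form)."""
    return IPv4Network(f"{addr}/{wildcard}")

def parse_acl(config):
    """(source, destination) network pairs the IPSec ACL protects."""
    flows = []
    for line in config.splitlines():
        m = ACL_RULE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            flows.append((net(src, src_wc), net(dst, dst_wc)))
    return flows

def parse_nat_policies(config):
    """NAT policies in evaluation order: [{'id', 'action', 'source', 'destination'}, ...]."""
    policies, cur = [], None
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "policy" and parts[1].isdigit():
            cur = {"id": int(parts[1]), "action": None, "source": None, "destination": None}
            policies.append(cur)
        elif cur is None:
            continue
        elif parts[:1] == ["action"]:
            cur["action"] = parts[1]
        elif parts[:2] == ["policy", "source"]:
            cur["source"] = net(parts[2], parts[3])
        elif parts[:2] == ["policy", "destination"]:
            cur["destination"] = net(parts[2], parts[3])
    return policies

def check_nat_exemption(config):
    """Problems found when the no-nat policy does not exactly mirror the IPSec ACL."""
    issues = []
    flows = parse_acl(config)
    policies = parse_nat_policies(config)
    exempt = {(p["source"], p["destination"]) for p in policies if p["action"] == "no-nat"}
    for src, dst in flows:
        if (src, dst) not in exempt:
            issues.append(f"IPSec flow {src} -> {dst} has no exactly matching no-nat policy")
    for src, dst in exempt:
        if (src, dst) not in flows:
            issues.append(f"no-nat policy {src} -> {dst} matches no IPSec ACL rule")
    # The exemption must be hit before any source-nat policy translates the packet.
    first_snat = next((i for i, p in enumerate(policies) if p["action"] == "source-nat"), None)
    last_nonat = max((i for i, p in enumerate(policies) if p["action"] == "no-nat"), default=None)
    if first_snat is not None and last_nonat is not None and first_snat < last_nonat:
        issues.append("a source-nat policy precedes a no-nat policy; exempt traffic would be translated")
    return issues

def peers_mirror(config_a, config_b):
    """True if every protected flow on A appears reversed on B and vice versa."""
    a = set(parse_acl(config_a))
    b = {(dst, src) for src, dst in parse_acl(config_b)}
    return a == b

if __name__ == "__main__":
    print("FW1:", check_nat_exemption(FW1_CONFIG))          # []
    print("FW2:", check_nat_exemption(FW2_CONFIG))          # []
    print("mirror:", peers_mirror(FW1_CONFIG, FW2_CONFIG))  # True
    print("FW1 bad:", check_nat_exemption(FW1_BAD_CONFIG))  # two mismatch messages
```

Run it against a saved `display current-configuration` excerpt from each box before bringing the tunnel up; an empty list from `check_nat_exemption` and `True` from `peers_mirror` is the expected result for the configuration in this lab.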

4. Verification

(1) The corresponding IKE SA can be seen on FW1.
dis ike sa
23:30:22 2014/03/19
current ike sa number: 2
—————————————————————————–
conn-id peer flag phase ***
—————————————————————————–
40001 220.163.200.2 RD|ST v2:2 public
1 220.163.200.2 RD|ST v2:1 public
flag meaning
RD–READY ST–STAYALIVE RL–REPLACED FD–FADING
TO–TIMEOUT TD–DELETING NEG–NEGOTIATING D–DPD

(2) The corresponding IKE SA can also be seen on FW2.
dis ike sa
23:31:10 2014/03/19
current ike sa number: 2
—————————————————————————–
conn-id peer flag phase ***
—————————————————————————–
40001 220.163.100.2 RD v2:2 public
1 220.163.100.2 RD v2:1 public
flag meaning
RD–READY ST–STAYALIVE RL–REPLACED FD–FADING
TO–TIMEOUT TD–DELETING NEG–NEGOTIATING D–DPD

(3) View the IPSec SA on FW1.
dis ipsec sa
23:33:03 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
—————————–
IPsec policy name: “map1”
sequence number: 10
mode: isakmp
***: public
—————————–
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 23m 33s
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
flow source: 192.168.10.0-192.168.10.255 0-65535 0
flow destination: 192.168.20.0-192.168.20.255 0-65535 0
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
***: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277260/2187
max received sequence-number: 2659
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
***: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277200/2187
max sent sequence-number: 2661
udp encapsulation used for nat traversal: N

(4) View the IPSec SA on FW2.
dis ipsec sa
23:34:06 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
—————————–
IPsec policy name: “map1”
sequence number: 10
mode: isakmp
***: public
—————————–
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 24m 36s
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
flow source: 192.168.20.0-192.168.20.255 0-65535 0
flow destination: 192.168.10.0-192.168.10.255 0-65535 0
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
***: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270000/2124
max received sequence-number: 2780
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
***: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270060/2124
max sent sequence-number: 2780
udp encapsulation used for nat traversal: N
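The `dis ike sa` and `dis ipsec sa` output in steps (1) to (4) is what actually confirms the tunnel is up, and comparing it across two boxes by eye is error-prone. The Python script below is an added example, not part of the original article or of Huawei's tooling: it parses excerpts of the FW1 and FW2 output reproduced above (embedded as strings so it runs offline), checks that both IKE phases with the expected peer carry the RD (READY) flag, that each peer's inbound ESP SPI equals the other peer's outbound SPI, that the negotiated proposal is the configured ESP-ENCRYPT-AES ESP-AUTH-SHA1, and reports whether NAT-traversal UDP encapsulation was negotiated. The function names are my own; the phase labels `v2:1`/`v2:2` are taken from this lab's output.

```python
import re

# Excerpts of the lab output shown above, embedded as strings; only the lines
# the checks need are kept.
FW1_IKE_SA = """\
40001 220.163.200.2 RD|ST v2:2 public
1 220.163.200.2 RD|ST v2:1 public
"""
FW2_IKE_SA = """\
40001 220.163.100.2 RD v2:2 public
1 220.163.100.2 RD v2:1 public
"""
FW1_IPSEC_SA = """\
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: N
"""
FW2_IPSEC_SA = """\
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: N
"""

IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(v\d:\d)\s+(\S+)$")

def parse_ike_sa(output):
    """IKE SA table rows -> list of dicts with conn_id, peer, flags (set) and phase."""
    rows = []
    for line in output.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            conn, peer, flags, phase, _vpn = m.groups()
            rows.append({"conn_id": int(conn), "peer": peer,
                         "flags": set(flags.split("|")), "phase": phase})
    return rows

def ike_ready(output, peer):
    """True when both IKE phases with the expected peer are in READY (RD) state."""
    phases = {r["phase"] for r in parse_ike_sa(output)
              if r["peer"] == peer and "RD" in r["flags"]}
    return {"v2:1", "v2:2"} <= phases

def parse_ipsec_sa(output):
    """Tunnel endpoints plus per-direction ESP SA attributes (spi, proposal, nat_t)."""
    info, cur = {"local": None, "remote": None, "inbound": {}, "outbound": {}}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)", line)
        if m:
            info["local"], info["remote"] = m.groups()
        elif line.startswith("[inbound ESP"):
            cur = info["inbound"]
        elif line.startswith("[outbound ESP"):
            cur = info["outbound"]
        elif cur is not None:
            if line.startswith("spi:"):
                cur["spi"] = int(line.split()[1])
            elif line.startswith("proposal:"):
                cur["proposal"] = line.split(":", 1)[1].strip()
            elif line.startswith("udp encapsulation used for nat traversal:"):
                cur["nat_t"] = line.rsplit(":", 1)[1].strip() == "Y"
    return info

def check_tunnel(local_out, remote_out, expected_proposal):
    """Cross-check one tunnel from both ends; returns a list of problems (empty = healthy)."""
    a, b = parse_ipsec_sa(local_out), parse_ipsec_sa(remote_out)
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints do not mirror each other")
    if a["inbound"].get("spi") != b["outbound"].get("spi"):
        problems.append("local inbound SPI != remote outbound SPI")
    if a["outbound"].get("spi") != b["inbound"].get("spi"):
        problems.append("local outbound SPI != remote inbound SPI")
    for side, info in (("local", a), ("remote", b)):
        for direction in ("inbound", "outbound"):
            if info[direction].get("proposal") != expected_proposal:
                problems.append(f"{side} {direction} proposal is not {expected_proposal}")
    return problems

def nat_traversal_in_use(output):
    """True if any ESP SA in the output negotiated UDP encapsulation (NAT-T)."""
    info = parse_ipsec_sa(output)
    return any(info[d].get("nat_t") for d in ("inbound", "outbound"))

if __name__ == "__main__":
    print("IKE ready FW1:", ike_ready(FW1_IKE_SA, "220.163.200.2"))  # True
    print("IKE ready FW2:", ike_ready(FW2_IKE_SA, "220.163.100.2"))  # True
    print("tunnel:", check_tunnel(FW1_IPSEC_SA, FW2_IPSEC_SA,
                                  "ESP-ENCRYPT-AES ESP-AUTH-SHA1"))     # []
    print("NAT-T:", nat_traversal_in_use(FW1_IPSEC_SA))                 # False
```

The SPI cross-check is the part worth automating: a tunnel whose inbound SPI on one side does not match the outbound SPI on the other is stale or re-keyed on only one end. NAT-T shows `N` here because, even though both firewalls translate their own LANs, the tunnel endpoints themselves are the firewalls' public addresses and no device sits between them rewriting the ESP headers.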

(5) Ping results between the two PCs.
PC>ping 192.168.20.20
Ping 192.168.20.20: 32 data bytes, Press Ctrl_C to break
From 192.168.20.20: bytes=32 seq=1 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=2 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=3 ttl=126 time=32 ms
From 192.168.20.20: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.20.20: bytes=32 seq=5 ttl=126 time=94 ms
— 192.168.20.20 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/53/94 ms

PC>ping 192.168.10.10
Ping 192.168.10.10: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: bytes=32 seq=1 ttl=126 time=32 ms
From 192.168.10.10: bytes=32 seq=2 ttl=126 time=62 ms
From 192.168.10.10: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.10.10: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.10.10: bytes=32 seq=5 ttl=126 time=62 ms
— 192.168.10.10 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/53/63 ms

This article is reposted from the WeChat public account 网络之路博客.