Huawei USG5300: Building an IPSec Tunnel with an IKE Security Policy
Views: 4224
Published: 2019-05-26


Networking requirements:

As shown in the figure, Network A and Network B connect to the Internet through USG5300 A and USG5300 B respectively. The network environment is as follows:

Network A is the 10.1.1.0/24 subnet and connects to USG5300 A through interface GigabitEthernet 0/0/0.
Network B is the 10.1.3.0/24 subnet and connects to USG5300 B through interface GigabitEthernet 0/0/0.
USG5300 A and USG5300 B are reachable from each other by routing. Network A can ping Network B.

Network topology

Procedure:

1. Configure USG5300 A

  • Configure interface IP addresses
[SRG]sysname USGA
[USGA]interface GigabitEthernet 0/0/0
[USGA-GigabitEthernet0/0/0]ip address 10.1.1.1 24
[USGA-GigabitEthernet0/0/0]quit
[USGA]interface GigabitEthernet 0/0/1
[USGA-GigabitEthernet0/0/1]ip address 192.13.2.1 24
[USGA-GigabitEthernet0/0/1]quit
  • Add the interfaces to their security zones
[USGA]firewall zone trust
[USGA-zone-trust]add interface GigabitEthernet 0/0/0
[USGA-zone-trust]quit
[USGA]firewall zone untrust
[USGA-zone-untrust]add interface GigabitEthernet 0/0/1
[USGA-zone-untrust]quit
  • Configure the interzone packet-filter rules
[USGA]firewall packet-filter default permit interzone trust untrust
[USGA]firewall packet-filter default permit interzone untrust local

You can either enable the default interzone packet filter between the Trust and Untrust zones, or define the packet-filter rules with an ACL.

The default packet-filter rule between the Local and Untrust zones is enabled so that the devices at the two ends of the IPSec tunnel can communicate with each other and negotiate the tunnel.

  • Configure the static route towards the branch office, next hop 192.13.2.2
[USGA]ip route-static 0.0.0.0 0.0.0.0 192.13.2.2
  • Define the data flow to be protected
[USGA]acl 3000
[USGA-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255

To let the branches reach one another, the source address of the advanced ACL is defined to cover every subnet of the headquarters and the branches, while the destination address is defined as the exact subnet of each branch.

  • Configure an IPSec proposal named tran1
[USGA]ipsec proposal tran1
[USGA-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGA-ipsec-proposal-tran1]transform esp
[USGA-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGA-ipsec-proposal-tran1]esp encryption-algorithm des
[USGA-ipsec-proposal-tran1]quit

Here ESP is the default security protocol and tunnel is the default encapsulation mode, so neither needs to be configured explicitly. MD5 is the default ESP authentication algorithm and DES is the default ESP encryption algorithm, so these need not be configured either.

  • Configure IKE proposal number 10
[USGA]ike proposal 10
[USGA-ike-proposal-10]authentication-method pre-share
[USGA-ike-proposal-10]authentication-algorithm sha1
[USGA-ike-proposal-10]quit

Pre-shared key is IKE's default authentication method and SHA1 is the default authentication algorithm, so neither needs to be configured explicitly.

  • Configure the IKE peer
[USGA]ike peer b
[USGA-ike-peer-b]ike-proposal 10
[USGA-ike-peer-b]remote-address 131.108.5.2
[USGA-ike-peer-b]pre-shared-key abcde
[USGA-ike-peer-b]quit

The USG5300 enables both IKEv1 and IKEv2 and negotiates with IKEv2 by default. If the peer does not support IKEv2, disable IKEv2 and negotiate with IKEv1; run the command [ undo ] version { 1 | 2 } in the IKE peer view to configure this.

The tunnel's remote IP address is the IP address of the interface on USG5300 B that connects to the Internet.
The pre-shared key must be configured identically on the peer device.

  • Configure IPSec policy group map1
[USGA]ipsec policy map1 10 isakmp
[USGA-ipsec-policy-isakmp-map1-10]security acl 3000
[USGA-ipsec-policy-isakmp-map1-10]proposal tran1
[USGA-ipsec-policy-isakmp-map1-10]ike-peer b
[USGA-ipsec-policy-isakmp-map1-10]quit
  • Apply policy group map1 on interface G0/0/1
[USGA]interface GigabitEthernet 0/0/1
[USGA-GigabitEthernet0/0/1]ipsec policy map1
[USGA-GigabitEthernet0/0/1]quit

2. Configure USG5300 B

  • Configure interface IP addresses
[SRG]sysname USGB
[USGB]interface GigabitEthernet 0/0/0
[USGB-GigabitEthernet0/0/0]ip address 10.1.3.1 24
[USGB-GigabitEthernet0/0/0]quit
[USGB]interface GigabitEthernet 0/0/1
[USGB-GigabitEthernet0/0/1]ip address 131.108.5.2 24
[USGB-GigabitEthernet0/0/1]quit
  • Add the interfaces to their security zones
[USGB]firewall zone trust
[USGB-zone-trust]add interface GigabitEthernet 0/0/0
[USGB-zone-trust]quit
[USGB]firewall zone untrust
[USGB-zone-untrust]add interface GigabitEthernet 0/0/1
[USGB-zone-untrust]quit
  • Configure the interzone packet-filter rules
[USGB]firewall packet-filter default permit interzone trust untrust
[USGB]firewall packet-filter default permit interzone untrust local
  • Configure the static route towards the branch office, next hop 131.108.5.1
[USGB]ip route-static 0.0.0.0 0.0.0.0 131.108.5.1
  • Define the data flow to be protected
[USGB]acl 3000
[USGB-acl-adv-3000]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
  • Configure an IPSec proposal named tran1
[USGB]ipsec proposal tran1
[USGB-ipsec-proposal-tran1]encapsulation-mode tunnel
[USGB-ipsec-proposal-tran1]transform esp
[USGB-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGB-ipsec-proposal-tran1]esp encryption-algorithm des
[USGB-ipsec-proposal-tran1]quit
  • Configure IKE proposal number 10
[USGB]ike proposal 10
[USGB-ike-proposal-10]authentication-method pre-share
[USGB-ike-proposal-10]authentication-algorithm sha1
[USGB-ike-proposal-10]quit
  • Configure the IKE peer
[USGB]ike peer a
[USGB-ike-peer-a]ike-proposal 10
[USGB-ike-peer-a]remote-address 192.13.2.1
[USGB-ike-peer-a]pre-shared-key abcde
[USGB-ike-peer-a]quit
  • Configure IPSec policy group map1
[USGB]ipsec policy map1 10 isakmp
[USGB-ipsec-policy-isakmp-map1-10]security acl 3000
[USGB-ipsec-policy-isakmp-map1-10]proposal tran1
[USGB-ipsec-policy-isakmp-map1-10]ike-peer a
[USGB-ipsec-policy-isakmp-map1-10]quit
  • Apply policy group map1 on interface G0/0/1
[USGB]interface GigabitEthernet 0/0/1
[USGB-GigabitEthernet0/0/1]ipsec policy map1
[USGB-GigabitEthernet0/0/1]quit
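As an added check that is not part of the original article, the following Python script parses prompt-prefixed CLI excerpts from both firewalls and verifies the points the text insists on: each remote-address is the peer's untrust interface address, the pre-shared key and ESP algorithms match, and ACL 3000 on one side is the mirror image of the other. The excerpts are constructed from the commands above; the script also flags the DES and MD5 defaults used here, which current guidance treats as weak.

```python
import re

# Constructed excerpts of the two USG5300 configurations above, in the prompt-prefixed form the CLI echoes.
USGA_CFG = """\
[USGA-GigabitEthernet0/0/1]ip address 192.13.2.1 24
[USGA-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[USGA-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGA-ipsec-proposal-tran1]esp encryption-algorithm des
[USGA-ike-peer-b]remote-address 131.108.5.2
[USGA-ike-peer-b]pre-shared-key abcde"""
USGB_CFG = """\
[USGB-GigabitEthernet0/0/1]ip address 131.108.5.2 24
[USGB-acl-adv-3000]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USGB-ipsec-proposal-tran1]esp authentication-algorithm md5
[USGB-ipsec-proposal-tran1]esp encryption-algorithm des
[USGB-ike-peer-a]remote-address 192.13.2.1
[USGB-ike-peer-a]pre-shared-key abcde"""

PROMPT = re.compile(r"^\[[^\]-]+(?:-([^\]]+))?\](.+)$")  # -> (view context, command)
ACL_RULE = re.compile(r"rule permit ip source (\S+) \S+ destination (\S+) \S+")
FIELDS = {"ip address": "local", "remote-address": "remote", "pre-shared-key": "psk",
          "esp authentication-algorithm": "esp_auth", "esp encryption-algorithm": "esp_enc"}
WEAK = {"des", "3des", "md5"}  # algorithms current guidance no longer accepts

def parse(cfg):
    """Pull the fields that must agree between the two tunnel endpoints."""
    f = {}
    for ctx, cmd in (m.groups() for m in map(PROMPT.match, cfg.splitlines()) if m):
        if r := ACL_RULE.match(cmd):
            f["src"], f["dst"] = r.groups()
        for prefix, key in FIELDS.items():
            # "ip address" only counts on G0/0/1, the untrust interface that terminates the tunnel
            if cmd.startswith(prefix + " ") and (key != "local" or ctx == "GigabitEthernet0/0/1"):
                f[key] = cmd[len(prefix):].split()[0]
    return f

def check_pair(a, b):
    """Return the mismatches that would make IKE or IPSec negotiation fail."""
    problems = []
    if (a.get("remote"), b.get("remote")) != (b.get("local"), a.get("local")):
        problems.append("remote-address does not point at the peer's untrust interface")
    problems += [f"{k} differs between the peers" for k in ("psk", "esp_auth", "esp_enc")
                 if a.get(k) != b.get(k)]
    if (a.get("src"), a.get("dst")) != (b.get("dst"), b.get("src")):
        problems.append("protected flows (ACL 3000) are not mirror images of each other")
    return problems

def weak_algorithms(f):
    """Proposal algorithms that no longer meet current guidance (here DES and MD5)."""
    return sorted(v for k, v in f.items() if k.startswith("esp_") and v in WEAK)
```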

3. Configure the ISP router

system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 192.13.2.2 24
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 131.108.5.1 24
[ISP-GigabitEthernet0/0/1]quit
[ISP]ip route-static 10.1.1.0 24 192.13.2.1
[ISP]ip route-static 10.1.3.0 24 131.108.5.2

4. Verify the result

  • USGA
display ike sa
11:14:05 2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40001      131.108.5.2             RD|ST         v2:2  public
1          131.108.5.2             RD|ST         v2:1  public

flag meaning
RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING  TO--TIMEOUT
TD--DELETING   NEG--NEGOTIATING  D--DPD

display ipsec sa
11:14:12 2019/03/17
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40001
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 0m 16s
    tunnel local : 192.13.2.1
    tunnel remote: 131.108.5.2
    flow      source: 10.1.1.0-10.1.1.255 0-65535 0
    flow destination: 10.1.3.0-10.1.3.255 0-65535 0

    [inbound ESP SAs]
      spi: 2200317640 (0x83262ec8)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436680/3584
      max received sequence-number: 2
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2376952271 (0x8dad69cf)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436620/3584
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: N
  • USGB
[USGB]display ike sa
11:15:32 2019/03/17
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40001      192.13.2.1              RD            v2:2  public
1          192.13.2.1              RD            v2:1  public

flag meaning
RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING  TO--TIMEOUT
TD--DELETING   NEG--NEGOTIATING  D--DPD

[USGB]display ipsec sa
11:15:37 2019/03/17
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40001
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 40s
    tunnel local : 131.108.5.2
    tunnel remote: 192.13.2.1
    flow      source: 10.1.3.0-10.1.3.255 0-65535 0
    flow destination: 10.1.1.0-10.1.1.255 0-65535 0

    [inbound ESP SAs]
      spi: 2376952271 (0x8dad69cf)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436620/3500
      max received sequence-number: 3
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2200317640 (0x83262ec8)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436680/3500
      max sent sequence-number: 3
      udp encapsulation used for nat traversal: N
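As an added example that is not from the original article, this Python parser reads abbreviated `display ipsec sa` output from both firewalls and confirms what a healthy tunnel must show: the inbound SPI on one end equals the outbound SPI on the other, and the tunnel endpoints, protected flows and proposals are mirror images. The sample outputs are constructed from the values displayed above.

```python
import re

# Constructed, abbreviated `display ipsec sa` output from each firewall, carrying the
# values shown in the article (interface, policy and key-duration lines omitted).
USGA_SA = """\
    tunnel local : 192.13.2.1
    tunnel remote: 131.108.5.2
    flow      source: 10.1.1.0-10.1.1.255 0-65535 0
    flow destination: 10.1.3.0-10.1.3.255 0-65535 0
    [inbound ESP SAs]
      spi: 2200317640 (0x83262ec8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    [outbound ESP SAs]
      spi: 2376952271 (0x8dad69cf)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5"""
USGB_SA = """\
    tunnel local : 131.108.5.2
    tunnel remote: 192.13.2.1
    flow      source: 10.1.3.0-10.1.3.255 0-65535 0
    flow destination: 10.1.1.0-10.1.1.255 0-65535 0
    [inbound ESP SAs]
      spi: 2376952271 (0x8dad69cf)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    [outbound ESP SAs]
      spi: 2200317640 (0x83262ec8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5"""

# Pairs of fields that must be mirror images between the two ends of the tunnel.
PAIRS = [("tunnel_local", "tunnel_remote"), ("flow_source", "flow_destination"),
         ("inbound_spi", "outbound_spi"), ("inbound_proposal", "outbound_proposal")]

def parse_sa(text):
    """Collect endpoint, flow, SPI and proposal fields from one display output."""
    sa, direction = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"\[(inbound|outbound) ESP SAs\]", line):
            direction = m.group(1)  # the spi/proposal lines that follow belong to this SA
        elif m := re.match(r"tunnel (local|remote)\s*:\s*(\S+)", line):
            sa["tunnel_" + m.group(1)] = m.group(2)
        elif m := re.match(r"flow\s+(source|destination):\s*(\S+)", line):
            sa["flow_" + m.group(1)] = m.group(2)
        elif direction and (m := re.match(r"spi:\s*(\d+)", line)):
            sa[direction + "_spi"] = int(m.group(1))
        elif direction and (m := re.match(r"proposal:\s*(.+)", line)):
            sa[direction + "_proposal"] = m.group(1)
    return sa

def cross_check(a, b):
    """Return the fields on A whose mirror field on B disagrees (empty list = healthy)."""
    return [k for x, y in PAIRS for k, m in ((x, y), (y, x)) if a.get(k) != b.get(m)]
```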


Reposted from: http://jfuqi.baihongyu.com/
