本文共 8097 字,大约阅读时间需要 26 分钟。
如图所示,网络A和网络B分别通过USG5300 A和USG5300 B与Internet相连。网络环境描述如下:
网络A属于10.1.1.0/24子网,通过接口GigabitEthernet 0/0/0与USG5300 A连接。 网络B属于10.1.3.0/24子网,通过接口GigabitEthernet 0/0/0与USG5300 B连接。 USG5300 A和USG5300 B路由可达。Network A 可以ping通Network B[SRG]sysname USGA[USGA]interface GigabitEthernet 0/0/0[USGA-GigabitEthernet0/0/0]ip address 10.1.1.1 24[USGA-GigabitEthernet0/0/0]quit[USGA]interface GigabitEthernet 0/0/1[USGA-GigabitEthernet0/0/1]ip address 192.13.2.1 24[USGA-GigabitEthernet0/0/1]quit
[USGA]firewall zone trust[USGA-zone-trust]add interface GigabitEthernet 0/0/0[USGA-zone-trust]quit [USGA]firewall zone untrust[USGA-zone-untrust]add interface GigabitEthernet 0/0/1[USGA-zone-untrust]quit
[USGA]firewall packet-filter default permit interzone trust untrust[USGA]firewall packet-filter default permit interzone untrust local
既可以打开Trust域和Untrust域的域间缺省包过滤规则,也可以通过ACL定义包过滤规则。
配置Local域和Untrust域的域间缺省包过滤规则的目的为允许IPSec隧道两端设备通信,使其能够进行隧道协商。[USGA]ip route-static 0.0.0.0 0.0.0.0 192.13.2.2
[USGA-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
为了实现分支的互通,高级ACL的源地址(Source)定义为包括总部和分支的所有网段,目的地址(Destination)定义为各个分支的精确网段。
[USGA]ipsec proposal tran1[USGA-ipsec-proposal-tran1]encapsulation-mode tunnel[USGA-ipsec-proposal-tran1]transform esp[USGA-ipsec-proposal-tran1]esp authentication-algorithm md5[USGA-ipsec-proposal-tran1]esp encryption-algorithm des[USGA-ipsec-proposal-tran1]quit
其中,ESP为默认的安全协议,Tunnel为默认的封装模式,可以不配置。MD5为ESP默认的认证算法,DES为ESP默认的加密算法,可以不配置。
[USGA]ike proposal 10[USGA-ike-proposal-10]authentication-method pre-share[USGA-ike-proposal-10]authentication-algorithm sha1[USGA-ike-proposal-10]quit
pre-shared-key验证方法为IKE默认的验证方法,SHA1为默认验证算法,可以不配置。
[USGA]ike peer b[USGA-ike-peer-b]ike-proposal 10[USGA-ike-peer-b]remote-address 131.108.5.2[USGA-ike-peer-b]pre-shared-key abcde[USGA-ike-peer-b]quit
USG5300同时开启IKEv1和IKEv2,缺省情况下采用IKEv2进行协商,若对端不支持IKEv2,请禁用IKEv2,采用IKEv1进行协商。请在IKE Peer视图下执行命令[ undo ] version { 1 | 2 }进行配置。
隧道对端IP地址分别为USG5300 B与Internet相连的接口的IP地址。 验证字的配置需要与对端设备相同[USGA]ipsec policy map1 10 isakmp[USGA-ipsec-policy-isakmp-map1-10]security acl 3000[USGA-ipsec-policy-isakmp-map1-10]proposal tran1[USGA-ipsec-policy-isakmp-map1-10]ike-peer b[USGA-ipsec-policy-isakmp-map1-10]quit
在接口G0/0/1上应用安全策略组map1
[USGA]interface GigabitEthernet 0/0/1[USGA-GigabitEthernet0/0/1]ipsec policy map1[USGA-GigabitEthernet0/0/1]quit
[SRG]sysname USGB[USGB]interface GigabitEthernet 0/0/0[USGB-GigabitEthernet0/0/0]ip address 10.1.3.1 24[USGB-GigabitEthernet0/0/0]quit[USGB]interface GigabitEthernet 0/0/1[USGB-GigabitEthernet0/0/1]ip address 131.108.5.2 24[USGB-GigabitEthernet0/0/1]quit
[USGB]firewall zone trust[USGB-zone-trust]add interface GigabitEthernet 0/0/0[USGB-zone-trust]quit[USGB]firewall zone untrust[USGB-zone-untrust]add interface GigabitEthernet 0/0/1[USGB-zone-untrust]quit
[USGB]firewall packet-filter default permit interzone trust untrust[USGB]firewall packet-filter default permit interzone untrust local
[USGB]ip route-static 0.0.0.0 0.0.0.0 131.108.5.1
[USGB-acl-adv-3000]rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USGB]ipsec proposal tran1[USGB-ipsec-proposal-tran1]encapsulation-mode tunnel[USGB-ipsec-proposal-tran1]transform esp[USGB-ipsec-proposal-tran1]esp authentication-algorithm md5[USGB-ipsec-proposal-tran1]esp encryption-algorithm des[USGB-ipsec-proposal-tran1]quit
[USGB]ike proposal 10[USGB-ike-proposal-10]authentication-method pre-share[USGB-ike-proposal-10]authentication-algorithm sha1[USGB-ike-proposal-10]quit
[USGB]ike peer a[USGB-ike-peer-a]ike-proposal 10[USGB-ike-peer-a]remote-address 192.13.2.1[USGB-ike-peer-a]pre-shared-key abcde[USGB-ike-peer-a]quit
[USGB]ipsec policy map1 10 isakmp[USGB-ipsec-policy-isakmp-map1-10]security acl 3000[USGB-ipsec-policy-isakmp-map1-10]proposal tran1 [USGB-ipsec-policy-isakmp-map1-10]ike-peer a [USGB-ipsec-policy-isakmp-map1-10]quit
[USGB]interface GigabitEthernet 0/0/1[USGB-GigabitEthernet0/0/1]ipsec policy map1[USGB-GigabitEthernet0/0/1]quit
system-view[Huawei]sysname ISP[ISP]interface GigabitEthernet 0/0/0[ISP-GigabitEthernet0/0/0]ip address 192.13.2.2 24[ISP-GigabitEthernet0/0/0]quit[ISP]interface GigabitEthernet 0/0/1[ISP-GigabitEthernet0/0/1]ip address 131.108.5.1 24[ISP-GigabitEthernet0/0/1]quit[ISP]ip route-static 10.1.1.0 24 192.13.2.1[ISP]ip route-static 10.1.3.0 24 131.108.5.2
display ike sa11:14:05 2019/03/17current ike sa number: 2-----------------------------------------------------------------------------conn-id peer flag phase vpn-----------------------------------------------------------------------------40001 131.108.5.2 RD|ST v2:2 public1 131.108.5.2 RD|ST v2:1 public flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD display ipsec sa 11:14:12 2019/03/17===============================Interface: GigabitEthernet0/0/1 path MTU: 1500=============================== ----------------------------- IPsec policy name: "map1" sequence number: 10 mode: isakmp vpn: public ----------------------------- connection id: 40001 rule number: 5 encapsulation mode: tunnel holding time: 0d 0h 0m 16s tunnel local : 192.13.2.1 tunnel remote: 131.108.5.2 flow source: 10.1.1.0-10.1.1.255 0-65535 0 flow destination: 10.1.3.0-10.1.3.255 0-65535 0 [inbound ESP SAs] spi: 2200317640 (0x83262ec8) vpn: public said: 0 cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436680/3584 max received sequence-number: 2 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 2376952271 (0x8dad69cf) vpn: public said: 1 cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436620/3584 max sent sequence-number: 4 udp encapsulation used for nat traversal: N
[USGB]display ike sa 11:15:32 2019/03/17current ike sa number: 2-----------------------------------------------------------------------------conn-id peer flag phase vpn-----------------------------------------------------------------------------40001 192.13.2.1 RD v2:2 public1 192.13.2.1 RD v2:1 public flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD [USGB]display ipsec sa 11:15:37 2019/03/17===============================Interface: GigabitEthernet0/0/1 path MTU: 1500=============================== ----------------------------- IPsec policy name: "map1" sequence number: 10 mode: isakmp vpn: public ----------------------------- connection id: 40001 rule number: 5 encapsulation mode: tunnel holding time: 0d 0h 1m 40s tunnel local : 131.108.5.2 tunnel remote: 192.13.2.1 flow source: 10.1.3.0-10.1.3.255 0-65535 0 flow destination: 10.1.1.0-10.1.1.255 0-65535 0 [inbound ESP SAs] spi: 2376952271 (0x8dad69cf) vpn: public said: 0 cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436620/3500 max received sequence-number: 3 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 2200317640 (0x83262ec8) vpn: public said: 1 cpuid: 0x0000 proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436680/3500 max sent sequence-number: 3 udp encapsulation used for nat traversal: N
转载地址:http://jfuqi.baihongyu.com/