Configuring an IPSec VPN on the USG2000 where the branch office connects via ADSL

Establishing a point-to-point IPSec tunnel between the headquarters gateway and the branch gateway

Set up an IPSec VPN between the headquarters gateway and the branch gateway so that the two sites can reach each other. The headquarters gateway has a fixed IP address and reaches the Internet through NAT. The branch obtains its IP address over ADSL, and the address is different each time it dials up.

Networking requirements

As shown in Figure 1, USG_A connects the headquarters (HQ) and USG_B connects the branch office (Branch). USG_A has a fixed IP address, and the headquarters reaches the Internet through NAT; the branch goes online through an ADSL interface, so its IP address is not fixed. Devices on the branch LAN obtain their IP addresses via DHCP from the USG_B interface.

The requirement is to configure IKE to negotiate and set up the IPSec tunnel automatically, so that the branch and headquarters can access each other.

Figure 1: Network diagram, branch accessing headquarters by domain name (ADSL dial-up)

Configuration roadmap

Based on the networking requirements, the configuration roadmap is as follows:

  1. Configure an ADSL interface on the branch device so that it can reach the Internet.

  2. On both tunnel endpoints, use NAT policies to distinguish Internet traffic from IPSec traffic, and apply NAT only to the Internet traffic.

  3. At headquarters, configure IPSec in template mode so that it can respond to multiple branches; at the branch, configure IPSec in non-template mode.

  4. For the branch to access headquarters, enable domain name resolution and a DDNS policy on USG_B, so that the address it obtains is bound to its domain name on the network's DNS server and kept up to date.

Procedure

  1. Configure USG_A

    # Configure interface GigabitEthernet 0/0/1.
    <USG_A> system-view
    [USG_A] interface GigabitEthernet 0/0/1
    [USG_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
    [USG_A-GigabitEthernet0/0/1] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [USG_A] firewall zone trust
    [USG_A-zone-trust] add interface GigabitEthernet 0/0/1
    [USG_A-zone-trust] quit

    # Configure interface GigabitEthernet 0/0/2 (still in the system view, so system-view is not entered again).

    [USG_A] interface GigabitEthernet 0/0/2
    [USG_A-GigabitEthernet0/0/2] ip address 202.10.12.1 24
    [USG_A-GigabitEthernet0/0/2] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [USG_A] firewall zone untrust
    [USG_A-zone-untrust] add interface GigabitEthernet 0/0/2
    [USG_A-zone-untrust] quit

    # Configure interzone packet filtering between Trust and Untrust.

    [USG_A] policy interzone trust untrust inbound
    [USG_A-policy-interzone-trust-untrust-inbound] policy 1
    [USG_A-policy-interzone-trust-untrust-inbound-1] policy source 10.1.3.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.1.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-inbound-1] action permit
    [USG_A-policy-interzone-trust-untrust-inbound-1] quit
    [USG_A-policy-interzone-trust-untrust-inbound] quit
    [USG_A] policy interzone trust untrust outbound
    [USG_A-policy-interzone-trust-untrust-outbound] policy 1
    [USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-outbound-1] action permit
    [USG_A-policy-interzone-trust-untrust-outbound-1] quit
    [USG_A-policy-interzone-trust-untrust-outbound] quit
    

    # Configure interzone packet filtering between Local and Untrust.

    [USG_A] policy interzone local untrust inbound
    [USG_A-policy-interzone-local-untrust-inbound] policy 1
    [USG_A-policy-interzone-local-untrust-inbound-1] action permit
    [USG_A-policy-interzone-local-untrust-inbound-1] quit
    [USG_A-policy-interzone-local-untrust-inbound] quit
    [USG_A] policy interzone local untrust outbound
    [USG_A-policy-interzone-local-untrust-outbound] policy 1
    [USG_A-policy-interzone-local-untrust-outbound-1] policy source 202.10.12.0 0.0.0.255
    [USG_A-policy-interzone-local-untrust-outbound-1] action permit
    [USG_A-policy-interzone-local-untrust-outbound-1] quit
    [USG_A-policy-interzone-local-untrust-outbound] quit
    

    # Configure a default route, assuming the next hop is 202.10.12.2.

    [USG_A] ip route-static 0.0.0.0 0 202.10.12.2

    # Configure an ACL that matches the IPSec traffic (the branch subnet 10.1.3.0/24, written with its network address).

    [USG_A] acl 3001
    [USG_A-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    [USG_A-acl-adv-3001] quit

    # Configure an IPSec proposal, using the default parameters.

    [USG_A] ipsec proposal 1
    [USG_A-ipsec-proposal-1] quit

    # Configure an IKE proposal, using the default parameters.

    [USG_A] ike proposal 1
    [USG_A-ike-proposal-1] quit

    # Configure the IKE peer.

    [USG_A] ike peer 1
    [USG_A-ike-peer-1] exchange-mode aggressive
    [USG_A-ike-peer-1] ike-proposal 1
    [USG_A-ike-peer-1] local-id-type ip
    [USG_A-ike-peer-1] remote-domain www.adsl.3322.org
    [USG_A-ike-peer-1] pre-shared-key abcde
    [USG_A-ike-peer-1] quit
    

    # Configure the IPSec policy map.

    [USG_A] ipsec policy map 1 isakmp
    [USG_A-ipsec-policy-isakmp-map-1] security acl 3001
    [USG_A-ipsec-policy-isakmp-map-1] proposal 1
    [USG_A-ipsec-policy-isakmp-map-1] ike-peer 1
    [USG_A-ipsec-policy-isakmp-map-1] quit
    

    # Apply the IPSec policy map to the interface.

    [USG_A] interface GigabitEthernet 0/0/2
    [USG_A-GigabitEthernet0/0/2] ipsec policy map
    [USG_A-GigabitEthernet0/0/2] quit
    

    # Configure NAT: translate Internet traffic, but do not translate IPSec traffic.
    # Policy 1 (no-nat) must precede policy 2 (source-nat); policies are matched in order.

    [USG_A] nat-policy interzone trust untrust outbound
    [USG_A-nat-policy-interzone-trust-untrust-outbound] policy 1
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] quit
    [USG_A-nat-policy-interzone-trust-untrust-outbound] policy 2
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] policy source 10.1.1.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet 0/0/2
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] quit
    [USG_A-nat-policy-interzone-trust-untrust-outbound] quit


  2. Configure USG_B

    # Configure interface GigabitEthernet 0/0/1 and enable DHCP so that LAN users are assigned IP addresses automatically.

    <USG_B> system-view
    [USG_B] interface GigabitEthernet 0/0/1
    [USG_B-GigabitEthernet0/0/1] ip address 10.1.3.1 24
    [USG_B-GigabitEthernet0/0/1] dhcp select interface
    [USG_B-GigabitEthernet0/0/1] quit

    # Configure the ADSL interface for Internet access.

    [USG_B] dialer-rule 10 ip permit
    [USG_B] interface Dialer 1
    [USG_B-Dialer1] dialer user adsluser
    [USG_B-Dialer1] dialer bundle 5
    [USG_B-Dialer1] dialer-group 10
    [USG_B-Dialer1] ip address ppp-negotiate
    [USG_B-Dialer1] ppp pap local-user adsluser password cipher Admin@123
    [USG_B-Dialer1] ppp chap user adsluser
    [USG_B-Dialer1] ppp chap password cipher Admin@123
    [USG_B-Dialer1] quit
    [USG_B] firewall zone untrust
    [USG_B-zone-untrust] add interface Dialer 1
    [USG_B-zone-untrust] quit
    [USG_B] interface Atm 2/0/0
    [USG_B-Atm2/0/0] pppoe-client dial-bundle-number 5
    [USG_B-Atm2/0/0] quit
    

    # Configure interzone packet filtering between Trust and Untrust.

    [USG_B] policy interzone trust untrust inbound
    [USG_B-policy-interzone-trust-untrust-inbound] policy 1
    [USG_B-policy-interzone-trust-untrust-inbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-inbound-1] action permit
    [USG_B-policy-interzone-trust-untrust-inbound-1] quit
    [USG_B-policy-interzone-trust-untrust-inbound] quit
    [USG_B] policy interzone trust untrust outbound
    [USG_B-policy-interzone-trust-untrust-outbound] policy 1
    [USG_B-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.1.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-outbound-1] action permit
    [USG_B-policy-interzone-trust-untrust-outbound-1] quit
    [USG_B-policy-interzone-trust-untrust-outbound] quit
    

    # Configure interzone packet filtering between Local and Untrust.

    [USG_B] policy interzone local untrust inbound
    [USG_B-policy-interzone-local-untrust-inbound] policy 1
    [USG_B-policy-interzone-local-untrust-inbound-1] policy source 202.10.12.0 0.0.0.255
    [USG_B-policy-interzone-local-untrust-inbound-1] action permit
    [USG_B-policy-interzone-local-untrust-inbound-1] quit
    [USG_B-policy-interzone-local-untrust-inbound] quit
    [USG_B] policy interzone local untrust outbound
    [USG_B-policy-interzone-local-untrust-outbound] policy 1
    [USG_B-policy-interzone-local-untrust-outbound-1] action permit
    [USG_B-policy-interzone-local-untrust-outbound-1] quit
    [USG_B-policy-interzone-local-untrust-outbound] quit
    

    # Configure a default route.

    [USG_B] ip route-static 0.0.0.0 0 Dialer1

    # Configure an ACL that matches the IPSec traffic (the mirror image of ACL 3001 on USG_A).

    [USG_B] acl 3001
    [USG_B-acl-adv-3001] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [USG_B-acl-adv-3001] quit

    # Configure IPSec proposal 1, using the default parameters.

    [USG_B] ipsec proposal 1
    [USG_B-ipsec-proposal-1] quit

    # Configure an IKE proposal, using the default parameters.

    [USG_B] ike proposal 1
    [USG_B-ike-proposal-1] quit
    

    # Configure the IKE peer.

    [USG_B] ike peer 1
    [USG_B-ike-peer-1] exchange-mode aggressive
    [USG_B-ike-peer-1] ike-proposal 1
    [USG_B-ike-peer-1] remote-address 202.10.12.1
    [USG_B-ike-peer-1] pre-shared-key abcde
    [USG_B-ike-peer-1] quit

    # Configure the IPSec policy.

    [USG_B] ipsec policy map 1 isakmp
    [USG_B-ipsec-policy-isakmp-map-1] security acl 3001
    [USG_B-ipsec-policy-isakmp-map-1] proposal 1
    [USG_B-ipsec-policy-isakmp-map-1] ike-peer 1
    [USG_B-ipsec-policy-isakmp-map-1] quit

    # Apply the IPSec policy on interface Dialer1.

    [USG_B] interface Dialer 1
    [USG_B-Dialer1] ipsec policy map
    [USG_B-Dialer1] quit

    # Enable domain name resolution so that USG_B can reach the DDNS server by domain name.

    [USG_B] dns resolve
    [USG_B] dns server 200.1.1.1

    # Apply for DDNS service from a DDNS service provider.

    Contact the DDNS service provider and follow its instructions. Assume the chosen provider is www.3322.org, the username and password obtained are both abc123, and the DDNS client's domain name is www.adsl.3322.org.

    # Configure the DDNS policy.

    [USG_B] ddns policy abc
    [USG_B-ddns-policy-abc] ddns client www.adsl.3322.org
    [USG_B-ddns-policy-abc] ddns server www.3322.org
    [USG_B-ddns-policy-abc] ddns username abc123 password abc123
    [USG_B-ddns-policy-abc] quit

    # Apply the DDNS policy.

    [USG_B] ddns client enable
    [USG_B] interface Dialer 1
    [USG_B-Dialer1] ddns apply policy abc
    [USG_B-Dialer1] quit
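
Roadmap step 2 and the nat-policy in step 1 depend on the no-nat rule for the branch subnet being matched before the easy-ip rule: traffic that has already been source-translated to 202.10.12.1 no longer matches ACL 3001 and would leave GigabitEthernet 0/0/2 unencrypted. The Python model below is an added example, not code from the article or from Huawei; it re-types the USG_A NAT policy and both security ACLs, checks that property with the policy order as configured and with the no-nat rule missing, and checks that the two ACLs are mirror images. First-match evaluation and the article's premise that NAT is applied before the IPSec ACL is consulted are simplifying assumptions, and the host addresses 10.1.1.10, 10.1.3.20 and 198.51.100.7 are constructed.

```python
"""Model of how the USG_A NAT policy and IPSec security ACL interact.

Added example, not part of the original article or of Huawei's software.
Addresses and policies are re-typed from the USG_A/USG_B configuration above;
first-match evaluation and "NAT before the IPSec ACL check" are simplified assumptions.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL-style match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def rule_matches(rule: dict, src: str, dst: str) -> bool:
    """A rule without 'source' or 'destination' matches any address in that field."""
    s, d = rule.get("source"), rule.get("destination")
    return (s is None or wildcard_match(src, *s)) and (d is None or wildcard_match(dst, *d))

def apply_nat_policy(policies: list, src: str, dst: str, egress_ip: str) -> str:
    """Source address after the first matching policy: 'source-nat' with easy-ip
    becomes the egress interface address, 'no-nat' keeps the original address."""
    for p in policies:
        if rule_matches(p, src, dst):
            return egress_ip if p["action"] == "source-nat" else src
    return src  # no policy matched: no translation

def protected_by_ipsec(nat_policies: list, acl: list, src: str, dst: str, egress_ip: str) -> bool:
    """Outbound traffic is encrypted only if it still matches the security ACL after NAT."""
    post_nat_src = apply_nat_policy(nat_policies, src, dst, egress_ip)
    return any(rule_matches(r, post_nat_src, dst) for r in acl)

def acls_are_mirrored(acl_a: list, acl_b: list) -> bool:
    """The security ACLs on the two IKE peers must be mirror images of each other."""
    fwd = sorted((r.get("source"), r.get("destination")) for r in acl_a)
    rev = sorted((r.get("destination"), r.get("source")) for r in acl_b)
    return fwd == rev


# USG_A nat-policy trust->untrust outbound, in the order the article configures it
USG_A_NAT = [
    {"source": ("10.1.1.0", "0.0.0.255"), "destination": ("10.1.3.0", "0.0.0.255"),
     "action": "no-nat"},                                           # policy 1
    {"source": ("10.1.1.0", "0.0.0.255"), "action": "source-nat"},  # policy 2 (easy-ip)
]
USG_A_ACL3001 = [{"source": ("10.1.1.0", "0.0.0.255"), "destination": ("10.1.3.0", "0.0.0.255")}]
USG_B_ACL3001 = [{"source": ("10.1.3.0", "0.0.0.255"), "destination": ("10.1.1.0", "0.0.0.255")}]
HQ_EGRESS = "202.10.12.1"  # GigabitEthernet 0/0/2 on USG_A

if __name__ == "__main__":
    # Constructed sample hosts: an HQ client talking to a branch client
    good = protected_by_ipsec(USG_A_NAT, USG_A_ACL3001, "10.1.1.10", "10.1.3.20", HQ_EGRESS)
    # Same flow with the no-nat policy missing: easy-ip rewrites the source, so the
    # packet no longer matches ACL 3001 and would leave GE0/0/2 in the clear
    bad = protected_by_ipsec(USG_A_NAT[1:], USG_A_ACL3001, "10.1.1.10", "10.1.3.20", HQ_EGRESS)
    print(f"with no-nat first: encrypted={good}; without no-nat: encrypted={bad}")
    print("ACL 3001 on USG_A and USG_B are mirror images:", acls_are_mirrored(USG_A_ACL3001, USG_B_ACL3001))
```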


Configuration scripts

USG_A configuration script

#
 ike local-name client
#
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-domain www.adsl.3322.org
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 202.10.12.1 255.255.255.0
 ipsec policy map
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 202.10.12.2
#
policy interzone local untrust inbound
 policy 1
  action permit
#
policy interzone local untrust outbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
nat-policy interzone trust untrust outbound
 policy 1
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
  action no-nat
 policy 2
  policy source 10.1.1.0 0.0.0.255
  action source-nat
  easy-ip GigabitEthernet 0/0/2
#
return

USG_B configuration script

#
 dialer-rule 10 ip permit
#
 dns resolve
 dns server 200.1.1.1
#
 ddns client enable
#
acl number 3001
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-address 202.10.12.1
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface Dialer1
 link-protocol ppp
 ppp chap user adsluser
 ppp chap password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ppp pap local-user adsluser password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ip address ppp-negotiate
 dialer user adsluser
 dialer-group 10
 dialer bundle 5
 ipsec policy map
 ddns apply policy abc
#
interface GigabitEthernet0/0/1
 ip address 10.1.3.1 255.255.255.0
 dhcp select interface
#
interface Atm2/0/0
 pppoe-client dial-bundle-number 5
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface Dialer1
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
ddns policy abc
 ddns username abc123 password %$%$F\seVlS7YVU8DT"wpee,kYPG%$%$
 ddns client www.adsl.3322.org
 ddns server www.3322.org
 ddns apply policy Dialer1
#
policy interzone local untrust inbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone local untrust outbound
 policy 1
  action permit
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
return