Multi-vendor VPN Series, Part 15: IPSec VPN Lab on Huawei USG Firewalls [Can Be Done in the Emulator]

Topology

[Topology diagram: image001.png]

This lab shows how to build an IPSec tunnel when the egress gateways of headquarters and a branch office are themselves NAT devices, so that headquarters and the branch can reach each other while both can still access the public network.

1. The router provides IP reachability between FW1 and FW2; its configuration is as follows:

interface GigabitEthernet0/0/0
ip address 220.163.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.1 255.255.255.0

2. FW1 configuration:

(1) Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0


(2) Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1

(3) Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all

(4) Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.100.1

(5) Define the traffic to be protected.
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

(6) Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes

(7) Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1

(8) Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.200.2

(9) Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1

(10) Apply IPSec policy map1 to interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.100.2 255.255.255.0
ipsec policy map1

(11) Configure NAT. Define the traffic to be NATed: first exempt (deny) the traffic that needs IPSec encryption, then define the traffic to be NATed. The exempted traffic must match the IPSec-protected traffic exactly.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.10.0 0.0.0.255
policy destination 192.168.20.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1

3. FW2 configuration:

(1) Configure the interface IP addresses.
interface GigabitEthernet0/0/0
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0


(2) Add the interfaces to their security zones.
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1

(3) Enable inter-zone packet filtering. For convenience in this lab all inter-zone traffic is permitted; in production, open only the inter-zone policies that are actually required.
firewall packet-filter default permit all

(4) Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 220.163.200.1

(5) Define the traffic to be protected.
acl number 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

(6) Configure the IPSec proposal tran1.
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes

(7) Configure the IKE proposal.
ike proposal 10
authentication-method pre-share
authentication-algorithm sha1

(8) Configure the IKE peer.
ike peer c
pre-shared-key ccieh3c.com
ike-proposal 10
remote-address 220.163.100.2

(9) Configure the IPSec policy.
ipsec policy map1 10 isakmp
security acl 3000
ike-peer c
proposal tran1

(10) Apply IPSec policy map1 to interface GigabitEthernet 0/0/1.
interface GigabitEthernet0/0/1
ip address 220.163.200.2 255.255.255.0
ipsec policy map1

(11) Configure NAT. Define the traffic to be NATed: first exempt (deny) the traffic that needs IPSec encryption, then define the traffic to be NATed. The exempted traffic must match the IPSec-protected traffic exactly.
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy source 192.168.20.0 0.0.0.255
policy destination 192.168.10.0 0.0.0.255
policy 2
action source-nat
easy-ip GigabitEthernet0/0/1
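Step (11) on FW1 and FW2 is the part most often got wrong: the no-nat policy must describe exactly the traffic that ACL 3000 protects, otherwise the source-NAT policy rewrites the branch-bound packets before IPSec policy matching and they leave in the clear instead of entering the tunnel. As an added example that is not part of the original post, the Python script below parses a USG ACL and nat-policy and reports any ACL flow that lacks an exactly matching no-nat policy; the config text is constructed from this lab's FW1 configuration, with a deliberately mistyped variant for comparison.

```python
import ipaddress
import re
# Constructed sample: FW1's ACL 3000 and nat-policy from this lab (the no-nat policy
# matches the ACL exactly), plus a mistyped variant whose no-nat destination does not.
FW1_CONFIG = """\
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
nat-policy interzone trust untrust outbound
 policy 1
  action no-nat
  policy source 192.168.10.0 0.0.0.255
  policy destination 192.168.20.0 0.0.0.255
 policy 2
  action source-nat
  easy-ip GigabitEthernet0/0/1
"""
BAD_CONFIG = FW1_CONFIG.replace("policy destination 192.168.20.0 0.0.0.255",
                                "policy destination 192.168.20.0 0.0.0.0")
ACL_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_net(addr, wildcard):
    """Huawei 'address wildcard' pair -> ip_network (wildcard 0.0.0.255 is a /24)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def acl_flows(config):  # (source, destination) networks of each permit rule in the ACL
    return {(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in ACL_RE.findall(config)}

def no_nat_flows(config):  # (source, destination) networks of each 'action no-nat' policy
    flows, action, src, dst = set(), None, None, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["policy"] and len(tok) == 2:  # 'policy N' opens a new policy block
            if action == "no-nat" and src is not None and dst is not None:
                flows.add((src, dst))
            action, src, dst = None, None, None
        elif tok[:1] == ["action"]:
            action = tok[1]
        elif tok[:2] == ["policy", "source"]:
            src = wildcard_net(tok[2], tok[3])
        elif tok[:2] == ["policy", "destination"]:
            dst = wildcard_net(tok[2], tok[3])
    if action == "no-nat" and src is not None and dst is not None:  # flush the last block
        flows.add((src, dst))
    return flows

def unprotected_flows(config):
    # ACL flows with no exactly matching no-nat policy: 'policy 2' would source-NAT them first.
    return acl_flows(config) - no_nat_flows(config)
```

Run `unprotected_flows()` over the real configuration of both firewalls; an empty set means every protected flow is exempted from NAT, and any flow it returns is one that will be NATed instead of encrypted.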

4. Verification

(1) The corresponding IKE SA can be seen on FW1.
dis ike sa
23:30:22 2014/03/19
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40001 220.163.200.2 RD|ST v2:2 public
1 220.163.200.2 RD|ST v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD

(2) The corresponding IKE SA can also be seen on FW2.
dis ike sa
23:31:10 2014/03/19
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40001 220.163.100.2 RD v2:2 public
1 220.163.100.2 RD v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD

(3) View the IPSec SA on FW1.
dis ipsec sa
23:33:03 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 23m 33s
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
flow source: 192.168.10.0-192.168.10.255 0-65535 0
flow destination: 192.168.20.0-192.168.20.255 0-65535 0
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277260/2187
max received sequence-number: 2659
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887277200/2187
max sent sequence-number: 2661
udp encapsulation used for nat traversal: N

(4) View the IPSec SA on FW2.
dis ipsec sa
23:34:06 2014/03/19
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 24m 36s
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
flow source: 192.168.20.0-192.168.20.255 0-65535 0
flow destination: 192.168.10.0-192.168.10.255 0-65535 0
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270000/2124
max received sequence-number: 2780
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887270060/2124
max sent sequence-number: 2780
udp encapsulation used for nat traversal: N
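The two `display ipsec sa` dumps in (3) and (4) are mirror images: FW1's inbound SPI 0x7f27428c is FW2's outbound SPI and vice versa, the tunnel endpoints are swapped, and NAT traversal shows N because the firewalls are the NAT devices themselves rather than sitting behind one. As an added example that is not part of the original post, the Python script below parses such dumps and checks that the two peers' SAs are paired; the dumps are constructed excerpts of the outputs shown here, plus a constructed stale copy for contrast.

```python
import re
# Constructed excerpts of the two 'display ipsec sa' outputs from this lab (SPIs copied
# from the dumps above) and a constructed "stale" FW2 dump whose outbound SPI no longer matches.
FW1_SA = """\
tunnel local : 220.163.100.2 tunnel remote: 220.163.200.2
[inbound ESP SAs]
spi: 2133279372 (0x7f27428c)
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
udp encapsulation used for nat traversal: N
"""
FW2_SA = """\
tunnel local : 220.163.200.2 tunnel remote: 220.163.100.2
[inbound ESP SAs]
spi: 3334597115 (0xc6c1e9fb)
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2133279372 (0x7f27428c)
udp encapsulation used for nat traversal: N
"""
STALE_FW2_SA = FW2_SA.replace("spi: 2133279372 (0x7f27428c)", "spi: 1 (0x00000001)")

SPI_RE = re.compile(r"spi: (\d+) \(0x([0-9a-f]{8})\)")
TUNNEL_RE = re.compile(r"tunnel local : (\S+) tunnel remote: (\S+)")

def parse_sa(output):
    """One ESP SA pair from a dump: {'local', 'remote', 'inbound', 'outbound', 'nat_t'}."""
    info, direction = {"nat_t": False}, None
    for line in output.splitlines():
        t = TUNNEL_RE.match(line)
        s = SPI_RE.match(line)
        if t:
            info["local"], info["remote"] = t.groups()
        elif line.startswith("[inbound"):
            direction = "inbound"
        elif line.startswith("[outbound"):
            direction = "outbound"
        elif s and direction:
            info[direction] = int(s.group(1))  # decimal SPI; the hex form is the same value
        elif line.startswith("udp encapsulation used for nat traversal: Y"):
            info["nat_t"] = True  # UDP 4500 encapsulation in use: a NAT sits between the peers
    return info

def sas_paired(local_dump, remote_dump):
    """True when each side's inbound SPI is the other side's outbound SPI and endpoints are swapped."""
    a, b = parse_sa(local_dump), parse_sa(remote_dump)
    return (a["inbound"] == b["outbound"] and a["outbound"] == b["inbound"]
            and (a["local"], a["remote"]) == (b["remote"], b["local"]))
```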

(5) Ping between the two PCs.
PC>ping 192.168.20.20
Ping 192.168.20.20: 32 data bytes, Press Ctrl_C to break
From 192.168.20.20: bytes=32 seq=1 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=2 ttl=126 time=31 ms
From 192.168.20.20: bytes=32 seq=3 ttl=126 time=32 ms
From 192.168.20.20: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.20.20: bytes=32 seq=5 ttl=126 time=94 ms
--- 192.168.20.20 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/53/94 ms

PC>ping 192.168.10.10
Ping 192.168.10.10: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: bytes=32 seq=1 ttl=126 time=32 ms
From 192.168.10.10: bytes=32 seq=2 ttl=126 time=62 ms
From 192.168.10.10: bytes=32 seq=3 ttl=126 time=63 ms
From 192.168.10.10: bytes=32 seq=4 ttl=126 time=47 ms
From 192.168.10.10: bytes=32 seq=5 ttl=126 time=62 ms
--- 192.168.10.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/53/63 ms

This article is reprinted from the WeChat official account 網絡之路博客.