IPSec配置模板方式配置思路（ipsec组网配置案例）

IPSec配置模板方式配置思路（ipsec组网配置案例）

配置模板方式配置思路

ike peer fw2 exchange-mode aggressive 修改模式为野蛮

其它部分同主模式注意： 野蛮模式也必须指定remote-address , 必须配置远端地址或者域名 华为不建议野蛮模式，推荐使用模板方式

[FW1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer fw2 Error: ike peer's remote addresses or domain name should be configed.

第一步：基本配置

FW1防火墙的配置

# sysname FW1 # interface GigabitEthernet0/0/0 ip address 202.1.1.1 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/0 ip address 192.168.1.254 255.255.255.0 service-manage ping permit # ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/0 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0 # security-policy default action permit #

FW2路由器的配置

# sysname FW2 # interface GigabitEthernet0/0/0 ip address 101.1.1.1 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/0 ip address 192.168.2.254 255.255.255.0 service-manage ping permit # ip route-static 0.0.0.0 0.0.0.0 101.1.1.254 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/0 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0 # security-policy default action permit #

internet的配置

# interface GigabitEthernet0/0/0 ip address 202.1.1.254 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 101.1.1.254 255.255.255.0 #

检查如下：检查FW1和PC1的通信

ping 192.168.1.1 PING 192.168.1.1: 56 data bytes, press CTRL_C to break Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms --- 192.168.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 40/50/60 ms

检查FW2和PC2的通信

[FW2]ping 192.168.2.2 PING 192.168.2.2: 56 data bytes, press CTRL_C to break Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms --- 192.168.2.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 32/46/53 ms

检查FW1和FW2的通信

ping 101.1.1.1 PING 101.1.1.1: 56 data bytes, press CTRL_C to break Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms --- 101.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 20/28/40 ms

检查PC1和PC2的通信

PC>ping 192.168.2.2 Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break Request timeout! Request timeout! Request timeout! Request timeout! Request timeout! --- 192.168.2.2 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss

第二步：IPSEC 阶段一配置

IKE安全提议

在FW1和FW2分别配置如下

ike proposal 10 注意：安全提议是有默认配置，可以修改 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 IKEv1中不用这个参数 IKEv2中使用这个参数 prf hmac-sha2-256 #

检查：

[FW1]display ike proposal 2020-03-14 14:25:22.420 Number of IKE Proposals: 2 ------------------------------------------- IKE Proposal: 10 Authentication Method : PRE_SHARED Authentication Algorithm : SHA2-256 Encryption Algorithm : AES-256 Diffie-Hellman Group : MODP-2048 SA Duration(Seconds) : 86400 Integrity Algorithm : HMAC-SHA2-256 Prf Algorithm : HMAC-SHA2-256 -------------------------------------------

配置IKE对等体（PEER）

FW1配置 注意: 模板方式不需要配置remote-address 也可以配置网段，也可以不配置

ike peer fw2 -----------取名 pre-shared-key Huawei@123---------------如果采用预共享方式，配置密钥 ike-proposal 10 -----------------------------调用安全提议 undo version 2-------------------------------关闭V2版本，默认就是V2版本

FW2配置

ike peer fw1 pre-shared-key Huawei@123 ike-proposal 10 undo version 2 remote-address 202.1.1.1

检查如下：

[FW1]display ike peer brief 2020-03-14 14:31:19.910 Current ike peer number: 1 --------------------------------------------------------------------------- Peer name Version Exchange-mode Proposal Id-type RemoteAddr --------------------------------------------------------------------------- fw2 v1 main 10 IP

第三步：IPSEC阶段二配置

配置感兴趣流（就是实际通信点）

FW1: acl number 3000 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 FW2 acl number 3000 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

注意：IKEV1感兴趣流要互为镜像，必须是相互匹配的，不是包含或者不一样的，都不能协商成功

IPSEC安全提议

在FW1和FW2配置

ipsec proposal 10 esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256

检查：

[FW1]display ipsec proposal 2020-03-14 14:33:58.850 Number of proposals: 1 IPSec proposal name: 10 Encapsulation mode: Tunnel Transform : esp-new ESP protocol : Authentication SHA2-HMAC-256 Encryption AES-256 [FW1]

配置IPSEC安全策略

FW1

# ipsec policy-template 10 10 第一个10是名称 第二个10是序号 security acl 3000-----------------------调用感兴趣流 ike-peer fw2---------------------------调用IKE PEER proposal 10---------------------------调用IPSEC安全 # ipsec policy ipsec_policy 10 isakmp template 10

FW2

ipsec policy ipsec_policy 10 isakmp 后面接isakmp的话是自动方式 security acl 3000 -----------------------调用感兴趣流 ike-peer fw1 ---------------------------调用IKE PEER alias ipsec_policy_10 proposal 10 ---------------------------调用IPSEC安全

物理接口调用

在FW1和FW2上配置

interface GigabitEthernet0/0/0 ipsec policy ipsec_policy

放行安全策略

FW1的配置

# security-policy rule name ipsec1 source-zone local destination-zone untrust source-address 202.1.1.0 mask 255.255.255.0 action permit rule name ipsec2 source-zone untrust destination-zone local destination-address 202.1.1.0 mask 255.255.255.0 action permit rule name ipsec3 source-zone trust destination-zone untrust source-address 192.168.1.0 mask 255.255.255.0 destination-address 192.168.2.0 mask 255.255.255.0 action permit rule name ipsec4 source-zone untrust destination-zone trust source-address 192.168.2.0 mask 255.255.255.0 destination-address 192.168.1.0 mask 255.255.255.0 action permit #

FW2的配置

# security-policy rule name ipsec1 source-zone local destination-zone untrust destination-address 202.1.1.0 mask 255.255.255.0 action permit rule name ipsec2 source-zone untrust destination-zone local source-address 202.1.1.0 mask 255.255.255.0 action permit rule name ipsec3 source-zone trust destination-zone untrust source-address 192.168.2.0 mask 255.255.255.0 destination-address 192.168.1.0 mask 255.255.255.0 action permit rule name ipsec4 source-zone untrust destination-zone trust source-address 192.168.1.0 mask 255.255.255.0 destination-address 192.168.2.0 mask 255.255.255.0 action permit #

测试如下

默认如果没有配置 auto-neg ，需要手动触发（触发感兴趣流）

[FW1]display ike sa 检查IKE SA,阶段一的问题 2020-03-14 14:46:10.170 IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID ------------------------------------------------------------------------------------------------------------------------------------ 2 101.1.1.1:500 RD|ST|A v1:2 IP 101.1.1.1 1 101.1.1.1:500 RD|ST|A v1:1 IP 101.1.1.1 Number of IKE SA : 2 -------------------------------------------------------------------------------------------- Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

查看IPsec SA信息

[FW1]display ipsec sa 2020-03-14 15:16:47.650 ipsec sa information: =============================== Interface: GigabitEthernet0/0/0 =============================== ----------------------------- IPSec policy name: "ipsec_policy" Sequence number : 10 Acl group : 3000 Acl rule : 5 Mode : Template ----------------------------- Connection ID : 2 Encapsulation mode: Tunnel Holding time : 0d 0h 11m 51s Tunnel local : 202.1.1.1:500 Tunnel remote : 101.1.1.1:500 Flow source : 192.168.1.0/255.255.255.0 0/0-65535 Flow destination : 192.168.2.0/255.255.255.0 0/0-65535 [Outbound ESP SAs] SPI: 190568358 (0xb5bd7a6) Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128 SA remaining key duration (kilobytes/sec): 10485760/2889 Max sent sequence-number: 7 UDP encapsulation used for NAT traversal: N SA encrypted packets (number/bytes): 6/360 [Inbound ESP SAs] SPI: 194468180 (0xb975954) Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128 SA remaining key duration (kilobytes/sec): 10485760/2889 Max received sequence-number: 1 UDP encapsulation used for NAT traversal: N SA decrypted packets (number/bytes): 4/240 Anti-replay : Enable Anti-replay window size: 1024 [FW1]

查看加密解密信息

[FW1]display ipsec statistics 2020-03-14 15:17:20.770 IPSec statistics information: Number of IPSec tunnels: 1 Number of standby IPSec tunnels: 0 the security packet statistics: input/output security packets: 4/6 input/output security bytes: 240/360 input/output dropped security packets: 0/5 the encrypt packet statistics: send chip: 6, recv chip: 6, send err: 0 local cpu: 6, other cpu: 0, recv other cpu: 0 intact packet: 6, first slice: 0, after slice: 0 the decrypt packet statistics: send chip: 4, recv chip: 4, send err: 0 local cpu: 4, other cpu: 0, recv other cpu: 0 reass first slice: 0, after slice: 0 dropped security packet detail: can not find SA: 0, wrong SA: 0 authentication: 0, replay: 0 front recheck: 0, after recheck: 0 change cpu enc: 0, dec change cpu: 0 fib search: 0, output l3: 0 flow err: 5, slice err: 0, byte limit: 0 slave drop: 0 negotiate about packet statistics: IKE fwd packet ok: 5, err: 0 IKE ctrl packet inbound ok: 5, outbound ok: 4 SoftExpr: 0, HardExpr: 0, DPDOper: 0 trigger ok: 0, switch sa: 1, sync sa: 0 recv IKE nat keepalive: 0, IKE input: 0 [FW1]

注意：如果对接华为路由器的话

ipsec proposal 10 esp authentication-algorithm sha1 --------注意路由器VS FW，ESP认证算法采用SHA1 esp encryption-algorithm aes-128

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。