Building a point-to-point IPSec VPN between headquarters and a branch office (pre-shared key authentication) (to ensure that a company's headquarters and its branch offices)

User submission 323 2022-10-08


Configuration roadmap

The configuration roadmaps of NGFW_A and NGFW_B are the same.

1. Configure IP addresses for the interfaces and add the interfaces to security zones.
2. Configure security policies.
3. Configure a route to the peer's private network.
4. Configure an IPSec policy, including the basic IPSec policy information, the data flow to be encrypted, and the negotiation parameters of the security proposals.

Procedure

• Configure NGFW_A (headquarters).

1. Configure interface IP addresses.

<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

2. Add the interfaces to the corresponding security zones.

[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_A.

[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_A.

[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit

4. Configure a route to the peer's private network. Assume that the IP address of the next-hop device from NGFW_A towards NGFW_B is 1.1.3.2.

[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2

5. Configure the IPSec tunnel on NGFW_A.

a. Configure an ACL to define the data flow to be protected.

[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit

b. Configure IKE proposal 10.

[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit

c. Configure the IKE peer.

[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit

d. Configure an IPSec proposal named tran1.

[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit

e. Configure IPSec policy group map1.

[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit

• Configure NGFW_B (branch).

1. Configure interface IP addresses.

<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

2. Add the interfaces to the corresponding security zones.

[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_B.

[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_B.

[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit

4. Configure a route to the peer's private network. Assume that the IP address of the next-hop device from NGFW_B towards NGFW_A is 1.1.5.2.

[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2

5. Configure the IPSec tunnel on NGFW_B.

a. Configure an ACL to define the data flow to be protected.

[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit

b. Configure IKE proposal 10.

[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit

c. Configure the IKE peer.

[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit

d. Configure an IPSec proposal named tran1.

[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit

e. Configure IPSec policy group map1.

[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit

Verification

1. After the configuration is complete, run the display ike sa command on NGFW_A to check whether the IKE SA has been established. The following output indicates that the IKE SA was established successfully.

[NGFW_A] display ike sa
current ike sa number: 2

conn-id    peer        flag        phase    vpn
3          1.1.5.1     RD|ST|A     v1:2     public
2          1.1.5.1     RD|ST|A     v1:1     public

flag meaning
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT  TD--DELETING
NEG--NEGOTIATING  D--DPD  M--ACTIVE  S--STANDBY  A--ALONE

2. Run the display ipsec sa command on NGFW_A to check whether the IPSec SA has been established. The following output indicates that the IPSec SA was established successfully.

[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
path MTU: 1500
===============================

IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0

connection id: 3
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 12s
tunnel local : 1.1.3.1
tunnel remote: 1.1.5.1
flow source: 10.1.1.0/255.255.255.0 0/0
flow destination: 10.1.2.0/255.255.255.0 0/0

[inbound ESP SAs]
spi: 3715780278 (0xdd7a4eb6)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max received sequence-number: 1
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 3312146193 (0xc56b5711)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max sent sequence-number: 1
udp encapsulation used for nat traversal: N

Configuration scripts

• Configuration script of NGFW_A (headquarters)

#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
 ike-proposal 10
 undo version 2
 remote-address 1.1.5.1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 alias map1_10
 proposal tran1
#
interface GigabitEthernet1/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1 auto-neg
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit

• Configuration script of NGFW_B (branch)

#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer a
 pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
 ike-proposal 10
 undo version 2
 remote-address 1.1.3.1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/3
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1 auto-neg
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
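The roadmap says both ends are configured symmetrically, and the two scripts above must mirror each other: each side's remote-address is the other side's tunnel interface address, the ACL flows are reversed, and the ESP proposal is identical. The following is an added example (not code from the page or from Huawei) that checks those three relationships over a constructed, condensed copy of the two scripts; the saved pre-shared key is ciphertext, so it is not compared.

```python
import re

# Constructed sample inputs: the NGFW_A and NGFW_B scripts above, reduced to the
# lines this check reads (the ciphertext pre-shared-key line is intentionally omitted).
CONFIG_A = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike peer b
 remote-address 1.1.5.1
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1 auto-neg
"""
CONFIG_B = """\
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ike peer a
 remote-address 1.1.3.1
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes
interface GigabitEthernet1/0/1
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1 auto-neg
"""

def parse(cfg):
    """Pull out the fields that must mirror between the two tunnel ends."""
    flow = re.search(r"rule (?:\d+ )?permit ip source (\S+) \S+ destination (\S+) \S+", cfg)
    peer = re.search(r"remote-address (\S+)", cfg)
    # Local tunnel endpoint: the interface whose next line applies 'ipsec policy'.
    local = re.search(r"ip address (\S+) \S+\n\s*ipsec policy", cfg)
    algos = sorted(re.findall(r"esp (\S+)-algorithm (\S+)", cfg))
    return {"src": flow.group(1), "dst": flow.group(2), "peer": peer.group(1),
            "local": local.group(1), "algos": algos}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two ends; an empty list means they mirror."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("IKE remote-address does not match the peer's tunnel interface address")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("ACL-protected flows are not mirror images of each other")
    if a["algos"] != b["algos"]:
        problems.append("ESP proposal algorithms differ between the two ends")
    return problems
```

Run check_pair on the two full scripts exported from each firewall; any string it returns names a mismatch that would leave the IKE or IPSec SA unestablished in the verification step.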

