
Establishing an IPSec Tunnel Between a Huawei Firewall and an H3C Security Gateway

鸿鹄论坛


Networking requirements

As shown in the networking diagram, the NGFW and the H3C SecPath M9006 serve as the enterprise gateways of the headquarters and the branch respectively, each connecting to the Internet. The enterprise needs an IPSec tunnel between the NGFW and the M9006 so that the headquarters and branch intranets can communicate securely.

Because the public egress addresses of both the NGFW and the M9006 are fixed, the IPSec tunnel can be set up in policy mode (an ISAKMP IPSec policy). In this mode either end can initiate the negotiation that establishes the tunnel.

Procedure

Step 1: Configure the NGFW.

1. Configure the interfaces and add them to security zones.

# Configure interface GE1/0/9 and add it to the untrust security zone.

<NGFW> system-view

[NGFW] interface GigabitEthernet 1/0/9

[NGFW-GigabitEthernet1/0/9] ip address 1.1.1.1 24

[NGFW-GigabitEthernet1/0/9] quit

[NGFW] firewall zone untrust

[NGFW-zone-untrust] add interface GigabitEthernet 1/0/9

[NGFW-zone-untrust] quit

# Configure interface GE1/0/5 and add it to the trust security zone.

[NGFW] interface GigabitEthernet 1/0/5

[NGFW-GigabitEthernet1/0/5] ip address 192.168.10.1 24

[NGFW-GigabitEthernet1/0/5] quit

[NGFW] firewall zone trust

[NGFW-zone-trust] add interface GigabitEthernet 1/0/5

[NGFW-zone-trust] quit

2. Configure security policies.

# Configure the security policies between the untrust and trust zones.

# Rule 1 allows the branch to reach the headquarters; rule 2 allows the headquarters to reach the branch.

[NGFW] security-policy

[NGFW-policy-security] rule name 1

[NGFW-policy-security-rule-1] source-zone untrust

[NGFW-policy-security-rule-1] destination-zone trust

[NGFW-policy-security-rule-1] source-address 192.168.0.0 24

[NGFW-policy-security-rule-1] destination-address 192.168.10.0 24

[NGFW-policy-security-rule-1] action permit

[NGFW-policy-security-rule-1] quit

[NGFW-policy-security] rule name 2

[NGFW-policy-security-rule-2] source-zone trust

[NGFW-policy-security-rule-2] destination-zone untrust

[NGFW-policy-security-rule-2] source-address 192.168.10.0 24

[NGFW-policy-security-rule-2] destination-address 192.168.0.0 24

[NGFW-policy-security-rule-2] action permit

[NGFW-policy-security-rule-2] quit

# Configure the security policies between the local and untrust zones.

# Rule 3 allows the NGFW to initiate the IPSec tunnel negotiation and rule 4 allows it to accept negotiation requests; the source and destination addresses are the public egress addresses of the two ends.

[NGFW-policy-security] rule name 3

[NGFW-policy-security-rule-3] source-zone local

[NGFW-policy-security-rule-3] destination-zone untrust

[NGFW-policy-security-rule-3] source-address 1.1.1.1 24

[NGFW-policy-security-rule-3] destination-address 2.2.2.2 24

[NGFW-policy-security-rule-3] action permit

[NGFW-policy-security-rule-3] quit

[NGFW-policy-security] rule name 4

[NGFW-policy-security-rule-4] source-zone untrust

[NGFW-policy-security-rule-4] destination-zone local

[NGFW-policy-security-rule-4] source-address 2.2.2.2 24

[NGFW-policy-security-rule-4] destination-address 1.1.1.1 24

[NGFW-policy-security-rule-4] action permit

[NGFW-policy-security-rule-4] quit

3. Configure routing.

# Configure a default route to the Internet, assuming the next hop is 1.1.1.2.

[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

4. Configure an ACL that defines the traffic to be protected.

# Packets from 192.168.10.0/24 to 192.168.0.0/24 must be carried over the IPSec tunnel.

[NGFW] acl 3000

[NGFW-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

[NGFW-acl-adv-3000] quit

5. Configure the IKE SA.

# Configure the IKE proposal: encryption algorithm, authentication algorithm and DH group. This example uses IKEv1, so no integrity algorithm needs to be configured.

[NGFW] ike proposal 1

[NGFW-ike-proposal-1] encryption-algorithm 3des

[NGFW-ike-proposal-1] authentication-algorithm sha1

[NGFW-ike-proposal-1] dh group2

[NGFW-ike-proposal-1] quit

# Configure the IKE peer: negotiation mode, IKE version, pre-shared key and remote IP address.

[NGFW] ike peer h3c

[NGFW-ike-peer-h3c] exchange-mode main

[NGFW-ike-peer-h3c] undo version 2

[NGFW-ike-peer-h3c] ike-proposal 1

[NGFW-ike-peer-h3c] pre-shared-key Key@123

[NGFW-ike-peer-h3c] remote-address 2.2.2.2

[NGFW-ike-peer-h3c] quit

6. Configure the IPSec proposal: encapsulation mode, security protocol, encryption algorithm and authentication algorithm.

[NGFW] ipsec proposal tran1

[NGFW-ipsec-proposal-tran1] transform esp

[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel

[NGFW-ipsec-proposal-tran1] esp encryption-algorithm 3des

[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha1

[NGFW-ipsec-proposal-tran1] quit

7. Configure an ISAKMP-mode IPSec policy that binds the IKE peer, the IPSec proposal and the ACL.

[NGFW] ipsec policy map1 1 isakmp

[NGFW-ipsec-policy-isakmp-map1-1] ike-peer h3c

[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1

[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000

[NGFW-ipsec-policy-isakmp-map1-1] quit

8. Apply the IPSec policy to the interface.

[NGFW] interface GigabitEthernet 1/0/9

[NGFW-GigabitEthernet1/0/9] ipsec policy map1

[NGFW-GigabitEthernet1/0/9] quit

Step 2: Configure the M9006.

1. Configure the interfaces and add them to security zones.

# Configure interface Ten-GigabitEthernet2/0/10 and add it to the Untrust security zone.

<H3C> system-view

[H3C] interface Ten-GigabitEthernet2/0/10

[H3C-Ten-GigabitEthernet2/0/10] port link-mode route

[H3C-Ten-GigabitEthernet2/0/10] ip address 2.2.2.2 255.255.255.0

[H3C-Ten-GigabitEthernet2/0/10] quit

[H3C] security-zone name Untrust

[H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10

[H3C-security-zone-Untrust] quit

# Configure interface Ten-GigabitEthernet2/0/9 and add it to the Trust security zone.

[H3C] interface Ten-GigabitEthernet2/0/9

[H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24

[H3C-Ten-GigabitEthernet2/0/9] quit

[H3C] security-zone name Trust

[H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9

[H3C-security-zone-Trust] quit

2. Configure security policies.

# Configure two address object groups, one for the headquarters network and one for the branch network.

[H3C] object-group ip address trust1

[H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24

[H3C-obj-grp-ip-trust1] quit

[H3C] object-group ip address untrust1

[H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24

[H3C-obj-grp-ip-untrust1] quit

# Configure the object policies.

[H3C] object-policy ip trust-untrust

[H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1

[H3C-object-policy-ip-trust-untrust] quit

[H3C] object-policy ip untrust-trust

[H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1

[H3C-object-policy-ip-untrust-trust] quit

# Configure the security policies between the Untrust and Trust zones so that the headquarters and branch networks can reach each other.

[H3C] zone-pair security source trust destination untrust

[H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust

[H3C-zone-pair-security-Trust-Untrust] quit

[H3C] zone-pair security source untrust destination trust

[H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust

[H3C-zone-pair-security-Untrust-Trust] quit

# Configure an ACL for the security policies between the Local and Untrust zones.

[H3C] acl advanced 3999

[H3C-acl-ipv4-adv-3999] rule 0 permit ip

[H3C-acl-ipv4-adv-3999] quit

# Configure the security policies between the Local and Untrust zones.

[H3C] zone-pair security source untrust destination local

[H3C-zone-pair-security-Untrust-Local] packet-filter 3999

[H3C-zone-pair-security-Untrust-Local] quit

[H3C] zone-pair security source local destination untrust

[H3C-zone-pair-security-Local-Untrust] packet-filter 3999

[H3C-zone-pair-security-Local-Untrust] quit

3. Configure routing.

# Configure a default route to the Internet, assuming the next hop is 2.2.2.3.

[H3C] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3

4. Configure an ACL that defines the traffic to be protected.

# Packets from 192.168.0.0/24 to 192.168.10.0/24 must be carried over the IPSec tunnel. The traffic defined here must be the mirror image of the traffic defined on the NGFW, otherwise the negotiation fails.

[H3C] acl advanced 3000

[H3C-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[H3C-acl-ipv4-adv-3000] quit

5. Configure the IKE proposal.

# Configure the IKE proposal: encryption algorithm, authentication algorithm, DH group and authentication method. The values must exactly match those configured on the NGFW.

# For the authentication algorithm, set sha; on the M9006, sha means SHA-1.

[H3C] ike proposal 1

[H3C-ike-proposal-1] encryption-algorithm 3des

[H3C-ike-proposal-1] authentication-method pre-share

[H3C-ike-proposal-1] authentication-algorithm sha

[H3C-ike-proposal-1] dh group2

[H3C-ike-proposal-1] quit

6. Configure the keychain.

[H3C] ike keychain keychain1

[H3C-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123

[H3C-ike-keychain-keychain1] quit

7. Configure the IKE profile.

[H3C] ike profile profile1

[H3C-ike-profile-profile1] keychain keychain1

[H3C-ike-profile-profile1] proposal 1

[H3C-ike-profile-profile1] exchange-mode main

[H3C-ike-profile-profile1] local-identity address 2.2.2.2

[H3C-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0

[H3C-ike-profile-profile1] match local address Ten-GigabitEthernet2/0/10

[H3C-ike-profile-profile1] quit

8. Configure the IPSec transform set.

# Specify the encapsulation mode, security protocol, encryption algorithm and authentication algorithm. The values must exactly match those configured on the NGFW.

[H3C] ipsec transform-set tran1

[H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel

[H3C-ipsec-transform-set-tran1] protocol esp

[H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des

[H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[H3C-ipsec-transform-set-tran1] quit

9. Configure the IPSec policy.

[H3C] ipsec policy map1 1 isakmp

[H3C-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1

[H3C-ipsec-policy-isakmp-map1-1] security acl 3000

[H3C-ipsec-policy-isakmp-map1-1] transform-set tran1

[H3C-ipsec-policy-isakmp-map1-1] ike-profile profile1

[H3C-ipsec-policy-isakmp-map1-1] quit

10. Apply the IPSec policy to the interface.

[H3C] interface Ten-GigabitEthernet2/0/10

[H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1

[H3C-Ten-GigabitEthernet2/0/10] quit

Summary

· The key to IPSec interoperation is that the parameters configured on both ends must be identical. Do not rely on default values on either end (the two vendors' defaults generally differ); follow the data plan and keep the parameters consistent on both sides.

· When configuring the IKE profile on the M9006, match local address specifies the scope in which the profile applies. The H3C configuration guide lists this command as optional, but when interoperating with the NGFW, if it is not configured the M9006 cannot find an interface to which the profile applies and the tunnel negotiation fails, so this command should be executed.
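The two rules above (identical IKE/IPSec parameters, mirrored protected-traffic ACLs) can be checked offline before bringing the tunnel up. The script below is an added example, not code from the article or from either vendor: it parses the relevant lines from both ends (constructed here from the commands in the article, with the H3C `sha` keyword treated as SHA-1) and lists every mismatch that would make negotiation fail; `wild_to_prefix`, `parse` and `check` are names chosen for this example.

```python
import re
from ipaddress import IPv4Network

# Constructed from the commands in the article above, not a device dump.
NGFW_CFG = """
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
"""
H3C_CFG = """
 encryption-algorithm 3des
 authentication-algorithm sha
 dh group2
 rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
"""
# Parameters that must be identical on both ends (IKE proposal, then IPSec proposal).
PARAMS = ("encryption-algorithm", "authentication-algorithm", "dh",
          "esp encryption-algorithm", "esp authentication-algorithm")
ALIASES = {"sha": "sha1"}  # Comware spells SHA-1 as "sha"; compare by algorithm, not keyword

def wild_to_prefix(wildcard):
    """ACL wildcard mask (0.0.0.255) -> prefix length (24)."""
    bits = "".join(f"{int(o):08b}" for o in wildcard.split("."))
    return 32 - bits.count("1")

def parse(cfg):
    """Extract the proposal parameters and the protected-traffic ACL from one end."""
    p = {}
    for key in PARAMS:
        m = re.search(rf"^\s*{key} (\S+)$", cfg, re.M)
        p[key] = ALIASES.get(m.group(1), m.group(1)) if m else None
    m = re.search(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", cfg)
    p["acl"] = (IPv4Network(f"{m.group(1)}/{wild_to_prefix(m.group(2))}"),
                IPv4Network(f"{m.group(3)}/{wild_to_prefix(m.group(4))}"))
    return p

def check(a, b):
    """Return mismatch descriptions; an empty list means the two ends agree."""
    problems = [f"{k}: {a[k]} vs {b[k]}" for k in PARAMS if a[k] != b[k]]
    # Protected traffic must mirror: A's source/destination = B's destination/source.
    if a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append(f"ACL not mirrored: {a['acl']} vs {b['acl']}")
    return problems

print(check(parse(NGFW_CFG), parse(H3C_CFG)) or "both ends consistent")
```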
