防火墙IPSec (无固定IP地址---一对多)
目录
前言
一、场景:
二、实现
1.拓扑图
2.配置思路
①基础通信配置
②PPPoE配置
③总部的模版IPSec配置
④分部的IPSec配置
⑤NAT配置
3.具体配置
①基础配置
②详细配置和顺序
效果测试:
③PPPOE
①配置PPPoE
②策略放行
③IPSec与NAT的配置
④NAT配置
效果测试:
前言
IPSec VPN的概述与配置可查看这篇文章
【华为】IPSec VPN(动态)的原理与配置
(此篇文章的配置可配合链接中的配置对比理解)
一、场景:
以FW1所在的站点为总部,以FW2、FW3、FW4所在的站点为分部
目的:实现三个分部能够通过IPSec VPN访问总部(FW1),但三个分部之间无法通信
其中分部(FW4)所在的防火墙通过PPPoE获取IP地址,实现分部为无固定IP地址与总部固定IP地址通信
分部(FW2、FW3)假设为无固定地址去与总部固定IP地址通信
二、实现
1.拓扑图
2.配置思路
(详细的配置和顺序等都在具体配置体现出来了)
①基础通信配置
(此基础配置部分可看文章开头的链接)
②PPPoE配置
(此配置本文章先是将其他分部的IPSec配置结束之后才进行此分部的PPPoE与IPSec VPN配置)
③总部的模版IPSec配置
因为分部的设备都是无固定IP地址,所以总部无法得知分部具体的公网IP地址所以在配置里不能体现
④分部的IPSec配置
因为分部的设备都是无固定IP地址,所以分部的配置中不能体现本端公网的IP地址,但总部的IP地址需要体现
⑤NAT配置
3.具体配置
①基础配置
测试通信
②详细配置和顺序
FW1总部:
[FW1]acl number 3002
[FW1-acl-adv-3002]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[FW1-acl-adv-3002]rule 20 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]rule 20 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
#创建IKE安全提议
[FW1-acl-adv-3002]ike proposal 5
[FW1-ike-proposal-5]encryption-algorithm aes-256
[FW1-ike-proposal-5]dh group14
[FW1-ike-proposal-5]authentication-algorithm sha2-512
[FW1-ike-proposal-5]authentication-method pre-share
[FW1-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW1-ike-proposal-5]prf hmac-sha2-256
#创建IKE邻居分支
[FW1]ike peer branch
[FW1-ike-peer-branch]undo version 2
[FW1-ike-peer-branch]pre-shared-key Huawei@123
[FW1-ike-peer-branch]ike-proposal 5
[FW1-ike-peer-branch]exchange-mode main
#创建IPSec 安全提议
[FW1]ipsec proposal p
[FW1-ipsec-proposal-p]transform ah-esp
[FW1-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW1-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW1-ipsec-proposal-p]esp encryption-algorithm aes-256
配置IPSec模版
[FW1]ipsec policy-template branch_tem 10
[FW1-ipsec-policy-templet-branch_tem-10]security acl 3002
[FW1-ipsec-policy-templet-branch_tem-10]ike-peer branch
[FW1-ipsec-policy-templet-branch_tem-10]proposal p
绑定
[FW1]ipsec policy po 5 isakmp template branch_tem
[FW1]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0] ipsec policy po
nat策略配置
[FW1]nat-policy
[FW1-policy-nat]rule name ipsec_onat
[FW1-policy-nat-rule-ipsec_onat] source-zone trust
[FW1-policy-nat-rule-ipsec_onat] destination-zone untrust
[FW1-policy-nat-rule-ipsec_onat] source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.2.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.3.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.4.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] action no-nat
FW2:分部
#匹配感兴趣流量
[FW2]acl number 3001
[FW2-acl-adv-3001]rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#创建安全IKE提议
[FW2-acl-adv-3001]ike proposal 5
[FW2-ike-proposal-5]encryption-algorithm aes-256
[FW2-ike-proposal-5]dh group14
[FW2-ike-proposal-5]authentication-algorithm sha2-512
[FW2-ike-proposal-5]authentication-method pre-share
[FW2-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW2-ike-proposal-5]prf hmac-sha2-256
#创建IKE
[FW2]ike peer B
[FW2-ike-peer-B]undo version 2
[FW2-ike-peer-B]pre-shared-key Huawei@123
[FW2-ike-peer-B]ike-proposal 5
[FW2-ike-peer-B]remote-address 15.15.15.15
#总部固定 IP 地址
[FW2]exchange-mode main
[FW2-ike-peer-B]ipsec proposal p
[FW2-ipsec-proposal-p]transform ah-esp
[FW2-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW2-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW2-ipsec-proposal-p]esp encryption-algorithm aes-256
创建IPSec安全策略
[FW2]ipsec policy po 10 isakmp
[FW2-ipsec-policy-isakmp-po-10]security acl 3001
[FW2-ipsec-policy-isakmp-po-10]ike-peer B
[FW2-ipsec-policy-isakmp-po-10]proposal p
[FW2-ipsec-policy-isakmp-po-10]interface GigabitEthernet1/0/0
[FW2-GigabitEthernet1/0/0] ipsec policy po
FW3:分部
[FW3]#匹配感兴趣流量
[FW3]acl number 3001
[FW3-acl-adv-3001]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#创建安全IKE提议
[FW3]ike proposal 5
[FW3-ike-proposal-5]encryption-algorithm aes-256
[FW3-ike-proposal-5]dh group14
[FW3-ike-proposal-5]authentication-algorithm sha2-512
[FW3-ike-proposal-5]authentication-method pre-share
[FW3-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW3-ike-proposal-5]prf hmac-sha2-256
#创建IKE
[FW3]ike peer C
[FW3-ike-peer-C]undo version 2
[FW3-ike-peer-C]pre-shared-key Huawei@123
[FW3-ike-peer-C]ike-proposal 5
[FW3-ike-peer-C]remote-address 15.15.15.15
#总部固定 IP 地址
[FW3]exchange-mode main
[FW3-ike-peer-C]ipsec proposal p
[FW3-ipsec-proposal-p]transform ah-esp
[FW3-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW3-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW3-ipsec-proposal-p]esp encryption-algorithm aes-256
#创建IPSec安全策略
[FW3]ipsec policy po 10 isakmp
[FW3-ipsec-policy-isakmp-po-10]security acl 3001
[FW3-ipsec-policy-isakmp-po-10]ike-peer C
[FW3-ipsec-policy-isakmp-po-10]proposal p
接口调用策略
[FW3]interface GigabitEthernet1/0/0
[FW3-GigabitEthernet1/0/0] ipsec policy po效果测试:
但总部无法主动访问分部,只有当分部访问之后总部才能被动的访问分布
③PPPOE
配置
①配置PPPoE
R5:ISP
[R5]ip pool D
[R5-ip-pool-D]network 45.45.45.0 mask 255.255.255.0
[R5]aaa
[R5-aaa]local-user huawei password cipher Huawei@123
[R5-aaa]local-user huawei service-type ppp
[R5]int Virtual-Template 1
[R5-Virtual-Template1]ppp authentication-mode chap
[R5-Virtual-Template1]remote address pool D
[R5-Virtual-Template1]ip add 45.45.45.5 24
[R5]int g1/0/0
[R5-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1
FW4 出口防火墙
[FW4]int Dialer 1
[FW4-Dialer1]link-protocol ppp
[FW4-Dialer1]ppp chap user huawei
[FW4-Dialer1]ppp chap password cipher Huawei@123
[FW4-Dialer1]ip address ppp-negotiate
[FW4-Dialer1]dialer user huawei
[FW4-Dialer1]dialer bundle 1
[FW4-Dialer1]dialer-group 1
[FW4]dialer-rule 1 ip permit
[FW4]int g1/0/0
[FW4-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1
[FW4-GigabitEthernet1/0/0]undo shutdown
[FW4]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
[FW4]firewall zone untrust
[FW4-zone-untrust]add interface Dialer 1
②策略放行
FW4
同时也记得在总部放行此分部的策略
[FW4]security-policy
[FW4-policy-security] rule name ike_l2u
[FW4-policy-security-rule-ike_l2u] source-zone local
[FW4-policy-security-rule-ike_l2u] destination-zone untrust
[FW4-policy-security-rule-ike_l2u] destination-address 15.15.15.0 mask 255.255.255.0
[FW4-policy-security-rule-ike_l2u] action permit
[FW4-policy-security] rule name ike_u2l
[FW4-policy-security-rule-ike_u2l] source-zone untrust
[FW4-policy-security-rule-ike_u2l] destination-zone local
[FW4-policy-security-rule-ike_u2l] source-address 15.15.15.0 mask 255.255.255.0
[FW4-policy-security-rule-ike_u2l] action permit
[FW4-policy-security] rule name t2u
[FW4-policy-security-rule-t2u] source-zone trust
[FW4-policy-security-rule-t2u] destination-zone untrust
[FW4-policy-security-rule-t2u] source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-t2u] destination-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-security-rule-t2u] action permit
[FW4-policy-security] rule name u2t
[FW4-policy-security-rule-u2t] source-zone untrust
[FW4-policy-security-rule-u2t] destination-zone trust
[FW4-policy-security-rule-u2t] source-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-security-rule-u2t] destination-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-u2t] action permit
③IPSec与NAT的配置
FW4
[FW4]acl 3001
[FW4-acl-adv-3001] rule 15 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
IKE安全提议
[FW4]ike proposal 5
[FW4-ike-proposal-5]encryption-algorithm aes-256
[FW4-ike-proposal-5]dh group14
[FW4-ike-proposal-5]authentication-algorithm sha2-512
[FW4-ike-proposal-5]authentication-method pre-share
[FW4-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW4-ike-proposal-5]prf hmac-sha2-256
[FW4]ike peer D
[FW4-ike-peer-D]undo version 2
[FW4-ike-peer-D]pre-shared-key Huawei@123
[FW4-ike-peer-D]ike-proposal 5
[FW4-ike-peer-D]remote-address 15.15.15.15
[FW4-ike-peer-D]exchange-mode main
[FW4]ipsec proposal p
[FW4-ipsec-proposal-p]transform ah-esp
[FW4-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW4-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW4-ipsec-proposal-p]esp encryption-algorithm aes-256
[FW4]ipsec policy po 100 isakmp
[FW4-ipsec-policy-isakmp-po-100]security acl 3001
[FW4-ipsec-policy-isakmp-po-100]ike-peer D
[FW4-ipsec-policy-isakmp-po-100]proposal p
[FW4]int Dialer 1
[FW4-Dialer1] ipsec policy po
[FW1-acl-adv-3002]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255④NAT配置
安全策略放行
[FW4-policy-security-rule-nat] rule name nat
[FW4-policy-security-rule-nat] source-zone trust
[FW4-policy-security-rule-nat] destination-zone untrust
[FW4-policy-security-rule-nat] source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-nat] action permit
NAT策略
[FW4-policy-nat]nat-policy
[FW4-policy-nat] rule name nat
[FW4-policy-nat-rule-nat] source-zone trust
[FW4-policy-nat-rule-nat] destination-zone untrust
[FW4-policy-nat-rule-nat] source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-nat-rule-nat] action source-nat easy-ip
[FW4-policy-nat-rule-nat] rule name ipsec_nonat
[FW4-policy-nat-rule-ipsec_nonat] source-zone trust
[FW4-policy-nat-rule-ipsec_nonat] destination-zone untrust
[FW4-policy-nat-rule-ipsec_nonat] source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-nat-rule-ipsec_nonat] destination-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-nat-rule-ipsec_nonat] action no-nat
[FW4-policy-nat]rule move ipsec_nonat before nat效果测试:
