https://support.huawei.com/enterprise/zh/doc/EDOC1100203254/554f39d9
Example for Configuring the Headquarters to Establish IPSec Tunnels with Branches Using One Tunnel Interface per Branch
Networking Requirements
As shown in Figure 5-41, Router_B and Router_C are enterprise branch gateways and Router_A is the enterprise headquarters gateway. The branches and the headquarters communicate over the public network.
The enterprise requires IPSec protection for the traffic exchanged between the branches and the headquarters. At the headquarters, multiple Tunnel interfaces borrow the IP address of the same physical interface, and each Tunnel interface corresponds to one branch.
Configuration Roadmap
The configuration roadmap for having the headquarters establish IPSec tunnels with the branches, one Tunnel interface per branch, is as follows:
1. Configure IP addresses for the interfaces and static routes to the peer so that the two ends are routable to each other.
2. Configure security policies in ISAKMP mode, including the data flows to be protected and the negotiation parameters of the security proposals.
Note: Because the headquarters uses multiple Tunnel interfaces that borrow the same physical interface address to set up separate IPSec tunnels with the branches, it identifies the Tunnel interface a branch attaches to by the remote IP address configured in the IKE peer. The headquarters therefore needs multiple IKE peers and multiple IPSec policies, and each Tunnel interface applies a different IPSec policy.
Procedure
1. Configure Router_A.
   a. Configure interface IP addresses and static routes.
      Configure interface IP addresses.
      <Huawei> system-view
      [Huawei] sysname Router_A
      [Router_A] interface gigabitethernet 1/0/3
      [Router_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
      [Router_A-GigabitEthernet1/0/3] quit
      [Router_A] interface gigabitethernet 1/0/1
      [Router_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
      [Router_A-GigabitEthernet1/0/1] quit
      [Router_A] interface tunnel 0/0/0
      [Router_A-Tunnel0/0/0] tunnel-protocol ipsec
      [Router_A-Tunnel0/0/0] ip address unnumbered interface gigabitethernet 1/0/1
      [Router_A-Tunnel0/0/0] quit
      [Router_A] interface tunnel 0/0/1
      [Router_A-Tunnel0/0/1] tunnel-protocol ipsec
      [Router_A-Tunnel0/0/1] ip address unnumbered interface gigabitethernet 1/0/1
      [Router_A-Tunnel0/0/1] quit
      Configure static routes to the branches. The next-hop address is assumed to be 1.1.3.2.
      [Router_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
      [Router_A] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0
      [Router_A] ip route-static 10.1.3.0 255.255.255.0 tunnel 0/0/1
   b. Configure IPSec policies.
      Configure an IPSec proposal.
      [Router_A] ipsec proposal tran1
      [Router_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [Router_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [Router_A-ipsec-proposal-tran1] quit
      Configure an IKE proposal.
      [Router_A] ike proposal 10
      [Router_A-ike-proposal-10] authentication-method pre-share
      [Router_A-ike-proposal-10] prf hmac-sha2-256
      [Router_A-ike-proposal-10] encryption-algorithm aes-256
      [Router_A-ike-proposal-10] dh group14
      [Router_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [Router_A-ike-proposal-10] quit
      Configure IKE peers, one per branch.
      [Router_A] ike peer b
      [Router_A-ike-peer-b] ike-proposal 10
      [Router_A-ike-peer-b] remote-address 1.1.5.1
      [Router_A-ike-peer-b] pre-shared-key cipher YsHsjx_202206
      [Router_A-ike-peer-b] quit
      [Router_A] ike peer c
      [Router_A-ike-peer-c] ike-proposal 10
      [Router_A-ike-peer-c] remote-address 1.1.6.1
      [Router_A-ike-peer-c] pre-shared-key cipher YsHsjx_202206
      [Router_A-ike-peer-c] quit
      Create security policies, each referencing the IKE peer and ACL of one branch.
      [Router_A] ipsec policy map1 10 isakmp
      [Router_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [Router_A-ipsec-policy-isakmp-map1-10] ike-peer b
      [Router_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [Router_A-ipsec-policy-isakmp-map1-10] quit
      [Router_A] ipsec policy map2 10 isakmp
      [Router_A-ipsec-policy-isakmp-map2-10] proposal tran1
      [Router_A-ipsec-policy-isakmp-map2-10] ike-peer c
      [Router_A-ipsec-policy-isakmp-map2-10] security acl 3001
      [Router_A-ipsec-policy-isakmp-map2-10] quit
      Apply the security policies to the Tunnel interfaces.
      [Router_A] interface tunnel 0/0/0
      [Router_A-Tunnel0/0/0] ipsec policy map1
      [Router_A-Tunnel0/0/0] quit
      [Router_A] interface tunnel 0/0/1
      [Router_A-Tunnel0/0/1] ipsec policy map2
      [Router_A-Tunnel0/0/1] quit
2. Configure Router_B. The configuration of Router_C is similar to that of Router_B and is not described here.
   a. Configure interface IP addresses and static routes.
      Configure interface IP addresses.
      <Huawei> system-view
      [Huawei] sysname Router_B
      [Router_B] interface gigabitethernet 1/0/3
      [Router_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
      [Router_B-GigabitEthernet1/0/3] quit
      [Router_B] interface gigabitethernet 1/0/1
      [Router_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
      [Router_B-GigabitEthernet1/0/1] quit
      [Router_B] interface tunnel 0/0/0
      [Router_B-Tunnel0/0/0] tunnel-protocol ipsec
      [Router_B-Tunnel0/0/0] ip address unnumbered interface gigabitethernet 1/0/1
      [Router_B-Tunnel0/0/0] quit
      Configure static routes to the headquarters. The next-hop address is assumed to be 1.1.5.2.
      [Router_B] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
      [Router_B] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/0
   b. Configure an IPSec policy.
      Define the data flow to be protected.
      [Router_B] acl 3000
      [Router_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [Router_B-acl-adv-3000] quit
      Configure an IPSec proposal.
      [Router_B] ipsec proposal tran1
      [Router_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [Router_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [Router_B-ipsec-proposal-tran1] quit
      Configure an IKE proposal.
      [Router_B] ike proposal 10
      [Router_B-ike-proposal-10] authentication-method pre-share
      [Router_B-ike-proposal-10] prf hmac-sha2-256
      [Router_B-ike-proposal-10] encryption-algorithm aes-256
      [Router_B-ike-proposal-10] dh group14
      [Router_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [Router_B-ike-proposal-10] quit
      Configure an IKE peer.
      [Router_B] ike peer a
      [Router_B-ike-peer-a] ike-proposal 10
      [Router_B-ike-peer-a] remote-address 1.1.3.1
      [Router_B-ike-peer-a] pre-shared-key cipher YsHsjx_202206
      [Router_B-ike-peer-a] quit
      Create an IPSec policy.
      [Router_B] ipsec policy map1 10 isakmp
      [Router_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [Router_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [Router_B-ipsec-policy-isakmp-map1-10] ike-peer a
      [Router_B-ipsec-policy-isakmp-map1-10] quit
      Apply the IPSec policy to the Tunnel interface.
      [Router_B] interface tunnel 0/0/0
      [Router_B-Tunnel0/0/0] ipsec policy map1
      [Router_B-Tunnel0/0/0] quit
Verifying the Configuration
# Run the ping -a source-ip-address host command to ping the private network addresses. The headquarters and the branches can ping each other, which shows that services between them are reachable. Router_A is used as an example.
[Router_A] ping -a 10.1.1.1 10.1.2.2
  PING 10.1.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
    Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.1.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/18/89 ms
[Router_A] ping -a 10.1.1.1 10.1.3.2
  PING 10.1.3.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.3.2: bytes=56 Sequence=1 ttl=255 time=89 ms
    Reply from 10.1.3.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.3.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.3.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.3.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.1.3.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/18/89 ms
# Run the display ike sa command. IKE SA and IPSec SA information is displayed, which shows that the IPSec tunnels between the two ends have been established. Router_A is used as an example; one v2:1 (IKE SA) and one v2:2 (IPSec SA) entry in RD state appear for each branch peer.
[Router_A] display ike sa
 IKE SA information :
 Conn-ID    Peer            VPN   Flag(s)      Phase   RemoteType   RemoteID
 ------------------------------------------------------------------------------
 50336907   1.1.5.1:500           RD|ST|A      v2:2    IP           1.1.5.1
 50336906   1.1.5.1:500           RD|ST|A      v2:1    IP           1.1.5.1
 33554436   1.1.6.1:500           RD|ST|A      v2:2    IP           1.1.6.1
 33554435   1.1.6.1:500           RD|ST|A      v2:1    IP           1.1.6.1
 Number of IKE SA : 4
 ------------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
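As an added example (not part of the Huawei documentation), the following Python script turns the display ike sa table above into a per-branch health check: a branch tunnel counts as up only when its IKE SA (phase v2:1) and at least one IPSec SA (phase v2:2) carry the RD flag, and any SA towards a peer that is not in the expected list is reported as configuration drift. SAMPLE_OK is constructed from the output shown above; SAMPLE_DEGRADED is a constructed failure case in which the SA towards 1.1.6.1 is still negotiating (NEG) and an SA exists towards an unexpected peer 1.1.7.1.

```python
"""Added example: judge branch tunnel health from `display ike sa` output."""

# Constructed from the Router_A output shown on this page: both branch tunnels are up.
SAMPLE_OK = """\
 IKE SA information :
 Conn-ID    Peer            VPN   Flag(s)      Phase   RemoteType   RemoteID
 ------------------------------------------------------------------------------
 50336907   1.1.5.1:500           RD|ST|A      v2:2    IP           1.1.5.1
 50336906   1.1.5.1:500           RD|ST|A      v2:1    IP           1.1.5.1
 33554436   1.1.6.1:500           RD|ST|A      v2:2    IP           1.1.6.1
 33554435   1.1.6.1:500           RD|ST|A      v2:1    IP           1.1.6.1
 Number of IKE SA : 4
 ------------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
"""

# Constructed degraded case: the IKE SA towards 1.1.6.1 is still negotiating with no
# child SA, and an SA exists towards 1.1.7.1, which is not a configured branch.
SAMPLE_DEGRADED = """\
 IKE SA information :
 Conn-ID    Peer            VPN   Flag(s)      Phase   RemoteType   RemoteID
 ------------------------------------------------------------------------------
 50336907   1.1.5.1:500           RD|ST|A      v2:2    IP           1.1.5.1
 50336906   1.1.5.1:500           RD|ST|A      v2:1    IP           1.1.5.1
 33554440   1.1.6.1:500           NEG|A        v2:1    IP           1.1.6.1
 33554441   1.1.7.1:500           RD|ST|A      v2:1    IP           1.1.7.1
 Number of IKE SA : 4
"""

EXPECTED_BRANCHES = ["1.1.5.1", "1.1.6.1"]  # remote-address of ike peer b and ike peer c


def parse_ike_sa(output):
    """Return one dict per SA row. The VPN column is blank when no VPN instance is
    used, so a data row has either 6 or 7 whitespace-separated fields."""
    rows = []
    for line in output.splitlines():
        tok = line.split()
        # Data rows start with a numeric Conn-ID; headers, rulers and legends do not.
        if not tok or not tok[0].isdigit() or len(tok) not in (6, 7):
            continue
        if len(tok) == 6:
            tok.insert(2, None)  # no VPN instance
        conn, peer, vpn, flags, phase, rtype, rid = tok
        version, stage = phase.split(":")  # e.g. "v2:1" -> IKEv2, phase 1 (IKE SA)
        rows.append({
            "conn_id": int(conn),
            "peer_ip": peer.rsplit(":", 1)[0],  # strip the UDP port (500 or 4500)
            "vpn": vpn,
            "flags": set(flags.split("|")),
            "ike_version": version,
            "phase": int(stage),
            "remote_type": rtype,
            "remote_id": rid,
        })
    return rows


def tunnel_status(output, expected_peers):
    """Map each expected peer IP to whether its IKE SA (phase 1) and at least one
    IPSec SA (phase 2) are in READY (RD) state."""
    status = {ip: {"ike_sa": False, "ipsec_sa": False} for ip in expected_peers}
    for sa in parse_ike_sa(output):
        ip = sa["peer_ip"]
        if ip not in status or "RD" not in sa["flags"]:
            continue  # unknown peer, or SA not yet ready (e.g. NEG, FD, TO)
        status[ip]["ike_sa" if sa["phase"] == 1 else "ipsec_sa"] = True
    return status


def all_tunnels_up(output, expected_peers):
    return all(v["ike_sa"] and v["ipsec_sa"]
               for v in tunnel_status(output, expected_peers).values())


def unexpected_peers(output, expected_peers):
    """Peers holding an SA that are not in the expected list: worth an alert, since
    the headquarters should only negotiate with its configured ike peers."""
    return {sa["peer_ip"] for sa in parse_ike_sa(output)} - set(expected_peers)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("degraded", SAMPLE_DEGRADED)):
        print(name, tunnel_status(sample, EXPECTED_BRANCHES),
              "unexpected:", unexpected_peers(sample, EXPECTED_BRANCHES))
```

Feed the script the real command output captured from Router_A (for example over an SSH session) instead of the constructed samples; the expected peer list should be generated from the configured ike peer remote-address values so that the check and the configuration cannot drift apart silently.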
Configuration Files
Router_A configuration file
#
 sysname Router_A
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
 ike-proposal 10
 remote-address 1.1.5.1
ike peer c
 pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
 ike-proposal 10
 remote-address 1.1.6.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer c
 proposal tran1
#
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map1
#
interface Tunnel0/0/1
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0
ip route-static 10.1.3.0 255.255.255.0 Tunnel0/0/1
#
return
Router_B configuration file
#
 sysname Router_B
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/1
 ip address 1.1.5.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0
#
return
Router_C configuration file
#
 sysname Router_C
#
acl number 3000
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/1
 ip address 1.1.6.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.1.3.1 255.255.255.0
#
interface Tunnel0/0/1
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.6.2
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
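The roadmap states that the headquarters distinguishes branches solely by the remote-address of the IKE peer that each Tunnel interface's IPSec policy references, so two Tunnel interfaces whose policies resolve to the same remote address would no longer be one tunnel per branch, and a policy whose ACL is missing would protect nothing. The following Python script, added here and not part of the Huawei documentation, reads a configuration file in the format shown above and checks those two properties for every interface that applies an ipsec policy. ROUTER_A_CONFIG is constructed and abridged from the Router_A configuration file above (the encrypted pre-shared key is replaced by a placeholder); ROUTER_A_BROKEN is a constructed misconfiguration in which policy map2 references ike peer b instead of ike peer c.

```python
"""Added example: check the one-tunnel-per-branch mapping in a Router_A configuration."""

# Constructed input, abridged from the Router_A configuration file on this page;
# the encrypted pre-shared key is a placeholder, not the page's ciphertext.
ROUTER_A_CONFIG = """\
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike peer b
 pre-shared-key cipher %^%#<ciphertext-placeholder>%^%#
 remote-address 1.1.5.1
ike peer c
 pre-shared-key cipher %^%#<ciphertext-placeholder>%^%#
 remote-address 1.1.6.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer c
 proposal tran1
#
interface Tunnel0/0/0
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map1
#
interface Tunnel0/0/1
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy map2
#
return
"""

# Constructed misconfiguration: map2 points at peer b, so both tunnels select the same branch.
ROUTER_A_BROKEN = ROUTER_A_CONFIG.replace(" ike-peer c\n", " ike-peer b\n")


def parse_config(text):
    """Extract ACL numbers, IKE peers, ISAKMP policies and per-interface policy bindings.
    The section-opening commands set the context; a '#' line closes it."""
    acls, peers, policies, bound = set(), {}, {}, {}
    ctx = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            ctx = None
            continue
        if tok[:2] == ["acl", "number"]:
            acls.add(tok[2])
            ctx = None
        elif tok[:2] == ["ike", "peer"]:
            ctx = ("peer", tok[2])
            peers.setdefault(tok[2], {})
        elif tok[:2] == ["ipsec", "policy"] and len(tok) >= 5 and tok[4] == "isakmp":
            ctx = ("policy", tok[2])  # top-level policy definition, not an interface binding
            policies.setdefault(tok[2], {})
        elif tok[0] == "interface":
            ctx = ("iface", tok[1])
        elif ctx and ctx[0] == "peer" and tok[0] == "remote-address":
            peers[ctx[1]]["remote"] = tok[1]
        elif ctx and ctx[0] == "policy" and tok[0] == "ike-peer":
            policies[ctx[1]]["peer"] = tok[1]
        elif ctx and ctx[0] == "policy" and tok[:2] == ["security", "acl"]:
            policies[ctx[1]]["acl"] = tok[2]
        elif ctx and ctx[0] == "iface" and tok[:2] == ["ipsec", "policy"]:
            bound[ctx[1]] = tok[2]  # 'ipsec policy <name>' applied on the interface
    return acls, peers, policies, bound


def check_one_tunnel_per_branch(text):
    """Return a list of problems; empty means every bound policy resolves to a defined
    ACL and to an IKE peer whose remote-address no other interface uses."""
    acls, peers, policies, bound = parse_config(text)
    problems, owner = [], {}
    for iface, pol in sorted(bound.items()):
        p = policies.get(pol)
        if p is None:
            problems.append(f"{iface}: ipsec policy {pol} is not defined")
            continue
        if p.get("acl") not in acls:
            problems.append(f"{iface}: policy {pol} references undefined ACL {p.get('acl')}")
        remote = peers.get(p.get("peer"), {}).get("remote")
        if remote is None:
            problems.append(f"{iface}: policy {pol} has no IKE peer with a remote-address")
        elif remote in owner:
            problems.append(f"{iface}: remote-address {remote} already used by {owner[remote]}")
        else:
            owner[remote] = iface
    return problems


if __name__ == "__main__":
    print("good config:", check_one_tunnel_per_branch(ROUTER_A_CONFIG))
    print("broken config:", check_one_tunnel_per_branch(ROUTER_A_BROKEN))
```

Run it against the full configuration file as saved from the device; the parser ignores the sections it does not need (proposals, physical interfaces, routes), and a non-empty result means a branch would either share a tunnel with another or send traffic unprotected.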