https://support.huawei.com/enterprise/zh/doc/EDOC1100320893/80997129
Example for Configuring the Headquarters to Establish Multiple IPSec Tunnels with Branches Using a Policy Template
Networking Requirements
As shown in Figure 5-43, RouterA and RouterB are enterprise branch gateways (RouterA accesses the public network with a fixed address, RouterB with a dynamically assigned address), and RouterC is the enterprise headquarters gateway. The branches and the headquarters communicate over the public network.
The enterprise wants to protect the traffic exchanged between the branches and the headquarters, and, for security, the headquarters gateway must only accept connections from branch gateways that meet specified conditions.
Because the branches and the headquarters communicate over the public network, IPSec tunnels can be established between the branch gateways and the headquarters gateway to protect this traffic.
Configuration Roadmap
Since the headquarters gateway cannot easily specify the IP addresses of the branch gateways, it can only respond to IPSec negotiations initiated by the branches. Deploying a policy template on RouterC and referencing it from a security policy lets RouterC accept the IPSec negotiations initiated by each branch gateway and establish multiple IPSec tunnels.
Configure IP addresses for the interfaces and static routes to the peer so that the two ends are reachable.
Configure ACLs to define the data flows to be protected by IPSec.
Configure IPSec proposals to define the IPSec protection method.
Configure IKE peers to define the attributes used during IKE negotiation between peers.
Because RouterA accesses the network with a fixed address, RouterA authenticates to RouterC with its IP address.
Because RouterB accesses the network with a dynamic address, RouterB authenticates to RouterC with its name.
Configure an identity filter set on RouterC that admits only RouterA and RouterB, so that other, unauthorized initiators cannot establish IPSec tunnels with RouterC.
RouterA is checked by IP address.
RouterB is checked by name.
Create security policies on RouterA, RouterB and RouterC to determine which protection method applies to which data flow. On RouterC, create the security policy with a policy template.
Apply the security policy groups to the interfaces so that the interfaces provide IPSec protection.
Procedure
Configure IP addresses for the interfaces of RouterA, RouterB and RouterC and static routes to the peers so that the three routers are reachable from one another.
# Configure interface IP addresses on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
[RouterA-GigabitEthernet0/0/2] quit
# Configure static routes to the peer on RouterA. This example assumes the next hop toward the headquarters is 60.1.1.2.
[RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
[RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
# Configure interface IP addresses on RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address dhcp-alloc
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
[RouterB-GigabitEthernet0/0/2] quit
# Configure static routes to the peer on RouterB. This example assumes the outbound interface toward the headquarters is GE0/0/1.
[RouterB] ip route-static 60.1.3.0 255.255.255.0 gigabitethernet 0/0/1
[RouterB] ip route-static 192.168.3.0 255.255.255.0 gigabitethernet 0/0/1
# Configure interface IP addresses on RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
[RouterC-GigabitEthernet0/0/1] quit
[RouterC] interface gigabitethernet 0/0/2
[RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
[RouterC-GigabitEthernet0/0/2] quit
# Configure a static route to the peers on RouterC. This example assumes the next hop toward both branch A and branch B is 60.1.3.2.
[RouterC] ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
Configure ACLs on RouterA and RouterB to define the data flows each must protect.
# Configure an ACL on RouterA to define the data flow from 192.168.1.0/24 to 192.168.3.0/24.
[RouterA] acl number 3002
[RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterA-acl-adv-3002] quit
# Configure an ACL on RouterB to define the data flow from 192.168.2.0/24 to 192.168.3.0/24.
[RouterB] acl number 3002
[RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterB-acl-adv-3002] quit
Create IPSec proposals on RouterA, RouterB and RouterC.
# Configure an IPSec proposal on RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit
# Configure an IPSec proposal on RouterB.
[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-tran1] quit
# Configure an IPSec proposal on RouterC.
[RouterC] ipsec proposal tran1
[RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterC-ipsec-proposal-tran1] quit
Configure IKE peers on RouterA, RouterB and RouterC.
# Configure an IKE proposal on RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit
# Configure an IKE peer on RouterA.
[RouterA] ike peer rut1
[RouterA-ike-peer-rut1] version 1
[RouterA-ike-peer-rut1] undo version 2
[RouterA-ike-peer-rut1] ike-proposal 5
[RouterA-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-rut1] remote-address 60.1.3.1
[RouterA-ike-peer-rut1] quit
# Configure an IKE proposal on RouterB.
[RouterB] ike proposal 5
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit
# Configure an IKE peer on RouterB.
[RouterB] ike local-name huaweirt1
[RouterB] ike peer rut1
[RouterB-ike-peer-rut1] version 1
[RouterB-ike-peer-rut1] undo version 2
[RouterB-ike-peer-rut1] ike-proposal 5
[RouterB-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-rut1] local-id-type fqdn
[RouterB-ike-peer-rut1] remote-address 60.1.3.1
[RouterB-ike-peer-rut1] quit
# Configure an IKE proposal on RouterC.
[RouterC] ike proposal 5
[RouterC-ike-proposal-5] encryption-algorithm aes-128
[RouterC-ike-proposal-5] authentication-algorithm sha2-256
[RouterC-ike-proposal-5] dh group14
[RouterC-ike-proposal-5] quit
# Configure an IKE peer on RouterC.
[RouterC] ike peer rut1
[RouterC-ike-peer-rut1] version 1
[RouterC-ike-peer-rut1] undo version 2
[RouterC-ike-peer-rut1] ike-proposal 5
[RouterC-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterC-ike-peer-rut1] quit
Configure an identity filter set on RouterC.
[RouterC] ike identity identity1
[RouterC-ike-identity-identity1] ip address 60.1.1.1 24
[RouterC-ike-identity-identity1] fqdn huaweirt1
[RouterC-ike-identity-identity1] quit
Create security policies on RouterA, RouterB and RouterC; on RouterC, create the security policy with a policy template.
# Configure a security policy on RouterA.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterA-ipsec-policy-isakmp-policy1-10] quit
# Configure a security policy on RouterB.
[RouterB] ipsec policy policy1 10 isakmp
[RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterB-ipsec-policy-isakmp-policy1-10] quit
# Configure a policy template on RouterC and reference it in a security policy.
[RouterC] ipsec policy-template use1 10
[RouterC-ipsec-policy-templet-use1-10] ike-peer rut1
[RouterC-ipsec-policy-templet-use1-10] proposal tran1
[RouterC-ipsec-policy-templet-use1-10] match ike-identity identity1
[RouterC-ipsec-policy-templet-use1-10] quit
[RouterC] ipsec policy policy1 10 isakmp template use1
Apply the security policy groups to the interfaces of RouterA, RouterB and RouterC so that the interfaces provide IPSec protection.
# Apply the security policy group to the interface of RouterA.
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ipsec policy policy1
[RouterA-GigabitEthernet0/0/1] quit
# Apply the security policy group to the interface of RouterB.
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ipsec policy policy1
[RouterB-GigabitEthernet0/0/1] quit
# Apply the security policy group to the interface of RouterC.
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ipsec policy policy1
[RouterC-GigabitEthernet0/0/1] quit
Verifying the Configuration
# After the configuration succeeds, PC A and PC B can still ping PC C, and the data transmitted between them is encrypted.
# Run the display ike sa command on RouterA and RouterB; the corresponding information is displayed. RouterA is used as an example.
[RouterA] display ike sa
IKE SA information :
 Conn-ID  Peer             VPN  Flag(s)  Phase  RemoteType  RemoteID
 ---------------------------------------------------------------------------
 24366    60.1.3.1:500          RD|ST    v1:2   IP          60.1.3.1
 24274    60.1.3.1:500          RD|ST    v1:1   IP          60.1.3.1

 Number of IKE SA : 2
 ---------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
# Run the display ike sa command on RouterC. The result is as follows.
[RouterC] display ike sa
IKE SA information :
 Conn-ID  Peer             VPN  Flag(s)  Phase  RemoteType  RemoteID
 --------------------------------------------------------------------------
 961      60.1.2.1:500          RD       v1:2   FQDN        huaweirt1
 933      60.1.2.1:500          RD       v1:1   FQDN        huaweirt1
 937      60.1.1.1:500          RD       v1:2   IP          60.1.1.1
 936      60.1.1.1:500          RD       v1:1   IP          60.1.1.1

 Number of IKE SA : 4
 --------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
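Two checks a practitioner wants after this: that RouterC's identity filter set really admits only the two branch identities (the IP check for RouterA, the name check for RouterB), and that every expected branch shows a READY phase 1 and phase 2 SA in display ike sa. The following Python is an added example, not part of the Huawei documentation or the device software; the function names and the embedded copy of RouterC's display output are constructed for illustration, and the matching logic is a plain model of the page's filter set, not the device's implementation.

```python
import ipaddress

# Identity filter set from RouterC's "ike identity identity1" (values from the page):
# an IP check for RouterA's fixed address, a name (FQDN) check for RouterB.
ALLOWED_NETWORKS = [ipaddress.ip_network("60.1.1.0/24")]
ALLOWED_FQDNS = {"huaweirt1"}

# Constructed sample: the body of RouterC's "display ike sa" output as shown on the page.
DISPLAY_IKE_SA = """\
 Conn-ID  Peer           VPN  Flag(s)  Phase  RemoteType  RemoteID
 ------------------------------------------------------------------
 961      60.1.2.1:500        RD       v1:2   FQDN        huaweirt1
 933      60.1.2.1:500        RD       v1:1   FQDN        huaweirt1
 937      60.1.1.1:500        RD       v1:2   IP          60.1.1.1
 936      60.1.1.1:500        RD       v1:1   IP          60.1.1.1
 Number of IKE SA : 4
"""

def parse_ike_sa(text):
    """Return one dict per SA row; the VPN column is optional (it is empty on the page)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) not in (6, 7) or not tok[0].isdigit():
            continue  # header, separator, summary and flag-legend lines
        if len(tok) == 6:
            tok.insert(2, "")  # no VPN instance shown
        conn, peer, vpn, flags, phase, rtype, rid = tok
        version, ph = phase[1:].split(":")  # "v1:2" -> IKEv1, phase 2
        rows.append({"conn": int(conn), "peer": peer, "vpn": vpn, "version": int(version),
                     "flags": set(flags.split("|")), "phase": int(ph), "type": rtype, "id": rid})
    return rows

def identity_allowed(rtype, rid):
    """Model of the filter set: IP identities must fall in an allowed prefix, FQDNs must match exactly."""
    if rtype == "IP":
        return any(ipaddress.ip_address(rid) in net for net in ALLOWED_NETWORKS)
    return rtype == "FQDN" and rid in ALLOWED_FQDNS

def ready_phases(rows):
    """Map each remote identity to the phases whose SA carries the RD (READY) flag."""
    out = {}
    for r in rows:
        if "RD" in r["flags"]:
            out.setdefault(r["id"], set()).add(r["phase"])
    return out

def branches_fully_up(rows, expected_ids):
    """True when every expected branch has both its IKE SA (phase 1) and IPSec SA (phase 2) READY."""
    return all(ready_phases(rows).get(i) == {1, 2} for i in expected_ids)
```

Note that RouterB's dynamic address 60.1.2.1 would fail the IP check, which is why the page admits it by name instead.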
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 version 1
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
 ike-proposal 5
 remote-address 60.1.3.1
#
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
 proposal tran1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.2 255.255.255.0
#
ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 ike local-name huaweirt1
#
acl number 3002
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 version 1
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%^%#
 ike-proposal 5
 local-id-type fqdn
 remote-address 60.1.3.1
#
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
 proposal tran1
#
interface GigabitEthernet0/0/1
 ip address dhcp-alloc
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 192.168.2.2 255.255.255.0
#
ip route-static 60.1.3.0 255.255.255.0 GigabitEthernet0/0/1
ip route-static 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1
#
return
Configuration file of RouterC
#
 sysname RouterC
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 version 1
 pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
 ike-proposal 5
#
ike identity identity1
 fqdn huaweirt1
 ip address 60.1.1.0 255.255.255.0
#
ipsec policy-template use1 10
 ike-peer rut1
 proposal tran1
 match ike-identity identity1
#
ipsec policy policy1 10 isakmp template use1
#
interface GigabitEthernet0/0/1
 ip address 60.1.3.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 192.168.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
#
return
Article link: https://hqyman.cn/post/4643.html
Author: hqy | Category: Network