https://support.huawei.com/enterprise/zh/doc/EDOC1100262550/3e6b3819
Networking Requirements
As shown in Figure 3-21, the headquarters network and two branch networks access the Internet through DeviceA, DeviceB and DeviceC respectively; routes are reachable between DeviceA and DeviceB and between DeviceA and DeviceC. IPsec tunnels are established over the public network interfaces between DeviceA and DeviceB and between DeviceA and DeviceC, with a different pre-shared key used for identity authentication on each tunnel, to protect the transmission of data flows between specific subnets of the headquarters network and the two branch networks.
Figure 3-21 Establishing IPsec tunnels using a policy template (branches authenticated with different pre-shared keys)
In this example, interface1 and interface2 represent 10GE0/0/1 and 10GE0/0/2 of DeviceA, interface3 and interface4 represent 10GE0/0/1 and 10GE0/0/2 of DeviceB, and interface5 and interface6 represent 10GE0/0/1 and 10GE0/0/2 of DeviceC.
| Item | Data |
|---|---|
| DeviceA | Interface: 10GE0/0/1, IP address: 1.1.1.1/24 |
| | Interface: 10GE0/0/2, IP address: 10.1.0.1/24 |
| | IPsec configuration: peer address: the public network interface IP addresses of the peer devices DeviceB and DeviceC used to establish the IPsec tunnels; authentication method: pre-shared key; pre-shared keys: YsHsjx_202206, Admin@456 |
| DeviceB | Interface: 10GE0/0/1, IP address: 2.2.2.2/24 |
| | Interface: 10GE0/0/2, IP address: 10.1.1.1/24 |
| | IPsec configuration: peer address: 1.1.1.1; authentication method: pre-shared key; pre-shared key: YsHsjx_202206; local ID type: IP; remote ID type: Any |
| DeviceC | Interface: 10GE0/0/1, IP address: 3.3.3.3/24 |
| | Interface: 10GE0/0/2, IP address: 10.1.2.1/24 |
| | IPsec configuration: peer address: 1.1.1.1; authentication method: pre-shared key; pre-shared key: Admin@456; local ID type: IP; remote ID type: Any |
Configuration Roadmap
DeviceA, DeviceB and DeviceC all need to be configured following the roadmap below, and the negotiation parameters on the two ends of each tunnel must be identical.
In this example, all algorithms used by IPsec are the default security algorithms.
For security reasons, using weak security algorithms or weak security protocols with this feature is not recommended. If they are really required, run the install feature-software WEAKEA command to install the weak security algorithm/protocol feature package WEAKEA.
The roadmap for establishing IPsec tunnels using a policy template (branches authenticated with different pre-shared keys) is as follows:
1. Configure the interfaces.
2. Configure static routes to steer the tunnel negotiation packets and the encrypted data packets carried by the tunnel.
3. Configure IPsec policies and apply the IPsec policy groups to the interfaces. The headquarters device DeviceA needs a policy-template IPsec policy, while the branch devices DeviceB and DeviceC each need an ISAKMP IPsec policy. Because the branches access the headquarters with different pre-shared keys, an IKE user table must be configured on DeviceA with a different pre-shared key for each branch, so that each branch can initiate tunnel negotiation with its own pre-shared key.
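Because any difference in the IKE or IPsec proposal between the two ends makes negotiation fail, a quick pre-deployment check is to diff the proposal sections of the two configuration scripts. The following Python script is an added example, not part of the Huawei documentation: it parses the `ike proposal` and `ipsec proposal` sections in the script layout shown at the end of this page, using constructed excerpts in which the branch copy deliberately carries a different DH group (group19 is assumed here only to produce a mismatch).

```python
import re

# Constructed excerpts in the layout of the example's configuration scripts; the branch copy
# is derived from the hub copy with a deliberately mismatched DH group so the checker reports it.
HUB_CFG = """\
#
ike proposal 10
 encryption-algorithm aes-gcm-256
 dh group14
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256-gcm-128
#
"""
BRANCH_CFG = HUB_CFG.replace("dh group14", "dh group19")   # assumed mismatch, constructed


def parse_proposals(cfg):
    """Map the 'ike proposal N' and 'ipsec proposal NAME' sections to {parameter: value}."""
    found, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#" or not line:          # '#' separates sections in the script
            current = None
        elif current is None:                # first line of a section is its heading
            m = re.match(r"^(ike|ipsec) proposal \S+$", line)
            current = found.setdefault(m.group(1), {}) if m else {}   # {} = ignored section
        else:                                # last token is the value, the rest is the key
            key, _, value = line.rpartition(" ")
            current[key] = value
    return found


def negotiation_mismatches(hub_cfg, branch_cfg):
    """Parameters that differ between hub and branch; an empty list means they can negotiate."""
    hub, branch = parse_proposals(hub_cfg), parse_proposals(branch_cfg)
    out = []
    for kind in ("ike", "ipsec"):
        h, b = hub.get(kind, {}), branch.get(kind, {})
        for key in sorted(set(h) | set(b)):
            if h.get(key) != b.get(key):
                out.append((kind, key, h.get(key), b.get(key)))
    return out
```

Run `negotiation_mismatches(HUB_CFG, BRANCH_CFG)` to get the single `("ike", "dh", "group14", "group19")` entry; the same call with two identical scripts returns an empty list.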
Procedure
Configure the public and private network interfaces of DeviceA.
# Configure the public network interface 10GE0/0/1.
```
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 0/0/1
[DeviceA-10GE0/0/1] undo portswitch
[DeviceA-10GE0/0/1] ip address 1.1.1.1 24
[DeviceA-10GE0/0/1] quit
```
# Configure the private network interface 10GE0/0/2.
```
[DeviceA] interface 10ge 0/0/2
[DeviceA-10GE0/0/2] undo portswitch
[DeviceA-10GE0/0/2] ip address 10.1.0.1 24
[DeviceA-10GE0/0/2] quit
```
Configure a default static route on DeviceA to steer the tunnel negotiation packets and the encrypted data packets carried by the tunnel.
This example assumes that the next-hop IP address from DeviceA to the Internet is 1.1.1.254.
```
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
```
Configure a policy-template IPsec policy on DeviceA and apply the IPsec policy group to interface 10GE0/0/1.
Configure an IPsec proposal.
```
[DeviceA] ipsec proposal tran1
[DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes-256-gcm-128
[DeviceA-ipsec-proposal-tran1] quit
```
Configure an IKE proposal.
```
[DeviceA] ike proposal 10
[DeviceA-ike-proposal-10] authentication-method pre-share
[DeviceA-ike-proposal-10] prf hmac-sha2-256
[DeviceA-ike-proposal-10] encryption-algorithm aes-gcm-256
[DeviceA-ike-proposal-10] dh group14
[DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
[DeviceA-ike-proposal-10] quit
```
Configure an IKE user table with a different pre-shared key for each branch.
When IKEv1 in main mode is used with pre-shared key authentication, id-type can only be set to ip, and in a NAT traversal scenario the IP address must be the address after NAT translation. If a branch obtains its IP address dynamically, IKEv1 in aggressive mode or IKEv2 must be used, and setting id-type to fqdn is recommended.
```
[DeviceA] ike user-table 10
[DeviceA-ike-user-table-10] user deviceb
[DeviceA-ike-user-table-10-deviceb] id-type ip 2.2.2.2
[DeviceA-ike-user-table-10-deviceb] pre-shared-key YsHsjx_202206
[DeviceA-ike-user-table-10-deviceb] quit
[DeviceA-ike-user-table-10] user devicec
[DeviceA-ike-user-table-10-devicec] id-type ip 3.3.3.3
[DeviceA-ike-user-table-10-devicec] pre-shared-key Admin@456
[DeviceA-ike-user-table-10-devicec] quit
```
Configure an IKE peer.
```
[DeviceA] ike peer b
[DeviceA-ike-peer-b] ike-proposal 10
[DeviceA-ike-peer-b] user-table 10
[DeviceA-ike-peer-b] quit
```
Configure an IPsec policy template.
```
[DeviceA] ipsec policy-template map_temp 1
[DeviceA-ipsec-policy-templet-map_temp-1] proposal tran1
[DeviceA-ipsec-policy-templet-map_temp-1] ike-peer b
[DeviceA-ipsec-policy-templet-map_temp-1] quit
```
Reference the IPsec policy template map_temp in the IPsec policy with sequence number 10 of IPsec policy group map1.
```
[DeviceA] ipsec policy map1 10 isakmp template map_temp
```
Apply the IPsec policy group to interface 10GE0/0/1.
```
[DeviceA] interface 10ge 0/0/1
[DeviceA-10GE0/0/1] ipsec policy map1
[DeviceA-10GE0/0/1] quit
```
Configure the public and private network interfaces of DeviceB.
# Configure the public network interface 10GE0/0/1.
```
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface 10ge 0/0/1
[DeviceB-10GE0/0/1] undo portswitch
[DeviceB-10GE0/0/1] ip address 2.2.2.2 24
[DeviceB-10GE0/0/1] quit
```
# Configure the private network interface 10GE0/0/2.
```
[DeviceB] interface 10ge 0/0/2
[DeviceB-10GE0/0/2] undo portswitch
[DeviceB-10GE0/0/2] ip address 10.1.1.1 24
[DeviceB-10GE0/0/2] quit
```
Configure a default static route on DeviceB to steer the tunnel negotiation packets and the encrypted data packets carried by the tunnel.
This example assumes that the next-hop IP address from DeviceB to the Internet is 2.2.2.254.
```
[DeviceB] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
```
Configure an ISAKMP IPsec policy on DeviceB and apply the IPsec policy group to interface 10GE0/0/1.
Create advanced ACL 3000 to define the data flow to be protected, permitting the 10.1.1.0/24 subnet to access the 10.1.0.0/24 subnet.
```
[DeviceB] acl 3000
[DeviceB-acl4-advance-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[DeviceB-acl4-advance-3000] quit
```
Configure an IPsec proposal.
```
[DeviceB] ipsec proposal tran1
[DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes-256-gcm-128
[DeviceB-ipsec-proposal-tran1] quit
```
Configure an IKE proposal.
```
[DeviceB] ike proposal 10
[DeviceB-ike-proposal-10] authentication-method pre-share
[DeviceB-ike-proposal-10] prf hmac-sha2-256
[DeviceB-ike-proposal-10] encryption-algorithm aes-gcm-256
[DeviceB-ike-proposal-10] dh group14
[DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
[DeviceB-ike-proposal-10] quit
```
Configure an IKE peer.
```
[DeviceB] ike peer a
[DeviceB-ike-peer-a] ike-proposal 10
[DeviceB-ike-peer-a] remote-address 1.1.1.1
[DeviceB-ike-peer-a] pre-shared-key YsHsjx_202206
[DeviceB-ike-peer-a] quit
```
Configure an IPsec policy.
```
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a
[DeviceB-ipsec-policy-isakmp-map1-10] sa trigger-mode auto
[DeviceB-ipsec-policy-isakmp-map1-10] quit
```
By default, IPsec tunnel establishment is triggered by traffic. To have the negotiation that establishes the IPsec tunnel triggered automatically, run the sa trigger-mode auto command.
Apply the IPsec policy group to interface 10GE0/0/1.
```
[DeviceB] interface 10ge 0/0/1
[DeviceB-10GE0/0/1] ipsec policy map1
[DeviceB-10GE0/0/1] quit
```
Configure the public and private network interfaces of DeviceC.
# Configure the public network interface 10GE0/0/1.
```
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] interface 10ge 0/0/1
[DeviceC-10GE0/0/1] undo portswitch
[DeviceC-10GE0/0/1] ip address 3.3.3.3 24
[DeviceC-10GE0/0/1] quit
```
# Configure the private network interface 10GE0/0/2.
```
[DeviceC] interface 10ge 0/0/2
[DeviceC-10GE0/0/2] undo portswitch
[DeviceC-10GE0/0/2] ip address 10.1.2.1 24
[DeviceC-10GE0/0/2] quit
```
Configure a default static route on DeviceC to steer the tunnel negotiation packets and the encrypted data packets carried by the tunnel.
This example assumes that the next-hop IP address from DeviceC to the Internet is 3.3.3.254.
```
[DeviceC] ip route-static 0.0.0.0 0.0.0.0 3.3.3.254
```
Configure an ISAKMP IPsec policy on DeviceC and apply the IPsec policy group to interface 10GE0/0/1.
Create advanced ACL 3000 to define the data flow to be protected, permitting the 10.1.2.0/24 subnet to access the 10.1.0.0/24 subnet.
```
[DeviceC] acl 3000
[DeviceC-acl4-advance-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[DeviceC-acl4-advance-3000] quit
```
Configure an IPsec proposal.
```
[DeviceC] ipsec proposal tran1
[DeviceC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[DeviceC-ipsec-proposal-tran1] esp encryption-algorithm aes-256-gcm-128
[DeviceC-ipsec-proposal-tran1] quit
```
Configure an IKE proposal.
```
[DeviceC] ike proposal 10
[DeviceC-ike-proposal-10] authentication-method pre-share
[DeviceC-ike-proposal-10] prf hmac-sha2-256
[DeviceC-ike-proposal-10] encryption-algorithm aes-gcm-256
[DeviceC-ike-proposal-10] dh group14
[DeviceC-ike-proposal-10] integrity-algorithm hmac-sha2-256
[DeviceC-ike-proposal-10] quit
```
Configure an IKE peer.
```
[DeviceC] ike peer a
[DeviceC-ike-peer-a] ike-proposal 10
[DeviceC-ike-peer-a] remote-address 1.1.1.1
[DeviceC-ike-peer-a] pre-shared-key Admin@456
[DeviceC-ike-peer-a] quit
```
Configure an IPsec policy.
```
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] proposal tran1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-peer a
[DeviceC-ipsec-policy-isakmp-map1-10] sa trigger-mode auto
[DeviceC-ipsec-policy-isakmp-map1-10] quit
```
By default, IPsec tunnel establishment is triggered by traffic. To have the negotiation that establishes the IPsec tunnel triggered automatically, run the sa trigger-mode auto command.
Apply the IPsec policy group to interface 10GE0/0/1.
```
[DeviceC] interface 10ge 0/0/1
[DeviceC-10GE0/0/1] ipsec policy map1
[DeviceC-10GE0/0/1] quit
```
Verifying the Configuration
After the configuration is complete, run the ping command on a device in the protected subnet of branch 1 and of branch 2 to trigger IKE negotiation.
If IKE negotiation succeeds, devices in the protected subnets at the two ends of the tunnel can ping each other; otherwise, IKE negotiation has failed.
Two pairs of IKE SAs and IPsec SAs can be seen on DeviceA at the headquarters.
```
<DeviceA> display ike sa
Total number of IKE SA in all CPU : 4
Total number of phase 1 SA in all CPU : 2
Total number of phase 2 SA in all CPU : 2
Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING

Slot 0, cpu 0
IKE SA information :
Number of IKE SA : 4, number of IKE SA1: 2, number of IKE SA2: 2
------------------------------------------------------------------------------------
Conn-ID     Peer             VPN   Flag(s)      Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------
83886142    2.2.2.2/500            RD|A         v2:2    IP           2.2.2.2
83886137    2.2.2.2/500            RD|A         v2:1    IP           2.2.2.2
134217773   3.3.3.3/500            RD|A         v2:2    IP           3.3.3.3
134217765   3.3.3.3/500            RD|A         v2:1    IP           3.3.3.3
------------------------------------------------------------------------------------
```
```
<DeviceA> display ipsec sa brief
Slot 0, cpu 0
IPSec SA information:
Src address     Dst address     SPI         VPN   Protocol   Algorithm
-------------------------------------------------------------------------------
1.1.1.1         2.2.2.2         16423687          ESP        E:AES-256-GCM-128
2.2.2.2         1.1.1.1         274624861         ESP        E:AES-256-GCM-128
1.1.1.1         3.3.3.3         7787885           ESP        E:AES-256-GCM-128
3.3.3.3         1.1.1.1         15539132          ESP        E:AES-256-GCM-128
Number of IPSec SA : 4
-------------------------------------------------------------------------------
Total number of IPSec SA in all CPU : 4
```
On DeviceB and DeviceC at the branches, IKE SAs and IPsec SAs whose peer is the headquarters can be seen. Taking DeviceB as an example, the following output indicates that the IKE SA and IPsec SA have been established successfully.
```
<DeviceB> display ike sa
Total number of IKE SA in all CPU : 2
Total number of phase 1 SA in all CPU : 1
Total number of phase 2 SA in all CPU : 1
Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING

Slot 0, cpu 0
IKE SA information :
Number of IKE SA : 2, number of IKE SA1: 1, number of IKE SA2: 1
------------------------------------------------------------------------------------
Conn-ID     Peer             VPN   Flag(s)      Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------
16782416    1.1.1.1/500            RD|ST|A      v2:2    IP           1.1.1.1
16782415    1.1.1.1/500            RD|ST|A      v2:1    IP           1.1.1.1
------------------------------------------------------------------------------------
```
```
<DeviceB> display ipsec sa brief
Slot 0, cpu 0
IPSec SA information:
Src address     Dst address     SPI         VPN   Protocol   Algorithm
-------------------------------------------------------------------------------
1.1.1.1         2.2.2.2         16423687          ESP        E:AES-256-GCM-128
2.2.2.2         1.1.1.1         274624861         ESP        E:AES-256-GCM-128
Number of IPSec SA : 2
-------------------------------------------------------------------------------
Total number of IPSec SA in all CPU : 2
```
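Checking the hub by eye works for two branches, but a tunnel is only usable when both the phase 1 and the phase 2 SA for that peer carry the RD (READY) flag, so an operator usually scripts the check. The following Python script is an added example, not part of the Huawei documentation: it parses the table of a `display ike sa` output in the layout shown above (VPN column empty, as here) and reports each expected branch as up or down. The sample output is constructed from the DeviceA table above plus an assumed extra peer 4.4.4.4 that is still negotiating.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `display ike sa` on the hub; the 4.4.4.4 row is an
# assumed extra peer stuck in NEG (negotiating) so the check has a failing case to report.
SAMPLE_IKE_SA = """\
 Conn-ID     Peer             VPN   Flag(s)      Phase   RemoteType   RemoteID
 ------------------------------------------------------------------------------------
 83886142    2.2.2.2/500            RD|A         v2:2    IP           2.2.2.2
 83886137    2.2.2.2/500            RD|A         v2:1    IP           2.2.2.2
 134217773   3.3.3.3/500            RD|A         v2:2    IP           3.3.3.3
 134217765   3.3.3.3/500            RD|A         v2:1    IP           3.3.3.3
 150000001   4.4.4.4/500            NEG|A        v2:1    IP           4.4.4.4
 ------------------------------------------------------------------------------------
"""

# Conn-ID, peer/port, optional VPN instance, flags, vN:phase, remote ID type, remote ID.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)/(\d+)\s+(?:(\S+)\s+)?([A-Z|]+)\s+v(\d):(\d)\s+(\S+)\s+(\S+)\s*$"
)


def parse_ike_sa(text):
    """Return {peer_ip: {phase_number: set_of_flags}} from a `display ike sa` table."""
    sas = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                      # header, separator and counter lines are skipped
            continue
        _conn, peer, _port, _vpn, flags, _ver, phase, _rtype, _rid = m.groups()
        sas[peer][int(phase)] = set(flags.split("|"))
    return dict(sas)


def tunnel_status(text, expected_peers):
    """Mark a branch 'up' only when its phase 1 and phase 2 SAs both carry RD (READY)."""
    sas = parse_ike_sa(text)
    status = {}
    for peer in expected_peers:
        phases = sas.get(peer, {})
        ready = all("RD" in phases.get(p, set()) for p in (1, 2))
        status[peer] = "up" if ready else "down"
    return status
```

A missing peer is reported as down just like a half-negotiated one, which is what a monitoring job wants after a hub reload or a pre-shared key change on one branch.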
Configuration Scripts
DeviceA
```
#
sysname DeviceA
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256-gcm-128
#
ike proposal 10
 encryption-algorithm aes-gcm-256
 dh group14
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike user-table 10
 user deviceb
  id-type ip 2.2.2.2
  pre-shared-key %+%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%+%#
 user devicec
  id-type ip 3.3.3.3
  pre-shared-key %+%#Z"m.4U|TGN$'4c7~m'7FFo\A9q-smXqS8B"w;=w~%+%#
#
ike peer b
 ike-proposal 10
 user-table 10
#
ipsec policy-template map_temp 1
 proposal tran1
 ike-peer b
#
ipsec policy map1 10 isakmp template map_temp
#
interface 10GE0/0/2
 ip address 10.1.0.1 255.255.255.0
#
interface 10GE0/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
return
```
DeviceB
```
#
sysname DeviceB
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256-gcm-128
#
ike proposal 10
 encryption-algorithm aes-gcm-256
 dh group14
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %+%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%+%#
 ike-proposal 10
 remote-address 1.1.1.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
 sa trigger-mode auto
#
interface 10GE0/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface 10GE0/0/1
 ip address 2.2.2.2 255.255.255.0
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
#
return
```
DeviceC
```
#
sysname DeviceC
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256-gcm-128
#
ike proposal 10
 encryption-algorithm aes-gcm-256
 dh group14
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %+%#Z"m.4U|TGN$'4c7~m'7FFo\A9q-smXqS8B"w;=w~%+%#
 ike-proposal 10
 remote-address 1.1.1.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
 sa trigger-mode auto
#
interface 10GE0/0/2
 ip address 10.1.2.1 255.255.255.0
#
interface 10GE0/0/1
 ip address 3.3.3.3 255.255.255.0
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.254
#
return
```