一、拓扑图
FW1作为Master设备与FW3建立IPSec隧道,FW2作为备份设备。
二、底层配置
R1:
接口IP地址、OSPF配置
sysname R1#interface GigabitEthernet0/0/0 ip address 10.1.1.1 255.255.255.0#interface GigabitEthernet0/0/1 ip address 10.1.121.1 255.255.255.0#interface GigabitEthernet0/0/2 ip address 10.1.131.1 255.255.255.0#ospf 1 area 0.0.0.0 network 10.1.0.0 0.0.255.255#
FW1:
接口配置IP地址、划分安全区域,配置OSPF并下放默认路由,
配置HRP,FW1为主设备,追踪下行接口状态
配置安全策略,放行USG本省发起的流量
配置静态路由
sysname FW1#hrp enablehrp interface GigabitEthernet1/0/1 remote 10.0.0.13 hrp track interface GigabitEthernet1/0/2#interface GigabitEthernet1/0/0 undo shutdown ip address 155.1.1.12 255.255.255.0#interface GigabitEthernet1/0/1 ip address 10.0.0.12 255.255.255.0 service-manage ping permit#interface GigabitEthernet1/0/2 undo shutdown ip address 10.1.121.12 255.255.255.0#firewall zone trust add interface GigabitEthernet1/0/2#firewall zone untrust add interface GigabitEthernet1/0/0#firewall zone dmz add interface GigabitEthernet1/0/1#ospf 1 default-route-advertise area 0.0.0.0 network 10.1.0.0 0.0.255.255#ip route-static 0.0.0.0 0.0.0.0 155.1.1.2#security-policy rule name local->any source-zone local action permit#
FW2:
接口配置IP地址、划分安全区域,配置OSPF并下放默认路由,
配置HRP,FW2为备设备
配置安全策略,放行USG本省发起的流量
配置静态路由
sysname FW2# hrp enable hrp standby-device hrp interface GigabitEthernet1/0/1 remote 10.0.0.12#interface GigabitEthernet1/0/0 undo shutdown ip address 155.1.1.13 255.255.255.0#interface GigabitEthernet1/0/1 undo shutdown ip address 10.0.0.13 255.255.255.0 service-manage ping permit#interface GigabitEthernet1/0/2 undo shutdown ip address 10.1.131.13 255.255.255.0#firewall zone dmz add interface GigabitEthernet1/0/1#ospf 1 default-route-advertise area 0.0.0.0 network 10.1.0.0 0.0.255.255#ip route-static 0.0.0.0 0.0.0.0 155.1.1.2#security-policy rule name local->any source-zone local action permit#
R2:
sysname R2#interface GigabitEthernet0/0/0 ip address 155.1.1.2 255.255.255.0#interface GigabitEthernet0/0/1 ip address 155.1.2.2 255.255.255.0#
FW3:
sysname FW3#interface GigabitEthernet1/0/0 undo shutdown ip address 155.1.2.14 255.255.255.0 ipsec policy POL1#interface GigabitEthernet1/0/1 undo shutdown ip address 10.1.2.14 255.255.255.0#firewall zone trust add interface GigabitEthernet1/0/1#firewall zone untrust add interface GigabitEthernet1/0/0#ip route-static 0.0.0.0 0.0.0.0 155.1.2.2#security-policy rule name local->any source-zone local action permit#
查看HRP状态
如果配置未同步,可以手动同步配置
hrp sync config
查看OSPF邻居状态及路由
三、配置VRRP
FW1作为Master,FW2作为Backup
FW1:
interface GigabitEthernet1/0/0 vrrp vrid 1 virtual-ip 155.1.1.254 active #
FW2:
interface GigabitEthernet1/0/0 vrrp vrid 1 virtual-ip 155.1.1.254 standby#
查看VRRP主备状态
四、配置IPSec VPN
注意FW1、FW2使用VRRP虚拟地址建立VPN,FW1为主,FW为备
在FW1上配置,会同步配置到FW2
FW1:
acl number 3000 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255#ipsec proposal PRO1 esp authentication-algorithm sha1 esp encryption-algorithm 3des#ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer FW3 pre-shared-key huawei@123 ike-proposal 10 dpd type periodic remote-address 155.1.2.14#ipsec policy POL1 10 isakmp security acl 3000 ike-peer FW3 proposal PRO1 tunnel local 155.1.1.254#interface GigabitEthernet1/0/0 ipsec policy POL1 master#
FW3:
acl number 3000 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255#ipsec proposal PRO1 esp authentication-algorithm sha1 esp encryption-algorithm 3des#ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer Hub pre-shared-key huawei@123 ike-proposal 10 dpd type periodic remote-address 155.1.1.254#ipsec policy POL1 10 isakmp security acl 3000 ike-peer Hub proposal PRO1#interface GigabitEthernet1/0/0 ipsec policy POL1 #
五、配置安全策略
放行IKE协商流量、ESP流量
放行主机互访的流量
FW1的安全策略会同步到FW2
FW1、FW3:
security-policy rule name vpn source-zone untrust destination-zone local service esp service protocol udp destination-port 500 action permit rule name in->out source-zone trust destination-zone untrust source-address 10.1.0.0 mask 255.255.0.0 destination-address 10.1.0.0 mask 255.255.0.0 action permit rule name out->in source-zone untrust destination-zone trust source-address 10.1.0.0 mask 255.255.0.0 destination-address 10.1.0.0 mask 255.255.0.0 action permit#
测试PC互访
查看IKE SA
此时FW1为VPN的主设备
查看IPSec SA
模拟故障
模拟下行链路故障
去掉FW1与R1的连线
PC1长pingPC2,故障期间丢失几个包后,流量恢复
查看HRP状态,FW2已成为主设备
查看IKE SA,FW1为VPN的备设备,FW2成为主设备,流量走FW2
开启防火墙的icmp超时发送,trace路径,可以看出此时流量走FW2设备
icmp ttl-exceeded send
上行链路故障也可以正常切换,与上面情况相似,此处不再赘述。
故障恢复后,HRP抢占延迟默认为60s。
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/8756.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
打赏
微信支付宝扫一扫,打赏作者吧~
休息一下~~