https://support.huawei.com/enterprise/zh/doc/EDOC1100317272/ee8570fe
https://www.bilibili.com/video/BV12pDAYpEtn
Networking requirements
As shown in Figure 5-59, an enterprise branch and its headquarters communicate over the public network, and both the branch and headquarters networks change frequently. The enterprise wants the traffic exchanged between the branch and headquarters to be protected, and it wants the IPSec configuration to be unaffected by those network changes.
Because the branch and headquarters communicate over the public network, an IPSec tunnel can be established between the branch gateway RouterA and the headquarters gateway RouterB to protect that traffic.
Because the branch and headquarters networks change frequently, the IPSec tunnel can be established using virtual tunnel interfaces: each side only needs to define the local subnets that IPSec must protect and its own interface address.
Configuration roadmap
Use the following roadmap to establish the IPSec tunnel through a virtual tunnel template interface:
1. Configure IP addresses on the interfaces and static routes to the peer, so that the two public-network addresses are reachable from each other.
2. Configure an ACL to define the local subnets that IPSec must protect.
3. Configure an AAA service scheme to define the local subnet information and interface address that IPSec pushes to the peer.
4. Configure an IPSec proposal to define how IPSec protects the traffic.
5. Configure IKE peers to define the attributes used during IKE negotiation between the peers.
6. Configure an IPSec profile that references the IPSec proposal and the IKE peer, determining which data flows receive which kind of protection.
7. Apply the IPSec profile to the Tunnel-Template interface at headquarters and to the Tunnel interface at the branch, so that these interfaces protect traffic with IPSec.
Procedure
1. Configure interface IP addresses and static routes to the peer on RouterA and RouterB.
# Configure interface IP addresses on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
# Configure a static route to the peer on RouterA. This example assumes that the next-hop address toward the peer is 1.1.1.2.
[RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
# Configure interface IP addresses on RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure a static route to the peer on RouterB. This example assumes that the next-hop address toward the peer is 2.1.1.2.
[RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
2. Configure ACLs to define the local subnets that IPSec must protect.
# On RouterA, configure an ACL that matches traffic sourced from 10.1.1.0/24.
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255
[RouterA-acl-adv-3001] quit
# On RouterB, configure an ACL that matches traffic sourced from 10.1.2.0/24.
[RouterB] acl number 3001
[RouterB-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255
[RouterB-acl-adv-3001] quit
3. Configure AAA service schemes to define the local subnet route resources that IPSec pushes to the peer.
# On RouterA, use the AAA service scheme to configure the subnet route resources to be pushed.
[RouterA] aaa
[RouterA-aaa] service-scheme schemetest
[RouterA-aaa-service-schemetest] route set acl 3001
[RouterA-aaa-service-schemetest] route set interface
[RouterA-aaa-service-schemetest] quit
[RouterA-aaa] quit
# On RouterB, use the AAA service scheme to configure the subnet route resources to be pushed.
[RouterB] aaa
[RouterB-aaa] service-scheme schemetest
[RouterB-aaa-service-schemetest] route set acl 3001
[RouterB-aaa-service-schemetest] route set interface
[RouterB-aaa-service-schemetest] quit
[RouterB-aaa] quit
4. Create IPSec proposals on RouterA and RouterB.
# Configure an IPSec proposal on RouterA.
[RouterA] ipsec proposal prop1
[RouterA-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-prop1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-prop1] quit
# Configure an IPSec proposal on RouterB.
[RouterB] ipsec proposal prop1
[RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-prop1] quit
At this point, running display ipsec proposal on RouterA and RouterB displays the configured information.
5. Configure IKE peers on RouterA and RouterB.
# Configure an IKE proposal on RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit
# Configure an IKE peer on RouterA.
[RouterA] ike peer peer2
[RouterA-ike-peer-peer2] undo version 1
[RouterA-ike-peer-peer2] ike-proposal 5
[RouterA-ike-peer-peer2] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-peer2] service-scheme schemetest
[RouterA-ike-peer-peer2] config-exchange request
[RouterA-ike-peer-peer2] config-exchange set accept
[RouterA-ike-peer-peer2] config-exchange set send
[RouterA-ike-peer-peer2] route accept
[RouterA-ike-peer-peer2] quit
# Configure an IKE proposal on RouterB.
[RouterB] ike proposal 5
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit
# Configure an IKE peer on RouterB.
[RouterB] ike peer peer2
[RouterB-ike-peer-peer2] undo version 1
[RouterB-ike-peer-peer2] ike-proposal 5
[RouterB-ike-peer-peer2] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-peer2] service-scheme schemetest
[RouterB-ike-peer-peer2] config-exchange set accept
[RouterB-ike-peer-peer2] config-exchange set send
[RouterB-ike-peer-peer2] route accept
[RouterB-ike-peer-peer2] quit
6. Create IPSec profiles on RouterA and RouterB.
# Configure an IPSec profile on RouterA.
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] proposal prop1
[RouterA-ipsec-profile-profile1] ike-peer peer2
[RouterA-ipsec-profile-profile1] quit
# Configure an IPSec profile on RouterB.
[RouterB] ipsec profile profile1
[RouterB-ipsec-profile-profile1] proposal prop1
[RouterB-ipsec-profile-profile1] ike-peer peer2
[RouterB-ipsec-profile-profile1] quit
7. Apply the respective IPSec profiles to the interfaces on RouterA and RouterB.
# Apply the IPSec profile to the interface on RouterA.
[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet1/0/0
[RouterA-Tunnel0/0/0] destination 2.1.1.1
[RouterA-Tunnel0/0/0] ipsec profile profile1
[RouterA-Tunnel0/0/0] quit
# Apply the IPSec profile to the interface on RouterB.
[RouterB] interface loopback0
[RouterB-LoopBack0] ip address 192.168.1.2 255.255.255.255
[RouterB-LoopBack0] quit
[RouterB] interface tunnel-template 0
[RouterB-Tunnel-Template0] ip address unnumbered interface loopback0
[RouterB-Tunnel-Template0] tunnel-protocol ipsec
[RouterB-Tunnel-Template0] source gigabitethernet1/0/0
[RouterB-Tunnel-Template0] ipsec profile profile1
[RouterB-Tunnel-Template0] quit
# At this point, running display ipsec profile on RouterA and RouterB displays the configured information.
Verifying the configuration
# After the configuration is complete, running display ike sa on RouterA and RouterB displays the IKE SA information. RouterA is used as an example.
[RouterA] display ike sa
IKE SA information :
Conn-ID  Peer         VPN  Flag(s)  Phase  RemoteType  RemoteID
--------------------------------------------------------------------------------
16       2.1.1.1:500       RD|ST    v1:2   IP          2.1.1.1
14       2.1.1.1:500       RD|ST    v1:1   IP          2.1.1.1
Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP   M--ACTIVE   S--STANDBY   A--ALONE
NEG--NEGOTIATING
# After the configuration is complete, running display ip routing-table on RouterA and RouterB displays the routing information. Only the subnet routes successfully pushed in this example are listed below.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         Unr     0    0         D     192.168.1.2     Tunnel0/0/0
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         Unr     62   0         RD    192.168.1.1     Tunnel-Template0
Configuration files
Configuration file of RouterA
#
 sysname RouterA
#
 acl number 3001
  rule 5 permit ip source 10.1.1.0 0.0.0.255
#
 ipsec proposal prop1
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-128
#
 ike proposal 5
  encryption-algorithm aes-128
  dh group14
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
 ike peer peer2
  undo version 1
  pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
  ike-proposal 5
  service-scheme schemetest
  route accept
  config-exchange request
  config-exchange set accept
  config-exchange set send
#
 ipsec profile profile1
  ike-peer peer2
  proposal prop1
#
 aaa
  service-scheme schemetest
   route set acl 3001
   route set interface
#
 interface GigabitEthernet1/0/0
  ip address 1.1.1.1 255.255.255.0
#
 interface Tunnel0/0/0
  ip address 192.168.1.1 255.255.255.0
  tunnel-protocol ipsec
  source GigabitEthernet1/0/0
  destination 2.1.1.1
  ipsec profile profile1
#
 interface GigabitEthernet2/0/0
  ip address 10.1.1.1 255.255.255.0
#
 ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 acl number 3001
  rule 5 permit ip source 10.1.2.0 0.0.0.255
#
 ipsec proposal prop1
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-128
#
 ike proposal 5
  encryption-algorithm aes-128
  dh group14
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
#
 ike peer peer2
  undo version 1
  pre-shared-key cipher %^%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%^%#
  ike-proposal 5
  service-scheme schemetest
  route accept
  config-exchange set accept
  config-exchange set send
#
 ipsec profile profile1
  ike-peer peer2
  proposal prop1
#
 aaa
  service-scheme schemetest
   route set acl 3001
   route set interface
#
 interface GigabitEthernet1/0/0
  ip address 2.1.1.1 255.255.255.0
#
 interface GigabitEthernet2/0/0
  ip address 10.1.2.1 255.255.255.0
#
 interface Tunnel-Template0
  ip address unnumbered interface LoopBack0
  tunnel-protocol ipsec
  source GigabitEthernet1/0/0
  ipsec profile profile1
#
 interface LoopBack0
  ip address 192.168.1.2 255.255.255.255
#
 ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
#
return
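As an added offline check (not part of the Huawei documentation or of any Huawei tool), the following Python script parses constructed excerpts of the two configuration files above and flags the mismatches that would make the IKEv2 negotiation or the route push fail: IKE or IPSec proposals that differ between the two ends, config-exchange request present on both peers or on neither, and a peer that lacks route accept. The excerpt strings, the VRP section parser and the function names are assumptions made for this example.

```python
# Added check, not Huawei tooling: constructed excerpts of the two config files above.
PROPOSALS = """#
 ipsec proposal prop1
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-128
#
 ike proposal 5
  encryption-algorithm aes-128
  dh group14
"""
ROUTER_A = PROPOSALS + """#
 ike peer peer2
  ike-proposal 5
  route accept
  config-exchange request
"""
ROUTER_B = PROPOSALS + """#
 ike peer peer2
  ike-proposal 5
  route accept
"""

def parse_sections(cfg):
    """Map each '#'-delimited VRP section header to its stripped command lines."""
    sections, key = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line in ("#", ""):
            key = None          # a bare '#' closes the current section
        elif key is None:
            key, sections[line] = line, []
        else:
            sections[key].append(line)
    return sections

def check_peers(cfg_a, cfg_b):
    """Return mismatch descriptions for initiator A / responder B; [] means consistent."""
    a, b, problems = parse_sections(cfg_a), parse_sections(cfg_b), []
    for name in ("ike proposal 5", "ipsec proposal prop1"):  # algorithms must match end to end
        if set(a.get(name, [])) != set(b.get(name, [])):
            problems.append(f"{name} differs between the two routers")
    pa, pb = a.get("ike peer peer2", []), b.get("ike peer peer2", [])
    # Only the initiator (RouterA, the side with a tunnel destination) requests the exchange.
    if ("config-exchange request" in pa) == ("config-exchange request" in pb):
        problems.append("exactly one peer (the initiator) should carry 'config-exchange request'")
    for side, peer in (("RouterA", pa), ("RouterB", pb)):
        if "route accept" not in peer:  # without it, routes pushed by the peer are not installed
            problems.append(f"{side} lacks 'route accept'; pushed routes would not be installed")
    return problems
```

Running check_peers against the full configuration files is the same call with the complete file contents; a non-empty result lists what to fix before expecting the display ike sa output shown above.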