总部与分支机构之间建立点到点IPSec ***（预共享密钥认证）

2020-12-05 23:51:08 阅读：217 来源： 互联网

标签：zone 点到点 rule NGFW 密钥 policy security IPSec ipsec

组网需求

如图1所示，网络A和网络B通过NGFW_A和NGFW_B连接到Internet，NGFW_A和NGFW_B公网路由可达。现需要在NGFW_A和NGFW_B之间建立IKE方式的IPSec隧道，使网络A和网络B的用户可通过IPSec隧道安全互访。

图1 IKE协商方式的点到点IPSec隧道举例组网图

数据规划

配置思路

NGFW_A和NGFW_B的配置思路相同。

1. 配置接口IP地址并将接口加入到安全区域。

2. 配置安全策略。

3. 配置到对端内网的路由。

4. 配置IPSec策略。包括配置IPSec策略的基本信息、配置待加密的数据流、配置安全提议的协商参数。

操作步骤

· 配置NGFW_A（总部）。

1. 配置接口IP地址。

<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

2. 配置接口加入相应安全区域。

[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

3. 配置安全策略。

a. 配置Trust域与Untrust域的安全策略，允许封装前和解封后的报文能通过NGFW_A。

[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit

b. 配置Local域与Untrust域的安全策略，允许IKE协商报文能正常通过NGFW_A。

[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit

4. 配置到达对端私网的路由。假设NGFW_A通往NGFW_B侧的下一跳设备的IP地址为1.1.3.2。

[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2

5. 配置NGFW_A的IPSec隧道。

a. 配置访问控制列表，定义需要保护的数据流。

[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit

b. 配置序号为10的IKE安全提议。

[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit

c. 配置IKE Peer。

[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit

d. 配置名称为tran1的IPSec安全提议。

[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit

e. 配置IPSec安全策略组map1。

[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit

f. 在出接口GigabitEthernet 1/0/1上应用安全策略组map1。

[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit

· 配置NGFW_B（分支）。

1. 配置接口IP地址。

<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

2. 配置接口加入相应安全区域。

[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit

3. 配置安全策略。

a. 配置Trust域与Untrust域的安全策略，允许封装前和解封后的报文能通过NGFW_B。

[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit

b. 配置Local域与Untrust域的安全策略，允许IKE协商报文能正常通过NGFW_B。

[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit

4. 配置到达对端私网的路由。假设NGFW_B通往NGFW_A侧的下一跳设备的IP地址为1.1.5.2。

[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2

5. 配置NGFW_B的IPSec隧道。

a. 配置访问控制列表，定义需要保护的数据流。

[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit

b. 配置序号为10的IKE安全提议。

[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit

c. 配置IKE Peer。

[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit

d. 配置名称为tran1的IPSec安全提议。

[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit

e. 配置IPSec安全策略组map1。

[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit

f. 在出接口GigabitEthernet 1/0/1上应用安全策略组map1。

[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit

结果验证

1. 配置成功后，在NGFW_A上执行display ike sa命令，查看IKE安全联盟的建立情况，出现以下显示说明IKE安全联盟建立成功。

[NGFW_A] display ike sa
current ike sa number: 2
---------------------------------------------------------------------------
conn-id    peer                                flag          phase ***
---------------------------------------------------------------------------
3          1.1.5.1                             RD|ST|A       v1:2  public
2          1.1.5.1                             RD|ST|A       v1:1  public
  flag meaning
  RD--READY     ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING  NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE

2. 在NGFW_A上执行display ipsec sa命令，查看IPSec安全联盟的建立情况，出现以下显示说明IPSec安全联盟建立成功。

[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
    path MTU: 1500
===============================
                           
  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  ***: 0
  -----------------------------
    connection id: 3
  rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 0m 12s
    tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
    flow      source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 10.1.2.0/255.255.255.0 0/0
                           
    [inbound ESP SAs]
      spi: 3715780278 (0xdd7a4eb6)
    ***: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 1843200/3588
      max received sequence-number: 1
      udp encapsulation used for nat traversal: N
                           
  [outbound ESP SAs]
     spi: 3312146193 (0xc56b5711)
      ***: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 1843200/3588
      max sent sequence-number: 1
     udp encapsulation used for nat traversal: N

配置脚本

· NGFW_A（总部）的配置脚本

#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
 ike-proposal 10
 undo version 2
 remote-address 1.1.5.1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 alias map1_10
 proposal tran1
#
interface GigabitEthernet1/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1 auto-neg
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
 add interface GigabitEthernet1/0/1
#
 ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
  rule name policy_ipsec_1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    destination-address 10.1.2.0 24
    action permit
  rule name policy_ipsec_2
    source-zone untrust
    destination-zone trust
    source-address 10.1.2.0 24
    destination-address 10.1.1.0 24
    action permit
  rule name policy_ipsec_3
    source-zone local
    destination-zone untrust
    source-address 1.1.3.1 32
    destination-address 1.1.5.1 32
    action permit
  rule name policy_ipsec_4
    source-zone untrust
    destination-zone local
    source-address 1.1.5.1 32
    destination-address 1.1.3.1 32
    action permit

· NGFW_B（分支）的配置脚本

#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer a
 pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
 ike-proposal 10
 undo version 2
 remote-address 1.1.3.1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/3
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1 auto-neg
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
 ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
  rule name policy_ipsec_1
    source-zone trust
    destination-zone untrust
    source-address 10.1.2.0 24
    destination-address 10.1.1.0 24
    action permit
  rule name policy_ipsec_2
    source-zone untrust
    destination-zone trust
    source-address 10.1.1.0 24
    destination-address 10.1.2.0 24
    action permit
  rule name policy_ipsec_3
    source-zone local
    destination-zone untrust
    source-address 1.1.5.1 32
    destination-address 1.1.3.1 32
    action permit
  rule name policy_ipsec_4
    source-zone untrust
    destination-zone local
    source-address 1.1.3.1 32
    destination-address 1.1.5.1 32
    action permit

标签：zone,点到点,rule,NGFW,密钥,policy,security,IPSec,ipsec
来源： https://blog.51cto.com/15047489/2560399

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

ICode9

总部与分支机构之间建立点到点IPSec ***（预共享密钥认证）

配置思路

操作步骤

结果验证

配置脚本