Huawei firewall GRE over IPSec [applies to point-to-point and point-to-multipoint]

The previous lab I shared was IPSec over GRE. Today's lab is route-based GRE over IPSec (the IPSec security framework, i.e. ipsec profile, method). There is also a security-policy (ipsec policy) based method, which I will post next time.
It applies to both point-to-point and point-to-multipoint scenarios.
Pitfall: in firewall-based IPSec VPN point-to-multipoint scenarios, the two most common deployment options are:
1. Headquarters uses a policy template to build multiple IPSec tunnels to the branches.
2. Headquarters uses an IPSec policy group to build multiple IPSec tunnels to the branches.
In the "over" scenario, however, neither option applies, because the configuration method is different. To get point-to-multipoint in the "over" scenario you have to piece it together from point-to-point configurations. For example, without "over", one headquarters with 10 branches can use a policy template and save a lot of configuration; once you add "over" to that 1-to-10 scenario, headquarters needs 10 sets of configuration: 1-1, 1-2, 1-3 ... 1-10. That is what my lab results show so far; in the previous IPSec over GRE lab I also had to write two sets.
Here is the lab.
On to the main course: the configuration.

sysname FW1

ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

ike peer all
pre-shared-key huawei@123
ike-proposal 1

ipsec profile fw2
ike-peer all
proposal 1
ipsec profile fw3
ike-peer all
proposal 1

interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.0.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.1 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 12.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source 100.1.12.1
destination 100.1.12.6
ipsec profile fw2

interface Tunnel1
ip address 22.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source 100.1.12.1
destination 100.1.12.10
ipsec profile fw3

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface Tunnel0
add interface Tunnel1

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

ip route-static 0.0.0.0 0.0.0.0 100.1.12.2
ip route-static 10.191.10.0 255.255.255.0 Tunnel0
ip route-static 10.191.20.0 255.255.255.0 Tunnel1

security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 10.191.10.0 mask 255.255.255.0
source-address 10.191.20.0 mask 255.255.255.0
destination-address 172.16.0.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
action permit

nat-policy
rule name no-ips
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
action source-nat easy-ip


sysname FW2

ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

ike peer fw1
pre-shared-key %%#)Z.#CKet>Feql,9H"c@,&5kz!q&CXXd6RrQKFDB%^%#
ike-proposal 1

ipsec profile ips
ike-peer fw1
proposal 1

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.10.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.6 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 12.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source 100.1.12.6
destination 100.1.12.1
ipsec profile ips

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

ip route-static 0.0.0.0 0.0.0.0 100.1.12.5
ip route-static 192.168.1.0 255.255.255.0 Tunnel0

security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 172.16.0.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action permit

nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 172.16.0.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action source-nat easy-ip


sysname FW3

ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

ike peer fw1
pre-shared-key huawei@123
ike-proposal 1

ipsec profile ips
ike-peer fw1
proposal 1

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.20.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.10 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 22.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source 100.1.12.10
destination 100.1.12.1
ipsec profile ips

firewall zone local
set priority 100

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

ip route-static 0.0.0.0 0.0.0.0 100.1.12.9
ip route-static 192.168.1.0 255.255.255.0 Tunnel0

security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 172.16.0.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action permit

nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 172.16.0.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action source-nat easy-ip

Verification
Headquarters pings the two branches.
Check the firewalls' IKE SAs.
The packet capture clearly shows that the packets are encrypted.
So how do we know whether the encrypted packets actually go through the tunnel?
Look at the IPSec SA: the interface shown is the tunnel interface, there is traffic in both the inbound and outbound directions, and the source/destination IPs match the packet capture one for one.
Careful readers will notice that in the route-based approach there is no interesting-traffic ACL in the IPSec configuration. That is right: traffic steering relies entirely on the outbound interface of the static routes, and restricting who can and cannot talk to whom is left to the firewall security policy.
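As an added example (not part of the original post and not Huawei code), the following Python resolves a destination address against the FW1 static routes and tunnel interfaces above to show that the route, not an interesting-traffic ACL, decides which GRE tunnel, and therefore which IPSec profile and peer, a packet uses; it also makes visible why each branch needs its own tunnel and profile. The config excerpt is a constructed subset of the FW1 configuration, and the function names are assumptions.

```python
import ipaddress
import re
# Constructed excerpt of the FW1 (HQ) config above: routes plus the GRE tunnels.
FW1_CONFIG = """
interface Tunnel0
 tunnel-protocol gre
 destination 100.1.12.6
 ipsec profile fw2
interface Tunnel1
 tunnel-protocol gre
 destination 100.1.12.10
 ipsec profile fw3
ip route-static 0.0.0.0 0.0.0.0 100.1.12.2
ip route-static 10.191.10.0 255.255.255.0 Tunnel0
ip route-static 10.191.20.0 255.255.255.0 Tunnel1
"""

def parse_tunnels(config):
    """Map tunnel name -> GRE peer address and the IPSec profile bound to it."""
    tunnels, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1] if "Tunnel" in line else None
            if current:
                tunnels[current] = {}
        elif current and line.startswith("destination "):
            tunnels[current]["peer"] = line.split()[1]
        elif current and line.startswith("ipsec profile "):
            tunnels[current]["profile"] = line.split()[2]
    return tunnels

def parse_routes(config):
    """Return [(network, exit)] where exit is a next-hop IP or an interface name."""
    routes = []
    for m in re.finditer(r"ip route-static (\S+) (\S+) (\S+)", config):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((net, m.group(3)))
    return routes

def resolve(dst, config):
    """Longest-prefix match picks the exit; a tunnel exit means GRE, then ESP to its peer."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in parse_routes(config) if ip in r[0]]
    if not matches:
        return None
    _, exit_ = max(matches, key=lambda r: r[0].prefixlen)
    tun = parse_tunnels(config).get(exit_)
    if tun is None:  # ordinary next hop: leaves in the clear (Easy-IP NAT on FW1)
        return {"exit": exit_, "encrypted": False}
    return {"exit": exit_, "encrypted": True, "peer": tun["peer"], "profile": tun["profile"]}
```

Because the security policy, not the route, is what limits which subnets may use a tunnel, a branch destination that is only reachable by a more specific static route will be encrypted even if no ACL mentions it.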
IPSec over GRE and GRE over IPSec each have their own advantages and disadvantages; neither is simply better than the other, so pick whichever suits you.


Reposted from blog.csdn.net/weixin_45650628/article/details/129677520