Simulation environment: eNSP
Preamble: I tried to configure this lab from the command line for a week without getting it to work, so I fell back to configuring it through the web UI and studying the generated configuration; that is how this write-up came about.
This article was written after the simulation succeeded, by analysing the generated configuration. Some of the configuration has been tidied up for presentation, so it may contain bugs.
The network topology is as follows:
-
Carrier (ISP) internal network
- This is not the focus of this lab; OSPF is used here only so that routes inside the carrier network are reachable
-
AR1 configuration
sysname AR1
interface GigabitEthernet0/0/0
 ip address 100.1.1.2 24
interface GigabitEthernet0/0/1
 ip address 118.122.120.1 24
interface LoopBack0
 ip address 11.11.11.11 32
ospf 1 router-id 11.11.11.11
 area 0.0.0.0
  network 100.1.1.2 0.0.0.0
  network 118.122.120.0 0.0.0.255

AR2 configuration
sysname AR2
interface GigabitEthernet0/0/1
 ip address 100.1.1.1 24
interface GigabitEthernet0/0/2
 ip address 200.1.1.1 24
interface LoopBack0
 ip address 22.22.22.22 32
ospf 1 router-id 22.22.22.22
 area 0.0.0.0
  network 100.1.1.1 0.0.0.0
  network 200.1.1.1 0.0.0.0

AR3 configuration
sysname AR3
interface GigabitEthernet0/0/0
 ip address 200.1.1.2 24
interface GigabitEthernet0/0/1
 ip address 101.207.142.1 24
interface LoopBack0
 ip address 33.33.33.33 32
ospf 1 router-id 33.33.33.33
 area 0.0.0.0
  network 200.1.1.2 0.0.0.0
  network 101.207.142.0 0.0.0.255   // the original read 0.0.0.254, a wildcard that does not cover 101.207.142.1; 0.0.0.255 covers the whole /24
-
Configure the firewall interfaces
-
Company A firewall (ping, HTTP and HTTPS management services enabled on every interface)

| Interface | IP/MAC address | Security zone | Peer |
| --- | --- | --- | --- |
| GE 0/0/0 | 192.168.0.1/24 | trust | Management PC |
| GE 1/0/0 | 118.122.120.83/24 | untrust | Internet |
| GE 1/0/1 | 10.1.1.1/24 | trust | Internal PC |
| GE 1/0/2 | 10.1.2.1/24 | DMZ | Server (reachable from inside and outside) |

Company B firewall (ping, HTTP and HTTPS management services enabled on every interface)

| Interface | IP/MAC address | Security zone | Peer |
| --- | --- | --- | --- |
| GE 0/0/0 | 192.168.0.1/24 | trust | Management PC |
| GE 1/0/0 | 101.207.142.18/24 | untrust | Internet |
| GE 1/0/1 | 10.2.1.1/24 | trust | Internal PC |
| GE 1/0/2 | 10.2.2.1/24 | trust | Internal client |
-
Web configuration:
The generated configuration is as follows:

Company A firewall:
interface GigabitEthernet0/0/0   // management interface, used to log in to the web UI
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit    // HTTP service
 service-manage https permit   // HTTPS service
 service-manage ping permit    // ping service
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 118.122.120.83 255.255.255.0
 alias 外网
 service-manage http permit    // management services are left open on the Internet-facing interface for this lab only; outside a lab, keep them on the management interface
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 alias 内网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
 alias 服务器
 service-manage http permit
 service-manage https permit
 service-manage ping permit

Company B firewall:
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 101.207.142.18 255.255.255.0
 alias 外网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
 alias 内网
 service-manage http permit
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.2.2.1 255.255.255.0
 alias 客户端
 service-manage http permit
 service-manage https permit
 service-manage ping permit

Add each firewall interface to its security zone:

Company A firewall:
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1   // internal PC1
firewall zone untrust
 add interface GigabitEthernet1/0/0   // Internet
firewall zone dmz
 add interface GigabitEthernet1/0/2   // server

Company B firewall:
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1   // internal PC2
 add interface GigabitEthernet1/0/2   // internal client
firewall zone untrust
 add interface GigabitEthernet1/0/0   // Internet
Create the GRE tunnel interface

| GRE tunnel interface | Company A | Company B |
| --- | --- | --- |
| Interface name | gre-ipsec | gre-ipsec |
| Security zone | untrust | untrust |
| IP/MAC address | 192.168.168.1/24 | 192.168.168.2/24 |
| Local (public) IP address | 118.122.120.83 | 101.207.142.18 |
| Peer (public) IP address | 101.207.142.18 | 118.122.120.83 |

Web configuration
The generated configuration is as follows:

Company A firewall:
interface Tunnel0
 ip address 192.168.168.1 255.255.255.0   // the interface comes up (UP) once it is addressed and the endpoints below are set
 tunnel-protocol gre          // tunnel protocol
 source 118.122.120.83        // source address
 destination 101.207.142.18   // destination address
 alias gre-ipsec              // alias
 undo service-manage enable

Company B firewall:
interface Tunnel0
 ip address 192.168.168.2 255.255.255.0
 tunnel-protocol gre
 source 101.207.142.18
 destination 118.122.120.83
 alias gre-ipsec
 undo service-manage enable

Add the tunnel interface to its security zone (the same on both firewalls):
firewall zone untrust
 add interface Tunnel0
Create the IPsec security policy

| IPsec security policy | Company A | Company B |
| --- | --- | --- |
| IPsec scenario (default: Site to Site) | | |
| Scenario | Point-to-point | Point-to-point |
| IPsec policy basic settings | | |
| Policy name | gre-ipsec | gre-ipsec |
| Local (public) interface | GE 1/0/0 | GE 1/0/0 |
| Local (public) address | 118.122.120.83 | 101.207.142.18 |
| Peer (public) address | 101.207.142.18 | 118.122.120.83 |
| Authentication method | Pre-shared key | Pre-shared key |
| Authentication key (password) | huawei@123 | huawei@123 |
| Local ID | 118.122.120.83 | 101.207.142.18 |
| Peer ID (IP) | 101.207.142.18 | 118.122.120.83 |
| Traffic to be encrypted by IPsec | | |
| Source address | 118.122.120.83 | 101.207.142.18 |
| Destination address | 101.207.142.18 | 118.122.120.83 |
| Action | Encrypt | Encrypt |
| IPsec proposal (must be identical on both sides; the default is used here) | | |

Web configuration:
IPsec policy basic settings:
Traffic to be encrypted by IPsec:
IPsec proposal (the default is selected here)
The generated configuration is as follows:
Create the IKE proposal (default settings):

Company A firewall:
ike proposal 1                        // must be created; default settings
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

Company B firewall:
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

Create the IKE peer: set the pre-shared key, apply the IKE proposal, and specify the local and remote ends:

Company A firewall:
ike peer ike2049354776
 exchange-mode auto
 pre-shared-key huawei@123            // pre-shared key; in the real generated configuration it appears as ciphertext
 ike-proposal 1                       // bind the IKE proposal
 remote-id-type ip                    // peer ID type
 remote-id 101.207.142.18             // peer ID
 local-id 118.122.120.83              // local ID
 dpd type periodic
 remote-address 101.207.142.18        // peer address

Company B firewall:
ike peer ike20410038931
 exchange-mode auto
 pre-shared-key huawei@123
 ike-proposal 1
 remote-id-type ip
 remote-id 118.122.120.83
 local-id 101.207.142.18
 dpd type periodic
 remote-address 118.122.120.83

Define the interesting traffic (an advanced ACL; the source is the local public address and the destination is the peer's public address, i.e. the GRE outer packets):

Company A firewall:
acl number 3000
 rule 5 permit ip source 118.122.120.83 0.0.0.0 destination 101.207.142.18 0.0.0.0

Company B firewall:
acl number 3000
 rule 5 permit ip source 101.207.142.18 0.0.0.0 destination 118.122.120.83 0.0.0.0

Create the IPsec proposal (default settings):

Company A firewall:
ipsec proposal prop2049354776         // must be created
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

Company B firewall:
ipsec proposal prop20410038931
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

Create the IPsec policy, applying the interesting-traffic ACL, the IKE peer and the IPsec proposal:

Company A firewall:
ipsec policy ipsec2049354676 1 isakmp   // must be created
 security acl 3000
 ike-peer ike2049354776               // bind the IKE peer
 proposal prop2049354776              // bind the IPsec proposal
 tunnel local applied-interface
 alias gre-ipsec
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600

Company B firewall:
ipsec policy ipsec2041003883 1 isakmp
 security acl 3000
 ike-peer ike20410038931
 proposal prop20410038931
 tunnel local applied-interface
 alias gre-ipsec
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600

Bind the IPsec policy to the outbound public interface:

Company A firewall:
interface GigabitEthernet1/0/0
 ipsec policy ipsec2049354676         // bind the IPsec policy

Company B firewall:
interface GigabitEthernet1/0/0
 ipsec policy ipsec2041003883
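Every parameter above has a mirror image on the other firewall, and a single transposed address or a key that differs by one character is enough to keep IKE from ever completing. As an added check that is not part of the original write-up or of the firewall software, the Python script below parses the relevant lines of both generated configurations (embedded as constructed strings holding the values from this page) and reports every place where the two sides fail to mirror each other, where the ACL does not cover that side's own GRE endpoints, or where a name referenced inside the IPsec policy is not defined. The parser is written for this example only; it understands the one-space-indented layout used here and is not a general VRP parser.

```python
"""Mirror-consistency check for the GRE-over-IPsec pair above (added example, not the firewall's code)."""
import re

# Constructed copies of the lines that matter, taken from the generated configuration on this page
FW_A = """
interface Tunnel0
 source 118.122.120.83
 destination 101.207.142.18
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
ike peer ike2049354776
 pre-shared-key huawei@123
 remote-id 101.207.142.18
 local-id 118.122.120.83
 remote-address 101.207.142.18
acl number 3000
 rule 5 permit ip source 118.122.120.83 0.0.0.0 destination 101.207.142.18 0.0.0.0
ipsec proposal prop2049354776
 esp encryption-algorithm aes-256
ipsec policy ipsec2049354676 1 isakmp
 security acl 3000
 ike-peer ike2049354776
 proposal prop2049354776
"""
FW_B = """
interface Tunnel0
 source 101.207.142.18
 destination 118.122.120.83
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
ike peer ike20410038931
 pre-shared-key huawei@123
 remote-id 118.122.120.83
 local-id 101.207.142.18
 remote-address 118.122.120.83
acl number 3000
 rule 5 permit ip source 101.207.142.18 0.0.0.0 destination 118.122.120.83 0.0.0.0
ipsec proposal prop20410038931
 esp encryption-algorithm aes-256
ipsec policy ipsec2041003883 1 isakmp
 security acl 3000
 ike-peer ike20410038931
 proposal prop20410038931
"""


def parse(config: str) -> dict:
    """Minimal parser for this indented layout: {top-level line: [indented sub-lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        else:
            sections[current].append(raw.strip())
    return sections


def section(cfg: dict, prefix: str) -> list:
    """Sub-lines of the first section whose header starts with prefix."""
    return next(body for header, body in cfg.items() if header.startswith(prefix))


def arg(body: list, keyword: str) -> str:
    """Argument text of the first sub-line that begins with keyword."""
    return next(l[len(keyword):].strip() for l in body if l.startswith(keyword + " "))


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return mismatch descriptions; an empty list means the two sides mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    ta, tb = section(a, "interface Tunnel"), section(b, "interface Tunnel")
    pa, pb = section(a, "ike peer"), section(b, "ike peer")
    checks = [
        (arg(ta, "source") == arg(tb, "destination"), "A tunnel source != B tunnel destination"),
        (arg(ta, "destination") == arg(tb, "source"), "A tunnel destination != B tunnel source"),
        (arg(pa, "local-id") == arg(pb, "remote-id"), "A local-id != B remote-id"),
        (arg(pb, "local-id") == arg(pa, "remote-id"), "B local-id != A remote-id"),
        (arg(pa, "remote-address") == arg(tb, "source"), "A remote-address != B public address"),
        (arg(pb, "remote-address") == arg(ta, "source"), "B remote-address != A public address"),
        (arg(pa, "pre-shared-key") == arg(pb, "pre-shared-key"), "pre-shared keys differ"),
        (sorted(section(a, "ike proposal")) == sorted(section(b, "ike proposal")), "IKE proposals differ"),
        (sorted(section(a, "ipsec proposal")) == sorted(section(b, "ipsec proposal")), "IPsec proposals differ"),
    ]
    for side, cfg, tun in (("A", a, ta), ("B", b, tb)):
        # The interesting traffic must be exactly this side's GRE outer packets (local -> peer public address)
        m = re.search(r"source (\S+) \S+ destination (\S+)", arg(section(cfg, "acl number"), "rule"))
        checks.append((m is not None and m.groups() == (arg(tun, "source"), arg(tun, "destination")),
                       f"{side}: ACL does not cover its own GRE endpoints"))
        # Every name the IPsec policy references must be defined on the same firewall
        pol = section(cfg, "ipsec policy")
        for key, prefix in (("ike-peer", "ike peer "), ("proposal", "ipsec proposal "), ("security acl", "acl number ")):
            checks.append((prefix + arg(pol, key) in cfg, f"{side}: {key} {arg(pol, key)} is not defined"))
    return [msg for ok, msg in checks if not ok]


if __name__ == "__main__":
    print(check_pair(FW_A, FW_B) or ["both sides mirror each other"])
    # A deliberately broken copy of B's key shows what a mismatch report looks like
    print(check_pair(FW_A, FW_B.replace("pre-shared-key huawei@123", "pre-shared-key huawei@321")))
```

Run it once against the two real configurations before starting to debug IKE on the firewall itself; in the author's week of CLI attempts, a check like this would have pointed straight at any transposed address or mismatched proposal.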
Configure static routes

| Static route | Company A | Company B |
| --- | --- | --- |
| Default static route | | |
| Destination | 0.0.0.0/0 | 0.0.0.0/0 |
| Outbound interface | GE 1/0/0 | GE 1/0/0 |
| Next hop | 118.122.120.1 | 101.207.142.1 |
| Peer company's internal network | | |
| Destination | 10.2.1.0/24 | 10.1.1.0/24 |
| Outbound interface | gre-to-ipsec | gre-to-ipsec |
| Next hop | (none) | (none) |
| Peer company's internal network | | |
| Destination | 10.2.2.0/24 | 10.1.2.100/32 |
| Outbound interface | gre-to-ipsec | gre-to-ipsec |
| Next hop | (none) | (none) |

Web configuration:
The generated configuration is as follows:

Company A firewall:
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 118.122.120.1 description 默认静态路由
ip route-static 10.2.1.0 255.255.255.0 Tunnel0 description 访问 FW2 内网
ip route-static 10.2.2.0 255.255.255.0 Tunnel0 description 访问 FW2 内网

Company B firewall:
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 101.207.142.1 description 默认静态路由
ip route-static 10.1.1.0 255.255.255.0 Tunnel0 description 访问 FW1 内网
ip route-static 10.1.2.100 255.255.255.255 Tunnel0 description 访问 FW1 内网服务器
Create address groups
(Optional; done here to make the web UI easier to work with)
Web configuration:
The generated configuration is as follows (identical on the Company A and Company B firewalls):
ip address-set "FW1 外网接口地址" type group
 address 0 118.122.120.83 mask 32
ip address-set "FW1 内网地址" type group
 address 0 10.1.1.0 mask 24
ip address-set "FW1 内网服务器" type group
 address 0 10.1.2.100 mask 32
ip address-set "FW2 外网接口地址" type group
 address 0 101.207.142.18 mask 32
ip address-set "FW2 内网地址" type group
 address 0 10.2.1.0 mask 24
 address 1 10.2.2.0 mask 24
Configure security policies
Web configuration:
The generated configuration is as follows:

Security policy for the IPsec negotiation traffic itself:

Company A firewall:
security-policy
 rule name gre-ipsec
  description IPSEC 自协商报文交互
  policy logging
  session logging
  traffic logging enable
  source-zone local trust untrust        // several security zones in one rule
  destination-zone local trust untrust
  source-address address-set "FW1 外网接口地址"
  source-address address-set "FW2 外网接口地址"
  destination-address address-set "FW1 外网接口地址"
  destination-address address-set "FW2 外网接口地址"
  action permit

Company B firewall:
security-policy
 rule name gre-ipsec
  description IPSEC 自协商报文交互
  policy logging
  session logging
  traffic logging enable
  source-zone local trust untrust
  destination-zone local trust untrust
  source-address address-set "FW1 外网接口地址"
  source-address address-set "FW2 外网接口地址"
  destination-address address-set "FW1 外网接口地址"
  destination-address address-set "FW2 外网接口地址"
  action permit

Security policy for internal hosts accessing the Internet:

Company A firewall:
 rule name to-Internet
  description 访问互联网
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address address-set "FW1 内网地址"
  action permit

Company B firewall:
 rule name to-Internet
  description 访问互联网
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address address-set "FW2 内网地址"
  action permit

Security policy for external access to the internal network (at Company A the server also needs to reach the internal network):

Company A firewall:
 rule name to-trust
  description 访问内网
  policy logging
  session logging
  traffic logging enable
  source-zone dmz untrust
  destination-zone trust
  destination-address address-set "FW1 内网地址"
  action permit

Company B firewall:
 rule name to-trust
  description 访问内网
  policy logging
  session logging
  traffic logging enable
  source-zone untrust
  destination-zone trust
  destination-address address-set "FW2 内网地址"
  action permit

Company A has a policy for internal and external access to the server; Company B has no server (no DMZ):

Company A firewall:
 rule name to-dmz
  description 访问内网服务器
  policy logging
  session logging
  traffic logging enable
  source-zone trust untrust
  destination-zone dmz
  destination-address address-set "FW1 内网服务器"
  action permit
Configure NAT policies
Web configuration:
The generated configuration is as follows:

NAT rule for traffic that goes through the GRE tunnel; it is placed first, because rules are matched top to bottom:

Company A firewall:
nat-policy
 rule name gre-ipsec
  description 不作地址转换
  source-zone local trust
  destination-zone untrust
  destination-address address-set "FW2 内网地址"
  destination-address address-set "FW2 外网接口地址"
  action no-nat

Company B firewall:
nat-policy
 rule name gre-ipsec
  description 不作地址转换
  source-zone local trust
  destination-zone untrust
  destination-address address-set "FW1 内网地址"
  destination-address address-set "FW1 内网服务器"
  destination-address address-set "FW1 外网接口地址"
  action no-nat

NAT rule for Internet access (internal addresses are translated to the public interface address); identical on both firewalls:
 rule name to-Internet
  description 转换为外网地址
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
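Both the security policy and the NAT policy are ordered lists evaluated top to bottom, and the configuration above relies on that in two places: the gre-ipsec no-nat rule has to sit above the easy-ip rule, and the to-trust rule admits traffic arriving from Tunnel0 only because the tunnel lives in untrust. The Python model below is an added example, not the firewall's own code: it encodes Company A's address sets and rules from this page as data, evaluates constructed sample packets against them with first-match semantics, and makes two consequences visible that the page leaves implicit. Swapping the two NAT rules would translate the tunnel traffic, and because to-trust has no source-address condition it also permits a host on the Internet (constructed address 203.0.113.5, arriving on GE1/0/0, which is in the same untrust zone as Tunnel0) to open connections into 10.1.1.0/24. A tightened variant of to-trust limited to the peer LAN and the DMZ server address sets is included for comparison; it is this example's suggestion, not something the page configures.

```python
"""First-match evaluation of the Company A security and NAT policies (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address sets exactly as created on both firewalls on this page
ADDRESS_SETS = {
    "FW1 外网接口地址": [ip_network("118.122.120.83/32")],
    "FW1 内网地址": [ip_network("10.1.1.0/24")],
    "FW1 内网服务器": [ip_network("10.1.2.100/32")],
    "FW2 外网接口地址": [ip_network("101.207.142.18/32")],
    "FW2 内网地址": [ip_network("10.2.1.0/24"), ip_network("10.2.2.0/24")],
}


@dataclass
class Rule:
    name: str
    action: str
    src_zones: tuple
    dst_zones: tuple
    src_sets: tuple = ()   # empty tuple means "any", like a rule with no source-address line
    dst_sets: tuple = ()


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str


def in_sets(ip: str, set_names: tuple) -> bool:
    """True when the rule has no address condition, or the IP falls inside one of the named sets."""
    if not set_names:
        return True
    addr = ip_address(ip)
    return any(addr in net for name in set_names for net in ADDRESS_SETS[name])


def first_match(rules: list, pkt: Packet, default: str):
    """Walk the rule list top to bottom; the first rule that matches decides, otherwise the default applies."""
    for r in rules:
        if (pkt.src_zone in r.src_zones and pkt.dst_zone in r.dst_zones
                and in_sets(pkt.src_ip, r.src_sets) and in_sets(pkt.dst_ip, r.dst_sets)):
            return r.name, r.action
    return None, default


# Company A security policy, transcribed from the generated configuration above
FW1_SECURITY = [
    Rule("gre-ipsec", "permit", ("local", "trust", "untrust"), ("local", "trust", "untrust"),
         ("FW1 外网接口地址", "FW2 外网接口地址"), ("FW1 外网接口地址", "FW2 外网接口地址")),
    Rule("to-Internet", "permit", ("trust",), ("untrust",), ("FW1 内网地址",)),
    Rule("to-trust", "permit", ("dmz", "untrust"), ("trust",), (), ("FW1 内网地址",)),
    Rule("to-dmz", "permit", ("trust", "untrust"), ("dmz",), (), ("FW1 内网服务器",)),
]

# Tightened to-trust (this example's suggestion, not on the page): only the peer LAN, which arrives
# through Tunnel0, and the DMZ server may open sessions into the trust zone
TO_TRUST_TIGHT = Rule("to-trust", "permit", ("dmz", "untrust"), ("trust",),
                      ("FW2 内网地址", "FW1 内网服务器"), ("FW1 内网地址",))
FW1_SECURITY_TIGHT = [TO_TRUST_TIGHT if r.name == "to-trust" else r for r in FW1_SECURITY]

# Company A NAT policy, in the order the page insists on (gre-ipsec above to-Internet)
FW1_NAT = [
    Rule("gre-ipsec", "no-nat", ("local", "trust"), ("untrust",), (), ("FW2 内网地址", "FW2 外网接口地址")),
    Rule("to-Internet", "source-nat easy-ip", ("trust",), ("untrust",)),
]


def security_decision(rules: list, pkt: Packet) -> tuple:
    """Security policy: whatever no rule permits is dropped by the implicit default deny."""
    return first_match(rules, pkt, default="deny")


def nat_decision(rules: list, src_ip: str, dst_ip: str) -> str:
    """NAT policy for trust -> untrust traffic: with no matching rule nothing is translated."""
    return first_match(rules, Packet("trust", "untrust", src_ip, dst_ip), default="no-nat")[1]


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an arbitrary Internet host
    peer_to_lan = Packet("untrust", "trust", "10.2.1.10", "10.1.1.10")    # arrives from Tunnel0
    inet_to_lan = Packet("untrust", "trust", "203.0.113.5", "10.1.1.10")  # arrives from GE1/0/0
    print("peer LAN, page rule  :", security_decision(FW1_SECURITY, peer_to_lan))
    print("Internet, page rule  :", security_decision(FW1_SECURITY, inet_to_lan))
    print("Internet, tightened  :", security_decision(FW1_SECURITY_TIGHT, inet_to_lan))
    print("tunnel traffic NAT   :", nat_decision(FW1_NAT, "10.1.1.10", "10.2.1.10"))
    print("NAT with rules swapped:", nat_decision(list(reversed(FW1_NAT)), "10.1.1.10", "10.2.1.10"))
```

The model ignores services and applications (the page's rules do not restrict them either) and treats the zone of a packet as given; on the real firewall the zone is derived from the ingress interface, which is exactly why GE1/0/0 and Tunnel0 sharing the untrust zone matters for the to-trust rule.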
That completes the whole configuration!
Verification
Check that traffic flows end to end
Result of Company B PC2 accessing Company A PC1:
Result of the Company B client accessing the Company A server:
IPsec diagnostics on the Company B firewall:
GRE monitoring on the Company B firewall:
Packet capture on the Internet link: