总部与分支机构之间建立点到点IPSec ***(预共享密钥认证)

企业开发 2020-03-16 23:10:18 阅读次数: 0

总部与分支机构之间建立点到点IPSec ***(预共享密钥认证)
微信公众号: 网络民工

本例介绍预共享密钥认证方式下的IPSec隧道配置方法。
组网需求
如图1所示,网络A和网络B通过NGFW_A和NGFW_B连接到Internet,NGFW_A和NGFW_B公网路由可达。现需要在NGFW_A和NGFW_B之间建立IKE方式的IPSec隧道,使网络A和网络B的用户可通过IPSec隧道安全互访。
总部与分支机构之间建立点到点IPSec ***(预共享密钥认证)
图1 IKE协商方式的点到点IPSec隧道举例组网图

数据规划
总部与分支机构之间建立点到点IPSec ***(预共享密钥认证)

配置思路
NGFW_A和NGFW_B的配置思路相同。1.配置接口IP地址并将接口加入到安全区域。
2.配置安全策略。
3.配置到对端内网的路由。
4.配置IPSec策略。包括配置IPSec策略的基本信息、配置待加密的数据流、配置安全提议的协商参数。

操作步骤
•配置NGFW_A(总部)。 1.配置接口IP地址。
<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

2.配置接口加入相应安全区域。
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

3.配置安全策略。

a.配置Trust域与Untrust域的安全策略,允许封装前和解封后的报文能通过NGFW_A。
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit

b.配置Local域与Untrust域的安全策略,允许IKE协商报文能正常通过NGFW_A。
[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit

4.配置到达对端私网的路由。假设NGFW_A通往NGFW_B侧的下一跳设备的IP地址为1.1.3.2。
[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2

5.配置NGFW_A的IPSec隧道。
a.配置访问控制列表,定义需要保护的数据流。[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit

b.配置序号为10的IKE安全提议。[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit

c.配置IKE Peer。[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit

d.配置名称为tran1的IPSec安全提议。[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit

e.配置IPSec安全策略组map1。[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit

f.在出接口GigabitEthernet 1/0/1上应用安全策略组map1。[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit

•配置NGFW_B(分支)。 1.配置接口IP地址。
<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

2.配置接口加入相应安全区域。
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit

3.配置安全策略。

a.配置Trust域与Untrust域的安全策略,允许封装前和解封后的报文能通过NGFW_B。
[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit

b.配置Local域与Untrust域的安全策略,允许IKE协商报文能正常通过NGFW_B。
[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit

4.配置到达对端私网的路由。假设NGFW_B通往NGFW_A侧的下一跳设备的IP地址为1.1.5.2。
[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2

5.配置NGFW_B的IPSec隧道。
a.配置访问控制列表,定义需要保护的数据流。[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit

b.配置序号为10的IKE安全提议。[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit

c.配置IKE Peer。[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit

d.配置名称为tran1的IPSec安全提议。[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit

e.配置IPSec安全策略组map1。[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit

f.在出接口GigabitEthernet 1/0/1上应用安全策略组map1。[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit

结果验证

1.配置成功后,在NGFW_A上执行display ike sa命令,查看IKE安全联盟的建立情况,出现以下显示说明IKE安全联盟建立成功。[NGFW_A] display ike sa
current ike sa number: 2

conn-id peer flag phase ***

3 1.1.5.1 RD|ST|A v1:2 public
2 1.1.5.1 RD|ST|A v1:1 public

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY
A--ALONE

2.在NGFW_A上执行display ipsec sa命令,查看IPSec安全联盟的建立情况,出现以下显示说明IPSec安全联盟建立成功。[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
path MTU: 1500
===============================

IPsec policy name: "map1"
sequence number: 10
mode: isakmp
***: 0 

connection id: 3       
rule number: 5         
encapsulation mode: tunnel                                                  
holding time: 0d 0h 0m 12s                                                  
tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1                            
flow      source: 10.1.1.0/255.255.255.0 0/0                             
flow destination: 10.1.2.0/255.255.255.0 0/0                             

[inbound ESP SAs]      
  spi: 3715780278 (0xdd7a4eb6)                                              
  ***: public  said: 0  cpuid: 0x0000                                       
  proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256                               
  sa remaining key duration (kilobytes/sec): 1843200/3588                   
  max received sequence-number: 1                                           
  udp encapsulation used for nat traversal: N                               

[outbound ESP SAs]     
  spi: 3312146193 (0xc56b5711)                                              
  ***: public  said: 1  cpuid: 0x0000                                       
  proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256                               
  sa remaining key duration (kilobytes/sec): 1843200/3588                   
  max sent sequence-number: 1                                               
  udp encapsulation used for nat traversal: N

配置脚本

•NGFW_A(总部)的配置脚本

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer b
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.5.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer b
alias map1_10
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit

•NGFW_B(分支)的配置脚本

#
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer a
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.5.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit

总部与分支机构之间建立点到点IPSec ***(预共享密钥认证)
微信公众号:网络民工

猜你喜欢

转载自blog.51cto.com/jiajunjie/2478884
今日推荐
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
开源日报 | 中学生开源前端动画引擎;全球首个Llama3 8B中文版开源模型;联想电脑恐出局;Linus讽刺AI炒作
“百模大战”必有一战 | 2024中国“百模大战”竞争格局分析
最强开源大模型 Llama 3 上架 Gitee AI
周排行
自媒体文章如何提高原创度以及如何检测原创度
开启qq邮箱的smtp服务
Qt程序单次启动(QSingleApplication类)
国外的外包网站
更新IDEA主题——放飞代码风格
cocos2dx 实现搓牌效果(翻牌效果),包括铺平动画
dict和json之间的互相转换
angular的一些思考
. Fibonacci数列是这样定义的: F[0] = 0 F[1] = 1 for each i ≥ 2: F[i] = F[i-1] + F[i-2] 因此,Fibonacci数列就形如:0, 1
洛谷P1064 金明的预算方案
每日归档
更多
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)
2024-04-17(5)
2024-04-16(70)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022