HCIP-Security: IPSec VPN with primary/backup links, part 2 (tunnel-based)
1. Network topology
2. Planning notes
To be added later.
3. Configuration
3.1 FW1 configuration
① Create the Tunnel interface and add it to a security zone
[FW1]interface Tunnel 1
[FW1-Tunnel1]ip address 1.1.1.1 24
[FW1-Tunnel1]tunnel-protocol ipsec
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface tunnel 1
② Static routes linked with BFD: a preference-60 static route plus a preference-70 floating route; VPN business traffic is pointed at the Tunnel interface
[FW1]bfd
[FW1-bfd]bfd 1 bind peer-ip 202.100.1.254
[FW1-bfd-session-1]discriminator local 1
[FW1-bfd-session-1]discriminator remote 2
[FW1-bfd-session-1] commit
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/0 202.100.1.254 track bfd-session 1
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/1 202.100.2.254 preference 70
[FW1]ip route-static 10.1.2.0 24 Tunnel 1
③ Configure the IKE proposal
[FW1]ike proposal 1
[FW1-ike-proposal-1]dis this
2022-03-29 11:49:38.200
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
④ Configure the IKE peer
[FW1]ike peer fw2
[FW1-ike-peer-fw2]ike-proposal 1
[FW1-ike-peer-fw2]pre-shared-key Huawei@123
[FW1-ike-peer-fw2]remote-address 202.100.3.20
⑤ Interesting traffic (ACL)
[FW1]acl number 3000
[FW1-acl-adv-3000]rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
⑥ IPSec proposal
[FW1]ipsec proposal 1
[FW1-ipsec-proposal-1]dis this
2022-03-29 11:52:41.810
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
return
⑦ Configure the IPSec policy, referencing the interesting-traffic ACL, the proposal and the peer
[FW1]ipsec policy ipsec 10 isakmp
[FW1-ipsec-policy-isakmp-ipsec-10]security acl 3000
[FW1-ipsec-policy-isakmp-ipsec-10]proposal 1
[FW1-ipsec-policy-isakmp-ipsec-10]ike-peer fw2
⑧ Apply the policy on the Tunnel interface; the Tunnel interface goes UP at this point
[FW1]interface Tunnel 1
[FW1-Tunnel1]ipsec policy ipsec
⑨ Security policy
[FW1]ip service-set ISAKMP type object
[FW1-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500
[FW1]ip address-set ipsec type object
[FW1-object-address-set-ipsec]address 1.1.1.1 mask 32
[FW1-object-address-set-ipsec]address 202.100.3.20 mask 32
[FW1]ip address-set pc type object
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name ipsec
[FW1-policy-security-rule-ipsec]source-zone local untrust
[FW1-policy-security-rule-ipsec]destination-zone local untrust
[FW1-policy-security-rule-ipsec]source-address address-set ipsec
[FW1-policy-security-rule-ipsec]destination-address address-set ipsec
[FW1-policy-security-rule-ipsec]service ISAKMP esp
[FW1-policy-security-rule-ipsec]action permit
[FW1-policy-security]rule name vpnpc
[FW1-policy-security-rule-vpnpc]source-zone untrust trust
[FW1-policy-security-rule-vpnpc]destination-zone untrust trust
[FW1-policy-security-rule-vpnpc]source-address address-set pc
[FW1-policy-security-rule-vpnpc]destination-address address-set pc
[FW1-policy-security-rule-vpnpc]action permit
[FW1-policy-security]rule name icmp
[FW1-policy-security-rule-icmp]source-zone local
[FW1-policy-security-rule-icmp]destination-zone untrust
[FW1-policy-security-rule-icmp]service icmp
[FW1-policy-security-rule-icmp]action permit
3.2 AR1 configuration
[R1]bfd
[R1-bfd]bfd 1 bind peer-ip 202.100.1.10
[R1-bfd-session-1]discriminator local 2
[R1-bfd-session-1]discriminator remote 1
[R1-bfd-session-1]commit
[R1]ip route-static 1.1.1.1 32 GigabitEthernet 0/0/0 202.100.1.10 track bfd-session 1
[R1]ip route-static 1.1.1.1 32 GigabitEthernet 0/0/1 202.100.2.10 preference 70
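As an added example (not part of the original post), the following Python model reproduces the route selection behind FW1 step ② and the AR1 configuration above: a BFD-tracked preference-60 route is withdrawn when its session goes down and the preference-70 floating route takes over, while the 10.1.2.0/24 route stays on Tunnel1 and R1 still reaches the tunnel source 1.1.1.1 over the backup link. The StaticRoute class and the egress function are this example's own names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class StaticRoute:
    prefix: str                      # destination, e.g. "0.0.0.0/0" or "1.1.1.1/32"
    out_if: str                      # outbound interface
    next_hop: Optional[str]          # None for the route pointed straight at Tunnel1
    preference: int = 60             # VRP default preference for a static route
    track_bfd: Optional[int] = None  # BFD session the route follows, if any

def active_routes(routes: List[StaticRoute], bfd_up: Dict[int, bool]) -> Dict[str, StaticRoute]:
    """Pick one route per prefix: drop routes whose tracked BFD session is down,
    then keep the lowest preference among what is left (lower preference wins)."""
    best: Dict[str, StaticRoute] = {}
    for r in routes:
        if r.track_bfd is not None and not bfd_up.get(r.track_bfd, False):
            continue  # BFD detected the link down: the tracked route is withdrawn
        cur = best.get(r.prefix)
        if cur is None or r.preference < cur.preference:
            best[r.prefix] = r
    return best

def egress(routes: List[StaticRoute], bfd_up: Dict[int, bool], prefix: str) -> str:
    """Outbound interface currently used for `prefix` under the given BFD state."""
    return active_routes(routes, bfd_up)[prefix].out_if

# FW1's three static routes from the page: tracked default via ISP1, floating
# default via ISP2, and the remote LAN pointed at the IPSec Tunnel interface.
FW1_ROUTES = [
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/0", "202.100.1.254", track_bfd=1),
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/1", "202.100.2.254", preference=70),
    StaticRoute("10.1.2.0/24", "Tunnel1", None),
]
# R1's two host routes to the tunnel source 1.1.1.1, one per physical link.
R1_ROUTES = [
    StaticRoute("1.1.1.1/32", "GigabitEthernet0/0/0", "202.100.1.10", track_bfd=1),
    StaticRoute("1.1.1.1/32", "GigabitEthernet0/0/1", "202.100.2.10", preference=70),
]

if __name__ == "__main__":
    for bfd in ({1: True}, {1: False}):
        print(f"bfd session 1 up={bfd[1]}: FW1 default via {egress(FW1_ROUTES, bfd, '0.0.0.0/0')}, "
              f"FW1 10.1.2.0/24 via {egress(FW1_ROUTES, bfd, '10.1.2.0/24')}, "
              f"R1 to 1.1.1.1 via {egress(R1_ROUTES, bfd, '1.1.1.1/32')}")
```

Because the IKE peer address is the Tunnel interface address 1.1.1.1 rather than a physical-interface address, the IPSec SAs do not have to be renegotiated when R1 and FW1 both switch to the backup link.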
3.3 FW2 configuration
① IKE proposal
[FW2]ike proposal 1
[FW2-ike-proposal-1]dis this
2022-03-29 12:06:38.060
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
return
② Configure the IKE peer
[FW2]ike peer fw1
[FW2-ike-peer-fw1]pre-shared-key Huawei@123
[FW2-ike-peer-fw1]ike-proposal 1
[FW2-ike-peer-fw1]remote-address 1.1.1.1
③ Configure interesting traffic (ACL)
[FW2]acl number 3000
[FW2-acl-adv-3000]rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
④ IPSec proposal
[FW2]ipsec proposal 1
[FW2-ipsec-proposal-1]dis this
2022-03-29 12:08:38.150
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
return
⑤ Configure the IPSec policy
[FW2]ipsec policy ipsec 10 isakmp
[FW2-ipsec-policy-isakmp-ipsec-10]security acl 3000
[FW2-ipsec-policy-isakmp-ipsec-10]ike-peer fw1
[FW2-ipsec-policy-isakmp-ipsec-10]proposal 1
⑥ Apply the policy on the interface
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ipsec policy ipsec
⑦ Default route pointing to the gateway
[FW2]ip route-static 0.0.0.0 0 202.100.3.254
⑧ Security policy
[FW2]ip service-set ISAKMP type object
[FW2-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500
[FW2]ip address-set ipsec type object
[FW2-object-address-set-ipsec]address 1.1.1.1 mask 32
[FW2-object-address-set-ipsec]address 202.100.3.20 mask 32
[FW2]ip address-set pc type object
[FW2-object-address-set-pc]address 10.1.1.0 mask 24
[FW2-object-address-set-pc]address 10.1.2.0 mask 24
[FW2]security-policy
[FW2-policy-security]rule name ipsec
[FW2-policy-security-rule-ipsec]source-zone local untrust
[FW2-policy-security-rule-ipsec]destination-zone local untrust
[FW2-policy-security-rule-ipsec]source-address address-set ipsec
[FW2-policy-security-rule-ipsec]destination-address address-set ipsec
[FW2-policy-security-rule-ipsec]service ISAKMP esp
[FW2-policy-security-rule-ipsec]action permit
[FW2-policy-security]rule name vpnpc
[FW2-policy-security-rule-vpnpc]source-zone untrust trust
[FW2-policy-security-rule-vpnpc]destination-zone untrust trust
[FW2-policy-security-rule-vpnpc]source-address address-set pc
[FW2-policy-security-rule-vpnpc]destination-address address-set pc
[FW2-policy-security-rule-vpnpc]action permit
[FW2-policy-security]rule name icmp
[FW2-policy-security-rule-icmp]source-zone local
[FW2-policy-security-rule-icmp]destination-zone untrust
[FW2-policy-security-rule-icmp]service icmp
[FW2-policy-security-rule-icmp]action permit
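Added example, not from the original post: a small Python check of the two settings that most often break the IKE negotiation in the configuration above, that FW2's ACL 3000 is the exact mirror of FW1's (steps ⑤ and ③) and that the IKE and IPSec proposals on the two firewalls agree (steps ③/⑥ and ①/④). The function names (parse_rule, acls_mirror, parse_proposal, proposal_mismatches) are this example's own; the altered FW2 proposal is constructed to show how a mismatch is reported.

```python
import re
from typing import Dict, List, Tuple

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
HEADER_RE = re.compile(r"^(ike|ipsec) proposal \d+$|^\d{4}-\d{2}-\d{2} |^#|^return$")

def parse_rule(line: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Return ((src, wildcard), (dst, wildcard)) from a VRP advanced ACL rule."""
    m = RULE_RE.search(line)
    if m is None:
        raise ValueError("unsupported ACL rule: " + line)
    return (m.group(1), m.group(2)), (m.group(3), m.group(4))

def acls_mirror(local_rule: str, remote_rule: str) -> bool:
    """Phase 2 only succeeds when the peer's interesting traffic is the exact reverse."""
    l_src, l_dst = parse_rule(local_rule)
    r_src, r_dst = parse_rule(remote_rule)
    return l_src == r_dst and l_dst == r_src

def parse_proposal(text: str) -> Dict[str, str]:
    """Turn 'dis this' output of an ike/ipsec proposal into {parameter: value}."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.search(line):
            continue  # skip the view header, timestamp, '#' separators and 'return'
        key, _, value = line.rpartition(" ")
        params[key] = value
    return params

def proposal_mismatches(local: str, remote: str) -> List[str]:
    """Parameters on which the two proposals differ (empty list: the peers agree)."""
    pl, pr = parse_proposal(local), parse_proposal(remote)
    return sorted(k for k in pl.keys() | pr.keys() if pl.get(k) != pr.get(k))

# Constructed input: FW1's IKE proposal as shown on the page, plus a deliberately
# altered FW2 copy with a different DH group, and the two ACL 3000 rules.
FW1_IKE = """ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256"""
FW2_IKE_BAD = FW1_IKE.replace("dh group14", "dh group2")
FW1_ACL = "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
FW2_ACL = "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"

if __name__ == "__main__":
    print("ACLs mirrored:", acls_mirror(FW1_ACL, FW2_ACL))
    print("IKE mismatches vs. altered FW2:", proposal_mismatches(FW1_IKE, FW2_IKE_BAD))
```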