HCIP-Security: IPSec VPN with Primary/Backup Links (1)


1. Network topology

2. Planning notes

10.1.1.0/24 is the internal network segment in FW1's trust zone, and 10.1.2.0/24 is the internal network segment in FW2's trust zone. AR1 is the ISP device; assume FW1 is the headquarters and FW2 is the branch. FW1 and FW2 establish an IPSec VPN over the public network, and GE1/0/0 and GE1/0/1 provide primary/backup link redundancy: when the GE1/0/0 link fails, the IPSec VPN can be re-established over GE1/0/1.

3. Configuration

3.1 Create an IP-Link and associate the static route with it

#Enable ip-link

[FW1]ip-link check enable
#Configure the ip-link
[FW1]ip-link name link1
[FW1-iplink-link1]destination 202.100.1.254 interface GigabitEthernet 1/0/0 mode icmp next-hop 202.100.1.254
[FW1-iplink-link1]tx-interval 3
[FW1-iplink-link1]times 2
#Associate the static route with the ip-link (the backup route has a higher preference value, so it is only used when the tracked route is withdrawn)
[FW1]ip route-static 0.0.0.0 0 202.100.1.254 track ip-link link1
[FW1]ip route-static 0.0.0.0 0 202.100.2.254 preference 70

3.2 Configure IPSec VPN

#Configure the IKE proposal
[FW1]ike proposal 1
[FW1-ike-proposal-1]dis this
2022-03-29 01:15:00.400
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
return
#Configure the IKE peers
[FW1]ike peer HA1
[FW1-ike-peer-HA1]pre-shared-key Huawei@123
[FW1-ike-peer-HA1]ike-proposal 1
[FW1-ike-peer-HA1]remote-address 202.100.3.20
[FW1-ike-peer-HA1]quit
[FW1]ike peer HA2
[FW1-ike-peer-HA2]pre-shared-key Huawei@123
[FW1-ike-peer-HA2]ike-proposal 1
[FW1-ike-peer-HA2]remote-address 202.100.3.20
#Configure the IPSec proposal
[FW1]ipsec proposal 1
[FW1-ipsec-proposal-1]dis this
2022-03-29 01:18:09.690
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
return
#Configure the interesting traffic (one ACL per link, both matching the same HQ-to-branch traffic)
[FW1]acl number 3000
[FW1-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-acl-adv-3000]acl number 3001
[FW1-acl-adv-3001] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#Configure the IPSec policies
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]ike-peer HA1
[FW1-ipsec-policy-isakmp-map1-10]proposal 1
[FW1-ipsec-policy-isakmp-map1-10]quit
[FW1]ipsec policy map2 10 isakmp
[FW1-ipsec-policy-isakmp-map2-10]security acl 3001
[FW1-ipsec-policy-isakmp-map2-10]ike-peer HA2
[FW1-ipsec-policy-isakmp-map2-10]proposal 1
#Apply the policies on the interfaces
[FW1-ipsec-policy-isakmp-map2-10]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0] ipsec policy map1
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet1/0/1
[FW1-GigabitEthernet1/0/1] ipsec policy map2

3.3 Security policies

#Create the address sets

[FW1] ip address-set ipsec type object
[FW1-object-address-set-ipsec]address 202.100.1.10 mask 32
[FW1-object-address-set-ipsec]address 202.100.2.10 mask 32
[FW1-object-address-set-ipsec]address 202.100.3.20 mask 32
[FW1]ip address-set pc type object
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
#
[FW1]ip service-set ISAKMP type object
[FW1-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500
#
[FW1]security-policy
[FW1-policy-security]rule name ipsec
[FW1-policy-security-rule-ipsec]source-zone local untrust
[FW1-policy-security-rule-ipsec]destination-zone local untrust
[FW1-policy-security-rule-ipsec]source-address address-set ipsec
[FW1-policy-security-rule-ipsec]destination-address address-set ipsec
[FW1-policy-security-rule-ipsec]service ISAKMP esp
[FW1-policy-security-rule-ipsec]action permit
#
[FW1-policy-security]rule name pc
[FW1-policy-security-rule-pc]source-zone untrust trust
[FW1-policy-security-rule-pc]destination-zone untrust trust
[FW1-policy-security-rule-pc]source-address address-set pc
[FW1-policy-security-rule-pc]destination-address address-set pc
[FW1-policy-security-rule-pc]action permit
#

3.4 Configure the tunnel interfaces on FW2

#Configure the tunnel interfaces
[FW2]interface Tunnel 1
[FW2-Tunnel1]tunnel-protocol ipsec
[FW2-Tunnel1]ip address unnumbered interface GigabitEthernet 1/0/0
[FW2-Tunnel1]interface Tunnel2
[FW2-Tunnel2]tunnel-protocol ipsec
[FW2-Tunnel2]ip address unnumbered interface GigabitEthernet 1/0/0
#Add the created tunnel interfaces to a zone
[FW2]firewall zone untrust
[FW2-zone-untrust] add interface Tunnel1
[FW2-zone-untrust] add interface Tunnel2
#Plan the routes (primary via Tunnel1, backup via Tunnel2 with a higher preference value)
[FW2]ip route-static 10.1.1.0 255.255.255.0 Tunnel1
[FW2]ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 70

[FW2]ip-link check enable
[FW2]ip-link name link1
[FW2-iplink-link1]destination 202.100.1.254 mode icmp
[FW2-iplink-link1]qu
[FW2]ip route-static 10.1.1.0 24 tunnel 1 track ip-link link1

3.5 Configure IPSec VPN

#Configure the IKE proposal
[FW2]ike proposal 1
[FW2-ike-proposal-1]dis this
2022-03-29 01:37:05.510
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
#Configure the IKE peers (one per FW1 public address)
[FW2]ike peer HA1
[FW2-ike-peer-HA1] pre-shared-key Huawei@123
[FW2-ike-peer-HA1] ike-proposal 1
[FW2-ike-peer-HA1] remote-address 202.100.1.10
[FW2-ike-peer-HA1]ike peer HA2
[FW2-ike-peer-HA2] pre-shared-key Huawei@123
[FW2-ike-peer-HA2] ike-proposal 1
[FW2-ike-peer-HA2] remote-address 202.100.2.10
#Configure the interesting traffic
[FW2]acl number 3000
[FW2-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2-acl-adv-3000]acl number 3001
[FW2-acl-adv-3001] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#Configure the service set
[FW2]ip service-set ISAKMP type object
[FW2-object-service-set-ISAKMP]service 0 protocol udp source-port 500 destination-port 500
#Configure the IPSec proposal
[FW2]ipsec proposal 1
[FW2-ipsec-proposal-1]dis this
2022-03-29 01:39:33.680
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
return
#Configure the IPSec policies
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3000
[FW2-ipsec-policy-isakmp-map1-10]ike-peer HA1
[FW2-ipsec-policy-isakmp-map1-10]proposal 1
[FW2-ipsec-policy-isakmp-map1-10]qu
[FW2]ipsec policy map2 10 isakmp
[FW2-ipsec-policy-isakmp-map2-10]security acl 3001
[FW2-ipsec-policy-isakmp-map2-10]ike-peer HA2
[FW2-ipsec-policy-isakmp-map2-10]proposal 1
#Apply the policies on the tunnel interfaces
[FW2]interface Tunnel1
[FW2-Tunnel1] ipsec policy map1
[FW2-Tunnel1]interface Tunnel2
[FW2-Tunnel2] ipsec policy map2
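As an added example (not part of the original walkthrough and not a Huawei tool), a small Python checker that parses the IKE peer and interesting-traffic ACL excerpts of both firewalls from sections 3.2 and 3.5 and verifies the mirror relationships the tunnel depends on: identical pre-shared keys per peer name, each peer's remote-address being one of the other side's public addresses, and each ACL being the source/destination mirror of its counterpart. The config excerpts and the WAN address sets are constructed from the values above.

```python
import re
# Constructed config excerpts for FW1 and FW2 (assumed, not copied from a device): only the lines the check reads.
FW1 = """ike peer HA1
 pre-shared-key Huawei@123
 remote-address 202.100.3.20
ike peer HA2
 pre-shared-key Huawei@123
 remote-address 202.100.3.20
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"""
FW2 = """ike peer HA1
 pre-shared-key Huawei@123
 remote-address 202.100.1.10
ike peer HA2
 pre-shared-key Huawei@123
 remote-address 202.100.2.10
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"""

def parse(cfg):  # returns ({peer: {attr: value}}, {acl: (src, dst)}) from a VRP-style excerpt
    peers, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ike peer (\S+)", line):
            cur, peers[m[1]] = m[1], {}
        elif m := re.match(r"acl number (\d+)", line):
            cur = m[1]
        elif m := re.match(r"\s+(pre-shared-key|remote-address) (\S+)", line):
            peers[cur][m[1]] = m[2]
        elif m := re.match(r"\s+rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)", line):
            acls[cur] = (m[1], m[2])
    return peers, acls

def check_pair(cfg_a, a_wan, cfg_b, b_wan):
    """List mismatches between two IPSec peers; a_wan/b_wan are each side's public addresses."""
    (pa, aa), (pb, ab) = parse(cfg_a), parse(cfg_b)
    problems = []
    for name in sorted(set(pa) | set(pb)):
        a, b = pa.get(name, {}), pb.get(name, {})
        if a.get("pre-shared-key") != b.get("pre-shared-key"):
            problems.append(f"ike peer {name}: pre-shared keys differ or peer is missing on one side")
        elif a.get("remote-address") not in b_wan or b.get("remote-address") not in a_wan:
            problems.append(f"ike peer {name}: remote-address is not the other side's WAN address")
    for num in sorted(set(aa) | set(ab)):  # interesting traffic must be exact mirror images
        if aa.get(num) != tuple(reversed(ab.get(num, ()))):
            problems.append(f"acl {num}: source/destination are not mirrored")
    return problems
```

An empty list means the two sides agree; run it against the real `display current-configuration` excerpts before troubleshooting phase 1 or phase 2 negotiation failures.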

3.6 Security policies

#Create the address sets
[FW2]ip address-set ipsec type object
[FW2-object-address-set-ipsec]address 202.100.1.10 mask 32
[FW2-object-address-set-ipsec]address 202.100.2.10 mask 32
[FW2-object-address-set-ipsec]address 202.100.3.20 mask 32
[FW2-object-address-set-ipsec]quit
[FW2]ip address-set pc type object
[FW2-object-address-set-pc]address 10.1.1.0 mask 24
[FW2-object-address-set-pc]address 10.1.2.0 mask 24
#Permit the VPN negotiation traffic (IKE and ESP between the public addresses)
[FW2]security-policy
[FW2-policy-security]rule name ipsec
[FW2-policy-security-rule-ipsec]source-zone local untrust
[FW2-policy-security-rule-ipsec]destination-zone local untrust
[FW2-policy-security-rule-ipsec]source-address address-set ipsec
[FW2-policy-security-rule-ipsec]destination-address address-set ipsec
[FW2-policy-security-rule-ipsec]service ISAKMP esp
[FW2-policy-security-rule-ipsec]action permit
#Permit the VPN data traffic between the two internal segments
[FW2-policy-security]rule name pc
[FW2-policy-security-rule-pc]source-zone untrust trust
[FW2-policy-security-rule-pc]destination-zone untrust trust
[FW2-policy-security-rule-pc]source-address address-set pc
[FW2-policy-security-rule-pc]destination-address address-set pc
[FW2-policy-security-rule-pc]action permit