华三防火墙采用IKEV2,总部采用IPsec安全策略模板方式与分支建立
- 0关注
- 0收藏,156浏览
问题描述:
华三防火墙采用IKEV2,总部采用IPsec安全策略模板方式与分支建立。这个配置案例谁能发下
- 2025-11-01提问
- 举报
-
(0)
1.7 总部采用IPsec安全策略模板方式与分支建立保护IPv4报文的IPsec隧道配置举例(总部为华为设备)
1.7.1 适用产品和版本
本举例是在H3C防火墙F5000-AI160的E8371版本,华为防火墙USG6600E的V600R007C20SPC500版本上进行配置和验证的。
1.7.2 组网需求
企业分支通过IPsec VPN接入企业总部,有如下具体需求:
· Device A是华为设备。
· 总部网关Device A和各分支网关Device B、Device C之间建立IPsec隧道,对总部网络4.4.4.0/24分别与分支网络5.5.5.0/24和6.6.6.0/24之间的数据进行安全保护。
· 安全协议采用ESP协议,加密算法采用256比特CBC模式的AES算法,认证算法采用256比特的HMAC-SHA-256算法。
· IKE协商方式建立IPsec SA。
· IKE协商采用预共享密钥认证方式,加密算法采用256比特CBC模式的AES算法,认证算法采用256比特的HMAC-SHA-256算法。
· 总部网关Device A采用IPsec安全策略模板方式,分支网关Device B和DeviceC采用IPsec安全策略方式。
图1-6 IPsec安全策略模板方式配置组网图
1.7.3 配置步骤
1. 配置Device A
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和分支网络的下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 2.2.2.0 24 1.1.1.2
[DeviceA] ip route-static 3.3.3.0 24 1.1.1.2
[DeviceA] ip route-static 5.5.5.0 24 1.1.1.2
[DeviceA] ip route-static 6.6.6.0 24 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] firewall zone trust
[DeviceA-zone-trust] add interface gigabitethernet 1/0/2
[DeviceA-zone-trust] quit
[DeviceA] firewall zone untrust
[DeviceA-zone-untrust] add interface gigabitethernet 1/0/1
[DeviceA-zone-untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout1的安全策规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy
[DeviceA-policy-security] rule name ipseclocalout1
[DeviceA-policy-security-rule-ipseclocalout1] source-zone local
[DeviceA-policy-security-rule-ipseclocalout1] destination-zone untrust
[DeviceA-policy-security-rule-ipseclocalout1] source-address 1.1.1.1 24
[DeviceA-policy-security-rule-ipseclocalout1] destination-address 2.2.2.2 24
[DeviceA-policy-security-rule-ipseclocalout1] action permit
[DeviceA-policy-security-rule-ipseclocalout1] quit
# 配置名称为ipseclocalin1的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-policy-security] rule name ipseclocalin1
[DeviceA-policy-security-rule-ipseclocalin1] source-zone untrust
[DeviceA-policy-security-rule-ipseclocalin1] destination-zone local
[DeviceA-policy-security-rule-ipseclocalin1] source-address 2.2.2.2 24
[DeviceA-policy-security-rule-ipseclocalin1] destination-address 1.1.1.1 24
[DeviceA-policy-security-rule-ipseclocalin1] action permit
[DeviceA-policy-security-rule-ipseclocalin1] quit
# 配置名称为ipseclocalout2的安全策规则,使Device A可以向Device C发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-policy-security] rule name ipseclocalout2
[DeviceA-policy-security-rule-ipseclocalout2] source-zone local
[DeviceA-policy-security-rule-ipseclocalout2] destination-zone untrust
[DeviceA-policy-security-rule-ipseclocalout2] source-address 1.1.1.1 24
[DeviceA-policy-security-rule-ipseclocalout2] destination-address 3.3.3.3 24
[DeviceA-policy-security-rule-ipseclocalout2] action permit
[DeviceA-policy-security-rule-ipseclocalout2] quit
# 配置名称为ipseclocalin2的安全策略规则,使Device A可以接收和处理来自Device C的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-policy-security] rule name ipseclocalin2
[DeviceA-policy-security-rule-ipseclocalin2] source-zone untrust
[DeviceA-policy-security-rule-ipseclocalin2] destination-zone local
[DeviceA-policy-security-rule-ipseclocalin2] source-address 3.3.3.3 24
[DeviceA-policy-security-rule-ipseclocalin2] destination-address 1.1.1.1 24
[DeviceA-policy-security-rule-ipseclocalin2] action permit
[DeviceA-policy-security-rule-ipseclocalin2] quit
b. 配置安全策略放行Host A与Host B、Host C之间的流量
# 配置名称为trust-untrust1的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-policy-security] rule name trust-untrust1
[DeviceA-policy-security-rule-trust-untrust1] source-zone trust
[DeviceA-policy-security-rule-trust-untrust1] destination-zone untrust
[DeviceA-policy-security-rule-trust-untrust1] source-address 4.4.4.0 24
[DeviceA-policy-security-rule-trust-untrust1] destination-address 5.5.5.0 24
[DeviceA-policy-security-rule-trust-untrust1] action permit
[DeviceA-policy-security-rule-trust-untrust1] quit
# 配置名称为untrust-trust1的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-policy-security] rule name untrust-trust1
[DeviceA-policy-security-rule-untrust-trust1] source-zone untrust
[DeviceA-policy-security-rule-untrust-trust1] destination-zone trust
[DeviceA-policy-security-rule-untrust-trust1] source-address 5.5.5.0 24
[DeviceA-policy-security-rule-untrust-trust1] destination-address 4.4.4.0 24
[DeviceA-policy-security-rule-untrust-trust1] action permit
[DeviceA-policy-security-rule-untrust-trust1] quit
# 配置名称为trust-untrust2的安全策略规则,使Host A访问Host C的报文可通,具体配置步骤如下。
[DeviceA-policy-security] rule name trust-untrust2
[DeviceA-policy-security-rule-trust-untrust2] source-zone trust
[DeviceA-policy-security-rule-trust-untrust2] destination-zone untrust
[DeviceA-policy-security-rule-trust-untrust2] source-address 4.4.4.0 24
[DeviceA-policy-security-rule-trust-untrust2] destination-address 6.6.6.0 24
[DeviceA-policy-security-rule-trust-untrust2] action permit
[DeviceA-policy-security-rule-trust-untrust2] quit
# 配置名称为untrust-trust2的安全策略规则,使Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceA-policy-security] rule name untrust-trust2
[DeviceA-policy-security-rule-untrust-trust2] source-zone untrust
[DeviceA-policy-security-rule-untrust-trust2] destination-zone trust
[DeviceA-policy-security-rule-untrust-trust2] source-address 6.6.6.0 24
[DeviceA-policy-security-rule-untrust-trust2] destination-address 4.4.4.0 24
[DeviceA-policy-security-rule-untrust-trust2] action permit
[DeviceA-policy-security-rule-untrust-trust2] quit
[DeviceA-policy-security] quit
(5) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA ipsec proposal transform1
[DeviceA-ipsec-proposal-transform1] encapsulation-mode tunnel
[DeviceA-ipsec-proposal-transform1] transform esp
[DeviceA-ipsec-proposal-transform1] esp encryption-algorithm aes-256
[DeviceA-ipsec-proposal-transform1] esp authentication-algorithm sha2-256
[DeviceA-ipsec-proposal-transform1] quit
(6) 配置IKE安全提议,指定加密算法、认证算法、DH
# 创建并配置IKE安全提议,双方必须至少有一条匹配的IKE安全提议才能协商成功,具体配置步骤如下。
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] encryption-algorithm aes-256
[DeviceA-ike-proposal-1] dh group14
[DeviceA-ike-proposal-1] authentication-algorithm sha2-256
[DeviceA-ike-proposal-1] quit
(7) 配置IKE对等体,指定协商模式、IKE版本、预共享密钥,对端IP地址。
[DeviceA] ike peer h3c
[DeviceA-ike-peer-h3c] exchange-mode main
[DeviceA-ike-peer-h3c] undo version 2
[DeviceA-ike-peer-h3c] ike-proposal 1
[DeviceA-ike-peer-h3c] pre-shared-key 123456TESTplat&!
[DeviceA-ike-peer-h3c] quit
(8) 配置IPsec安全策略模板,用于创建IPsec安全策略
# 创建并配置名为temp1的IPsec安全策略模板,引用安全提议transform1
[DeviceA] ipsec policy-template temp1 10
[DeviceA-ipsec-policy-templet-temp1-1] proposal transform1
[DeviceA-ipsec-policy-templet-temp1-1] ike-peer h3c
[DeviceA-ipsec-policy-templet-temp1-1] quit
(9) 引用安全策略模板temp1创建一条IKE协商方式的安全策略map1,建立IPsec隧道,保护需要防护的数据流
[DeviceA] ipsec policy map1 1 isakmp template temp1
(10) 在接口下引用IPsec安全策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec policy map1
[DeviceA-GigabitEthernet1/0/1] quit
2. 配置Device B
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和总部网络的下一跳IP地址为2.2.2.3,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 配置ACL,定义需要保护的数据流
# 配置IPv4高级ACL 3000,定义要保护由子网5.5.5.0/24去往子网4.4.4.0/24的数据流。
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha256
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为1.1.1.1的对端使用的预共享密钥为明文123456TESTplat&!。
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!
[DeviceB-ike-keychain-key1] quit
(8) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定预共享密钥认证方式、加密算法、认证算法。
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] encryption-algorithm aes-cbc-256
[DeviceB-ike-proposal-1] dh group14
[DeviceB-ike-proposal-1] authentication-algorithm sha256
[DeviceB-ike-proposal-1] quit
(9) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] proposal 1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
(10) 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec安全策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为1.1.1.1。
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
(11) 在接口上应用IPsec安全策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
3. 配置Device C
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和总部网络的下一跳IP地址为3.3.3.4,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceC] ip route-static 4.4.4.0 24 3.3.3.4
[DeviceC] ip route-static 1.1.1.1 24 3.3.3.4
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策规则,使Device C可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device C可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host C与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host C的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
(5) 配置ACL,定义需要保护的数据流
# 配置IPv4高级ACL 3000,定义要保护由子网6.6.6.0/24去往子网4.4.4.0/24的数据流。
[DeviceC] acl advanced 3000
[DeviceC-acl-ipv4-adv-3000] rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceC-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha256
[DeviceC-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为1.1.1.1的对端使用的预共享密钥为明文123456TESTplat&!。
[DeviceC] ike keychain key1
[DeviceC-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!
[DeviceC-ike-keychain-key1] quit
(8) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定预共享密钥认证方式、加密算法、认证算法。
[DeviceC] ike proposal 1
[DeviceC-ike-proposal-1] authentication-method pre-share
[DeviceC-ike-proposal-1] encryption-algorithm aes-cbc-256
[DeviceC-ike-proposal-1] dh group14
[DeviceC-ike-proposal-1] authentication-algorithm sha256
[DeviceC-ike-proposal-1] quit
(9) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceC] ike profile profile1
[DeviceC-ike-profile-profile1] keychain key1
[DeviceC-ike-profile-profile1] proposal 1
[DeviceC-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceC-ike-profile-profile1] quit
(10) 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec安全策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为1.1.1.1。
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[DeviceC-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceC-ipsec-policy-isakmp-map1-10] quit
(11) 在接口上应用IPsec安全策略,对接口上的流量进行保护
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceC-GigabitEthernet1/0/1] quit
1.7.4 验证配置
# 以上配置完成后,当分支子网5.5.5.0/24向总部网络4.4.4.0/24发起数据连接时,将触发Device B和Device A之间进行IKE协商。IKE成功协商出IPsec SA后,企业总部与分支子网之间的数据流传输将受到IPsec SA的保护。
# 可通过如下显示信息查看到Device A上IKE第一阶段协商成功后生成的IKE SA。
[DeviceA]display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
2 2.2.2.2:500 RD|A v1:2 IP 2.2.2.2
1 2.2.2.2:500 RD|A v1:1 IP 2.2.2.2
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
# 可通过如下显示信息查看到Device A上协商生成的IPsec SA。
[DeviceA]display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/1
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 1
Acl group : 0
Acl rule : 0
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Holding time : 0d 0h 17m 2s
Tunnel local : 1.1.1.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 4.4.4.0/255.255.255.0 0/0-65535
Flow destination : 5.5.5.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 200509728 (0xbf38920)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2578
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/336
[Inbound ESP SAs]
SPI: 191596935 (0xb6b8987)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2578
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/336
Anti-replay : Enable
Anti-replay window size: 1024
1.7.5 配置文件
1. Device A
#
ipsec proposal transform1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
#
ike peer h3c
undo version 2
pre-shared-key 123456TESTplat&!
ike-proposal 1
#
ipsec policy-template temp1 10
ike-peer h3c
proposal transform1
#
ipsec policy map1 1 isakmp template temp1
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
ipsec policy map1
#
interface GigabitEthernet1/0/2
ip address 4.4.4.1 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet1/0/2
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
ip route-static 3.3.3.0 255.255.255.0 1.1.1.2
ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
#
security-policy
rule name ipseclocalout1
source-zone local
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
destination-address 2.2.2.0 mask 255.255.255.0
action permit
rule name ipseclocalin1
source-zone untrust
destination-zone local
source-address 2.2.2.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
rule name ipseclocalout2
source-zone local
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
destination-address 3.3.3.0 mask 255.255.255.0
action permit
rule name ipseclocalin2
source-zone untrust
destination-zone local
source-address 3.3.3.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
rule name trust-untrust1
source-zone trust
destination-zone untrust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 5.5.5.0 mask 255.255.255.0
action permit
rule name untrust-trust1
source-zone untrust
destination-zone trust
source-address 5.5.5.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
rule name trust-untrust2
source-zone trust
destination-zone untrust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 6.6.6.0 mask 255.255.255.0
action permit
rule name untrust-trust2
source-zone untrust
destination-zone trust
source-address 6.6.6.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
#
2. Device B
#
interface GigabitEthernet1/0/1
ip address 2.2.2.2 255.255.255.0
ipsec apply policy map1
#
interface GigabitEthernet1/0/2
ip address 5.5.5.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 1.1.1.0 24 2.2.2.3
ip route-static 4.4.4.0 24 2.2.2.3
#
acl advanced 3000
rule 0 permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 2.2.2.2
remote-address 1.1.1.1
ike-profile profile1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm sha256
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
#
security-policy ip
rule 1 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
rule 2 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 3 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 5.5.5.0 255.255.255.0
destination-ip-subnet 4.4.4.0 255.255.255.0
rule 4 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 255.255.255.0
destination-ip-subnet 5.5.5.0 255.255.255.0
#
3. Device C
#
interface GigabitEthernet1/0/1
ip address 3.3.3.3 255.255.255.0
ipsec apply policy map1
#
interface GigabitEthernet1/0/2
ip address 6.6.6.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 1.1.1.0 24 3.3.3.4
ip route-static 4.4.4.0 24 3.3.3.4
#
acl advanced 3000
rule 0 permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 3.3.3.3
remote-address 1.1.1.1
ike-profile profile1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm sha256
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
#
security-policy ip
rule 1 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
rule 2 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 3.3.3.3
rule 3 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 6.6.6.0 255.255.255.0
destination-ip-subnet 4.4.4.0 255.255.255.0
rule 4 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 255.255.255.0
destination-ip-subnet 6.6.6.0 255.255.255.0
#
- 2025-11-03回答
- 评论(1)
- 举报
-
(0)
你这还是IKE1的版本
你这还是IKE1的版本
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
https://www.h3c.com/cn/pub/Document_Center/2023/08/WebHelp_H3C_SecPath_FHQCP_DXPZALJ(V7)/default_auto.htm?CHID=904195