• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

防火墙IPSec多分支互通配置

2014-01-14 发表
  • -1关注 ,1876浏览
粉丝: 关注:

防火墙IPSec多分支互通配置

一、 组网需求:

总部对多个分支提供IPSec VPN接入,总部和分支之间先行建立IPSec隧道,分支侧与总部建立正常的IPSec VPN后,有分支侧通过总部进行中转互通的需求,则通过手工添加相应ACL,由一端分支进行触发,分支侧流量通过总部进行中转,实现IPSec互通。

设备清单:V5防火墙3台,V5交换机1

二、 组网图:

三、   配置步骤:

Center:

#//配置IKE对等体

ike peer fw1

 pre-shared-key cipher $c$3$754hAry0EnjWEqGdksbhunWYBARXLg==

 remote-address 10.0.0.1

 local-address 10.0.0.2

#

ike peer fw2

 pre-shared-key cipher $c$3$byPkqK6aQu0KJcOKvsR5A0bTjsrnJQ==

 remote-address 10.0.0.3

 local-address 10.0.0.1

#//配置IPSec提议

ipsec transform-set fw1

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

 esp encryption-algorithm 3des

#

ipsec transform-set fw2

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

 esp encryption-algorithm 3des

#//配置感兴趣流

acl number 3000 name to_FW1

 rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0

 rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0

acl number 3001 name to_FW2

 rule 0 permit ip source 2.2.2.2 0 destination 3.3.3.3 0

 rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0

#//配置IPSec策略

ipsec policy center 1 isakmp

 security acl 3000

 ike-peer fw1

 transform-set fw1

#

ipsec policy center 2 isakmp

 security acl 3001

 ike-peer fw2

 transform-set fw2

#//配置接口

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

interface GigabitEthernet0/0

 port link-mode route

 ip address 10.0.0.2 255.255.255.0

 ipsec policy center

#//接口加入安全域

zone name Trust id 2

 priority 85

 import interface GigabitEthernet0/0

#//配置到分支侧VPN内部地址路由

 ip route-static 1.1.1.1 255.255.255.255 10.0.0.1

 ip route-static 3.3.3.3 255.255.255.255 10.0.0.3

#

Branch1:

#//配置IKE对等体

ike peer center

 pre-shared-key cipher $c$3$+4m41AS2S8FvKHzR0R077qEr21gl2A==

 remote-address 10.0.0.2

 local-address 10.0.0.1

#//配置IPSec提议

ipsec transform-set center

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

 esp encryption-algorithm 3des

#//配置感兴趣流

acl number 3000

 rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0

 rule 5 permit ip source 1.1.1.1 0 destination 3.3.3.3 0

#//配置IPSec策略

ipsec policy 1 1 isakmp

 security acl 3000

 ike-peer center

 transform-set center

#//配置接口

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 10.0.0.1 255.255.255.0

 ipsec policy 1

#//接口加入安全域

zone name Trust id 2

 priority 85

 import interface GigabitEthernet0/1

#//配置网关路由

ip route-static 0.0.0.0 0.0.0.0 10.0.0.2

#

Branch2:

#//配置IKE对等体

ike peer center

 pre-shared-key cipher $c$3$cMb0kYdUI/oPRr73cb9nYCEYIZ+YMg==

 remote-address 10.0.0.2

 local-address 10.0.0.3

#//配置IPSec提议

ipsec transform-set center

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm md5

 esp encryption-algorithm 3des

#//配置感兴趣流

acl number 3000

 rule 0 permit ip source 3.3.3.3 0 destination 2.2.2.2 0

 rule 5 permit ip source 3.3.3.3 0 destination 1.1.1.1 0

#//配置ipsec策略

ipsec policy 1 1 isakmp

 security acl 3000

 ike-peer center

 transform-set center

#//配置接口

interface LoopBack0

 ip address 3.3.3.3 255.255.255.255

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 10.0.0.3 255.255.255.0

 ipsec policy 1

#//接口加入安全域

zone name Trust id 2

 priority 85

 import interface GigabitEthernet0/1

#//配置网关路由

 ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

#

四、 验证结果:

Center:

 

display ike sa verbose

    ---------------------------------------------

    connection id: 1

    vpn-instance:

    transmitting entity: responder

    ---------------------------------------------

    local ip: 10.0.0.2

    local id type: IPV4_ADDR

    local id: 10.0.0.2

 

    remote ip: 10.0.0.1

    remote id type: IPV4_ADDR

    remote id: 10.0.0.1

 

    authentication-method: PRE_SHARED

    authentication-algorithm: SHA

    encryption-algorithm: DES_CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 84261

    exchange-mode: MAIN

    diffie-hellman group: GROUP1

    nat traversal: NO

 

    ---------------------------------------------

    connection id: 4

    vpn-instance:

    transmitting entity: responder

    ---------------------------------------------

    local ip: 10.0.0.2

    local id type: IPV4_ADDR

    local id: 10.0.0.2

 

    remote ip: 10.0.0.3

    remote id type: IPV4_ADDR

    remote id: 10.0.0.3

 

    authentication-method: PRE_SHARED

    authentication-algorithm: SHA

    encryption-algorithm: DES_CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 86240

    exchange-mode: MAIN

    diffie-hellman group: GROUP1

nat traversal: NO

display ipsec sa   

===============================

Interface: GigabitEthernet0/0

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "center"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 1

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.1

    flow:

        sour addr: 2.2.2.2/255.255.255.255  port: 0  protocol: IP

        dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 714338904 (0x2a93f258)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/1454

      max sequence number received: 9

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 1574221484 (0x5dd4b6ac)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/1454

      max sequence number sent: 10

      udp encapsulation used for nat traversal: N

 

  -----------------------------

  IPsec policy name: "center"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 4

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.1

    flow:

        sour addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

        dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 2412168457 (0x8fc6c509)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3479

      max sequence number received: 3

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 3965919098 (0xec631f7a)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3479

      max sequence number sent: 4

      udp encapsulation used for nat traversal: N

===============================

Interface: GigabitEthernet0/0

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "center"

  sequence number: 2

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 2

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.3

    flow:

        sour addr: 2.2.2.2/255.255.255.255  port: 0  protocol: IP

        dest addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

               

    [inbound ESP SAs]

      spi: 2065185006 (0x7b1838ee)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3432

      max sequence number received: 4

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 3613849620 (0xd766f814)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3432

      max sequence number sent: 5

      udp encapsulation used for nat traversal: N

 

  -----------------------------

  IPsec policy name: "center"

  sequence number: 2

  acl version: ACL4

  mode: isakmp 

  -----------------------------

    connection id: 3

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.3

    flow:

        sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

        dest addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 2287353061 (0x88563ce5)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3476

      max sequence number received: 4

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 457680622 (0x1b47a6ee)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3476

      max sequence number sent: 4

      udp encapsulation used for nat traversal: N

Branch1:

 

display ike sa verbose

    ---------------------------------------------

    connection id: 1

    vpn-instance:

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 10.0.0.1

    local id type: IPV4_ADDR

    local id: 10.0.0.1

 

    remote ip: 10.0.0.2

    remote id type: IPV4_ADDR

    remote id: 10.0.0.2

 

    authentication-method: PRE_SHARED

    authentication-algorithm: SHA

    encryption-algorithm: DES_CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 84294

    exchange-mode: MAIN

    diffie-hellman group: GROUP1

nat traversal: NO

display ipsec sa   

===============================

Interface: GigabitEthernet0/1

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 1

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.1

        remote address: 10.0.0.2

    flow:

        sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

        dest addr: 2.2.2.2/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 1574221484 (0x5dd4b6ac)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/1489

      max sequence number received: 9

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 714338904 (0x2a93f258)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/1489

      max sequence number sent: 10

      udp encapsulation used for nat traversal: N

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 2

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.1

        remote address: 10.0.0.2

    flow:

        sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

        dest addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 3965919098 (0xec631f7a)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3513

      max sequence number received: 3

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 2412168457 (0x8fc6c509)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3513

      max sequence number sent: 4

      udp encapsulation used for nat traversal: N

Branch2:

 

display ike sa verbose

    ---------------------------------------------

    connection id: 4

    vpn-instance:

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 10.0.0.3

    local id type: IPV4_ADDR

    local id: 10.0.0.3

 

    remote ip: 10.0.0.2

    remote id type: IPV4_ADDR

    remote id: 10.0.0.2

 

    authentication-method: PRE_SHARED

    authentication-algorithm: SHA

    encryption-algorithm: DES_CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 86201

    exchange-mode: MAIN

    diffie-hellman group: GROUP1

nat traversal: NO

display ipsec sa

===============================

Interface: GigabitEthernet0/1

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 1

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.3

        remote address: 10.0.0.2

    flow:

        sour addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

        dest addr: 2.2.2.2/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 3613849620 (0xd766f814)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3399

      max sequence number received: 4

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 2065185006 (0x7b1838ee)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3399

      max sequence number sent: 5

      udp encapsulation used for nat traversal: N

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 2

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 10.0.0.3

        remote address: 10.0.0.2

    flow:

        sour addr: 3.3.3.3/255.255.255.255  port: 0  protocol: IP

        dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 457680622 (0x1b47a6ee)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3442

      max sequence number received: 3

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 2287353061 (0x88563ce5)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 1843200/3600

      sa remaining duration (kilobytes/sec): 1843199/3442

      max sequence number sent: 5

      udp encapsulation used for nat traversal: N

五、 配置关键点:

1)总部侧不推荐使用模板方式

2)总部侧需要配置精确ACL进行匹配分支侧互通流量

3)分支侧需要配置精确的ACL

4)用于转发的物理口需要加入安全域

5)总部侧如配置模板方式,需分支侧均向对端发起连接,此时总部侧IPSec SA已经建立,才能互通。

6)若中间存在nat设备,则IPSec需要配置为野蛮模式,同时配置nat穿越,两侧同时向总部进行触发动作。

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作