Establishing a Point-to-Point IPSec VPN Between Headquarters and a Branch (Pre-Shared Key Authentication)


Networking Requirements

As shown in Figure 1, Network A and Network B are connected to the Internet through NGFW_A and NGFW_B respectively, and NGFW_A and NGFW_B are reachable from each other over public routes. An IPSec tunnel negotiated with IKE must be established between NGFW_A and NGFW_B so that users in Network A and Network B can access each other securely through the tunnel.


Figure 1: Example network for a point-to-point IPSec tunnel using IKE negotiation

Data Plan

[Figure: data plan table, supplied as an image in the original page]

Configuration Roadmap

The configuration roadmap is the same on NGFW_A and NGFW_B.

1. Configure IP addresses for the interfaces and add the interfaces to security zones.

2. Configure security policies.

3. Configure a route to the peer's private network.

4. Configure an IPSec policy, including the policy's basic information, the data flow to be encrypted, and the negotiation parameters of the security proposals.

Procedure

· Configure NGFW_A (headquarters).

1. Configure interface IP addresses.

<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

2. Add the interfaces to the corresponding security zones.

[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_A.

[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_A.

[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit

4. Configure a route to the peer's private network. Assume that the next-hop IP address from NGFW_A toward NGFW_B is 1.1.3.2.

[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2

5. Configure the IPSec tunnel on NGFW_A.

a. Configure an ACL to define the data flow to be protected.

[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit

b. Configure IKE proposal 10.

[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit

c. Configure the IKE peer.

[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit

d. Configure an IPSec proposal named tran1.

[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit

e. Configure IPSec policy group map1.

[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit

· Configure NGFW_B (branch).

1. Configure interface IP addresses.

<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

2. Add the interfaces to the corresponding security zones.

[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_B.

[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_B.

[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit

4. Configure a route to the peer's private network. Assume that the next-hop IP address from NGFW_B toward NGFW_A is 1.1.5.2.

[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2

5. Configure the IPSec tunnel on NGFW_B.

a. Configure an ACL to define the data flow to be protected.

[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit

b. Configure IKE proposal 10.

[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit

c. Configure the IKE peer.

[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit

d. Configure an IPSec proposal named tran1.

[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit

e. Configure IPSec policy group map1.

[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit

Verification

1. After the configuration is complete, run the display ike sa command on NGFW_A to check the IKE SA. The following output indicates that the IKE SA has been established.

[NGFW_A] display ike sa
current ike sa number: 2
---------------------------------------------------------------------------
conn-id    peer                                flag          phase vpn
---------------------------------------------------------------------------
3          1.1.5.1                             RD|ST|A       v1:2  public
2          1.1.5.1                             RD|ST|A       v1:1  public
 flag meaning
 RD--READY     ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
 TD--DELETING  NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
 A--ALONE

2. Run the display ipsec sa command on NGFW_A to check the IPSec SA. The following output indicates that the IPSec SA has been established.

[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
   path MTU: 1500
===============================
                         
 -----------------------------
 IPsec policy name: "map1"
 sequence number: 10
 mode: isakmp
 vpn: 0
 -----------------------------
   connection id: 3
 rule number: 5
   encapsulation mode: tunnel
   holding time: 0d 0h 0m 12s
   tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
   flow      source: 10.1.1.0/255.255.255.0 0/0
   flow destination: 10.1.2.0/255.255.255.0 0/0
                         
   [inbound ESP SAs]
     spi: 3715780278 (0xdd7a4eb6)
   vpn: public  said: 0  cpuid: 0x0000
     proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
     sa remaining key duration (kilobytes/sec): 1843200/3588
     max received sequence-number: 1
     udp encapsulation used for nat traversal: N
                         
 [outbound ESP SAs]
    spi: 3312146193 (0xc56b5711)
     vpn: public  said: 1  cpuid: 0x0000
     proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
     sa remaining key duration (kilobytes/sec): 1843200/3588
     max sent sequence-number: 1
    udp encapsulation used for nat traversal: N
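The two display commands above are what an operator reads by eye; when many tunnels have to be checked, the same reading can be scripted. The following Python is an added example, not part of the page or of any Huawei tool. It parses the rows of display ike sa into their conn-id, peer, flag, phase and vpn columns, classifies the tunnel toward a given peer as up (a phase-2 SA is READY), phase1-only (only the phase-1 SA is READY, which points at a phase-2 parameter such as the ACL or IPSec proposal not matching) or down, and confirms that every ESP SA in display ipsec sa uses the transform configured in step 5d. IKE_SA_OK and IPSEC_SA are copied from the verification output above; IKE_SA_NEG is a constructed sample.

```python
"""Automate the verification step: parse 'display ike sa' and 'display ipsec sa' output.

Added example, not part of the page or of any Huawei tool. IKE_SA_OK and IPSEC_SA
are copied from the page's verification output; IKE_SA_NEG is constructed to show
a tunnel whose phase 2 is still negotiating.
"""
import re

IKE_SA_OK = """\
current ike sa number: 2
---------------------------------------------------------------------------
conn-id    peer                                flag          phase vpn
---------------------------------------------------------------------------
3          1.1.5.1                             RD|ST|A       v1:2  public
2          1.1.5.1                             RD|ST|A       v1:1  public
 flag meaning
 RD--READY     ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
"""

# Constructed sample: phase 1 is READY but phase 2 has not completed.
IKE_SA_NEG = """\
current ike sa number: 2
conn-id    peer                                flag          phase vpn
3          1.1.5.1                             NEG|A         v1:2  public
2          1.1.5.1                             RD|ST|A       v1:1  public
"""

IPSEC_SA = """\
   [inbound ESP SAs]
     spi: 3715780278 (0xdd7a4eb6)
     proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
     sa remaining key duration (kilobytes/sec): 1843200/3588
 [outbound ESP SAs]
     spi: 3312146193 (0xc56b5711)
     proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
"""

# conn-id, peer, '|'-separated flags, phase (v1:1 / v1:2 / v2:1 / v2:2), vpn instance
SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(v[12]:[12])\s+(\S+)\s*$")

EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES ESP-AUTH-SHA2-256"   # the transform configured in step 5d


def parse_ike_sa(output):
    """Return one dict per SA row of 'display ike sa'; header and legend lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            rows.append({"conn_id": int(m.group(1)), "peer": m.group(2),
                         "flags": set(m.group(3).split("|")),
                         "phase": m.group(4), "vpn": m.group(5)})
    return rows


def tunnel_state(output, peer):
    """'up' if a READY phase-2 SA exists toward peer, 'phase1-only' if only
    phase 1 is READY, otherwise 'down'."""
    ready = {r["phase"] for r in parse_ike_sa(output)
             if r["peer"] == peer and "RD" in r["flags"]}
    if any(p.endswith(":2") for p in ready):
        return "up"
    if any(p.endswith(":1") for p in ready):
        return "phase1-only"
    return "down"


def ipsec_proposals(output):
    """Every 'proposal:' value (one per ESP SA) in 'display ipsec sa' output."""
    return re.findall(r"proposal:\s*(.+?)\s*$", output, re.M)


def ipsec_sa_matches(output, expected=EXPECTED_PROPOSAL):
    """True only when at least one ESP SA exists and all of them use the expected transform."""
    props = ipsec_proposals(output)
    return bool(props) and all(p == expected for p in props)


if __name__ == "__main__":
    print("IKE toward 1.1.5.1:", tunnel_state(IKE_SA_OK, "1.1.5.1"))
    print("ESP SAs use expected transform:", ipsec_sa_matches(IPSEC_SA))
```

The phase column distinguishes the two IKEv1 exchanges (v1:1 is the ISAKMP SA, v1:2 the IPSec SA negotiation), so the classifier only reports "up" when the second one carries the RD flag; a peer that appears only in a v1:1 row is still negotiating the data-protection SA and the tunnel cannot carry traffic yet.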

Configuration Scripts

· Configuration script of NGFW_A (headquarters)

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer b
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.5.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer b
alias map1_10
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
 rule name policy_ipsec_1
   source-zone trust
   destination-zone untrust
   source-address 10.1.1.0 24
   destination-address 10.1.2.0 24
   action permit
 rule name policy_ipsec_2
   source-zone untrust
   destination-zone trust
   source-address 10.1.2.0 24
   destination-address 10.1.1.0 24
   action permit
 rule name policy_ipsec_3
   source-zone local
   destination-zone untrust
   source-address 1.1.3.1 32
   destination-address 1.1.5.1 32
   action permit
 rule name policy_ipsec_4
   source-zone untrust
   destination-zone local
   source-address 1.1.5.1 32
   destination-address 1.1.3.1 32
   action permit

· Configuration script of NGFW_B (branch)

#
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer a
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.5.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
 rule name policy_ipsec_1
   source-zone trust
   destination-zone untrust
   source-address 10.1.2.0 24
   destination-address 10.1.1.0 24
   action permit
 rule name policy_ipsec_2
   source-zone untrust
   destination-zone trust
   source-address 10.1.1.0 24
   destination-address 10.1.2.0 24
   action permit
 rule name policy_ipsec_3
   source-zone local
   destination-zone untrust
   source-address 1.1.5.1 32
   destination-address 1.1.3.1 32
   action permit
 rule name policy_ipsec_4
   source-zone untrust
   destination-zone local
   source-address 1.1.3.1 32
   destination-address 1.1.5.1 32
   action permit
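Most failures of a configuration like this one come from the two peers not mirroring each other: a remote-address that is not the other side's tunnel endpoint, ACL flows that are not each other's reverse, differing IPSec proposals or IKE version settings, or a missing route toward the remote private network. The script format above makes such a comparison easy to automate. The following Python is an added example, not part of the page or of any Huawei tool; it parses the '#'-separated block format of the configuration scripts and reports the mismatches. The embedded sample scripts are excerpts copied from the NGFW_A and NGFW_B scripts on this page (pre-shared keys omitted, since the stored %$%$...%$%$ form is device-encrypted and cannot be compared as text).

```python
"""Cross-check two Huawei NGFW IPSec peer configurations for mirror consistency.

Added example, not part of the page or any Huawei tool. It parses the script
format shown on the page ('#'-separated blocks headed by the block's first line).
Sample scripts are excerpts of the page's NGFW_A/NGFW_B scripts, keys omitted.
"""
import re

NGFW_A_CFG = """
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer b
undo version 2
remote-address 1.1.5.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
ipsec policy map1 auto-neg
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
"""

NGFW_B_CFG = """
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer a
undo version 2
remote-address 1.1.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
interface GigabitEthernet1/0/1
ip address 1.1.5.1 255.255.255.0
ipsec policy map1 auto-neg
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
"""


def parse_script(text):
    """Split a script into {block header: [parameter lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None          # '#' (or a blank line) closes the current block
        elif current is None:
            current = line          # first line after '#' names the block
            blocks[current] = []
        else:
            blocks[current].append(line)
    return blocks


def block(blocks, prefix):
    """Parameter lines of the first block whose header starts with prefix."""
    return next((p for h, p in blocks.items() if h.startswith(prefix)), [])


def param(params, key):
    """Value following `key` within a block's parameter lines, or None."""
    return next((p[len(key) + 1:] for p in params if p.startswith(key + " ")), None)


def summarize(text):
    """Extract the fields that must agree (or mirror) between the two peers."""
    b = parse_script(text)
    m = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", " ".join(block(b, "acl number")))
    local_ip = None
    for header, params in b.items():  # the interface carrying the IPSec policy is the tunnel endpoint
        if header.startswith("interface") and any(p.startswith("ipsec policy") for p in params):
            local_ip = param(params, "ip address").split()[0]
    peer = block(b, "ike peer")
    return {"flow": m.groups() if m else None,
            "remote": param(peer, "remote-address"),
            "ikev1_only": "undo version 2" in peer,
            "ipsec_prop": sorted(block(b, "ipsec proposal")),
            "local_ip": local_ip,
            "routes": [h for h in b if h.startswith("ip route-static")]}


def check_peers(cfg_a, cfg_b):
    """Return mismatch descriptions; an empty list means the peers mirror each other."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    problems = []
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["remote"] != y["local_ip"]:
            problems.append(f"{nx} remote-address {x['remote']} != {ny} tunnel endpoint {y['local_ip']}")
        if x["flow"] and not any(x["flow"][2] in r for r in x["routes"]):
            problems.append(f"{nx} has no static route toward {x['flow'][2]}")
    if a["flow"] and b["flow"] and a["flow"] != b["flow"][2:] + b["flow"][:2]:
        problems.append("ACL data flows are not mirror images of each other")
    if a["ikev1_only"] != b["ikev1_only"]:
        problems.append("IKE version settings differ")
    if a["ipsec_prop"] != b["ipsec_prop"]:
        problems.append("IPSec proposal parameters differ")
    return problems
```

Running check_peers on the two scripts as given on the page returns an empty list; editing one side's remote-address, ACL, route or proposal produces a one-line description of the specific asymmetry, which is what you would otherwise have to infer from an IKE SA that never leaves the NEG state.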