Huawei USG firewall IPsec VPN configuration

Experiment topology

The Huawei eNSP 1.2.00.370 simulator is used.


Experiment requirements

USG-1 and USG-2 simulate enterprise edge devices. Configure NAT and an IPsec VPN on both of them so that the two private networks can reach each other through the VPN.



Experiment configuration



R1 IP address configuration is omitted.


USG-1 configuration

[USG-1]firewall zone trust          //configure the trust zone

[USG-1-zone-trust]add interface g0/0/0    //add the interface to the trust zone

[USG-1-zone-trust]quit

[USG-1]firewall zone untrust           //configure the untrust zone

[USG-1-zone-untrust]add int g0/0/1          //add the interface to the untrust zone

[USG-1-zone-untrust]quit

[USG-1]int g0/0/0

[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24

[USG-1-GigabitEthernet0/0/0]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24

[USG-1-GigabitEthernet0/0/1]quit

[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1   //default route toward the public network

[USG-1]nat-policy interzone trust untrust outbound

//enter the NAT policy view for the outbound direction from trust to untrust

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1     //create a policy

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat

//the three commands above mean: do not NAT packets whose source is 192.168.10.0/24 and whose destination is 192.168.20.0/24; policies are matched in order, so this exemption must come before the general source-NAT policy that follows

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2  //create policy 2

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

//allow source NAT

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1

//reuse the address of interface G0/0/1 (easy IP)

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]quit


--------------------------- Phase 1 -----------------------------------------------------


[USG-1]ike proposal 1     //configure an IKE security proposal

[USG-1-ike-proposal-1]authentication-method pre-share   //set the IKE authentication method to pre-shared key

[USG-1-ike-proposal-1]authentication-algorithm sha1   //set the IKE authentication algorithm to SHA1

[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96  //set the IKE integrity algorithm

[USG-1-ike-proposal-1]dh group2  //set the DH group for IKE key negotiation

[USG-1-ike-proposal-1]quit

[USG-1]ike peer USG-2             //create an IKE peer named USG-2

[USG-1-ike-peer-usg-2]pre-shared-key abc123    //configure the pre-shared key

[USG-1-ike-peer-usg-2]remote-address 12.0.0.2  //configure the peer's IP address

[USG-1-ike-peer-usg-2]ike-proposal 1       //reference the IKE security proposal

[USG-1-ike-peer-usg-2]quit

---------------------------- Phase 2 -----------------------------------------------------

[USG-1]ipsec proposal test        //configure an IPsec security proposal

[USG-1-ipsec-proposal-test]encapsulation-mode tunnel    //use tunnel-mode encapsulation

[USG-1-ipsec-proposal-test]transform esp    //set the IPsec security protocol to ESP

[USG-1-ipsec-proposal-test]esp encryption-algorithm aes   //set the ESP encryption algorithm to AES

[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1  //set the ESP authentication algorithm

[USG-1-ipsec-proposal-test]quit

[USG-1]acl 3000         //create an ACL that defines the interesting traffic

[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[USG-1-acl-adv-3000]quit

[USG-1]ipsec policy map 1 isakmp    //create a security policy named map (ISAKMP mode)

[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2    //reference the IKE peer

[USG-1-ipsec-policy-isakmp-map-1]proposal test     //reference the IPsec security proposal

[USG-1-ipsec-policy-isakmp-map-1]security acl 3000   //specify the interesting traffic

[USG-1-ipsec-policy-isakmp-map-1]quit

[USG-1]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ipsec policy map     //apply the security policy on the outside interface

[USG-1-GigabitEthernet0/0/1]quit


Interzone policy configuration

[USG-1]policy interzone trust untrust outbound

//enter the security policy view for the outbound direction from trust to untrust

[USG-1-policy-interzone-trust-untrust-outbound]policy 1    //create a policy

[USG-1-policy-interzone-trust-untrust-outbound-1]action permit

//allow all hosts in the trust zone to access the untrust zone

[USG-1-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-policy-interzone-trust-untrust-outbound]quit

[USG-1]policy interzone trust untrust inbound

//enter the security policy view for the inbound direction between trust and untrust

[USG-1-policy-interzone-trust-untrust-inbound]policy 1

[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]action permit 

//the commands above allow traffic with source 192.168.20.0/24 and destination 192.168.10.0/24 to pass

[USG-1-policy-interzone-trust-untrust-inbound-1]quit

[USG-1-policy-interzone-trust-untrust-inbound]quit

[USG-1]policy interzone local untrust inbound

//enter the security policy view for the inbound direction from untrust to the local zone (the firewall itself)

[USG-1-policy-interzone-local-untrust-inbound]policy 1

[USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]action permit 

//allow packets from source 12.0.0.2 to destination 11.0.0.2, i.e. the peer's IKE and ESP traffic addressed to this firewall


USG-2 configuration

[USG-2]firewall zone trust 

[USG-2-zone-trust]add int g0/0/0

[USG-2-zone-trust]quit

[USG-2]firewall zone untrust 

[USG-2-zone-untrust]add int g0/0/1

[USG-2-zone-untrust]quit

[USG-2]int g0/0/0

[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24

[USG-2-GigabitEthernet0/0/0]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

[USG-2]nat-policy interzone trust untrust outbound 

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat 

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat 

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]quit


[USG-2]ike proposal 1

[USG-2-ike-proposal-1]authentication-method pre-share 

[USG-2-ike-proposal-1]authentication-algorithm sha1 

[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96 

[USG-2-ike-proposal-1]dh group2

[USG-2-ike-proposal-1]quit

[USG-2]ike peer USG-A

[USG-2-ike-peer-usg-a]pre-shared-key abc123

[USG-2-ike-peer-usg-a]ike-proposal 1

[USG-2-ike-peer-usg-a]remote-address 11.0.0.2

[USG-2-ike-peer-usg-a]quit

[USG-2]ipsec proposal test

[USG-2-ipsec-proposal-test]encapsulation-mode tunnel 

[USG-2-ipsec-proposal-test]transform esp 

[USG-2-ipsec-proposal-test]esp encryption-algorithm aes

[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1 

[USG-2-ipsec-proposal-test]quit

[USG-2]acl 3000

[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[USG-2-acl-adv-3000]quit

[USG-2]ipsec policy map 1 isakmp 

[USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A

[USG-2-ipsec-policy-isakmp-map-1]proposal test

[USG-2-ipsec-policy-isakmp-map-1]security acl 3000

[USG-2-ipsec-policy-isakmp-map-1]quit

[USG-2]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ipsec policy map

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]policy interzone trust untrust outbound 

[USG-2-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-policy-interzone-trust-untrust-outbound-1]action permit 

[USG-2-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-policy-interzone-trust-untrust-outbound]quit

[USG-2]policy interzone trust untrust inbound 

[USG-2-policy-interzone-trust-untrust-inbound]policy 1

[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]action permit 

[USG-2-policy-interzone-trust-untrust-inbound-1]quit

[USG-2-policy-interzone-trust-untrust-inbound]quit

[USG-2]policy interzone local untrust inbound 

[USG-2-policy-interzone-local-untrust-inbound]policy 1

[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]action permit 
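The USG-1 and USG-2 configurations above only work if they are exact mirrors of each other: the interesting-traffic ACLs must be reversed, the NAT exemption must be matched before the easy-ip source NAT, the pre-shared keys must agree and each remote-address must be the other side's outside interface. The following script is an added example, not part of the article or any Huawei tool: it parses prompt-prefixed command lines in the style used above (constructed excerpts with the article's addressing plan are embedded) and reports the mismatches that typically leave the tunnel down or, worse, send private traffic out through NAT instead of the tunnel. It assumes the outside interface is g0/0/1 on both sides and that NAT policies are evaluated in ascending policy number, first match wins.

```python
import ipaddress
import re

# Added example, not part of the article: cross-checks two Huawei USG-style
# site-to-site IPsec configurations written as prompt-prefixed command lines.
PROMPT = re.compile(r"^\[(?P<prompt>[^\]]+)\](?P<cmd>.+)$")

def norm_if(name):
    """'GigabitEthernet0/0/1' and 'g0/0/1' name the same interface."""
    return name.lower().replace("gigabitethernet", "g")

def wildcard_net(addr, wildcard):
    """Huawei ACL/policy syntax: address plus wildcard mask (0 = single host)."""
    if wildcard == "0":
        return ipaddress.ip_network(addr + "/32")
    return ipaddress.ip_network((addr, wildcard), strict=False)

def parse(text, device):
    """Collect interface IPs, numbered NAT policies, IKE peer settings and ACL rules."""
    cfg = {"iface": {}, "nat": {}, "ike": {}, "acl": []}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view = m["prompt"][len(device):].lstrip("-")  # prompt minus the device name
        words = m["cmd"].split()
        tail = view.rsplit("-", 1)[-1]
        if view.startswith("GigabitEthernet") and words[:2] == ["ip", "add"]:
            cfg["iface"][norm_if(view)] = words[2]
        elif view.startswith("nat-policy") and tail.isdigit():
            pol = cfg["nat"].setdefault(int(tail), {})
            if words[0] == "policy":        # policy source|destination ADDR WILDCARD
                pol[words[1]] = wildcard_net(words[2], words[3])
            elif words[0] == "action":
                pol["action"] = words[1]
            elif words[0] == "easy-ip":
                pol["easy-ip"] = norm_if(words[1])
        elif view.startswith("ike-peer"):   # pre-shared-key / remote-address
            cfg["ike"][words[0]] = words[1]
        elif view.startswith("acl-adv") and words[:2] == ["rule", "permit"]:
            cfg["acl"].append((wildcard_net(words[4], words[5]),
                               wildcard_net(words[7], words[8])))
    return cfg

def nat_result(cfg, src, dst):
    """Source address after the trust->untrust NAT policy; the first matching policy wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pid in sorted(cfg["nat"]):
        pol = cfg["nat"][pid]
        if "source" in pol and src_ip not in pol["source"]:
            continue
        if "destination" in pol and dst_ip not in pol["destination"]:
            continue
        if pol.get("action") == "no-nat":
            return src
        if pol.get("action") == "source-nat":
            return cfg["iface"][pol["easy-ip"]]  # easy-ip: borrow the interface address
    return src  # nothing matched: not translated

def check_pair(a, b, outside="g0/0/1"):
    """List the mismatches between the two sides; an empty list means they agree."""
    problems = []
    if a["ike"].get("pre-shared-key") != b["ike"].get("pre-shared-key"):
        problems.append("pre-shared keys differ")
    for side, peer, name in ((a, b, "A"), (b, a, "B")):
        if side["ike"].get("remote-address") != peer["iface"].get(outside):
            problems.append(f"{name}: remote-address is not the peer's outside IP")
        for src_net, dst_net in side["acl"]:
            if (dst_net, src_net) not in peer["acl"]:
                problems.append(f"{name}: ACL {src_net}->{dst_net} not mirrored on the peer")
            src, dst = str(next(src_net.hosts())), str(next(dst_net.hosts()))
            if nat_result(side, src, dst) != src:
                problems.append(f"{name}: VPN traffic {src_net}->{dst_net} would be NATed")
    return problems

# Constructed excerpt of the USG-1 configuration, using the article's addressing plan.
USG1 = """
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
[USG-1-ike-peer-usg-2]pre-shared-key abc123
[USG-1-ike-peer-usg-2]remote-address 12.0.0.2
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""

def mirror(text):
    """Constructed peer config: swap the two LAN prefixes and the two outside addresses."""
    swaps = {"USG-1": "USG-2", "192.168.10.": "192.168.20.", "192.168.20.": "192.168.10.",
             "11.0.0.2": "12.0.0.2", "12.0.0.2": "11.0.0.2"}
    return re.sub("|".join(map(re.escape, swaps)), lambda m: swaps[m.group()], text)

USG2 = mirror(USG1)
# Failure mode: the no-nat exemption numbered after the general source-NAT policy.
USG1_BAD = USG1.replace("outbound-1]", "outbound-9]")
```

With the configurations as written, check_pair(parse(USG1, "USG-1"), parse(USG2, "USG-2")) returns an empty list, nat_result on USG-1 leaves 192.168.10.10 untranslated toward 192.168.20.10 but rewrites it to 11.0.0.2 toward an Internet address, and USG1_BAD (same commands, exemption renumbered after the source-NAT policy) is flagged because LAN-to-LAN traffic would be NATed and never match the interesting-traffic ACL.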



Ping C2 (192.168.20.10) from C1 (192.168.10.10).


Use display ike sa and display ipsec sa to check the state of the neighbor establishment.