eNSP—防火墙+IPSec 站点到站点的虚拟专用网络_ensp路由器上ipsec

拓扑如下：

组网需求：
1、FW1内部网络172.16.1.0/24模拟站点一内部网络，pc1模拟站点一内部客户端。
2、FW2内部网络192.168.1.0/24模拟站点二内部网络，pc2模拟站点二内部客户端。
3、10.0.12.0/24和10.0.23.0/24网络模拟互联网，Internet路由器模拟互联网路由器。
4、本IPSec VPN组网的通信网络为192.168.1.0/24和172.16.1.0/24（感兴趣流），加密点为两个防火墙的外部接口地址。
4、PC1可以与PC2互通。

【1】FW1的配置命令：
#基本配置

[SRG]sysname fw1
[fw1]int g0/0/1
[fw1-GigabitEthernet0/0/1]ip add 172.16.1.254 24
[fw1-GigabitEthernet0/0/1]int g0/0/2
[fw1-GigabitEthernet0/0/2]ip add 10.0.12.1 24
[fw1-GigabitEthernet0/0/2]quit

[fw1]ip route-static 0.0.0.0 0.0.0.0 10.0.12.2
1
2
3
4
5
6
7
8

#配置接口加入到相应的安全区域

[fw1]firewall zone trust 
[fw1-zone-trust]add interface g0/0/1
[fw1-zone-trust]quit
[fw1]firewall zone untrust 
[fw1-zone-untrust]add interface g0/0/2
[fw1-zone-untrust]quit
1
2
3
4
5
6

【2】采用IKE安全策略方式建立IPSec隧道主要配置如下：

#配置访问控制列表匹配两端通信网络之间的IPSec VPN加密感兴趣流

[fw1]acl 3000
[fw1-acl-adv-3000]rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
1
2

#配置ike安全提议

[fw1]ike proposal 10
[fw1-ike-proposal-10]encryption-algorithm 3des-cbc 
[fw1-ike-proposal-10]dh group2
[fw1-ike-proposal-10]authentication-algorithm md5
[fw1-ike-proposal-10]quit
1
2
3
4
5

#配置ike Peer

[fw1]ike peer fw2	
[fw1-ike-peer-fw2]pre-shared-key qyt
[fw1-ike-peer-fw2]ike-proposal 10
[fw1-ike-peer-fw2]remote-address 10.0.23.1
[fw1-ike-peer-fw2]quit
1
2
3
4
5

#配置IPSec安全提议

[fw1]ipsec proposal qyt1	
[fw1-ipsec-proposal-qyt1]esp authentication-algorithm sha1 
[fw1-ipsec-proposal-qyt1]esp encryption-algorithm aes 
[fw1-ipsec-proposal-qyt1]quit
1
2
3
4

#配置IPSec安全策略组

[fw1]ipsec policy qytmap 10 isakmp 	
[fw1-ipsec-policy-isakmp-qytmap-10]security acl 3000
[fw1-ipsec-policy-isakmp-qytmap-10]ike-peer fw2
[fw1-ipsec-policy-isakmp-qytmap-10]proposal qyt1
[fw1-ipsec-policy-isakmp-qytmap-10]quit
1
2
3
4
5

#在接口上应用安全策略组

[fw1]int g0/0/2
[fw1-GigabitEthernet0/0/2]ipsec policy qytmap
[fw1-GigabitEthernet0/0/2]quit
1
2
3

【3】防火墙的域间策略主要配置如下：

#配置local区与untrust区的zone间策略
#放行untrust区到local区双方向的远端加密点到本端加密点的esp和ike流量

[fw1]policy interzone local untrust outbound 
[fw1-policy-interzone-local-untrust-outbound]policy 2	
[fw1-policy-interzone-local-untrust-outbound-2]policy source 10.0.12.1 0	
[fw1-policy-interzone-local-untrust-outbound-2]policy destination 10.0.23.1 0
[fw1-policy-interzone-local-untrust-outbound-2]policy service service-set ike 	
[fw1-policy-interzone-local-untrust-outbound-2]policy service service-set esp 
[fw1-policy-interzone-local-untrust-outbound-2]action permit 
[fw1-policy-interzone-local-untrust-outbound-2]quit
[fw1-policy-interzone-local-untrust-outbound]quit

[fw1]policy interzone untrust local inbound 
[fw1-policy-interzone-local-untrust-inbound]policy 2
[fw1-policy-interzone-local-untrust-inbound-2]policy source 10.0.23.1 0
[fw1-policy-interzone-local-untrust-inbound-2]policy destination 10.0.12.1 0
[fw1-policy-interzone-local-untrust-inbound-2]policy service service-set ike 	
[fw1-policy-interzone-local-untrust-inbound-2]policy service service-set esp 
[fw1-policy-interzone-local-untrust-inbound-2]action permit 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#配置trust区与untrust区的zone间策略
#放行untrust区和trust区双方向上通信网络之间的流量

[fw1]policy interzone untrust trust inbound 	
[fw1-policy-interzone-trust-untrust-inbound]policy 1
[fw1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.1.1 0	
[fw1-policy-interzone-trust-untrust-inbound-1]policy destination 172.16.1.1 0
[fw1-policy-interzone-trust-untrust-inbound-1]action permit 
[fw1-policy-interzone-trust-untrust-inbound-1]quit
[fw1-policy-interzone-trust-untrust-inbound]quit
[fw1]policy interzone trust untrust outbound 
[fw1-policy-interzone-trust-untrust-outbound]policy 1
[fw1-policy-interzone-trust-untrust-outbound-1]policy source 172.16.1.1 0
[fw1-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.1.1 0	
[fw1-policy-interzone-trust-untrust-outbound-1]action permit
1
2
3
4
5
6
7
8
9
10
11
12

【4】FW2的配置命令：
#基本配置

[SRG]sysname fw2
[fw2]int g0/0/1
[fw2-GigabitEthernet0/0/1]ip add 192.168.1.254 24
[fw2-GigabitEthernet0/0/1]int g0/0/2
[fw2-GigabitEthernet0/0/2]ip add 10.0.23.1 24
[fw2-GigabitEthernet0/0/2]quit

[fw2] ip route-static 0.0.0.0 0.0.0.0 10.0.23.2
1
2
3
4
5
6
7
8

#配置接口加入到相应的安全区域

[fw2]firewall zone trust 
[fw2-zone-trust]add interface g0/0/1
[fw2-zone-trust]quit
[fw2]firewall zone untrust 
[fw2-zone-untrust]add interface g0/0/2
[fw2-zone-untrust]quit
1
2
3
4
5
6

【5】采用IKE安全策略方式建立IPSec隧道主要配置如下：

#配置访问控制列表匹配两端通信网络之间的IPSec VPN加密感兴趣流

[fw2]acl 3000
[fw2-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[fw2-acl-adv-3000]quit
1
2
3

#配置ike安全提议

[fw2]ike proposal 10
[fw2-ike-proposal-10]encryption-algorithm 3des-cbc 	
[fw2-ike-proposal-10]dh group2
[fw2-ike-proposal-10]authentication-algorithm md5 
[fw2-ike-proposal-10]quit
1
2
3
4
5

#配置ike Peer

[fw2]ike peer fw1	
[fw2-ike-peer-fw1]pre-shared-key qyt
[fw2-ike-peer-fw1]ike-proposal 10
[fw2-ike-peer-fw1]remote-address 10.0.12.1
[fw2-ike-peer-fw1]quit
1
2
3
4
5

#配置IPSec安全提议

[fw2]ipsec proposal qyt1	
[fw2-ipsec-proposal-qyt1]esp authentication-algorithm sha1 
[fw2-ipsec-proposal-qyt1]esp encryption-algorithm aes 
[fw2-ipsec-proposal-qyt1]quit
1
2
3
4

#配置IPSec安全策略组

[fw2]ipsec policy qytmap 10 isakmp 	
[fw2-ipsec-policy-isakmp-qytmap-10]security acl 3000
[fw2-ipsec-policy-isakmp-qytmap-10]ike-peer fw1
[fw2-ipsec-policy-isakmp-qytmap-10]proposal qyt1
[fw2-ipsec-policy-isakmp-qytmap-10]quit
1
2
3
4
5

#在接口上应用安全策略组

[fw2]int g0/0/2
[fw2-GigabitEthernet0/0/2]ipsec policy qytmap
1
2

【6】防火墙的域间策略主要配置如下：

#配置local区与untrust区的zone间策略
#放行untrust区到local区双方向的远端加密点到本端加密点的esp和ike流量

[fw2]policy interzone local untrust outbound 
[fw2-policy-interzone-local-untrust-outbound]policy 2	
[fw2-policy-interzone-local-untrust-outbound-2]policy source 10.0.23.1 0	
[fw2-policy-interzone-local-untrust-outbound-2]policy destination 10.0.12.1 0
[fw2-policy-interzone-local-untrust-outbound-2]policy service service-set ike 
[fw2-policy-interzone-local-untrust-outbound-2]policy service service-set esp 	
[fw2-policy-interzone-local-untrust-outbound-2]action permit 
[fw2-policy-interzone-local-untrust-outbound-2]quit
[fw2-policy-interzone-local-untrust-outbound]quit
[fw2]policy interzone untrust local inbound 
[fw2-policy-interzone-local-untrust-inbound]policy 2
[fw2-policy-interzone-local-untrust-inbound-2]policy source 10.0.12.1 0
[fw2-policy-interzone-local-untrust-inbound-2]policy destination 10.0.23.1 0
[fw2-policy-interzone-local-untrust-inbound-2]policy service service-set ike 
[fw2-policy-interzone-local-untrust-inbound-2]policy service service-set esp 
[fw2-policy-interzone-local-untrust-inbound-2]action permit 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

#配置trust区与untrust区的zone间策略
#放行untrust区和trust区双方向上通信网络之间的流量

[fw2]policy interzone trust untrust outbound 
[fw2-policy-interzone-trust-untrust-outbound]policy 1
[fw2-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.1 0
[fw2-policy-interzone-trust-untrust-outbound-1]policy destination 172.16.1.1 0	
[fw2-policy-interzone-trust-untrust-outbound-1]action permit 
[fw2-policy-interzone-trust-untrust-outbound-1]quit
[fw2-policy-interzone-trust-untrust-outbound]quit
23:11:27  2022/03/02
[fw2]policy interzone untrust trust inbound 
[fw2-policy-interzone-trust-untrust-inbound]policy 1
[fw2-policy-interzone-trust-untrust-inbound-1]policy source 172.16.1.1 0
[fw2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.1 0
[fw2-policy-interzone-trust-untrust-inbound-1]action permit 
1
2
3
4
5
6
7
8
9
10
11
12
13

【7】AR1的配置命令：

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 10.0.12.2 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip add 10.0.23.2 24
[Huawei-GigabitEthernet0/0/2]quit	

[Huawei]ip route-static 192.168.1.0 24 10.0.23.1	
[Huawei]ip route-static 172.16.1.0 24 10.0.12.1
1
2
3
4
5
6
7
8
9

实验结果：PC1可以ping通PC2

！！！
PS：在防火墙策略那边使用不了ike的解决方法(如果没有自定义ike服务，策略那边就会使用不了ike)，使用这两条命令去定义：
[FW1]ip service-set ike type object
[FW1-object-service-set-ike]service 0 protocol udp source-port 0 to 65535 destination-port 500