
Playing with the Huawei ENSP Simulator Series | Multi-link Backup for an IPSec VPN Tunnel Between Two Gateways Using Tunnel Interfaces


Source material: Huawei Firewall Configuration Guide

These are lab notes compiled while learning, shared with everyone; anything infringing copyright will be removed on request. Thanks for your support!

Index post: Playing with the Huawei ENSP Simulator Series | Collection (COCOgsta's blog, CSDN)


Objective

This example describes how to configure an IPSec tunnel between two sites using the Tunnel-interface method. Complete the configuration in this example from the command line.

Networking Requirements

As shown in Figure 1, Network A and Network B connect to the Internet through FW_A and FW_B.

There are multiple routable links between FW_A and FW_B.

The networking requirements are as follows:

  • Hosts PC1 and PC2 can communicate securely through an IPSec tunnel.
  • Link backup is provided between FW_A and FW_B: when one link fails, IPSec traffic continues over the remaining links.

Configuration Roadmap

  1. Basic configuration: configure interface IP addresses, add the interfaces to the appropriate security zones, and configure security policies.
  2. Create and configure the Tunnel interface, and add it to the appropriate security zone.
  3. Configure public-network routes; static routes are normally configured on the FW.
  4. Configure IPSec.

Procedure

Configure FW_A.

  1. Configure the interface IP addresses.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface gigabitethernet 1/0/3
      [FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
      [FW_A-GigabitEthernet1/0/3] quit
      [FW_A] interface gigabitethernet 1/0/1
      [FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet1/0/1] quit
      [FW_A] interface gigabitethernet 1/0/2
      [FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
      [FW_A-GigabitEthernet1/0/2] quit
      [FW_A] interface gigabitethernet 1/0/4
      [FW_A-GigabitEthernet1/0/4] ip address 3.3.3.3 24
      [FW_A-GigabitEthernet1/0/4] quit

  2. Create and configure the Tunnel interface.

      [FW_A] interface tunnel 0
      [FW_A-tunnel0] tunnel-protocol ipsec
      [FW_A-tunnel0] ip address 1.1.0.2 24
      [FW_A-tunnel0] quit

  3. Enable the interzone security policies.

     Enable the interzone policy between the Trust and Untrust zones so that packets can be forwarded normally.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy_ipsec_1
      [FW_A-policy-security-rule-policy_ipsec_1] source-zone trust
      [FW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
      [FW_A-policy-security-rule-policy_ipsec_1] source-address 10.3.0.0 24
      [FW_A-policy-security-rule-policy_ipsec_1] destination-address 10.4.0.0 24
      [FW_A-policy-security-rule-policy_ipsec_1] action permit
      [FW_A-policy-security-rule-policy_ipsec_1] quit
      [FW_A-policy-security] rule name policy_ipsec_2
      [FW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
      [FW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
      [FW_A-policy-security-rule-policy_ipsec_2] source-address 10.4.0.0 24
      [FW_A-policy-security-rule-policy_ipsec_2] destination-address 10.3.0.0 24
      [FW_A-policy-security-rule-policy_ipsec_2] action permit
      [FW_A-policy-security-rule-policy_ipsec_2] quit

     Enable the interzone policy between the Local and Untrust zones so that the tunnel can be established.

      [FW_A-policy-security] rule name policy_ipsec_3
      [FW_A-policy-security-rule-policy_ipsec_3] source-zone local
      [FW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
      [FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy_ipsec_3] source-address 2.2.2.2 32
      [FW_A-policy-security-rule-policy_ipsec_3] source-address 3.3.3.3 32
      [FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.0.2 32
      [FW_A-policy-security-rule-policy_ipsec_3] destination-address 4.4.4.4 32
      [FW_A-policy-security-rule-policy_ipsec_3] action permit
      [FW_A-policy-security-rule-policy_ipsec_3] quit
      [FW_A-policy-security] rule name policy_ipsec_4
      [FW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
      [FW_A-policy-security-rule-policy_ipsec_4] destination-zone local
      [FW_A-policy-security-rule-policy_ipsec_4] source-address 4.4.4.4 32
      [FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy_ipsec_4] destination-address 2.2.2.2 32
      [FW_A-policy-security-rule-policy_ipsec_4] destination-address 3.3.3.3 32
      [FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.0.2 32
      [FW_A-policy-security-rule-policy_ipsec_4] action permit
      [FW_A-policy-security-rule-policy_ipsec_4] quit
      [FW_A-policy-security] quit

  4. Configure a static route to Network B. Here the outbound interface toward Network B is assumed to be Tunnel 0.

      [FW_A] ip route-static 10.4.0.0 255.255.255.0 tunnel 0

  5. Configure three equal-cost routes to FW_B (the next hops are assumed to be as shown in the configuration).

      [FW_A] ip route-static 4.4.4.4 32 1.1.1.254
      [FW_A] ip route-static 4.4.4.4 32 2.2.2.254
      [FW_A] ip route-static 4.4.4.4 32 3.3.3.254

  6. Define the data flow to be protected by IPSec.

      [FW_A] acl 3000
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
      [FW_A-acl-adv-3000] quit

  7. Configure an IPSec proposal named tran1.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_A-ipsec-proposal-tran1] transform esp
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

  8. Configure IKE proposal 10.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] quit

  9. Configure the IKE peer.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] remote-address 4.4.4.4
      [FW_A-ike-peer-b] pre-shared-key Test!123
      [FW_A-ike-peer-b] quit

  10. Configure IPSec policy map1.

      [FW_A] ipsec policy map1 10 isakmp
      [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
      [FW_A-ipsec-policy-isakmp-map1-10] quit

  11. Apply IPSec policy map1 on the Tunnel interface.

      [FW_A] interface tunnel 0
      [FW_A-tunnel0] ipsec policy map1
      [FW_A-tunnel0] quit

Configure FW_B.

  1. Basic configuration. Configure the interface IP addresses according to the data in Figure 1. Add interface GE1/0/3 to the Trust zone and interface GE1/0/1 to the Untrust zone. For the detailed steps, see the FW_A configuration.

  2. Enable the interzone security policies.

     Enable the interzone policy between the Trust and Untrust zones so that packets can be forwarded normally.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy_ipsec_1
      [FW_B-policy-security-rule-policy_ipsec_1] source-zone trust
      [FW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
      [FW_B-policy-security-rule-policy_ipsec_1] source-address 10.4.0.0 24
      [FW_B-policy-security-rule-policy_ipsec_1] destination-address 10.3.0.0 24
      [FW_B-policy-security-rule-policy_ipsec_1] action permit
      [FW_B-policy-security-rule-policy_ipsec_1] quit
      [FW_B-policy-security] rule name policy_ipsec_2
      [FW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
      [FW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
      [FW_B-policy-security-rule-policy_ipsec_2] source-address 10.3.0.0 24
      [FW_B-policy-security-rule-policy_ipsec_2] destination-address 10.4.0.0 24
      [FW_B-policy-security-rule-policy_ipsec_2] action permit
      [FW_B-policy-security-rule-policy_ipsec_2] quit

     Enable the interzone policy between the Local and Untrust zones so that the tunnel can be established.

      [FW_B-policy-security] rule name policy_ipsec_3
      [FW_B-policy-security-rule-policy_ipsec_3] source-zone local
      [FW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
      [FW_B-policy-security-rule-policy_ipsec_3] source-address 4.4.4.4 32
      [FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy_ipsec_3] destination-address 2.2.2.2 32
      [FW_B-policy-security-rule-policy_ipsec_3] destination-address 3.3.3.3 32
      [FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.0.2 32
      [FW_B-policy-security-rule-policy_ipsec_3] action permit
      [FW_B-policy-security-rule-policy_ipsec_3] quit
      [FW_B-policy-security] rule name policy_ipsec_4
      [FW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
      [FW_B-policy-security-rule-policy_ipsec_4] destination-zone local
      [FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy_ipsec_4] source-address 2.2.2.2 32
      [FW_B-policy-security-rule-policy_ipsec_4] source-address 3.3.3.3 32
      [FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.0.2 32
      [FW_B-policy-security-rule-policy_ipsec_4] destination-address 4.4.4.4 32
      [FW_B-policy-security-rule-policy_ipsec_4] action permit
      [FW_B-policy-security-rule-policy_ipsec_4] quit
      [FW_B-policy-security] quit

  3. Configure a static route to Network A. Here the next-hop address is assumed to be 4.4.4.254.

      [FW_B] ip route-static 10.3.0.0 255.255.255.0 4.4.4.254

  4. Configure a route to the Tunnel interface of FW_A.

      [FW_B] ip route-static 1.1.0.2 255.255.255.255 4.4.4.254

  5. Define the data flow to be protected by IPSec.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

  6. Configure an IPSec proposal named tran1.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_B-ipsec-proposal-tran1] transform esp
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

  7. Configure IKE proposal 10.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] quit

  8. Configure an IKE peer named a.

      [FW_B] ike peer a
      [FW_B-ike-peer-a] ike-proposal 10
      [FW_B-ike-peer-a] remote-address 1.1.0.2
      [FW_B-ike-peer-a] pre-shared-key Test!123
      [FW_B-ike-peer-a] quit

  9. Configure IPSec policy map1 with sequence number 10.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
      [FW_B-ipsec-policy-isakmp-map1-10] quit

  10. Apply IPSec policy map1 on interface GE1/0/1.

      [FW_B] interface gigabitethernet 1/0/1
      [FW_B-GigabitEthernet1/0/1] ipsec policy map1
      [FW_B-GigabitEthernet1/0/1] quit

Verification

  1. After the configuration is complete, run the ping command on PC1 to check whether PC2 can be reached. If the configuration is correct, PC1 and PC2 can ping each other. If the output shown in steps 2, 3 and 4 appears, the traffic between PC1 and PC2 is being encapsulated by the IPSec tunnel.

  2. Run display ike sa on FW_A and FW_B to show the IKE SA establishment status. Taking FW_A as an example, the following output indicates that the IKE SA has been established successfully.

      <FW_A> display ike sa
      Ike sa number: 2
      -----------------------------------------------------------------------------
      Conn-ID    Peer            VPN    Flag(s)    Phase
      -----------------------------------------------------------------------------
      20002      4.4.4.4                RD|ST|A    v2:2
      20001      4.4.4.4                RD|ST|A    v2:1
      Number of SA entries : 2
      Number of SA entries of all cpu : 2
      Flag Description:
      RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
      HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
      M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

  3. Run display ipsec sa on FW_A and FW_B to show the IPSec SA establishment status. Taking FW_A as an example, the following output indicates that the IPSec SA has been established successfully.

      <FW_A> display ipsec sa
      ===============================
      Interface: Tunnel0
      ===============================
      -----------------------------
      IPSec policy name: "map1"
      Sequence number : 10
      Acl group : 3000
      Acl rule : 5
      Mode : ISAKMP
      -----------------------------
      Connection ID: 40002
      Encapsulation mode: Tunnel
      Tunnel local : 1.1.0.2
      Tunnel remote : 4.4.4.4
      Flow source : 10.3.0.0/255.255.255.0 0/0
      Flow destination : 10.4.0.0/255.255.255.0 0/0
      [Outbound ESP SAs]
      SPI: 228290096 (0xd9b6e30)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (bytes/sec): 1887436464/3549
      Max sent sequence-number: 5
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/kilobytes): 4/0
      [Inbound ESP SAs]
      SPI: 38742361 (0x24f2959)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (bytes/sec): 1887436464/3549
      Max received sequence-number: 4
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/kilobytes): 4/0
      Anti-replay : Enable
      Anti-replay window size: 1024

  4. Run display ipsec statistics to watch the encrypted-packet counters change, which shows that the data transferred between the two networks is encrypted. FW_A is used as an example.

      <FW_A> display ipsec statistics
      the security packet statistics:
      input/output security packets: 4/4
      input/output security bytes: 400/400
      input/output dropped security packets: 0/0
      the encrypt packet statistics
      send sae:0, recv sae:0, send err:0
      local cpu:0, other cpu:0, recv other cpu:0
      intact packet:0, first slice:0, after slice:0
      the decrypt packet statistics
      send sae:0, recv sae:0, send err:0
      local cpu:0, other cpu:0, recv other cpu:0
      reass first slice:0, after slice:0, len err:0
      dropped security packet detail:
      no enough memory: 0, too long: 0
      can't find SA: 0, wrong SA: 0
      authentication: 0, replay: 0
      front recheck: 0, after recheck: 0
      exceed byte limit: 0, exceed packet limit: 0
      change cpu enc: 0, dec change cpu: 0
      change datachan: 0, fib search: 0
      rcv enc(dec) form sae said err: 0, 0
      send port: 0, output l3: 0, l2tp input: 0
      negotiate about packet statistics:
      IP packet ok:0, err:0, drop:0
      IP rcv other cpu to ike:0, drop:0
      IKE packet inbound ok:0, err:0
      IKE packet outbound ok:0, err:0
      SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
      ModpCnt: 0, SaeSucc: 0, SoftwareSucc: 0

  5. Disconnect any one of GE1/0/1, GE1/0/2 and GE1/0/4 on FW_A and confirm that the IPSec tunnel stays up, which demonstrates the backup across the multiple links. Judge the result as follows:

    1. Run display ike sa and display ipsec sa: the security associations still exist.
    2. Network A and Network B can still send and receive packets, and display ipsec statistics shows the packet counts increasing.
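The checks in step 5 are manual. As an added example that is not part of the original article or of Huawei's tooling, the following Python script parses constructed `display ike sa` and `display ipsec statistics` screens in the format shown above and automates both checks: the peer's SAs are still READY, and the protected-packet counters keep growing after a link is disconnected.

```python
import re
SEC_PKTS = re.compile(r"input/output security packets:\s*(\d+)/(\d+)")
# Flags from the legend in the display ike sa output that mean an SA is not (or no longer) usable.
UNHEALTHY_FLAGS = {"NEG", "TO", "FD", "RL"}

# Constructed sample screens modelled on the "display ike sa" and
# "display ipsec statistics" output shown in this article (not real captures).
IKE_SA_OUTPUT = """\
<FW_A> display ike sa
-----------------------------------------------------------------------------
Conn-ID    Peer            VPN    Flag(s)    Phase
-----------------------------------------------------------------------------
20002      4.4.4.4                RD|ST|A    v2:2
20001      4.4.4.4                RD|ST|A    v2:1
"""
STATS_BEFORE = "input/output security packets: 4/4\ninput/output security bytes: 400/400\n"
STATS_AFTER = "input/output security packets: 9/9\ninput/output security bytes: 900/900\n"

def parse_ike_sa(text):
    """Return (conn_id, peer, flags, phase) per SA row; the VPN column may be blank,
    so conn-id/peer are read from the front and flags/phase from the end."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and parts[-1].startswith("v"):
            rows.append((int(parts[0]), parts[1], set(parts[-2].split("|")), parts[-1]))
    return rows

def ike_peer_ready(rows, peer):
    """True when the peer has READY (RD) v2:1 and v2:2 SAs and none carries an unhealthy flag."""
    phases = set()
    for _, p, flags, phase in rows:
        if p != peer:
            continue
        if "RD" not in flags or flags & UNHEALTHY_FLAGS:
            return False
        phases.add(phase)
    return {"v2:1", "v2:2"} <= phases

def security_packets(text):
    """Return (input, output) protected-packet counters from 'display ipsec statistics'."""
    m = SEC_PKTS.search(text)
    if m is None:
        raise ValueError("no 'input/output security packets' line found")
    return int(m.group(1)), int(m.group(2))

def traffic_still_flowing(before, after):
    """Step 5 failover check: both counters must grow between snapshots taken before and after a link is cut."""
    b_in, b_out = security_packets(before)
    a_in, a_out = security_packets(after)
    return a_in > b_in and a_out > b_out
```

Take the two statistics snapshots on the same firewall, a few pings apart, so that a counter that stops growing points at the failed link rather than at an idle network.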
