Establishing a Point-to-Point IPSec VPN Between Headquarters and a Branch (Pre-shared Key Authentication)

This example describes how to configure an IPSec tunnel that uses pre-shared key authentication.

Networking requirements

As shown in Figure 1, network A and network B connect to the Internet through NGFW_A and NGFW_B respectively, and the public addresses of NGFW_A and NGFW_B are reachable from each other. An IPSec tunnel negotiated with IKE is to be established between NGFW_A and NGFW_B so that users in network A and network B can access each other securely through the tunnel.



Figure 1 Networking for a point-to-point IPSec tunnel negotiated with IKE

Data plan


The original page presented the data plan as a table image; the values below are the ones used in the configuration steps.

NGFW_A (headquarters): GigabitEthernet 1/0/3 10.1.1.1/24 in the Trust zone (network A, 10.1.1.0/24); GigabitEthernet 1/0/1 1.1.3.1/24 in the Untrust zone (tunnel endpoint); next hop toward NGFW_B 1.1.3.2.

NGFW_B (branch): GigabitEthernet 1/0/3 10.1.2.1/24 in the Trust zone (network B, 10.1.2.0/24); GigabitEthernet 1/0/1 1.1.5.1/24 in the Untrust zone (tunnel endpoint); next hop toward NGFW_A 1.1.5.2.

IKE: IKEv1, pre-shared key authentication, IKE proposal 10 with authentication algorithm SHA2-256.

IPSec: proposal tran1, ESP in tunnel mode with SHA2-256 authentication and AES encryption; IPSec policy map1 bound to ACL 3000, which selects traffic between 10.1.1.0/24 and 10.1.2.0/24.


Configuration roadmap

The configuration roadmap is the same on NGFW_A and NGFW_B.

1. Configure interface IP addresses and add the interfaces to security zones.

2. Configure security policies.

3. Configure a route to the peer's private network.

4. Configure the IPSec policy: the basic policy settings, the data flow to be encrypted, and the negotiation parameters of the security proposals.

Procedure

· Configure NGFW_A (headquarters).

1. Configure interface IP addresses.

<code><sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit</code>

2. Add the interfaces to the corresponding security zones.

<code>[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit</code>

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_A.

<code>[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit</code>

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_A. As written, these two rules permit any IP traffic between the two public addresses; the tunnel itself only needs IKE (UDP port 500, plus UDP 4500 when NAT traversal is in use) and ESP (IP protocol 50), so narrow the rules to those services where your policy practice calls for it.

<code>[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit</code>

4. Configure a route to the peer's private network. Assume that the next hop from NGFW_A toward NGFW_B is 1.1.3.2.

<code>[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2</code>

5. Configure the IPSec tunnel on NGFW_A.

a. Configure an ACL that defines the data flow to be protected. The ACL on the peer must be the mirror image of this one (source and destination swapped); otherwise the IPSec SA negotiation fails.

<code>[NGFW_A] acl 3000 
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit</code>

b. Configure IKE proposal 10. Only the authentication method and authentication algorithm are set explicitly; the encryption algorithm and DH group fall back to the device defaults, which you can confirm with display ike proposal and which must match on both ends.

<code>[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit</code>

c. Configure the IKE peer. The command undo version 2 restricts this peer to IKEv1. Admin@123 is the documentation's sample key only: in production use a long random secret, configure it identically on both firewalls, and bear in mind that the key is stored in the device configuration, so protect configuration backups accordingly.

<code>[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit</code>

d. Configure IPSec proposal tran1: ESP in tunnel mode with SHA2-256 authentication and AES encryption. The keyword aes selects the platform's default AES key length; confirm the resulting algorithms with display ipsec proposal.

<code>[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit</code>

e. Configure IPSec policy group map1.

<code>[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit</code>

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

<code>[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit</code>

· Configure NGFW_B (branch).

1. Configure interface IP addresses.

<code><sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit</code>

2. Add the interfaces to the corresponding security zones.

<code>[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit</code>

3. Configure security policies.

a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_B.

<code>[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit</code>

b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_B.

<code>[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit</code>

4. Configure a route to the peer's private network. Assume that the next hop from NGFW_B toward NGFW_A is 1.1.5.2.

<code>[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2</code>

5. Configure the IPSec tunnel on NGFW_B.

a. Configure an ACL that defines the data flow to be protected (the mirror image of ACL 3000 on NGFW_A).

<code>[NGFW_B] acl 3000 
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit</code>

b. Configure IKE proposal 10.

<code>[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit</code>

c. Configure the IKE peer. The pre-shared key must be identical to the one configured on NGFW_A.

<code>[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit</code>

d. Configure IPSec proposal tran1.

<code>[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit</code>

e. Configure IPSec policy group map1.

<code>[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit</code>

f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.

<code>[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit</code>
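The two halves of the procedure above are typed by hand and must be exact mirrors of each other: swapped ACL selectors, a remote-address that is the peer's interface address, the same key and the same algorithms. The script below is an added example, not part of the original page and not a Huawei tool. It renders both firewalls' CLI from one data plan using the commands shown on the page, parses CLI text with or without the [NGFW_A-...] prompts (so pasted configuration works as input too), and reports the mismatches that would stop IKE or IPSec negotiation. The Site class, the parse()/check_mirror() rules and the 20-character minimum key length are this example's own assumptions.

```python
"""Render both ends of the IKEv1 pre-shared-key tunnel and cross-check them.
Added example, not part of the original page and not a Huawei tool.  The CLI
syntax is copied from the page; Site, parse(), check_mirror() and MIN_PSK_LEN
are this example's own assumptions."""
import ipaddress
import re
from dataclasses import dataclass

MIN_PSK_LEN = 20                 # assumed local policy, not a platform requirement
PLACEHOLDER_PSK = "Admin@123"    # the documentation's sample key; never deploy it
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")   # strips "<sysname>" / "[NGFW_A-...]"


@dataclass(frozen=True)
class Site:
    name: str       # sysname
    peer: str       # name this box gives the remote IKE peer ("b" on NGFW_A, "a" on NGFW_B)
    lan_ip: str     # GigabitEthernet 1/0/3 address with prefix, e.g. 10.1.1.1/24
    wan_ip: str     # GigabitEthernet 1/0/1 public address, the tunnel endpoint
    next_hop: str   # next hop toward the peer (the page assumes 1.1.3.2 and 1.1.5.2)


def wildcard(net: ipaddress.IPv4Network) -> str:
    """ACL form of a network: 10.1.1.0/24 -> '10.1.1.0 0.0.0.255'."""
    return f"{net.network_address} {net.hostmask}"


def render(local: Site, remote: Site, psk: str) -> str:
    """CLI for one firewall following the page's steps 1-5 (prompts omitted)."""
    lan, wan = ipaddress.ip_interface(local.lan_ip), ipaddress.ip_interface(local.wan_ip)
    rlan = ipaddress.ip_interface(remote.lan_ip).network
    rwan = ipaddress.ip_interface(remote.wan_ip).ip
    me = f"{lan.network.network_address} {lan.network.prefixlen}"
    them = f"{rlan.network_address} {rlan.prefixlen}"

    def rule(name, src_zone, dst_zone, src, dst):
        return [f" rule name {name}", f"  source-zone {src_zone}", f"  destination-zone {dst_zone}",
                f"  source-address {src}", f"  destination-address {dst}", "  action permit"]

    return "\n".join([
        f"sysname {local.name}",
        "interface GigabitEthernet 1/0/3", f" ip address {lan.ip} {lan.network.prefixlen}",
        "interface GigabitEthernet 1/0/1", f" ip address {wan.ip} {wan.network.prefixlen}",
        "firewall zone trust", " add interface GigabitEthernet 1/0/3",
        "firewall zone untrust", " add interface GigabitEthernet 1/0/1",
        "security-policy",
        # Trust<->Untrust carries the cleartext; Local<->Untrust carries IKE/ESP between endpoints
        *rule("policy_ipsec_1", "trust", "untrust", me, them),
        *rule("policy_ipsec_2", "untrust", "trust", them, me),
        *rule("policy_ipsec_3", "local", "untrust", f"{wan.ip} 32", f"{rwan} 32"),
        *rule("policy_ipsec_4", "untrust", "local", f"{rwan} 32", f"{wan.ip} 32"),
        f"ip route-static {rlan.network_address} {rlan.prefixlen} {local.next_hop}",
        "acl 3000", f" rule permit ip source {wildcard(lan.network)} destination {wildcard(rlan)}",
        "ike proposal 10", " authentication-method pre-share", " authentication-algorithm sha2-256",
        f"ike peer {local.peer}", " ike-proposal 10", f" remote-address {rwan}",
        f" pre-shared-key {psk}", " undo version 2",
        "ipsec proposal tran1", " encapsulation-mode tunnel", " transform esp",
        " esp authentication-algorithm sha2-256", " esp encryption-algorithm aes",
        "ipsec policy map1 10 isakmp", " security acl 3000", " proposal tran1", f" ike-peer {local.peer}",
        "interface GigabitEthernet 1/0/1", " ipsec policy map1 auto-neg",
    ])


def parse(cli: str) -> dict:
    """Pull the tunnel-relevant settings out of CLI text, with or without prompts."""
    cfg = {"acl": [], "ips": set(), "ikev1_only": False}
    for raw in cli.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.fullmatch(r"rule permit ip source (\S+ \S+) destination (\S+ \S+)", line):
            cfg["acl"].append((m[1], m[2]))
        elif m := re.fullmatch(r"ip address (\S+) \d+", line):
            cfg["ips"].add(m[1])
        elif m := re.fullmatch(r"remote-address (\S+)", line):
            cfg["remote"] = m[1]
        elif m := re.fullmatch(r"pre-shared-key (\S+)", line):
            cfg["psk"] = m[1]
        elif m := re.fullmatch(r"authentication-algorithm (\S+)", line):      # IKE proposal
            cfg["ike_auth"] = m[1]
        elif m := re.fullmatch(r"esp (authentication|encryption)-algorithm (\S+)", line):
            cfg["esp_" + m[1][:4]] = m[2]                                     # esp_auth / esp_encr
        elif line == "undo version 2":
            cfg["ikev1_only"] = True
    return cfg


def check_mirror(a: dict, b: dict) -> list:
    """Mismatches that block phase 1 or phase 2, plus a pre-shared key hygiene check."""
    findings = []
    if {(dst, src) for src, dst in a["acl"]} != set(b["acl"]):
        findings.append("ACL 3000 is not a mirror image of the peer's ACL")
    if a.get("remote") not in b["ips"] or b.get("remote") not in a["ips"]:
        findings.append("remote-address does not match any interface address on the peer")
    if a.get("psk") != b.get("psk"):
        findings.append("pre-shared keys differ")
    for key in ("ike_auth", "esp_auth", "esp_encr"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if a["ikev1_only"] != b["ikev1_only"]:
        findings.append("IKE version differs: 'undo version 2' is set on one side only")
    psk = a.get("psk", "")
    if psk == PLACEHOLDER_PSK or len(psk) < MIN_PSK_LEN:
        findings.append(f"weak pre-shared key: use a random secret of at least {MIN_PSK_LEN} characters")
    return findings


# Data plan from the page (constructed input for this example)
NGFW_A = Site("NGFW_A", "b", "10.1.1.1/24", "1.1.3.1/24", "1.1.3.2")
NGFW_B = Site("NGFW_B", "a", "10.1.2.1/24", "1.1.5.1/24", "1.1.5.2")


def audit(psk: str) -> list:
    """Render both ends with the same key and cross-check them."""
    return check_mirror(parse(render(NGFW_A, NGFW_B, psk)), parse(render(NGFW_B, NGFW_A, psk)))
```

Running audit(PLACEHOLDER_PSK) reports only the weak-key finding, because the rendered pair is consistent by construction; feeding parse() the two sides of a hand-typed configuration is where the ACL, remote-address and algorithm checks earn their keep.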

Verification

1. After the configuration is complete, run the display ike sa command on NGFW_A to check the IKE SA. An entry for the peer 1.1.5.1 indicates that the IKE SA has been established (the command output itself is not reproduced here).

2. Run the display ipsec sa command on NGFW_A to check the IPSec SA. Inbound and outbound ESP SAs for policy map1 indicate that the IPSec SA has been established (the command output itself is not reproduced here).

