HUAWEI-防火墙USG6000 与 Windows2008 R2配置IPSec(防火墙篇)

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了HUAWEI-防火墙USG6000 与 Windows2008 R2配置IPSec(防火墙篇)相关的知识,希望对你有一定的参考价值。

HUAWEI-防火墙USG6000 与 Windows2008 R2配置IPSec(USG篇)

HUAWEI-防火墙USG6000

背景说明:某公司想实现总部和分部之间构建一条IPSec实现内部通讯,同时为节约成本不想购置一台用于IPSec的网络设备。于是通过思考使用Windows Server2008 来建立IPSec。实现IPSec的协商构建隧道通信。

IP地址接口规划表:

本端设备

接口

IP地址

对端设备

接口

IP地址

FW

GE 1/0/0

202.1.1.2/30

Win2008

GE 0/0/1

202.1.1.1/30

FW

GE 1/0/1

192.168.6.1/24

PC3

Ethernet 0/0/1

192.168.6.3/24

Win2008

Ethernet 0/0/1

192.168.5.1/24

PC4

Ethernet 0/0/1

192.168.5.2/24

TIPS:华为USG防火墙的GE 0/0/0 接口默认是管理接口,建议在投入使用时是尽量避免作为数据端口。

数据规划:

配置项


华为USG6000

Windows Sever 2008 R2

IPSEC 安全提议

封装模式

隧道模式 (Tunnel)

隧道模式 (Tunnel)


安全协议

ESP

ESP


ESP协议 验证算法

SHA1

SHA1


ESP协议 加密算法

3DES

3DES

IKE 安全提议

身份验证方法

预共享密钥

预共享密钥


加密算法

SHA1

SHA1


认证算法

3DES

3DES


DH Group

GROUP2

GROUP2

IKE对等体

协商模式

主模式

主模式


预共享密钥

ruankao@huawei

ruankao@huawei


身份类型

IP地址

IP地址


IKE版本

V1

V1

防火墙配置步骤:

  • [ ] 配置接口IP地址,并将接口加入安全区域;
  • [ ] 配置华为F防火前到Internet的缺省路由;
  • [ ] 配置域间安全策略,允许IKE协商报文、IPSec封装前和解封装后的原始报文能通过华为防火墙;
  • [ ] 定义需要保护的数据流、配置IPSec安全提议、创建IKE安全提议、配置IKE对等体;
  • [ ] 配置IPSec策略,在接口上应用IPSec策略。

项目实施:

一、配置接口IP地址,并将接口加入安全区域

  1. 配置接口地址
[USG6000V1]interface GigabitEthernet1/0/0
[USG6000V1-GigabitEthernet1/0/0] ip address 202.1.1.2 255.255.255.252
#
[USG6000V1-GigabitEthernet1/0/0]interface GigabitEthernet1/0/1
[USG6000V1-GigabitEthernet1/0/1] ip address 192.168.6.1 255.255.255.0
  1. 配置接口安全区域
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add interface GigabitEthernet1/0/1
#
[USG6000V1-zone-trust]firewall zone untrust
[USG6000V1-zone-untrust] add interface GigabitEthernet1/0/0

二、配置去往Internet的缺省路由

[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.1.1.1

三、配置域间安全策略

[USG6000V1]security-policy
#
[USG6000V1-policy-security] rule name ipsec-polic-out
[USG6000V1-policy-security-rule-ipsec-polic-out]source-zone trust
[USG6000V1-policy-security-rule-ipsec-polic-out]destination-zone untrust
[USG6000V1-policy-security-rule-ipsec-polic-out]source-address 192.168.6.3 mask 255.255.255.255
[USG6000V1-policy-security-rule-ipsec-polic-out]destination-address 192.168.5.2 mask 255.255.255.255
[USG6000V1-policy-security-rule-ipsec-polic-out]action permit
#
[USG6000V1-policy-security-rule-ipsec-polic-out]rule name ipsec-policy-in
[USG6000V1-policy-security-rule-ipsec-policy-in]source-zone untrust
[USG6000V1-policy-security-rule-ipsec-policy-in]destination-zone trust
[USG6000V1-policy-security-rule-ipsec-policy-in]source-address 192.168.5.2 mask 255.255.255.255
[USG6000V1-policy-security-rule-ipsec-policy-in]destination-address 192.168.6.3 mask 255.255.255.255
[USG6000V1-policy-security-rule-ipsec-policy-in]action permit
#
[USG6000V1-policy-security-rule-ipsec-policy-in]rule name ike-policy-out
[USG6000V1-policy-security-rule-ike-policy-out]source-zone local
[USG6000V1-policy-security-rule-ike-policy-out]destination-zone untrust
[USG6000V1-policy-security-rule-ike-policy-out]source-address 202.1.1.2 mask 255.255.255.255
[USG6000V1-policy-security-rule-ike-policy-out]destination-address 202.1.1.1 mask 255.255.255.255
[USG6000V1-policy-security-rule-ike-policy-out]action permit
#
[USG6000V1-policy-security-rule-ike-policy-out]rule name ike-policy-in
[USG6000V1-policy-security-rule-ike-policy-in]source-zone untrust
[USG6000V1-policy-security-rule-ike-policy-in]destination-zone local
[USG6000V1-policy-security-rule-ike-policy-in]source-address 202.1.1.1 mask 255.255.255.255
[USG6000V1-policy-security-rule-ike-policy-in]destination-address 202.1.1.2 mask 255.255.255.255
[USG6000V1-policy-security-rule-ike-policy-in]action permit

四、定义需要保护的数据流、配置IPSec安全提议

[USG6000V1]acl 3000 
[USG6000V1-acl-adv-3000]rule 5 permit ip source 192.168.6.3 0 destination 192.168.5.2 0
#
[USG6000V1]ipsec proposal FW-win2008
[USG6000V1-ipsec-proposal-FW-win2008]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-FW-win2008]transform esp
[USG6000V1-ipsec-proposal-FW-win2008]esp authentication-algorithm sha1
[USG6000V1-ipsec-proposal-FW-win2008]esp encryption-algorithm 3des

五、创建IKE安全提议、配置IKE对等体

[USG6000V1]ike proposal 10 
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]encryption-algorithm 3des
Warning: The security level of des/3des is low.
[USG6000V1-ike-proposal-10] dh group2
Warning: The security level of group1/group2/group5 is low.
[USG6000V1-ike-proposal-10] authentication-algorithm sha1
Warning: The security level of md5/sha1 is low.
#
[USG6000V1]ike peer win2008
[USG6000V1-ike-peer-win2008]undo version 2
[USG6000V1-ike-peer-win2008]exchange-mode main
[USG6000V1-ike-peer-win2008]pre-shared-key ruankao@huawei
[USG6000V1-ike-peer-win2008]ike-proposal 10
[USG6000V1-ike-peer-win2008]remote-address 202.1.1.1

六、配置IPSec策略,在接口上应用IPSec策略

[USG6000V1]ipsec policy map1 10 isakmp 
[USG6000V1-ipsec-policy-isakmp-map1-10]ipsec policy map1 10 isakmp
[USG6000V1-ipsec-policy-isakmp-map1-10]security acl 3000
[USG6000V1-ipsec-policy-isakmp-map1-10]ike-peer win2008
[USG6000V1-ipsec-policy-isakmp-map1-10]proposal FW-win2008
#
[USG6000V1]int GigabitEthernet 1/0/0
[USG6000V1-GigabitEthernet1/0/0] ipsec policy map1

项目验证:

接口安全区域验证:
[USG6000V1]dis zone 
2022-05-01 01:30:37.180
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (0):
#
IKE-SA(安全联盟)验证:
[USG6000V1]dis ike sa
2022-04-30 16:25:35.160

IKE SA information :
Conn-ID Peer VPN Flag(s Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
8 202.1.1.1:500 RD|A v1:1 IP 202.1.1.1

Number of IKE SA : 1
--------------------------------------------------------------------------------
----------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
IPSec-SA(安全联盟)验证:
[USG6000V1]dis ipsec sa
2022-04-30 14:22:23.630

ipsec sa information:

===============================
Interface: GigabitEthernet1/0/0
===============================

-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Holding time : 0d 3h 27m 19s
Tunnel local : 202.1.1.2:500
Tunnel remote : 202.1.1.1:500
Flow source : 192.168.6.3/255.255.255.255 0/0-65535
Flow destination : 192.168.5.2/255.255.255.255 0/0-65535

[Outbound ESP SAs]
SPI: 197255367 (0xbc1e0c7)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/883
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0

[Inbound ESP SAs]
SPI: 193813908 (0xb8d5d94)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/883
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
抓包验证协商过程和数据加密:

HUAWEI-防火墙USG6000

相关参考链接:

[1] :​​http://www.wj64.net/?post=12​

以上是关于HUAWEI-防火墙USG6000 与 Windows2008 R2配置IPSec(防火墙篇)的主要内容,如果未能解决你的问题,请参考以下文章

win10电脑ensp的防火墙导入vfw_usg显示文件格式错误,是怎么回事啊?

管理华为防火墙 USG6000V

华为防火墙USG6000有IDS和IPS?

Huawei USG6530防火墙

USG6000V防火墙Web登录&OSPFRIP单臂路由综合实验

华为USG6000硬件防火墙设置问题