华为ipsec互通笔记

Posted ecopy

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了华为ipsec互通笔记相关的知识,希望对你有一定的参考价值。

fw1:


#
sysname fw1
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 04:02
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 07:39
 update schedule av-sdb daily 07:39
 update schedule sa-sdb daily 07:39
 update schedule cnc daily 07:39
 update schedule file-reputation daily 07:39
#
ip vpn-instance default
 ipv4-family
#
ip address-set 20.1.1.1/255.255.255.0 type object
 address 0 20.1.1.0 mask 255.255.255.0
#
ip address-set 20.1.1.2/255.255.255.0 type object
 address 0 20.1.1.0 mask 255.255.255.0
#
ip address-set 10.1.1.0/255.255.255.0 type object
 address 0 10.1.1.0 mask 255.255.255.0
#
ip address-set 10.1.2.0/255.255.255.0 type object
 address 0 10.1.2.0 mask 255.255.255.0
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
#
ipsec proposal propab
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm aes-xcbc-96 
 prf hmac-sha2-256 
#
ike peer ikeab
 exchange-mode auto
 pre-shared-key ********************
 ike-proposal 1
 remote-id-type ip
 remote-id 20.1.1.2
 local-id 20.1.1.1
 remote-address 20.1.1.2 
#
ipsec policy ipsecab 1 isakmp
 security acl 3000
 ike-peer ikeab
 proposal propab
 tunnel local applied-interface
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher *****************
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher *******************
  level 15 

 manager-user admin 
  password cipher ***************************
  service-type web terminal 
  level 15 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
 service-manage ping permit
 ipsec policy ipsecab
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default action permit
 rule name ipsec1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address address-set 20.1.1.1/255.255.255.0
  source-address address-set 20.1.1.2/255.255.255.0
  destination-address address-set 20.1.1.1/255.255.255.0
  destination-address address-set 20.1.1.2/255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name fw1_fw2_nat
  source-zone trust
  egress-interface GigabitEthernet1/0/0
  source-address address-set 10.1.1.0/255.255.255.0
  destination-address address-set 10.1.2.0/255.255.255.0
  action no-nat
 rule name local_nat
  source-zone trust
  egress-interface GigabitEthernet1/0/0
  source-address address-set 10.1.1.0/255.255.255.0
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

fw2:


#
sysname fw2
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 04:27
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 04:56
 update schedule av-sdb daily 04:56
 update schedule sa-sdb daily 04:56
 update schedule cnc daily 04:56
 update schedule file-reputation daily 04:56
#
ip vpn-instance default
 ipv4-family
#
ip address-set 20.1.1.1/255.255.255.0 type object
 address 0 20.1.1.0 mask 255.255.255.0
#
ip address-set 20.1.1.2/255.255.255.0 type object
 address 0 20.1.1.0 mask 255.255.255.0
#
ip address-set 10.1.2.0/255.255.255.0 type object
 address 0 10.1.2.0 mask 255.255.255.0
#
ip address-set 10.1.1.0/255.255.255.0 type object
 address 0 10.1.1.0 mask 255.255.255.0
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
#
ipsec proposal propba
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm aes-xcbc-96 
 prf hmac-sha2-256 
#
ike peer ikeba
 exchange-mode auto
 pre-shared-key************************
 ike-proposal 1
 remote-id-type ip
 remote-id 20.1.1.1
 local-id 20.1.1.2
 remote-address 20.1.1.1 
#
ipsec policy ipsecba 1 isakmp
 security acl 3000
 ike-peer ikeba
 proposal propba
 tunnel local applied-interface
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher ***********************
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher *********************
  level 15 

 manager-user admin 
  password cipher ******************************
  service-type web terminal 
  level 15 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.2 255.255.255.0
 service-manage ping permit
 ipsec policy ipsecba
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.2.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name ipsec1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address address-set 20.1.1.1/255.255.255.0
  source-address address-set 20.1.1.2/255.255.255.0
  destination-address address-set 20.1.1.1/255.255.255.0
  destination-address address-set 20.1.1.2/255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name fw2_fw1_nat
  source-zone trust
  egress-interface GigabitEthernet1/0/0
  source-address address-set 10.1.2.0/255.255.255.0
  destination-address address-set 10.1.1.0/255.255.255.0
  action no-nat
 rule name local_nat
  source-zone trust
  egress-interface GigabitEthernet1/0/0
  source-address address-set 10.1.1.0/255.255.255.0
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return



以上是关于华为ipsec互通笔记的主要内容,如果未能解决你的问题,请参考以下文章

华为防火墙实验8[配置两个网络之间的IPSec VPN隧道]

华为防火墙基础自学系列 | IPsec技术详解

玩转华为ENSP模拟器系列 | IPSec网关主备双机热备

玩转华为ENSP模拟器系列 | 两个网关之间通过IPSec VdPdNd互联并通过总部IPSec网关进行NAT后上网

玩转华为ENSP模拟器系列 | 两个网关之间通过IPSec VdPdNd互联并通过总部IPSec网关进行NAT后上网

玩转华为ENSP模拟器系列 | 两个网关之间通过IPSec VdPdNd互联并通过各自IPSec网关进行NAT后上网