玩转华为ENSP模拟器系列 | 两个网关之间利用Tunnel接口实现IPSec VdPdNd隧道多链路备份

Posted COCOgsta

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了玩转华为ENSP模拟器系列 | 两个网关之间利用Tunnel接口实现IPSec VdPdNd隧道多链路备份相关的知识,希望对你有一定的参考价值。

素材来源:华为防火墙配置指南

一边学习一边整理试验笔记,并与大家分享,侵权即删,谢谢支持!

附上汇总贴:玩转华为ENSP模拟器系列 | 合集_COCOgsta的博客-CSDN博客_华为模拟器实验


目标

介绍采用IPSec隧道化方式配置两点之间IPSec隧道的配置举例。请使用命令行完成本举例的配置。

组网需求

图1所示,网络A与网络B通过FW_A和FW_B连接到Internet。

FW_A和FW_B之间有多条链路路由可达。

要求实现如下组网需求:

  • 主机PC1与PC2之间可以通过IPSec隧道安全的通信。
  • 在FW_A和FW_B之间可以实现链路备份,当有一条链路发生问题时,仍然可以通过其他的链路进行IPSec通信。

配置思路

  1. 基本配置,包括配置接口IP地址,将接口加入相应的安全区域,配置安全策略。
  1. 创建并配置Tunnel接口,并将Tunnel接口加入相应的安全区域。
  1. 配置公网路由,一般情况下,FW上配置静态路由。
  1. 配置IPSec。

操作步骤

配置FW_A。

  1. 配置接口IP地址。
<sysname> system-view
[sysname] sysname FW_A
[FW_A] interface gigabitethernet 1 / 0 / 3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1  24
[FW_A-GigabitEthernet1/0/3] quit [FW_A] interface gigabitethernet 1 / 0 / 1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1  24
[FW_A-GigabitEthernet1/0/1] quit [FW_A] interface gigabitethernet 1 / 0 / 2
[FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2  24
[FW_A-GigabitEthernet1/0/2] quit [FW_A] interface gigabitethernet 1 / 0 / 4
[FW_A-GigabitEthernet1/0/4] ip address 3.3.3.3  24
[FW_A-GigabitEthernet1/0/4] quit
复制代码
  1. 创建并配置Tunnel接口。
[FW_A] interface tunnel 0
[FW_A-tunnel0] tunnel-protocol ipsec
[FW_A-tunnel0] ip address 1.1.0.2  24
[FW_A-tunnel0] quit
复制代码
  1. 开启域间安全策略。

开启Trust和Untrust安全区域的域间策略,保证报文能够正常发送。

[FW_A] security-policy
[FW_A-policy-security] rule name policy_ipsec_1
[FW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[FW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[FW_A-policy-security-rule-policy_ipsec_1] source-address 10.3.0.0  24
[FW_A-policy-security-rule-policy_ipsec_1] destination-address 10.4.0.0  24 
[FW_A-policy-security-rule-policy_ipsec_1] action permit
[FW_A-policy-security-rule-policy_ipsec_1] quit
[FW_A-policy-security] rule name policy_ipsec_2
[FW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[FW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[FW_A-policy-security-rule-policy_ipsec_2] source-address 10.4.0.0  24 
[FW_A-policy-security-rule-policy_ipsec_2] destination-address 10.3.0.0  24 
[FW_A-policy-security-rule-policy_ipsec_2] action permit
[FW_A-policy-security-rule-policy_ipsec_2] quit
复制代码

开启Local和Untrust安全区域的域间策略,保证隧道正常建立。

[FW_A-policy-security] rule name policy_ipsec_3
[FW_A-policy-security-rule-policy_ipsec_3] source-zone local
[FW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.1.1  32 
[FW_A-policy-security-rule-policy_ipsec_3] source-address 2.2.2.2  32 
[FW_A-policy-security-rule-policy_ipsec_3] source-address 3.3.3.3  32 
[FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.0.2  32 
[FW_A-policy-security-rule-policy_ipsec_3] destination-address 4.4.4.4  32 
[FW_A-policy-security-rule-policy_ipsec_3] action permit
[FW_A-policy-security-rule-policy_ipsec_3] quit
[FW_A-policy-security] rule name policy_ipsec_4
[FW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[FW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[FW_A-policy-security-rule-policy_ipsec_4] source-address 4.4.4.4  32 
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.1.1  32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 2.2.2.2  32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 3.3.3.3  32
[FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.0.2  32
[FW_A-policy-security-rule-policy_ipsec_4] action permit
[FW_A-policy-security-rule-policy_ipsec_4] quit
[FW_A-policy-security] quit
复制代码
  1. 配置到网络B的静态路由,此处假设到达网络B的出接口为Tunnel 0接口。
[FW_A] ip route- static  10.4.0.0  255.255.255.0 tunnel 0
复制代码
  1. 配置到FW_B的3条等价路由(假设下一跳所配置中所示)。
[FW_A] ip route- static  4.4.4.4  32  1.1.1.254
[FW_A] ip route- static  4.4.4.4  32  2.2.2.254
[FW_A] ip route- static  4.4.4.4  32  3.3.3.254
复制代码
  1. 定义IPSec中被保护的数据流。
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.3.0.0  0.0.0.255 destination 10.4.0.0  0.0.0.255
[FW_A-acl-adv-3000] quit
复制代码
  1. 配置名称为tran1的IPSec安全提议。
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_A-ipsec-proposal-tran1] transform esp
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2- 256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes- 256
[FW_A-ipsec-proposal-tran1] quit
复制代码
  1. 配置序号为10的IKE安全提议。
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] quit
复制代码
  1. 配置IKE Peer。
[FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 4.4.4.4
[FW_A-ike-peer-b] pre-shared-key Test ! 123
[FW_A-ike-peer-b] quit
复制代码
  1. 配置IPSec策略map1。
[FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit
复制代码
  1. 在Tunnel接口上应用安全策略map1。
[FW_A] interface tunnel 0
[FW_A-tunnel0] ipsec policy map1
[FW_A-tunnel0] quit
复制代码

配置FW_B。

  1. 基础配置。 请根据图1的数据配置接口IP地址。将接口GE1/0/3加入Trust区域,接口GE1/0/1加入Untrust区域。详细步骤可参见FW_A的配置。
  1. 开启域间安全策略。

开启Trust和Untrust安全区域的域间策略,保证报文能够正常发送。

[FW_B] security-policy
[FW_B-policy-security] rule name policy_ipsec_1
[FW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[FW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[FW_B-policy-security-rule-policy_ipsec_1] source-address 10.4.0.0  24
[FW_B-policy-security-rule-policy_ipsec_1] destination-address 10.3.0.0  24 
[FW_B-policy-security-rule-policy_ipsec_1] action permit
[FW_B-policy-security-rule-policy_ipsec_1] quit
[FW_B-policy-security] rule name policy_ipsec_2
[FW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[FW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[FW_B-policy-security-rule-policy_ipsec_2] source-address 10.3.0.0  24 
[FW_B-policy-security-rule-policy_ipsec_2] destination-address 10.4.0.0  24 
[FW_B-policy-security-rule-policy_ipsec_2] action permit
[FW_B-policy-security-rule-policy_ipsec_2] quit
复制代码

开启Local和Untrust安全区域的域间策略,保证隧道正常建立。

[FW_B-policy-security] rule name policy_ipsec_3
[FW_B-policy-security-rule-policy_ipsec_3] source-zone local
[FW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[FW_B-policy-security-rule-policy_ipsec_3] source-address 4.4.4.4  32 
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.1.1  32 
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 2.2.2.2  32 
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 3.3.3.3  32 
[FW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.0.2  32 
[FW_B-policy-security-rule-policy_ipsec_3] action permit
[FW_B-policy-security-rule-policy_ipsec_3] quit
[FW_B-policy-security] rule name policy_ipsec_4
[FW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[FW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.1.1  32 
[FW_B-policy-security-rule-policy_ipsec_4] source-address 2.2.2.2  32 
[FW_B-policy-security-rule-policy_ipsec_4] source-address 3.3.3.3  32 
[FW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.0.2  32 
[FW_B-policy-security-rule-policy_ipsec_4] destination-address 4.4.4.4  32 
[FW_B-policy-security-rule-policy_ipsec_4] action permit
[FW_B-policy-security-rule-policy_ipsec_4] quit
[FW_B-policy-security] quit
复制代码
  1. 配置到达网络A的静态路由,此处假设下一跳地址为4.4.4.254。
[FW_B] ip route- static  10.3.0.0  255.255.255.0  4.4.4.254
复制代码
  1. 配置到FW_A的Tunnel接口的路由。
[FW_B] ip route- static  1.1.0.2  255.255.255.255  4.4.4.254
复制代码
  1. 定义IPSec中被保护的数据流。
[FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit ip source 10.4.0.0  0.0.0.255 destination 10.3.0.0  0.0.0.255
[FW_B-acl-adv-3000] quit
复制代码
  1. 配置名称为tran1的IPSec安全提议。
[FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW_B-ipsec-proposal-tran1] transform esp
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2- 256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes- 256
[FW_B-ipsec-proposal-tran1] quit
复制代码
  1. 配置序号为10的IKE安全提议。
[FW_B] ike proposal 10 
[FW_B-ike-proposal-10] authentication-method pre-share 
[FW_B-ike-proposal-10] quit
复制代码
  1. 配置名称为a的IKE peer。
[FW_B] ike peer a 
[FW_B-ike-peer-a] ike-proposal 10 
[FW_B-ike-peer-a] remote-address 1.1.0.2 
[FW_B-ike-peer-a] pre-shared-key Test ! 123 
[FW_B-ike-peer-a] quit
复制代码
  1. 配置名称为map1序号为10的安全策略。
[FW_B] ipsec policy map1 10 isakmp 
[FW_B-ipsec-policy-isakmp-map1-10] security acl 3000 
[FW_B-ipsec-policy-isakmp-map1-10] proposal tran1 
[FW_B-ipsec-policy-isakmp-map1-10] ike-peer a 
[FW_B-ipsec-policy-isakmp-map1-10] quit
复制代码
  1. 在接口GE1/0/1上应用安全策略map1。
[FW_B] interface gigabitethernet 1 / 0 / 1 
[FW_B-GigabitEthernet1/0/1] ipsec policy map1
[FW_B-GigabitEthernet1/0/1] quit
复制代码

结果验证

  1. 配置完成后,在PC1执行ping命令,看能否ping通PC2。如果配置正确,则PC1和PC2可以相互ping通。如果有步骤2、3、4的显示信息,则说明PC1和PC2之间的通信经过了IPSec隧道封装。
  1. 分别在FW_A、FW_B上执行display ike sa命令会显示IKE安全联盟的建立情况。以FW_A为例,出现以下显示说明IKE安全联盟建立成功。
<FW_A> display ike sa      

Ike sa number: 2
-----------------------------------------------------------------------------
Conn-ID         Peer          VPN    Flag(s)     Phase 
-----------------------------------------------------------------------------
20002          4.4.4.4              RD|ST|A        v2:2 
20001          4.4.4.4              RD|ST|A        v2:1  
                                                                                
  Number of SA entries  : 2                                                     
                                                                                
  Number of SA entries of all cpu : 2                                           
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
复制代码
  1. 分别在FW_A、FW_B上执行display ipsec sa命令会显示IPSec安全联盟的建立情况。以FW_A为例,出现以下显示说明IPSec安全联盟建立成功。
<FW_A> display ipsec sa 

===============================
Interface: Tunnel0
===============================

  -----------------------------                                                 
  IPSec policy name: "map1"                                                     
  Sequence number  : 10                                                           
  Acl group        : 3000                                                       
  Acl rule         : 5                                                          
  Mode             : ISAKMP 
  -----------------------------  
    Connection ID: 40002
    Encapsulation mode: Tunnel  
    Tunnel local      : 1.1.0.2    
    Tunnel remote     : 4.4.4.4                        
    Flow source       : 10.3.0.0/255.255.255.0 0/0                      
    Flow destination  : 10.4.0.0/255.255.255.0 0/0    

    [Outbound ESP SAs] 
      SPI: 228290096 (0xd9b6e30)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                      
      SA remaining key duration (bytes/sec): 1887436464/3549
      Max sent sequence-number: 5
      UDP encapsulation used for NAT traversal: N     
      SA decrypted packets (number/kilobytes): 4/0

    [Inbound ESP SAs] 
      SPI: 38742361 (0x24f2959)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                  
      SA remaining key duration (bytes/sec): 1887436464/3549
      Max received sequence-number: 4
      UDP encapsulation used for NAT traversal: N       
      SA decrypted packets (number/kilobytes): 4/0                        
      Anti-replay : Enable                                                      
      Anti-replay window size: 1024   
复制代码
  1. 执行命令display ipsec statistics可以查看被加密的数据包的变化,即它们之间的数据传输将被加密。以FW_A为例。
<FW_A>display ipsec statistics     
  the security packet statistics:                                               
    input/output security packets: 4/4                                          
    input/output security bytes: 400/400                                         
    input/output dropped security packets: 0/0                                  
    the encrypt packet statistics                                               
      send sae:0, recv sae:0, send err:0                                        
      local cpu:0, other cpu:0, recv other cpu:0                                
      intact packet:0, first slice:0, after slice:0                             
    the decrypt packet statistics                                               
      send sae:0, recv sae:0, send err:0                                        
      local cpu:0, other cpu:0, recv other cpu:0                                
      reass  first slice:0, after slice:0, len err:0                            
    dropped security packet detail:                                             
      no enough memory: 0, too long: 0                                          
      can't find SA: 0, wrong SA: 0                                             
      authentication: 0, replay: 0                                              
      front recheck: 0, after recheck: 0                                        
      exceed byte limit: 0, exceed packet limit: 0                              
      change cpu enc: 0, dec change cpu: 0                                      
      change datachan: 0, fib search: 0                                         
      rcv enc(dec) form sae said err: 0, 0                                      
      send port: 0, output l3: 0, l2tp input: 0                                 
  negotiate about packet statistics:                                            
    IP packet  ok:0, err:0, drop:0                                              
    IP rcv other cpu   to ike:0, drop:0                                          
    IKE packet inbound   ok:0, err:0                                            
    IKE packet outbound  ok:0, err:0                                            
    SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0                                 
    ModpCnt: 0, SaeSucc: 0, SoftwareSucc: 0  
复制代码
  1. 断开FW_A的GE1/0/1、GE1/0/2和GE1/0/4中任意一个接口,查看IPSec隧道依然不会断开。保证了多条链路之间的备份。 通过以下操作来判断:

    1. 执行display ike sadisplay ipsec sa命令,查看到安全联盟依然存在。
    2. 网络A和网络B之间依然能够成功发送和接收报文。且执行display ipsec statistics命令,能看到报文数量在增长。

 

以上是关于玩转华为ENSP模拟器系列 | 两个网关之间利用Tunnel接口实现IPSec VdPdNd隧道多链路备份的主要内容,如果未能解决你的问题,请参考以下文章

玩转华为ENSP模拟器系列 | 两个网关之间通过手工方式创建IPSec VdPdNd隧道

玩转华为ENSP模拟器系列 | 两个网关之间通过IKE方式协商IPSec VdPdNd隧道(采用证书认证)

玩转华为ENSP模拟器系列 | 两个网关之间通过IPSec VdPdNd互联并通过总部IPSec网关进行NAT后上网

玩转华为ENSP模拟器系列 | 两个网关之间通过IPSec VdPdNd互联并通过总部IPSec网关进行NAT后上网

玩转华为ENSP模拟器系列 | 两个网关之间在二层接口上建立IPSec VdPdNd隧道

玩转华为ENSP模拟器系列 | 两个网关之间在二层接口上建立IPSec VdPdNd隧道