IPsec configuration: the policy-template approach
Configuration approach for the policy-template method

For comparison, the aggressive-mode variant differs from main mode only in the IKE peer:
ike peer fw2
 exchange-mode aggressive ---------- change the exchange mode to aggressive
Everything else is the same as main mode.
Note: aggressive mode must also specify remote-address; a remote address or a domain name has to be configured. Huawei does not recommend aggressive mode and recommends the policy-template approach instead. Without a remote address, referencing the peer from an ISAKMP policy is rejected:
[FW1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer fw2
Error: ike peer's remote addresses or domain name should be configed.
Step 1: basic configuration
FW1 firewall configuration
#
sysname FW1
#
interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.1.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
FW2 configuration
#
sysname FW2
#
interface GigabitEthernet0/0/0
ip address 101.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
Internet router configuration
#
interface GigabitEthernet0/0/0
ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 101.1.1.254 255.255.255.0
#
Checks:
Check connectivity between FW1 and PC1
<FW1>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/50/60 ms
Check connectivity between FW2 and PC2
[FW2]ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/46/53 ms
Check connectivity between FW1 and FW2
<FW1>ping 101.1.1.1
PING 101.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 101.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/28/40 ms
Check connectivity between PC1 and PC2 (this fails as expected: the private subnets are not reachable across the Internet until the IPsec tunnel is established)
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Step 2: IPsec phase 1 configuration
IKE security proposal
Configure the following on both FW1 and FW2
ike proposal 10 ---------- note: the proposal has default values, which can be modified
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 ---------- not used by IKEv1; used by IKEv2
 prf hmac-sha2-256
#
Check:
[FW1]display ike proposal
2020-03-14 14:25:22.420
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 10
Authentication Method : PRE_SHARED
Authentication Algorithm : SHA2-256
Encryption Algorithm : AES-256
Diffie-Hellman Group : MODP-2048
SA Duration(Seconds) : 86400
Integrity Algorithm : HMAC-SHA2-256
Prf Algorithm : HMAC-SHA2-256
-------------------------------------------
Configure the IKE peer
FW1 configuration. Note: with the template approach, remote-address is not required; it can be set to a network segment or left out entirely.
ike peer fw2 ---------- peer name
 pre-shared-key Huawei@123 ---------- the key, when pre-shared-key authentication is used
 ike-proposal 10 ---------- reference the IKE proposal
 undo version 2 ---------- disable IKEv2 (the default version is v2)
FW2 configuration
ike peer fw1
pre-shared-key Huawei@123
ike-proposal 10
undo version 2
remote-address 202.1.1.1
Check:
[FW1]display ike peer brief
2020-03-14 14:31:19.910
Current ike peer number: 1
---------------------------------------------------------------------------
Peer name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------------
fw2 v1 main 10 IP
Step 3: IPsec phase 2 configuration
Configure the interesting traffic (the actual communicating endpoints)
FW1:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
FW2:
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Note: for IKEv1 the interesting-traffic ACLs must be mirror images of each other and match exactly; if one side's flow contains the other's, or the flows differ, negotiation fails.
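As an added example, not part of the original post, the following Python script applies the mirror-image rule above to the two ACLs: it parses each peer's `rule ... permit ip source ... destination ...` lines, converts the VRP wildcard masks to prefixes, and reports every flow that has no exact mirror on the other side, distinguishing an overlapping or containing flow from one that is missing altogether. The two ACLs are the ones shown above; the third, mismatched ACL is constructed for this example to show the failure case, and the regular expression and the wording of the findings are this example's own assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# The two ACLs from the page, one per firewall.
FW1_ACL = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
"""
FW2_ACL = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""
# Constructed counter-example: the remote side covers a wider destination (a /16),
# which contains the local flow but is not its mirror image.
FW2_BAD_ACL = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
"""

# Matches the VRP rule syntax used on the page (assumption: 'permit ip' rules only).
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+permit\s+ip\s+"
    r"source\s+(?P<src>\S+)\s+(?P<swc>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)

Flow = Tuple[int, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a VRP 'address wildcard' pair (e.g. 192.168.1.0 0.0.0.255) to a network.

    The wildcard is an inverted mask; only contiguous masks are accepted because a
    non-contiguous wildcard cannot be expressed as a single prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_acl(text: str) -> List[Flow]:
    """Extract (rule id, source network, destination network) from each permit rule."""
    flows = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            flows.append((int(m["id"]),
                          wildcard_to_network(m["src"], m["swc"]),
                          wildcard_to_network(m["dst"], m["dwc"])))
    return flows


def _one_way(local: List[Flow], remote: List[Flow], side: str) -> List[str]:
    """Report each local flow that lacks an exact (dst, src) mirror on the remote peer."""
    remote_flows = {(s, d) for _, s, d in remote}
    findings = []
    for rid, src, dst in local:
        if (dst, src) in remote_flows:
            continue  # exact mirror present
        overlapping = [(s, d) for s, d in remote_flows
                       if s.overlaps(dst) and d.overlaps(src)]
        if overlapping:
            s, d = overlapping[0]
            findings.append(f"{side} rule {rid}: {src} -> {dst} overlaps peer flow "
                            f"{s} -> {d} but is not an exact mirror")
        else:
            findings.append(f"{side} rule {rid}: {src} -> {dst} has no counterpart on the peer")
    return findings


def check_mirror(local_text: str, remote_text: str) -> List[str]:
    """Return findings in both directions; an empty list means the ACLs are exact
    mirrors, which is what the IKEv1 phase 2 negotiation on the page requires."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    return _one_way(local, remote, "local") + _one_way(remote, local, "peer")


if __name__ == "__main__":
    for label, remote in (("mirrored", FW2_ACL), ("mismatched", FW2_BAD_ACL)):
        findings = check_mirror(FW1_ACL, remote)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print("  " + f)
```

Run it before pushing the ACLs to the two firewalls; the mismatched case above reports one finding per direction, because the /16 on the far side overlaps the local flow without mirroring it.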
IPsec security proposal
Configure on both FW1 and FW2
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
Check:
[FW1]display ipsec proposal
2020-03-14 14:33:58.850
Number of proposals: 1
IPSec proposal name: 10
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-256
[FW1]
Configure the IPsec security policy
FW1
#
ipsec policy-template 10 10 ---------- the first 10 is the template name, the second is the sequence number
 security acl 3000 ---------- reference the interesting-traffic ACL
 ike-peer fw2 ---------- reference the IKE peer
 proposal 10 ---------- reference the IPsec proposal
#
ipsec policy ipsec_policy 10 isakmp template 10
FW2
ipsec policy ipsec_policy 10 isakmp ---------- "isakmp" selects automatic (IKE) negotiation
 security acl 3000 ---------- reference the interesting-traffic ACL
 ike-peer fw1 ---------- reference the IKE peer
 alias ipsec_policy_10
 proposal 10 ---------- reference the IPsec proposal
Apply the policy on the physical interface
Configure on both FW1 and FW2
interface GigabitEthernet0/0/0
ipsec policy ipsec_policy
Security-policy rules permitting the traffic
FW1 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
#
FW2 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
#
Testing
By default, if auto-neg is not configured, negotiation has to be triggered manually by sending interesting traffic.
[FW1]display ike sa ---------- check the IKE SA; phase 1 problems show up here
2020-03-14 14:46:10.170
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
2 101.1.1.1:500 RD|ST|A v1:2 IP 101.1.1.1
1 101.1.1.1:500 RD|ST|A v1:1 IP 101.1.1.1
Number of IKE SA : 2
--------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
View the IPsec SA information
[FW1]display ipsec sa
2020-03-14 15:16:47.650
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/0
===============================
-----------------------------
IPSec policy name: "ipsec_policy"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Holding time : 0d 0h 11m 51s
Tunnel local : 202.1.1.1:500
Tunnel remote : 101.1.1.1:500
Flow source : 192.168.1.0/255.255.255.0 0/0-65535
Flow destination : 192.168.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 190568358 (0xb5bd7a6)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2889
Max sent sequence-number: 7
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 6/360
[Inbound ESP SAs]
SPI: 194468180 (0xb975954)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2889
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
[FW1]
View the encryption/decryption statistics
[FW1]display ipsec statistics
2020-03-14 15:17:20.770
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 4/6
input/output security bytes: 240/360
input/output dropped security packets: 0/5
the encrypt packet statistics:
send chip: 6, recv chip: 6, send err: 0
local cpu: 6, other cpu: 0, recv other cpu: 0
intact packet: 6, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 4, recv chip: 4, send err: 0
local cpu: 4, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 5, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 5, err: 0
IKE ctrl packet inbound ok: 5, outbound ok: 4
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
[FW1]
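As an added example, not part of the original post, here is a small Python checker that reads the two outputs above the way an operator would: from `display ike sa` it confirms that both a phase 1 (v1:1) and a phase 2 (v1:2) SA are in the RD (ready) state, and from `display ipsec statistics` it pulls the tunnel count and the dropped-packet counters and lists every drop reason that is non-zero (on this page that is `flow err: 5`, matching the `0/5` output drops). The sample text is copied from the page's own output, abbreviated to the rows the script reads; the field layout the parser assumes (an optional VPN column between Peer and Flag(s), which is blank in the page's output) is this example's assumption.

```python
import re
from typing import Dict, List

# Sample input, copied from the 'display ike sa' output on this page.
IKE_SA_OUTPUT = """\
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------
2 101.1.1.1:500 RD|ST|A v1:2 IP 101.1.1.1
1 101.1.1.1:500 RD|ST|A v1:1 IP 101.1.1.1
Number of IKE SA : 2
"""

# Sample input, copied from the 'display ipsec statistics' output on this page.
IPSEC_STATS_OUTPUT = """\
IPSec statistics information:
Number of IPSec tunnels: 1
the security packet statistics:
input/output security packets: 4/6
input/output dropped security packets: 0/5
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 5, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 5, err: 0
"""

TUNNELS_RE = re.compile(r"Number of IPSec tunnels:\s*(\d+)")
DROPPED_RE = re.compile(r"input/output dropped security packets:\s*(\d+)/(\d+)")
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)")


def parse_ike_sa(text: str) -> List[Dict[str, object]]:
    """Parse the data rows of 'display ike sa' (rows start with a numeric Conn-ID).
    Assumption: rows have 6 fields, or 7 when the VPN column is populated."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        if len(fields) == 7:
            vpn, rest = fields[2], fields[3:]
        else:
            vpn, rest = "", fields[2:]
        flags, phase, remote_type, remote_id = rest[:4]
        rows.append({"conn_id": fields[0], "peer": fields[1], "vpn": vpn,
                     "flags": flags.split("|"), "phase": phase,
                     "remote_type": remote_type, "remote_id": remote_id})
    return rows


def ike_phases_ready(rows: List[Dict[str, object]]) -> Dict[str, bool]:
    """True for a phase only if an SA of that phase carries the RD (ready) flag."""
    ready = {"phase1": False, "phase2": False}
    for r in rows:
        if "RD" not in r["flags"]:
            continue
        if str(r["phase"]).endswith(":1"):
            ready["phase1"] = True
        elif str(r["phase"]).endswith(":2"):
            ready["phase2"] = True
    return ready


def parse_ipsec_statistics(text: str) -> Dict[str, object]:
    """Extract the tunnel count, the in/out dropped counters and every
    'name: value' pair from the 'dropped security packet detail' section."""
    result = {"tunnels": 0, "dropped_in_out": (0, 0), "drop_detail": {}}
    in_detail = False
    for line in text.splitlines():
        stripped = line.strip()
        m = TUNNELS_RE.search(stripped)
        if m:
            result["tunnels"] = int(m.group(1))
        m = DROPPED_RE.search(stripped)
        if m:
            result["dropped_in_out"] = (int(m.group(1)), int(m.group(2)))
        if stripped.startswith("dropped security packet detail"):
            in_detail = True
            continue
        if stripped.startswith("negotiate about packet statistics"):
            in_detail = False
        if in_detail:
            for name, value in COUNTER_RE.findall(stripped):
                result["drop_detail"][name.strip()] = int(value)
    return result


def nonzero_drop_reasons(stats: Dict[str, object]) -> List[str]:
    """Names of drop counters that are greater than zero, sorted for stable output."""
    return sorted(name for name, count in stats["drop_detail"].items() if count > 0)


def tunnel_health(ike_text: str, stats_text: str) -> Dict[str, object]:
    """Combine both outputs into one summary an operator can act on."""
    ready = ike_phases_ready(parse_ike_sa(ike_text))
    stats = parse_ipsec_statistics(stats_text)
    return {"phase1": ready["phase1"], "phase2": ready["phase2"],
            "tunnels": stats["tunnels"],
            "dropped_in_out": stats["dropped_in_out"],
            "drop_reasons": nonzero_drop_reasons(stats)}


if __name__ == "__main__":
    for key, value in tunnel_health(IKE_SA_OUTPUT, IPSEC_STATS_OUTPUT).items():
        print(f"{key}: {value}")
```

A missing phase 2 entry with phase 1 ready points at the phase 2 settings (ACL mirror, IPsec proposal); a non-zero `replay` or `authentication` counter points at the inbound SA rather than the negotiation.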
Note: when interoperating with a Huawei router
ipsec proposal 10
 esp authentication-algorithm sha1 ---------- note: router vs. firewall; the ESP authentication algorithm is SHA1 here
 esp encryption-algorithm aes-128