Multi-site IPsec configuration in policy-template mode: the approach
Step 1: Basic configuration
FW1 firewall configuration
#
sysname FW1
#
interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.1.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
FW2 firewall configuration
#
sysname FW2
#
interface GigabitEthernet0/0/0
ip address 101.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
FW3 firewall configuration
#
sysname FW3
#
interface GigabitEthernet0/0/0
ip address 60.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.3.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
Internet router configuration
#
interface GigabitEthernet0/0/0
ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 101.1.1.254 255.255.255.0
#
Verification:
Check connectivity between FW1 and PC1
ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/50/60 ms
Check connectivity between FW2 and PC2
[FW2]ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/46/53 ms
Check connectivity between FW3 and PC3
[FW3]ping 192.168.3.3
PING 192.168.3.3: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.3.3: bytes=56 Sequence=2 ttl=128 time=47 ms
Reply from 192.168.3.3: bytes=56 Sequence=3 ttl=128 time=42 ms
Reply from 192.168.3.3: bytes=56 Sequence=4 ttl=128 time=36 ms
Reply from 192.168.3.3: bytes=56 Sequence=5 ttl=128 time=27 ms
--- 192.168.3.3 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 27/38/47 ms
Check connectivity between FW1 and FW2
ping 101.1.1.1
PING 101.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 101.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/28/40 ms
Check connectivity between FW1 and FW3
[FW1]ping 60.1.1.1
PING 60.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 60.1.1.1: bytes=56 Sequence=1 ttl=254 time=15 ms
Reply from 60.1.1.1: bytes=56 Sequence=2 ttl=254 time=11 ms
Reply from 60.1.1.1: bytes=56 Sequence=3 ttl=254 time=8 ms
Reply from 60.1.1.1: bytes=56 Sequence=4 ttl=254 time=9 ms
Reply from 60.1.1.1: bytes=56 Sequence=5 ttl=254 time=8 ms
--- 60.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 8/10/15 ms
Check connectivity between PC1 and PC2 (fails as expected before IPsec is configured: the private 192.168.x.0 networks are not routable across the Internet router)
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Check connectivity between PC1 and PC3 (fails for the same reason)
PC>ping 192.168.3.3
Ping 192.168.3.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Step 2: IPsec phase 1 configuration
IKE proposal
Configure the following on FW1, FW2 and FW3
ike proposal 10    (note: a proposal has default settings, which can be modified)
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256    (this parameter is not used by IKEv1; it is used by IKEv2)
prf hmac-sha2-256
#
Verification:
[FW1]display ike proposal
2020-03-14 14:25:22.420
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 10
Authentication Method : PRE_SHARED
Authentication Algorithm : SHA2-256
Encryption Algorithm : AES-256
Diffie-Hellman Group : MODP-2048
SA Duration(Seconds) : 86400
Integrity Algorithm : HMAC-SHA2-256
Prf Algorithm : HMAC-SHA2-256
-------------------------------------------
Configure the IKE peer
FW1 configuration. Note: in template mode remote-address does not need to be configured; a network segment may be configured, or it may be left out altogether.
ike peer yuanduan -----------name of the peer
pre-shared-key Huawei@123---------------when pre-shared-key authentication is used, configure the key
ike-proposal 10 -----------------------------reference the IKE proposal
undo version 2-------------------------------disable IKEv2 (v2 is the default version), leaving IKEv1
FW2 and FW3 configuration
ike peer fw1
pre-shared-key Huawei@123
ike-proposal 10
undo version 2
remote-address 202.1.1.1
Verification:
[FW1]display ike peer brief
2020-03-14 14:31:19.910
Current ike peer number: 1
---------------------------------------------------------------------------
Peer name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------------
yuanduan v1 main 10 IP
Step 3: IPsec phase 2 configuration
Define the interesting traffic (the flows that actually communicate)
FW1:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
FW2:
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
FW3:
acl number 3000
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Note: with IKEv1 the interesting traffic on the two peers must be exact mirror images of each other. If one side's flow merely contains the other's, or the two differ, negotiation fails.
IPsec proposal
Configure on FW1, FW2 and FW3
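Added example (not part of the original lab) that checks the mirror requirement just stated: it parses the ACL 3000 rules of the hub FW1 and the two spokes, converts Huawei wildcard masks to prefixes, and reports for each spoke rule whether FW1 holds its exact mirror, only a superset (which IKEv1 rejects), or nothing. The rule strings are constructed from the page; the function names are my own.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample input: the ACL 3000 rules of the hub (FW1) and the two spokes in this lab.
FW1_ACL = [
    "rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
]
SPOKE_ACLS = {
    "FW2": ["rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"],
    "FW3": ["rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"],
}
RULE_RE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard (inverse) masks: 0.0.0.255 means a /24, 0.0.0.0 a single host."""
    bits = int(IPv4Address(wildcard))
    if bits & (bits + 1):  # a usable wildcard is a run of ones in the low bits (2**k - 1)
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def parse_rule(line):
    """Return (source_network, destination_network) for a 'permit ip' ACL rule."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL rule: {line}")
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])

def check_mirrors(hub_acl, spoke_acls):
    """Classify every spoke rule against the hub ACL:
    'ok'       the hub holds the exact mirror (hub src == spoke dst and hub dst == spoke src)
    'subset'   the spoke flow is merely contained in a hub flow; IKEv1 will not negotiate
    'no match' no hub flow covers the spoke flow at all
    """
    hub_flows = {parse_rule(r) for r in hub_acl}
    report = {}
    for spoke, rules in spoke_acls.items():
        statuses = []
        for rule in rules:
            src, dst = parse_rule(rule)
            if (dst, src) in hub_flows:
                statuses.append("ok")
            elif any(dst.subnet_of(hs) and src.subnet_of(hd) for hs, hd in hub_flows):
                statuses.append("subset")
            else:
                statuses.append("no match")
        report[spoke] = statuses
    return report
```

Running check_mirrors(FW1_ACL, SPOKE_ACLS) on the lab's rules reports "ok" for both FW2 and FW3; narrowing a spoke's destination to 192.168.1.0 0.0.0.127 would be reported as "subset", the case the note above warns about.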
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
Verification:
[FW1]display ipsec proposal
2020-03-14 14:33:58.850
Number of proposals: 1
IPSec proposal name: 10
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-256
[FW1]
Configure the IPsec policy
FW1
#
ipsec policy-template 10 10    (the first 10 is the template name, the second is its sequence number)
security acl 3000-----------------------reference the interesting traffic
ike-peer yuanduan---------------------------reference the IKE peer (the peer defined on FW1 above is named yuanduan, so that is the name to reference here)
proposal 10---------------------------reference the IPsec proposal
#
ipsec policy ipsec_policy 10 isakmp template 10
FW2 and FW3 configuration
ipsec policy ipsec_policy 10 isakmp    (isakmp means the SA is negotiated automatically through IKE)
security acl 3000 -----------------------reference the interesting traffic
ike-peer fw1 ---------------------------reference the IKE peer
alias ipsec_policy_10
proposal 10 ---------------------------reference the IPsec proposal
Apply the policy on the physical interface
Configure on FW1, FW2 and FW3
interface GigabitEthernet0/0/0
ipsec policy ipsec_policy
Permit the traffic in the security policy (these lab firewalls still carry "default action permit" from step 1, so the explicit rules below only take effect once that default is changed to deny)
FW1 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.3.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
#
FW2 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
#
FW3 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.3.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
#
Test results:
Ping PC1 from PC2
PC>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/81/94 ms
PC>
Ping PC1 from PC3
PC>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=62 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=63 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/71/94 ms
View the IKE SAs on FW1
[FW1]display ike sa
2020-03-15 05:22:58.390
IKE SA information :
Conn-ID Peer *** Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
2 101.1.1.1:500 RD|A v1:2 IP 101.1.1.1
1 101.1.1.1:500 RD|A v1:1 IP 101.1.1.1
4 60.1.1.1:500 RD|A v1:2 IP 60.1.1.1
3 60.1.1.1:500 RD|A v1:1 IP 60.1.1.1
Number of IKE SA : 4
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
View the IPsec SAs on FW1
[FW1]display ipsec sa
2020-03-15 05:23:01.660
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/0
===============================
-----------------------------
IPSec policy name: "ipsec_policy"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Holding time : 0d 0h 35m 23s
Tunnel local : 202.1.1.1:500
Tunnel remote : 101.1.1.1:500
Flow source : 192.168.1.0/255.255.255.0 0/0-65535
Flow destination : 192.168.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 187921672 (0xb337508)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1476
Max sent sequence-number: 17
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 16/960
[Inbound ESP SAs]
SPI: 197430515 (0xbc48cf3)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/1476
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 19/1140
Anti-replay : Enable
Anti-replay window size: 1024
-----------------------------
IPSec policy name: "ipsec_policy"
Sequence number : 10
Acl group : 3000
Acl rule : 10
Mode : Template
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Holding time : 0d 0h 35m 10s
Tunnel local : 202.1.1.1:500
Tunnel remote : 60.1.1.1:500
Flow source : 192.168.1.0/255.255.255.0 0/0-65535
Flow destination : 192.168.3.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 197283812 (0xbc24fe4)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1489
Max sent sequence-number: 14
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 13/780
[Inbound ESP SAs]
SPI: 187509375 (0xb2d2a7f)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1489
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 14/840
Anti-replay : Enable
Anti-replay window size: 1024
View the IPsec encryption and decryption statistics on FW1
[FW1]display ipsec statistics
2020-03-15 05:23:12.690
IPSec statistics information:
Number of IPSec tunnels: 2
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 33/29
input/output security bytes: 1980/1740
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 29, recv chip: 29, send err: 0
local cpu: 29, other cpu: 0, recv other cpu: 0
intact packet: 29, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 33, recv chip: 33, send err: 0
local cpu: 33, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 10, err: 0
IKE ctrl packet inbound ok: 10, outbound ok: 8
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 2, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
[FW1]