The company headquarters (network A) and two branch offices (networks B and C) connect to the Internet through USG5500 A, USG5500 B and USG5500 C respectively. USG5500 A has IP reachability to USG5500 B and USG5500 C.
Configure the interface IP addresses
system-view
[USG5500A]interface GigabitEthernet 0/0/2
[USG5500A-GigabitEthernet0/0/2]ip address 10.1.1.1 24
[USG5500A-GigabitEthernet0/0/2]quit
[USG5500A]interface GigabitEthernet 0/0/1
[USG5500A-GigabitEthernet0/0/1]ip address 200.1.1.1 30
[USG5500A-GigabitEthernet0/0/1]quit
Add the interfaces to the corresponding security zones
[USG5500A]firewall zone trust
[USG5500A-zone-trust]add interface GigabitEthernet 0/0/2
[USG5500A-zone-trust]quit
[USG5500A]firewall zone untrust
[USG5500A-zone-untrust]add interface GigabitEthernet 0/0/1
[USG5500A-zone-untrust]quit
Enable the interzone packet-filtering rules between the Trust and Untrust zones
[USG5500A]policy interzone trust untrust outbound
[USG5500A-policy-interzone-trust-untrust-outbound]policy 1
[USG5500A-policy-interzone-trust-untrust-outbound-1]policy source 10.1.1.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-outbound-1]policy destination 10.1.2.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-outbound-1]policy destination 10.1.3.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-outbound-1]action permit
[USG5500A-policy-interzone-trust-untrust-outbound-1]quit
[USG5500A]policy interzone trust untrust inbound
[USG5500A-policy-interzone-trust-untrust-inbound]policy 1
[USG5500A-policy-interzone-trust-untrust-inbound-1]policy source 10.1.2.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-inbound-1]policy source 10.1.3.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-inbound-1]policy destination 10.1.1.0 0.0.0.255
[USG5500A-policy-interzone-trust-untrust-inbound-1]action permit
[USG5500A-policy-interzone-trust-untrust-inbound-1]quit
Enable the interzone packet-filtering rules between the Local and Untrust zones
[USG5500A]policy interzone local untrust inbound
[USG5500A-policy-interzone-local-untrust-inbound]policy 1
[USG5500A-policy-interzone-local-untrust-inbound-1]policy source 200.1.2.0 0.0.0.3
[USG5500A-policy-interzone-local-untrust-inbound-1]policy source 200.1.3.0 0.0.0.3
[USG5500A-policy-interzone-local-untrust-inbound-1]action permit
[USG5500A-policy-interzone-local-untrust-inbound-1]quit
Note:
[USG5500A] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
Configure advanced ACL 3000 to define the traffic from the headquarters to network B
[USG5500A] acl 3000
[USG5500A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 10.1.2.0 0.0.0.255
[USG5500A-acl-adv-3000] quit
Configure advanced ACL 3001 to define the traffic from the headquarters to network C
[USG5500A] acl 3001
[USG5500A-acl-adv-3001] rule permit ip source 10.1.0.0 0.0.255.255 destination 10.1.3.0 0.0.0.255
[USG5500A-acl-adv-3001] quit
Note:
[USG5500A] ipsec proposal tran1
[USG5500A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG5500A-ipsec-proposal-tran1] transform esp
[USG5500A-ipsec-proposal-tran1] esp authentication-algorithm md5
[USG5500A-ipsec-proposal-tran1] esp encryption-algorithm des
[USG5500A-ipsec-proposal-tran1] quit
Or, keeping the default parameters, simply:
[USG5500A] ipsec proposal tran1
[USG5500A-ipsec-proposal-tran1] quit
[USG5500A] ike proposal 10
[USG5500A-ike-proposal-10] authentication-method pre-share
[USG5500A-ike-proposal-10] authentication-algorithm sha1
[USG5500A-ike-proposal-10] quit
Or, keeping the default parameters, simply:
[USG5500A] ike proposal 10
[USG5500A-ike-proposal-10] quit
Note:
Configure the IKE peer named b
[USG5500A] ike peer b
[USG5500A-ike-peer-b] ike-proposal 10
[USG5500A-ike-peer-b] remote-address 200.1.2.1
[USG5500A-ike-peer-b] pre-shared-key abcde
[USG5500A-ike-peer-b] quit
Configure the IKE peer named c
[USG5500A] ike peer c
[USG5500A-ike-peer-c] ike-proposal 10
[USG5500A-ike-peer-c] remote-address 200.1.3.1
[USG5500A-ike-peer-c] pre-shared-key abcde
[USG5500A-ike-peer-c] quit
Note:
The USG5500 has both IKEv1 and IKEv2 enabled; by default it negotiates with IKEv2. If the peer does not support IKEv2, disable IKEv2 so that negotiation falls back to IKEv1. Run the [ undo ] version { 1 | 2 } command in the IKE peer view to configure this.
The tunnel peer addresses are the IP addresses of the Internet-facing interfaces of USG5500 B and USG5500 C respectively.
The pre-shared key must be identical to the one configured on the peer device.
Configure the IPsec policy with sequence number 10
[USG5500A] ipsec policy map1 10 isakmp
[USG5500A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG5500A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG5500A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG5500A-ipsec-policy-isakmp-map1-10] quit
Configure the IPsec policy with sequence number 20
[USG5500A] ipsec policy map1 20 isakmp
[USG5500A-ipsec-policy-isakmp-map1-20] security acl 3001
[USG5500A-ipsec-policy-isakmp-map1-20] proposal tran1
[USG5500A-ipsec-policy-isakmp-map1-20] ike-peer c
[USG5500A-ipsec-policy-isakmp-map1-20] quit
[USG5500A] interface GigabitEthernet 0/0/1
[USG5500A-GigabitEthernet0/0/1] ipsec policy map1
[USG5500A-GigabitEthernet0/0/1] quit
Configure the interface IP addresses
system-view
[USG5500B] interface GigabitEthernet 0/0/2
[USG5500B-GigabitEthernet0/0/2] ip address 10.1.2.1 24
[USG5500B-GigabitEthernet0/0/2] quit
[USG5500B] interface GigabitEthernet 0/0/1
[USG5500B-GigabitEthernet0/0/1] ip address 200.1.2.1 30
[USG5500B-GigabitEthernet0/0/1] quit
Add the interfaces to the corresponding security zones
[USG5500B] firewall zone trust
[USG5500B-zone-trust] add interface GigabitEthernet 0/0/2
[USG5500B-zone-trust] quit
[USG5500B] firewall zone untrust
[USG5500B-zone-untrust] add interface GigabitEthernet 0/0/1
[USG5500B-zone-untrust] quit
Enable the interzone packet-filtering rules between the Trust and Untrust zones
[USG5500B]policy interzone trust untrust outbound
[USG5500B-policy-interzone-trust-untrust-outbound]policy 1
[USG5500B-policy-interzone-trust-untrust-outbound-1]policy source 10.1.2.0 0.0.0.255
[USG5500B-policy-interzone-trust-untrust-outbound-1]policy destination 10.1.0.0 0.0.255.255
[USG5500B-policy-interzone-trust-untrust-outbound-1]action permit
[USG5500B-policy-interzone-trust-untrust-outbound-1]quit
[USG5500B]policy interzone trust untrust inbound
[USG5500B-policy-interzone-trust-untrust-inbound]policy 1
[USG5500B-policy-interzone-trust-untrust-inbound-1]policy source 10.1.0.0 0.0.255.255
[USG5500B-policy-interzone-trust-untrust-inbound-1]policy destination 10.1.2.0 0.0.0.255
[USG5500B-policy-interzone-trust-untrust-inbound-1]action permit
[USG5500B-policy-interzone-trust-untrust-inbound-1]quit
Enable the interzone packet-filtering rules between the Local and Untrust zones
[USG5500B]policy interzone local untrust inbound
[USG5500B-policy-interzone-local-untrust-inbound]policy 1
[USG5500B-policy-interzone-local-untrust-inbound-1]policy source 200.1.1.0 0.0.0.3
[USG5500B-policy-interzone-local-untrust-inbound-1]action permit
[USG5500B-policy-interzone-local-untrust-inbound-1]quit
Note:
[USG5500B] ip route-static 0.0.0.0 0.0.0.0 200.1.2.2
Configure advanced ACL 3000 to define the traffic between the headquarters and network B
[USG5500B] acl 3000
[USG5500B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
[USG5500B-acl-adv-3000] quit
Note:
[USG5500B] ipsec proposal tran1
[USG5500B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG5500B-ipsec-proposal-tran1] transform esp
[USG5500B-ipsec-proposal-tran1] esp authentication-algorithm md5
[USG5500B-ipsec-proposal-tran1] esp encryption-algorithm des
[USG5500B-ipsec-proposal-tran1] quit
[USG5500B] ike proposal 10
[USG5500B-ike-proposal-10] authentication-method pre-share
[USG5500B-ike-proposal-10] authentication-algorithm sha1
[USG5500B-ike-proposal-10] quit
[USG5500B] ike peer a
[USG5500B-ike-peer-a] ike-proposal 10
[USG5500B-ike-peer-a] remote-address 200.1.1.1
[USG5500B-ike-peer-a] pre-shared-key abcde
[USG5500B-ike-peer-a] quit
[USG5500B] ipsec policy map1 10 isakmp
[USG5500B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG5500B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG5500B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG5500B-ipsec-policy-isakmp-map1-10] quit
[USG5500B] interface GigabitEthernet 0/0/1
[USG5500B-GigabitEthernet0/0/1] ipsec policy map1
[USG5500B-GigabitEthernet0/0/1] quit
Configure USG5500 C by following the USG5500 B configuration with its own addresses
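Before testing with ping, it is worth checking offline that the two ends of each tunnel line up: the peer's ACL must be the mirror image of the local one, and the proposal on this page uses DES and MD5, which are no longer acceptable for ESP. The following Python audit is an added example, not part of the original guide or any Huawei tool; it parses constructed excerpts of the USG5500 A and USG5500 B configurations above and reports mismatches, weak algorithms and a short pre-shared key.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the USG5500 A and USG5500 B configurations above
# (prompts stripped; only the lines the audit looks at are kept).
CFG_A = """
acl 3000
 rule permit ip source 10.1.0.0 0.0.255.255 destination 10.1.2.0 0.0.0.255
 esp authentication-algorithm md5
 esp encryption-algorithm des
 pre-shared-key abcde
"""
CFG_B = """
acl 3000
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
 esp authentication-algorithm md5
 esp encryption-algorithm des
 pre-shared-key abcde
"""
RULE_RE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
WEAK_ALGS = {"des", "3des", "md5"}  # no longer acceptable for ESP

def parse(cfg):
    """Pull ACL rules, ESP algorithms and the pre-shared key out of a config."""
    info = {"rules": [], "algs": [], "psk": None}
    for line in (l.strip() for l in cfg.splitlines()):
        m = RULE_RE.match(line)
        if m:
            # Huawei ACLs use wildcard masks; ipaddress accepts them as hostmasks.
            info["rules"].append((IPv4Network(f"{m[1]}/{m[2]}"),
                                  IPv4Network(f"{m[3]}/{m[4]}")))
        elif line.startswith("esp "):
            info["algs"].append(line.split()[-1])
        elif line.startswith("pre-shared-key "):
            info["psk"] = line.split(None, 1)[1]
    return info

def audit(local_cfg, peer_cfg):
    """Return findings for the local end; an empty list means nothing to fix."""
    local, peer = parse(local_cfg), parse(peer_cfg)
    findings = []
    # The peer's ACL must mirror ours or the IPsec SA negotiation fails.
    for src, dst in local["rules"]:
        if (dst, src) not in peer["rules"]:
            findings.append(f"no mirror rule on peer for {src} -> {dst}")
    findings += [f"weak ESP algorithm: {a}" for a in local["algs"] if a in WEAK_ALGS]
    if local["psk"] is not None and len(local["psk"]) < 12:
        findings.append("pre-shared key shorter than 12 characters")
    return findings
```

Run audit(CFG_A, CFG_B) for the headquarters end and audit(CFG_B, CFG_A) for the branch; the same check applies to USG5500 C with ACL 3001.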
PC1 ping PC2
PC1 ping PC3
Packet capture during PC1 ping PC2: the data is encrypted with ESP
Packet capture during PC1 ping PC3: the data is encrypted with ESP
No additional NAT policy is required; the ike peer enables NAT traversal by default
PC1 ping PC2
PC1 ping PC3