Example for Configuring the Headquarters to Establish Multiple IPSec Tunnels with Branches Using an IPSec Policy Group

Networking Requirements

As shown in Figure 1, RouterA and RouterB are enterprise branch gateways and RouterC is the enterprise headquarters gateway. The branches communicate with the headquarters over the public network, and every gateway has a fixed IP address. The subnet of branch A is 192.168.1.0/24, the subnet of branch B is 192.168.2.0/24, and the headquarters subnet is 192.168.3.0/24.

The enterprise wants to protect the traffic exchanged between the branch subnets and the headquarters subnet. Because the branches and the headquarters communicate over the public network, IPSec tunnels can be set up between the branch gateways and the headquarters gateway to protect this traffic. Since the headquarters gateway can specify the IP address of each branch gateway, deploying an IPSec policy group on RouterC lets it initiate IPSec negotiation with each branch gateway, or accept negotiation initiated by each branch gateway, and so establish multiple IPSec tunnels.

**Figure 1** Networking diagram for configuring the headquarters to establish multiple IPSec tunnels with branches using an IPSec policy group


Configuration Roadmap

The configuration roadmap for establishing multiple IPSec tunnels through IKE negotiation (IPSec policy group) is as follows:

  1. Configure IP addresses for the interfaces and static routes to the peers so that the two ends are reachable.

  2. Configure ACLs to define the data flows to be protected by IPSec.

  3. Configure IPSec proposals to define how IPSec protects the traffic.

  4. Configure IKE peers to define the attributes used during IKE negotiation between peers.

  5. Create an IPSec policy on RouterA and on RouterB, each specifying which data flow is protected and how. On RouterC, create an IPSec policy group that specifies separately how the data flows between RouterA and RouterC and between RouterB and RouterC are protected.

  6. Apply the IPSec policy group to an interface so that the interface provides IPSec protection.

Procedure

  1. Configure IP addresses for the interfaces and static routes to the peers on RouterA, RouterB and RouterC so that the three routers can reach each other

    Configure IP addresses for the interfaces on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] undo portswitch
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] undo portswitch
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit

    Configure static routes to the peer on RouterA. Here the next-hop address toward the headquarters subnet is assumed to be 60.1.1.2.

    [RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2

    Configure IP addresses for the interfaces on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] undo portswitch
    [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] undo portswitch
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit

    Configure static routes to the peer on RouterB. Here the next-hop address toward the headquarters subnet is assumed to be 60.1.2.2.

    [RouterB] ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 192.168.3.0 255.255.255.0 60.1.2.2

    Configure IP addresses for the interfaces on RouterC.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] undo portswitch
    [RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] undo portswitch
    [RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit

    Configure static routes to the peers on RouterC. Here the next-hop address toward both the branch A subnet and the branch B subnet is assumed to be 60.1.3.2.

    [RouterC] ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 192.168.2.0 255.255.255.0 60.1.3.2

  2. Configure ACLs on RouterA, RouterB and RouterC to define the data flows each router protects.

    Configure an ACL on RouterA to define the data flow from subnet 192.168.1.0/24 to subnet 192.168.3.0/24.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    Configure an ACL on RouterB to define the data flow from subnet 192.168.2.0/24 to subnet 192.168.3.0/24.

    [RouterB] acl number 3002
    [RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterB-acl-adv-3002] quit

    Configure ACLs on RouterC to define the data flows from subnet 192.168.3.0/24 to subnet 192.168.1.0/24 and to subnet 192.168.2.0/24, one ACL per flow.

    [RouterC] acl number 3002
    [RouterC-acl-adv-3002] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    [RouterC-acl-adv-3002] quit
    [RouterC] acl number 3003
    [RouterC-acl-adv-3003] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    [RouterC-acl-adv-3003] quit

  3. Create IPSec proposals on RouterA, RouterB and RouterC

    Configure an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

    Configure an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    Configure an IPSec proposal on RouterC.

    [RouterC] ipsec proposal tran1
    [RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterC-ipsec-proposal-tran1] quit

    At this point, running display ipsec proposal on RouterA, RouterB or RouterC shows the configured information. RouterA is used as an example.

    [RouterA] display ipsec proposal name tran1

    IPSec proposal name: tran1
    Encapsulation mode: Tunnel
    Transform : esp-new
    ESP protocol : Authentication SHA2-HMAC-256
    Encryption AES-128

  4. Configure IKE peers on RouterA, RouterB and RouterC

    Configure an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    Configure an IKE peer on RouterA.

    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rut1] remote-address 60.1.3.1
    [RouterA-ike-peer-rut1] quit

    Configure an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    Configure an IKE peer on RouterB.

    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterB-ike-peer-rut1] remote-address 60.1.3.1
    [RouterB-ike-peer-rut1] quit

    Configure an IKE proposal on RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit

    Configure two IKE peers on RouterC, one per branch gateway.

    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterC-ike-peer-rut1] remote-address 60.1.1.1
    [RouterC-ike-peer-rut1] quit
    [RouterC] ike peer rut2
    [RouterC-ike-peer-rut2] undo version 2
    [RouterC-ike-peer-rut2] ike-proposal 5
    [RouterC-ike-peer-rut2] pre-shared-key cipher huawei@123
    [RouterC-ike-peer-rut2] remote-address 60.1.2.1
    [RouterC-ike-peer-rut2] quit

  5. Create IPSec policies on RouterA and RouterB, and an IPSec policy group on RouterC

    Configure an IPSec policy on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    Configure an IPSec policy on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterB-ipsec-policy-isakmp-policy1-10] quit

    Configure an IPSec policy group on RouterC: two entries of policy1 (sequence numbers 10 and 11), each binding one IKE peer to the ACL for that branch.

    [RouterC] ipsec policy policy1 10 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterC-ipsec-policy-isakmp-policy1-10] quit
    [RouterC] ipsec policy policy1 11 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-11] ike-peer rut2
    [RouterC-ipsec-policy-isakmp-policy1-11] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-11] security acl 3003
    [RouterC-ipsec-policy-isakmp-policy1-11] quit

    At this point, running display ipsec policy on RouterA or RouterB shows the configured information.

    Running display ipsec policy on RouterC shows the configured information.

  6. Apply the IPSec policy group to an interface on RouterA, RouterB and RouterC so that the interfaces provide IPSec protection

    Apply the IPSec policy group to the interface on RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    Apply the IPSec policy group to the interface on RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    Apply the IPSec policy group to the interface on RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit

  7. Verify the configuration

    After the configuration succeeds, PC A and PC B can still ping PC C, and the data transmitted between them is encrypted.

    Run display ike sa on RouterA and RouterB to view the IKE SA information. RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID   Peer            VPN   Flag(s)   Phase   RemoteType   RemoteID
      24366     60.1.3.1:500          RD|ST     v1:2    IP           60.1.3.1
      24274     60.1.3.1:500          RD|ST     v1:1    IP           60.1.3.1

    Number of IKE SA : 2

    Flag Description:
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
    HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
    M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

    Run display ike sa on RouterC. The output shows one phase 1 SA and one phase 2 SA for each branch gateway:

    [RouterC] display ike sa
    IKE SA information :
      Conn-ID   Peer            VPN   Flag(s)   Phase   RemoteType   RemoteID
      961       60.1.2.1:500          RD        v1:2    IP           60.1.2.1
      933       60.1.2.1:500          RD        v1:1    IP           60.1.2.1
      937       60.1.1.1:500          RD        v1:2    IP           60.1.1.1
      936       60.1.1.1:500          RD        v1:1    IP           60.1.1.1

    Number of IKE SA : 4

    Flag Description:
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
    HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
    M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

Configuration Files

  • RouterA configuration file

    #
    sysname RouterA

    acl number 3002
    rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

    ipsec proposal tran1
    esp authentication-algorithm sha2-256
    esp encryption-algorithm aes-128

    ike proposal 5
    encryption-algorithm aes-128
    dh group14
    authentication-algorithm sha2-256
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256

    ike peer rut1
    undo version 2
    pre-shared-key cipher %%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%%#
    ike-proposal 5
    remote-address 60.1.3.1

    ipsec policy policy1 10 isakmp
    security acl 3002
    ike-peer rut1
    proposal tran1

    interface GigabitEthernet0/0/1
    undo portswitch
    ip address 60.1.1.1 255.255.255.0
    ipsec policy policy1

    interface GigabitEthernet0/0/2
    undo portswitch
    ip address 192.168.1.2 255.255.255.0

    ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.1.2

    return

  • RouterB configuration file

    #
    sysname RouterB

    acl number 3002
    rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

    ipsec proposal tran1
    esp authentication-algorithm sha2-256
    esp encryption-algorithm aes-128

    ike proposal 5
    encryption-algorithm aes-128
    dh group14
    authentication-algorithm sha2-256
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256

    ike peer rut1
    undo version 2
    pre-shared-key cipher %%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%%#
    ike-proposal 5
    remote-address 60.1.3.1

    ipsec policy policy1 10 isakmp
    security acl 3002
    ike-peer rut1
    proposal tran1

    interface GigabitEthernet0/0/1
    undo portswitch
    ip address 60.1.2.1 255.255.255.0
    ipsec policy policy1

    interface GigabitEthernet0/0/2
    undo portswitch
    ip address 192.168.2.2 255.255.255.0

    ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.2.2

    return

  • RouterC configuration file

    #
    sysname RouterC

    acl number 3002
    rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    acl number 3003
    rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

    ipsec proposal tran1
    esp authentication-algorithm sha2-256
    esp encryption-algorithm aes-128

    ike proposal 5
    encryption-algorithm aes-128
    dh group14
    authentication-algorithm sha2-256
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256

    ike peer rut1
    undo version 2
    pre-shared-key cipher %%#IRFGEiFPJ1>%#
    ike-proposal 5
    remote-address 60.1.1.1

    ike peer rut2
    undo version 2
    pre-shared-key cipher %%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%%#
    ike-proposal 5
    remote-address 60.1.2.1

    ipsec policy policy1 10 isakmp
    security acl 3002
    ike-peer rut1
    proposal tran1
    ipsec policy policy1 11 isakmp
    security acl 3003
    ike-peer rut2
    proposal tran1

    interface GigabitEthernet0/0/1
    undo portswitch
    ip address 60.1.3.1 255.255.255.0
    ipsec policy policy1

    interface GigabitEthernet0/0/2
    undo portswitch
    ip address 192.168.3.2 255.255.255.0

    ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
    ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
    ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.3.2

    return
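The policy group on RouterC only yields working tunnels if, for every entry of policy1, the branch reached through that entry's ike-peer defines the exact mirror of the hub ACL (source and destination swapped); a mismatch makes the IPSec negotiation fail or leaves part of the traffic outside the tunnel. The Python check below is an added example, not part of this Huawei document: it parses the relevant stanzas of the configuration files above (samples constructed from them, keyed by the branch's public address) and reports every hub policy entry whose branch ACL does not mirror it.

```python
import re
# Constructed sample: only the stanzas the check needs, taken from the RouterC configuration file above.
HUB_CFG = """\
acl number 3002
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer rut1
 remote-address 60.1.1.1
ike peer rut2
 remote-address 60.1.2.1
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
ipsec policy policy1 11 isakmp
 security acl 3003
 ike-peer rut2
"""
# Branch ACL stanzas (RouterA, RouterB), keyed by the public address the hub's ike-peer dials.
SPOKE_CFGS = {
    "60.1.1.1": "acl number 3002\n rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255\n",
    "60.1.2.1": "acl number 3002\n rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255\n",
}

def parse(cfg):
    """Collect ACL flows as {(src, dst)}, IKE peer remote addresses and IPSec policy entries."""
    acls, peers, policies, cur = {}, {}, [], None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["acl"]: cur, acls[w[2]] = w[2], set()              # acl number N
        elif w[:2] == ["ike", "peer"]: cur = w[2]                       # ike peer NAME
        elif w[:2] == ["ipsec", "policy"]: policies.append({"seq": w[3]})
        elif (m := re.search(r"source (\S+ \S+) destination (\S+ \S+)", line)): acls[cur].add(m.groups())
        elif w[:1] == ["remote-address"]: peers[cur] = w[1]
        elif w[:1] == ["security"]: policies[-1]["acl"] = w[2]          # security acl N
        elif w[:1] == ["ike-peer"]: policies[-1]["peer"] = w[1]
    return acls, peers, policies

def check_policy_group(hub_cfg, spoke_cfgs):
    """Return findings; empty means every hub entry is mirrored (src/dst swapped) by its branch ACL."""
    acls, peers, policies = parse(hub_cfg)
    findings = []
    for p in policies:
        addr = peers.get(p.get("peer"))                                 # remote-address of the entry's ike-peer
        spoke_flows = set().union(*parse(spoke_cfgs.get(addr, ""))[0].values())
        mirrored = {(dst, src) for src, dst in acls.get(p.get("acl"), ())}
        if not mirrored or not mirrored <= spoke_flows:
            findings.append(f"seq {p['seq']}: spoke {addr} does not mirror hub ACL {p.get('acl')}")
    return findings
```

Run it against the real configuration files (display current-configuration on each router) before bringing the tunnels up; an empty list is the expected result for the configuration in this example.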

Related Resources

Video: Configuring the headquarters to establish IPSec tunnels with multiple branches
