1、华为USG系列IPSECVPN实施经验总结一、网络环境介绍在清江酒店的USG防火墙调试IPSEC VPN的时候发现官方的配置手册有些问题,所以详细整理下实施过程出现的问题与解决方法。网络情况简介:清江酒店总部设在,等地有10个分支机构,只有总部可以确认为固定IP,分支机构无法确认,有的固定,有的用ADSL。本案例用2个分支介绍。了解了客户的根本网络状况后开始跟客户商量设计调试方案,选用IPSEC野蛮模式组网。在实施过程中发现以下问题:1、配置手册中IPSEC VPN配置实例不完善,NAT局部没有写要阻止VPN之间的数据访问做NAT转换,导致配置的时候不知道问题出在哪,在NAT中完善了转换策略后
2、,问题解决。2、因为野蛮模式配置是用ike local-name进展验证的,初步在IKE协商参数配置中参加了remote-name这项,配置完成后IPSEC VPN建立成功,分支和总部用网IP可以直接访问,第二天总部防火墙重启了一次后VPN怎么都建立不起来,打400后发现在IKE协商参数配置中使用了remote-name出现问题,导致VPN连接不上,去掉remote-name后问题解决。二、配置过程详细介绍下面详细介绍下配置过程,总部网用的172.16.1.0/24网段,其它分支采用192.168.X.X/24网段。防火墙的软件版本都是V100R005。一总部配置1、配置本地IKE本地用户名i
3、ke local-name qndc2、配置ACLacl number 3001 创建序号3001的高级访问控制列表rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255总部到分支1的网网段VPN触发策略rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255总部到分支2的网网段VPN触发策略3、配置IKE安全提议ike proposal 10 创建名称为10的IKE安全提议authentic
4、ation-algorithm md5 选择加密的算法为md54、配置IKE PEERike peer a 创建名称为a的IKE PEER exchange-mode aggressive 模式选择野蛮模式 pre-shared-key 123456 IKE协商的密钥为123456 ike-proposal 10 绑定IKE安全提议 undo version 2 选择V1的版本 local-id-type name 使用野蛮模式的IKE local-name验证 nat traversal 打开NAT穿越5、创建IPSEC安全提议ipsec proposal tran1 创建名称为tran1的
5、IPSEC安全提议 esp authentication-algorithm sha1 选择安全算法为哈希算法sha16、配置IPSEC安全策略模板ipsec policy-template map 1 创建名称为map的策略模板 security acl 3001 绑定触发ACL ike-peer a 选择前面创建的 ike-peer a proposal tran1 选择前面创建的IPSEC安全提议tran17、创建IPSEC安全策略ipsec policy map1 1 isakmp template map 创建名称为map1的IPSEC安全策略绑定map策略模板8、在外网接口上应用I
6、PSEC安全策略interface Ethernet0/0/0 ip address 119.97.240.106 255.255.255.248 ipsec policy map1 应用map1的IPSEC VPN策略9、配置目的地址为192.168.X.X/16网段不做NAT转换;这步不配的话网数据直接做NAT转换了,不会通过VPN隧道,那么前面的配置就白做了。nat-policy interzone trust untrust outbound 进入NAT配置视图 policy 1 策略1这是优先级,数字越小越优先 action no-nat 不做NAT转换 policy destina
7、tion 192.168.0.0 0.0.255.255 目的地址为192.168.0.0/16不做NAT转换 policy 2 策略2 action source-nat 基于源地址的转换 policy source 172.16.1.0 0.0.0.255 源地址为172.16.1.0/24做NAT转换 easy-ip Ethernet0/0/0 转换的外网地址为Ethernet0/0/0的接口地址# 一定要注意策略的优先级,反了就没有作用了。二分之机构配置 分之机构1的配置详解1、配置本地IKE本地用户名ike local-name fenzhi1 2、配置ACLacl number 3
8、001 创建序号3001的高级访问控制列表rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255分之1到总部网网段的VPN触发策略3、配置IKE安全提议ike proposal 10 创建名称为10的IKE安全提议authentication-algorithm md5 选择加密的算法为md54、配置IKE PEERike peer a 创建名称为a的IKE PEER exchange-mode aggressive 模式选择野蛮模式 pre-shared-key 123456 IKE协商的密
9、钥为123456 ike-proposal 10 绑定IKE安全提议 undo version 2 选择V1的版本 local-id-type name 使用野蛮模式的IKE local-name验证remote-address 119.97.240.106 总部的外网地址 nat traversal 打开NAT穿越5、创建IPSEC安全提议ipsec proposal tran1 创建名称为tran1的IPSEC安全提议 esp authentication-algorithm sha1 选择安全算法为哈希算法sha16、配置IPSEC安全策略ipsec policy map1 10 isa
10、kmp 创建名称为map1的策略 security acl 3001 绑定触发ACL ike-peer a 选择前面创建的 ike-peer a proposal tran1 选择前面创建的IPSEC安全提议tran17、在外网接口上应用IPSEC安全策略interface Ethernet0/0/0 ip address 59.175.185.126 255.255.255.0 ipsec policy map1 应用map1的IPSEC VPN策略8、NAT策略配置。nat-policy interzone trust untrust outbound 进入NAT配置视图 policy 1
11、 策略1这是优先级,数字越小越优先 action no-nat 不做NAT转换 policy destination 172.16.0.0 0.0.255.255 目的地址为172.16.0.0/16不做NAT转换 policy 2 策略2 action source-nat 基于源地址的转换 policy source 192.168.1.0 0.0.0.255 源地址为192.168.1.0/24做NAT转换 easy-ip Ethernet0/0/0 转换的外网地址为Ethernet0/0/0的接口地址#分之2的配置参照分之1, ACL源地址改本钱地网网段,IKE本地名称重新命名;其它主
12、要VPN主要配置都一样三配置总结总部和分之的配置区别在于,总部采用IPSEC安全策略模板绑定到外网接口,分之机构使用安全策略。完成所有配置后使用可以display ike sa、display ipsec sa 查看ike安全联盟状态和ipsec安全联盟状态;有这些信息就代表ipsec vpn连接成功。 三、详细配置文档现网成功稳定运行配置文档1、总部的配置文档#ike local-name qndc# firewall packet-filter default permit interzone local trust direction inbound firewall packet-fi
13、lter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound fi
14、rewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direct
15、ion inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound#acl number 3001 rule 5 permit ip source 172.16.1.0 0.0
16、.0.255 destination 192.168.1.0 0.0.0.255 rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 #ike proposal 10 authentication-algorithm md5#ike peer a exchange-mode aggressive pre-shared-key 123456 ike-proposal 10 undo version 2 local-id-type namenat traversal#ipsec propos
17、al tran1 esp authentication-algorithm sha1#ipsec policy-template map 1 security acl 3001 ike-peer a proposal tran1#ipsec policy map1 1 isakmp template map# interface Vlanif1 ip address 172.16.1.1 255.255.255.0#interface Cellular5/0/0 link-protocol ppp#interface Ethernet0/0/0 ip address 119.97.240.10
18、6 255.255.255.248 ipsec policy map1#interface Ethernet1/0/0 portswitch port link-type access#interface Ethernet1/0/1 portswitch port link-type access#interface Ethernet1/0/2 portswitch port link-type access#interface Ethernet1/0/3 portswitch port link-type access#interface Ethernet1/0/4 portswitch p
19、ort link-type access#interface Ethernet1/0/5 portswitch port link-type access#interface Ethernet1/0/6 portswitch port link-type access#interface Ethernet1/0/7 portswitch port link-type access#interface NULL0 #firewall zone local set priority 100#firewall zone trust set priority 85 add interface Ethe
20、rnet1/0/0 add interface Ethernet1/0/1 add interface Ethernet1/0/2 add interface Ethernet1/0/3 add interface Ethernet1/0/4 add interface Ethernet1/0/5 add interface Ethernet1/0/6 add interface Ethernet1/0/7 add interface Vlanif1#firewall zone untrust set priority 5 add interface Ethernet0/0/0#ip rout
21、e-static 0.0.0.0 0.0.0.0 119.97.240.105# nat-policy interzone trust untrust outbound policy 1 action no-nat policy destination 182.168.0.0 0.0.255.255 policy 2 action source-nat policy source 172.16.1.0 0.0.0.255 easy-ip Ethernet0/0/0#2、分之1的配置# ike local-name fenzhi-1# firewall packet-filter default
22、 permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall pac
23、ket-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outboun
24、d firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust directi
25、on outbound#l2fwdfast enable#acl number 3001 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255#ike proposal 10 authentication-algorithm md5#ike peer a exchange-mode aggressive pre-shared-key 123456 ike-proposal 10 undo version 2 local-id-type name remote-address 119.97.2
26、40.106 nat traversal#ipsec proposal tran1 esp authentication-algorithm sha1#ipsec policy map1 10 isakmp security acl 3001 ike-peer a proposal tran1 #interface Vlanif1 ip address 192.168.1.1 255.255.255.0#interface Cellular5/0/0 link-protocol ppp#interface Ethernet0/0/0 ip address 59.175.185.126 255.
27、255.255.0 ipsec policy map1#interface Ethernet1/0/0 portswitch port link-type access#interface Ethernet1/0/1 portswitch port link-type access #interface Ethernet1/0/2 portswitch port link-type access#interface Ethernet1/0/3 portswitch port link-type access#interface Ethernet1/0/4 portswitch port lin
28、k-type access#interface Ethernet1/0/5 portswitch port link-type access#interface Ethernet1/0/6 portswitch port link-type access#interface Ethernet1/0/7 portswitch port link-type access#interface Ethernet2/0/0#interface NULL0#firewall zone local set priority 100#firewall zone trust set priority 85 de
29、tect ftp add interface Ethernet1/0/0 add interface Ethernet1/0/1 add interface Ethernet1/0/2 add interface Ethernet1/0/3 add interface Ethernet1/0/4 add interface Ethernet1/0/5 add interface Ethernet1/0/6 add interface Ethernet1/0/7 add interface Vlanif1#firewall zone untrust set priority 5 detect f
30、tp add interface Ethernet0/0/0 add interface Ethernet2/0/0# ip route-static 0.0.0.0 0.0.0.0 59.175.185.1#nat-policy interzone trust untrust outbound policy 1 action no-nat policy destination 172.16.0.0 0.0.255.255 policy 2 action source-nat policy source 192.168.1.0 0.0.0.255 easy-ip Ethernet0/0/0#3、分之2的配置文档# ike local-name fenzhi-2# firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1
升级会员 