Building an IPSec tunnel between a Huawei firewall and a FortiGate firewall to connect two LANs

2022-05-02     IT狂人日誌

I have previously written about configuring IPSec between a headquarters and two branches on three Huawei firewalls; since all three were the same brand, the configuration was relatively simple.

In today's case the branch uses a FortiGate firewall whose uplink is a China Telecom PPPoE dial-up broadband line with no fixed public IP, while the headquarters uses a Huawei firewall with a fixed public IP.

I. Customer requirements

The Huawei firewall is the headquarters' enterprise gateway and establishes an IPSec tunnel with the branch's FortiGate firewall using a policy template. Because the FortiGate's egress public address is not fixed, only the branch can initiate the negotiation that brings the tunnel up; the headquarters cannot initiate it.

The IPSec parameter plan is shown in the following figure:

II. Configuration procedure

1. Huawei firewall configuration

The Huawei firewall uses a template-based IPSec policy, which does not require the peer IP address to be fixed. However many branches there are, headquarters needs only one IPSec policy and one IKE peer, so the configuration is simple. With a regular (non-template) IPSec policy, N branches would require N IPSec policies and N IKE peers at headquarters, which is considerably more complex.

(1) Configure the interfaces and add them to the appropriate security zones.

Configure interface GE1/0/3 and add it to the untrust zone.

[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 222.xx.xx.50 29
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit

Configure interface GE1/0/5 and add it to the trust zone.

[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.160.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit

(2) Configure security policies.

Configure the security policies between untrust and trust.

Rule 1 allows the branch to access headquarters; rule 2 allows headquarters to access the branch.

[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.60.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.160.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.160.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.60.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit

(3) Configure the security policies between local and untrust.

Rule 3 allows the Huawei firewall to initiate IPSec tunnel establishment; rule 4 allows the Huawei firewall to accept IPSec tunnel establishment requests. The source and destination IP addresses are the public egress addresses of the two ends.

[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 222.xx.xx.50 29
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] destination-address 222.xx.xx.50 29
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
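The four zone-pair rules above, as an added example that is not code from the post: a small Python model that applies the Huawei rules first-match and falls through to the firewall's default deny. It assumes nothing beyond the post's own addresses, except that 222.xx.xx.50 is elided on the page, so the documentation prefix 203.0.113.50/29 stands in for it, and 198.51.100.7 is a constructed stand-in for whatever PPPoE address the branch currently holds. Running it shows why rule 4 has to leave the source open (the branch address is not known in advance) while an unrelated Internet host aimed at the HQ LAN still hits the default deny.

```python
import ipaddress

# Added example: the four security-policy rules from the post, in the order entered.
# None means "any". 203.0.113.50/29 is a placeholder for the elided 222.xx.xx.50 /29.
HQ_PUBLIC = "203.0.113.50/29"
RULES = [
    {"name": "1", "src_zone": "untrust", "dst_zone": "trust",
     "src": "192.168.60.0/24", "dst": "192.168.160.0/24", "action": "permit"},
    {"name": "2", "src_zone": "trust", "dst_zone": "untrust",
     "src": "192.168.160.0/24", "dst": "192.168.60.0/24", "action": "permit"},
    {"name": "3", "src_zone": "local", "dst_zone": "untrust",
     "src": HQ_PUBLIC, "dst": None, "action": "permit"},
    {"name": "4", "src_zone": "untrust", "dst_zone": "local",
     "src": None, "dst": HQ_PUBLIC, "action": "permit"},
]


def _matches(prefix, addr):
    """A rule field of None matches anything; otherwise the address must lie in the prefix."""
    if prefix is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def evaluate(src_zone, dst_zone, src_ip, dst_ip, rules=RULES):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                and _matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip)):
            return rule["action"], rule["name"]
    return "deny", "default"


# Constructed flows. 198.51.100.7 plays the branch's current (dynamic) PPPoE address;
# traffic addressed to the firewall's own public IP terminates in the "local" zone.
SCENARIOS = [
    ("IKE from the branch to HQ", "untrust", "local", "198.51.100.7", "203.0.113.50"),
    ("decrypted branch LAN -> HQ LAN", "untrust", "trust", "192.168.60.20", "192.168.160.20"),
    ("HQ LAN -> branch LAN", "trust", "untrust", "192.168.160.20", "192.168.60.20"),
    ("unrelated Internet host -> HQ LAN", "untrust", "trust", "198.51.100.7", "192.168.160.20"),
]

if __name__ == "__main__":
    for label, *flow in SCENARIOS:
        print(f"{label:36} -> {evaluate(*flow)}")
```

Note that rules 1 and 2 are what keep the HQ side narrow: only the two LAN prefixes cross between untrust and trust, whereas rule 4, the one the branch's IKE packets hit, can only be narrowed on the destination side because the initiator's address changes with every PPPoE session.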

(4) Configure routing.

Configure the default route to the Internet.

[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 222.xx.xx.49

(5) Configure the ACL.

Packets from source 192.168.160.0/24 to destination 192.168.60.0/24 must be carried over the IPSec tunnel.

[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit

(6) Configure the IKE SA.

Configure the IKE proposal, specifying the encryption algorithm, authentication algorithm and DH group.

[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit

Configure the IKE peer, specifying the negotiation mode, IKE version and pre-shared key.

[HUAWEI] ike peer fortigate
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] ike-proposal 1
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@hcit333
[HUAWEI-ike-peer-fortigate] quit

(7) Configure the IPSec proposal, specifying the encapsulation mode, security protocol, encryption algorithm and authentication algorithm.

[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit

(8) Configure the policy template and the IPSec policy, binding the IKE peer, IPSec proposal and ACL. The ipsec policy command that references the template is entered in system view, after leaving the template view.

[HUAWEI] ipsec policy-template tem 1
[HUAWEI-ipsec-policy-template-tem-1] security acl 3000
[HUAWEI-ipsec-policy-template-tem-1] proposal tran1
[HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate
[HUAWEI-ipsec-policy-template-tem-1] quit
[HUAWEI] ipsec policy map1 1 isakmp template tem

(9) Apply the IPSec policy to the interface.

[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/3] quit

2. FortiGate firewall configuration

(1) Configure the interfaces.

Configure the PPPoE broadband connection on interface port03.

Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set mode pppoe
Fortigate (port03) # set username xxxxxx
Fortigate (port03) # set password xxxxxx
Fortigate (port03) # set distance 5
Fortigate (port03) # set dns-server-override enable
Fortigate (port03) # end

* Note the administrative distance: an interface with a fixed IP uses a distance of 10, while a PPPoE dial-up interface uses a distance of 5.

Configure interface port10.

Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.60.1/24
Fortigate (port10) # set allowaccess ping https telnet
Fortigate (port10) # end

(2) Configure the IKE SA (phase 1), specifying its name, the bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address and DH group.

Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@hcit333
Fortigate (firewall) # set remote-gw 222.xx.xx.50
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end

(3) Configure the IPSec SA (phase 2), specifying its name, the bound IKE SA, encryption algorithm, authentication algorithm and DH group.

Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.160.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.60.0 255.255.255.0
Fortigate (firewall) # end

(4) Add the tunnel interface to the untrust zone.

Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end

(5) Configure firewall policies.

Configure the policies between port03 and port10.

Policy 66 ensures headquarters can reach the branch normally.

Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end

Policy 99 ensures the branch can reach headquarters.

Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end

Configure the policies between untrust and port10, that is, between the tunnel interface and port10.

Policy 96 ensures traffic arriving through the tunnel interface can enter the branch LAN.

Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end

Policy 76 ensures traffic from the branch LAN can pass out through the tunnel interface.

Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end

(6) Configure routing.

Configure a static route that steers traffic for the headquarters LAN into the tunnel interface.

Fortigate # config route static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.160.0 255.255.255.0
Fortigate (76) # end

III. Verifying the configuration

Log in to the Huawei firewall's web interface and check whether the IPSec tunnel is up.

If the tunnel comes up and the two LANs can reach each other, the configuration is correct. If the tunnel will not come up, the parameters on the two ends most likely differ; compare them carefully. If the tunnel is up but the two LANs cannot reach each other, check that the security policies and routing are correct.
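Since a parameter mismatch is the usual reason a tunnel will not come up, here is an added Python checker (not part of the post or either vendor's tooling) that models both ends' IKE and IPSec settings as listed in steps (5) to (8) on the Huawei side and (2) to (3) on the FortiGate side, converts the Huawei ACL wildcard masks and the FortiGate netmasks to a common form, verifies that the traffic selectors mirror each other, and reports any drift. It also flags 3DES, SHA-1 and DH group 2, which the post uses, as algorithms that are no longer recommended. The HQ public address is elided on the page, so 203.0.113.50 is a placeholder; the pre-shared key is the one shown in the post.

```python
import copy
import ipaddress

# Added example: both ends' settings as listed in the post, modelled as dicts.
# 203.0.113.50 is a placeholder for the elided 222.xx.xx.50.
HUAWEI = {
    "ike": {"exchange-mode": "main", "encryption": "3des", "auth": "sha1",
            "dh": "group2", "pre-shared-key": "Key@hcit333"},
    "ipsec": {"encapsulation-mode": "tunnel", "encryption": "3des", "auth": "sha1",
              "pfs": None},  # the post configures no pfs on the Huawei template
    "acl": "rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255",
    "public-ip": "203.0.113.50",
}
FORTIGATE = {
    "phase1": {"mode": "main", "proposal": "3des-sha1", "dhgrp": "2",
               "psksecret": "Key@hcit333", "remote-gw": "203.0.113.50"},
    "phase2": {"proposal": "3des-sha1", "dhgrp": "2",
               "src-subnet": "192.168.60.0 255.255.255.0",
               "dst-subnet": "192.168.160.0 255.255.255.0"},
}
# Algorithms and DH groups that are no longer recommended (the post uses several).
WEAK = {"des", "3des", "md5", "sha1", "1", "2", "5"}


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (0 bit = must match); invert to a normal netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_huawei_acl(rule):
    """Return (source, destination) networks of an advanced ACL 'rule permit ip ...' line."""
    t = rule.split()
    s, d = t.index("source"), t.index("destination")
    return wildcard_to_network(t[s + 1], t[s + 2]), wildcard_to_network(t[d + 1], t[d + 2])


def parse_forti_subnet(text):
    """FortiGate writes phase 2 selectors as 'address netmask'."""
    addr, netmask = text.split()
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def compare(huawei, forti):
    """Return (mismatches, warnings); an empty mismatch list means both ends agree."""
    mismatches, warnings = [], []
    ike, p1, p2 = huawei["ike"], forti["phase1"], forti["phase2"]
    p1_enc, p1_auth = p1["proposal"].split("-", 1)  # FortiGate joins enc-auth with a dash
    p2_enc, p2_auth = p2["proposal"].split("-", 1)
    checks = [
        ("IKE exchange mode", ike["exchange-mode"], p1["mode"]),
        ("IKE encryption", ike["encryption"], p1_enc),
        ("IKE authentication", ike["auth"], p1_auth),
        ("IKE DH group", ike["dh"].replace("group", ""), p1["dhgrp"]),
        ("pre-shared key", ike["pre-shared-key"], p1["psksecret"]),
        ("HQ public IP vs remote-gw", huawei["public-ip"], p1["remote-gw"]),
        ("ESP encryption", huawei["ipsec"]["encryption"], p2_enc),
        ("ESP authentication", huawei["ipsec"]["auth"], p2_auth),
    ]
    for name, hw, fg in checks:
        if hw.lower() != fg.lower():
            mismatches.append(f"{name}: Huawei={hw} FortiGate={fg}")
    # Selectors must mirror: Huawei ACL source == FortiGate dst-subnet and vice versa.
    acl_src, acl_dst = parse_huawei_acl(huawei["acl"])
    if (acl_src != parse_forti_subnet(p2["dst-subnet"])
            or acl_dst != parse_forti_subnet(p2["src-subnet"])):
        mismatches.append(f"selectors: Huawei ACL {acl_src}->{acl_dst} does not mirror FortiGate phase2")
    if huawei["ipsec"]["pfs"] is None and p2.get("dhgrp"):
        warnings.append("FortiGate phase2 sets dhgrp (PFS) but the Huawei template sets no pfs; verify PFS on both ends")
    for label, alg in (("IKE encryption", ike["encryption"]), ("IKE authentication", ike["auth"]),
                       ("DH group", ike["dh"].replace("group", "")),
                       ("ESP encryption", huawei["ipsec"]["encryption"]),
                       ("ESP authentication", huawei["ipsec"]["auth"])):
        if alg.lower() in WEAK:
            warnings.append(f"{label} '{alg}' is weak; prefer AES-256 or AES-GCM, SHA-256 and DH group 14 or higher")
    return mismatches, warnings


def with_override(cfg, section, key, value):
    """Copy a config dict with one setting changed, to show how drift is reported."""
    changed = copy.deepcopy(cfg)
    changed[section][key] = value
    return changed


if __name__ == "__main__":
    mismatches, warnings = compare(HUAWEI, FORTIGATE)
    print("mismatches:", mismatches or "none")
    for line in warnings:
        print("warning:", line)
    print(compare(HUAWEI, with_override(FORTIGATE, "phase1", "dhgrp", "14"))[0])
```

The checker compares only what the post configures. PFS is reported as a warning rather than a mismatch because the Huawei template sets no pfs while the FortiGate phase 2 carries dhgrp 2; whether the responder accepts the initiator's PFS group should be confirmed on the actual units rather than assumed.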

Source: https://twgreatdaily.com/zh-hk/7febcb03191e6ecd5173a69ac130f820.html