模板方式配置多站点思路

模板方式配置多站点思路

第一步：基本配置

FW1防火墙的配置

#
 sysname FW1
#
interface GigabitEthernet0/0/0
 ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
 service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

FW2路由器的配置

#
 sysname FW2
#
interface GigabitEthernet0/0/0
 ip address 101.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

FW3路由器的配置

#
 sysname FW3
#
interface GigabitEthernet0/0/0
 ip address 60.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

internet的配置

#
interface GigabitEthernet0/0/0
 ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 101.1.1.254 255.255.255.0
#

检查如下：
检查FW1和PC1的通信

<FW1>ping 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/50/60 ms

检查FW2和PC2的通信

[FW2]ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
round-trip min/avg/max = 32/46/53 ms

检查FW3和PC3的通信

[FW3]ping 192.168.3.3
  PING 192.168.3.3: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.3.3: bytes=56 Sequence=2 ttl=128 time=47 ms
    Reply from 192.168.3.3: bytes=56 Sequence=3 ttl=128 time=42 ms
    Reply from 192.168.3.3: bytes=56 Sequence=4 ttl=128 time=36 ms
    Reply from 192.168.3.3: bytes=56 Sequence=5 ttl=128 time=27 ms

  --- 192.168.3.3 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 27/38/47 ms

检查FW1和FW2的通信

<FW1>ping 101.1.1.1
  PING 101.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
    Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 101.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
round-trip min/avg/max = 20/28/40 ms

检查FW1和FW3的通信

[FW1]ping 60.1.1.1
  PING 60.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 60.1.1.1: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 60.1.1.1: bytes=56 Sequence=2 ttl=254 time=11 ms
    Reply from 60.1.1.1: bytes=56 Sequence=3 ttl=254 time=8 ms
    Reply from 60.1.1.1: bytes=56 Sequence=4 ttl=254 time=9 ms
    Reply from 60.1.1.1: bytes=56 Sequence=5 ttl=254 time=8 ms

  --- 60.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 8/10/15 ms

检查PC1和PC2的通信

PC>ping  192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

检查PC1和PC3的通信

PC>ping  192.168.3.3

Ping 192.168.3.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.3.3 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

第二步：IPSEC 阶段一配置

IKE安全提议

在FW1和FW2和FW3分别配置如下

ike proposal 10       注意：安全提议是有默认配置，可以修改
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256       IKEv1中不用这个参数 IKEv2中使用这个参数
 prf hmac-sha2-256
#

检查：

[FW1]display ike proposal
2020-03-14 14:25:22.420 

Number of IKE Proposals: 2

-------------------------------------------
 IKE Proposal: 10
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA2-256
   Encryption Algorithm       : AES-256
   Diffie-Hellman Group       : MODP-2048
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256
   Prf Algorithm              : HMAC-SHA2-256
-------------------------------------------

配置IKE对等体（PEER）

FW1配置 注意: 模板方式不需要配置remote-address 也可以配置网段，也可以不配置

ike peer yuanduan  -----------取名
 pre-shared-key  [email protected]如果采用预共享方式，配置密钥
 ike-proposal 10 -----------------------------调用安全提议
 undo version 2-------------------------------关闭V2版本，默认就是V2版本
FW2和FW3的配置
ike peer fw1
 pre-shared-key [email protected]
 ike-proposal 10
 undo version 2
 remote-address 202.1.1.1

检查如下：

[FW1]display ike peer brief
2020-03-14 14:31:19.910 

Current ike peer number: 1

---------------------------------------------------------------------------
Peer name        Version  Exchange-mode   Proposal   Id-type   RemoteAddr
---------------------------------------------------------------------------
yuanduan              v1       main            10         IP

第三步：IPSEC阶段二配置

配置感兴趣流（就是实际通信点）

FW1:

acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

FW2
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 

FW3
acl number 3000
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 

注意：IKEV1感兴趣流要互为镜像，必须是相互匹配的，不是包含或者不一样的，都不能协商成功

IPSEC安全提议

在FW1和FW2和FW3配置

ipsec proposal 10
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

检查：

[FW1]display ipsec proposal
2020-03-14 14:33:58.850 

Number of proposals: 1

IPSec proposal name: 10
 Encapsulation mode: Tunnel
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256
                     Encryption AES-256
[FW1]

配置IPSEC安全策略

FW1

#
ipsec policy-template 10 10     第一个10是名称   第二个10是序号
 security acl 3000-----------------------调用感兴趣流
 ike-peer fw2---------------------------调用IKE PEER
 proposal 10---------------------------调用IPSEC安全
#
ipsec policy ipsec_policy 10 isakmp template 10

FW2和FW3的配置

ipsec policy ipsec_policy 10 isakmp          后面接isakmp的话是自动方式
 security acl 3000  -----------------------调用感兴趣流
 ike-peer fw1 ---------------------------调用IKE PEER
 alias ipsec_policy_10
 proposal 10  ---------------------------调用IPSEC安全

物理接口调用

在FW1和FW2和FW3上配置

interface GigabitEthernet0/0/0
 ipsec policy ipsec_policy 

放行安全策略

FW1的配置

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
source-address 192.168.3.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#

FW2的配置

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
#

FW3的配置

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.3.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.3.0 mask 255.255.255.0
  action permit
#

测试如下：
在PC2上pingPC1

PC>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

--- 192.168.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/81/94 ms

PC>

在PC3上pingPC1

PC>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=62 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=63 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

--- 192.168.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/71/94 ms

在FW1上面查看ike sa

[FW1]display ike sa
2020-03-15 05:22:58.390 

IKE SA information :
 Conn-ID    Peer        ***              Flag(s)               Phase  RemoteType  RemoteID
------------------------------------------------------------------------------------------------------------------------------------
 2          101.1.1.1:500                RD|A                  v1:2   IP          101.1.1.1
 1          101.1.1.1:500                RD|A                  v1:1   IP          101.1.1.1
 4          60.1.1.1:500                 RD|A                  v1:2   IP          60.1.1.1
 3          60.1.1.1:500                 RD|A                  v1:1   IP          60.1.1.1        

  Number of IKE SA : 4
------------------------------------------------------------------------------------------------------------------------------------

 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

在FW1上面查看ipsec sa

[FW1]display ipsec sa
2020-03-15 05:23:01.660 

ipsec sa information:

===============================
Interface: GigabitEthernet0/0/0
===============================

  -----------------------------
  IPSec policy name: "ipsec_policy"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : Template
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 35m 23s
    Tunnel local      : 202.1.1.1:500
    Tunnel remote     : 101.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 187921672 (0xb337508)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1476
      Max sent sequence-number: 17
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 16/960

    [Inbound ESP SAs]
      SPI: 197430515 (0xbc48cf3)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485759/1476
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 19/1140
      Anti-replay : Enable
      Anti-replay window size: 1024

  -----------------------------
  IPSec policy name: "ipsec_policy"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 10
  Mode             : Template
  -----------------------------
    Connection ID     : 4
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 35m 10s
    Tunnel local      : 202.1.1.1:500
    Tunnel remote     : 60.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.3.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 197283812 (0xbc24fe4)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1489
      Max sent sequence-number: 14
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 13/780

    [Inbound ESP SAs]
      SPI: 187509375 (0xb2d2a7f)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1489
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 14/840
      Anti-replay : Enable
      Anti-replay window size: 1024

在FW1上面查看ipsec加密解密情况

[FW1]display ipsec statistics
2020-03-15 05:23:12.690
 IPSec statistics information:
 Number of IPSec tunnels: 2
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 33/29
   input/output security bytes: 1980/1740
   input/output dropped security packets: 0/0
   the encrypt packet statistics:
     send chip: 29, recv chip: 29, send err: 0
     local cpu: 29, other cpu: 0, recv other cpu: 0
     intact packet: 29, first slice: 0, after slice: 0
   the decrypt packet statistics:
     send chip: 33, recv chip: 33, send err: 0
     local cpu: 33, other cpu: 0, recv other cpu: 0
     reass  first slice: 0, after slice: 0
   dropped security packet detail:
     can not find SA: 0, wrong SA: 0
     authentication: 0, replay: 0
     front recheck: 0, after recheck: 0
     change cpu enc: 0, dec change cpu: 0
     fib search: 0, output l3: 0
     flow err: 0, slice err: 0, byte limit: 0
     slave drop: 0
   negotiate about packet statistics:
     IKE fwd packet ok: 10, err: 0
     IKE ctrl packet inbound ok: 10, outbound ok: 8
     SoftExpr: 0, HardExpr: 0, DPDOper: 0
     trigger ok: 0, switch sa: 2, sync sa: 0
     recv IKE nat keepalive: 0, IKE input: 0

[FW1]

原文地址：https://blog.51cto.com/13817711/2480611