IPSec配置模板方式配置思路

配置模板方式配置思路

ike peer fw2
 exchange-mode aggressive  修改模式为野蛮

其它部分同主模式
注意: 野蛮模式也必须指定remote-address , 必须配置远端地址或者域名 华为不建议野蛮模式,推荐使用模板方式

[FW1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer fw2
Error: ike peer‘s remote addresses or domain name should be configed.

第一步:基本配置

FW1防火墙的配置

#
 sysname FW1
#
interface GigabitEthernet0/0/0
 ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
 service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

FW2路由器的配置

#
 sysname FW2
#
interface GigabitEthernet0/0/0
 ip address 101.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

internet的配置

#
interface GigabitEthernet0/0/0
 ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 101.1.1.254 255.255.255.0
#

检查如下:
检查FW1和PC1的通信

<FW1>ping 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/50/60 ms

检查FW2和PC2的通信

[FW2]ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 32/46/53 ms

检查FW1和FW2的通信

<FW1>ping 101.1.1.1
  PING 101.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
    Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 101.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/28/40 ms

检查PC1和PC2的通信

PC>ping  192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

第二步:IPSEC 阶段一配置

IKE安全提议

在FW1和FW2分别配置如下

ike proposal 10       注意:安全提议是有默认配置,可以修改
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256       IKEv1中不用这个参数 IKEv2中使用这个参数
 prf hmac-sha2-256
#

检查:

[FW1]display ike proposal
2020-03-14 14:25:22.420 

Number of IKE Proposals: 2

-------------------------------------------
 IKE Proposal: 10
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA2-256
   Encryption Algorithm       : AES-256
   Diffie-Hellman Group       : MODP-2048
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256
   Prf Algorithm              : HMAC-SHA2-256
-------------------------------------------

配置IKE对等体(PEER)

FW1配置 注意: 模板方式不需要配置remote-address 也可以配置网段,也可以不配置

ike peer fw2  -----------取名
 pre-shared-key  [email protected]如果采用预共享方式,配置密钥
 ike-proposal 10 -----------------------------调用安全提议
 undo version 2-------------------------------关闭V2版本,默认就是V2版本

FW2配置

ike peer fw1
 pre-shared-key [email protected]
 ike-proposal 10
 undo version 2
 remote-address 202.1.1.1

检查如下:

[FW1]display ike peer brief
2020-03-14 14:31:19.910 

Current ike peer number: 1

---------------------------------------------------------------------------
Peer name        Version  Exchange-mode   Proposal   Id-type   RemoteAddr
---------------------------------------------------------------------------
fw2              v1       main            10         IP        

第三步:IPSEC阶段二配置

配置感兴趣流(就是实际通信点)

FW1:
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 

FW2
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 

注意:IKEV1感兴趣流要互为镜像,必须是相互匹配的,不是包含或者不一样的,都不能协商成功

IPSEC安全提议

在FW1和FW2配置

ipsec proposal 10
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

检查:

[FW1]display ipsec proposal
2020-03-14 14:33:58.850 

Number of proposals: 1

IPSec proposal name: 10
 Encapsulation mode: Tunnel
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256
                     Encryption AES-256
[FW1]

配置IPSEC安全策略

FW1

#
ipsec policy-template 10 10     第一个10是名称   第二个10是序号
 security acl 3000-----------------------调用感兴趣流
 ike-peer fw2---------------------------调用IKE PEER
 proposal 10---------------------------调用IPSEC安全
#
ipsec policy ipsec_policy 10 isakmp template 10

FW2

ipsec policy ipsec_policy 10 isakmp          后面接isakmp的话是自动方式
 security acl 3000  -----------------------调用感兴趣流
 ike-peer fw1 ---------------------------调用IKE PEER
 alias ipsec_policy_10
 proposal 10  ---------------------------调用IPSEC安全

物理接口调用

在FW1和FW2上配置

interface GigabitEthernet0/0/0
 ipsec policy ipsec_policy 

放行安全策略

FW1的配置

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#

FW2的配置

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
#

测试如下

默认如果没有配置 auto-neg ,需要手动触发(触发感兴趣流)

[FW1]display ike sa                 检查IKE SA,阶段一的问题
2020-03-14 14:46:10.170 

IKE SA information :
 Conn-ID    Peer         ***              Flag(s)               Phase  RemoteType  RemoteID
------------------------------------------------------------------------------------------------------------------------------------
 2     101.1.1.1:500                     RD|ST|A               v1:2   IP          101.1.1.1
 1     101.1.1.1:500                     RD|ST|A               v1:1   IP          101.1.1.1       

  Number of IKE SA : 2
--------------------------------------------------------------------------------------------

 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

查看IPsec SA信息

[FW1]display ipsec sa
2020-03-14 15:16:47.650 

ipsec sa information:

===============================
Interface: GigabitEthernet0/0/0
===============================

  -----------------------------
  IPSec policy name: "ipsec_policy"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : Template
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 11m 51s
    Tunnel local      : 202.1.1.1:500
    Tunnel remote     : 101.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 190568358 (0xb5bd7a6)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/2889
      Max sent sequence-number: 7
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 6/360

    [Inbound ESP SAs]
      SPI: 194468180 (0xb975954)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/2889
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 4/240
      Anti-replay : Enable
      Anti-replay window size: 1024
[FW1]

查看加密解密信息

[FW1]display ipsec statistics
2020-03-14 15:17:20.770
 IPSec statistics information:
 Number of IPSec tunnels: 1
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 4/6
   input/output security bytes: 240/360
   input/output dropped security packets: 0/5
   the encrypt packet statistics:
     send chip: 6, recv chip: 6, send err: 0
     local cpu: 6, other cpu: 0, recv other cpu: 0
     intact packet: 6, first slice: 0, after slice: 0
   the decrypt packet statistics:
     send chip: 4, recv chip: 4, send err: 0
     local cpu: 4, other cpu: 0, recv other cpu: 0
     reass  first slice: 0, after slice: 0
   dropped security packet detail:
     can not find SA: 0, wrong SA: 0
     authentication: 0, replay: 0
     front recheck: 0, after recheck: 0
     change cpu enc: 0, dec change cpu: 0
     fib search: 0, output l3: 0
     flow err: 5, slice err: 0, byte limit: 0
     slave drop: 0
   negotiate about packet statistics:
     IKE fwd packet ok: 5, err: 0
     IKE ctrl packet inbound ok: 5, outbound ok: 4
     SoftExpr: 0, HardExpr: 0, DPDOper: 0
     trigger ok: 0, switch sa: 1, sync sa: 0
     recv IKE nat keepalive: 0, IKE input: 0

[FW1]

注意:如果对接华为路由器的话

ipsec proposal 10
 esp authentication-algorithm sha1 --------注意路由器VS FW,ESP认证算法采用SHA1
 esp encryption-algorithm aes-128

原文地址:https://blog.51cto.com/13817711/2480555

时间: 2024-10-08 06:10:17

IPSec配置模板方式配置思路的相关文章

模板方式配置多站点思路

模板方式配置多站点思路 第一步:基本配置 FW1防火墙的配置 # sysname FW1 # interface GigabitEthernet0/0/0 ip address 202.1.1.1 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/0 ip address 192.168.1.254 255.255.255.0 service-manage ping permit # ip route-

【转】Entity Framework 6 Code First 实践系列(1):实体类配置-根据依赖配置关系和关联

本文转自:http://www.cnblogs.com/easygame/p/3622893.html EF实体类的配置可以使用数据注释或Fluent API两种方式配置,Fluent API配置的关键在于搞清实体类的依赖关系,按此方法配置,快速高效合理.为了方便理解,我们使用简化的实体A和B以及A.B的配置类AMap和BMap,来演示如何正确配置实体类关系的过程. public class A { public int Id { get; set; } } public class B { p

ASA8.2版本及以下ipsec隧道配置模板

配置模板: interface e0/0 nameif inside security-level 100 ip address x.x.x.x 255.255.255.0(修改为本地内网 IP 及掩码 ) ! interface e0/1 nameif outside security-level 0 ip address x.x.x.x 255.255.255.248 (修改为本地公网 IP 及掩码 ) ! interface Ethernet0/2 ! interface Ethernet

arcgis api for js入门开发系列二十一气泡窗口信息动态配置模板

前面地图查询篇实现图层查询query功能,但是查询结果的气泡窗口展示信息是在代码写死绑定图层的字段来的,比如name属性字段对应的值.但是这种实现方式很不灵活,对于图层字段不变的情况下或者多个图层字段名称都是一致情况下,还好,代码也不用变动:要是图层字段新增或者删除以及多个图层的字段不一致情况下,每次改动,查询结果的js代码也要对应的修改,对于维护来说,挺不方便的.所以,本篇优化一下气泡窗口的信息模板,采取动态可配置化图层字段方式,在配置文件里面配置好图层需要展示的字段模板,比如在mapconf

AEAI Portal-虚拟菜单方式配置SSO界面集成

1.前言 一般情况下虚拟菜单集成方式:先创建虚拟菜单节点,然后配置虚拟菜单的数据URL,同时指定显示页面,在显示页面中添加虚拟IframePortlet.而且:通常情况虚拟菜单是要依赖CAS认证的. 在本文中虚拟菜单集成方式,不依赖CAS认证,而是依赖于表单认证模式.主要区别是在于,显示页面配置的不再是虚拟IframePortlet,而是配置SSO界面集成Portlet (SSORedirectPortlet),具体如下. 2.虚拟菜单配置 2.1  流程机制说明 虚拟菜单配置包括虚拟菜单目录及

java web学习总结(二十一) -------------------模拟Servlet3.0使用注解的方式配置Servlet

一.Servlet的传统配置方式 在JavaWeb开发中, 每次编写一个Servlet都需要在web.xml文件中进行配置,如下所示: 1 <servlet> 2 <servlet-name>ActionServlet</servlet-name> 3 <servlet-class>me.gacl.web.controller.ActionServlet</servlet-class> 4 </servlet> 5 6 <ser

IPsec VPN原理与配置 【Route&ASA】

IPsec VPN原理与配置 简单的了解一些VPN的理论知识: 1.VPN的连接模式 VPN技术有两种传输模式:隧道模式和传输模式.这两种模式定义了两台实体设备之间传输数据时所采用的不同封装过程. (1)传输模式 传输模式一个最显著的特点就是:在传输过程中,包头并没有被封装进去,意思是从源端到目的端始终使用原有的IP地址进行通信.而传输的实际数据被封装在VPN报文中. (2)隧道模式 与传输模式的区别显而易见,VPN设备将整个三层数据报文封装在VPN数据内,再为封装过后的数据报文添加新的IP包头

JavaWeb学习总结(四十八)——模拟Servlet3.0使用注解的方式配置Servlet

JavaWeb学习总结(四十八)——模拟Servlet3.0使用注解的方式配置Servlet 一.Servlet的传统配置方式 在JavaWeb开发中, 每次编写一个Servlet都需要在web.xml文件中进行配置,如下所示: 1 <servlet> 2 <servlet-name>ActionServlet</servlet-name> 3 <servlet-class>me.gacl.web.controller.ActionServlet</s

Linux:Vmware安装linux虚拟机,桥接方式配置静态IP后重启网卡,提示:Error,some other host already uses address 10.252.252.21...

问题: Vmware安装linux虚拟机,桥接方式配置静态IP后重启网卡,提示:Error,some other host already uses address 10.252.252.21... 思路: 网上查找资料,得到解决方案如下: 编辑 /etc/sysconfig/network-scripts/ifup-eth, 将 (注:RHEL5.3 )if ! arping -q -c 2 -w 3 -D -I ${REALDEVICE} ${IPADDR} ; thenecho $”Err