实验拓扑
使用华为ensp 1.2.00.370模拟器
实验需求
USG-1和USG-2模拟企业边缘设备,分别在2台设备上配置NAT和IPsec VPN实现2边私网可以通过VPN互相通信
实验配置
R1 IP地址配置省略
USG-1配置
[USG-1]firewall zone trust //配置trust区域
[USG-1-zone-trust]add interface g0/0/0 //将接口加入trust区域
[USG-1-zone-trust]quit
[USG-1]firewall zone untrust //配置untrust区域
[USG-1-zone-untrust]add int g0/0/1 //将接口加入untrust区域
[USG-1-zone-untrust]quit
[USG-1]int g0/0/0
[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1]quit
[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1 //配置默认路由上公网
[USG-1]nat-policy interzone trust untrust outbound
//进入trust到untrust区域out方向的策略视图
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1 //创建一个策略
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
//以上三条命令意思是不允许将源为192.168.10.0/24网段目标为192.168.20.0/24网段的数据包进行NAT
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2 //创建策略2
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
//允许对源IP进行NAT
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
//对接口G0/0/1地址复用
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit
[USG-1-nat-policy-interzone-trust-untrust-outbound]quit
---------------------------阶段一-----------------------------------------------------
[USG-1]ike proposal 1 //配置一个安全提议
[USG-1-ike-proposal-1]authentication-method pre-share //配置IKE认证方式为预共享密钥
[USG-1-ike-proposal-1]authentication-algorithm sha1 //配置IKE认证算法为sha1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 //配置IKE完整性算法
[USG-1-ike-proposal-1]dh group2 //配置IKE密钥协商DH组
[USG-1-ike-proposal-1]quit
[USG-1]ike peer USG-2 //创建一个IKE对等体名字为USG-2
[USG-1-ike-peer-usg-2]pre-shared-key abc123 //配置预共享密钥
[USG-1-ike-peer-usg-2]remote-address 12.0.0.2 //配置对等体IP地址
[USG-1-ike-peer-usg-2]ike-proposal 1 //调用ike安全提议
[USG-1-ike-peer-usg-2]quit
----------------------------阶段二-----------------------------------------------------
[USG-1]ipsec proposal test //配置一个ipsec安全提议
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel //封装方式采用隧道
[USG-1-ipsec-proposal-test]transform esp //配置IPSEC安全协议为ESP
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes //配置ESP协议加密算法为aes
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 //配置ESP协议认证算法
[USG-1-ipsec-proposal-test]quit
[USG-1]acl 3000 //创建一个ACL定义感兴趣流
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1]ipsec policy map 1 isakmp //创建一个安全策略,名称为map
[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2 //调用ike对等体
[USG-1-ipsec-policy-isakmp-map-1]proposal test //调用IPsec安全提议
[USG-1-ipsec-policy-isakmp-map-1]security acl 3000 //配置感兴趣流
[USG-1-ipsec-policy-isakmp-map-1]quit
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map //在外网口上调用安全策略
区域间策略配置
[USG-1]policy interzone trust untrust outbound .
//进入trust到untrust区域out方向策略视图
[USG-1-policy-interzone-trust-untrust-outbound]policy 1 //创建策略
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
//允许trust区域所有主机访问untrust区域
[USG-1-policy-interzone-trust-untrust-outbound-1]quit
[USG-1-policy-interzone-trust-untrust-outbound]quit
[USG-1]policy interzone trust untrust inbound
//进入trust区域到untrust区域的in方向策略视图
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
//以上命令为允许数据包源地址为192.168.20.0/24网段和目标地址为192.168.10.0/24网段的流量过
[USG-1-policy-interzone-trust-untrust-inbound-1]quit
[USG-1-policy-interzone-trust-untrust-inbound]quit
[USG-1]policy interzone local untrust inbound
//进入local区域到untrust区域的in方向策略视图
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy service service-set esp
[USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
//允许源地址是12.0.0.2目标地址是11.0.0.2的数据包访问esp协议
USG-2配置
[USG-2]firewall zone trust
[USG-2-zone-trust]add int g0/0/0
[USG-2-zone-trust]quit
[USG-2]firewall zone untrust
[USG-2-zone-untrust]add int g0/0/1
[USG-2-zone-untrust]quit
[USG-2]int g0/0/0
[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1]quit
[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
[USG-2]nat-policy interzone trust untrust outbound
[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit
[USG-2-nat-policy-interzone-trust-untrust-outbound]quit
[USG-2]ike proposal 1
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-proposal-1]quit
[USG-2]ike peer USG-A
[USG-2-ike-peer-usg-a]pre-shared-key abc123
[USG-2-ike-peer-usg-a]ike-proposal 1
[USG-2-ike-peer-usg-a]remote-address 11.0.0.2
[USG-2-ike-peer-usg-a]quit
[USG-2]ipsec proposal test
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test]quit
[USG-2]acl 3000
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000]quit
[USG-2]ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A
[USG-2-ipsec-policy-isakmp-map-1]proposal test
[USG-2-ipsec-policy-isakmp-map-1]security acl 3000
[USG-2-ipsec-policy-isakmp-map-1]quit
[USG-2]int g0/0/1
[USG-2-GigabitEthernet0/0/1]ipsec policy map
[USG-2-GigabitEthernet0/0/1]quit
[USG-2]policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound]policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1]action permit
[USG-2-policy-interzone-trust-untrust-outbound-1]quit
[USG-2-policy-interzone-trust-untrust-outbound]quit
[USG-2]policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound]policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1]action permit
[USG-2-policy-interzone-trust-untrust-inbound-1]quit
[USG-2-policy-interzone-trust-untrust-inbound]quit
[USG-2]policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound]policy 1
[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1]policy service service-set esp
[USG-2-policy-interzone-local-untrust-inbound-1]action permit
使用C1(192.168.10.10)去ping C2(192.168.20.10)
使用dispaly ike sa和display ipsec sa来查看邻居建立情况