Huawei USG Firewall IPsec VPN Configuration

Lab topology

Built with the Huawei eNSP 1.2.00.370 simulator

Lab requirements

USG-1 and USG-2 play the role of enterprise edge devices. Configure NAT and an IPsec VPN on both so that the two private networks can reach each other through the VPN.

Lab configuration

The IP address configuration of R1 is omitted.


USG-1 configuration

[USG-1]firewall zone trust          //Configure the trust zone

[USG-1-zone-trust]add interface g0/0/0    //Add the interface to the trust zone

[USG-1-zone-trust]quit

[USG-1]firewall zone untrust           //Configure the untrust zone

[USG-1-zone-untrust]add int g0/0/1          //Add the interface to the untrust zone

[USG-1-zone-untrust]quit

[USG-1]int g0/0/0

[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24

[USG-1-GigabitEthernet0/0/0]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24

[USG-1-GigabitEthernet0/0/1]quit

[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1   //Default route toward the public network

[USG-1]nat-policy interzone trust untrust outbound

//Enter the NAT policy view for the trust-to-untrust outbound direction

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1     //Create policy 1

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat

//The three commands above exempt packets from 192.168.10.0/24 to 192.168.20.0/24 from NAT, so the VPN traffic keeps its private addresses

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2  //Create policy 2

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

//Apply source NAT to everything else

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1

//Reuse the address of interface G0/0/1 (Easy IP)

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]quit

---------------------------Phase 1-----------------------------------------------------

[USG-1]ike proposal 1     //Configure an IKE proposal

[USG-1-ike-proposal-1]authentication-method pre-share   //Set the IKE authentication method to pre-shared key

[USG-1-ike-proposal-1]authentication-algorithm sha1   //Set the IKE authentication algorithm to SHA1

[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96  //Set the IKE integrity algorithm

[USG-1-ike-proposal-1]dh group2  //Set the DH group for IKE key negotiation

[USG-1-ike-proposal-1]quit

[USG-1]ike peer USG-2             //Create an IKE peer named USG-2

[USG-1-ike-peer-usg-2]pre-shared-key abc123    //Configure the pre-shared key

[USG-1-ike-peer-usg-2]remote-address 12.0.0.2  //Configure the peer's IP address

[USG-1-ike-peer-usg-2]ike-proposal 1       //Reference IKE proposal 1

[USG-1-ike-peer-usg-2]quit

----------------------------Phase 2-----------------------------------------------------

[USG-1]ipsec proposal test        //Configure an IPsec proposal

[USG-1-ipsec-proposal-test]encapsulation-mode tunnel    //Use tunnel encapsulation mode

[USG-1-ipsec-proposal-test]transform esp    //Set the IPsec security protocol to ESP

[USG-1-ipsec-proposal-test]esp encryption-algorithm aes   //Set the ESP encryption algorithm to AES

[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1  //Set the ESP authentication algorithm

[USG-1-ipsec-proposal-test]quit

[USG-1]acl 3000         //Create an ACL that defines the interesting traffic

[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[USG-1-acl-adv-3000]quit

[USG-1]ipsec policy map 1 isakmp    //Create an IPsec policy named map (sequence 1) negotiated through IKE

[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2    //Reference the IKE peer

[USG-1-ipsec-policy-isakmp-map-1]proposal test     //Reference the IPsec proposal

[USG-1-ipsec-policy-isakmp-map-1]security acl 3000   //Bind the interesting traffic

[USG-1-ipsec-policy-isakmp-map-1]quit

[USG-1]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ipsec policy map     //Apply the IPsec policy on the outside interface

[USG-1-GigabitEthernet0/0/1]quit

Interzone policy configuration

[USG-1]policy interzone trust untrust outbound

//Enter the policy view for the trust-to-untrust outbound direction

[USG-1-policy-interzone-trust-untrust-outbound]policy 1    //Create a policy

[USG-1-policy-interzone-trust-untrust-outbound-1]action permit

//Allow all hosts in the trust zone to access the untrust zone

[USG-1-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-policy-interzone-trust-untrust-outbound]quit

[USG-1]policy interzone trust untrust inbound

//Enter the policy view for the trust-to-untrust inbound direction

[USG-1-policy-interzone-trust-untrust-inbound]policy 1

[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]action permit

//The commands above permit traffic whose source is 192.168.20.0/24 and whose destination is 192.168.10.0/24

[USG-1-policy-interzone-trust-untrust-inbound-1]quit

[USG-1-policy-interzone-trust-untrust-inbound]quit

[USG-1]policy interzone local untrust inbound

//Enter the policy view for the local-to-untrust inbound direction

[USG-1-policy-interzone-local-untrust-inbound]policy 1

[USG-1-policy-interzone-local-untrust-inbound-1]policy service service-set esp

[USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]action permit

//Permit ESP packets from source 12.0.0.2 to destination 11.0.0.2

USG-2 configuration

[USG-2]firewall zone trust

[USG-2-zone-trust]add int g0/0/0

[USG-2-zone-trust]quit

[USG-2]firewall zone untrust

[USG-2-zone-untrust]add int g0/0/1

[USG-2-zone-untrust]quit

[USG-2]int g0/0/0

[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24

[USG-2-GigabitEthernet0/0/0]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

[USG-2]nat-policy interzone trust untrust outbound

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]quit

[USG-2]ike proposal 1

[USG-2-ike-proposal-1]authentication-method pre-share

[USG-2-ike-proposal-1]authentication-algorithm sha1

[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96

[USG-2-ike-proposal-1]dh group2

[USG-2-ike-proposal-1]quit

[USG-2]ike peer USG-A

[USG-2-ike-peer-usg-a]pre-shared-key abc123

[USG-2-ike-peer-usg-a]ike-proposal 1

[USG-2-ike-peer-usg-a]remote-address 11.0.0.2

[USG-2-ike-peer-usg-a]quit

[USG-2]ipsec proposal test

[USG-2-ipsec-proposal-test]encapsulation-mode tunnel

[USG-2-ipsec-proposal-test]transform esp

[USG-2-ipsec-proposal-test]esp encryption-algorithm aes

[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1

[USG-2-ipsec-proposal-test]quit

[USG-2]acl 3000

[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[USG-2-acl-adv-3000]quit

[USG-2]ipsec policy map 1 isakmp

[USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A

[USG-2-ipsec-policy-isakmp-map-1]proposal test

[USG-2-ipsec-policy-isakmp-map-1]security acl 3000

[USG-2-ipsec-policy-isakmp-map-1]quit

[USG-2]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ipsec policy map

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]policy interzone trust untrust outbound

[USG-2-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-policy-interzone-trust-untrust-outbound-1]action permit

[USG-2-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-policy-interzone-trust-untrust-outbound]quit

[USG-2]policy interzone trust untrust inbound

[USG-2-policy-interzone-trust-untrust-inbound]policy 1

[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]action permit

[USG-2-policy-interzone-trust-untrust-inbound-1]quit

[USG-2-policy-interzone-trust-untrust-inbound]quit

[USG-2]policy interzone local untrust inbound

[USG-2-policy-interzone-local-untrust-inbound]policy 1

[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]policy service service-set esp

[USG-2-policy-interzone-local-untrust-inbound-1]action permit

Ping C2 (192.168.20.10) from C1 (192.168.10.10).

Use display ike sa and display ipsec sa to check whether the SAs with the peer have been established.

Time: 2024-10-10 13:34:35
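As an added consistency check (my own example, not part of the original write-up): a small Python script that reads the "[prompt]command" transcript form used above and verifies the two points this lab's NAT section depends on, namely that ACL 3000 on the two peers mirrors the same flow and that each no-nat policy sits ahead of the source-nat policy and covers exactly that ACL flow. It assumes NAT policies are matched in ascending policy-ID order, as in this lab, and the transcript is a constructed excerpt of the commands above.

```python
import re

# Constructed excerpt of the two USG transcripts above, in the "[prompt]command"
# form this write-up uses; only the NAT-policy and ACL lines the checks need are kept.
TRANSCRIPT = """\
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""
LINE = re.compile(r"^\[(USG-\d)-([^\]]+)\](.+)$")  # [device-view]command
def parse(transcript):
    """Per device: the IPsec ACL flow and the NAT policies; the prompt tells which view a command was typed in."""
    devs = {}
    for line in transcript.splitlines():
        m = LINE.match(line.strip())
        if not m: continue
        dev, view, cmd = m.group(1), m.group(2), m.group(3).split()
        f = devs.setdefault(dev, {"nat": {}})          # nat: policy number -> fields
        if view.startswith("acl-adv-") and cmd[:3] == ["rule", "permit", "ip"]:
            f["acl"] = (cmd[4], cmd[5], cmd[7], cmd[8])  # src, wildcard, dst, wildcard
        elif view.startswith("nat-policy-") and view.rsplit("-", 1)[1].isdigit():
            n = f["nat"].setdefault(int(view.rsplit("-", 1)[1]), {})
            if cmd[0] == "policy":                      # policy source | policy destination
                n[cmd[1]] = (cmd[2], cmd[3])
            elif cmd[0] == "action":
                n["action"] = cmd[1]
    return devs
def check_pair(transcript, a="USG-1", b="USG-2"):
    """Mismatches that would stop the VPN flow from matching on both ends or let it fall into source NAT."""
    d, bad = parse(transcript), []
    if d[a]["acl"] != d[b]["acl"][2:] + d[b]["acl"][:2]:
        bad.append("interesting-traffic ACLs are not mirror images")
    for dev in (a, b):
        nat, acl = d[dev]["nat"], d[dev]["acl"]
        nonat = [n for n, p in nat.items() if p.get("action") == "no-nat"]
        snat = [n for n, p in nat.items() if p.get("action") == "source-nat"]
        if not nonat or (snat and min(nonat) > min(snat)):
            bad.append(f"{dev}: no-nat policy missing or ordered after source-nat")
        elif (nat[min(nonat)].get("source"), nat[min(nonat)].get("destination")) != (acl[:2], acl[2:]):
            bad.append(f"{dev}: no-nat policy does not cover the IPsec ACL flow")
    return bad
```

An empty list from check_pair means the two sides agree; swapping the order of the no-nat and source-nat policies, or editing one side's ACL, makes the corresponding message appear.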
