Configuring a multi-site IPsec VPN with the policy-template approach

2023-03-24 (Friday) / 0 comments / 0 likes / 79 views / 17442 characters


Step 1: basic configuration

FW1 firewall configuration

#
sysname FW1
#
interface GigabitEthernet0/0/0
 ip address 202.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
 service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

FW2 firewall configuration

#
sysname FW2
#
interface GigabitEthernet0/0/0
 ip address 101.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.254 255.255.255.0
 service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

FW3 firewall configuration

#
sysname FW3
#
interface GigabitEthernet0/0/0
 ip address 60.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.254 255.255.255.0
 service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
security-policy
 default action permit
#

Internet router configuration

#
interface GigabitEthernet0/0/0
 ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 101.1.1.254 255.255.255.0
#

Verification:

Check connectivity between FW1 and PC1

<FW1>ping 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/50/60 ms

Check connectivity between FW2 and PC2

[FW2]ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 32/46/53 ms

Check connectivity between FW3 and PC3

[FW3]ping 192.168.3.3
  PING 192.168.3.3: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.3.3: bytes=56 Sequence=2 ttl=128 time=47 ms
    Reply from 192.168.3.3: bytes=56 Sequence=3 ttl=128 time=42 ms
    Reply from 192.168.3.3: bytes=56 Sequence=4 ttl=128 time=36 ms
    Reply from 192.168.3.3: bytes=56 Sequence=5 ttl=128 time=27 ms

  --- 192.168.3.3 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 27/38/47 ms

Check connectivity between FW1 and FW2

<FW1>ping 101.1.1.1
  PING 101.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
    Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
    Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 101.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/28/40 ms

Check connectivity between FW1 and FW3

[FW1]ping 60.1.1.1
  PING 60.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 60.1.1.1: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 60.1.1.1: bytes=56 Sequence=2 ttl=254 time=11 ms
    Reply from 60.1.1.1: bytes=56 Sequence=3 ttl=254 time=8 ms
    Reply from 60.1.1.1: bytes=56 Sequence=4 ttl=254 time=9 ms
    Reply from 60.1.1.1: bytes=56 Sequence=5 ttl=254 time=8 ms

  --- 60.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 8/10/15 ms

Check connectivity between PC1 and PC2 (no tunnel yet, so it fails as expected)

PC>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Check connectivity between PC1 and PC3

PC>ping 192.168.3.3

Ping 192.168.3.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.3.3 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Step 2: IPsec phase 1 configuration

IKE proposal

Configure the following on FW1, FW2 and FW3

ike proposal 10                          Note: the proposal has default values, which can be modified
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256       not used by IKEv1; used by IKEv2
 prf hmac-sha2-256
#

Verification:

[FW1]display ike proposal
2020-03-14 14:25:22.420
Number of IKE Proposals: 2
-------------------------------------------
 IKE Proposal: 10
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA2-256
   Encryption Algorithm       : AES-256
   Diffie-Hellman Group       : MODP-2048
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256
   Prf Algorithm              : HMAC-SHA2-256
-------------------------------------------

Configure the IKE peer

FW1 configuration. Note: with the template approach, FW1 does not need a remote-address; it can be set to a network range, or left out entirely.

ike peer yuanduan                        ----------- name of the peer
 pre-shared-key Huawei@123               ----------- if pre-shared-key authentication is used, set the key
 ike-proposal 10                         ----------- reference the IKE proposal
 undo version 2                          ----------- disable IKEv2 (v2 is enabled by default)

FW2 and FW3 configuration

ike peer fw1
 pre-shared-key Huawei@123
 ike-proposal 10
 undo version 2
 remote-address 202.1.1.1

Verification:

[FW1]display ike peer brief
2020-03-14 14:31:19.910
Current ike peer number: 1
---------------------------------------------------------------------------
Peer name        Version  Exchange-mode   Proposal   Id-type   RemoteAddr
---------------------------------------------------------------------------
yuanduan         v1       main            10         IP

Step 3: IPsec phase 2 configuration

Configure the interesting traffic (the subnets that actually communicate through the tunnel)

FW1:

acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

FW2:

acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

FW3:

acl number 3000
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Note: with IKEv1 the interesting-traffic ACLs on the two ends must be exact mirror images of each other. If one side's flow merely contains the other's, or differs from it in any way, the negotiation fails.
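As an added check that is not part of the original post, the following Python script parses the ACL 3000 rules above and verifies, per spoke, that every spoke flow has its exact reverse on FW1, which is what the IKEv1 mirror requirement demands. It also includes a constructed bad spoke ACL (FW2_BAD) whose flow contains FW1's reverse flow instead of matching it, to show how that case is reported.

```python
import re
from ipaddress import IPv4Network

# ACL text constructed from the FW1/FW2/FW3 "acl number 3000" configurations in this post,
# plus one constructed bad spoke whose flow CONTAINS FW1's reverse flow instead of matching it.
ACLS = {
    "FW1": "acl number 3000\n"
           " rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255\n"
           " rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255\n",
    "FW2": "acl number 3000\n"
           " rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255\n",
    "FW3": "acl number 3000\n"
           " rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255\n",
    "FW2_BAD": "acl number 3000\n"
               " rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255\n",
}

RULE_RE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (0 bits must match); invert them into a prefix mask."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def parse_flows(acl_text):
    """Set of (source, destination) networks the ACL selects as interesting traffic."""
    return {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in RULE_RE.findall(acl_text)}

def check_pair(spoke_acl, hub_acl):
    """Every spoke flow must have its exact reverse on the hub, as IKEv1 requires.
    Returns a list of problems; an empty list means the pair can negotiate."""
    hub = parse_flows(hub_acl)
    problems = []
    for src, dst in parse_flows(spoke_acl):
        if (dst, src) in hub:
            continue
        near = [f"{s} -> {d}" for s, d in hub if s.overlaps(dst) and d.overlaps(src)]
        if near:
            problems.append(f"{src} -> {dst}: hub has {near[0]} (overlaps but is not an exact mirror)")
        else:
            problems.append(f"{src} -> {dst}: no reverse flow on the hub")
    return problems

if __name__ == "__main__":
    for spoke in ("FW2", "FW3", "FW2_BAD"):
        print(spoke, check_pair(ACLS[spoke], ACLS["FW1"]) or "OK")
```

FW1 carries flows towards several spokes, so the check is run once per spoke against FW1's ACL rather than in the other direction.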

IPsec proposal

Configure on FW1, FW2 and FW3

ipsec proposal 10
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

Verification:

[FW1]display ipsec proposal
2020-03-14 14:33:58.850
Number of proposals: 1

IPSec proposal name: 10
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA2-HMAC-256
                      Encryption AES-256
[FW1]

Configure the IPsec policy

FW1

#
ipsec policy-template 10 10             the first 10 is the template name, the second 10 is the sequence number
 security acl 3000                      ----------------------- reference the interesting-traffic ACL
 ike-peer yuanduan                      ----------------------- reference the IKE peer (FW1's peer was named "yuanduan" above)
 proposal 10                            ----------------------- reference the IPsec proposal
#
ipsec policy ipsec_policy 10 isakmp template 10

FW2 and FW3 configuration

ipsec policy ipsec_policy 10 isakmp     "isakmp" at the end means the SA is negotiated automatically by IKE
 security acl 3000                      ----------------------- reference the interesting-traffic ACL
 ike-peer fw1                           ----------------------- reference the IKE peer
 alias ipsec_policy_10
 proposal 10                            ----------------------- reference the IPsec proposal

Apply the policy to the physical interface

Configure on FW1, FW2 and FW3

interface GigabitEthernet0/0/0
 ipsec policy ipsec_policy

Security policies to permit the traffic

FW1 configuration

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.3.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.3.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#

FW2 configuration

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
#

FW3 configuration

#
security-policy
 rule name ipsec1
  source-zone local
  destination-zone untrust
  destination-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec2
  source-zone untrust
  destination-zone local
  source-address 202.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec3
  source-zone trust
  destination-zone untrust
  source-address 192.168.3.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name ipsec4
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.3.0 mask 255.255.255.0
  action permit
#

Test:

Ping PC1 from PC2

PC>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

--- 192.168.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/81/94 ms

PC>

Ping PC1 from PC3

PC>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=126 time=62 ms
From 192.168.1.1: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.1.1: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.1.1: bytes=32 seq=4 ttl=126 time=63 ms
From 192.168.1.1: bytes=32 seq=5 ttl=126 time=62 ms

--- 192.168.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 62/71/94 ms

View the IKE SAs on FW1

[FW1]display ike sa
2020-03-15 05:22:58.390
IKE SA information :
 Conn-ID    Peer          ***            Flag(s)               Phase  RemoteType  RemoteID
------------------------------------------------------------------------------------------
 2          101.1.1.1:500                RD|A                  v1:2   IP          101.1.1.1
 1          101.1.1.1:500                RD|A                  v1:1   IP          101.1.1.1
 4          60.1.1.1:500                 RD|A                  v1:2   IP          60.1.1.1
 3          60.1.1.1:500                 RD|A                  v1:1   IP          60.1.1.1

 Number of IKE SA : 4
------------------------------------------------------------------------------------------

 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

View the IPsec SAs on FW1

[FW1]display ipsec sa
2020-03-15 05:23:01.660
ipsec sa information:

===============================
Interface: GigabitEthernet0/0/0
===============================

  -----------------------------
  IPSec policy name: "ipsec_policy"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : Template
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 35m 23s
    Tunnel local      : 202.1.1.1:500
    Tunnel remote     : 101.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 187921672 (0xb337508)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1476
      Max sent sequence-number: 17
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 16/960

    [Inbound ESP SAs]
      SPI: 197430515 (0xbc48cf3)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485759/1476
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 19/1140
      Anti-replay : Enable
      Anti-replay window size: 1024

  -----------------------------
  IPSec policy name: "ipsec_policy"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 10
  Mode             : Template
  -----------------------------
    Connection ID     : 4
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 35m 10s
    Tunnel local      : 202.1.1.1:500
    Tunnel remote     : 60.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.3.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 197283812 (0xbc24fe4)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1489
      Max sent sequence-number: 14
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 13/780

    [Inbound ESP SAs]
      SPI: 187509375 (0xb2d2a7f)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/1489
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 14/840
      Anti-replay : Enable
      Anti-replay window size: 1024
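An added audit script, not from the original post: it parses a constructed, abbreviated copy of the display ipsec sa output above and checks each tunnel against the proposal and ACL 3000 flows configured earlier on FW1, confirms anti-replay is enabled, and reports any expected peer that has no SA at all.

```python
import re

# Constructed, abbreviated excerpt of FW1's "display ipsec sa" output above (only audited fields kept).
SAMPLE = """\
  IPSec policy name: "ipsec_policy"
    Tunnel remote     : 101.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.2.0/255.255.255.0 0/0-65535
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      Anti-replay : Enable
  IPSec policy name: "ipsec_policy"
    Tunnel remote     : 60.1.1.1:500
    Flow source       : 192.168.1.0/255.255.255.0 0/0-65535
    Flow destination  : 192.168.3.0/255.255.255.0 0/0-65535
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      Anti-replay : Enable
"""

# What the configuration intends: "ipsec proposal 10" and the two rules of ACL 3000 on FW1.
EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128"
EXPECTED_FLOWS = {
    "101.1.1.1": ("192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0"),
    "60.1.1.1": ("192.168.1.0/255.255.255.0", "192.168.3.0/255.255.255.0"),
}

def parse_tunnels(text):
    """Split the output at each 'IPSec policy name' header and extract the audited fields."""
    tunnels = []
    for chunk in re.split(r"(?m)^\s*IPSec policy name", text)[1:]:
        f = dict(re.findall(r"^\s*([A-Za-z -]+?)\s*:\s*(.+?)\s*$", chunk, re.M))
        tunnels.append({"remote": f["Tunnel remote"].split(":")[0],
                        "flow": (f["Flow source"].split()[0], f["Flow destination"].split()[0]),
                        "proposals": set(re.findall(r"Proposal:\s*(.+)", chunk)),
                        "anti_replay": f.get("Anti-replay") == "Enable"})
    return tunnels

def audit(text):
    """Return findings; an empty list means every expected tunnel is up with the intended parameters."""
    findings, seen = [], set()
    for t in parse_tunnels(text):
        seen.add(t["remote"])
        if t["proposals"] != {EXPECTED_PROPOSAL}:
            findings.append(f"{t['remote']}: unexpected proposal {sorted(t['proposals'])}")
        if not t["anti_replay"]:
            findings.append(f"{t['remote']}: anti-replay disabled")
        if EXPECTED_FLOWS.get(t["remote"]) != t["flow"]:
            findings.append(f"{t['remote']}: flow {t['flow']} does not match ACL 3000")
    for remote in sorted(EXPECTED_FLOWS.keys() - seen):
        findings.append(f"{remote}: no IPsec SA (tunnel down)")
    return findings
```

Run audit() over the live output periodically; a non-empty result is the signal that a tunnel has dropped or renegotiated with parameters other than those configured.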

View the IPsec encryption and decryption statistics on FW1

[FW1]display ipsec statistics
2020-03-15 05:23:12.690
 IPSec statistics information:
 Number of IPSec tunnels: 2
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 33/29
   input/output security bytes: 1980/1740
   input/output dropped security packets: 0/0
   the encrypt packet statistics:
     send chip: 29, recv chip: 29, send err: 0
     local cpu: 29, other cpu: 0, recv other cpu: 0
     intact packet: 29, first slice: 0, after slice: 0
   the decrypt packet statistics:
     send chip: 33, recv chip: 33, send err: 0
     local cpu: 33, other cpu: 0, recv other cpu: 0
     reass  first slice: 0, after slice: 0
   dropped security packet detail:
     can not find SA: 0, wrong SA: 0
     authentication: 0, replay: 0
     front recheck: 0, after recheck: 0
     change cpu enc: 0, dec change cpu: 0
     fib search: 0, output l3: 0
     flow err: 0, slice err: 0, byte limit: 0
     slave drop: 0
   negotiate about packet statistics:
     IKE fwd packet ok: 10, err: 0
     IKE ctrl packet inbound ok: 10, outbound ok: 8
     SoftExpr: 0, HardExpr: 0, DPDOper: 0
     trigger ok: 0, switch sa: 2, sync sa: 0
     recv IKE nat keepalive: 0, IKE input: 0
[FW1]