I previously wrote about configuring IPsec between a headquarters and two branch offices on three Huawei firewalls; since all of them were the same brand, the configuration was relatively simple. In today's case the branch office uses a Fortinet (FortiGate) firewall whose uplink is a China Telecom PPPoE dial-up broadband line with no fixed public IP, while the headquarters uses a Huawei firewall with a fixed public IP.

I. Customer requirements

The Huawei firewall acts as the headquarters' enterprise gateway and establishes an IPsec tunnel with the branch's FortiGate firewall using a policy template. Because the public address on the branch FortiGate's egress is not fixed, only the branch can initiate the negotiation that establishes the IPsec tunnel; the headquarters cannot initiate it.

The IPsec configuration parameters are planned as shown in the figure below:

II. Configuration process

1. Huawei firewall configuration

The Huawei firewall uses a template-based IPsec policy, which does not require the peer IP address to be fixed; no matter how many branches there are, the headquarters needs only one IPsec policy and one IKE peer, so the configuration is simple. With a regular (non-template) IPsec policy and N branches, the headquarters would need N IPsec policies and N IKE peers, which is considerably more cumbersome.

(1) Configure the interfaces and add them to the corresponding security zones.

Configure interface GE1/0/3 and add it to the untrust zone.

    [HUAWEI] interface GigabitEthernet 1/0/3
    [HUAWEI-GigabitEthernet1/0/3] ip address 222.xx.xx.50 29
    [HUAWEI-GigabitEthernet1/0/3] quit
    [HUAWEI] firewall zone untrust
    [HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
    [HUAWEI-zone-untrust] quit

Configure interface GE1/0/5 and add it to the trust zone.

    [HUAWEI] interface GigabitEthernet 1/0/5
    [HUAWEI-GigabitEthernet1/0/5] ip address 192.168.160.1 24
    [HUAWEI-GigabitEthernet1/0/5] quit
    [HUAWEI] firewall zone trust
    [HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
    [HUAWEI-zone-trust] quit

(2) Configure security policies.

Configure the security policies between untrust and trust. Policy 1 allows the branch to access the headquarters; policy 2 allows the headquarters to access the branch.

    [HUAWEI] security-policy
    [HUAWEI-policy-security] rule name 1
    [HUAWEI-policy-security-rule-1] source-zone untrust
    [HUAWEI-policy-security-rule-1] destination-zone trust
    [HUAWEI-policy-security-rule-1] source-address 192.168.60.0 24
    [HUAWEI-policy-security-rule-1] destination-address 192.168.160.0 24
    [HUAWEI-policy-security-rule-1] action permit
    [HUAWEI-policy-security-rule-1] quit
    [HUAWEI-policy-security] rule name 2
    [HUAWEI-policy-security-rule-2] source-zone trust
    [HUAWEI-policy-security-rule-2] destination-zone untrust
    [HUAWEI-policy-security-rule-2] source-address 192.168.160.0 24
    [HUAWEI-policy-security-rule-2] destination-address 192.168.60.0 24
    [HUAWEI-policy-security-rule-2] action permit
    [HUAWEI-policy-security-rule-2] quit

(3) Configure the security policies between local and untrust.

Policy 3 allows the Huawei firewall to send IPsec tunnel-establishment requests; policy 4 allows the Huawei firewall to receive IPsec tunnel-establishment requests. The source and destination IP addresses are the egress public addresses of the two ends; because the branch's public address is dynamic, only the headquarters address is matched explicitly.

    [HUAWEI-policy-security] rule name 3
    [HUAWEI-policy-security-rule-3] source-zone local
    [HUAWEI-policy-security-rule-3] destination-zone untrust
    [HUAWEI-policy-security-rule-3] source-address 222.xx.xx.50 29
    [HUAWEI-policy-security-rule-3] action permit
    [HUAWEI-policy-security-rule-3] quit
    [HUAWEI-policy-security] rule name 4
    [HUAWEI-policy-security-rule-4] source-zone untrust
    [HUAWEI-policy-security-rule-4] destination-zone local
    [HUAWEI-policy-security-rule-4] destination-address 222.xx.xx.50 29
    [HUAWEI-policy-security-rule-4] action permit
    [HUAWEI-policy-security-rule-4] quit

(4) Configure routing.

Configure the default route to the Internet.

    [HUAWEI] ip route-static 0.0.0.0 0.0.0.0 222.xx.xx.49

(5) Configure the ACL.

Packets with source 192.168.160.0/24 and destination 192.168.60.0/24 must be carried over the IPsec tunnel.

    [HUAWEI] acl 3000
    [HUAWEI-acl-adv-3000] rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
    [HUAWEI-acl-adv-3000] quit

(6) Configure the IKE SA.

Configure the IKE proposal, specifying the encryption algorithm, authentication algorithm and DH group.

    [HUAWEI] ike proposal 1
    [HUAWEI-ike-proposal-1] encryption-algorithm 3des
    [HUAWEI-ike-proposal-1] authentication-algorithm sha1
    [HUAWEI-ike-proposal-1] dh group2
    [HUAWEI-ike-proposal-1] quit

Configure the IKE peer, specifying the negotiation mode, IKE version and pre-shared key.

    [HUAWEI] ike peer fortigate
    [HUAWEI-ike-peer-fortigate] exchange-mode main
    [HUAWEI-ike-peer-fortigate] undo version 2
    [HUAWEI-ike-peer-fortigate] ike-proposal 1
    [HUAWEI-ike-peer-fortigate] pre-shared-key Key@hcit333
    [HUAWEI-ike-peer-fortigate] quit

(7) Configure the IPsec proposal, specifying the encapsulation mode, security protocol, encryption algorithm and authentication algorithm.

    [HUAWEI] ipsec proposal tran1
    [HUAWEI-ipsec-proposal-tran1] transform esp
    [HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
    [HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
    [HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [HUAWEI-ipsec-proposal-tran1] quit

(8) Configure the policy template and the IPsec policy, binding the IKE peer, IPsec proposal and ACL. The template is created first; the IPsec policy that references it is then created in system view.

    [HUAWEI] ipsec policy-template tem 1
    [HUAWEI-ipsec-policy-template-tem-1] security acl 3000
    [HUAWEI-ipsec-policy-template-tem-1] proposal tran1
    [HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate
    [HUAWEI-ipsec-policy-template-tem-1] quit
    [HUAWEI] ipsec policy map1 1 isakmp template tem

(9) Apply the IPsec policy on the interface.

    [HUAWEI] interface GigabitEthernet 1/0/3
    [HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
    [HUAWEI-GigabitEthernet1/0/3] quit

2. FortiGate firewall configuration

(1) Configure the interfaces.

Configure the broadband (PPPoE) connection on interface port03.

    Fortigate # config system interface
    Fortigate (interface) # edit port03
    Fortigate (port03) # set mode pppoe
    Fortigate (port03) # set username xxxxxx
    Fortigate (port03) # set password xxxxxx
    Fortigate (port03) # set distance 5
    Fortigate (port03) # set dns-server-override enable
    Fortigate (port03) # end

Note the administrative distance: a fixed-IP interface uses a distance of 10, while a PPPoE dial-up interface uses a distance of 5.

Configure interface port10.

    Fortigate # config system interface
    Fortigate (interface) # edit port10
    Fortigate (port10) # set ip 192.168.60.1/24
    Fortigate (port10) # set allowaccess ping https telnet
    Fortigate (port10) # end

(2) Configure the IKE SA (phase 1), specifying its name, the bound interface, negotiation mode, encryption and authentication algorithms, pre-shared key, peer address and DH group.

    Fortigate # config vpn ipsec phase1-interface
    Fortigate (phase1-interface) # edit firewall
    Fortigate (firewall) # set interface port03
    Fortigate (firewall) # set mode main
    Fortigate (firewall) # set proposal 3des-sha1
    Fortigate (firewall) # set psksecret Key@hcit333
    Fortigate (firewall) # set remote-gw 222.xx.xx.50
    Fortigate (firewall) # set dhgrp 2
    Fortigate (firewall) # end

(3) Configure the IPsec SA (phase 2), specifying its name, the bound IKE SA, encryption and authentication algorithms, and DH group.

    Fortigate # config vpn ipsec phase2-interface
    Fortigate (phase2-interface) # edit firewall
    new entry 'firewall' added
    Fortigate (firewall) # set phase1name firewall
    Fortigate (firewall) # set dhgrp 2
    Fortigate (firewall) # set proposal 3des-sha1
    Fortigate (firewall) # set dst-subnet 192.168.160.0 255.255.255.0
    Fortigate (firewall) # set src-subnet 192.168.60.0 255.255.255.0
    Fortigate (firewall) # end

(4) Add the tunnel interface to the untrust zone.

    Fortigate # config system zone
    Fortigate (zone) # edit untrust
    Fortigate (untrust) # set interface firewall
    Fortigate (untrust) # end

(5) Configure firewall policies.

Configure the policies between port03 and port10. Policy 66 ensures the headquarters can reach the branch normally:

    Fortigate # config firewall policy
    Fortigate (policy) # edit 66
    Fortigate (66) # set srcintf port03
    Fortigate (66) # set dstintf port10
    Fortigate (66) # set srcaddr all
    Fortigate (66) # set dstaddr all
    Fortigate (66) # set action accept
    Fortigate (66) # set schedule always
    Fortigate (66) # set service ANY
    Fortigate (66) # end

Policy 99 ensures the branch can reach the headquarters:

    Fortigate # config firewall policy
    Fortigate (policy) # edit 99
    Fortigate (99) # set srcintf port10
    Fortigate (99) # set dstintf port03
    Fortigate (99) # set srcaddr all
    Fortigate (99) # set dstaddr all
    Fortigate (99) # set action accept
    Fortigate (99) # set schedule always
    Fortigate (99) # set service ANY
    Fortigate (99) # end

Configure the policies between untrust and port10, that is, between the tunnel interface and port10. Policy 96 ensures traffic arriving through the tunnel interface can enter the branch LAN:

    Fortigate # config firewall policy
    Fortigate (policy) # edit 96
    Fortigate (96) # set srcintf untrust
    Fortigate (96) # set dstintf port10
    Fortigate (96) # set srcaddr all
    Fortigate (96) # set dstaddr all
    Fortigate (96) # set action accept
    Fortigate (96) # set schedule always
    Fortigate (96) # set service ANY
    Fortigate (96) # end

Policy 76 ensures traffic from the branch LAN can pass out through the tunnel interface:

    Fortigate # config firewall policy
    Fortigate (policy) # edit 76
    Fortigate (76) # set srcintf port10
    Fortigate (76) # set dstintf untrust
    Fortigate (76) # set srcaddr all
    Fortigate (76) # set dstaddr all
    Fortigate (76) # set action accept
    Fortigate (76) # set schedule always
    Fortigate (76) # set service ANY
    Fortigate (76) # end

(6) Configure routing.

Configure a static route that steers traffic for the headquarters LAN into the tunnel interface.

    Fortigate # config router static
    Fortigate (static) # edit 76
    Fortigate (76) # set device firewall
    Fortigate (76) # set dst 192.168.160.0 255.255.255.0
    Fortigate (76) # end

III. Verifying the configuration

Log in to the Huawei firewall's web UI and check whether the IPsec tunnel is connected.

If IPsec connects and the two LANs can reach each other, the configuration is correct. If IPsec cannot connect, the parameters on the two ends most likely differ, so compare them carefully. If IPsec is connected but the two LANs cannot reach each other, check that the security policies and routes are correct.
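The verification advice above (a tunnel that never comes up usually means the two ends' parameters differ) can be turned into a mechanical check. The script below is an added example, not part of the original post or of either vendor's tooling: it parses constructed excerpts that reproduce this article's IKE/IPsec values, normalises them into one form (FortiGate's dst-subnet is the headquarters LAN; Huawei's ACL wildcard mask becomes a prefix length), and reports which parameters differ between the sides and which settings (3DES, DH group 2) a current policy would flag as legacy; the legacy lists are my assumption.

```python
import ipaddress, re
# Constructed excerpts reproducing the page's values (not captured device output).
HUAWEI_CFG = """ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer fortigate
 exchange-mode main
 pre-shared-key Key@hcit333
ipsec proposal tran1
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl 3000
 rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
"""
FORTI_CFG = """config vpn ipsec phase1-interface
 set mode main
 set proposal 3des-sha1
 set psksecret Key@hcit333
 set dhgrp 2
config vpn ipsec phase2-interface
 set proposal 3des-sha1
 set dst-subnet 192.168.160.0 255.255.255.0
 set src-subnet 192.168.60.0 255.255.255.0
"""
WEAK_ALG, WEAK_DH = {"des", "3des", "md5"}, {"1", "2", "5"}  # assumption: what to flag as legacy
HUAWEI_RE = {"mode": r"^ exchange-mode (\S+)", "dh": r"^ dh group(\d+)", "psk": r"^ pre-shared-key (\S+)",
             "ike_enc": r"^ encryption-algorithm (\S+)", "ike_auth": r"^ authentication-algorithm (\S+)",
             "esp_enc": r"^ esp encryption-algorithm (\S+)", "esp_auth": r"^ esp authentication-algorithm (\S+)",
             "hq_net": r"^ rule permit ip source (\S+ \S+)", "branch_net": r"destination (\S+ \S+)"}

def grab(pat, text):
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None
def net(pair):  # "addr mask"; ipaddress accepts both netmasks and Huawei-style wildcard masks
    return str(ipaddress.ip_network("/".join(pair.split())))
def huawei_params(cfg):
    p = {k: grab(v, cfg) for k, v in HUAWEI_RE.items()}
    return {**p, "hq_net": net(p["hq_net"]), "branch_net": net(p["branch_net"])}
def forti_params(cfg):
    p1, p2 = cfg.split("phase2-interface")  # phase1 text, phase2 text
    ike, esp = [grab(r"set proposal (\S+)", blk).split("-") for blk in (p1, p2)]
    hq_lan, br_lan = grab(r"set dst-subnet (\S+ \S+)", p2), grab(r"set src-subnet (\S+ \S+)", p2)  # dst = HQ LAN
    return {"mode": grab(r"set mode (\S+)", p1), "dh": grab(r"set dhgrp (\d+)", p1),
            "psk": grab(r"set psksecret (\S+)", p1), "ike_enc": ike[0], "ike_auth": ike[1],
            "esp_enc": esp[0], "esp_auth": esp[1], "hq_net": net(hq_lan), "branch_net": net(br_lan)}
def compare(hq, br):
    """Return (mismatched keys, legacy settings); any mismatch explains a tunnel that never comes up."""
    weak = {v for v in hq.values() if v in WEAK_ALG} | ({"dh-group" + hq["dh"]} if hq["dh"] in WEAK_DH else set())
    return [k for k in hq if hq[k] != br[k]], sorted(weak)
```

For the article's values `compare` reports no mismatches and flags 3DES and DH group 2; changing one side's PSK, DH group or subnet makes the offending key appear in the first list.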