Building an IPSec tunnel between a Huawei firewall and a FortiGate firewall so that two LANs can reach each other

I previously wrote about configuring IPSec between a headquarters and two branches on three Huawei firewalls. Those were all the same brand, so the configuration was comparatively simple.

In today's case the branch uses a FortiGate firewall whose uplink is a China Telecom PPPoE dial-up line with no fixed public IP, while headquarters (HQ) uses a Huawei firewall with a fixed public IP.

[image]

I. Customer requirements

The Huawei firewall is HQ's enterprise gateway and builds the IPSec tunnel with the branch's FortiGate firewall in policy-template mode. Because the FortiGate's outside (public) address is not fixed, only the branch can initiate the IKE negotiation that brings the tunnel up; HQ cannot initiate it.

The IPSec parameters are planned as shown in the figure below:

[image]

II. Configuration

1. Huawei firewall configuration

The Huawei firewall uses an IPSec policy template. A template does not require the peer's IP address to be fixed, and however many branches there are, HQ needs only one IPSec policy and one IKE peer, so the configuration stays simple. With a static IPSec policy, N branches would require N IPSec policies and N IKE peers at HQ. The trade-off of template mode is the one stated in the requirements: HQ only ever responds, so the tunnel exists only after a branch has brought it up.

(1) Configure the interfaces and add them to their security zones.

Configure GE1/0/3 (the outside interface) and add it to the untrust zone.

[HUAWEI] interface GigabitEthernet 1/0/3

[HUAWEI-GigabitEthernet1/0/3] ip address 222.xx.xx.50 29

[HUAWEI-GigabitEthernet1/0/3] quit

[HUAWEI] firewall zone untrust

[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3

[HUAWEI-zone-untrust] quit

Configure GE1/0/5 (the LAN interface) and add it to the trust zone.

[HUAWEI] interface GigabitEthernet 1/0/5

[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.160.1 24

[HUAWEI-GigabitEthernet1/0/5] quit

[HUAWEI] firewall zone trust

[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5

[HUAWEI-zone-trust] quit

(2) Configure security policies.

Configure the inter-zone policies between untrust and trust. These match the cleartext LAN-to-LAN traffic (after decryption inbound, before encryption outbound), so they are scoped to the two LAN subnets rather than to "any".

Rule 1 permits branch-to-HQ traffic; rule 2 permits HQ-to-branch traffic.

[HUAWEI] security-policy

[HUAWEI-policy-security] rule name 1

[HUAWEI-policy-security-rule-1] source-zone untrust

[HUAWEI-policy-security-rule-1] destination-zone trust

[HUAWEI-policy-security-rule-1] source-address 192.168.60.0 24

[HUAWEI-policy-security-rule-1] destination-address 192.168.160.0 24

[HUAWEI-policy-security-rule-1] action permit

[HUAWEI-policy-security-rule-1] quit

[HUAWEI-policy-security] rule name 2

[HUAWEI-policy-security-rule-2] source-zone trust

[HUAWEI-policy-security-rule-2] destination-zone untrust

[HUAWEI-policy-security-rule-2] source-address 192.168.160.0 24

[HUAWEI-policy-security-rule-2] destination-address 192.168.60.0 24

[HUAWEI-policy-security-rule-2] action permit

[HUAWEI-policy-security-rule-2] quit

(3) Configure the security policies between local and untrust.

Rule 3 allows the Huawei firewall itself to send IKE and ESP packets to the Internet (as responder it still has to answer the branch's negotiation and emit encrypted traffic); rule 4 allows it to receive them. Because the branch's public address is not fixed, only HQ's public address is specified, as the source in rule 3 and as the destination in rule 4, and the peer address is left open. Note that as written neither rule restricts the service, so they permit any traffic to or from the firewall's public address; narrowing them to IKE (UDP 500, plus UDP 4500 for NAT traversal) and ESP is a worthwhile hardening step.

[HUAWEI-policy-security] rule name 3

[HUAWEI-policy-security-rule-3] source-zone local

[HUAWEI-policy-security-rule-3] destination-zone untrust

[HUAWEI-policy-security-rule-3] source-address 222.xx.xx.50 29

[HUAWEI-policy-security-rule-3] action permit

[HUAWEI-policy-security-rule-3] quit

[HUAWEI-policy-security] rule name 4

[HUAWEI-policy-security-rule-4] source-zone untrust

[HUAWEI-policy-security-rule-4] destination-zone local

[HUAWEI-policy-security-rule-4] destination-address 222.xx.xx.50 29

[HUAWEI-policy-security-rule-4] action permit

[HUAWEI-policy-security-rule-4] quit

(4) Configure routing.

Configure the default route to the Internet.

[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 222.xx.xx.49

(5) Configure the ACL.

Packets from 192.168.160.0/24 (HQ LAN) to 192.168.60.0/24 (branch LAN) are to be carried through the IPSec tunnel. This ACL defines the traffic to protect; it must mirror the source and destination subnets configured in the FortiGate's phase 2, with the two sides swapped.

[HUAWEI] acl 3000

[HUAWEI-acl-adv-3000] rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255

[HUAWEI-acl-adv-3000] quit

(6) Configure the IKE SA.

Configure the IKE proposal, specifying the encryption algorithm, the authentication (integrity) algorithm and the DH group. The values below (3DES, SHA-1, DH group 2) are what this setup used and both vendors still accept them, but all three are legacy choices; where both ends allow it, prefer AES-256, SHA-2 (sha2-256) and DH group 14 or higher, in this IKE proposal and in the IPSec proposal of step (7) alike, and keep the FortiGate's phase 1 and phase 2 proposals in agreement.

[HUAWEI] ike proposal 1

[HUAWEI-ike-proposal-1] encryption-algorithm 3des

[HUAWEI-ike-proposal-1] authentication-algorithm sha1

[HUAWEI-ike-proposal-1] dh group2

[HUAWEI-ike-proposal-1] quit

Configure the IKE peer, specifying the exchange mode, the IKE version and the pre-shared key. "undo version 2" leaves only IKEv1 enabled, which matches the FortiGate's main-mode phase 1. Because the template references a single IKE peer, every branch that connects through it authenticates with this same pre-shared key: make it long and random (the value below is the article's example), and rotate it on both ends together.

[HUAWEI] ike peer fortigate

[HUAWEI-ike-peer-fortigate] exchange-mode main

[HUAWEI-ike-peer-fortigate] undo version 2

[HUAWEI-ike-peer-fortigate] ike-proposal 1

[HUAWEI-ike-peer-fortigate] pre-shared-key Key@hcit333

[HUAWEI-ike-peer-fortigate] quit

(7) Configure the IPSec proposal, specifying the security protocol, encapsulation mode, encryption algorithm and authentication algorithm.

[HUAWEI] ipsec proposal tran1

[HUAWEI-ipsec-proposal-tran1] transform esp

[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel

[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des

[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1

[HUAWEI-ipsec-proposal-tran1] quit

(8) Configure the policy template and the IPSec policy, binding the IKE peer, the IPSec proposal and the ACL. The "ipsec policy ... isakmp template" command that creates the policy from the template is entered in system view, after leaving the template view.

[HUAWEI] ipsec policy-template tem 1

[HUAWEI-ipsec-policy-template-tem-1] security acl 3000

[HUAWEI-ipsec-policy-template-tem-1] proposal tran1

[HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate

[HUAWEI-ipsec-policy-template-tem-1] quit

[HUAWEI] ipsec policy map1 1 isakmp template tem

(9) Apply the IPSec policy to the outside interface.

[HUAWEI] interface GigabitEthernet 1/0/3

[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1

[HUAWEI-GigabitEthernet1/0/3] quit

2. FortiGate firewall configuration

(1) Configure the interfaces

Configure the PPPoE broadband connection on port03.

Fortigate # config system interface

Fortigate (interface) # edit port03

Fortigate (port03) # set mode pppoe

Fortigate (port03) # set username xxxxxx

Fortigate (port03) # set password xxxxxx

Fortigate (port03) # set distance 5

*Note the administrative distance: the default route of a fixed-IP uplink (a static route) has a distance of 10, while the PPPoE-learned default route is given 5 here, so the PPPoE route is preferred whenever both exist.

Fortigate (port03) # set dns-server-override enable

Fortigate (port03) # end

Configure port10, the LAN interface. (The allowaccess list below also enables telnet, which is cleartext management access; if CLI access from the LAN is needed, ssh is the safer choice.)

Fortigate # config system interface

Fortigate (interface) # edit port10

Fortigate (port10) # set ip 192.168.60.1/24

Fortigate (port10) # set allowaccess ping https telnet

Fortigate (port10) # end

(2) Configure phase 1 (the IKE SA), specifying its name, the bound interface, exchange mode, encryption and authentication algorithms, pre-shared key, remote gateway address and DH group. The FortiGate is the initiator here, so remote-gw is the Huawei firewall's fixed public address, and the proposal, mode, DH group and pre-shared key must be identical to the Huawei IKE proposal and IKE peer.

Fortigate # config vpn ipsec phase1-interface

Fortigate (phase1-interface) # edit firewall

Fortigate (firewall) # set interface port03

Fortigate (firewall) # set mode main

Fortigate (firewall) # set proposal 3des-sha1

Fortigate (firewall) # set psksecret Key@hcit333

Fortigate (firewall) # set remote-gw 222.xx.xx.50

Fortigate (firewall) # set dhgrp 2

Fortigate (firewall) # end

(3) Configure phase 2 (the IPSec SA), specifying its name, the phase 1 it belongs to, encryption and authentication algorithms, PFS DH group and the local and remote subnets. src-subnet and dst-subnet must mirror ACL 3000 on the Huawei side (branch LAN as source, HQ LAN as destination). "set dhgrp 2" in phase 2 is the PFS group (FortiOS enables PFS by default); the Huawei template in this article sets no pfs explicitly, so if phase 2 fails to negotiate, check that both sides agree on PFS before anything else.

Fortigate # config vpn ipsec phase2-interface

Fortigate (phase2-interface) # edit firewall

new entry 'firewall' added

Fortigate (firewall) # set phase1name firewall

Fortigate (firewall) # set dhgrp 2

Fortigate (firewall) # set proposal 3des-sha1

Fortigate (firewall) # set dst-subnet 192.168.160.0 255.255.255.0

Fortigate (firewall) # set src-subnet 192.168.60.0 255.255.255.0

Fortigate (firewall) # end

(4) Add the tunnel interface to the untrust zone.

Fortigate # config system zone

Fortigate (zone) # edit untrust

Fortigate (untrust) # set interface firewall

Fortigate (untrust) # end

(5) Configure firewall policies.

Policies between port03 and port10.

Policy 66 (port03 to port10) was described in the original post as what lets HQ reach the branch. Traffic from HQ, however, arrives through the tunnel interface and is matched by policy 96, not by this one; as written, policy 66 accepts any traffic from the PPPoE WAN interface into the LAN (all sources, all destinations, any service). It is not needed for the VPN and should be removed or narrowed to whatever inbound service genuinely requires it.

Fortigate # config firewall policy

Fortigate (policy) # edit 66

Fortigate (66) # set srcintf port03

Fortigate (66) # set dstintf port10

Fortigate (66) # set srcaddr all

Fortigate (66) # set dstaddr all

Fortigate (66) # set action accept

Fortigate (66) # set schedule always

Fortigate (66) # set service ANY

Fortigate (66) # end

Policy 99 (port10 to port03) was described as what lets the branch reach HQ, but branch-to-HQ traffic is sent to the tunnel interface by the static route in step (6) and matched by policy 76; in practice policy 99 is the branch's general Internet-egress policy. For that purpose a private LAN would also need source NAT enabled on the policy (set nat enable), which this example does not show.

Fortigate # config firewall policy

Fortigate (policy) # edit 99

Fortigate (99) # set srcintf port10

Fortigate (99) # set dstintf port03

Fortigate (99) # set srcaddr all

Fortigate (99) # set dstaddr all

Fortigate (99) # set action accept

Fortigate (99) # set schedule always

Fortigate (99) # set service ANY

Fortigate (99) # end

Policies between the untrust zone, that is, the tunnel interface, and port10.

Policy 96 (untrust to port10) lets traffic arriving through the tunnel into the branch LAN, i.e. HQ to branch. Both tunnel policies use all/all/ANY; tightening srcaddr and dstaddr to the two LAN subnets limits what a compromised host on the far side could reach.

Fortigate # config firewall policy

Fortigate (policy) # edit 96

Fortigate (96) # set srcintf untrust

Fortigate (96) # set dstintf port10

Fortigate (96) # set srcaddr all

Fortigate (96) # set dstaddr all

Fortigate (96) # set action accept

Fortigate (96) # set schedule always

Fortigate (96) # set service ANY

Fortigate (96) # end

Policy 76 (port10 to untrust) lets the branch LAN send traffic into the tunnel, i.e. branch to HQ.

Fortigate # config firewall policy

Fortigate (policy) # edit 76

Fortigate (76) # set srcintf port10

Fortigate (76) # set dstintf untrust

Fortigate (76) # set srcaddr all

Fortigate (76) # set dstaddr all

Fortigate (76) # set action accept

Fortigate (76) # set schedule always

Fortigate (76) # set service ANY

Fortigate (76) # end

(6) Configure routing.

Configure a static route that sends traffic for the HQ LAN (192.168.160.0/24) into the tunnel interface.

Fortigate # config router static

Fortigate (static) # edit 76

Fortigate (76) # set device firewall

Fortigate (76) # set dst 192.168.160.0 255.255.255.0

Fortigate (76) # end

III. Verifying the configuration

Log in to the Huawei firewall's web UI and check whether the IPSec tunnel is connected.

[image]

If the tunnel comes up and the two LANs can reach each other, the configuration is correct. If the tunnel does not come up, the most likely cause is a parameter mismatch between the two ends: IKE proposal (encryption, authentication, DH group), exchange mode, pre-shared key, IPSec proposal, the remote gateway address, and the subnets in ACL 3000 versus the FortiGate phase 2 selectors. Compare them carefully. On the Huawei side, display ike sa and display ipsec sa show whether phase 1 and phase 2 exist; on the FortiGate, diagnose vpn ike gateway list and diagnose vpn tunnel list show the same, and diagnose debug application ike -1 gives the negotiation detail. If the tunnel is up but the LANs cannot reach each other, check the security policies and the routes on both sides (on the FortiGate, that the static route points at the tunnel interface and that the tunnel policies 96 and 76 exist).
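The parameter comparison recommended above can be done mechanically before the first negotiation attempt. The Python script below is an added example, not code from the original post or from either vendor: it takes the Huawei and FortiGate commands quoted in this article (embedded as constructed config strings, with the page's placeholder address 222.xx.xx.50 and its example pre-shared key; the Huawei view-header lines are omitted), normalises the differing notations (Huawei wildcard masks versus FortiOS subnet masks, "dh group2" versus "set dhgrp 2", the combined "3des-sha1" proposal string), lists every negotiation parameter on which the two sides disagree, and then flags the legacy algorithms in use. The parsers are the example's own assumptions: the FortiOS one handles only the flat config/edit/set layout shown here and "enc-auth" proposal names, and the Huawei one expects a single IKE proposal, a single IPSec proposal and a single ACL rule, as in this article.

```python
"""Cross-check the Huawei and FortiGate IPSec parameters quoted in this article.
Added example, not from the original post or either vendor. The two config
strings are constructed from the page's commands; 222.xx.xx.50 is the page's
placeholder address and Key@hcit333 its example pre-shared key."""
import ipaddress
import re

HUAWEI_CFG = """\
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
 exchange-mode main
 pre-shared-key Key@hcit333
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
 rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 ip address 222.xx.xx.50 29
"""

FORTI_CFG = """\
config vpn ipsec phase1-interface
    edit firewall
        set mode main
        set proposal 3des-sha1
        set psksecret Key@hcit333
        set remote-gw 222.xx.xx.50
        set dhgrp 2
    next
end
config vpn ipsec phase2-interface
    edit firewall
        set proposal 3des-sha1
        set dst-subnet 192.168.160.0 255.255.255.0
        set src-subnet 192.168.60.0 255.255.255.0
    next
end
"""


def parse_fortigate(text):
    """FortiOS config/edit/set/next/end -> {section: {entry: {key: value}}} (flat layout only)."""
    tree, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section = line[7:]
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[section][entry][key] = value
        elif line in ("next", "end"):  # 'next' closes the entry, 'end' the section
            entry, section = None, (None if line == "end" else section)
    return tree


def to_cidr(net, mask):
    """'net mask' -> CIDR; ipaddress accepts FortiOS netmasks (255.255.255.0) and Huawei wildcards (0.0.0.255)."""
    return str(ipaddress.ip_network(f"{net}/{mask}"))


def parse_huawei(text):
    """Negotiation-relevant values from Huawei VRP commands (one proposal of each kind, one ACL rule)."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    src, src_wc, dst, dst_wc = re.search(
        r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", text).groups()
    return {
        "ike_enc": grab(r"^\s*encryption-algorithm (\S+)"),  # anchored, so 'esp ...' lines are skipped
        "ike_auth": grab(r"^\s*authentication-algorithm (\S+)"),
        "ike_dh": grab(r"^\s*dh (\S+)"),
        "mode": grab(r"^\s*exchange-mode (\S+)"),
        "psk": grab(r"^\s*pre-shared-key (\S+)"),
        "esp_enc": grab(r"^\s*esp encryption-algorithm (\S+)"),
        "esp_auth": grab(r"^\s*esp authentication-algorithm (\S+)"),
        "wan_ip": grab(r"^\s*ip address (\S+) \d+"),
        "local_net": to_cidr(src, src_wc),   # HQ LAN, protected by the tunnel
        "remote_net": to_cidr(dst, dst_wc),  # branch LAN
    }


def compare(hw, fg):
    """Parameters the two sides disagree on, as readable strings; an empty list means they match."""
    p1 = fg["vpn ipsec phase1-interface"]["firewall"]
    p2 = fg["vpn ipsec phase2-interface"]["firewall"]
    p1_enc, p1_auth = p1["proposal"].split()[0].split("-")  # first 'enc-auth' proposal only
    p2_enc, p2_auth = p2["proposal"].split()[0].split("-")
    checks = [
        ("IKE encryption", hw["ike_enc"], p1_enc),
        ("IKE integrity", hw["ike_auth"], p1_auth),
        ("IKE DH group", hw["ike_dh"], "group" + p1["dhgrp"]),
        ("IKE exchange mode", hw["mode"], p1["mode"]),
        ("pre-shared key", hw["psk"], p1["psksecret"]),
        ("ESP encryption", hw["esp_enc"], p2_enc),
        ("ESP integrity", hw["esp_auth"], p2_auth),
        ("HQ gateway address", hw["wan_ip"], p1["remote-gw"]),
        # Selectors are mirrored: the FortiGate's dst-subnet is HQ's LAN, its src-subnet the branch's.
        ("HQ subnet", hw["local_net"], to_cidr(*p2["dst-subnet"].split())),
        ("branch subnet", hw["remote_net"], to_cidr(*p2["src-subnet"].split())),
    ]
    return [f"{name}: Huawei={a!r} FortiGate={b!r}" for name, a, b in checks if a != b]


def legacy_algorithms(hw):
    """Algorithms that still negotiate but are no longer recommended."""
    legacy = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}
    return sorted({hw[k] for k in ("ike_enc", "ike_auth", "ike_dh", "esp_enc", "esp_auth") if hw[k] in legacy})
```

Run against the strings as they stand, compare() returns an empty list (both sides agree) and legacy_algorithms() reports 3des, group2 and sha1; change the pre-shared key or the DH group in one of the strings and the offending parameter is named with both sides' values. Because it works on pasted CLI text, the same script can be pointed at a trimmed paste of the live configurations before the branch first dials in.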


About the author: I have worked in IT for 20 years and write short technical pieces and related anecdotes, all original. If you are interested, follow the WeChat official account IT狂人日志58446291.

Statement: this article is from "IT狂人日志58446291"; original link: https://www.zyxiao.com/p/297500
