USG Firewall: Establishing a Point-to-Point IPSec Tunnel Between the Headquarters Gateway and a Branch Gateway

Published: 2020-06-24 23:18:38  Source: web  Views: 3046  Author: wangjunjack  Column: Network Security

Establishing a Point-to-Point IPSec Tunnel Between the Headquarters Gateway and a Branch Gateway

An IPSec VPN is established between the headquarters gateway and the branch gateway so that the two sites can reach each other. The headquarters gateway has a fixed IP address and reaches the Internet through NAT. The branch obtains its IP address over ADSL, and the address it receives differs on each dial-up.

Networking Requirements

As shown in Figure 1, USG_A connects the headquarters (HQ) and USG_B connects the branch (Branch). USG_A has a fixed IP address, and headquarters reaches the Internet through NAT; the branch goes online through an ADSL interface, so its IP address is not fixed. Devices on the branch's internal network obtain IP addresses via DHCP from the USG_B interface.

The requirement is to establish the IPSec tunnel through IKE automatic negotiation so that the branch and headquarters can access each other.

Figure 1: Network diagram for a branch reaching headquarters by domain name (ADSL dial-up)

Project Data

USG_A

(1) Interface: GigabitEthernet 0/0/1
    IP address: 10.1.1.1/24
    Security zone: Trust

(2) Interface: GigabitEthernet 0/0/2
    IP address: 202.10.12.1/24
    Security zone: Untrust

IPSec proposal
    Encapsulation mode: tunnel
    Security protocol: ESP
    ESP authentication algorithm: SHA1
    ESP encryption algorithm: AES

IKE peer
    Negotiation mode: aggressive
    Pre-shared key: abcde
    Local ID type: IP
    Peer domain name: www.adsl.3322.org

Headquarters configures the IPSec policy in non-template mode; because the branch's IP address is not fixed, the peer is identified by its domain name here. The peer domain name is the DDNS client domain name configured on USG_B.

The pre-shared key in this example is a sample value only. In IKEv1 aggressive mode the peer identities are exchanged before encryption begins and the pre-shared key is all that authenticates the peers, so a production deployment should use a long, random key.

USG_B

(5) Physical interface: Atm 2/0/0
    Logical interface: Dialer1
    IP address: obtained by negotiation
    Security zone: Untrust

Atm 2/0/0 is the interface on the ADSL interface card; Dialer1 is the ADSL dial-up interface.

(6) Interface: GigabitEthernet 0/0/1
    IP address: 10.1.3.1/24
    Security zone: Trust

ADSL account
    Username: adsluser
    Password: Admin@123

The ADSL account in this example is for illustration only; obtain the actual account from your local carrier.

DDNS
    DDNS service provider: www.3322.org
    DDNS client domain name: www.adsl.3322.org
    Username and password obtained from the provider: both abc123
    DNS server IP address: 200.1.1.1

The DDNS settings in this example are for illustration only; contact your DDNS service provider for the actual values.

IPSec proposal
    Encapsulation mode: tunnel
    Security protocol: ESP
    ESP authentication algorithm: SHA1
    ESP encryption algorithm: AES

IKE peer
    Negotiation mode: aggressive
    Pre-shared key: abcde
    Local ID type: IP
    Peer IP address: 202.10.12.1/24

The branch configures the IPSec policy in non-template mode and specifies the peer IP address.

Configuration Roadmap

Based on the networking requirements, the configuration roadmap is as follows:

  1. Configure the ADSL interface on the branch device so that the device can access the Internet.

  2. On both tunnel endpoints, use NAT policies to distinguish Internet traffic from IPSec traffic, and apply NAT only to the Internet traffic.

  3. Configure IPSec in template mode at headquarters so that it can respond to multiple branches; configure IPSec in non-template mode at the branch.

  4. For the branch to reach headquarters, enable domain name resolution and a DDNS policy on USG_B, so that the IP address it obtains is mapped to its domain name on the DNS server in the network and kept up to date.
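To make step 2 concrete, here is an added Python model of USG_A's outbound NAT policy and ACL 3001 (example code written for this edit, not Huawei's or the page's own). It assumes, as the roadmap implies, that the outbound NAT policy is evaluated before the IPSec ACL check and that NAT policy entries are matched in order; the sample packets are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei-style wildcard mask: a 1 bit means 'don't care', so the page's
    'destination 10.1.3.1 0.0.0.255' covers the same hosts as 10.1.3.0 0.0.0.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# ACL 3001 on USG_A: traffic that must enter the IPSec tunnel (values from the page).
ACL_3001 = [("10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255")]

def acl_3001_permits(src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACL_3001)

# USG_A "nat-policy interzone trust untrust outbound", entries in the page's order:
# (source, source wildcard, destination, destination wildcard, action).
# A destination of None means the entry has no "policy destination" line.
NAT_POLICY_PAGE_ORDER = [
    ("10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255", "no-nat"),  # policy 1
    ("10.1.1.0", "0.0.0.255", None, None, "source-nat"),           # policy 2 (easy-ip)
]
# The same two entries with the catch-all source-nat rule first (a misconfiguration).
NAT_POLICY_SWAPPED = list(reversed(NAT_POLICY_PAGE_ORDER))
EASY_IP_GE0_0_2 = "202.10.12.1"   # easy-ip translates to the GE0/0/2 address

def apply_nat(src, dst, policy):
    """Return the post-NAT source address; the first matching entry wins (assumption)."""
    for s, sw, d, dw, action in policy:
        if not wildcard_match(src, s, sw):
            continue
        if d is not None and not wildcard_match(dst, d, dw):
            continue
        return EASY_IP_GE0_0_2 if action == "source-nat" else src
    return src  # no entry matched: leave the packet untranslated

def outbound_result(src, dst, policy=NAT_POLICY_PAGE_ORDER):
    """Model USG_A's outbound path: NAT policy first (assumption stated in the
    lead-in), then the IPSec ACL check on the possibly translated packet.
    Returns (post-NAT source, "ipsec" or "internet")."""
    new_src = apply_nat(src, dst, policy)
    return new_src, ("ipsec" if acl_3001_permits(new_src, dst) else "internet")

if __name__ == "__main__":
    # Constructed sample packets: one to the branch LAN, one to the Internet.
    for name, policy in (("page order", NAT_POLICY_PAGE_ORDER),
                         ("swapped", NAT_POLICY_SWAPPED)):
        for src, dst in (("10.1.1.5", "10.1.3.7"), ("10.1.1.5", "203.0.113.9")):
            print(name, src, "->", dst, outbound_result(src, dst, policy))
    # With the swapped order the branch-bound packet is translated to 202.10.12.1,
    # no longer matches ACL 3001, and would leave in the clear instead of the tunnel.
```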

Operation Steps
  1. Configure USG_A

    # Configure interface GigabitEthernet 0/0/1.

    <USG_A> system-view
    [USG_A] interface GigabitEthernet 0/0/1
    [USG_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
    [USG_A-GigabitEthernet0/0/1] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [USG_A] firewall zone trust
    [USG_A-zone-trust] add interface GigabitEthernet 0/0/1
    [USG_A-zone-trust] quit

    # Configure interface GigabitEthernet 0/0/2.

    [USG_A] interface GigabitEthernet 0/0/2
    [USG_A-GigabitEthernet0/0/2] ip address 202.10.12.1 24
    [USG_A-GigabitEthernet0/0/2] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [USG_A] firewall zone untrust
    [USG_A-zone-untrust] add interface GigabitEthernet 0/0/2
    [USG_A-zone-untrust] quit

    # Configure interzone packet filtering between Trust and Untrust.

    [USG_A] policy interzone trust untrust inbound
    [USG_A-policy-interzone-trust-untrust-inbound] policy 1
    [USG_A-policy-interzone-trust-untrust-inbound-1] policy source 10.1.3.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.1.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-inbound-1] action permit
    [USG_A-policy-interzone-trust-untrust-inbound-1] quit
    [USG_A-policy-interzone-trust-untrust-inbound] quit
    [USG_A] policy interzone trust untrust outbound
    [USG_A-policy-interzone-trust-untrust-outbound] policy 1
    [USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_A-policy-interzone-trust-untrust-outbound-1] action permit
    [USG_A-policy-interzone-trust-untrust-outbound-1] quit
    [USG_A-policy-interzone-trust-untrust-outbound] quit

    # Configure interzone packet filtering between Untrust and Local.

    [USG_A] policy interzone local untrust inbound
    [USG_A-policy-interzone-local-untrust-inbound] policy 1
    [USG_A-policy-interzone-local-untrust-inbound-1] action permit
    [USG_A-policy-interzone-local-untrust-inbound-1] quit
    [USG_A-policy-interzone-local-untrust-inbound] quit
    [USG_A] policy interzone local untrust outbound
    [USG_A-policy-interzone-local-untrust-outbound] policy 1
    [USG_A-policy-interzone-local-untrust-outbound-1] policy source 202.10.12.0 0.0.0.255
    [USG_A-policy-interzone-local-untrust-outbound-1] action permit
    [USG_A-policy-interzone-local-untrust-outbound-1] quit
    [USG_A-policy-interzone-local-untrust-outbound] quit

    # Configure the default route, assuming the next hop is 202.10.12.2.

    [USG_A] ip route-static 0.0.0.0 0 202.10.12.2

    # Configure an ACL that matches the IPSec traffic.

    [USG_A] acl 3001
    [USG_A-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    [USG_A-acl-adv-3001] quit

    # Configure the IPSec proposal with default parameters.

    [USG_A] ipsec proposal 1
    [USG_A-ipsec-proposal-1] quit

    # Configure the IKE proposal with default parameters.

    [USG_A] ike proposal 1
    [USG_A-ike-proposal-1] quit

    # Configure the IKE peer.

    [USG_A] ike peer 1
    [USG_A-ike-peer-1] exchange-mode aggressive
    [USG_A-ike-peer-1] ike-proposal 1
    [USG_A-ike-peer-1] local-id-type ip
    [USG_A-ike-peer-1] remote-domain www.adsl.3322.org
    [USG_A-ike-peer-1] pre-shared-key abcde
    [USG_A-ike-peer-1] quit

    # Configure the IPSec policy "map".

    [USG_A] ipsec policy map 1 isakmp
    [USG_A-ipsec-policy-isakmp-map-1] security acl 3001
    [USG_A-ipsec-policy-isakmp-map-1] proposal 1
    [USG_A-ipsec-policy-isakmp-map-1] ike-peer 1
    [USG_A-ipsec-policy-isakmp-map-1] quit

    # Apply the IPSec policy "map" to the interface.

    [USG_A] interface GigabitEthernet 0/0/2
    [USG_A-GigabitEthernet0/0/2] ipsec policy map
    [USG_A-GigabitEthernet0/0/2] quit

    # Configure NAT: translate Internet-bound traffic but not IPSec traffic. Policy 1 (no-nat) must precede policy 2 (source-nat), because NAT policies are matched in order.

    [USG_A] nat-policy interzone trust untrust outbound
    [USG_A-nat-policy-interzone-trust-untrust-outbound] policy 1
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
    [USG_A-nat-policy-interzone-trust-untrust-outbound-1] quit
    [USG_A-nat-policy-interzone-trust-untrust-outbound] policy 2
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] policy source 10.1.1.0 0.0.0.255
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet 0/0/2
    [USG_A-nat-policy-interzone-trust-untrust-outbound-2] quit
    [USG_A-nat-policy-interzone-trust-untrust-outbound] quit
  2. Configure USG_B

    # Configure interface GigabitEthernet 0/0/1 and enable DHCP so that internal users obtain IP addresses automatically.

    <USG_B> system-view
    [USG_B] interface GigabitEthernet 0/0/1
    [USG_B-GigabitEthernet0/0/1] ip address 10.1.3.1 24
    [USG_B-GigabitEthernet0/0/1] dhcp select interface
    [USG_B-GigabitEthernet0/0/1] quit

    # Configure the ADSL interface for Internet access.

    [USG_B] dialer-rule 10 ip permit
    [USG_B] interface Dialer 1
    [USG_B-Dialer1] dialer user adsluser
    [USG_B-Dialer1] dialer bundle 5
    [USG_B-Dialer1] dialer-group 10
    [USG_B-Dialer1] ip address ppp-negotiate
    [USG_B-Dialer1] ppp pap local-user adsluser password cipher Admin@123
    [USG_B-Dialer1] ppp chap user adsluser
    [USG_B-Dialer1] ppp chap password cipher Admin@123
    [USG_B-Dialer1] quit
    [USG_B] firewall zone untrust
    [USG_B-zone-untrust] add interface Dialer 1
    [USG_B-zone-untrust] quit
    [USG_B] interface Atm 2/0/0
    [USG_B-Atm2/0/0] pppoe-client dial-bundle-number 5
    [USG_B-Atm2/0/0] quit

    # Configure interzone packet filtering between Trust and Untrust.

    [USG_B] policy interzone trust untrust inbound
    [USG_B-policy-interzone-trust-untrust-inbound] policy 1
    [USG_B-policy-interzone-trust-untrust-inbound-1] policy source 10.1.1.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-inbound-1] action permit
    [USG_B-policy-interzone-trust-untrust-inbound-1] quit
    [USG_B-policy-interzone-trust-untrust-inbound] quit
    [USG_B] policy interzone trust untrust outbound
    [USG_B-policy-interzone-trust-untrust-outbound] policy 1
    [USG_B-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.1.0 0.0.0.255
    [USG_B-policy-interzone-trust-untrust-outbound-1] action permit
    [USG_B-policy-interzone-trust-untrust-outbound-1] quit
    [USG_B-policy-interzone-trust-untrust-outbound] quit

    # Configure interzone packet filtering between Untrust and Local.

    [USG_B] policy interzone local untrust inbound
    [USG_B-policy-interzone-local-untrust-inbound] policy 1
    [USG_B-policy-interzone-local-untrust-inbound-1] policy source 202.10.12.0 0.0.0.255
    [USG_B-policy-interzone-local-untrust-inbound-1] action permit
    [USG_B-policy-interzone-local-untrust-inbound-1] quit
    [USG_B-policy-interzone-local-untrust-inbound] quit
    [USG_B] policy interzone local untrust outbound
    [USG_B-policy-interzone-local-untrust-outbound] policy 1
    [USG_B-policy-interzone-local-untrust-outbound-1] action permit
    [USG_B-policy-interzone-local-untrust-outbound-1] quit
    [USG_B-policy-interzone-local-untrust-outbound] quit

    # Configure the default route.

    [USG_B] ip route-static 0.0.0.0 0 Dialer1

    # Configure an ACL that matches the IPSec traffic.

    [USG_B] acl 3001
    [USG_B-acl-adv-3001] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [USG_B-acl-adv-3001] quit

    # Configure IPSec proposal 1 with default parameters.

    [USG_B] ipsec proposal 1
    [USG_B-ipsec-proposal-1] quit

    # Configure the IKE proposal with default parameters.

    [USG_B] ike proposal 1
    [USG_B-ike-proposal-1] quit

    # Configure the IKE peer.

    [USG_B] ike peer 1
    [USG_B-ike-peer-1] exchange-mode aggressive
    [USG_B-ike-peer-1] ike-proposal 1
    [USG_B-ike-peer-1] remote-address 202.10.12.1
    [USG_B-ike-peer-1] pre-shared-key abcde
    [USG_B-ike-peer-1] quit

    # Configure the IPSec policy.

    [USG_B] ipsec policy map 1 isakmp
    [USG_B-ipsec-policy-isakmp-map-1] security acl 3001
    [USG_B-ipsec-policy-isakmp-map-1] proposal 1
    [USG_B-ipsec-policy-isakmp-map-1] ike-peer 1
    [USG_B-ipsec-policy-isakmp-map-1] quit

    # Apply the IPSec policy to interface Dialer1.

    [USG_B] interface Dialer 1
    [USG_B-Dialer1] ipsec policy map
    [USG_B-Dialer1] quit

    # Enable domain name resolution so that USG_B can reach the DDNS server by domain name.

    [USG_B] dns resolve
    [USG_B] dns server 200.1.1.1

    # Apply for DDNS service from a DDNS service provider.

    Contact a DDNS service provider and follow its instructions. This example assumes that the provider is www.3322.org, that the username and password obtained are both abc123, and that the DDNS client domain name is www.adsl.3322.org.

    # Configure the DDNS policy.

    [USG_B] ddns policy abc
    [USG_B-ddns-policy-abc] ddns client www.adsl.3322.org
    [USG_B-ddns-policy-abc] ddns server www.3322.org
    [USG_B-ddns-policy-abc] ddns username abc123 password abc123
    [USG_B-ddns-policy-abc] quit

    # Apply the DDNS policy.

    [USG_B] ddns client enable
    [USG_B] interface Dialer 1
    [USG_B-Dialer1] ddns apply policy abc
    [USG_B-Dialer1] quit

Configuration Scripts

USG_A configuration script

#
 ike local-name client
#
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-domain www.adsl.3322.org
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 202.10.12.1 255.255.255.0
 ipsec policy map
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 202.10.12.2
#
policy interzone local untrust inbound
 policy 1
  action permit
#
policy interzone local untrust outbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
nat-policy interzone trust untrust outbound
 policy 1
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
  action no-nat
 policy 2
  policy source 10.1.1.0 0.0.0.255
  action source-nat
  easy-ip GigabitEthernet 0/0/2
#
return

USG_B configuration script

#
 dialer-rule 10 ip permit
#
 dns resolve
 dns server 200.1.1.1
#
 ddns client enable
#
acl number 3001
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-cbc
 dh group2
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key %$%$E=6)6HJ)RLhy+2TB[Fr4jQH~%$%$
 ike-proposal 1
 remote-address 202.10.12.1
#
ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
#
ipsec policy map 1 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
#
interface Dialer1
 link-protocol ppp
 ppp chap user adsluser
 ppp chap password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ppp pap local-user adsluser password cipher %$%$Gal~X`28S/.m]\*fuO|',{ri%$%$
 ip address ppp-negotiate
 dialer user adsluser
 dialer-group 10
 dialer bundle 5
 ipsec policy map
 ddns apply policy abc
#
interface GigabitEthernet0/0/1
 ip address 10.1.3.1 255.255.255.0
 dhcp select interface
#
interface Atm2/0/0
 pppoe-client dial-bundle-number 5
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface Dialer1
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
ddns policy abc
 ddns username abc123 password %$%$F\seVlS7YVU8DT"wpee,kYPG%$%$
 ddns client www.adsl.3322.org
 ddns server www.3322.org
#
policy interzone local untrust inbound
 policy 1
  action permit
  policy source 202.10.12.0 0.0.0.255
#
policy interzone local untrust outbound
 policy 1
  action permit
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.255
  policy destination 10.1.3.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.1.3.0 0.0.0.255
  policy destination 10.1.1.0 0.0.0.255
#
return

Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

