Huawei Firewall Lab 8 [Configuring an IPSec VPN Tunnel Between Two Networks]

Author: 炖冬瓜 | Published 2019-06-09 18:47

    (I) Lab overview

    As shown in the figure, headquarters network A and branch network B exchange resources in a gateway-to-gateway topology. Network A and network B connect to the Internet through FW_A and FW_B respectively; an IPSec VPN tunnel is created by manual configuration between them to make the communication more secure.

    Network topology (figure)

    (II) Lab objectives

    1. Master gateway-to-gateway networking;
    2. Master configuring IPSec VPN between two networks by hand;

    (III) Lab requirements

    1. A computer whose CPU supports VT (hardware virtualization), with at least 4 GB of RAM;
    2. The eNSP simulator, build B510, installed with the USG6000V image imported;
    3. A terminal tool: SecureCRT, PuTTY, PSFTP, Xshell, etc.

    (IV) Network topology diagram

    Open eNSP, build the lab environment according to the topology below, and assign addresses:

    1. LAN1: 10.10.10.0/24;
    2. LAN2: 10.20.20.0/24;
    3. ISP1: 10.1.1.0/24;
    4. ISP2: 10.2.2.0/24;
    Lab 8 topology (figure)

    (V) Configuration plan

    1. Configure the LAN1/LAN2 networks;
    2. Interconnect the two firewalls;
    3. Configure IPSec VPN;

    (VI) Configuration steps

    (1) Configure the LAN1 network

    First set the IP address of PC1

    PC1 address configuration (figure)

    Then configure the switch

    The device is running!
    
    <Huawei>
    <Huawei>system-view 
    Enter system view, return user view with Ctrl+Z.
    [Huawei]undo info-center enable 
    Info: Information center is disabled.
    [Huawei]sysname LAN1
    [LAN1]interface Vlanif 1
    [LAN1-Vlanif1]ip address 10.10.10.254 24
    [LAN1-Vlanif1]quit
    [LAN1]ospf 1
    [LAN1-ospf-1]area 0
    [LAN1-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
    [LAN1-ospf-1-area-0.0.0.0]quit
    [LAN1-ospf-1]quit
    [LAN1]quit
    <LAN1>save  
    <LAN1>save 
    The current configuration will be written to the device.
    Are you sure to continue?[Y/N]y
    Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
    Now saving the current configuration to the slot 0.
    Save the configuration successfully.
    <LAN1>
    

    (2) Configure the LAN2 network

    First set the IP address of PC2

    PC2 address configuration (figure)

    Then configure the switch

    The device is running!
    
    <Huawei>
    <Huawei>system-view 
    Enter system view, return user view with Ctrl+Z.
    [Huawei]undo info-center enable 
    Info: Information center is disabled.
    [Huawei]sysname LAN2
    [LAN2]interface Vlanif 1
    [LAN2-Vlanif1]ip address 10.20.20.254 24
    [LAN2-Vlanif1]quit
    [LAN2]ospf 1
    [LAN2-ospf-1]area 0
    [LAN2-ospf-1-area-0.0.0.0]network 10.20.20.0 0.0.0.255
    [LAN2-ospf-1-area-0.0.0.0]quit
    [LAN2-ospf-1]quit
    [LAN2]quit
    <LAN2>save
    The current configuration will be written to the device.
    Are you sure to continue?[Y/N]y
    Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
    Now saving the current configuration to the slot 0.
    Save the configuration successfully.
    <LAN2>
    

    (3) Configure FW1's interfaces, security zones, security policy, and routing protocol

    The device is running!
    
    Set a password and keep it safe. Otherwise you will not be able to login via the
     console.
    
    Please configure the login password (8-16)
    Enter Password:
    Confirm Password:
    Warning: The authentication mode was changed to password authentication and the 
    user level was changed to 15 on con0 at the first user login.
    Warning: There is a risk on the user-interface which you login through. Please c
    hange the configuration of the user-interface as soon as possible. 
    
    *************************************************************************
    *         Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.         *
    *                           All rights reserved.                        *
    *               Without the owner's prior written consent,              *
    *        no decompiling or reverse-engineering shall be allowed.        *
    *************************************************************************
    
    
    <USG6000V1>
    <USG6000V1>system-view 
    Enter system view, return user view with Ctrl+Z.
    [USG6000V1]undo info-center  enable 
    Info: Information center is disabled.
    [USG6000V1]sysname FW1
    [FW1]
    [FW1]   // Firewall interface configuration follows
    [FW1]interface GigabitEthernet 1/0/1
    [FW1-GigabitEthernet1/0/1]ip address 10.10.10.1 24
    [FW1-GigabitEthernet1/0/1]service-manage ping permit 
    [FW1-GigabitEthernet1/0/1]quit
    [FW1]interface GigabitEthernet 1/0/2
    [FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
    [FW1-GigabitEthernet1/0/2]service-manage ping permit 
    [FW1-GigabitEthernet1/0/2]quit
    [FW1]
    [FW1]   // Security zone configuration follows
    [FW1]firewall zone trust 
    [FW1-zone-trust]add interface GigabitEthernet 1/0/1
    [FW1-zone-trust]quit
    [FW1]firewall zone untrust 
    [FW1-zone-untrust]add interface GigabitEthernet 1/0/2
    [FW1-zone-untrust]quit
    [FW1]   
    [FW1]   // Security policy configuration follows: a single rule permitting all traffic among the local, trust and untrust zones (OSPF and IKE/ESP both need the local zone); adequate for the lab, far too broad for production
    [FW1]security-policy 
    [FW1-policy-security]rule name lan1_isp1
    [FW1-policy-security-rule-lan1_isp1]source-zone local trust untrust
    [FW1-policy-security-rule-lan1_isp1]destination-zone local trust untrust 
    [FW1-policy-security-rule-lan1_isp1]action permit 
    [FW1-policy-security-rule-lan1_isp1]quit
    [FW1-policy-security]quit
    [FW1]
    [FW1]   // Routing protocol configuration follows
    [FW1]ospf 1
    [FW1-ospf-1]area 0
    [FW1-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
    [FW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
    [FW1-ospf-1-area-0.0.0.0]quit
    [FW1-ospf-1]quit
    [FW1]
    [FW1]
    

    (4) Configure FW2's interfaces, security zones, security policy, and routing protocol

    The device is running!
    
    An initial password is required for the first login via the console.
    Set a password and keep it safe. Otherwise you will not be able to login via the
     console.
    
    Please configure the login password (8-16)
    Enter Password:
    Confirm Password:
    Warning: The authentication mode was changed to password authentication and the 
    user level was changed to 15 on con0 at the first user login.
    Warning: There is a risk on the user-interface which you login through. Please c
    hange the configuration of the user-interface as soon as possible. 
    
    *************************************************************************
    *         Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.         *
    *                           All rights reserved.                        *
    *               Without the owner's prior written consent,              *
    *        no decompiling or reverse-engineering shall be allowed.        *
    *************************************************************************
    
    
    <USG6000V1> 
    <USG6000V1>system-view 
    Enter system view, return user view with Ctrl+Z.
    [USG6000V1]undo info-center enable 
    Info: Information center is disabled.
    [USG6000V1]sysname FW2
    [FW2]undo info-center enable 
    Info: Information center is disabled.
    [FW2]
    [FW2]   // Firewall interface configuration follows
    [FW2]interface GigabitEthernet 1/0/1
    [FW2-GigabitEthernet1/0/1]ip address 10.20.20.1 24
    [FW2-GigabitEthernet1/0/1]service-manage ping permit 
    [FW2-GigabitEthernet1/0/1]quit
    [FW2]interface GigabitEthernet 1/0/2
    [FW2-GigabitEthernet1/0/2]ip address 10.2.2.2 24
    [FW2-GigabitEthernet1/0/2]service-manage  ping permit 
    [FW2-GigabitEthernet1/0/2]quit
    [FW2]
    [FW2]   // Security zone configuration follows
    [FW2]firewall zone trust 
    [FW2-zone-trust]add interface GigabitEthernet 1/0/1
    [FW2-zone-trust]quit
    [FW2]firewall zone untrust 
    [FW2-zone-untrust]add interface GigabitEthernet 1/0/2
    [FW2-zone-untrust]quit
    [FW2]   
    [FW2]   // Security policy configuration follows: a single rule permitting all traffic among the local, trust and untrust zones, mirroring FW1
    [FW2]security-policy 
    [FW2-policy-security]rule name lan2_isp2
    [FW2-policy-security-rule-lan2_isp2]source-zone local trust untrust
    [FW2-policy-security-rule-lan2_isp2]destination-zone local trust untrust 
    [FW2-policy-security-rule-lan2_isp2]action permit 
    [FW2-policy-security-rule-lan2_isp2]quit
    [FW2-policy-security]quit
    [FW2]   
    [FW2]   // Routing protocol configuration follows
    [FW2]ospf 1
    [FW2-ospf-1]area 0
    [FW2-ospf-1-area-0.0.0.0]network 10.20.20.0 0.0.0.255
    [FW2-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
    [FW2-ospf-1-area-0.0.0.0]quit
    [FW2-ospf-1]quit
    [FW2]
    

    (5) Configure the interconnecting router AR1

    The device is running!
    
    <Huawei>
    <Huawei>system-view 
    Enter system view, return user view with Ctrl+Z.
    [Huawei]undo info-center enable 
    Info: Information center is disabled.
    [Huawei]sysname AR1
    [AR1]interface GigabitEthernet 0/0/0
    [AR1-GigabitEthernet0/0/0]ip address 10.1.1.2 24
    [AR1-GigabitEthernet0/0/0]quit
    [AR1]interface GigabitEthernet 0/0/1
    [AR1-GigabitEthernet0/0/1]ip address 10.2.2.1 24
    [AR1-GigabitEthernet0/0/1]quit
    [AR1]ospf 1
    [AR1-ospf-1]area 0
    [AR1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
    [AR1-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
    [AR1-ospf-1-area-0.0.0.0]quit
    [AR1-ospf-1]quit
    [AR1]quit
    <AR1>sav    
    <AR1>save 
      The current configuration will be written to the device. 
      Are you sure to continue? (y/n)[n]:y
      It will take several minutes to save configuration file, please wait.......
      Configuration file had been saved successfully
      Note: The configuration file will take effect after being activated
    <AR1>
    

    At this point the two networks are interconnected and can reach each other.

    Test from PC1 (figure)

    (6) Configure IPSec on FW1

    <FW1>
    <FW1>system-view 
    Enter system view, return user view with Ctrl+Z.
    [FW1]   
    [FW1]acl 3001       // create the ACL that defines the traffic to be protected
    [FW1-acl-adv-3001]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
    [FW1-acl-adv-3001]dis this  // display the ACL configuration
    #
    acl number 3001
     rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
    #
    return
    [FW1-acl-adv-3001]quit
    [FW1]
    [FW1]       // IPSec proposal configuration follows
    [FW1]ipsec proposal ipsec_p1    // create the IPSec proposal and enter its view
    [FW1-ipsec-proposal-ipsec_p1]transform esp      // security protocol used by the proposal
    [FW1-ipsec-proposal-ipsec_p1]encapsulation-mode tunnel  // tunnel-mode encapsulation
    [FW1-ipsec-proposal-ipsec_p1]esp authentication-algorithm sha2-256  // ESP authentication algorithm
    [FW1-ipsec-proposal-ipsec_p1]esp encryption-algorithm  aes-256  // ESP encryption algorithm
    [FW1-ipsec-proposal-ipsec_p1]quit
    [FW1]   
    [FW1]ike proposal 1     // create IKE proposal 1 and enter its view (no parameters changed, so the defaults apply)
    [FW1-ike-proposal-1]quit
    [FW1]
    [FW1]ike peer ike_p1    // create the IKE peer and enter its view
    [FW1-ike-peer-ike_p1]ike-proposal 1     // IKE proposal used by this peer
    [FW1-ike-peer-ike_p1]pre-shared-key Admin1234   // pre-shared key for IKE negotiation (must match FW2)
    [FW1-ike-peer-ike_p1]remote-address 10.2.2.2        // address of the remote IKE peer (FW2's GE1/0/2)
    [FW1-ike-peer-ike_p1]quit
    [FW1]
    [FW1]ipsec policy ipsec_map1 1 isakmp       // create an IPSec policy in ISAKMP (IKE-negotiated) mode
    [FW1-ipsec-policy-isakmp-ipsec_map1-1]ike-peer ike_p1       // reference the IKE peer
    [FW1-ipsec-policy-isakmp-ipsec_map1-1]proposal ipsec_p1     // reference the IPSec proposal
    [FW1-ipsec-policy-isakmp-ipsec_map1-1]security acl 3001     // reference the ACL
    [FW1-ipsec-policy-isakmp-ipsec_map1-1]quit
    [FW1]
    [FW1]interface GigabitEthernet 1/0/2
    [FW1-GigabitEthernet1/0/2]ipsec policy ipsec_map1   // apply the IPSec policy on the interface
    [FW1-GigabitEthernet1/0/2]quit
    [FW1]
    [FW1]
    

    (7) Configure IPSec on FW2

    [FW2]
    [FW2]acl 3002       // create the ACL that defines the traffic to be protected
    [FW2-acl-adv-3002]  
    [FW2-acl-adv-3002]rule permit ip source 10.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    [FW2-acl-adv-3002]quit
    [FW2]       // IPSec proposal configuration follows
    [FW2]ipsec proposal ipsec_p2    // create the IPSec proposal and enter its view
    [FW2-ipsec-proposal-ipsec_p2]transform esp      // security protocol used by the proposal
    [FW2-ipsec-proposal-ipsec_p2]encapsulation-mode  tunnel     // tunnel-mode encapsulation
    [FW2-ipsec-proposal-ipsec_p2]esp authentication-algorithm sha2-256  // ESP authentication algorithm
    [FW2-ipsec-proposal-ipsec_p2]esp encryption-algorithm aes-256   // ESP encryption algorithm
    [FW2-ipsec-proposal-ipsec_p2]quit
    [FW2]
    [FW2]ike proposal 1     // create IKE proposal 1 and enter its view (no parameters changed, so the defaults apply)
    [FW2-ike-proposal-1]quit
    [FW2]       // IKE peer configuration follows
    [FW2]ike peer ike_p2    // create the IKE peer and enter its view
    [FW2-ike-peer-ike_p2]ike-proposal 1     // IKE proposal used by this peer
    [FW2-ike-peer-ike_p2]pre-shared-key Admin1234   // pre-shared key for IKE negotiation (must match FW1)
    [FW2-ike-peer-ike_p2]remote-address 10.1.1.1        // address of the remote IKE peer (FW1's GE1/0/2)
    [FW2-ike-peer-ike_p2]quit
    [FW2]
    [FW2]ipsec policy ipsec_map2 1 isakmp       // create an IPSec policy in ISAKMP (IKE-negotiated) mode
    [FW2-ipsec-policy-isakmp-ipsec_map2-1]ike-peer ike_p2       // reference the IKE peer
    [FW2-ipsec-policy-isakmp-ipsec_map2-1]proposal ipsec_p2     // reference the IPSec proposal
    [FW2-ipsec-policy-isakmp-ipsec_map2-1]security acl 3002     // reference the ACL
    [FW2-ipsec-policy-isakmp-ipsec_map2-1]quit
    [FW2]
    [FW2]interface GigabitEthernet 1/0/2
    [FW2-GigabitEthernet1/0/2]ipsec policy ipsec_map2   // apply the IPSec policy on the interface
    [FW2-GigabitEthernet1/0/2]quit
    [FW2]
    
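    Steps (6) and (7) only work if the two ends are exact mirrors of each other: each firewall's remote-address must be the other's GE1/0/2 address, the pre-shared keys and IPSec proposals must match, and the two ACLs must describe the same flows with source and destination swapped. The following script is an added example, not part of the original lab; it parses the prompt-prefixed command lines transcribed from the FW1 and FW2 sessions above (with the comments removed) and reports every mismatch between the two ends. The prompt text itself (for example [FW1-ike-peer-ike_p1]) tells the parser which object a command belongs to, so no view-tracking is needed.

```python
"""Added example (not from the original lab): mirror-consistency check for the
gateway-to-gateway IPSec configuration on FW1 and FW2.  It parses prompt-prefixed
VRP command lines and verifies what must agree for IKE/IPSec negotiation to
succeed: peer address, pre-shared key, IPSec proposal and mirrored ACLs."""
import re

# Constructed input: the relevant lines from the FW1/FW2 sessions, comments removed.
FW1_SESSION = """\
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-acl-adv-3001]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
[FW1-ipsec-proposal-ipsec_p1]transform esp
[FW1-ipsec-proposal-ipsec_p1]encapsulation-mode tunnel
[FW1-ipsec-proposal-ipsec_p1]esp authentication-algorithm sha2-256
[FW1-ipsec-proposal-ipsec_p1]esp encryption-algorithm aes-256
[FW1-ike-peer-ike_p1]pre-shared-key Admin1234
[FW1-ike-peer-ike_p1]remote-address 10.2.2.2
[FW1-ipsec-policy-isakmp-ipsec_map1-1]ike-peer ike_p1
[FW1-ipsec-policy-isakmp-ipsec_map1-1]proposal ipsec_p1
[FW1-ipsec-policy-isakmp-ipsec_map1-1]security acl 3001
[FW1-GigabitEthernet1/0/2]ipsec policy ipsec_map1
"""
FW2_SESSION = """\
[FW2-GigabitEthernet1/0/2]ip address 10.2.2.2 24
[FW2-acl-adv-3002]rule permit ip source 10.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[FW2-ipsec-proposal-ipsec_p2]transform esp
[FW2-ipsec-proposal-ipsec_p2]encapsulation-mode tunnel
[FW2-ipsec-proposal-ipsec_p2]esp authentication-algorithm sha2-256
[FW2-ipsec-proposal-ipsec_p2]esp encryption-algorithm aes-256
[FW2-ike-peer-ike_p2]pre-shared-key Admin1234
[FW2-ike-peer-ike_p2]remote-address 10.1.1.1
[FW2-ipsec-policy-isakmp-ipsec_map2-1]ike-peer ike_p2
[FW2-ipsec-policy-isakmp-ipsec_map2-1]proposal ipsec_p2
[FW2-ipsec-policy-isakmp-ipsec_map2-1]security acl 3002
[FW2-GigabitEthernet1/0/2]ipsec policy ipsec_map2
"""

PROMPT = re.compile(r"^\[(\w+?)(?:-(.*))?\](.*)$")  # [host-context]command
ACL_RULE = re.compile(r"rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_session(text):
    """Group settings by prompt context, e.g. [FW1-ike-peer-ike_p1] -> ike_peers['ike_p1']."""
    cfg = {"host": "", "interfaces": {}, "acls": {}, "proposals": {}, "ike_peers": {}, "policies": {}}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(3).strip():
            continue
        cfg["host"], ctx, cmd = m.group(1), m.group(2) or "", m.group(3).strip()
        tok = cmd.split()
        key, val = " ".join(tok[:-1]), tok[-1]       # "esp encryption-algorithm" -> "aes-256"
        if ctx.startswith("GigabitEthernet"):         # "ip address A 24" / "ipsec policy P"
            cfg["interfaces"].setdefault(ctx, {})[tok[0]] = tok[2]
        elif ctx.startswith("acl-adv-"):
            r = ACL_RULE.match(cmd)
            if r:  # (src, src_wildcard, dst, dst_wildcard)
                cfg["acls"].setdefault(ctx.rsplit("-", 1)[1], set()).add(r.groups())
        elif ctx.startswith("ipsec-proposal-"):
            cfg["proposals"].setdefault(ctx[15:], {})[key] = val
        elif ctx.startswith("ike-peer-"):
            cfg["ike_peers"].setdefault(ctx[9:], {})[key] = val
        elif ctx.startswith("ipsec-policy-isakmp-"):  # drop the trailing sequence number
            cfg["policies"].setdefault(ctx[20:].rsplit("-", 1)[0], {})[key] = val
    return cfg

def tunnel_end(cfg, problems):
    """Resolve the policy bound to an interface down to its IKE peer, proposal and ACL."""
    bound = [(n, i) for n, i in cfg["interfaces"].items() if "ipsec" in i]
    if len(bound) != 1:
        problems.append(f"{cfg['host']}: expected one interface with an IPSec policy, found {len(bound)}")
        return None
    ifname, iface = bound[0]
    pol = cfg["policies"].get(iface["ipsec"], {})
    end = {"ip": iface.get("ip"), "peer": cfg["ike_peers"].get(pol.get("ike-peer")),
           "proposal": cfg["proposals"].get(pol.get("proposal")), "acl": cfg["acls"].get(pol.get("security acl"))}
    missing = [k for k, v in end.items() if v is None]
    if missing:
        problems.append(f"{cfg['host']}: policy on {ifname} leaves unresolved: {missing}")
        return None
    return end

def check_mirror(a, b):
    """Return the list of mismatches between the two tunnel ends (empty means consistent)."""
    problems = []
    ea, eb = tunnel_end(a, problems), tunnel_end(b, problems)
    if ea is None or eb is None:
        return problems
    for x, y, hx, hy in ((ea, eb, a["host"], b["host"]), (eb, ea, b["host"], a["host"])):
        if x["peer"].get("remote-address") != y["ip"]:
            problems.append(f"{hx}: remote-address {x['peer'].get('remote-address')} is not "
                            f"{hy}'s tunnel interface address {y['ip']}")
    if ea["peer"].get("pre-shared-key") != eb["peer"].get("pre-shared-key"):
        problems.append("pre-shared keys differ")
    if ea["proposal"] != eb["proposal"]:
        problems.append(f"IPSec proposals differ: {ea['proposal']} vs {eb['proposal']}")
    # The protected flows must be the same traffic seen from the other side: src/dst swapped.
    if ea["acl"] != {(d, dw, s, sw) for (s, sw, d, dw) in eb["acl"]}:
        problems.append(f"ACLs are not mirror images: {sorted(ea['acl'])} vs {sorted(eb['acl'])}")
    return problems

if __name__ == "__main__":
    issues = check_mirror(parse_session(FW1_SESSION), parse_session(FW2_SESSION))
    print("consistent" if not issues else "\n".join(issues))
```

    Run as-is it prints "consistent" for the lab configuration; change one side's pre-shared key, remote-address or ACL network and the corresponding mismatch is reported. The IKE proposal number is not compared because it is only locally significant: both firewalls keep IKE proposal 1 at its defaults, and it is the proposal contents, not the number, that must agree.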

    (8) Test IPSec

    Ping again (the first packets trigger IKE negotiation), then use "display ike sa" to check the result:


    IKE SAs on FW1 (figure)    IKE SAs on FW2 (figure)
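    The screenshots above are what a practitioner checks by eye; the following parser is an added example, not part of the original lab, of doing that check programmatically. The sample output is constructed here to follow the USG6000V table layout of display ike sa (conn-id, peer, flag, phase, vpn, plus the flag legend); it was not captured from the author's lab, and the IKE version and connection IDs shown are assumptions. A tunnel is only usable when both a phase 1 (IKE) SA and a phase 2 (IPSec) SA with the expected peer carry the RD (READY) flag.

```python
"""Added example (not from the original lab): interpret "display ike sa" output.
The sample below is constructed to follow the USG6000V table layout; the IKE
version (v2) and conn-ids are assumptions, not values from the author's lab."""
import re

# Constructed sample, as FW1 might show it after the ping from PC1 triggers IKE.
SAMPLE_IKE_SA = """\
 current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase   vpn
-----------------------------------------------------------------------------
  2        10.2.2.2                RD|ST         v2:2    public
  1        10.2.2.2                RD|ST         v2:1    public

  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE
"""

# One table row: conn-id, IPv4 peer, '|'-joined flags, vVERSION:PHASE, vpn instance.
SA_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+v(\d):(\d)\s+(\S+)\s*$")

def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            rows.append({"conn_id": int(m.group(1)), "peer": m.group(2),
                         "flags": set(m.group(3).split("|")),
                         "version": int(m.group(4)), "phase": int(m.group(5)),
                         "vpn": m.group(6)})
    return rows

def tunnel_status(text, expected_peer):
    """Classify the tunnel to expected_peer and list any other peers seen.

    'up'          : READY phase 1 (IKE) and phase 2 (IPSec) SAs with that peer
    'negotiating' : an SA with that peer still carries the NEG flag
    'ike-only'    : phase 1 is READY but no phase 2 SA exists yet
    'down'        : nothing usable with that peer
    """
    rows = parse_ike_sa(text)
    ready = {r["phase"] for r in rows if r["peer"] == expected_peer and "RD" in r["flags"]}
    negotiating = any(r["peer"] == expected_peer and "NEG" in r["flags"] for r in rows)
    others = sorted({r["peer"] for r in rows if r["peer"] != expected_peer})
    if {1, 2} <= ready:
        state = "up"
    elif negotiating:
        state = "negotiating"
    elif 1 in ready:
        state = "ike-only"
    else:
        state = "down"
    return state, others

if __name__ == "__main__":
    print(tunnel_status(SAMPLE_IKE_SA, "10.2.2.2"))   # FW1's expected peer is FW2's GE1/0/2
```

    The "others" list is the defender's extra check: on this lab topology FW1 should only ever hold SAs with 10.2.2.2, so any additional peer address in the table is worth investigating.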

    (VII) References

    Huawei eNSP simulator software
    Huawei eNSP simulator community
    HCNA-Security (Huawei Certified Network Associate - Security)
    HCNP-Security (Huawei Certified Network Professional - Security)
    HUAWEI USG6000V V500R001C10SPC100 Typical Configuration Examples
    HUAWEI USG6000V V500R001C10SPC100 Administrator Guide
    HUAWEI USG6000V V500R001C10SPC100 Command Reference
    English abbreviations used in Huawei ICT
