组网需求
如图1所示,RouterA和RouterB为企业分支网关,RouterC为企业总部网关,分支与总部通过公网建立通信,并且各网关的IP地址均固定。分支A子网为192.168.1.0/24,分支B子网为192.168.2.0/24,总部子网为192.168.3.0/24。
企业希望对分支子网与总部子网之间相互访问的流量进行安全保护。分支与总部通过公网建立通信,可以在分支网关与总部网关之间建立IPSec隧道来实施安全保护。由于总部网关可以指定分支网关的IP地址,在RouterC上部署安全策略组,就可以向各分支网关发起IPSec协商或接入各分支网关发起的IPSec协商,完成多条IPSec隧道的建立。
**图1 **配置总部采用安全策略方式与分支建立多条IPSec隧道组网图
配置思路
采用如下思路配置采用IKE协商方式建立多条IPSec隧道(安全策略组):
配置接口的IP地址和到对端的静态路由,保证两端路由可达。
配置ACL,以定义需要IPSec保护的数据流。
配置IPSec安全提议,定义IPSec的保护方法。
配置IKE对等体,定义对等体间IKE协商时的属性。
分别在RouterA和RouterB上创建安全策略,确定对何种数据流采取何种保护方法。在RouterC上创建安全策略组,分别确定对RouterA与RouterC、RouterB与RouterC之间的数据流采取何种保护方法。
在接口上应用安全策略组,使接口具有IPSec的保护功能。
操作步骤
-
分别在RouterA、RouterB和RouterC上配置各接口的IP地址和到对端的静态路由,使RouterA、RouterB和RouterC之间路由可达
在RouterA上配置接口的IP地址。
system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] undo portswitch [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] undo portswitch [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
[RouterA-GigabitEthernet0/0/2] quit
在RouterA上配置到对端的静态路由,此处假设到达总部子网的下一跳地址为60.1.1.2。
[RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
[RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2在RouterB上配置接口的IP地址。
system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] undo portswitch [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] undo portswitch [RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
[RouterB-GigabitEthernet0/0/2] quit
在RouterB上配置到对端的静态路由,此处假设到达总部子网的下一跳地址为60.1.2.2。
[RouterB] ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
[RouterB] ip route-static 192.168.3.0 255.255.255.0 60.1.2.2在RouterC上配置接口的IP地址。
system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] undo portswitch [RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
[RouterC-GigabitEthernet0/0/1] quit
[RouterC] interface gigabitethernet 0/0/2
[RouterC-GigabitEthernet0/0/2] undo portswitch [RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
[RouterC-GigabitEthernet0/0/2] quit
在RouterC上配置到对端的静态路由,此处假设到达分支A子网和分支B子网的下一跳地址均为60.1.3.2。
[RouterC] ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
[RouterC] ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
[RouterC] ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
[RouterC] ip route-static 192.168.2.0 255.255.255.0 60.1.3.2 -
分别在RouterA、RouterB和RouterC上配置ACL,定义各自要保护的数据流。
在RouterA上配置ACL,定义由子网192.168.1.0/24去子网192.168.3.0/24的数据流。
[RouterA] acl number 3002
[RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterA-acl-adv-3002] quit在RouterB上配置ACL,定义由子网192.168.2.0/24去子网192.168.3.0/24的数据流。
[RouterB] acl number 3002
[RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[RouterB-acl-adv-3002] quit在RouterC上配置ACL,定义由子网192.168.3.0/24分别去子网192.168.1.0/24和子网192.168.2.0/24的数据流。
[RouterC] acl number 3002
[RouterC-acl-adv-3002] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterC-acl-adv-3002] quit
[RouterC] acl number 3003
[RouterC-acl-adv-3003] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RouterC-acl-adv-3003] quit -
分别在RouterA、RouterB和RouterC上创建IPSec安全提议
在RouterA上配置IPSec安全提议。
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit在RouterB上配置IPSec安全提议。
[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-tran1] quit在RouterC上配置IPSec安全提议。
[RouterC] ipsec proposal tran1
[RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterC-ipsec-proposal-tran1] quit此时分别在RouterA、RouterB和RouterC上执行display ipsec proposal会显示所配置的信息,以RouterA为例。
[RouterA] display ipsec proposal name tran1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
-
分别在RouterA、RouterB和RouterC上配置IKE对等体
在RouterA上配置IKE安全提议。
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit在RouterA上配置IKE对等体。
[RouterA] ike peer rut1
[RouterA-ike-peer-rut1] undo version 2
[RouterA-ike-peer-rut1] ike-proposal 5
[RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterA-ike-peer-rut1] remote-address 60.1.3.1
[RouterA-ike-peer-rut1] quit在RouterB上配置IKE安全提议。
[RouterB] ike proposal 5
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit在RouterB上配置IKE对等体。
[RouterB] ike peer rut1
[RouterB-ike-peer-rut1] undo version 2
[RouterB-ike-peer-rut1] ike-proposal 5
[RouterB-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterB-ike-peer-rut1] remote-address 60.1.3.1
[RouterB-ike-peer-rut1] quit在RouterC上配置IKE安全提议。
[RouterC] ike proposal 5
[RouterC-ike-proposal-5] encryption-algorithm aes-128
[RouterC-ike-proposal-5] authentication-algorithm sha2-256
[RouterC-ike-proposal-5] dh group14
[RouterC-ike-proposal-5] quit在RouterC上配置IKE对等体。
[RouterC] ike peer rut1
[RouterC-ike-peer-rut1] undo version 2
[RouterC-ike-peer-rut1] ike-proposal 5
[RouterC-ike-peer-rut1] pre-shared-key cipher huawei@123
[RouterC-ike-peer-rut1] remote-address 60.1.1.1
[RouterC-ike-peer-rut1] quit
[RouterC] ike peer rut2
[RouterC-ike-peer-rut2] undo version 2
[RouterC-ike-peer-rut2] ike-proposal 5
[RouterC-ike-peer-rut2] pre-shared-key cipher huawei@123
[RouterC-ike-peer-rut2] remote-address 60.1.2.1
[RouterC-ike-peer-rut2] quit -
分别在RouterA和RouterB上创建安全策略,在RouterC上创建安全策略组
在RouterA上配置安全策略。
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterA-ipsec-policy-isakmp-policy1-10] quit在RouterB上配置安全策略。
[RouterB] ipsec policy policy1 10 isakmp
[RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterB-ipsec-policy-isakmp-policy1-10] quit在RouterC上配置安全策略组。
[RouterC] ipsec policy policy1 10 isakmp
[RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterC-ipsec-policy-isakmp-policy1-10] quit
[RouterC] ipsec policy policy1 11 isakmp
[RouterC-ipsec-policy-isakmp-policy1-11] ike-peer rut2
[RouterC-ipsec-policy-isakmp-policy1-11] proposal tran1
[RouterC-ipsec-policy-isakmp-policy1-11] security acl 3003
[RouterC-ipsec-policy-isakmp-policy1-11] quit此时分别在RouterA和RouterB上执行display ipsec policy会显示所配置的信息。
此时在RouterC上执行display ipsec policy会显示所配置的信息。
-
分别在RouterA、RouterB和RouterC的接口上应用各自的安全策略组,使接口具有IPSec的保护功能
在RouterA的接口上引用安全策略组。
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ipsec policy policy1
[RouterA-GigabitEthernet0/0/1] quit在RouterB的接口上引用安全策略组。
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ipsec policy policy1
[RouterB-GigabitEthernet0/0/1] quit在RouterC的接口上引用安全策略组。
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ipsec policy policy1
[RouterC-GigabitEthernet0/0/1] quit -
检查配置结果
配置成功后,分别在主机PC A和主机PC B执行ping操作仍然可以ping通主机PC C,它们之间的数据传输将被加密。
分别在RouterA和RouterB上执行display ike sa操作,会显示相应信息,以RouterA为例。
[RouterA] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24366 60.1.3.1:500 RD|ST v1:2 IP 60.1.3.1
24274 60.1.3.1:500 RD|ST v1:1 IP 60.1.3.1Number of IKE SA : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING在RouterC上执行display ike sa操作,结果如下。
[RouterC] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
961 60.1.2.1:500 RD v1:2 IP 60.1.2.1
933 60.1.2.1:500 RD v1:1 IP 60.1.2.1
937 60.1.1.1:500 RD v1:2 IP 60.1.1.1
936 60.1.1.1:500 RD v1:1 IP 60.1.1.1Number of IKE SA : 4
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
配置文件
-
RouterA的配置文件
#
sysname RouterAacl number 3002
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%%#
ike-proposal 5
remote-address 60.1.3.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.1.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.1.2 255.255.255.0ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
ip route-static 192.168.3.0 255.255.255.0 60.1.1.2return
-
RouterB的配置文件
#
sysname RouterBacl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%%#
ike-proposal 5
remote-address 60.1.3.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.2.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.2.2 255.255.255.0ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
ip route-static 192.168.3.0 255.255.255.0 60.1.2.2return
-
RouterC的配置文件
#
sysname RouterCacl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3003
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256ike peer rut1
undo version 2
pre-shared-key cipher %%#IRFGEiFPJ1>
ike-proposal 5
remote-address 60.1.1.1ike peer rut2
undo version 2
pre-shared-key cipher %%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%%#
ike-proposal 5
remote-address 60.1.2.1ipsec policy policy1 10 isakmp
security acl 3002
ike-peer rut1
proposal tran1
ipsec policy policy1 11 isakmp
security acl 3003
ike-peer rut2
proposal tran1interface GigabitEthernet0/0/1
undo portswitch ip address 60.1.3.1 255.255.255.0
ipsec policy policy1interface GigabitEthernet0/0/2
undo portswitch ip address 192.168.3.2 255.255.255.0ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
ip route-static 192.168.2.0 255.255.255.0 60.1.3.2return
相关资料
视频:配置总部与多个分支建立IPSec隧道