The following is a detailed configuration example of an H3C firewall establishing IPsec VPNs with several branches. It assumes the headquarters H3C firewall builds VPN connections to two branch sites.

Network topology

  • Headquarters
    • Internal network: 172.16.0.0/16
    • Firewall public IP: 202.100.1.1
  • Branch 1
    • Internal network: 192.168.1.0/24
    • Firewall public IP: 202.100.2.1
  • Branch 2
    • Internal network: 192.168.2.0/24
    • Firewall public IP: 202.100.3.1

Headquarters H3C firewall configuration

# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
 ip address 172.16.0.1 255.255.0.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.1.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

# 2. Define the interesting traffic (local source -> remote destination only;
#    each branch's ACL must be the exact mirror image of its rule here, so reverse
#    rules do not belong in this ACL)
acl number 3000
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255

# 3. Exclude the interesting traffic from the existing NAT (the deny rules must precede the final permit)
acl number 2000
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 2 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 3 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 4 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

# 4. Configure IKE
# 4.1 Create the IKE peers (the key 123456 is only an example; use a long random key, ideally a different one per branch)
ike peer branch1
 remote-address 202.100.2.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

ike peer branch2
 remote-address 202.100.3.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

# 4.2 Create the IKE proposal
ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group2
 sa duration 28800

# 5. Configure IPsec
# 5.1 Create the IPsec proposal
ipsec proposal 1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-128

# 5.2 Create the IPsec policy templates (the headquarters only responds; each branch initiates)
ipsec policy template branch1 1
 security acl 3000
 ike-peer branch1
 proposal 1
 pfs dh-group2

ipsec policy template branch2 1
 security acl 3000
 ike-peer branch2
 proposal 1
 pfs dh-group2

# 5.3 Reference the templates from ONE IPsec policy group. An interface can apply
#    only a single IPsec policy, so each branch gets its own sequence number inside
#    the same group instead of a separate policy (a second "ipsec policy" line on
#    the interface would simply replace the first).
ipsec policy name vpn 1 isakmp template branch1
ipsec policy name vpn 2 isakmp template branch2

interface GigabitEthernet 1/0/2
 ipsec policy vpn

# 6. Configure security policies: the LAN-to-LAN traffic between zones, plus the
#    negotiation traffic between the branch public addresses and the firewall itself
security-policy
 rule name to_branch
 source-zone trust
 destination-zone untrust
 source-address 172.16.0.0 0.0.255.255
 destination-address 192.168.1.0 0.0.0.255
 destination-address 192.168.2.0 0.0.0.255
 service all
 action permit

 rule name from_branch
 source-zone untrust
 destination-zone trust
 source-address 192.168.1.0 0.0.0.255
 source-address 192.168.2.0 0.0.0.255
 destination-address 172.16.0.0 0.0.255.255
 service all
 action permit

 # IKE (UDP 500/4500) and ESP terminate on the firewall, i.e. in the local zone;
 # without these two rules the tunnels never negotiate. "service all" can be
 # narrowed to exactly those protocols.
 rule name ike_from_branch
 source-zone untrust
 destination-zone local
 source-address 202.100.2.1 0.0.0.0
 source-address 202.100.3.1 0.0.0.0
 service all
 action permit

 rule name ike_to_branch
 source-zone local
 destination-zone untrust
 destination-address 202.100.2.1 0.0.0.0
 destination-address 202.100.3.1 0.0.0.0
 service all
 action permit

Branch 1 firewall configuration

# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
 ip address 192.168.1.1 255.255.255.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.2.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

# 2. Define the interesting traffic (the mirror image of the headquarters rule for
#    this branch: local source -> remote destination only)
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255

# 3. Exclude the interesting traffic from the existing NAT (the deny rules must precede the final permit)
acl number 2000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 2 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

# 4. Configure IKE
# 4.1 Create the IKE peer (the key must match the one configured for this branch at headquarters)
ike peer headquarters
 remote-address 202.100.1.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

# 4.2 Create the IKE proposal
ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group2
 sa duration 28800

# 5. Configure IPsec
# 5.1 Create the IPsec proposal
ipsec proposal 1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-128

# 5.2 Create the IPsec policy. The branch uses a normal isakmp policy, not a
#    template: a template can only respond, and with templates on both ends nobody
#    would ever initiate the negotiation.
ipsec policy headquarters 1 isakmp
 security acl 3000
 ike-peer headquarters
 proposal 1
 pfs dh-group2

# 5.3 Apply the IPsec policy to the WAN interface
interface GigabitEthernet 1/0/2
 ipsec policy headquarters

# 6. Configure security policies: the LAN-to-LAN traffic between zones, plus the
#    negotiation traffic between the headquarters public address and the firewall itself
security-policy
 rule name to_headquarters
 source-zone trust
 destination-zone untrust
 source-address 192.168.1.0 0.0.0.255
 destination-address 172.16.0.0 0.0.255.255
 service all
 action permit

 rule name from_headquarters
 source-zone untrust
 destination-zone trust
 source-address 172.16.0.0 0.0.255.255
 destination-address 192.168.1.0 0.0.0.255
 service all
 action permit

 # IKE (UDP 500/4500) and ESP terminate in the local zone; "service all" can be
 # narrowed to exactly those protocols.
 rule name ike_from_headquarters
 source-zone untrust
 destination-zone local
 source-address 202.100.1.1 0.0.0.0
 service all
 action permit

 rule name ike_to_headquarters
 source-zone local
 destination-zone untrust
 destination-address 202.100.1.1 0.0.0.0
 service all
 action permit

Branch 2 firewall configuration

The branch 2 configuration is the same as branch 1 except that the internal network becomes 192.168.2.0/24 and the public IP becomes 202.100.3.1.

# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
 ip address 192.168.2.1 255.255.255.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.3.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

# 2. Define the interesting traffic (the mirror image of the headquarters rule for
#    this branch: local source -> remote destination only)
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255

# 3. Exclude the interesting traffic from the existing NAT (the deny rules must precede the final permit)
acl number 2000
 rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 2 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

# 4. Configure IKE
# 4.1 Create the IKE peer (the key must match the one configured for this branch at headquarters)
ike peer headquarters
 remote-address 202.100.1.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

# 4.2 Create the IKE proposal
ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group2
 sa duration 28800

# 5. Configure IPsec
# 5.1 Create the IPsec proposal
ipsec proposal 1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-128

# 5.2 Create the IPsec policy (a normal isakmp policy, not a template, so that this
#    branch can initiate the negotiation; the headquarters template only responds)
ipsec policy headquarters 1 isakmp
 security acl 3000
 ike-peer headquarters
 proposal 1
 pfs dh-group2

# 5.3 Apply the IPsec policy to the WAN interface
interface GigabitEthernet 1/0/2
 ipsec policy headquarters

# 6. Configure security policies: the LAN-to-LAN traffic between zones, plus the
#    negotiation traffic between the headquarters public address and the firewall itself
security-policy
 rule name to_headquarters
 source-zone trust
 destination-zone untrust
 source-address 192.168.2.0 0.0.0.255
 destination-address 172.16.0.0 0.0.255.255
 service all
 action permit

 rule name from_headquarters
 source-zone untrust
 destination-zone trust
 source-address 172.16.0.0 0.0.255.255
 destination-address 192.168.2.0 0.0.0.255
 service all
 action permit

 # IKE (UDP 500/4500) and ESP terminate in the local zone; "service all" can be
 # narrowed to exactly those protocols.
 rule name ike_from_headquarters
 source-zone untrust
 destination-zone local
 source-address 202.100.1.1 0.0.0.0
 service all
 action permit

 rule name ike_to_headquarters
 source-zone local
 destination-zone untrust
 destination-address 202.100.1.1 0.0.0.0
 service all
 action permit
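The branch configurations above differ from each other only by substitution, and the headquarters side must stay consistent with every branch (mirror-image ACLs, one sequence entry per branch in a single policy group). The following generator, added here as an example and not part of the original article or any H3C tool, emits both sides from one branch table in the same command syntax the article uses; the PSK placeholder and the function names are assumptions of this example.

```python
from ipaddress import ip_network

# Constructed from the article's topology: hub = headquarters, spokes = branches.
HQ_LAN, HQ_WAN = ip_network("172.16.0.0/16"), "202.100.1.1"
BRANCHES = [("branch1", "192.168.1.0/24", "202.100.2.1"),
            ("branch2", "192.168.2.0/24", "202.100.3.1")]
PSK = "CHANGE_ME_long_random_key"  # placeholder; never deploy a short key like 123456

def wc(net):
    """'address wildcard' form used by the ACL rules in the article."""
    return f"{net.network_address} {net.hostmask}"

def acl(number, flows, action="permit", tail=()):
    """One ACL: a rule per (src, dst) flow, followed by any trailing rules."""
    rules = [f" rule {i} {action} ip source {wc(s)} destination {wc(d)}"
             for i, (s, d) in enumerate(flows)]
    return ([f"acl number {number}"] + rules
            + [f" rule {len(rules) + j} {t}" for j, t in enumerate(tail)])

def ike_peer(name, remote):
    return [f"ike peer {name}", f" remote-address {remote}",
            f" pre-shared-key cipher {PSK}", " ike-proposal 1", " nat-traversal enable"]

def hq_config():
    """Hub: interesting-traffic ACL lists local -> remote flows only, NAT is exempted
    for the same flows, and ONE policy group holds a sequence entry per branch."""
    flows = [(HQ_LAN, ip_network(lan)) for _, lan, _ in BRANCHES]
    cfg = acl(3000, flows) + acl(2000, flows, "deny", tail=["permit any"])
    cfg.append("nat outbound 2000 interface GigabitEthernet 1/0/2")
    for seq, (name, _, wan) in enumerate(BRANCHES, start=1):
        cfg += ike_peer(name, wan)
        cfg += [f"ipsec policy template {name} 1", " security acl 3000",
                f" ike-peer {name}", " proposal 1", " pfs dh-group2",
                f"ipsec policy name vpn {seq} isakmp template {name}"]
    # An interface applies exactly one IPsec policy group, hence the single line below.
    cfg += ["interface GigabitEthernet 1/0/2", " ipsec policy vpn"]
    return cfg

def branch_config(lan, hq_wan=HQ_WAN):
    """Spoke: ACL is the mirror image of the hub's rule for this branch; the policy is
    a normal isakmp policy (not a template) so the spoke can initiate negotiation."""
    flows = [(ip_network(lan), HQ_LAN)]
    cfg = acl(3000, flows) + acl(2000, flows, "deny", tail=["permit any"])
    cfg.append("nat outbound 2000 interface GigabitEthernet 1/0/2")
    cfg += ike_peer("headquarters", hq_wan)
    cfg += ["ipsec policy headquarters 1 isakmp", " security acl 3000",
            " ike-peer headquarters", " proposal 1", " pfs dh-group2",
            "interface GigabitEthernet 1/0/2", " ipsec policy headquarters"]
    return cfg
```

Interface, zone and security-policy lines are left out on purpose; `"\n".join(hq_config())` prints the headquarters fragment, and adding a third tuple to BRANCHES yields a third template and sequence entry without touching anything else.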

Notes

  • The pre-shared key, encryption algorithm, authentication algorithm and other parameters above can be adjusted to the actual security requirements; the aes-cbc-128 / sha1 / dh group2 values shown are a lowest common denominator, so prefer SHA-256 and DH group 14 or higher, and a long random key, wherever both ends support them.
  • Make sure the clocks of all devices are synchronised, otherwise IKE negotiation may be affected.
  • After configuration, use the display ike sa and display ipsec sa commands to check the IKE and IPsec negotiation status.
Copyright © https://yan-jian.com 2023, all rights reserved. Updated: 2025-04-29 16:46:04
