Below is a detailed configuration example for an H3C firewall that establishes IPsec VPNs with multiple branches. It assumes the headquarters H3C firewall builds VPN connections with two branches.
Network topology
Headquarters:
- Internal network: 172.16.0.0/16
- Firewall public IP: 202.100.1.1
Branch 1:
- Internal network: 192.168.1.0/24
- Firewall public IP: 202.100.2.1
Branch 2:
- Internal network: 192.168.2.0/24
- Firewall public IP: 202.100.3.1
Headquarters H3C firewall configuration
# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
ip address 172.16.0.1 255.255.0.0
zone trust
add interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/2
ip address 202.100.1.1 255.255.255.0
zone untrust
add interface GigabitEthernet 1/0/2
# 2. Define the interesting traffic (the flows to be protected by IPsec)
acl number 3000
rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 3 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
# 3. Exclude the interesting traffic from the existing NAT. An ACL that matches on the destination address must be an advanced ACL (numbered 3000-3999); a basic ACL in the 2000 range matches the source address only, so 3001 is used here. The deny rules must come before the final permit, because the first matching rule wins.
acl number 3001
rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
rule 2 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 3 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 4 permit ip
interface GigabitEthernet 1/0/2
nat outbound 3001
# 4. Configure IKE
# 4.1 Create the IKE peers (one per branch)
ike peer branch1
remote-address 202.100.2.1
pre-shared-key cipher "123456"
ike-proposal 1
dpddelay 10
dpdtimeout 30
dpdretry 3
nat-traversal enable
ike peer branch2
remote-address 202.100.3.1
pre-shared-key cipher "123456"
ike-proposal 1
dpddelay 10
dpdtimeout 30
dpdretry 3
nat-traversal enable
# 4.2 Create the IKE proposal
ike proposal 1
authentication-method pre-share
encryption-algorithm aes-cbc-128
authentication-algorithm sha1
dh group2
sa duration 28800
# 5. Configure IPsec
# 5.1 Create the IPsec proposal
ipsec proposal 1
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-cbc-128
# 5.2 Create the IPsec policy templates. A template can only respond to a negotiation, never initiate one, which is what the headquarters needs: the branches initiate the tunnels.
ipsec policy-template branch1 1
security acl 3000
ike-peer branch1
proposal 1
pfs dh-group2
ipsec policy-template branch2 1
security acl 3000
ike-peer branch2
proposal 1
pfs dh-group2
# 5.3 Reference the templates from a single IPsec policy. An interface can carry only one IPsec policy, so both templates are placed under the same policy name with different sequence numbers instead of applying two policies to the interface.
ipsec policy branch 1 isakmp template branch1
ipsec policy branch 2 isakmp template branch2
interface GigabitEthernet 1/0/2
ipsec policy branch
# 6. Configure the security policy
security-policy
rule name to_branch
source-zone trust
destination-zone untrust
source-address 172.16.0.0 0.0.255.255
destination-address 192.168.1.0 0.0.0.255
destination-address 192.168.2.0 0.0.0.255
service all
action permit
rule name from_branch
source-zone untrust
destination-zone trust
source-address 192.168.1.0 0.0.0.255
source-address 192.168.2.0 0.0.0.255
destination-address 172.16.0.0 0.0.255.255
service all
action permit
Branch 1 firewall configuration
# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
ip address 192.168.1.1 255.255.255.0
zone trust
add interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/2
ip address 202.100.2.1 255.255.255.0
zone untrust
add interface GigabitEthernet 1/0/2
# 2. Define the interesting traffic
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
# 3. Exclude the interesting traffic from the existing NAT (advanced ACL 3001, since a basic ACL cannot match on the destination address; the deny rules come before the final permit)
acl number 3001
rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip
interface GigabitEthernet 1/0/2
nat outbound 3001
# 4. Configure IKE
# 4.1 Create the IKE peer (the headquarters)
ike peer headquarters
remote-address 202.100.1.1
pre-shared-key cipher "123456"
ike-proposal 1
dpddelay 10
dpdtimeout 30
dpdretry 3
nat-traversal enable
# 4.2 Create the IKE proposal (must match the headquarters proposal)
ike proposal 1
authentication-method pre-share
encryption-algorithm aes-cbc-128
authentication-algorithm sha1
dh group2
sa duration 28800
# 5. Configure IPsec
# 5.1 Create the IPsec proposal (must match the headquarters proposal)
ipsec proposal 1
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-cbc-128
# 5.2 Create the IPsec policy. A policy template can only respond to a negotiation, so the branch, which has to initiate the tunnel towards the headquarters, uses a normal ISAKMP policy rather than a template.
ipsec policy headquarters 1 isakmp
security acl 3000
ike-peer headquarters
proposal 1
pfs dh-group2
# 5.3 Apply the IPsec policy to the public interface
interface GigabitEthernet 1/0/2
ipsec policy headquarters
# 6. Configure the security policy
security-policy
rule name to_headquarters
source-zone trust
destination-zone untrust
source-address 192.168.1.0 0.0.0.255
destination-address 172.16.0.0 0.0.255.255
service all
action permit
rule name from_headquarters
source-zone untrust
destination-zone trust
source-address 172.16.0.0 0.0.255.255
destination-address 192.168.1.0 0.0.0.255
service all
action permit
Branch 2 firewall configuration
The configuration of branch 2 is the same as that of branch 1, except that the internal network is replaced by 192.168.2.0/24 and the public IP by 202.100.3.1.
# 1. Configure interface IP addresses and security zones
interface GigabitEthernet 1/0/1
ip address 192.168.2.1 255.255.255.0
zone trust
add interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/2
ip address 202.100.3.1 255.255.255.0
zone untrust
add interface GigabitEthernet 1/0/2
# 2. Define the interesting traffic
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
# 3. Exclude the interesting traffic from the existing NAT (advanced ACL 3001, since a basic ACL cannot match on the destination address; the deny rules come before the final permit)
acl number 3001
rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip
interface GigabitEthernet 1/0/2
nat outbound 3001
# 4. Configure IKE
# 4.1 Create the IKE peer (the headquarters)
ike peer headquarters
remote-address 202.100.1.1
pre-shared-key cipher "123456"
ike-proposal 1
dpddelay 10
dpdtimeout 30
dpdretry 3
nat-traversal enable
# 4.2 Create the IKE proposal (must match the headquarters proposal)
ike proposal 1
authentication-method pre-share
encryption-algorithm aes-cbc-128
authentication-algorithm sha1
dh group2
sa duration 28800
# 5. Configure IPsec
# 5.1 Create the IPsec proposal (must match the headquarters proposal)
ipsec proposal 1
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-cbc-128
# 5.2 Create the IPsec policy. As on branch 1, the branch initiates the tunnel, so it uses a normal ISAKMP policy rather than a template, which could only respond.
ipsec policy headquarters 1 isakmp
security acl 3000
ike-peer headquarters
proposal 1
pfs dh-group2
# 5.3 Apply the IPsec policy to the public interface
interface GigabitEthernet 1/0/2
ipsec policy headquarters
# 6. Configure the security policy
security-policy
rule name to_headquarters
source-zone trust
destination-zone untrust
source-address 192.168.2.0 0.0.0.255
destination-address 172.16.0.0 0.0.255.255
service all
action permit
rule name from_headquarters
source-zone untrust
destination-zone trust
source-address 172.16.0.0 0.0.255.255
destination-address 192.168.2.0 0.0.0.255
service all
action permit
Notes
- The pre-shared key, encryption algorithm, authentication algorithm and other parameters above can be adjusted to the actual security requirements. The key "123456" is only a placeholder: use a long random key, and a different one for each branch, so that a key leaked at one branch cannot be used to impersonate another.
- Traffic addressed to the firewall itself (IKE on UDP 500 and, when NAT traversal is in use, UDP 4500, plus ESP) must also be permitted by a security policy between the untrust zone and the local zone; without it the negotiation never starts, even though the trust/untrust rules above are correct.
- The command syntax differs between Comware versions. The ike peer / ipsec proposal style shown here belongs to the older releases; Comware V7 firewalls use ike keychain, ike profile, ipsec transform-set and ipsec apply policy instead. Check each command against the command reference of the device in use.
- Make sure the clocks of all devices are synchronized, otherwise IKE negotiation may be affected.
- After the configuration is complete, use the display ipsec sa and display ike sa commands to check the IPsec and IKE negotiation status.
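Most tunnels that fail to come up in a hub-and-spoke deployment like this one fail for one of three reasons that can be caught before the configuration is loaded: the interesting-traffic ACLs of hub and spoke do not mirror each other, the NAT ACL still translates the VPN traffic, or an IKE peer points at an address that belongs to no site. The following Python script is an added example, not H3C tooling and not part of the original article. It parses the acl and ike peer lines in the style used above from constructed config excerpts (which reuse the page's addresses and assume advanced ACL 3001 for the NAT exclusion) and audits the three sites against each other; branch 2's excerpt deliberately lacks its NAT-exclusion deny rule so that the audit has a finding to report.

```python
import re
from ipaddress import IPv4Address, ip_network

# Constructed excerpts in the page's H3C-style syntax (not from a real device),
# reduced to the lines the audit reads. ACL 3001 is the assumed advanced ACL for
# the NAT exclusion; branch 2 deliberately lacks its deny rule.
HQ_CFG = """
acl number 3000
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
acl number 3001
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 2 permit ip
ike peer branch1
 remote-address 202.100.2.1
ike peer branch2
 remote-address 202.100.3.1
"""
BRANCH1_CFG = """
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 3001
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit ip
ike peer headquarters
 remote-address 202.100.1.1
"""
BRANCH2_CFG = """
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 3001
 rule 0 permit ip
ike peer headquarters
 remote-address 202.100.1.1
"""
# site -> (public IP, config text, interesting-traffic ACL number, NAT ACL number)
SITES = {
    "hq": ("202.100.1.1", HQ_CFG, 3000, 3001),
    "branch1": ("202.100.2.1", BRANCH1_CFG, 3000, 3001),
    "branch2": ("202.100.3.1", BRANCH2_CFG, 3000, 3001),
}
RULE_RE = re.compile(r"rule \d+ (permit|deny) ip"
                     r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")

def _net(addr, wildcard):
    """Convert 'address wildcard' (H3C ACL style) to an ip_network; None means any."""
    if addr is None:
        return ip_network("0.0.0.0/0")
    host_bits = int(IPv4Address(wildcard))
    if host_bits != (1 << host_bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{addr}/{32 - host_bits.bit_length()}", strict=False)

def parse(text):
    """Return ({acl number: [(action, src, dst)]}, {peer name: remote address})."""
    acls, peers, block, rules, peer = {}, {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"acl number (\d+)", line):
            block, rules = "acl", acls.setdefault(int(m.group(1)), [])
        elif m := re.match(r"ike peer (\S+)", line):
            block, peer = "peer", m.group(1)
        elif block == "acl" and (m := RULE_RE.match(line)):
            act, s, sw, d, dw = m.groups()
            rules.append((act, _net(s, sw), _net(d, dw)))
        elif block == "peer" and (m := re.match(r"remote-address (\S+)", line)):
            peers[peer] = m.group(1)
    return acls, peers

def audit(sites):
    """Return (problem, site, detail, detail) tuples; an empty list means consistent."""
    parsed = {site: parse(cfg) for site, (_, cfg, _, _) in sites.items()}
    public = {ip for ip, _, _, _ in sites.values()}
    findings = []
    for site, (ip, _, int_acl, nat_acl) in sites.items():
        acls, peers = parsed[site]
        mine = [(s, d) for a, s, d in acls.get(int_acl, []) if a == "permit"]
        others = {(s, d) for o, (oa, _) in parsed.items() if o != site
                  for a, s, d in oa.get(sites[o][2], []) if a == "permit"}
        for s, d in mine:
            # 1. some other site must protect the reverse flow, or phase 2 fails
            if (d, s) not in others:
                findings.append(("unmirrored", site, str(s), str(d)))
            # 2. the first NAT-ACL rule matching the flow must be a deny (first match wins)
            for act, rs, rd in acls.get(nat_acl, []):
                if s.subnet_of(rs) and d.subnet_of(rd):
                    if act == "permit":
                        findings.append(("nat_leak", site, str(s), str(d)))
                    break
        # 3. every IKE peer must point at another site's public address
        for name, addr in peers.items():
            if addr not in public - {ip}:
                findings.append(("dangling_peer", site, name, addr))
    return findings

if __name__ == "__main__":
    for finding in audit(SITES) or [("ok", "-", "all sites consistent", "")]:
        print(*finding)
```

Run as a script it prints one line per finding; for the excerpts above that is the single nat_leak entry for branch 2, and adding the missing deny rule makes the audit return an empty list. The wildcard-to-prefix conversion is done by hand rather than by passing the hostmask to ip_network, because ip_network interprets the all-zero mask "0.0.0.0" as a netmask (/0) rather than as a single-host wildcard.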