1. Project background

Headquarters and two branch offices build IPsec VPN tunnels over the public Internet so that their internal networks can reach each other over an encrypted path. The headquarters firewall is an H3C, and both branch firewalls are also H3C.

  • HQ internal network: 172.16.0.0/16, public IP: 202.100.1.1
  • Branch 1 internal network: 192.168.1.0/24, public IP: 202.100.2.1
  • Branch 2 internal network: 192.168.2.0/24, public IP: 202.100.3.1

2. Configuration overview

  • Interface and security-zone assignment
  • Interesting-traffic (crypto) ACL definitions (HQ uses a separate ACL for Branch 1 and for Branch 2)
  • NAT exemption policy
  • IKE configuration (AES-256/SHA256/DH group 14, DPD and NAT-T enabled)
  • IPsec proposal and policy templates
  • Multiple IPsec policies bound to the outside interface
  • Security policy (split per branch)

3. Headquarters firewall configuration

Interfaces and zones

interface GigabitEthernet 1/0/1
 ip address 172.16.0.1 255.255.0.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.1.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

Interesting-traffic ACLs

acl number 3001  # HQ <-> Branch1
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255

acl number 3002  # HQ <-> Branch2
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255

NAT exemption

acl number 2000
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 2 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

IKE configuration

The pre-shared key "123456" below is only a placeholder; in production use a long, random key that is different for each peer, and keep it identical on both ends of the tunnel.

ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 dh group14
 sa duration 28800

ike peer branch1
 remote-address 202.100.2.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

ike peer branch2
 remote-address 202.100.3.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

IPsec configuration

ipsec proposal 1
 transform esp
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-256

ipsec policy template branch1 1
 security acl 3001
 ike-peer branch1
 proposal 1
 pfs dh-group14

ipsec policy template branch2 1
 security acl 3002
 ike-peer branch2
 proposal 1
 pfs dh-group14

ipsec policy name branch1 10 isakmp template branch1
ipsec policy name branch2 20 isakmp template branch2

interface GigabitEthernet 1/0/2
 ipsec policy branch1 10
 ipsec policy branch2 20

Security policy

security-policy
 rule name to_branch1
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 0.0.255.255
  destination-address 192.168.1.0 0.0.0.255
  service all
  action permit

 rule name from_branch1
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 0.0.0.255
  destination-address 172.16.0.0 0.0.255.255
  service all
  action permit

 rule name to_branch2
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 0.0.255.255
  destination-address 192.168.2.0 0.0.0.255
  service all
  action permit

 rule name from_branch2
  source-zone untrust
  destination-zone trust
  source-address 192.168.2.0 0.0.0.255
  destination-address 172.16.0.0 0.0.255.255
  service all
  action permit

4. Branch firewall configuration (Branch 1)

Interfaces and zones

interface GigabitEthernet 1/0/1
 ip address 192.168.1.1 255.255.255.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.2.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

Interesting-traffic ACL

acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255

NAT exemption

acl number 2000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

IKE configuration

ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 dh group14
 sa duration 28800

ike peer headquarters
 remote-address 202.100.1.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

IPsec configuration

ipsec proposal 1
 transform esp
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-256

ipsec policy template headquarters 1
 security acl 3000
 ike-peer headquarters
 proposal 1
 pfs dh-group14

ipsec policy name headquarters 10 isakmp template headquarters

interface GigabitEthernet 1/0/2
 ipsec policy headquarters 10

Security policy

security-policy
 rule name to_headquarters
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 0.0.0.255
  destination-address 172.16.0.0 0.0.255.255
  service all
  action permit

 rule name from_headquarters
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 0.0.255.255
  destination-address 192.168.1.0 0.0.0.255
  service all
  action permit

5. Branch firewall configuration (Branch 2)

Interfaces and zones

interface GigabitEthernet 1/0/1
 ip address 192.168.2.1 255.255.255.0
 zone trust
 add interface GigabitEthernet 1/0/1

interface GigabitEthernet 1/0/2
 ip address 202.100.3.1 255.255.255.0
 zone untrust
 add interface GigabitEthernet 1/0/2

Interesting-traffic ACL

acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255

NAT exemption

acl number 2000
 rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit any

nat outbound 2000 interface GigabitEthernet 1/0/2

IKE configuration

ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 dh group14
 sa duration 28800

ike peer headquarters
 remote-address 202.100.1.1
 pre-shared-key cipher "123456"
 ike-proposal 1
 dpddelay 10
 dpdtimeout 30
 dpdretry 3
 nat-traversal enable

IPsec configuration

ipsec proposal 1
 transform esp
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-256

ipsec policy template headquarters 1
 security acl 3000
 ike-peer headquarters
 proposal 1
 pfs dh-group14

ipsec policy name headquarters 10 isakmp template headquarters

interface GigabitEthernet 1/0/2
 ipsec policy headquarters 10

Security policy

security-policy
 rule name to_headquarters
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 0.0.0.255
  destination-address 172.16.0.0 0.0.255.255
  service all
  action permit

 rule name from_headquarters
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 0.0.255.255
  destination-address 192.168.2.0 0.0.0.255
  service all
  action permit
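The two things that most often break a design like the one above are a crypto ACL on one side that is not the exact mirror of its peer's (IKE phase 2 then fails on a proxy-ID mismatch) and a NAT exemption ACL that does not deny every VPN pair before its final "permit any" (the traffic is source-NATed before encryption and never matches the crypto ACL). The following script is an added example, not H3C tooling or code from the original page: it parses the ACL blocks shown in sections 3 to 5 and runs both checks offline. HQ_CONFIG and BRANCH1_CONFIG are copied from the page; BRANCH2_BROKEN is a constructed misconfiguration (wrong wildcard mask, missing NAT deny) included to show what the checks report.

```python
"""Offline consistency checks for the crypto ACLs and NAT-exemption ACLs of the
HQ/branch IPsec design on this page.  Added example, not vendor tooling."""
import ipaddress
import re

ACL_RE = re.compile(r"acl\s+number\s+(\d+)")
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)")
ANY_RE = re.compile(r"rule\s+\d+\s+(permit|deny)\s+any")
ANY = ipaddress.ip_network("0.0.0.0/0")

# ACL text copied from the page (HQ and Branch 1).
HQ_CONFIG = """
acl number 3001  # HQ <-> Branch1
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 3002  # HQ <-> Branch2
 rule 0 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
acl number 2000
 rule 0 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
 rule 2 permit any
"""
BRANCH1_CONFIG = """
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
acl number 2000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 1 permit any
"""
# Constructed misconfiguration: /24 wildcard typed for the HQ /16, and the
# NAT ACL lost its deny rule.  Not from the page; used to exercise the checks.
BRANCH2_BROKEN = """
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
acl number 2000
 rule 0 permit any
"""


def parse_acls(config_text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in rule order.
    Wildcard masks such as 0.0.0.255 are accepted by ipaddress as hostmasks."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#")[0].strip()        # drop trailing annotations
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        if current is None or not line.startswith("rule"):
            current = None                      # left the ACL block
            continue
        m = RULE_RE.match(line)
        if m:
            action, src, swc, dst, dwc = m.groups()
            acls[current].append((
                action,
                ipaddress.ip_network(f"{src}/{swc}", strict=False),
                ipaddress.ip_network(f"{dst}/{dwc}", strict=False)))
        elif ANY_RE.match(line):
            acls[current].append((ANY_RE.match(line).group(1), ANY, ANY))
    return acls


def permit_pairs(rules):
    """(src, dst) network pairs a crypto ACL would protect."""
    return {(s, d) for a, s, d in rules if a == "permit" and s != ANY}


def proxy_id_mismatches(hq_rules, branch_rules):
    """Every pair protected on one side must appear reversed on the other;
    anything left over is a proxy-ID (traffic selector) mismatch."""
    hq = permit_pairs(hq_rules)
    branch_reversed = {(d, s) for s, d in permit_pairs(branch_rules)}
    return sorted((str(s), str(d)) for s, d in hq ^ branch_reversed)


def nat_leaks(nat_rules, crypto_rules, local_net):
    """First-match evaluation of the outbound NAT ACL for each local->remote
    crypto pair; a pair whose first match is 'permit' is NATed before IPsec."""
    local_net = ipaddress.ip_network(local_net)
    leaks = []
    for src, dst in permit_pairs(crypto_rules):
        if not src.subnet_of(local_net):
            continue                            # inbound direction, NAT irrelevant
        for action, rs, rd in nat_rules:
            if src.subnet_of(rs) and dst.subnet_of(rd):
                if action == "permit":
                    leaks.append((str(src), str(dst)))
                break
    return sorted(leaks)


def check_site(hq_acls, branch_acls, hq_acl_no, branch_local):
    """Run both checks for one HQ<->branch pair and return the findings."""
    return {
        "proxy_id_mismatches": proxy_id_mismatches(hq_acls[hq_acl_no], branch_acls[3000]),
        "hq_nat_leaks": nat_leaks(hq_acls[2000], hq_acls[hq_acl_no], "172.16.0.0/16"),
        "branch_nat_leaks": nat_leaks(branch_acls[2000], branch_acls[3000], branch_local),
    }


if __name__ == "__main__":
    hq = parse_acls(HQ_CONFIG)
    print("branch1:", check_site(hq, parse_acls(BRANCH1_CONFIG), 3001, "192.168.1.0/24"))
    print("branch2:", check_site(hq, parse_acls(BRANCH2_BROKEN), 3002, "192.168.2.0/24"))
```

Feed it the ACL sections of the running configuration exported from each firewall; empty lists for all three keys mean the pair is consistent, and any reported pair should be fixed before looking further at "display ike sa" output.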

6. Verification steps

6.1 Status checks

  • IKE SA status

    display ike sa

    Confirm that HQ ↔ Branch1 and HQ ↔ Branch2 both show Established.

  • IPsec SA status

    display ipsec sa

    Confirm that SAs exist in both directions and that the traffic counters increase.

6.2 ACL hit counts

  • HQ:

    display acl 3001
    display acl 3002

  • Branches:

    display acl 3000

Check that the interesting traffic is producing hits.

6.3 Security policy statistics

display security-policy statistics

Confirm that the to_branchX / from_branchX rules have hits.

6.4 Connectivity tests

  • HQ → Branch1: ping 192.168.1.1
  • HQ → Branch2: ping 192.168.2.1
  • Branch1 → HQ: ping 172.16.0.1
  • Branch2 → HQ: ping 172.16.0.1

6.5 Application-layer verification

  • Test business traffic such as SMB/HTTP and confirm the applications are reachable.
  • If ping works but applications are unreachable, check the MTU/MSS settings.

6.6 Debugging (when needed)

  • Enable debug logging (run during off-peak hours):

    debugging ike 1
    debugging ipsec 1

    Use the output to analyse the negotiation, DPD behaviour and proxy-ID matching.

Copyright © https://yan-jian.com 2023 all rights reserved. Updated: 2025-12-29 11:48:17
