华为防火墙 IPSec over GRE 配置

企业开发 2023-07-01 22:58:57 阅读次数: 0

在这里插入图片描述

IPsec

主要作用是对数据进行加密,因为他能提供所有有时候被单独用作实现加密的一种方法!IPsec建立的是一个逻辑隧道,并不是真正意义上的隧道!并且不能提供路由功能,因为IPsec不支持非ip流量,也不支持广播(组播)!

GRE
    GRE是一种三层VPN封装技术。GRE可以对某些网络层协议(如IPX、Apple Talk、IP等)的报文进行封装,使封装后的报文能够在另一种网络中(如IPv4)传输,从而解决了跨越异种网络的报文传输问题,虽然无法提供加密,但是能很好的支持非ip流量和广播!

GRE over IPSec(使用IPsec来加密隧道进行传输)
    GRE OVER IPSEC 是 gre 做内层封装, ipsec 做外层封装,ipsec 感兴趣数据流为 gre源目地址,适用于两点都是固定 ip 或者一方是动态 IP 或内网环境,由于 ipsec 不能传广播和组播,gre 可以,这种环境还可以运行一些适用组播和广播的协议。

IPSec over GRE(加密数据流后从隧道传输)
    IPSEC OVER GRE 是 IPSEC 做内层封装,GRE 做外层封装,适用于两端路由器都是固定IP,ipsec 策略应用在物理口,ipsec 感兴趣数据流为业务网段,只对业务数据进行加密。

配置
sysname FW1

配置感兴趣流,源目都是业务地址段
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.191.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.191.20.0 0.0.0.255

安全提议正常配置,保证两端的参数一致就ok
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

对端地址值得注意,ips over gre的对端地址是隧道地址
ike peer fw2
pre-shared-key huawei@123
ike-proposal 1
remote-address 12.1.1.2 //对端隧道地址
ike peer fw3
pre-shared-key huawei@123
ike-proposal 1
remote-address 22.1.1.2 //对端隧道地址

点到多点的场景中创建两个ipsec策略
ipsec policy ips1 1 isakmp
security acl 3000
ike-peer fw2
proposal 1
ipsec policy ips2 1 isakmp
security acl 3001
ike-peer fw3
proposal 1

interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.0.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.1 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 12.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3 //指定原接口
destination 100.1.12.6 //指定对端地址
ipsec policy ips1 //调用ipsec

interface Tunnel1
ip address 22.1.1.1 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.10
ipsec policy ips2

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface Tunnel0 //隧道接口要加入安全域,加入到非信任也可以
add interface Tunnel1

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

ip route-static 0.0.0.0 0.0.0.0 100.1.12.2
ip route-static 10.191.10.0 255.255.255.0 Tunnel0 //去往对端私网的路由指向隧道口
ip route-static 10.191.20.0 255.255.255.0 Tunnel1

security-policy
rule name t-un //防火墙繁琐之处,私网到私网的流量一定要设置正反向
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 10.191.10.0 mask 255.255.255.0
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsce //如果隧道口放非信任区,就省去了两个命令,local-unt就都包含了
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp //放行nat的流量
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit

nat-policy
rule name no-ips //无论防火墙还是路由器,在nat中一定要先把隧道的流量禁止
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat easy-ip

sysname FW2

acl number 3000
rule 5 permit ip source 10.191.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

ike peer fw1
pre-shared-key huawei@123
ike-proposal 1
remote-address 12.1.1.1

ipsec policy ips 1 isakmp
security acl 3000
ike-peer fw1
proposal 1

interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.10.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.6 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 12.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.1
ipsec policy ips

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

firewall zone dmz
set priority 50

ip route-static 0.0.0.0 0.0.0.0 100.1.12.5
ip route-static 192.168.1.0 255.255.255.0 Tunnel0

security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.10.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action permit

nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.10.0 mask 255.255.255.0
action source-nat easy-ip

sysname FW3

acl number 3000
rule 5 permit ip source 10.191.20.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

ike peer fw1
pre-shared-key huawei@123
ike-proposal 1
remote-address 22.1.1.1

ipsec policy ips 1 isakmp
security acl 3000
ike-peer fw1
proposal 1

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.191.20.254 255.255.255.0

interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.12.10 255.255.255.252
service-manage ping permit

interface Tunnel0
ip address 22.1.1.2 255.255.255.252
tunnel-protocol gre
keepalive
source GigabitEthernet1/0/3
destination 100.1.12.1
ipsec policy ips

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Tunnel0

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3

firewall zone dmz
set priority 50

ip route-static 0.0.0.0 0.0.0.0 100.1.12.9
ip route-static 192.168.1.0 255.255.255.0 Tunnel0

security-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un-t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.191.20.0 mask 255.255.255.0
action permit
rule name ipsce
source-zone local
source-zone trust
source-zone untrust
destination-zone local
destination-zone trust
destination-zone untrust
action permit
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action permit

nat-policy
rule name t-un
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.191.20.0 mask 255.255.255.0
action source-nat easy-ip

​如果是点到点,总部配置删除一组即可

验证
模拟器开始会丢一部分包
在这里插入图片描述
验证ike sa
在这里插入图片描述
在这里插入图片描述

猜你喜欢

转载自blog.csdn.net/weixin_45650628/article/details/129645528
今日推荐
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
《美国对全球网络空间安全与发展的威胁和破坏》报告发布
周排行
[编程题]学英语
[codeforces 1288A] Deadline 约数+模
Python的web开发
Docker在Centos 7上的部署
python编码
解决Ubuntu16.04 fatal error: json/json.h: No such file or directory
mysql并发插入
rest接口如何适应jsonp的方案
linux 终端上网设置
高数——等号两边同时求导、积分的解释
每日归档
更多
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022