Play with Huawei eNSP simulator series | IPSec gateway active/standby dual-machine hot standby

Source: Huawei Firewall Configuration Guide

Test notes organized while studying and shared with everyone; if anything infringes it will be removed. Thank you for your support!

Attach a summary post: Playing with Huawei ENSP Simulator Series | Collection_COCOgsta's Blog-CSDN Blog_Huawei Simulator Experiment


Objective

One end of the IPSec tunnel is terminated on two devices running as an active/standby hot-standby pair. The IPSec configuration and the tunnel state (IKE SAs and IPSec SAs) are backed up from the active device to the standby device, so the tunnel is not torn down when the active device fails and the branch does not have to re-negotiate it; this improves network reliability.

Networking requirements

As shown in Figure 1, the company headquarters (HQ) reaches the external network through FW_A and FW_B. Branch employees use FW_C to access the headquarters, and the branches must reach the intranet server securely, protected by IPSec. The company has multiple branches; this example shows only one of them, whose gateway is FW_C. To improve network reliability, FW_A and FW_B are configured as an active/standby hot-standby pair, and the devices both upstream and downstream of them are switches.

Configuration idea

  1. Configure the hot standby (HRP) function on FW_A and FW_B.
  2. Configure security policies and IPSec services on FW_A. Once hot standby between FW_A and FW_B is enabled, the security policies and IPSec services of FW_A are automatically backed up to FW_B, so they are configured on FW_A only. Interface addresses and static routes are configured on each device separately.
  3. Configure the IPSec tunnel on FW_C, pointing it at the VRRP virtual IP of the HQ pair rather than at either firewall's physical address.

Steps

  1. Configure the hot standby function of FW_A (headquarters) and FW_B (headquarters).

    1. Configure an IP address for each interface and add the interface to the corresponding security zone. GE1/0/1 is the heartbeat link to FW_B, GE1/0/2 faces the external network, and GE1/0/3 faces the HQ intranet.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface gigabitethernet 1/0/1
      [FW_A-GigabitEthernet1/0/1] ip address 10.10.0.1 24
      [FW_A-GigabitEthernet1/0/1] quit
      [FW_A] interface gigabitethernet 1/0/2
      [FW_A-GigabitEthernet1/0/2] ip address 1.1.1.2 24
      [FW_A-GigabitEthernet1/0/2] quit
      [FW_A] interface gigabitethernet 1/0/3
      [FW_A-GigabitEthernet1/0/3] ip address 10.3.0.3 24
      [FW_A-GigabitEthernet1/0/3] quit
      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface gigabitethernet 1/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface gigabitethernet 1/0/2
      [FW_A-zone-untrust] quit
      [FW_A] firewall zone dmz
      [FW_A-zone-dmz] add interface gigabitethernet 1/0/1
      [FW_A-zone-dmz] quit

    2. Configure VRRP backup groups on FW_A. The virtual IPs 1.1.1.1 (upstream) and 10.3.0.2 (downstream) are the addresses that the branch and the intranet hosts actually talk to, so they follow whichever firewall is currently active.

      [FW_A] interface gigabitethernet 1/0/2
      [FW_A-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 1.1.1.1 24 active
      [FW_A-GigabitEthernet1/0/2] quit
      [FW_A] interface gigabitethernet 1/0/3
      [FW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.2 24 active
      [FW_A-GigabitEthernet1/0/3] quit

    3. Specify the heartbeat interface on FW_A and enable the hot standby function. GE1/0/1 carries the HRP heartbeat and the backup of configuration and session state to FW_B at 10.10.0.2.

      [FW_A] hrp interface gigabitethernet 1/0/1 remote 10.10.0.2
      [FW_A] hrp enable

    4. Complete the configuration of FW_B and bring the pair into the hot standby state. The configuration of FW_B is basically the same as that of FW_A above; the differences are:

      1. The interface IP addresses on FW_B differ from those on FW_A. The heartbeat interface GE1/0/1 on FW_B is 10.10.0.2 (the address given as remote on FW_A), and its own hrp command points back at 10.10.0.1. The VRRP virtual IPs are the same on both devices.
      2. The VRRP backup groups of the service interfaces GE1/0/2 and GE1/0/3 on FW_B are added to the VGMP group whose state is Standby, that is, the vrrp vrid commands use the standby keyword instead of active.
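The guide only describes FW_B by its differences from FW_A. The following is an added example of the complete FW_B hot-standby configuration, not part of the original guide: the physical addresses of GE1/0/2 (1.1.1.3) and GE1/0/3 (10.3.0.4) are assumptions, since Figure 1 is not reproduced on this page; 10.10.0.2 on GE1/0/1, the VRIDs, the virtual IPs and the zone assignments are taken from the FW_A configuration above.

```text
<sysname> system-view
[sysname] sysname FW_B
# Heartbeat interface: 10.10.0.2 is the address FW_A names in "hrp interface ... remote 10.10.0.2"
[FW_B] interface gigabitethernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/1] quit
# Service interfaces: the physical addresses below are assumed; only the VRRP virtual IPs must match FW_A
[FW_B] interface gigabitethernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 1.1.1.3 24
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface gigabitethernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.3.0.4 24
[FW_B-GigabitEthernet1/0/3] quit
# Zone assignments identical to FW_A, otherwise the backed-up security policies would not apply the same way
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface gigabitethernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface gigabitethernet 1/0/2
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface gigabitethernet 1/0/1
[FW_B-zone-dmz] quit
# Same VRIDs and virtual IPs as FW_A, but joined to the Standby VGMP group
[FW_B] interface gigabitethernet 1/0/2
[FW_B-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface gigabitethernet 1/0/3
[FW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.2 24 standby
[FW_B-GigabitEthernet1/0/3] quit
# Heartbeat link points back at FW_A's GE1/0/1
[FW_B] hrp interface gigabitethernet 1/0/1 remote 10.10.0.1
[FW_B] hrp enable
```

Once hrp enable has been entered on both devices and the heartbeat is up, the prompts change to HRP_M[FW_A] and HRP_S[FW_B]; the rest of the guide shows FW_B with the HRP_S prompt for that reason.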
  2. Configure security policies and IPSec services on FW_A. Everything in this step is backed up to FW_B by HRP, so it is entered on FW_A only.

    1. Configure security policies.

      1. Configure security policies between the Trust and Untrust zones to allow the packets before encapsulation and after decapsulation to pass through FW_A. These rules match the plaintext flows, so they are written in terms of the two intranet subnets, not the tunnel endpoints.

        [FW_A] security-policy
        [FW_A-policy-security] rule name policy_ipsec_1
        [FW_A-policy-security-rule-policy_ipsec_1] source-zone trust
        [FW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
        [FW_A-policy-security-rule-policy_ipsec_1] source-address 10.3.0.0 24
        [FW_A-policy-security-rule-policy_ipsec_1] destination-address 10.4.1.0 24
        [FW_A-policy-security-rule-policy_ipsec_1] action permit
        [FW_A-policy-security-rule-policy_ipsec_1] quit
        [FW_A-policy-security] rule name policy_ipsec_2
        [FW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
        [FW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
        [FW_A-policy-security-rule-policy_ipsec_2] source-address 10.4.1.0 24
        [FW_A-policy-security-rule-policy_ipsec_2] destination-address 10.3.0.0 24
        [FW_A-policy-security-rule-policy_ipsec_2] action permit
        [FW_A-policy-security-rule-policy_ipsec_2] quit

      2. Configure security policies between the Local and Untrust zones to allow IKE negotiation packets to pass through FW_A. The local address is the VRRP virtual IP 1.1.1.1, not the physical 1.1.1.2, because the tunnel terminates on the virtual IP and that is the address FW_B takes over. Since the same rules are backed up to FW_B, they are valid on whichever device is active.

        [FW_A-policy-security] rule name policy_ipsec_3
        [FW_A-policy-security-rule-policy_ipsec_3] source-zone local
        [FW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
        [FW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.1.1 32
        [FW_A-policy-security-rule-policy_ipsec_3] destination-address 4.4.4.4 32
        [FW_A-policy-security-rule-policy_ipsec_3] action permit
        [FW_A-policy-security-rule-policy_ipsec_3] quit
        [FW_A-policy-security] rule name policy_ipsec_4
        [FW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
        [FW_A-policy-security-rule-policy_ipsec_4] destination-zone local
        [FW_A-policy-security-rule-policy_ipsec_4] source-address 4.4.4.4 32
        [FW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.1.1 32
        [FW_A-policy-security-rule-policy_ipsec_4] action permit
        [FW_A-policy-security-rule-policy_ipsec_4] quit
        [FW_A-policy-security] quit
    2. Configure routes for FW_A. The route to the branch intranet 10.4.1.0/24 via the upstream gateway is what sends that traffic out through GE1/0/2, where ACL 3000 matches it and the IPSec policy applied to the interface encapsulates it.

      # Configure a default route with the next hop 1.1.1.254.
      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

      # Configure a route to the branch intranet, with the next hop 1.1.1.254.
      [FW_A] ip route-static 10.4.1.0 255.255.255.0 1.1.1.254
    3. Configure an IPSec tunnel on FW_A.

      1. Configure an access control list to define the data flow to be protected. It must be the exact mirror of the ACL on FW_C, otherwise the IPSec SA negotiation fails.

        [FW_A] acl 3000
        [FW_A-acl-adv-3000] rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
        [FW_A-acl-adv-3000] quit

      2. Configure an IKE proposal with sequence number 10. No parameters are set here, so the proposal uses the device's default algorithms and DH group; in production set them explicitly and keep them identical on FW_C.

        [FW_A] ike proposal 10
        [FW_A-ike-proposal-10] quit

      3. Configure the IKE peer. No remote-address is set and the peer is referenced from a policy template below, so FW_A acts only as responder and accepts any branch that presents the pre-shared key; this is what lets one HQ configuration serve multiple branches. Admin@123 is a placeholder: use a long random pre-shared key in practice, since it is the only thing authenticating the branches.

        [FW_A] ike peer any
        [FW_A-ike-peer-any] ike-proposal 10
        [FW_A-ike-peer-any] pre-shared-key Admin@123
        [FW_A-ike-peer-any] quit

      4. Configure an IPSec proposal named tran1: ESP in tunnel mode with AES-256 encryption and SHA2-256 authentication.

        [FW_A] ipsec proposal tran1
        [FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
        [FW_A-ipsec-proposal-tran1] transform esp
        [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [FW_A-ipsec-proposal-tran1] quit

      5. Configure policy template policy1 and reference it from IPSec policy group map1.

        [FW_A] ipsec policy-template policy1 1
        [FW_A-ipsec-policy-templet-policy1-1] security acl 3000
        [FW_A-ipsec-policy-templet-policy1-1] proposal tran1
        [FW_A-ipsec-policy-templet-policy1-1] ike-peer any
        [FW_A-ipsec-policy-templet-policy1-1] quit
        [FW_A] ipsec policy map1 10 isakmp template policy1

      6. Apply policy group map1 to the outbound interface GE1/0/2.

        [FW_A] interface gigabitethernet 1/0/2
        [FW_A-GigabitEthernet1/0/2] ipsec policy map1
        [FW_A-GigabitEthernet1/0/2] quit
  3. Configure routes on FW_B. Static routes are not part of the configuration backed up from FW_A in this example, so they are entered on FW_B itself; the HRP_S prompt shows that FW_B is in the standby role.

    # Configure a default route with the next hop 1.1.1.254.
    HRP_S[FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

    # Configure a route to the branch intranet, with the next hop 1.1.1.254.
    HRP_S[FW_B] ip route-static 10.4.1.0 255.255.255.0 1.1.1.254
  4. Configure FW_C (branch).

    1. Configure the interface IP addresses.

      <sysname> system-view
      [sysname] sysname FW_C
      [FW_C] interface gigabitethernet 1/0/3
      [FW_C-GigabitEthernet1/0/3] ip address 10.4.1.1 24
      [FW_C-GigabitEthernet1/0/3] quit
      [FW_C] interface gigabitethernet 1/0/1
      [FW_C-GigabitEthernet1/0/1] ip address 4.4.4.4 24
      [FW_C-GigabitEthernet1/0/1] quit

    2. Add the interfaces to the corresponding security zones.

      [FW_C] firewall zone trust
      [FW_C-zone-trust] add interface gigabitethernet 1/0/3
      [FW_C-zone-trust] quit
      [FW_C] firewall zone untrust
      [FW_C-zone-untrust] add interface gigabitethernet 1/0/1
      [FW_C-zone-untrust] quit
    3. Configure security policies.

      1. Configure security policies between the Trust and Untrust zones to allow the packets before encapsulation and after decapsulation to pass through FW_C.

        [FW_C] security-policy
        [FW_C-policy-security] rule name policy_ipsec_1
        [FW_C-policy-security-rule-policy_ipsec_1] source-zone trust
        [FW_C-policy-security-rule-policy_ipsec_1] destination-zone untrust
        [FW_C-policy-security-rule-policy_ipsec_1] source-address 10.4.1.0 24
        [FW_C-policy-security-rule-policy_ipsec_1] destination-address 10.3.0.0 24
        [FW_C-policy-security-rule-policy_ipsec_1] action permit
        [FW_C-policy-security-rule-policy_ipsec_1] quit
        [FW_C-policy-security] rule name policy_ipsec_2
        [FW_C-policy-security-rule-policy_ipsec_2] source-zone untrust
        [FW_C-policy-security-rule-policy_ipsec_2] destination-zone trust
        [FW_C-policy-security-rule-policy_ipsec_2] source-address 10.3.0.0 24
        [FW_C-policy-security-rule-policy_ipsec_2] destination-address 10.4.1.0 24
        [FW_C-policy-security-rule-policy_ipsec_2] action permit
        [FW_C-policy-security-rule-policy_ipsec_2] quit

      2. Configure security policies between the Local and Untrust zones to allow IKE negotiation packets to pass through FW_C. The HQ side is the VRRP virtual IP 1.1.1.1, so these rules stay valid no matter which of FW_A and FW_B is active.

        [FW_C-policy-security] rule name policy_ipsec_3
        [FW_C-policy-security-rule-policy_ipsec_3] source-zone local
        [FW_C-policy-security-rule-policy_ipsec_3] destination-zone untrust
        [FW_C-policy-security-rule-policy_ipsec_3] source-address 4.4.4.4 32
        [FW_C-policy-security-rule-policy_ipsec_3] destination-address 1.1.1.1 32
        [FW_C-policy-security-rule-policy_ipsec_3] action permit
        [FW_C-policy-security-rule-policy_ipsec_3] quit
        [FW_C-policy-security] rule name policy_ipsec_4
        [FW_C-policy-security-rule-policy_ipsec_4] source-zone untrust
        [FW_C-policy-security-rule-policy_ipsec_4] destination-zone local
        [FW_C-policy-security-rule-policy_ipsec_4] source-address 1.1.1.1 32
        [FW_C-policy-security-rule-policy_ipsec_4] destination-address 4.4.4.4 32
        [FW_C-policy-security-rule-policy_ipsec_4] action permit
        [FW_C-policy-security-rule-policy_ipsec_4] quit
        [FW_C-policy-security] quit
    4. Configure routes for FW_C.

      # Configure a default route with the next hop 4.4.4.254.
      [FW_C] ip route-static 0.0.0.0 0.0.0.0 4.4.4.254

      # Configure a route to the headquarters intranet, with the next hop 4.4.4.254.
      [FW_C] ip route-static 10.3.0.0 255.255.255.0 4.4.4.254
    5. Configure an IPSec tunnel on FW_C.

      1. Configure an access control list to define the data flow to be protected. It is the mirror image of ACL 3000 on FW_A.

        [FW_C] acl 3000
        [FW_C-acl-adv-3000] rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
        [FW_C-acl-adv-3000] quit

      2. Configure an IKE proposal with sequence number 10. As on FW_A, no parameters are set, so the defaults are used; whatever is set here must match FW_A.

        [FW_C] ike proposal 10
        [FW_C-ike-proposal-10] quit

      3. Configure the IKE peer. The remote address is 1.1.1.1, the VRRP virtual IP of the HQ pair, not the physical address of FW_A or FW_B; the branch therefore never needs to know which HQ firewall is active, and after a switchover the SAs backed up to FW_B keep the tunnel up. The pre-shared key must match the one on FW_A.

        [FW_C] ike peer a
        [FW_C-ike-peer-a] ike-proposal 10
        [FW_C-ike-peer-a] remote-address 1.1.1.1
        [FW_C-ike-peer-a] pre-shared-key Admin@123
        [FW_C-ike-peer-a] quit

      4. Configure an IPSec proposal named tran1, identical to the one on FW_A.

        [FW_C] ipsec proposal tran1
        [FW_C-ipsec-proposal-tran1] encapsulation-mode tunnel
        [FW_C-ipsec-proposal-tran1] transform esp
        [FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [FW_C-ipsec-proposal-tran1] quit

      5. Configure IPSec policy group map1. Because FW_C knows the remote address, it uses a normal ISAKMP policy (the initiator side) rather than a policy template.

        [FW_C] ipsec policy map1 10 isakmp
        [FW_C-ipsec-policy-isakmp-map1-10] security acl 3000
        [FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
        [FW_C-ipsec-policy-isakmp-map1-10] ike-peer a
        [FW_C-ipsec-policy-isakmp-map1-10] quit

      6. Apply policy group map1 to the outbound interface GE1/0/1.

        [FW_C] interface gigabitethernet 1/0/1
        [FW_C-GigabitEthernet1/0/1] ipsec policy map1
        [FW_C-GigabitEthernet1/0/1] quit
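On both FW_A and FW_C the guide creates ike proposal 10 without setting any parameter, so IKE phase 1 runs with whatever algorithms and DH group the device defaults to. As an added example, not part of the original guide, here is the same proposal on FW_A with the weak (empty) form next to the form with the algorithms pinned explicitly. The keywords are those of USG6000 V500 and are an assumption here; they differ between VRP versions, so confirm them on your device with display ike proposal before copying.

```text
# Weak: the proposal exists but every parameter is left at the device default
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] quit

# Hardened: pin the algorithms and the DH group (assumed USG6000 V500 keywords)
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] authentication-algorithm sha2-256
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] quit

# Check what the device will actually offer
[FW_A] display ike proposal
```

Enter exactly the same settings under ike proposal 10 on FW_C: IKE only succeeds if the initiator's proposal matches one the responder accepts, and a mismatch shows up as a phase 1 failure with no IKE SA in display ike sa. The proposal is part of the IPSec configuration backed up to FW_B by HRP, so it does not have to be repeated there.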
  5. Configure the switches. Add each switch interface shown in Figure 1 to the same VLAN. For the specific commands, refer to the documentation of the switch.

Result verification

  1. Run display hrp state on FW_A and FW_B and confirm that FW_A is in the active role and FW_B in the standby role before testing the tunnel.
  2. A branch intranet host on 10.4.1.0/24 accesses a server on 10.3.0.0/24 at headquarters, and the access succeeds.
  3. Run display ike sa and display ipsec sa on FW_A and on FW_B. If the IPSec SA entries appear on both devices, the IPSec tunnel has been established and its state has been backed up to FW_B.
  4. Disconnect GE1/0/3 or GE1/0/2 of FW_A. The VGMP group on FW_A loses priority, FW_B becomes active, and the branch traffic switches to FW_B without the tunnel being re-negotiated.


Origin blog.csdn.net/guolianggsta/article/details/127372973