
要求在FW1、FW2之间部署站点到站点的IPSecVPN,使得两个站点内网的PC:PC1及PC2能够 安全的互相访问;PC1可以使用目的IP地址192.168.2.1来访问PC2,同理,PC2也可以使用PC1的 真实IP地址来对其进行访问。
Local与Untrust区域间的outbound方向要放行源为200.1.1.1、目的为200.2.2.2的流量; Local与Untrust区域间的Inbound方向要放行源为200.2.2.2、目的为200.1.1.1的流量; 必须放开上述流量,否则IPSecVPN隧道无法正常建立。
Trust与Untrust的outbound方向要放行源为192.168.1.0/24、目的为192.168.2.0/24的流量; Trust与Untrust的inbound方向要放行源为192.168.2.0/24、目的为192.168.1.0/24的流量。 必须放开上述流量,否则PC1与PC2无法互访。
FW1的配置如下
FW2的配置如下:
注意:在商业局点中部署IPSec VPN时,相关加密、哈希算法需采用更为安全、更为高级的算法。 另外,在部署IPSecVPN时,隧道两端的防火墙必须使用完全相同的策略,包括加密算法、哈希算法、DH等等。 完成配置后,可在两个PC之间相互执行ping操作,产生的流量将触发防火墙之间的IPSecVPN隧道协商。
Internet路由器的配置如下:
[Internet] interface GigabitEthernet0/0/0
[Internet-GigabitEthernet0/0/0] ip address 200.1.1.2 255.255.255.0
[Internet] interface GigabitEthernet0/0/1
[Internet-GigabitEthernet0/0/1] ip address 200.2.2.1 255.255.255.0 完成配置后,PC1与PC2即可互相访问。在防火墙上做查看。使用display ike sa命令可查看IKE协 商方式(本实验采用的方式)建立的安全联盟(SA)的相关信息:
在上述输出中,flag列中的RD意为READY,表示此SA已建立成功。ST(STAYALIVE):表示此 端是通道协商发起方。
在防火墙上使用display ipsec sa可查看协商后所产生的IPSec安全联盟,这是非常关键的信息:

在完成上述配置后,我们再考虑一个新增需求:FW1下挂的192.168.1.0/24的子网除了需要通过
IPSecVPN隧道访问PC2所在的网络,同时还需要访问Internet,该如何实现呢? 首先要让192.168.1.0/24的子网用户能够访问Internet,那肯定是要部署源地址NAT的,我们这里做 一个基于地址池的源地址NAT,地址池使用200.1.1.10到200.1.1.20这个区间。但是在部署的时候 要注意,如果直接将NAT部署上去,就会影响到已经实施好的IPSecVPN,因为192.168.1.0/24访 问192.168.2.0/24的流量也会被NAT执行源地址转换,这样一来数据包的源地址就发生了变更,而 这在IPSecVPN看来就不是一个感兴趣的流量了(无法被ACL3000匹配),也就无法正常的进入 IPSecVPN隧道进行转发。
所以在IPSecVPN环境中部署NAT需格外注意。在我们这个场景中,部署NAT时,切记要将 192.168.1.0/24访问192.168.2.0/24的流量排除在NAT的范围之外。
FW1增加配置如下:
如此一来,PC1即可以通过IPSecVPN隧道访问PC2,又能够直接访问Internet。
#配置接口IP地址:
[FW1] interface GigabitEthernet0/0/1
[FW1-GigabitEthernet0/0/1] ip address 192.168.1.254 255.255.255.0
[FW1] interface GigabitEthernet0/0/2
[FW1-GigabitEthernet0/0/2] ip address 200.1.1.1 255.255.255.0
#将接口关联到相应的安全域:
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet0/0/1
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet0/0/2
#配置默认路由:
[FW1] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
#定义IPSecVPN感兴趣数据流,使用ACL3000来匹配感兴趣流量:
[FW1] acl number 3000
[FW1-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination
192.168.2.0 0.0.0.255
[FW1-acl-adv-3000] quit
#配置IKE Proposal,这是IKE阶段一的策略:
[FW1] ike proposal 10
[FW1-ike-proposal-10] authentication-method pre-share
[FW1-ike-proposal-10] authentication-algorithm sha1
[FW1-ike-proposal-10] encryption-algorithm 3des-cbc
[FW1-ike-proposal-10] quit
#配置IPsec proposal,这是IKE阶段二的策略:
[FW1] ipsec proposal myset
[FW1-ipsec-proposal-myset] transform esp
[FW1-ipsec-proposal-myset] esp authentication-algorithm sha1
[FW1-ipsec-proposal-myset] esp encryption-algorithm 3des
#配置IKE peer,定义预共享秘钥、关联IKE proposal并指定隧道对端防火墙的IP:
[FW1] ike peer fw2
[FW1-ike-peer-b] pre-shared-key huawei
[FW1-ike-peer-b] ike-proposal 10
[FW1-ike-peer-b] remote-address 200.2.2.2
#配置IPsec Policy:
[FW1] ipsec policy mymap 10 isakmp
[FW1-ipsec-policy-isakmp-mymap-10] security acl 3000
[FW1-ipsec-policy-isakmp-mymap-10] ike-peer fw2
[FW1-ipsec-policy-isakmp-mymap-10] proposal myset
#应用IPsec Policy到接口:
[FW1] interface GigabitEthernet0/0/2
[FW1-GigabitEthernet0/0/2] ipsec policy mymap
#放开FW1发送往FW2的IPSecVPN协商流量:
[FW1] policy interzone local untrust outbound
[FW1-policy-interzone-local-untrust-outbound] policy 10
[FW1-policy-interzone-local-untrust-outbound-10] policy destination 200.2.2.2 0
[FW1-policy-interzone-local-untrust-outbound-10] action permit
#放开FW2发送过来的IPSecVPN协商流量:
[FW1] policy interzone local untrust inbound
[FW1-policy-interzone-local-untrust-inbound] policy 10
[FW1-policy-interzone-local-untrust-inbound-10] policy source 200.2.2.2 0
[FW1-policy-interzone-local-untrust-inbound-10] action permit
#放开对端站点内网访问本地站点内网的流量:
[FW1] policy interzone trust untrust inbound
[FW1-policy-interzone-trust-untrust-inbound] policy 10
[FW1-policy-interzone-trust-untrust-inbound-10] policy source 192.168.2.0
0.0.0.255
[FW1-policy-interzone-trust-untrust-inbound-10] policy destination 192.168.1.0
0.0.0.255
[FW1-policy-interzone-trust-untrust-inbound-10] action permit
#放开本地站点内网到对端站点内网的流量:
[FW1] policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound] policy 10
[FW1-policy-interzone-trust-untrust-outbound-10] policy source 192.168.1.0
0.0.0.255
[FW1-policy-interzone-trust-untrust-outbound-10] policy destination 192.168.2.0
0.0.0.255
[FW1-policy-interzone-trust-untrust-outbound-10] action permit[FW2] interface GigabitEthernet0/0/1
[FW2-GigabitEthernet0/0/1] ip address 192.168.2.254 255.255.255.0
[FW2] interface GigabitEthernet0/0/2
[FW2-GigabitEthernet0/0/2] ip address 200.2.2.2 255.255.255.0
[FW2] firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet0/0/1
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet0/0/2
[FW2] ip route-static 0.0.0.0 0.0.0.0 200.2.2.1
#定义IPSecVPN感兴趣数据流,使用ACL3000来匹配感兴趣流量:
[FW2] acl number 3000
[FW2-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination
192.168.1.0 0.0.0.255
[FW2-acl-adv-3000] quit
#配置IKE Proposal,这是IKE阶段一的策略:
[FW2] ike proposal 10
[FW2-ike-proposal-10] authentication-method pre-share
[FW2-ike-proposal-10] authentication-algorithm sha1
[FW2-ike-proposal-10] encryption-algorithm 3des-cbc
[FW2-ike-proposal-10] quit
#配置IPsec proposal,这是IKE阶段二的策略:
[FW2] ipsec proposal myset
[FW2-ipsec-proposal-myset] transform esp
[FW2-ipsec-proposal-myset] esp authentication-algorithm sha1
[FW2-ipsec-proposal-myset] esp encryption-algorithm 3des
#配置IKE peer,定义预共享秘钥、关联IKE proposal并指定隧道对端防火墙的IP:
[FW2] ike peer fw1
[FW2-ike-peer-a] pre-shared-key huawei
[FW2-ike-peer-a] ike-proposal 10
[FW2-ike-peer-a] remote-address 200.1.1.1
#配置IPsec Policy:
[FW2] ipsec policy mymap 10 isakmp
[FW2-ipsec-policy-isakmp-mymap-10] security acl 3000
[FW2-ipsec-policy-isakmp-mymap-10] ike-peer fw1
[FW2-ipsec-policy-isakmp-mymap-10] proposal myset
#应用IPsec Policy到接口:
[FW2] interface GigabitEthernet0/0/2
[FW2-GigabitEthernet0/0/2] ipsec policy mymap
#放开防火墙发送给FW2的IPSecVPN协商流量:
[FW2] policy interzone local untrust outbound
[FW2-policy-interzone-local-untrust-outbound] policy 10
[FW2-policy-interzone-local-untrust-outbound-10] policy destination 200.1.1.1 0
[FW2-policy-interzone-local-untrust-outbound-10] action permit
#放开FW2发送过来的IPSecVPN协商流量:
[FW2] policy interzone local untrust inbound
[FW2-policy-interzone-local-untrust-inbound] policy 10
[FW2-policy-interzone-local-untrust-inbound-10] policy source 200.1.1.1 0
[FW2-policy-interzone-local-untrust-inbound-10] action permit
#放开对端站点内网访问本地站点内网的流量:
[FW2] policy interzone trust untrust inbound
[FW2-policy-interzone-trust-untrust-inbound] policy 10
[FW2-policy-interzone-trust-untrust-inbound-10] policy source 192.168.1.0
0.0.0.255
[FW2-policy-interzone-trust-untrust-inbound-10] policy destination 192.168.2.0
0.0.0.255
[FW2-policy-interzone-trust-untrust-inbound-10] action permit
#放开本地站点内网到对端站点内网的流量:
[FW2] policy interzone trust untrust outbound
[FW2-policy-interzone-trust-untrust-outbound] policy 10
[FW2-policy-interzone-trust-untrust-outbound-10] policy source 192.168.2.0
0.0.0.255
[FW2-policy-interzone-trust-untrust-outbound-10] policy destination 192.168.1.0
0.0.0.255
[FW2-policy-interzone-trust-untrust-outbound-10] action permit [FW1] display ike sa
current ike sa number: 2 -----------------------------------------------------------------------------
conn-id peer flag phase vpn -----------------------------------------------------------------------------
40001 200.2.2.2 RD|ST v2:2 public
1 200.2.2.2 RD|ST v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD [FW1]display ipsec sa
===============================
Interface: GigabitEthernet0/0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "mymap"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 6m 9s
tunnel local : 200.1.1.1 tunnel remote: 200.2.2.2
flow source: 192.168.1.0-192.168.1.255 0-65535 0
flow destination: 192.168.2.0-192.168.2.255 0-65535 0
[inbound ESP SAs]
spi: 3796720173 (0xe24d5a2d)
vpn: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436560/3231
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2146809471 (0x7ff5b67f)
vpn: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436500/3231
max sent sequence-number: 6
udp encapsulation used for nat traversal: N#配置NAT地址池:
[FW1] nat address-group 1 200.1.1.10 200.1.1.20
#配置NAT策略,其中policy 10用于匹配192.168.1.0/24到192.168.2.0/24的流量,注意,这里执行的
动作必须是no-nat,因为这些流量是不能被NAT的,否则就不满足IPsec VPN受保护流量的条件了。policy
20用于匹配192.168.1.0/24访问Internet的流量,这些流量需做源地址转换,使用nat地址池1:
[FW1] nat-policy interzone trust untrust outbound
[FW1-nat-policy-interzone-trust-untrust-outbound] policy 10
[FW1-nat-policy-interzone-trust-untrust-outbound-10] policy source 192.168.1.0
0.0.0.255
[FW1-nat-policy-interzone-trust-untrust-outbound-10] policy destination
192.168.2.0 0.0.0.255
[FW1-nat-policy-interzone-trust-untrust-outbound-10] action no-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-10] quit
[FW1-nat-policy-interzone-trust-untrust-outbound] policy 20
[FW1-nat-policy-interzone-trust-untrust-outbound-20] policy source 192.168.1.0
0.0.0.255
[FW1-nat-policy-interzone-trust-untrust-outbound-20] address-group 1
[FW1-nat-policy-interzone-trust-untrust-outbound-20] action source-nat
#修改Trust到Untrust的区域间安全策略,使得内网用户能够访问Internet:
[FW1] policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound] policy 20
[FW1-policy-interzone-trust-untrust-outbound-20] policy source 192.168.1.0
0.0.0.255
[FW1-policy-interzone-trust-untrust-outbound-20] action permit