组网需求
如图1-1所示,企业希望总部和分支的内网可以安全互访,且分支和总部间要能够传送组播数据(例如企业内网部部署了动态路由,动态路由交互过程中存在组播报文交互)。由于单纯的IPSec隧道不能传送组播数据,而GRE隧道具备传送组播数据的能力,为了满足用户需求,需要在NGFW和AR设备间建立GRE over IPSec隧道。
图1-1 GRE over IPSec对接组网
配置项 | NGFW | AR | |
设备信息 | l 设备型号:USG6330 l 软件版本:V100R001C30 | l 设备型号:AR2220 l 软件版本:V200R007C00 | |
IPSec安全提议 | 封装模式 | 隧道模式 | 隧道模式 |
安全协议 | ESP | ESP | |
ESP协议验证算法 | SHA2-256 | SHA2-256 | |
ESP协议加密算法 | AES-128 | AES-128 | |
DH Group | GROUP2 | GROUP2 | |
IKE对等体 | 协商模式 | 主模式 | 主模式 |
加密算法 | AES-128 | AES-128 | |
认证算法 | SHA2-256 | SHA2-256 | |
预共享密钥 | Key123 | Key123 | |
身份类型 | IP地址 | IP地址 | |
版本 | V1 | V1 |
操作步骤
步骤 1 配置NGFW。
1. 配置接口IP地址,并将接口加入安全区域。
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[NGFW-GigabitEthernet1/0/2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/2
[NGFW-zone-untrust] quit
2. 配置到NGFW连接到Internet的缺省路由,假设下一跳为1.1.3.2。
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
3. 配置域间安全策略。
a. 配置Trust域与Untrust域的安全策略,允许IPSec封装前和解封装后的原始报文能通过NGFW。
[NGFW] security-policy
[NGFW-policy-security] rule name 1
[NGFW-policy-security-rule-1] source-zone untrust
[NGFW-policy-security-rule-1] destination-zone trust
[NGFW-policy-security-rule-1] source-address 10.1.3.0 24
[NGFW-policy-security-rule-1] destination-address 10.1.1.0 24
[NGFW-policy-security-rule-1] action permit
[NGFW-policy-security-rule-1] quit
[NGFW-policy-security] rule name 2
[NGFW-policy-security-rule-2] source-zone trust
[NGFW-policy-security-rule-2] destination-zone untrust
[NGFW-policy-security-rule-2] source-address 10.1.1.0 24
[NGFW-policy-security-rule-2] destination-address 10.1.3.0 24
[NGFW-policy-security-rule-2] action permit
[NGFW-policy-security-rule-2] quit
b. 配置Local域与Untrust域的安全策略,允许IKE协商报文能正常通过NGFW。
[NGFW-policy-security] rule name 3
[NGFW-policy-security-rule-3] source-zone local
[NGFW-policy-security-rule-3] destination-zone untrust
[NGFW-policy-security-rule-3] source-address 1.1.3.1 32
[NGFW-policy-security-rule-3] destination-address 1.1.5.1 32
[NGFW-policy-security-rule-3] action permit
[NGFW-policy-security-rule-3] quit
[NGFW-policy-security] rule name 4
[NGFW-policy-security-rule-4] source-zone untrust
[NGFW-policy-security-rule-4] destination-zone local
[NGFW-policy-security-rule-4] source-address 1.1.5.1 32
[NGFW-policy-security-rule-4] destination-address 1.1.3.1 32
[NGFW-policy-security-rule-4] action permit
[NGFW-policy-security-rule-4] quit
4. 配置GRE隧道。
[NGFW] interface tunnel 1
[NGFW-Tunnel1] tunnel-protocol gre
[NGFW-Tunnel1] ip address 172.16.1.1 24
[NGFW-Tunnel1] source 1.1.3.1
[NGFW-Tunnel1] destination 1.1.5.1
[NGFW-Tunnel1] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface tunnel 1
[NGFW-zone-untrust] quit
5. 配置IPSec策略。
a. 配置访问控制列表,定义需要保护的数据流。
[NGFW] acl 3000
[NGFW-acl-adv-3000] rule permit ip source 1.1.3.1 0 destination 1.1.5.1 0
[NGFW-acl-adv-3000] quit
b. 配置IPSec安全提议。
[NGFW] ipsec proposal tran1
[NGFW-ipsec-proposal-tran1] transform esp
[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[NGFW-ipsec-proposal-tran1] quit
c. 创建IKE安全提议。
[NGFW] ike proposal 1
[NGFW-ike-proposal-1] encryption-algorithm aes-128
[NGFW-ike-proposal-1] authentication-algorithm sha2-256
[NGFW-ike-proposal-1] dh group2
[NGFW-ike-proposal-1] quit
d. 配置IKE对等体。
[NGFW] ike peer ar
[NGFW-ike-peer-ar] undo version 2
[NGFW-ike-peer-ar] exchange-mode main
[NGFW-ike-peer-ar] ike-proposal 1
[NGFW-ike-peer-ar] pre-shared-key Key123
[NGFW-ike-peer-ar] remote-address 1.1.5.1
[NGFW-ike-peer-ar] quit
e. 配置isakmp方式的IPSec策略。
[NGFW] ipsec policy map1 1 isakmp
[NGFW-ipsec-policy-isakmp-map1-1] ike-peer ar
[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1
[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000
[NGFW-ipsec-policy-isakmp-map1-1] quit
f. 在接口GigabitEthernet 1/0/2上应用IPSec策略。
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ipsec policy map1
[NGFW-GigabitEthernet1/0/2] quit
步骤 2 配置AR设备。
1. 配置AR接口的IP地址。
<Huawei> system-view
[Huawei] sysname AR
[AR] interface GigabitEthernet 0/0/1
[AR-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[AR-GigabitEthernet0/0/1] quit
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ip address 1.1.5.1 24
[AR-GigabitEthernet0/0/2] quit
2. 配置GRE隧道。
[AR] interface tunnel 0/0/2
[AR-Tunnel0/0/2] tunnel-protocol gre
[AR-Tunnel0/0/2] ip address 172.16.1.2 24
[AR-Tunnel0/0/2] source 1.1.5.1
[AR-Tunnel0/0/2] destination 1.1.3.1
[AR-Tunnel0/0/2] quit
3. 配置AR路由。
#配置AR连接到Internet的缺省路由,假设下一跳地址为1.1.5.2。
[AR] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
#配置AR到总部内网的路由,出接口为Tunnel0/0/2接口。
[AR] ip route-static 10.1.1.0 24 tunnel 0/0/2
4. 配置IPSec策略。
a. 配置访问控制列表,定义需要保护的数据流。
[AR] acl 3000
[AR-acl-adv-3000] rule permit ip source 1.1.5.1 0 destination 1.1.3.1 0
[AR-acl-adv-3000] quit
b. 配置IPSec安全提议。
[AR] ipsec proposal tran1
[AR-ipsec-proposal-tran1] transform esp
[AR-ipsec-proposal-tran1] encapsulation-mode tunnel
[AR-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[AR-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[AR-ipsec-proposal-tran1] quit
c. 创建IKE安全提议。
[AR] ike proposal 1
[AR-ike-proposal-1] encryption-algorithm aes-cbc-128
[AR-ike-proposal-1] authentication-algorithm sha2-256
[AR-ike-proposal-1] dh group2
[AR-ike-proposal-1] quit
d. 配置和对端相同的SHA2加解密方式。
[AR] ipsec authentication sha2 compatible enable
e. 配置IKE对等体。
[AR] ike peer ngfw v1 /*参数v1表示IKE使用v1版本进行IKE协商。/
[AR-ike-peer-ngfw] exchange-mode main
[AR-ike-peer-ngfw] ike-proposal 1
[AR-ike-peer-ngfw] pre-shared-key cipher Key123
[AR-ike-peer-ngfw] remote-address 1.1.3.1
[AR-ike-peer-ngfw] nat traversal
[AR-ike-peer-ngfw] quit
f. 配置isakmp方式的IPSec策略。
[AR] ipsec policy map1 1 isakmp
[AR-ipsec-policy-isakmp-map1-1] ike-peer ngfw
[AR-ipsec-policy-isakmp-map1-1] proposal tran1
[AR-ipsec-policy-isakmp-map1-1] security acl 3000
[AR-ipsec-policy-isakmp-map1-1] quit
g. 在接口GigabitEthernet 0/0/2上应用IPSec策略。
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ipsec policy map1
[AR-GigabitEthernet0/0/2] quit
----结束
结果验证
1. 配置完成后,使用分支下的用户Ping总部下的用户。
2. 正常情况下,分支访问总部的数据流将会触发两台网关之间建立IPSec隧道。此处在NGFW上查看IKE SA的建立情况,可以看到IKE SA已经建立成功。
<NGFW> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id peer flag phase ***
--------------------------------------------------------------------------------------------------
84125 1.1.5.1 RD|A v1:2 public
84121 1.1.5.1 RD|D|A v1:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY
A--ALONE
3. 使用display ipsec sa命令查看IPSec的建立情况,可以看到IPSec SA也已建立成功。
<NGFW> display ipsec sa
===============================
Interface: GigabitEthernet1/0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 1
mode: isakmp
***: public
-----------------------------
connection id: 84125
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 25m 51s
tunnel local : 1.1.3.1 tunnel remote: 1.1.5.1
flow source: 1.1.3.1/255.255.255.255 0/0
flow destination: 1.1.3.2/255.255.255.255 0/0
[inbound ESP SAs]
spi: 3481684812 (0xcf864b4c)
***: public said: 2580 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/2049
max received sequence-number: 5
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 592143329 (0x234b63e1)
***: public said: 2581 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/2049
max sent sequence-number: 6
udp encapsulation used for nat traversal: N
强叔点评
l 在GRE over IPSec场景中,GRE隧道和IPSec共同使用公网接口建立隧道。因此GRE隧道的源地址就是建立IPSec隧道的公网接口IP地址。
l 由于本例中AR使用的是V200R007C00软件版本,该版本与NGFW通过SHA2认证算法进行IPSec对接时,会存在SHA2算法不一致的问题。SHA2算法不一致会造成报文加解密失败,进而造成业务不通的现象。因此,在本例中ipsec authentication sha2 compatible enable是必配命令。
转载于:https://blog.51cto.com/wangheyu1/2338110