一、拓扑图
在FW1和FW2间建立GRE Over IPSec,使PC1、PC2互通
二、底层配置
R1:
sysname R1
#
interface GigabitEthernet0/0/0
ip address 155.1.121.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 155.1.131.1 255.255.255.0
#
interface LoopBack0
ip address 150.1.1.1 255.255.255.255
#
防火墙基础配置
配置接口IP地址,并将接口划分到安全区域
配置安全策略,放行防火墙自身发起的流量
配置缺省静态路由
FW1:
sysname FW1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 155.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.12 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 155.1.121.1
#
security-policy
rule name local->any
source-zone local
action permit
#
FW2:
sysname FW2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 155.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.13 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 155.1.131.1
#
security-policy
rule name local->any
source-zone local
action permit
#
测试访问R1的Loopback
三、配置GRE
Tunnel接口划分到DMZ区域
放行untrust到local的gre流量(GRE协议号47)
FW1:
interface Tunnel0
ip address 10.0.0.12 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/0
destination 155.1.131.13
service-manage ping permit
#
firewall zone dmz
add interface Tunnel0
#
security-policy
rule name out->local
source-zone untrust
destination-zone local
service gre
action permit
#
FW2:
interface Tunnel0
ip address 10.0.0.13 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/0
destination 155.1.121.12
service-manage ping permit
#
firewall zone dmz
add interface Tunnel0
#
security-policy
rule name out->local
source-zone untrust
destination-zone local
service gre
action permit
#
ping Tunnel接口
查看抓包
此时还没有加密
四、配置OSPF
把内网及Tunnel接口宣告到OSPF,千万不要宣告外网接口
FW1&FW2:
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
查看OSPF邻居及路由
五、配置IPSec
提供两种配置方法:
- 接口调用ipsec policy
- 接口调用ipsec profile
封装模式为传输模式,隧道模式虽然也可以,但是报头比传输模式大,增加开销
ACL匹配GRE流量
在物理接口调用ipsec policy
方法一(调用ipsec policy)
FW1:
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
#
ike peer FW2
pre-shared-key huawei@123
ike-proposal 10
remote-address 155.1.131.13
#
ipsec proposal PRO1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
acl number 3000
rule 5 permit gre
#
ipsec policy FW1_FW2 10 isakmp
security acl 3000
ike-peer FW2
proposal PRO1
#
interface GigabitEthernet1/0/0
ipsec policy FW1_FW2
#
FW2:
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
#
ike peer FW1
pre-shared-key huawei@123
ike-proposal 10
remote-address 155.1.121.12
#
ipsec proposal PRO1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
acl number 3000
rule 5 permit gre
#
ipsec policy FW1_FW2 10 isakmp
security acl 3000
ike-peer FW1
proposal PRO1
#
interface GigabitEthernet1/0/0
ipsec policy FW1_FW2
#
方法二(调用ipsec profile)
FW1:
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
#
ike peer FW2
pre-shared-key huawei@123
ike-proposal 10
remote-address 155.1.131.13
#
ipsec proposal PRO1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec profile FW1_FW2
ike-peer FW2
proposal PRO1
#
interface Tunnel0
ipsec profile FW1_FW2
#
FW2:
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
#
ike peer FW1
pre-shared-key huawei@123
ike-proposal 10
remote-address 155.1.121.12
#
ipsec proposal PRO1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec profile FW1_FW2
ike-peer FW2
proposal PRO1
#
interface Tunnel0
ipsec profile FW1_FW2
#
六、配置安全策略
由于GRE被IPSec加密,untrust到local的流量放行esp和ike的流量
- ike的udp端口号500
- esp协议号50
允许外部流量主动访问内网
- 放行dmz到trust的流量
允许内部流量主动发起访问
- 放行trust->dmz的流量
FW1:
security-policy
rule name out->local
source-zone untrust
destination-zone local
service esp
undo service gre
action permit
rule name vpn_in
source-zone dmz
destination-zone trust
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name vpn_out
source-zone trust
destination-zone dmz
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
#
FW2:
security-policy
rule name local->any
source-zone local
action permit
rule name out->local
source-zone untrust
destination-zone local
service esp
action permit
rule name vpn_in
source-zone dmz
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
rule name vpn_out
source-zone trust
destination-zone dmz
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
#
查看IKE SA
测试PC互访
抓包
流量已被加密
查看IPSec SA
拓展
PC1访问PC2,查看FW1的会话表
FW1发出的ESP报文对应的方向为untrust->local,表示FW1在接收ESP报文,实际上不应该是FW1发出ESP报文,对应方向为local->untrust吗?
原来FW1加密后发出的ESP报文是不建立会话的,不走防火墙转发流程,当然也不做安全策略检查。但是防火墙收到ESP报文进行解密时,需要先建会话走转发流程,做安全策略检查,所以这条会话对应FW1接收到的ESP报文。ISAKMP协商报文的收发都需要走转发流程,所以不存在这个问题。