IPsec VPN Comprehensive Lab

I. Lab Objectives and Topology

Lab objectives:

1. At headquarters, build dual-system hot backup (HRP) between two firewalls.

2. At the branch, use NAT Server on the router to publish the branch firewall's IKE ports to the outside.

3. Establish site-to-site IPsec VPN between the branch and headquarters, with load sharing across the two HQ firewalls.

II. Basic Configuration

Configure the interface addresses as shown in the topology.

III. Detailed Configuration

(1) Dual-system hot backup (HRP) configuration

The heartbeat link is GigabitEthernet1/0/2 (FW1 10.0.0.12, FW2 10.0.0.13). `hrp mirror session enable` mirrors the session table to the standby so established flows survive a failover, and `hrp standby config enable` allows configuration commands to be entered on the standby unit.

FW1:

#
 hrp enable
 hrp interface GigabitEthernet1/0/2 remote 10.0.0.13
 hrp mirror session enable
 hrp standby config enable
#

FW2:

#
 hrp enable
 hrp interface GigabitEthernet1/0/2 remote 10.0.0.12
 hrp mirror session enable
 hrp standby config enable
#

(2) VPN configuration

1. HQ site configuration on FW1 and FW2

The ACL, proposals, IKE peer and IPsec policy below are the same on both HQ firewalls. ACL 3000 defines the interesting traffic as anything from 10.1.0.0/16 to 10.1.0.0/16, and the HQ side identifies the branch by 155.1.12.14, the public address that R2 maps to FW3's outside interface (see section (3)). Two caveats before reusing this outside a lab: `ike proposal 10` and `ipsec proposal LAN_SET` negotiate 3DES, DH group 2 and SHA-1, all of which are deprecated, so prefer the algorithm set of the `default` proposal (AES, DH group 14, SHA-2) on both ends; and the pre-shared key HUAWEI is a placeholder, not a usable secret.

FW1 binds LAN_MAP to Vlanif121 (155.1.121.12); FW2 binds it to Vlanif131 (155.1.131.13) with the `alone` keyword, so the IPsec state on that interface is owned by FW2 itself rather than backed up through HRP. That is what gives FW3 two independent tunnel endpoints to load-share across.

acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW3
 pre-shared-key HUAWEI
 ike-proposal 10
 remote-address 155.1.12.14
#
ipsec policy LAN_MAP 10 isakmp
 security acl 3000
 ike-peer FW3
 proposal LAN_SET
 sa trigger-mode auto
#

FW1:
#
interface Vlanif121
 ip address 155.1.121.12 255.255.255.0
 ipsec policy LAN_MAP
#

FW2:

#
interface Vlanif131
 ip address 155.1.131.13 255.255.255.0
 ipsec policy LAN_MAP alone
#
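
An added example, not part of the original lab, that checks proposal blocks like the ones above for deprecated algorithms. The input is a constructed copy of the page's `ike proposal default`, `ike proposal 10` and `ipsec proposal LAN_SET`; the weak-algorithm table is an assumed hardening baseline, not something the page states.

```python
"""Audit Huawei VRP `ike proposal` / `ipsec proposal` blocks for weak algorithms.

Added example, not part of the original lab. SAMPLE is a constructed copy of the
page's proposals; WEAK is an assumed hardening baseline (3DES/DES, MD5/SHA-1 and
DH groups 1/2/5 are deprecated for new deployments).
"""
import re

WEAK = {
    "encryption-algorithm": {"des", "3des"},
    "authentication-algorithm": {"md5", "sha1"},
    "integrity-algorithm": {"hmac-md5", "hmac-sha1"},
    "prf": {"hmac-md5", "hmac-sha1"},
    "dh": {"group1", "group2", "group5"},
    "esp encryption-algorithm": {"des", "3des"},
    "esp authentication-algorithm": {"md5", "sha1"},
}

# Constructed input: the three proposals from the HQ firewall configuration.
SAMPLE = """\
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
"""


def parse_proposals(text):
    """Return {"ike proposal 10": {"dh": ["group2"], ...}, ...} from config text."""
    proposals, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":        # block separator ends the current proposal
            current = None
            continue
        m = re.match(r"^(ike|ipsec) proposal (\S+)$", line)
        if m:
            current = f"{m.group(1)} proposal {m.group(2)}"
            proposals[current] = {}
            continue
        if current is None:                # lines outside a proposal are ignored
            continue
        parts = line.split()
        if parts[0] == "esp":              # "esp encryption-algorithm 3des"
            key, values = " ".join(parts[:2]), parts[2:]
        else:                              # "encryption-algorithm aes-256 aes-192"
            key, values = parts[0], parts[1:]
        proposals[current].setdefault(key, []).extend(values)
    return proposals


def audit(text):
    """Return {proposal: ["dh group2", ...]}; an empty list means no weak settings."""
    report = {}
    for name, settings in parse_proposals(text).items():
        report[name] = [f"{key} {v}" for key, values in settings.items()
                        for v in values if v in WEAK.get(key, ())]
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", ", ".join(findings) or "no weak algorithms")
```

Run it against a `display current-configuration` dump to get a per-proposal list of findings; the `default` proposal comes back clean while `10` and `LAN_SET` are flagged on every weak setting.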

Adjust the security policy

Two things to note in the policy below. First, `default action permit` means any traffic that misses the explicit rules is still allowed, so the permit rules do not actually restrict anything; keep the default at deny in anything but a lab. Second, OUT_TO_LOCAL opens UDP 500/4500 from any untrust source; adding `source-address 155.1.12.14 mask 255.255.255.255` limits IKE exposure to the branch peer.

HRP_M[FW1-policy-security]dis th
2024-08-06 02:50:25.360 
#
security-policy
 default action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  destination-address 10.1.100.100 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
 rule name FOR_VPN
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name OUT_TO_LOCAL
  source-zone untrust
  destination-zone local
  service protocol udp destination-port 4500
  service protocol udp destination-port 500
  action permit

#
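
To make the default-action point concrete, here is an added example (not from the page) that parses a `security-policy` block in this format and evaluates flows against it first-match, top to bottom, the way the firewall does. The policy text is a constructed copy of the FW1 policy above; the probe flows and the `harden` helper are assumptions.

```python
"""First-match evaluation of a Huawei `security-policy` block.

Added example, not part of the original lab. FW1_POLICY is a constructed copy of
the HQ policy shown above; the probe flows and the harden() helper are
assumptions used to show why `default action permit` matters.
"""
import ipaddress
import re

FW1_POLICY = """\
security-policy
 default action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  destination-address 10.1.100.100 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
 rule name FOR_VPN
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name OUT_TO_LOCAL
  source-zone untrust
  destination-zone local
  service protocol udp destination-port 4500
  service protocol udp destination-port 500
  action permit
"""


def parse_policy(text):
    """Return (default_action, [rule, ...]); a field left empty in a rule means 'any'."""
    default_action, rules, rule = "deny", [], None   # USG default is deny when no line is present
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("default action "):
            default_action = line.split()[-1]
        elif line.startswith("rule name "):
            rule = {"name": line[len("rule name "):], "src_zones": set(), "dst_zones": set(),
                    "src_nets": [], "dst_nets": [], "services": [], "action": "deny"}
            rules.append(rule)
        elif rule is None:
            continue
        elif line.startswith("source-zone "):
            rule["src_zones"].add(line.split()[1])
        elif line.startswith("destination-zone "):
            rule["dst_zones"].add(line.split()[1])
        elif line.startswith(("source-address ", "destination-address ")):
            kind, addr, _, mask = line.split()          # "... 10.1.0.0 mask 255.255.0.0"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rule["src_nets" if kind == "source-address" else "dst_nets"].append(net)
        elif line.startswith("service protocol "):
            m = re.match(r"service protocol (\w+) destination-port (\d+)", line)
            rule["services"].append((m.group(1), int(m.group(2))))
        elif line.startswith("action "):
            rule["action"] = line.split()[1]
    return default_action, rules


def _matches(rule, flow):
    src_zone, dst_zone, src_ip, dst_ip, proto, dport = flow
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return ((not rule["src_zones"] or src_zone in rule["src_zones"])
            and (not rule["dst_zones"] or dst_zone in rule["dst_zones"])
            and (not rule["src_nets"] or any(src in n for n in rule["src_nets"]))
            and (not rule["dst_nets"] or any(dst in n for n in rule["dst_nets"]))
            and (not rule["services"] or (proto, dport) in rule["services"]))


def evaluate(policy_text, flow):
    """Return (rule name or 'default', action); flow = (src_zone, dst_zone, src_ip, dst_ip, proto, dport)."""
    default_action, rules = parse_policy(policy_text)
    for rule in rules:                      # rules are matched top to bottom, first hit wins
        if _matches(rule, flow):
            return rule["name"], rule["action"]
    return "default", default_action


def harden(policy_text):
    """Assumed fix: keep the rules, turn the implicit allow into an implicit deny."""
    return policy_text.replace("default action permit", "default action deny")


if __name__ == "__main__":
    probe = ("untrust", "trust", "203.0.113.9", "10.1.10.10", "tcp", 22)   # matched by no rule
    print("as configured:", evaluate(FW1_POLICY, probe))
    print("hardened:     ", evaluate(harden(FW1_POLICY), probe))
```

The probe flow, SSH from an arbitrary Internet address to an HQ host, matches none of the four rules and is permitted only because of the default action; after `harden()` the same flow is dropped while VPN, web-server and IKE traffic still hit their explicit rules. The same first-match logic is why NO_NAT must precede EASY_IP in the NAT policy further down.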

Adjust routing for reachability between the virtual systems and the root system, and between the virtual systems themselves

The HQ firewall hosts two virtual systems. The root system holds the default route toward 155.1.121.1 and hands the host routes 10.1.10.10 and 10.1.20.10 and the server subnet 10.1.100.0/24 to VRF_A and VRF_B; VRF_A gets a route to VRF_B's 10.1.20.0/24, and VRF_B gets routes to VRF_A's 10.1.10.0/24 and 10.1.100.0/24.

#
ip route-static 0.0.0.0 0.0.0.0 155.1.121.1
ip route-static 10.1.10.10 255.255.255.255 vpn-instance VRF_A
ip route-static 10.1.20.10 255.255.255.255 vpn-instance VRF_B
ip route-static 10.1.100.0 255.255.255.0 vpn-instance VRF_A
ip route-static vpn-instance VRF_A 10.1.20.0 255.255.255.0 vpn-instance VRF_B
ip route-static vpn-instance VRF_B 10.1.10.0 255.255.255.0 vpn-instance VRF_A
ip route-static vpn-instance VRF_B 10.1.100.0 255.255.255.0 vpn-instance VRF_A
#

Adjust the NAT policy so that HQ intranet hosts can reach both the external 155 network and the branch VPN hosts

Rule order matters here: NO_NAT must come before EASY_IP. Traffic from 10.1.0.0/16 to 10.1.0.0/16 must keep its private source address so it still matches ACL 3000 and enters the tunnel, while everything else leaving the intranet is source-NATed to the outgoing interface address.

HRP_M[FW1-policy-nat]dis th
2024-08-07 03:33:20.820 
#
nat-policy
 rule name NO_NAT
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action no-nat
 rule name EASY_IP
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat easy-ip
#

2. Branch site configuration on FW3

FW3 uses the same ACL and proposals as HQ, but defines one IKE peer and one IPsec policy per HQ firewall: FW1 at 155.1.121.12 and FW2 at 155.1.131.13.

#
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW1
 pre-shared-key HUAWEI
 ike-proposal 10
 remote-address 155.1.121.12
ike peer FW2
 pre-shared-key HUAWEI
 ike-proposal 10
 remote-address 155.1.131.13
#
ipsec policy LAN_MAP1 10 isakmp
 security acl 3000
 ike-peer FW1
 proposal LAN_SET
 sa trigger-mode auto
ipsec policy LAN_MAP2 10 isakmp
 security acl 3000
 ike-peer FW2
 proposal LAN_SET
 sa trigger-mode auto
#

Configure the tunnel interfaces and add them to the DMZ zone

Each IPsec-type Tunnel interface borrows the address of GigabitEthernet1/0/0, names one HQ firewall as its destination, and is bound to the matching policy. Placing both tunnels in the dmz zone means decrypted VPN traffic is policed as dmz <-> trust rather than untrust <-> trust.

[FW3-Tunnel1]dis th
#
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 source GigabitEthernet1/0/0
 destination 155.1.121.12
 ipsec policy LAN_MAP1
#

[FW3-Tunnel2]dis th
#
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/0
 tunnel-protocol ipsec
 source GigabitEthernet1/0/0
 destination 155.1.131.13
 ipsec policy LAN_MAP2
#

[FW3]dis zone 
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/1
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/0
#
dmz
 priority is 50
 interface of the zone is (2):
    Tunnel1
    Tunnel2
#

Adjust the security policy

No `default action permit` line appears here, so unmatched traffic is dropped. LOCAL_TO_ANY lets FW3 itself initiate IKE toward HQ, OUT_TO_LOCAL accepts IKE/NAT-T from untrust (again from any source; pinning it to the two HQ addresses would be tighter), and the two dmz rules permit 10.1.0.0/16 traffic in both directions across the tunnels.

[FW3-policy-security]dis th
2024-08-06 03:14:03.740 
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name OUT_TO_LOCAL
  source-zone untrust
  destination-zone local
  service protocol udp destination-port 4500
  service protocol udp destination-port 500
  action permit
 rule name DMZ_TO_IN
  source-zone dmz
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name IN_TO_DMZ
  source-zone trust
  destination-zone dmz
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
#

Adjust routing

Two equal-cost static routes for 10.1.0.0/16, one through each Tunnel interface, are what spread branch-to-HQ flows across the tunnels to FW1 and FW2.

#
ip route-static 10.1.0.0 255.255.0.0 Tunnel1
ip route-static 10.1.0.0 255.255.0.0 Tunnel2
#

(3) Publish FW3's address on R2 with NAT Server

FW3's outside interface has the private address 10.1.142.14; R2 maps UDP 500 and 4500 of the public 155.1.12.14 to it. Because FW3 sits behind NAT, IKEv2 NAT traversal detection moves the exchange to UDP 4500 and carries ESP inside UDP as well, so these two mappings are all that is needed. Raw ESP (IP protocol 50) has no ports and would not survive a port-based mapping like this.

#
interface GigabitEthernet0/0/0
 ip address 155.1.12.2 255.255.255.0 
 nat server protocol udp global 155.1.12.14 500 inside 10.1.142.14 500
 nat server protocol udp global 155.1.12.14 4500 inside 10.1.142.14 4500
#

IV. Results Verification

[FW3]dis ike sa

IKE SA information :
 Conn-ID    Peer                 VPN   Flag(s)     Phase  RemoteType  RemoteID
 ------------------------------------------------------------------------------
 48         155.1.131.13:4500          RD|ST|A     v2:2   IP          155.1.131.13
 38         155.1.131.13:4500          RD|A        v2:1   IP          155.1.131.13
 50         155.1.121.12:4500          RD|ST|A     v2:2   IP          155.1.121.12
 49         155.1.121.12:4500          RD|ST|A     v2:1   IP          155.1.121.12

  Number of IKE SA : 4
 ------------------------------------------------------------------------------

Each HQ peer shows an IKEv2 IKE SA (Phase v2:1) and a Child SA (v2:2) carrying the RD (ready) flag, so both tunnels are established; the :4500 peer port confirms that NAT traversal through R2 is in use.
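
An added example, not part of the original page, that turns `display ike sa` output into a tunnel health check: load sharing over Tunnel1 and Tunnel2 only works if both HQ peers have both SA phases ready. The sample output is a constructed, de-wrapped copy of the FW3 table above; the peer list and the degraded variant are assumptions.

```python
"""Tunnel health check over Huawei `display ike sa` output.

Added example, not part of the original page. SAMPLE is a constructed, de-wrapped
copy of the FW3 output above; HQ_PEERS and SAMPLE_DEGRADED are assumptions.
"""

SAMPLE = """\
IKE SA information :
 Conn-ID    Peer                 VPN   Flag(s)     Phase  RemoteType  RemoteID
 ------------------------------------------------------------------------------
 48         155.1.131.13:4500          RD|ST|A     v2:2   IP          155.1.131.13
 38         155.1.131.13:4500          RD|A        v2:1   IP          155.1.131.13
 50         155.1.121.12:4500          RD|ST|A     v2:2   IP          155.1.121.12
 49         155.1.121.12:4500          RD|ST|A     v2:1   IP          155.1.121.12

  Number of IKE SA : 4
 ------------------------------------------------------------------------------
"""
HQ_PEERS = ["155.1.121.12", "155.1.131.13"]          # FW1 and FW2 uplink addresses

# Assumed failure case: the Child SA toward FW2 (Conn-ID 48) has gone away.
SAMPLE_DEGRADED = "\n".join(l for l in SAMPLE.splitlines() if not l.strip().startswith("48 "))


def parse_ike_sa(output):
    """Return one dict per SA row; header, rule and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():    # only SA rows start with a Conn-ID
            continue
        if len(fields) == 7:                         # VPN instance column populated
            conn, peer, vpn, flags, phase, rtype, rid = fields
        elif len(fields) == 6:                       # VPN column blank (root system)
            conn, peer, flags, phase, rtype, rid = fields
            vpn = ""
        else:
            continue
        host, _, port = peer.rpartition(":")
        version, ph = phase.split(":")               # "v2:2" -> IKEv2, phase 2 (Child SA)
        rows.append({"conn_id": int(conn), "peer": host, "port": int(port), "vpn": vpn,
                     "flags": set(flags.split("|")), "version": version,
                     "phase": int(ph), "remote_type": rtype, "remote_id": rid})
    return rows


def tunnel_status(output, peers):
    """Per peer: is a ready (RD) IKE SA and Child SA present, and is NAT-T (udp/4500) in use?"""
    rows = parse_ike_sa(output)
    status = {}
    for peer in peers:
        ready = [r for r in rows if r["peer"] == peer and "RD" in r["flags"]]
        status[peer] = {"ike_sa": any(r["phase"] == 1 for r in ready),
                        "child_sa": any(r["phase"] == 2 for r in ready),
                        "nat_t": any(r["port"] == 4500 for r in ready)}
    return status


def load_sharing_ok(output, peers):
    """True only if every HQ peer has both phases ready; otherwise ECMP over the tunnels is degraded."""
    return all(s["ike_sa"] and s["child_sa"] for s in tunnel_status(output, peers).values())


if __name__ == "__main__":
    print(tunnel_status(SAMPLE, HQ_PEERS), load_sharing_ok(SAMPLE, HQ_PEERS))
    print(tunnel_status(SAMPLE_DEGRADED, HQ_PEERS), load_sharing_ok(SAMPLE_DEGRADED, HQ_PEERS))
```

With the page's output both peers report `ike_sa`, `child_sa` and `nat_t` true; in the degraded variant the static routes would still send half the flows into Tunnel2, so a check like this is worth running before trusting the ECMP routes.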

A branch host reaches the HQ intranet server (the starred hops are the encrypted path through the tunnel):

PC>ping 10.1.100.100

Ping 10.1.100.100: 32 data bytes, Press Ctrl_C to break
From 10.1.100.100: bytes=32 seq=1 ttl=252 time=110 ms

traceroute to 10.1.100.100, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.14.14   <1 ms  <1 ms  <1 ms
 2    *  *  *
 3    *  *  *
 4  10.1.100.100   110 ms  125 ms  125 ms

An HQ intranet host reaches the Internet:

PC>ping 150.1.1.1

Ping 150.1.1.1: 32 data bytes, Press Ctrl_C to break
From 150.1.1.1: bytes=32 seq=1 ttl=253 time=141 ms
From 150.1.1.1: bytes=32 seq=2 ttl=253 time=125 ms

traceroute to 150.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.12   94 ms  78 ms  78 ms
 2    *  *  *
 3  150.1.1.1   94 ms  109 ms  141 ms

An HQ intranet host reaches the branch intranet:

PC>ping 10.1.14.10

Ping 10.1.14.10: 32 data bytes, Press Ctrl_C to break
From 10.1.14.10: bytes=32 seq=1 ttl=125 time=125 ms
From 10.1.14.10: bytes=32 seq=2 ttl=125 time=125 ms

traceroute to 10.1.14.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.12   109 ms  78 ms  79 ms
 2    *  *  *
 3  10.1.142.14   156 ms  125 ms  172 ms
 4  10.1.14.10   109 ms  125 ms  141 ms
