1. Networking requirements
1.1 IPsec VPN
The egress is configured with dual links and load balancing. An IPsec VPN service is configured to build point-to-point secure tunnels between each branch and headquarters, so that branches can reach the network resources and business systems at headquarters. IPsec VPN topologies are flexible: headquarters can connect to the branches either point-to-multipoint or point-to-point. The headquarters VPN gateway answers requests from the branch VPN gateways and therefore needs a fixed IP address; each branch deploys its own VPN gateway, which may use either a static or a dynamic IP address to establish the tunnel to headquarters.
2. Configuration approach
2.1 Network architecture
2.2 Test topology
2.3 IP address plan
2.4 Security policies
- Create a policy permitting the VPN traffic between the gateways
- Create a policy permitting the headquarters and branch internal networks to communicate
- Create policies permitting the branches to access headquarters business systems such as ERP, the file server and the FTP server
2.5 NAT policy
- Configure NAT on the firewall so that internal users can access the Internet.
- VPN traffic must not be NATed; it is forwarded directly.
3. Branch FWA configuration
1. Change the device name
#
sysname FWA
#
2. Enable DHCP
#
dhcp enable
#
3. Configure the interfaces and add them to security zones
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage ping permit
dhcp select interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0 /public IP address
service-manage ping permit /permit ping to this interface
ipsec policy klt /apply the IPsec policy "klt" on this interface
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
4. Configure a static route
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
#
5. Define the interesting traffic (the internal traffic that must go through the VPN)
#
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
6. Configure IPsec VPN
6.1 Configure the IKE proposal
#
ike proposal 1 /create IKE proposal 1
encryption-algorithm aes-256 /encryption algorithm aes-256
dh group14 /Diffie-Hellman group 14
authentication-algorithm sha2-256 /authentication algorithm sha2-256
authentication-method pre-share /authentication by pre-shared key
#
6.2 Configure the IKE peer
#
ike peer 12 /create IKE peer 12
pre-shared-key %^%#fUIiD9jVgDb/qVQyaG_OR<Zh3KY7:N>z#[N0X)A7%^%# /pre-shared key (shown in the encrypted form the device displays)
ike-proposal 1 /reference IKE proposal 1
remote-address 200.1.1.1 /public IP address of the remote peer (FWB)
#
6.3 Configure the IPsec proposal
#
ipsec proposal 1 /create IPsec proposal 1
esp authentication-algorithm sha2-256 /ESP authentication (integrity) algorithm sha2-256 for data crossing the public network
esp encryption-algorithm aes-256 /ESP encryption algorithm aes-256 for data crossing the public network
#
6.4 Configure the IPsec policy
#
ipsec policy klt 5 isakmp /create IPsec policy "klt", sequence 5, in ISAKMP (IKE-negotiated) mode
security acl 3001 /reference the ACL, binding the interesting traffic to the IPsec policy
ike-peer 12 /bind IKE peer 12 to the IPsec policy
proposal 1 /bind the IPsec proposal to the IPsec policy; one ISAKMP-mode IPsec policy can reference up to 12 IPsec proposals
#
6.5 Apply the IPsec policy to the interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0
service-manage ping permit
ipsec policy klt /apply the IPsec policy
#
7. Create a custom service for UDP port 500 (used by IKE)
#
ip service-set isakmp type object 16
service 0 protocol udp source-port 500 destination-port 500
#
8. Create security policies
#
security-policy
rule name Permit-Internet
source-zone trust
destination-zone untrust
action permit
rule name yewo
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name vpn
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 100.1.1.1 mask 255.255.255.255
source-address 200.1.1.1 mask 255.255.255.255
destination-address 100.1.1.1 mask 255.255.255.255
destination-address 200.1.1.1 mask 255.255.255.255
service isakmp
service protocol 50
action permit
#
9. Create NAT policies
#
nat-policy
rule name VPN /the VPN rule must be placed at the very top, before the source-NAT rule!
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action no-nat
rule name Permit-Internet /allow internal users to access the Internet
source-zone trust
destination-zone untrust
action source-nat easy-ip
#
4. FWB configuration
1. Change the device name
#
sysname FWB
#
2. Enable DHCP
#
dhcp enable
#
3. Configure the interface IP addresses and add the interfaces to security zones
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
dhcp select interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.1 255.255.255.0
service-manage ping permit
ipsec policy sozon
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
4. Configure a static route
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
#
5. Define the interesting traffic
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
6. Configure IPsec VPN
6.1 Configure the IKE proposal
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
6.2 Configure the IKE peer
#
ike peer 12
pre-shared-key %^%#}@%vHBNwt7vc<\"Zl#[7ME+;;vT`*7qB8Y&:@V6~%^%#
ike-proposal 1
remote-address 100.1.1.1
#
6.3 Create the IPsec proposal
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
6.4 Create the IPsec policy
#
ipsec policy sozon 5 isakmp
security acl 3001
ike-peer 12
proposal 1
#
6.5 Apply the IPsec policy to the interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.1 255.255.255.0
service-manage ping permit
ipsec policy sozon
#
6.6 Create the custom service
#
ip service-set isakmp type object 16
service 0 protocol udp source-port 500 destination-port 500
#
6.7 Configure security policies
#
security-policy
rule name shangwang
source-zone trust
destination-zone untrust
action permit
rule name yewo
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name vpn
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 100.1.1.1 mask 255.255.255.255
source-address 200.1.1.1 mask 255.255.255.255
destination-address 100.1.1.1 mask 255.255.255.255
destination-address 200.1.1.1 mask 255.255.255.255
service isakmp
service protocol 50
action permit
#
7. Create NAT policies
#
nat-policy
rule name VPN
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name shangwang
source-zone trust
destination-zone untrust
action source-nat easy-ip
#
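Most site-to-site tunnels that fail to come up do so because the two ends disagree on something that is spread across several blocks of each configuration: the remote-address must be the peer's real public IP, the interesting-traffic ACLs must be mirror images, the IKE and IPsec proposals must offer the same algorithms, and the no-nat rule must sit above the source-NAT rule and cover exactly the ACL's networks, otherwise the traffic is NATed first and never matches the IPsec policy. The script below is an added example, not part of this guide or of any Huawei tooling; it assumes a deliberately small line reader that understands only the commands this guide uses (not a general USG configuration parser), and its input is a constructed re-typing of the FWA and FWB values above, limited to those commands.

```python
"""Cross-check the FWA and FWB peer configurations from this guide for consistency.
Added example, not part of the original page or of any Huawei tooling: a small line
reader for just the commands the guide uses, not a general USG configuration parser."""
import re

# Constructed sample input: the guide's own values, limited to the commands that decide
# whether the tunnel comes up and whether VPN traffic escapes NAT (other lines dropped).
FWA = """\
ip address 100.1.1.1 255.255.255.0
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
remote-address 200.1.1.1
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
nat-policy
rule name VPN
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action no-nat
rule name Permit-Internet
action source-nat easy-ip
"""
FWB = """\
ip address 200.1.1.1 255.255.255.0
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
remote-address 100.1.1.1
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
nat-policy
rule name VPN
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action no-nat
rule name shangwang
action source-nat easy-ip
"""

def parse(cfg):
    """Collect interface IPs, the ACL rule, remote-address, proposals and NAT rules."""
    f, section = {"ips": set(), "ike": {}, "ipsec": {}, "nat": []}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line == "#":                                # block delimiter ends a section
            section = None
        elif line.startswith(("ike proposal", "ipsec proposal")):
            section = line.split()[0]                  # "ike" or "ipsec"
        elif line == "nat-policy":
            section = "nat"
        elif m := re.match(r"ip address (\S+) \S+$", line):
            f["ips"].add(m[1])
        elif m := re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line):
            f["acl"] = m.groups()                      # (src, src-wildcard, dst, dst-wildcard)
        elif m := re.match(r"remote-address (\S+)$", line):
            f["remote"] = m[1]
        elif section in ("ike", "ipsec"):              # e.g. "esp encryption-algorithm aes-256"
            key, _, value = line.rpartition(" ")
            f[section][key] = value
        elif section == "nat" and line.startswith("rule name "):
            f["nat"].append({"name": line[10:]})       # rules are kept in configured order
        elif section == "nat":                         # "action no-nat", "source-address X mask Y"
            key, _, value = line.partition(" ")
            f["nat"][-1][key] = value
    return f

def wc2mask(wildcard):
    """ACL wildcard 0.0.0.255 -> the equivalent nat-policy mask 255.255.255.0."""
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))

def check_pair(a, b):
    """Return (problems, warnings); an empty problems list means the two peers agree."""
    problems, warnings = [], []
    for x, y, tag in ((a, b, "A"), (b, a, "B")):
        if y["remote"] not in x["ips"]:                # peer must point at this side's public IP
            problems.append(f"{tag}: peer's remote-address {y['remote']} is not an address here")
        s, sw, d, dw = x["acl"]                        # first NAT rule must be no-nat for the ACL
        want = {"action": "no-nat", "source-address": f"{s} mask {wc2mask(sw)}",
                "destination-address": f"{d} mask {wc2mask(dw)}"}
        first = x["nat"][0] if x["nat"] else {}
        if any(first.get(k) != v for k, v in want.items()):
            problems.append(f"{tag}: first nat-policy rule is not a no-nat rule for {s} -> {d}")
    if a["acl"] != (d, dw, s, sw):                     # s..dw still hold B's ACL: A must mirror it
        problems.append("interesting-traffic ACLs are not mirror images")
    for proto in ("ike", "ipsec"):                     # both ends must offer the same algorithms
        for key in sorted(a[proto].keys() & b[proto].keys()):
            if a[proto][key] != b[proto][key]:
                problems.append(f"{proto} {key}: {a[proto][key]} vs {b[proto][key]}")
        for key in sorted(a[proto].keys() ^ b[proto].keys()):
            warnings.append(f"{proto} {key}: explicit on one side only, the other relies on its default")
    return problems, warnings
```

Run against the guide's values, `check_pair(parse(FWA), parse(FWB))` reports no problems and two warnings: FWB sets `integrity-algorithm` and `prf` explicitly while FWA leaves them at the device default, which is only safe if that default equals the value FWB configured, so the warning is the thing to verify on the box rather than assume. Changing one parameter on either side (for example `dh group14` to `dh group2` on FWB) or inserting a source-NAT rule above the VPN rule turns into a reported problem, which is the kind of mismatch that otherwise only shows up as a silent IKE negotiation failure or as VPN traffic leaving the firewall translated.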