Prerequisite configuration
1) Basic firewall forwarding configuration (① add security zones, ② security forwarding policy, ③ configure the default route, ④ basic NAT policy)
① Add security zones
② Firewall security forwarding policy (traffic between the trust and untrust zones, and between the local and untrust zones, must be permitted in both directions)
FW1:
security-policy
rule name site1_site2_network
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
rule name loacl_site2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
FW2:
security-policy
rule name site2_site1_network
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
rule name loacl_site1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
③ Configure the default route
FW1:
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254
FW2:
ip route-static 0.0.0.0 0.0.0.0 192.168.20.254
④ Basic NAT policy
FW1:
nat-policy
rule name nopat # for forwarding the traffic that goes through the IPsec tunnel once it is up; it is listed before the source-NAT rule so that this traffic is not translated
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.100.0 mask 255.255.255.0
destination-address 192.168.200.0 mask 255.255.255.0
action no-nat
rule name nat # for access to the ISP (Internet)
source-zone trust
egress-interface GigabitEthernet1/0/1
action source-nat easy-ip
FW2:
nat-policy
rule name nopat
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.200.0 mask 255.255.255.0
destination-address 192.168.100.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
egress-interface GigabitEthernet1/0/1
action source-nat easy-ip
2) Allow ping to the firewall's WAN interface
[USG6000V1]interface GigabitEthernet1/0/1
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
3) Connectivity check:
The WAN interface of FW1 must be able to ping the WAN interface of FW2.
FW1 configuration:
Configure the FW1 ACL (it defines the traffic to be protected by IPsec)
acl 3000
rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
Configure the FW1 IKE proposal (the defaults are sufficient)
ike proposal 1 # proposal number 1
Configure the FW1 IKE peer
ike peer site2 # the peer is named site2
pre-shared-key cipher huawei # pre-shared key; must be identical on both ends
ike-proposal 1 # reference IKE proposal 1
remote-add 192.168.20.1 # IP address of the remote end
Configure the FW1 IPsec proposal; the proposal settings must be identical on both ends
ipsec proposal 1 # proposal number 1
encapsulation-mode tunnel # IPsec encapsulation mode: tunnel mode
esp authentication-algorithm sha2-256 # authentication algorithm used by ESP
esp encryption-algorithm aes-256 # encryption algorithm used by ESP
transform esp # security protocol: ESP
Configure the FW1 IPsec policy
ipsec policy site1 1 isakmp # policy name site1, sequence number 1, negotiated via IKE
security acl 3000 # reference the ACL
ike-peer site2 # reference the IKE peer
proposal 1 # reference the IPsec proposal
Apply the IPsec policy to the outbound interface
int g1/0/1
ipsec policy site1 # apply policy site1
FW2 configuration:
Configure the FW2 ACL
acl 3000
rule 5 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
Configure the FW2 IKE proposal
ike proposal 1
Configure the FW2 IKE peer
ike peer site1
pre-shared-key cipher huawei
ike-proposal 1
remote-id-type ip
remote-add 192.168.10.1
Configure the FW2 IPsec proposal
ipsec proposal 1
encapsulation-mode tunnel
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
transform esp
Configure the FW2 IPsec policy
ipsec policy site2 1 isakmp
security acl 3000
ike-peer site1
proposal 1
Apply the IPsec policy to the outbound interface
int g1/0/1
ipsec policy site2
Use the following commands to check whether the IKE SA and IPsec SA have been established (with an isakmp policy the SAs are negotiated on demand, so first send traffic that matches ACL 3000, e.g. a ping from 192.168.100.0/24 to 192.168.200.0/24)
[USG6000V1]dis ike sa
[USG6000V1]dis ipsec sa
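As an added example (not part of the original page), the following Python script parses the peer-relevant lines of both firewalls' configuration and reports the mismatches that would stop IKE/IPsec negotiation: a different pre-shared key or proposal parameter, ACLs that are not mirror images of each other, or a remote-add that does not point at the other end's WAN address. The WAN addresses 192.168.10.1 and 192.168.20.1 are assumed from the remote-add lines, and the two config strings are constructed from the page.

```python
import re

# Constructed sample input: the lines of this page's FW1 / FW2 IPsec configuration that
# must agree between the peers (stanza headers such as "acl 3000" and "ike peer" omitted).
FW1_CFG = """rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
pre-shared-key cipher huawei
remote-add 192.168.20.1
encapsulation-mode tunnel
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
transform esp"""
FW2_CFG = """rule 5 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
pre-shared-key cipher huawei
remote-add 192.168.10.1
encapsulation-mode tunnel
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
transform esp"""

ACL_RE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")
# Parameters that must be identical on both ends (see the proposal and pre-shared-key notes above).
PEER_KEYS = ("psk", "encapsulation-mode", "esp authentication-algorithm",
             "esp encryption-algorithm", "transform")

def parse(cfg):
    """Extract from one firewall's config the values that have to match its peer."""
    p = {}
    for line in cfg.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments as used on this page
        m = ACL_RE.match(line)
        if m:
            p["acl_src"], p["acl_dst"] = m.group(1), m.group(2)
        elif line.startswith("pre-shared-key cipher "):
            p["psk"] = line.split()[-1]
        elif line.startswith("remote-add"):
            p["remote"] = line.split()[-1]
        elif line.startswith(("esp ", "encapsulation-mode ", "transform ")):
            key, value = line.rsplit(" ", 1)
            p[key] = value
    return p

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Return the mismatches between the two ends; an empty list means they are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{k}: {a.get(k)} != {b.get(k)}" for k in PEER_KEYS if a.get(k) != b.get(k)]
    if (a.get("acl_src"), a.get("acl_dst")) != (b.get("acl_dst"), b.get("acl_src")):
        problems.append("acl: the two ACL rules are not mirror images of each other")
    if a.get("remote") != wan_b or b.get("remote") != wan_a:  # remote-add must be the peer's WAN IP
        problems.append("remote-add: does not point at the peer's WAN address")
    return problems
```

For the configuration on this page, check_pair(FW1_CFG, "192.168.10.1", FW2_CFG, "192.168.20.1") returns an empty list; changing one ESP algorithm or one remote-add on either side produces a one-line report naming the mismatch.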