Huawei IPsec technology

Topology

fw1 (1.1.1.1) and fw2 (2.2.2.2) establish an IPsec tunnel between them.

Technical details

IKE proposal

IKE peer: the IKE proposal is referenced from the IKE peer

IPsec proposal

IPsec policy

ACL: defines the data flow to be protected

The IPsec policy references the IKE peer, the IPsec proposal and the IPsec ACL; the policy is then applied under the interface that faces the peer.

Device configuration

fw1

sysname fw1

#

l2tp domain suffix-separator @

#

ipsec sha2 compatible enable

#

undo telnet server enable

undo telnet ipv6 server enable

#

update schedule location-sdb weekly Sun 22:49

#

firewall defend action discard

#

banner enable

#

user-manage web-authentication security port 8887

undo privacy-statement english

undo privacy-statement chinese

page-setting

user-manage security version tlsv1.1 tlsv1.2

password-policy

level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

#

web-manager security version tlsv1.1 tlsv1.2

web-manager enable

web-manager security enable

#

firewall dataplane to manageplane application-apperceive default-action drop

#

undo ips log merge enable

#

decoding uri-cache disable

#

update schedule ips-sdb daily 01:23

update schedule av-sdb daily 01:23

update schedule sa-sdb daily 01:23

update schedule cnc daily 01:23

update schedule file-reputation daily 01:23

#

ip vpn-instance default

ipv4-family

#

time-range worktime

period-range 08:00:00 to 18:00:00 working-day

#

acl number 3000

rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0

#

ipsec proposal 1

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

#

ike proposal default

encryption-algorithm aes-256 aes-192 aes-128

dh group14

authentication-algorithm sha2-512 sha2-384 sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike proposal 1

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

#

ike peer fw3

pre-shared-key %^%#[@G*PGGTb%p\tG@e;=+LlcWRFN6ocQLdBg>&c[q'%^%#

ike-proposal 1

remote-address 10.1.1.2

#

ipsec policy 1 1 isakmp

security acl 3000

ike-peer fw3

proposal 1

#

aaa

authentication-scheme default

authentication-scheme admin_local

authentication-scheme admin_radius_local

authentication-scheme admin_hwtacacs_local

authentication-scheme admin_ad_local

authentication-scheme admin_ldap_local

authentication-scheme admin_radius

authentication-scheme admin_hwtacacs

authentication-scheme admin_ad

authorization-scheme default

accounting-scheme default

domain default

service-type internetaccess ssl-vpn l2tp ike

internet-access mode password

reference user current-domain

manager-user audit-admin

password cipher @%@%$#7F>H3CUQU*IUF%G0iQYQf@H^O'2hg+4W&G*RLq34bYQfCY@%@%

service-type web terminal

level 15

manager-user api-admin

password cipher @%@%\Ol~&]dxg~1kWzN#=G-%(6n8*~/lL,F>[9iPnL'@7G376n;(@%@%

level 15

manager-user admin

password cipher @%@%*yi~RPVVZR9<8h/N,l!Gk7)wj@r;@BAmIEoB"SDaaHDL7)zk@%@%

service-type web terminal

level 15

role system-admin

role device-admin

role device-admin(monitor)

role audit-admin

bind manager-user audit-admin role audit-admin

bind manager-user admin role system-admin

#

l2tp-group default-lns

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.0.1 255.255.255.0

alias GE0/METH

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 10.1.1.1 255.255.255.0

service-manage http permit

service-manage https permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

ipsec policy 1

#

interface GigabitEthernet1/0/1

undo shutdown

#

interface GigabitEthernet1/0/2

undo shutdown

#

interface GigabitEthernet1/0/3

undo shutdown

#

interface GigabitEthernet1/0/4

undo shutdown

#

interface GigabitEthernet1/0/5

undo shutdown

#

interface GigabitEthernet1/0/6

undo shutdown

#

interface Virtual-if0

#

interface NULL0

#

interface LoopBack1

ip address 1.1.1.1 255.255.255.255

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

#

firewall zone dmz

set priority 50

#

ip route-static 0.0.0.0 0.0.0.0 10.1.1.2

#

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

#

firewall detect ftp

#

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh

user-interface vty 16 20

#

pki realm default

#

sa

#

location

#

multi-linkif

mode proportion-of-weight

#

right-manager server-group

#

device-classification

device-group pc

device-group mobile-terminal

device-group undefined-group

#

user-manage server-sync tsm

#

security-policy

rule name hulian

source-zone local

source-zone untrust

destination-zone local

destination-zone untrust

source-address 10.1.1.0 mask 255.255.255.0

destination-address 10.1.1.0 mask 255.255.255.0

action permit

rule name 1.1.1.1-2.2.2.2

source-zone local

source-zone untrust

destination-zone local

destination-zone untrust

source-address 1.1.1.1 mask 255.255.255.255

source-address 2.2.2.2 mask 255.255.255.255

destination-address 1.1.1.1 mask 255.255.255.255

destination-address 2.2.2.2 mask 255.255.255.255

action permit

#

auth-policy

#

traffic-policy

#

policy-based-route

#

nat-policy

#

quota-policy

#

pcp-policy

#

dns-transparent-policy

#

rightm-policy

#

return

#

==============================================================

fw2

[fw2] display current-configuration

2023-02-26 02:31:50.110

!Software Version V500R005C10SPC300

#

sysname fw2

#

l2tp domain suffix-separator @

#

ipsec sha2 compatible enable

#

undo telnet server enable

undo telnet ipv6 server enable

#

update schedule location-sdb weekly Sun 05:46

#

firewall defend action discard

#

banner enable

#

user-manage web-authentication security port 8887

undo privacy-statement english

undo privacy-statement chinese

page-setting

user-manage security version tlsv1.1 tlsv1.2

password-policy

level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

#

web-manager security version tlsv1.1 tlsv1.2

web-manager enable

web-manager security enable

#

firewall dataplane to manageplane application-apperceive default-action drop

#

undo ips log merge enable

#

decoding uri-cache disable

#

update schedule ips-sdb daily 04:46

update schedule av-sdb daily 04:46

update schedule sa-sdb daily 04:46

update schedule cnc daily 04:46

update schedule file-reputation daily 04:46

#

#

ip vpn-instance default

ipv4-family

#

time-range worktime

period-range 08:00:00 to 18:00:00 working-day

#

acl number 3000

rule 1 permit ip source 2.2.2.2 0 destination 1.1.1.1 0

#

ipsec proposal 1

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

#

ike proposal default

encryption-algorithm aes-256 aes-192 aes-128

dh group14

authentication-algorithm sha2-512 sha2-384 sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

ike proposal 1

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

#

ike peer fw1

pre-shared-key %^%#,VAC.XNmAF0;1*&;4oo''$}F@.+*A!7uO@O=cVIU%^%#

ike-proposal 1

remote-address 10.1.1.1

#

ipsec policy 1 1 isakmp

security acl 3000

ike-peer fw1

proposal 1

#

aaa

authentication-scheme default

authentication-scheme admin_local

authentication-scheme admin_radius_local

authentication-scheme admin_hwtacacs_local

authentication-scheme admin_ad_local

authentication-scheme admin_ldap_local

authentication-scheme admin_radius

authentication-scheme admin_hwtacacs

authentication-scheme admin_ad

authorization-scheme default

accounting-scheme default

domain default

service-type internetaccess ssl-vpn l2tp ike

internet-access mode password

reference user current-domain

manager-user audit-admin

password cipher @%@%v%^hLqIut$cI8dF|e2cAiY>FfF~fI@#mb"-wM*F!b~~ZY>Ii@%@%

service-type web terminal

level 15

manager-user api-admin

password cipher @%@%%~np/];+,7s5`|U/Ez]3*:AMQ"Qt*ktICHDmX^QT5TQ8:AP*@%@%

level 15

manager-user admin

password cipher @%@%#)Yy3X#Vb4_56!:=O/A%EiJg)}PC4;>6]B(B`*>6nW}4iJjE@%@%

service-type web terminal

level 15

role system-admin

role device-admin

role device-admin(monitor)

role audit-admin

bind manager-user audit-admin role audit-admin

bind manager-user admin role system-admin

#

l2tp-group default-lns

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.0.1 255.255.255.0

alias GE0/METH

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 10.1.1.2 255.255.255.0

service-manage http permit

service-manage https permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

ipsec policy 1

#

interface GigabitEthernet1/0/1

undo shutdown

#

interface GigabitEthernet1/0/2

undo shutdown

#

interface GigabitEthernet1/0/3

undo shutdown

#

interface GigabitEthernet1/0/4

undo shutdown

#

interface GigabitEthernet1/0/5

undo shutdown

#

interface GigabitEthernet1/0/6

undo shutdown

#

interface Virtual-if0

#

interface NULL0

#

interface LoopBack1

ip address 2.2.2.2 255.255.255.255

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

#

firewall zone dmz

set priority 50

#

ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

#

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

#

firewall detect ftp

#

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh

user-interface vty 16 20

#

pki realm default

#

sa

#

location

#

multi-linkif

mode proportion-of-weight

#

right-manager server-group

#

device-classification

device-group pc

device-group mobile-terminal

device-group undefined-group

#

user-manage server-sync tsm

#

security-policy

rule name hulian

source-zone local

source-zone untrust

destination-zone local

destination-zone untrust

source-address 10.1.1.0 mask 255.255.255.0

destination-address 10.1.1.0 mask 255.255.255.0

action permit

rule name 1.1.1.1-2.2.2.2

source-zone local

source-zone untrust

destination-zone local

destination-zone untrust

source-address 1.1.1.1 mask 255.255.255.255

source-address 2.2.2.2 mask 255.255.255.255

destination-address 1.1.1.1 mask 255.255.255.255

destination-address 2.2.2.2 mask 255.255.255.255

action permit

#

auth-policy

#

traffic-policy

#

policy-based-route

#

nat-policy

#

quota-policy

#

pcp-policy

#

dns-transparent-policy

#

rightm-policy

#

return
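To confirm that the two configurations above form a consistent pair (mirrored ACLs, equal proposals, each peer's remote-address pointing at the other side's tunnel interface), here is an added example that is not part of the original post. It parses a constructed, condensed excerpt of the fw1/fw2 configuration (TEMPLATE, with the CLI's indentation restored) and follows the reference chain from the technical details: interface -> IPsec policy -> ACL, IKE peer (-> IKE proposal) and IPsec proposal.

```python
# Added example, not the post's own code: TEMPLATE is a constructed, condensed excerpt of the fw1/fw2 configs above.
TEMPLATE = """\
acl number 3000
 rule 1 permit ip source {lo} 0 destination {rlo} 0
ipsec proposal 1
 esp encryption-algorithm {esp}
ike proposal 1
 encryption-algorithm aes-256
ike peer {peer}
 ike-proposal 1
 remote-address {rip}
ipsec policy 1 1 isakmp
 security acl 3000
 ike-peer {peer}
 proposal 1
interface GigabitEthernet1/0/0
 ip address {ip} 255.255.255.0
 ipsec policy 1
"""
FW1 = TEMPLATE.format(lo="1.1.1.1", rlo="2.2.2.2", ip="10.1.1.1", rip="10.1.1.2", peer="fw3", esp="aes-256")
FW2 = TEMPLATE.format(lo="2.2.2.2", rlo="1.1.1.1", ip="10.1.1.2", rip="10.1.1.1", peer="fw1", esp="aes-256")

def parse(text):  # group each indented sub-command under the preceding top-level command
    sections, cur = {}, []
    for line in text.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = sections[line] = []
    return sections

def arg(lines, key):  # token following `key`, e.g. arg(peer, "remote-address") -> "10.1.1.2"
    return next(l.split()[len(key.split())] for l in lines if l.startswith(key + " "))

def chain(text):  # interface -> ipsec policy -> ACL / IKE peer -> IKE proposal, IPsec proposal
    s = parse(text)
    iface = next(l for l in s.values() if any(x.startswith("ipsec policy ") for x in l))
    pol = next(l for h, l in s.items() if h.startswith(f"ipsec policy {arg(iface, 'ipsec policy')} "))
    peer = s["ike peer " + arg(pol, "ike-peer")]
    rule = s["acl number " + arg(pol, "security acl")][0].split()
    return dict(ip=arg(iface, "ip address"), remote=arg(peer, "remote-address"),
                src=rule[rule.index("source") + 1], dst=rule[rule.index("destination") + 1],
                esp=sorted(s["ipsec proposal " + arg(pol, "proposal")]), ike=sorted(s["ike proposal " + arg(peer, "ike-proposal")]))

def check(a_text, b_text):  # mismatches that would stop the two sides from negotiating an SA
    a, b = chain(a_text), chain(b_text)
    return [msg for ok, msg in (
        (a["remote"] == b["ip"] and b["remote"] == a["ip"], "remote-address is not the peer's tunnel interface"),
        ((a["src"], a["dst"]) == (b["dst"], b["src"]), "ACL flows are not mirror images"),
        (a["esp"] == b["esp"] and a["ike"] == b["ike"], "ESP or IKE proposal parameters differ")) if not ok]
```

check(FW1, FW2) returns an empty list for the pair above; changing one side's esp, rip or rlo value in TEMPLATE.format(...) makes the corresponding mismatch appear in the returned list.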
