Establishing a Point-to-Point IPSec *** Between Headquarters and a Branch (Pre-Shared Key Authentication)
Networking Requirements
As shown in Figure 1, *** A and *** B connect to the Internet through NGFW_A and NGFW_B respectively, and NGFW_A and NGFW_B are reachable from each other over public routes. An IKE-negotiated IPSec tunnel now needs to be established between NGFW_A and NGFW_B so that users in *** A and *** B can access each other securely through the IPSec tunnel.
Figure 1 Example network for a point-to-point IPSec tunnel established through IKE negotiation
Data Plan
Configuration Roadmap
The configuration roadmap is the same for NGFW_A and NGFW_B.
1. Configure interface IP addresses and add the interfaces to security zones.
2. Configure security policies.
3. Configure the route to the peer's private network.
4. Configure the IPSec policy, including the basic IPSec policy information, the data flow to be encrypted, and the negotiation parameters of the security proposals.
Procedure
· Configure NGFW_A (headquarters).
1. Configure interface IP addresses.
<sysname> system-view
[sysname] sysname NGFW_A
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
2. Add the interfaces to the corresponding security zones.
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit
3. Configure security policies.
a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_A.
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_ipsec_1
[NGFW_A-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_1] action permit
[NGFW_A-policy-security-rule-policy_ipsec_1] quit
[NGFW_A-policy-security] rule name policy_ipsec_2
[NGFW_A-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_ipsec_2] source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_ipsec_2] action permit
[NGFW_A-policy-security-rule-policy_ipsec_2] quit
b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_A.
[NGFW_A-policy-security] rule name policy_ipsec_3
[NGFW_A-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_3] source-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] destination-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_3] action permit
[NGFW_A-policy-security-rule-policy_ipsec_3] quit
[NGFW_A-policy-security] rule name policy_ipsec_4
[NGFW_A-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_A-policy-security-rule-policy_ipsec_4] source-address 1.1.5.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] destination-address 1.1.3.1 32
[NGFW_A-policy-security-rule-policy_ipsec_4] action permit
[NGFW_A-policy-security-rule-policy_ipsec_4] quit
[NGFW_A-policy-security] quit
4. Configure the route to the peer's private network. Assume that the next-hop device from NGFW_A toward NGFW_B has the IP address 1.1.3.2.
[NGFW_A] ip route-static 10.1.2.0 24 1.1.3.2
5. Configure the IPSec tunnel on NGFW_A.
a. Configure an access control list (ACL) to define the data flow to be protected.
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit
b. Configure IKE proposal number 10.
[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] authentication-method pre-share
[NGFW_A-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_A-ike-proposal-10] quit
c. Configure the IKE peer.
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 1.1.5.1
[NGFW_A-ike-peer-b] pre-shared-key Admin@123
[NGFW_A-ike-peer-b] undo version 2
[NGFW_A-ike-peer-b] quit
d. Configure an IPSec proposal named tran1.
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit
e. Configure IPSec policy group map1.
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit
f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_A-GigabitEthernet1/0/1] quit
· Configure NGFW_B (branch).
1. Configure interface IP addresses.
<sysname> system-view
[sysname] sysname NGFW_B
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
[NGFW_B-GigabitEthernet1/0/1] quit
2. Add the interfaces to the corresponding security zones.
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
3. Configure security policies.
a. Configure a security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through NGFW_B.
[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_ipsec_1
[NGFW_B-policy-security-rule-policy_ipsec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_1] action permit
[NGFW_B-policy-security-rule-policy_ipsec_1] quit
[NGFW_B-policy-security] rule name policy_ipsec_2
[NGFW_B-policy-security-rule-policy_ipsec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_ipsec_2] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_ipsec_2] action permit
[NGFW_B-policy-security-rule-policy_ipsec_2] quit
b. Configure a security policy between the Local and Untrust zones so that IKE negotiation packets can pass through NGFW_B.
[NGFW_B-policy-security] rule name policy_ipsec_3
[NGFW_B-policy-security-rule-policy_ipsec_3] source-zone local
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_3] source-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] destination-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_3] action permit
[NGFW_B-policy-security-rule-policy_ipsec_3] quit
[NGFW_B-policy-security] rule name policy_ipsec_4
[NGFW_B-policy-security-rule-policy_ipsec_4] source-zone untrust
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-zone local
[NGFW_B-policy-security-rule-policy_ipsec_4] source-address 1.1.3.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] destination-address 1.1.5.1 32
[NGFW_B-policy-security-rule-policy_ipsec_4] action permit
[NGFW_B-policy-security-rule-policy_ipsec_4] quit
[NGFW_B-policy-security] quit
4. Configure the route to the peer's private network. Assume that the next-hop device from NGFW_B toward NGFW_A has the IP address 1.1.5.2.
[NGFW_B] ip route-static 10.1.1.0 24 1.1.5.2
5. Configure the IPSec tunnel on NGFW_B.
a. Configure an access control list (ACL) to define the data flow to be protected.
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit
b. Configure IKE proposal number 10.
[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] authentication-method pre-share
[NGFW_B-ike-proposal-10] authentication-algorithm sha2-256
[NGFW_B-ike-proposal-10] quit
c. Configure the IKE peer.
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key Admin@123
[NGFW_B-ike-peer-a] undo version 2
[NGFW_B-ike-peer-a] quit
d. Configure an IPSec proposal named tran1.
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit
e. Configure IPSec policy group map1.
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit
f. Apply IPSec policy group map1 to the outbound interface GigabitEthernet 1/0/1.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 auto-neg
[NGFW_B-GigabitEthernet1/0/1] quit
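A point-to-point tunnel of this kind only negotiates when the two sides mirror each other: the ACL source and destination are swapped, each remote-address equals the peer's tunnel interface address, and the pre-shared key is identical. The following Python check is an added example (not part of this page or of the product) that parses constructed excerpts of the two configuration scripts shown on this page and reports any mismatch; the strings NGFW_A and NGFW_B and the function names are the example's own.

```python
import re

# Constructed excerpts of the two configuration scripts on this page, reduced to
# the lines the check needs. Admin@123 is the page's example key, not a real one.
NGFW_A = """\
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike peer b
 remote-address 1.1.5.1
 pre-shared-key Admin@123
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1 auto-neg
"""
NGFW_B = """\
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ike peer a
 remote-address 1.1.3.1
 pre-shared-key Admin@123
interface GigabitEthernet1/0/1
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1 auto-neg
"""


def parse_side(cfg: str) -> dict:
    """Pull out the values whose mirror relationship the tunnel depends on."""
    flow = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", cfg)
    peer = re.search(r"remote-address (\S+)", cfg)
    psk = re.search(r"pre-shared-key (\S+)", cfg)
    # Local tunnel endpoint: the interface address directly above the applied policy.
    local = re.search(r"ip address (\S+) \S+\n\s*ipsec policy", cfg)
    return {"src": (flow[1], flow[2]), "dst": (flow[3], flow[4]),
            "peer": peer[1], "psk": psk[1], "local": local[1]}


def mirror_problems(a: dict, b: dict) -> list:
    """Return the mismatches that would stop the SAs from being negotiated."""
    probs = []
    if a["src"] != b["dst"] or a["dst"] != b["src"]:
        probs.append("ACL flows are not mirror images")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        probs.append("remote-address does not match the peer's tunnel interface")
    if a["psk"] != b["psk"]:
        probs.append("pre-shared keys differ")
    return probs


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Empty list means the two sides are consistent with each other."""
    return mirror_problems(parse_side(cfg_a), parse_side(cfg_b))
```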
Verification
1. After the configuration is complete, run the display ike sa command on NGFW_A to check the IKE SA establishment status. The following output shows that the IKE SAs have been established successfully.
[NGFW_A] display ike sa
current ike sa number: 2
---------------------------------------------------------------------------
conn-id peer flag phase ***
---------------------------------------------------------------------------
3 1.1.5.1 RD|ST|A v1:2 public
2 1.1.5.1 RD|ST|A v1:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY
A--ALONE
2. Run the display ipsec sa command on NGFW_A to check the IPSec SA establishment status. The following output shows that the IPSec SAs have been established successfully.
[NGFW_A] display ipsec sa
===============================
Interface: GigabitEthernet 1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
***: 0
-----------------------------
connection id: 3
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 12s
tunnel local : 1.1.3.1 tunnel remote: 1.1.5.1
flow source: 10.1.1.0/255.255.255.0 0/0
flow destination: 10.1.2.0/255.255.255.0 0/0
[inbound ESP SAs]
spi: 3715780278 (0xdd7a4eb6)
***: public said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max received sequence-number: 1
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3312146193 (0xc56b5711)
***: public said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 1843200/3588
max sent sequence-number: 1
udp encapsulation used for nat traversal: N
Configuration Scripts
· NGFW_A (headquarters) configuration script
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer b
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.5.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer b
alias map1_10
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit
· NGFW_B (branch) configuration script
#
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
authentication-algorithm sha2-256
integrity-algorithm hmac-sha2-256
#
ike peer a
pre-shared-key %$%$g6]1Md'q_QwX%A,v7]c1;md[%$%$
ike-proposal 10
undo version 2
remote-address 1.1.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet1/0/3
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 1.1.5.1 255.255.255.0
ipsec policy map1 auto-neg
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
rule name policy_ipsec_1
source-zone trust
destination-zone untrust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
action permit
rule name policy_ipsec_2
source-zone untrust
destination-zone trust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
action permit
rule name policy_ipsec_3
source-zone local
destination-zone untrust
source-address 1.1.5.1 32
destination-address 1.1.3.1 32
action permit
rule name policy_ipsec_4
source-zone untrust
destination-zone local
source-address 1.1.3.1 32
destination-address 1.1.5.1 32
action permit