Checking IPSec status on a Huawei firewall (Huawei firewall to Huawei Cloud IPSec interconnection)

Networking requirements

As shown in the figure below, an NGFW and an H3C SecPath M9006 act as the enterprise gateways of the headquarters and a branch respectively, each connected to the Internet. The enterprise needs an IPSec tunnel between the NGFW and the M9006 so that the headquarters and branch intranets can communicate securely.

Because the public egress addresses of both the NGFW and the M9006 are fixed, the IPSec tunnel can be set up with an IPSec policy (ISAKMP mode). In this mode, either end can initiate negotiation to establish the tunnel.


Procedure

Step 1: Configure the NGFW.

1. Configure the interfaces and add them to security zones.

# Configure interface GE1/0/9 and add it to the untrust zone.

<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/9
[NGFW-GigabitEthernet1/0/9] ip address 1.1.1.1 24
[NGFW-GigabitEthernet1/0/9] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/9
[NGFW-zone-untrust] quit

# Configure interface GE1/0/5 and add it to the trust zone.

[NGFW] interface GigabitEthernet 1/0/5
[NGFW-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[NGFW-GigabitEthernet1/0/5] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/5
[NGFW-zone-trust] quit

2. Configure security policies.

# Configure the security policies between the untrust and trust zones.

# Policy 1 allows the branch to reach the headquarters; policy 2 allows the headquarters to reach the branch.

[NGFW] security-policy
[NGFW-policy-security] rule name 1
[NGFW-policy-security-rule-1] source-zone untrust
[NGFW-policy-security-rule-1] destination-zone trust
[NGFW-policy-security-rule-1] source-address 192.168.0.0 24
[NGFW-policy-security-rule-1] destination-address 192.168.10.0 24
[NGFW-policy-security-rule-1] action permit
[NGFW-policy-security-rule-1] quit
[NGFW-policy-security] rule name 2
[NGFW-policy-security-rule-2] source-zone trust
[NGFW-policy-security-rule-2] destination-zone untrust
[NGFW-policy-security-rule-2] source-address 192.168.10.0 24
[NGFW-policy-security-rule-2] destination-address 192.168.0.0 24
[NGFW-policy-security-rule-2] action permit
[NGFW-policy-security-rule-2] quit

# Configure the security policies between the local and untrust zones.

# Policy 3 allows the NGFW to initiate IPSec tunnel negotiation; policy 4 allows the NGFW to accept tunnel negotiation requests. The source and destination addresses are the public egress addresses of the two ends.

[NGFW-policy-security] rule name 3
[NGFW-policy-security-rule-3] source-zone local
[NGFW-policy-security-rule-3] destination-zone untrust
[NGFW-policy-security-rule-3] source-address 1.1.1.1 24
[NGFW-policy-security-rule-3] destination-address 2.2.2.2 24
[NGFW-policy-security-rule-3] action permit
[NGFW-policy-security-rule-3] quit
[NGFW-policy-security] rule name 4
[NGFW-policy-security-rule-4] source-zone untrust
[NGFW-policy-security-rule-4] destination-zone local
[NGFW-policy-security-rule-4] source-address 2.2.2.2 24
[NGFW-policy-security-rule-4] destination-address 1.1.1.1 24
[NGFW-policy-security-rule-4] action permit
[NGFW-policy-security-rule-4] quit

3. Configure routes.

# Configure a default route to the Internet, assuming the next hop is 1.1.1.2.

[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

4. Configure an ACL that defines the traffic to be protected.

# Packets from 192.168.10.0/24 to 192.168.0.0/24 must be carried over the IPSec tunnel.

[NGFW] acl 3000
[NGFW-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[NGFW-acl-adv-3000] quit

5. Configure the IKE SA.

# Configure the IKE proposal: encryption algorithm, authentication algorithm and DH group. This example uses IKEv1, so no integrity algorithm needs to be configured.

[NGFW] ike proposal 1
[NGFW-ike-proposal-1] encryption-algorithm 3des
[NGFW-ike-proposal-1] authentication-algorithm sha1
[NGFW-ike-proposal-1] dh group2
[NGFW-ike-proposal-1] quit

# Configure the IKE peer: negotiation mode, IKE version, pre-shared key and peer IP address.

[NGFW] ike peer h3c
[NGFW-ike-peer-h3c] exchange-mode main
[NGFW-ike-peer-h3c] undo version 2
[NGFW-ike-peer-h3c] ike-proposal 1
[NGFW-ike-peer-h3c] pre-shared-key Key@123
[NGFW-ike-peer-h3c] remote-address 2.2.2.2
[NGFW-ike-peer-h3c] quit

6. Configure the IPSec proposal: encapsulation mode, security protocol, encryption algorithm and authentication algorithm.

[NGFW] ipsec proposal tran1
[NGFW-ipsec-proposal-tran1] transform esp
[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW-ipsec-proposal-tran1] esp encryption-algorithm 3des
[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha1
[NGFW-ipsec-proposal-tran1] quit

7. Configure an ISAKMP-mode IPSec policy that binds the IKE peer, the IPSec proposal and the ACL.

[NGFW] ipsec policy map1 1 isakmp
[NGFW-ipsec-policy-isakmp-map1-1] ike-peer h3c
[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1
[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000
[NGFW-ipsec-policy-isakmp-map1-1] quit

8. Apply the IPSec policy to the interface.

[NGFW] interface GigabitEthernet 1/0/9
[NGFW-GigabitEthernet1/0/9] ipsec policy map1
[NGFW-GigabitEthernet1/0/9] quit

Step 2: Configure the M9006.

1. Configure the interfaces and add them to security zones.

# Configure interface GE2/0/10 (Ten-GigabitEthernet2/0/10 in the commands) and add it to the Untrust zone.

<H3C> system-view
[H3C] interface Ten-GigabitEthernet2/0/10
[H3C-Ten-GigabitEthernet2/0/10] port link-mode route
[H3C-Ten-GigabitEthernet2/0/10] ip address 2.2.2.2 255.255.255.0
[H3C-Ten-GigabitEthernet2/0/10] quit
[H3C] security-zone name Untrust
[H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10
[H3C-security-zone-Untrust] quit

# Configure interface GE2/0/9 (Ten-GigabitEthernet2/0/9 in the commands) and add it to the Trust zone.

[H3C] interface Ten-GigabitEthernet2/0/9
[H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24
[H3C-Ten-GigabitEthernet2/0/9] quit
[H3C] security-zone name Trust
[H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9
[H3C-security-zone-Trust] quit

2. Configure security policies.

# Configure two address object groups, one for the headquarters network and one for the branch network.

[H3C] object-group ip address trust1
[H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24
[H3C-obj-grp-ip-trust1] quit
[H3C] object-group ip address untrust1
[H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24
[H3C-obj-grp-ip-untrust1] quit

# Configure the object policies.

[H3C] object-policy ip trust-untrust
[H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1
[H3C-object-policy-ip-trust-untrust] quit
[H3C] object-policy ip untrust-trust
[H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1
[H3C-object-policy-ip-untrust-trust] quit

# Configure the security policies between the untrust and trust zones so that the headquarters and branch networks can reach each other.

[H3C] zone-pair security source trust destination untrust
[H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust
[H3C-zone-pair-security-Trust-Untrust] quit
[H3C] zone-pair security source untrust destination trust
[H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust
[H3C-zone-pair-security-Untrust-Trust] quit

# Configure an ACL for the security policies between the local and untrust zones.

[H3C] acl advanced 3999
[H3C-acl-ipv4-adv-3999] rule 0 permit ip
[H3C-acl-ipv4-adv-3999] quit

# Configure the security policies between the local and untrust zones.

[H3C] zone-pair security source untrust destination local
[H3C-zone-pair-security-Untrust-Local] packet-filter 3999
[H3C-zone-pair-security-Untrust-Local] quit
[H3C] zone-pair security source local destination untrust
[H3C-zone-pair-security-Local-Untrust] packet-filter 3999
[H3C-zone-pair-security-Local-Untrust] quit

3. Configure routes.

# Configure a default route to the Internet, assuming the next hop is 2.2.2.3.

[H3C] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3

4. Configure an ACL that defines the traffic to be protected.

# Packets from 192.168.0.0/24 to 192.168.10.0/24 must be carried over the IPSec tunnel. The traffic defined here must be the mirror image of the traffic defined on the NGFW; otherwise negotiation fails.

[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] quit

5. Configure the IKE proposal.

# Configure the IKE proposal: encryption algorithm, authentication algorithm, DH group and authentication method. The values must match the NGFW configuration exactly.

# For the authentication algorithm, set sha; on the M9006, sha means SHA-1.

[H3C] ike proposal 1
[H3C-ike-proposal-1] encryption-algorithm 3des
[H3C-ike-proposal-1] authentication-method pre-share
[H3C-ike-proposal-1] authentication-algorithm sha
[H3C-ike-proposal-1] dh group2
[H3C-ike-proposal-1] quit

6. Configure the keychain.

[H3C] ike keychain keychain1
[H3C-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
[H3C-ike-keychain-keychain1] quit

7. Configure the IKE profile.

[H3C] ike profile profile1
[H3C-ike-profile-profile1] keychain keychain1
[H3C-ike-profile-profile1] proposal 1
[H3C-ike-profile-profile1] exchange-mode main
[H3C-ike-profile-profile1] local-identity address 2.2.2.2
[H3C-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[H3C-ike-profile-profile1] match local address Ten-GigabitEthernet2/0/10
[H3C-ike-profile-profile1] quit

8. Configure the IPSec transform set (IPSec proposal).

# Specify the encapsulation mode, security protocol, encryption algorithm and authentication algorithm. The values must match the NGFW configuration exactly.

[H3C] ipsec transform-set tran1
[H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel
[H3C-ipsec-transform-set-tran1] protocol esp
[H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[H3C-ipsec-transform-set-tran1] quit

9. Configure the IPSec policy.

[H3C] ipsec policy map1 1 isakmp
[H3C-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1
[H3C-ipsec-policy-isakmp-map1-1] security acl 3000
[H3C-ipsec-policy-isakmp-map1-1] transform-set tran1
[H3C-ipsec-policy-isakmp-map1-1] ike-profile profile1
[H3C-ipsec-policy-isakmp-map1-1] quit

10. Apply the IPSec policy to the interface.

[H3C] interface Ten-GigabitEthernet2/0/10
[H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1
[H3C-Ten-GigabitEthernet2/0/10] quit

Summary

· The key to IPSec interoperation is that the parameters configured on both ends must be exactly identical. Do not rely on default values on either end when configuring (the defaults almost never match); follow the data planning table and keep the parameters consistent on both sides.

· When configuring the profile on the M9006, match local address specifies the scope in which the profile applies. The H3C configuration guide marks this command as optional, but when interoperating with the NGFW the M9006 cannot find the interface the profile applies to if it is omitted, so it is recommended to run this command; otherwise tunnel negotiation fails.
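As an added example (not from this page or from either vendor), a small Python checker that encodes the two interoperability rules the page stresses: the protected-traffic ACLs on the two ends must mirror each other, and the IKE/IPSec parameters must match exactly, with the M9006's sha treated as sha1. The ACL rules and parameter tables are constructed from the configuration above; the parameter names and the alias table are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the page's two protected-traffic ACLs (NGFW acl 3000, M9006 acl 3000).
NGFW_ACL = "rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255"
H3C_ACL = "rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255"

# Phase-1 / phase-2 values as each side configures them (constructed from the page).
NGFW_PARAMS = {"ike_enc": "3des", "ike_auth": "sha1", "dh": "group2", "mode": "main",
               "esp_enc": "3des", "esp_auth": "sha1", "encap": "tunnel", "psk": "Key@123"}
H3C_PARAMS = {"ike_enc": "3des", "ike_auth": "sha", "dh": "group2", "mode": "main",
              "esp_enc": "3des", "esp_auth": "sha1", "encap": "tunnel", "psk": "Key@123"}

# Comware spells SHA-1 as "sha"; normalise such vendor aliases before comparing.
H3C_ALIAS = {"sha": "sha1"}

# Matches both VRP ("rule permit ip ...") and Comware ("rule 0 permit ip ...") forms.
ACL_RE = re.compile(r"rule\s+(?:\d+\s+)?permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                    r"\s+destination\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Address plus inverted (wildcard) mask -> IPv4Network; the wildcard is inverted
    explicitly so a host entry (0.0.0.0) is /32 and an any entry (255.255.255.255) is /0."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def parse_protected_flow(rule):
    """Return (source_network, destination_network) selected by one ACL rule."""
    m = ACL_RE.search(rule)
    if m is None:
        raise ValueError("unsupported ACL rule: " + rule)
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])

def acls_are_mirrored(local_rule, remote_rule):
    """Phase-2 selectors agree only if each side's (src, dst) is the peer's (dst, src)."""
    lsrc, ldst = parse_protected_flow(local_rule)
    rsrc, rdst = parse_protected_flow(remote_rule)
    return lsrc == rdst and ldst == rsrc

def mismatched_params(ngfw, h3c):
    """Names of parameters whose values still differ after alias normalisation."""
    return sorted(k for k, v in ngfw.items()
                  if H3C_ALIAS.get(h3c.get(k), h3c.get(k)) != v)

if __name__ == "__main__":
    print("ACLs mirrored:", acls_are_mirrored(NGFW_ACL, H3C_ACL))
    print("Mismatched parameters:", mismatched_params(NGFW_PARAMS, H3C_PARAMS))
```

The same mask conversion also shows why the local/untrust rules 3 and 4 above, written with a 24-bit mask on 1.1.1.1 and 2.2.2.2, admit a whole /24 rather than the single peer; in production, host (32-bit) entries limit IKE and ESP to the two gateways.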