Huawei Cloud configuration details
VPN gateway IP: 11.11.11.11
VPC subnets: 192.168.10.0/24, 192.168.20.0/24
Customer-side gateway IP: 22.22.22.22
Customer-side subnets: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24
Negotiation policy details:
Phase 1 policy (IKE Policy)
Authentication Algorithm: sha2-256; Encryption Algorithm: aes-128; Version: v2
DH Algorithm: group14; Life Cycle: 86400
Phase 2 policy (IPsec Policy)
Transfer Protocol: esp
Authentication Algorithm: sha2-256; Encryption Algorithm: aes-128; PFS: DH-group14
Life Cycle: 86400
Customer-side device topology and baseline configuration assumptions
1. The customer-side baseline network configuration is assumed to be as follows:
Internal interface: GigabitEthernet1/0/0, in zone Trust, with interface IP 10.0.0.1/30.
interface GigabitEthernet1/0/0
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
security-zone name Trust
 import interface GigabitEthernet1/0/0
security-zone name Untrust
 import interface GigabitEthernet1/0/1
security-policy ip
 rule 0 name Policy-Internet
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
object-group ip address Customer-subnet172.16.10.0/24
 0 network subnet 172.16.10.0 255.255.255.0
object-group ip address Customer-subnet172.16.20.0/24
 0 network subnet 172.16.20.0 255.255.255.0
object-group ip address Customer-subnet172.16.30.0/24
 0 network subnet 172.16.30.0 255.255.255.0
nat policy
 rule name Snat_Internet
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  outbound-interface GigabitEthernet1/0/1
  action easy-ip
  port-preserved
IPsec configuration guide
1. VPN configuration procedure in the web UI:
Log in to the device's web management interface and choose "VPN > IPsec" in the navigation bar.
a. Configure an IKE proposal: create a new IKE proposal and set the authentication method, authentication algorithm, encryption algorithm, DH group and lifetime to the same values as the Huawei Cloud parameters.
b. Configure the IPsec policy:
In Basic Settings, set the device role to peer/branch node, set the IP address type to IPv4, and for the interface select the external
object-group ip address HWCloud_subnet192.168.10.0/24
 0 network subnet 192.168.10.0 255.255.255.0
object-group ip address HWCloud_subnet192.168.20.0/24
 0 network subnet 192.168.20.0 255.255.255.0
# Phase 1 proposal; the algorithms are identical to the Huawei Cloud side
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
 prf sha256
# Pre-shared key for negotiation; the PSK must be identical on both ends
ikev2 keychain IPSEC-KEY
 peer keypeername
  address 11.11.11.11 255.255.255.255
  pre-shared-key local plaintext ******
  pre-shared-key remote plaintext ******
# IKEv2 profile: references the PSK keychain and matches the public IPs of both ends
ikev2 profile IKE-PROFILE
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain IPSEC-KEY
 identity local address 22.22.22.22
 match local address 22.22.22.22
 match remote identity address 11.11.11.11 255.255.255.255
 sa duration 86400
# IKE policy (comparable to an IKE peer): references the phase 1 proposal and associates it with the interface IP
ikev2 policy IKE-PEER
 proposal 100
 match local address 22.22.22.22
# Interesting traffic
acl advanced 3999
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Phase 2 proposal
ipsec transform-set IPSEC-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
# IPsec policy: references the interesting-traffic ACL and the phase 2 proposal
ipsec policy IPSEC-HW 1 isakmp
 transform-set IPSEC-PH2
 security acl 3999
 local-address 22.22.22.22
 remote-address 11.11.11.11
 ikev2-profile IKE-PROFILE
 sa duration time-based 3600
# Bind the IPsec policy to the negotiating interface
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
 tcp mss 1300
 ipsec apply policy IPSEC-HW
# Security policy: permit traffic between the private networks on both ends, and between the two public IPs
security-policy ip
 rule 1 name IPSEC-OUT
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
 rule 2 name IPSEC-IN
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip HWCloud_subnet192.168.10.0/24
  source-ip HWCloud_subnet192.168.20.0/24
  destination-ip Customer-subnet172.16.10.0/24
  destination-ip Customer-subnet172.16.20.0/24
  destination-ip Customer-subnet172.16.30.0/24
 rule 3 name IPSEC-NEG-pass
  action pass
  logging enable
  counting enable
  source-ip 11.11.11.11 255.255.255.255
  source-ip 22.22.22.22 255.255.255.255
  destination-ip 11.11.11.11 255.255.255.255
  destination-ip 22.22.22.22 255.255.255.255
 rule 0 name Policy-Internet
  ……
# NAT policy: traffic from the local subnets to the Huawei Cloud subnets must be no-nat
nat policy
 rule name IPSEC_NONAT
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
  outbound-interface GigabitEthernet1/0/1
  action no-nat
 rule name Snat_Internet
  ……
# Routing: traffic to the Huawei Cloud subnets leaves through the public interface
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 B.B.B.1
……
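The phase 1 and phase 2 parameters above have to agree with the Huawei Cloud policy, and ACL 3999 has to permit every customer/cloud subnet pair, otherwise the child SA for that pair is never negotiated. The following Python script is an added example, not part of this guide and not a Huawei or H3C tool: it parses the guide's own proposal, transform-set and ACL lines (embedded below as a string), maps the two vendors' algorithm spellings onto one canonical name, and reports parameter mismatches and uncovered subnet pairs. The ALIASES table, the function names and the parsing rules are the example's own assumptions.

```python
"""Added example (not part of the original guide): check that the customer-side
Comware IKEv2/IPsec parameters match the Huawei Cloud policy, and that the
interesting-traffic ACL covers every local/remote subnet pair."""
import ipaddress
import itertools
import re

# Huawei Cloud side, as listed at the top of the guide. Lifetimes are deliberately
# left out: IKEv2 does not negotiate them, so a mismatch only decides who rekeys first.
CLOUD_POLICY = {
    "ike":   {"auth": "sha2-256", "enc": "aes-128", "dh": "group14"},
    "ipsec": {"auth": "sha2-256", "enc": "aes-128", "pfs": "DH-group14"},
}
CLOUD_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]
LOCAL_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]

# Customer-side Comware excerpt copied from the guide (proposal, transform-set, ACL).
COMWARE_CONFIG = """\
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
 prf sha256
ipsec transform-set IPSEC-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
acl advanced 3999
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""

# The two vendors spell the same algorithm differently (assumed mapping for this example).
ALIASES = {"sha2-256": "sha256", "aes-128": "aes-cbc-128", "dh-group14": "group14"}


def canon(name):
    name = name.lower()
    return ALIASES.get(name, name)


def wildcard_to_net(addr, wildcard):
    """Comware ACLs use wildcard (inverse) masks; convert to a CIDR network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_comware(text):
    """Pull the IKEv2 proposal, transform-set and ACL rules out of a Comware excerpt."""
    found, view = {"ike": {}, "ipsec": {}, "acl": []}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):        # an unindented line opens a new view
            view = words[0]
            continue
        if view == "ikev2":
            key = {"integrity": "auth", "encryption": "enc", "dh": "dh"}.get(words[0])
            if key:
                found["ike"][key] = words[1]
        elif view == "ipsec":
            if words[0] == "pfs":
                found["ipsec"]["pfs"] = words[1]
            elif words[0] == "esp":
                found["ipsec"]["auth" if words[1].startswith("auth") else "enc"] = words[2]
        elif view == "acl":
            m = re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", raw.strip())
            if m:
                found["acl"].append((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
    return found


def compare_policies(cloud, local):
    """(phase, parameter, cloud value, local value) for every parameter that disagrees."""
    mismatches = []
    for phase in ("ike", "ipsec"):
        for key, cloud_val in cloud[phase].items():
            local_val = local[phase].get(key)
            if local_val is None or canon(local_val) != canon(cloud_val):
                mismatches.append((phase, key, cloud_val, local_val))
    return mismatches


def acl_gaps(local_subnets, remote_subnets, acl_rules):
    """Local x remote pairs with no permitting ACL rule: phase 2 never comes up for them."""
    gaps = []
    for src, dst in itertools.product(local_subnets, remote_subnets):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in acl_rules):
            gaps.append((src, dst))
    return gaps


if __name__ == "__main__":
    parsed = parse_comware(COMWARE_CONFIG)
    print("parameter mismatches:", compare_policies(CLOUD_POLICY, parsed))
    print("uncovered subnet pairs:", acl_gaps(LOCAL_SUBNETS, CLOUD_SUBNETS, parsed["acl"]))
```

Run as-is, both printed lists are empty for the guide's configuration. Dropping one ACL rule from COMWARE_CONFIG, or changing an algorithm keyword on either side, makes the corresponding check name the exact pair or parameter that would stop the tunnel from coming up.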
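Both the nat policy and the security-policy above are evaluated top-down with first match, which is why IPSEC_NONAT must sit above Snat_Internet and why IPSEC-IN and IPSEC-NEG-pass exist in addition to Policy-Internet. The following Python script is an added example, not part of this guide and not Comware code: it models the guide's rules with constructed packet addresses and shows what each ordering does to the VPN traffic. The Rule class, the zone handling and the default actions (no translation when no NAT rule matches, deny when no security rule matches) are the example's own simplifications of the firewall's behaviour.

```python
"""Added example (not part of the original guide): first-match evaluation of the
guide's nat policy and security-policy, to show why rule order matters for the
IPsec traffic. Rule contents come from the guide; packet addresses are constructed."""
import ipaddress

LOCAL = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]   # Customer-subnet objects
CLOUD = ["192.168.10.0/24", "192.168.20.0/24"]                    # HWCloud_subnet objects
PEERS = ["11.11.11.11/32", "22.22.22.22/32"]                      # the two gateway IPs


class Rule:
    """One policy rule: an empty address list or a None zone means 'any'."""
    def __init__(self, name, action, src=(), dst=(), src_zone=None, dst_zone=None):
        self.name, self.action = name, action
        self.src = [ipaddress.ip_network(n) for n in src]
        self.dst = [ipaddress.ip_network(n) for n in dst]
        self.src_zone, self.dst_zone = src_zone, dst_zone

    def matches(self, src_ip, dst_ip, src_zone, dst_zone):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return ((not self.src or any(s in n for n in self.src))
                and (not self.dst or any(d in n for n in self.dst))
                and self.src_zone in (None, src_zone)
                and self.dst_zone in (None, dst_zone))


def first_match(rules, src_ip, dst_ip, src_zone=None, dst_zone=None):
    """Rules are tried top-down and the first hit wins; None means nothing matched."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, src_zone, dst_zone):
            return rule
    return None


# nat policy, in the order the guide lists it
NAT_POLICY = [
    Rule("IPSEC_NONAT", "no-nat", src=LOCAL, dst=CLOUD),
    Rule("Snat_Internet", "easy-ip", src=LOCAL),
]

# security-policy ip, in the order the guide lists it (rule 3 has no zones in the guide)
SECURITY_POLICY = [
    Rule("IPSEC-OUT", "pass", src=LOCAL, dst=CLOUD, src_zone="Trust", dst_zone="Untrust"),
    Rule("IPSEC-IN", "pass", src=CLOUD, dst=LOCAL, src_zone="Untrust", dst_zone="Trust"),
    Rule("IPSEC-NEG-pass", "pass", src=PEERS, dst=PEERS),
    Rule("Policy-Internet", "pass", src_zone="Trust", dst_zone="Untrust"),
]


def nat_action(rules, src_ip, dst_ip):
    """Translation applied to an outbound flow; assumed: no matching rule = no translation."""
    hit = first_match(rules, src_ip, dst_ip)
    return hit.action if hit else "no-nat"


def security_action(rules, src_ip, dst_ip, src_zone, dst_zone):
    """Verdict for an inter-zone flow; assumed default for unmatched traffic is deny."""
    hit = first_match(rules, src_ip, dst_ip, src_zone, dst_zone)
    return hit.action if hit else "deny"


if __name__ == "__main__":
    # Correct order: VPN traffic keeps its private source, so it still matches ACL 3999.
    print(nat_action(NAT_POLICY, "172.16.10.5", "192.168.20.7"))        # no-nat
    print(nat_action(NAT_POLICY, "172.16.10.5", "203.0.113.9"))         # easy-ip
    # Reversed order: the same packet is SNATed to the public IP and never enters the tunnel.
    print(nat_action(NAT_POLICY[::-1], "172.16.10.5", "192.168.20.7"))  # easy-ip
    # Cloud-to-customer traffic is only passed because IPSEC-IN exists.
    print(security_action(SECURITY_POLICY, "192.168.10.9", "172.16.30.4", "Untrust", "Trust"))  # pass
    print(security_action(SECURITY_POLICY, "198.51.100.7", "172.16.30.4", "Untrust", "Trust"))  # deny
```

Reordering NAT_POLICY or removing IPSEC-IN from SECURITY_POLICY and re-running reproduces the two most common symptoms of this setup: phase 2 that never comes up because the SNATed packets no longer hit ACL 3999, and a tunnel that is up but only passes traffic in one direction.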
3. Differences in the configuration when negotiating with IKEv1:
# No "v2" keyword, and the algorithm keywords differ
ike proposal 100
 authentication-algorithm sha256
 encryption-algorithm aes-cbc-128
 authentication-method pre-share
 dh group14
 sa duration 86400
# No "v2" keyword; the negotiation PSK is configured with a single command
ike keychain IPSEC-KEY
 pre-shared-key address 11.11.11.11 255.255.255.255 key simple *******
# No "v2" keyword; exchange-mode is added, and the profile references the phase 1 proposal directly, so no separate ike policy is needed
ike profile IKE-PROFILE
 keychain IPSEC-KEY
 local-identity address 22.22.22.22
 exchange-mode main    // or aggressive
 dpd interval 3 periodic
 match remote identity address 11.11.11.11 255.255.255.255
 match local address 22.22.22.22
 proposal 100