# Routing: traffic to the Huawei Cloud subnets leaves through the public-facing interface
# (default route out GigabitEthernet1/0/1). B.B.B.1 is a placeholder for the upstream
# gateway; substitute the real ISP next hop before applying this line.
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 B.B.B.1
……
3. 使用ikev1协商差异化配置说明:
# IKEv1 on this platform: there is no separate v2 flag, and the algorithm keywords differ
# from the IKEv2 example (sha256 / aes-cbc-128 / dh group14 here). Authentication is by
# pre-shared key only, so the PSK is the sole credential protecting this tunnel.
ike proposal 100
authentication-algorithm sha256 encryption-algorithm aes-cbc-128 authentication-method pre-share dh group14
sa duration 86400
# No v2 flag: a single command binds the negotiation PSK to the cloud gateway address (/32).
# NOTE(review): `key simple` means the key is typed in plaintext on the CLI; confirm that the
# running configuration stores it in cipher form before the config is shared or archived, and
# use a long random value rather than a memorable one (the masked value here is not a real key).
ike keychain IPSEC-KEY
pre-shared-key address 11.11.11.11 255.255.255.255 key simple *******
# No v2 flag: the profile carries exchange-mode and references the phase-1 proposal directly,
# so no separate ike policy is needed.
# exchange-mode main is the recommended setting. The `//aggressive` alternative noted on the next
# line is generally discouraged with pre-shared keys, because the identity travels unprotected and
# the PSK-derived hash can be captured for offline guessing; use it only if the peer cannot do
# main mode. DPD is periodic every 3 s.
ike profile IKE-PROFILE keychain IPSEC-KEY
local-identity address 22.22.22.22 exchange-mode main //aggressive dpd interval 3 periodic
# Peer matching is pinned to the cloud gateway 11.11.11.11/32 and to the local address 22.22.22.22.
match remote identity address 11.11.11.11 255.255.255.255 match local address 22.22.22.22
proposal 100
A.2 HW-USG 防火墙(V5)对接华为云配置指引
华为云配置信息说明
VPN网关IP:11.11.11.11
VPC子网:192.168.10.0/24,192.168.20.0/24
客户侧网关IP:22.22.22.22
客户侧子网:172.16.10.0/24,172.16.20.0/24,172.16.30.0/24
协商策略详情:
一阶段策略(IKE Policy)
认证算法(Authentication Algorithm): sha2-256
加密算法(Encryption Algorithm): aes-128
版本(Version): v2
DH算法(DH Algorithm): group14
生命周期(Life Cycle): 86400
二阶段策略(IPsec Policy)
传输协议(Transfer Protocol): esp
认证算法(Authentication Algorithm): sha2-256
加密算法(Encryption Algorithm): aes-128
完美前向安全(PFS): DH-group14
生命周期(Life Cycle): 86400
客户侧设备组网与基础配置假设
# Inside (trust) link: /30 point-to-point to the customer core at 10.0.0.2, which is the next hop
# for all three customer subnets in the static routes below.
interface GigabitEthernet1/0/0 ip address 10.0.0.1 255.255.255.252
# Outside (untrust) interface: public address 22.22.22.22, the customer-side VPN endpoint.
# interface GigabitEthernet1/0/1 ip address 22.22.22.22 255.255.255.0
# Default route to the ISP gateway; the IPsec tunnel rides on this path.
# ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 10.0.0.2 ip route-static 172.16.20.0 255.255.255.0 10.0.0.2 ip route-static 172.16.30.0 255.255.255.0 10.0.0.2
# Zones: inside interface in trust (priority 85), internet interface in untrust (priority 5).
# firewall zone trust set priority 85
import interface GigabitEthernet1/0/0
# firewall zone untrust set priority 5
import interface GigabitEthernet1/0/1
# Address objects for the three customer subnets, referenced later by the IPsec and NAT rules.
#ip address-set Customer-subnet172.16.10.0/24 type object address 0 172.16.10.0 mask 24
# ip address-set Customer-subnet172.16.20.0/24 type object address 0 172.16.20.0 mask 24
# ip address-set Customer-subnet172.16.30.0/24 type object address 0 172.16.30.0 mask 24
# Internet egress rule. NOTE(review): this permits every trust->untrust flow with no source,
# destination or service restriction. Acceptable as a baseline assumption for the guide, but in
# production constrain it to the services actually needed and keep session logging on.
# security-policy
rule name Policy-Internet policy logging
session logging source-zone trust destination-zone untrust action permit
# Source NAT for internet traffic on the outside interface (easy-ip translates to the interface
# address). Once IPsec is added, a no-nat rule for customer->cloud traffic has to be evaluated
# before this one: a translated source address (22.22.22.22) would never match the IPsec ACL,
# so VPN-bound packets would leave in the clear.
# nat-policy
rule name Snat_Internet source-zone trust
egress-interface GigabitEthernet1/0/1 action nat easy-ip
IPsec 配置指引
1. WEB页面VPN配置过程说明:
登录设备WEB管理界面,在导航栏中选择“网络 > IPsec”,选择新建IPsec策略。
2. 命令行配置说明:
# Address objects for the two cloud VPC subnets.
ip address-set HWCloud_subnet192.168.10.0/24 type object address 0 192.168.10.0 mask 24
#ip address-set HWCloud_subnet192.168.20.0/24 type object address 0 192.168.20.0 mask 24
# Phase-1 proposal. The configuration form is the same for IKEv1 and IKEv2: IKEv1 negotiates
# authentication + encryption, IKEv2 negotiates encryption, integrity and PRF.
# NOTE(review): as excerpted, only the authentication algorithm and the lifetime are set. The
# cloud policy expects sha2-256 / aes-128 / DH group14 for phase 1, so check whether the
# encryption, integrity/PRF and DH lines were dropped from this listing or whether the device
# defaults already match; a mismatch here means phase 1 never completes.
ike proposal 100
authentication-algorithm sha2-256 sa duration 86400
# Peer: pin the IKE version (`undo version 1` leaves only IKEv2, matching the cloud's "v2"),
# reference the phase-1 proposal and set the PSK. If IKEv1 were used instead (`undo version 2`),
# exchange-mode would also have to be configured. The PSK (masked here) is the only credential
# authenticating the cloud gateway: use a long random value and keep it out of shared documents.
ike peer IKE-PEER undo version 1 pre-shared-key ******
ike-proposal 100
# Remote endpoint fixed to the cloud VPN gateway; periodic DPD tears the SA down if the peer dies.
remote-address 11.11.11.11 dpd type periodic
# Interesting traffic: every customer subnet to every cloud subnet (3 x 2 pairs; rule number 3 is
# simply unused). These pairs must mirror the subnets configured on the cloud side, otherwise
# SA negotiation for the mismatched pair fails.
acl number 3999
rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Phase-2 proposal: ESP, tunnel mode, sha2-256 / aes-128 -- matches the cloud IPsec policy.
ipsec proposal IPSEC-PH2 transform esp
encapsulation-mode tunnel
esp authentication-algorithm sha2-256 esp encryption-algorithm aes-128
# IPsec policy: ties together the ike peer, the phase-2 proposal and the ACL. PFS dh-group14
# matches the cloud policy and must be enabled on both sides.
# NOTE(review): the cloud IPsec policy lists a phase-2 lifetime of 86400 s, while this sets
# 3600 s. Peers normally converge on the shorter value, but align the two to avoid rekey surprises.
ipsec policy IPSEC-HW 1 isakmp proposal IPSEC-PH2
security acl 3999 ike-peer IKE-PEER tunnel local 22.22.22.22 pfs dh-group14
sa duration time-based 3600
# Global: clamp the TCP MSS so segments still fit after the ESP/tunnel overhead (avoids
# fragmentation inside the tunnel).
firewall tcp-mss 1300
# Bind the IPsec policy to the outside interface.
# NOTE(review): "B.B.B.Y" on the next line is a leftover template placeholder; in this scenario
# GigabitEthernet1/0/1 is already 22.22.22.22/24 (see the base configuration). Only
# `ipsec apply policy IPSEC-HW` needs to be entered under the interface -- do not re-address it.
interface GigabitEthernet1/0/1 ip address B.B.B.Y 255.255.255.0 ipsec apply policy IPSEC-HW
# Security policy for the encrypted traffic, scoped to exactly the customer and cloud subnets in
# both directions (IPSEC-OUT: trust->untrust, IPSEC-IN: untrust->trust). Keep these rules ahead
# of any broader rule so they are the ones that match.
#security-policy rule name IPSEC-OUT policy logging session logging source-zone trust destination-zone untrust
source-address address-set Customer-subnet172.16.10.0/24
source-address address-set Customer-subnet172.16.20.0/24 source-address address-set Customer-subnet172.16.30.0/24 destination-address address-set HWCloud_subnet192.168.10.0/24 destination-address address-set HWCloud_subnet192.168.20.0/24 action permit
rule name IPSEC-IN policy logging session logging source-zone untrust destination-zone trust
source-address address-set HWCloud_subnet192.168.10.0/24 source-address address-set HWCloud_subnet192.168.20.0/24 destination-address address-set Customer-subnet172.16.10.0/24 destination-address address-set Customer-subnet172.16.20.0/24 destination-address address-set Customer-subnet172.16.30.0/24 action permit
# IKE/IPsec negotiation between the two gateway addresses.
# NOTE(review): as written this rule permits ANY protocol between 11.11.11.11 and 22.22.22.22 in
# either direction, with no zone and no service constraint. Narrow it to what the tunnel needs --
# UDP 500 (ISAKMP), UDP 4500 (NAT-T) and ESP -- and to the untrust<->local zone pair if the
# platform supports it, so the public address pair does not become a blanket allow.
rule name IPSEC-NEG-pass logging enable
counting enable
source-ip 11.11.11.11 255.255.255.255 source-ip 22.22.22.22 255.255.255.255 destination-ip 11.11.11.11 255.255.255.255 destination-ip 22.22.22.22 255.255.255.255 action permit
# The existing internet rule stays below the IPsec rules.
rule name Policy-Internet
……# nat policy
# NAT exemption for customer->cloud traffic: keeps the private source address so the packets
# match ACL 3999 and enter the tunnel. This rule must be evaluated before Snat_Internet (it is
# listed first here); with the order reversed, easy-ip would translate the source and the
# traffic would bypass the tunnel.
rule name IPSEC_NONAT description IPSEC_NONAT source-zone trust destination-zone untrust
source-address address-set Customer-subnet172.16.10.0/24 source-address address-set Customer-subnet172.16.20.0/24 source-address address-set Customer-subnet172.16.30.0/24 destination-address address-set HWCloud_subnet192.168.10.0/24 destination-address address-set HWCloud_subnet192.168.20.0/24 action no-nat
# Existing internet source NAT follows.
rule name Snat_Internet
……
# Routing: cloud-bound traffic (and the IPsec tunnel itself) leaves via the public interface
# through the ISP gateway 22.22.22.1 -- the same default route as in the base configuration.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 22.22.22.1