华为防火墙和飞塔防火墙建立IPSec隧道，使两地局域网互通

以前写过总部与两个分支机构、三台华为防火墙配置ipsec，都是同一个品牌，相对来说配置比较简单。

今天这个案例，分支机构采用的是飞塔的防火墙，接入链路是电信的PPPOE拨号宽带，没有固定的公网IP；总部则是华为防火墙，有固定的公网IP。

一、客户需求

华为防火墙作为总部的企业网关，以模板方式与分支机构的飞塔防火墙建立IPSec隧道；由于分支机构的飞塔防火墙的出口公网地址不固定，因此，只能是分支主动发起协商建立IPSec隧道，总部不能主动发起协商。

IPSec配置参数规划如下图所示：

二、配置过程

1、华为防火墙的配置

华为防火墙采用模板方式的IPSec策略，不要求对端IP地址固定，且不管有多少分支，总部只需要配置1个IPSec策略，1个IKE对等体，配置较为简单；如果采用策略方式的IPSec策略，有N个分支，则总部需要配置N个IPSec策略，N个IKE对等体，配置较为复杂。

（1）配置接口，并将接口加入相应的安全区域。

配置口GE1/0/3接口，并将接口加入untrust安全区域。

[HUAWEI] interface GigabitEthernet 1/0/3

[HUAWEI-GigabitEthernet1/0/3] ip address 222.xx.xx.50 29

[HUAWEI-GigabitEthernet1/0/3] quit

[HUAWEI] firewall zone untrust

[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3

[HUAWEI-zone-untrust] quit

配置GE1/0/5接口，并将接口加入trust安全区域。

[HUAWEI] interface GigabitEthernet 1/0/5

[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.160.1 24

[HUAWEI-GigabitEthernet1/0/5] quit

[HUAWEI] firewall zone trust

[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5

[HUAWEI-zone-trust] quit

（2）配置安全策略。

配置untrust和trust之间的安全策略。

策略1：允许分支访问总部；策略2，允许总部访问分支。

[HUAWEI] security-policy

[HUAWEI-policy-security] rule name 1

[HUAWEI-policy-security-rule-1] source-zone untrust

[HUAWEI-policy-security-rule-1] destination-zone trust

[HUAWEI-policy-security-rule-1] source-address 192.168.60.0 24

[HUAWEI-policy-security-rule-1] destination-address 192.168.160.0 24

[HUAWEI-policy-security-rule-1] action permit

[HUAWEI-policy-security-rule-1] quit

[HUAWEI-policy-security] rule name 2

[HUAWEI-policy-security-rule-2] source-zone trust

[HUAWEI-policy-security-rule-2] destination-zone untrust

[HUAWEI-policy-security-rule-2] source-address 192.168.160.0 24

[HUAWEI-policy-security-rule-2] destination-address 192.168.60.0 24

[HUAWEI-policy-security-rule-2] action permit

[HUAWEI-policy-security-rule-2] quit

（3）配置local与untrust之间的安全策略。

策略3：允许华为防火墙发起IPSec隧道建立请求；策略4：允许华为防火墙接收IPSec隧道建立请求，源、目的IP地址为两端的出口公网地址。

[HUAWEI-policy-security] rule name 3

[HUAWEI-policy-security-rule-3] source-zone local

[HUAWEI-policy-security-rule-3] destination-zone untrust

[HUAWEI-policy-security-rule-3] source-address 222.xx.xx.50 29

[HUAWEI-policy-security-rule-3] action permit

[HUAWEI-policy-security-rule-3] quit

[HUAWEI-policy-security] rule name 4

[HUAWEI-policy-security-rule-4] source-zone untrust

[HUAWEI-policy-security-rule-4] destination-zone local

[HUAWEI-policy-security-rule-4]destination-address 222.xx.xx.50 29

[HUAWEI-policy-security-rule-4] action permit

[HUAWEI-policy-security-rule-4] quit

（4）配置路由。

配置连接到Internet的缺省路由

[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 222.xx.xx.49

（5）配置ACL

源地址为192.168.160.0/24，目的地址为192.168.60.0/24的报文，需要经过IPSec隧道传输。

[HUAWEI] acl 3000

[HUAWEI-acl-adv-3000] rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255

[HUAWEI-acl-adv-3000] quit

（6）配置 IKE SA。

配置IKE安全提议，指定加密算法、认证算法、DH。

[HUAWEI] ike proposal 1

[HUAWEI-ike-proposal-1] encryption-algorithm 3des

[HUAWEI-ike-proposal-1] authentication-algorithm sha1

[HUAWEI-ike-proposal-1] dh group2

[HUAWEI-ike-proposal-1] quit

配置IKE对等体，指定协商模式、IKE版本、预共享密钥。

[HUAWEI] ike peer fortigate

[HUAWEI-ike-peer-fortigate] exchange-mode main

[HUAWEI-ike-peer-fortigate] undo version 2

[HUAWEI-ike-peer-fortigate] ike-proposal 1

[HUAWEI-ike-peer-fortigate] pre-shared-key Key@hcit333

[HUAWEI-ike-peer-fortigate] quit

（7）配置IPSec安全提议，指定封装模式、安全协议，加密算法、认证算法。

[HUAWEI] ipsec proposal tran1

[HUAWEI-ipsec-proposal-tran1] transform esp

[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel

[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des

[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1

[HUAWEI-ipsec-proposal-tran1] quit

（8）配置模板及策略，绑定IKE对等体、IPSe安全提议、ACL。

[HUAWEI] ipsec policy-template tem 1

[HUAWEI-ipsec-policy-template-tem-1] security acl 3000

[HUAWEI-ipsec-policy-template-tem-1] proposal tran1

[HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate

[HUAWEI-ipsec-policy-template-tem-1] ipsec policy map1 1 isakmp template tem

[HUAWEI-ipsec-policy-template-tem-1] quit

（9）在接口上应用IPSec策略。

[HUAWEI] interface GigabitEthernet 1/0/3

[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1

[HUAWEI-GigabitEthernet1/0/3] quit

2、飞塔防火墙的配置

（1）配置接口

配置接口port03的宽带连接

Fortigate # config system interface

Fortigate (interface) # edit port03

Fortigate (port03) # set mode pppoe

Fortigate (port03) # set username xxxxxx

Fortigate (port03) # set password xxxxxx

Fortigate (port03) # set distance 5

*注意管理距离（distance），固定IP的distance值为10，PPPoE拨号的distance值为5

Fortigate (port03) # set dns-server-override enable

Fortigate (port03) # end

配置接口port10。

Fortigate # config system interface

Fortigate (interface) # edit port10

Fortigate (port10) # set ip 192.168.60.1/24

Fortigate (port10) # set allowaccess ping https telnet

Fortigate (port10) # end

（2）配置IKE SA，指定IKE SA的名称、绑定的接口、协商模式、加密算法、认证算法、预共享密钥、对端地址、DH。

Fortigate # config vpn ipsec phase1-interface

Fortigate (phase1-interface) # edit firewall

Fortigate (firewall) # set interface port03

Fortigate (firewall) # set mode main

Fortigate (firewall) # set proposal 3des-sha1

Fortigate (firewall) # set psksecret Key@hcit333

Fortigate (firewall) # set remote-gw 222.xx.xx.50

Fortigate (firewall) # set dhgrp 2

Fortigate (firewall) # end

（3）配置IPSec SA，指定IPSec SA的名称、绑定的IKE SA、加密算法、认证算法，DH。

Fortigate # config vpn ipsec phase2-interface

Fortigate (phase2-interface) # edit firewall

new entry 'firewall' added

Fortigate (firewall) # set phase1name firewall

Fortigate (firewall) # set dhgrp 2

Fortigate (firewall) # set proposal 3des-sha1

Fortigate (firewall) # set dst-subnet 192.168.160.0 255.255.255.0

Fortigate (firewall) # set src-subnet 192.168.60.0 255.255.255.0

Fortigate (firewall) # end

（3）将Tunnel口加入到untrust区域中。

Fortigate # config system zone

Fortigate (zone) # edit untrust

Fortigate (untrust) # set interface firewall

Fortigate (untrust) # end

（4）配置安全策略。

配置port03与port10之间的安全策略。

配置策略66，保证总部能够正常访问分支；

Fortigate # config firewall policy

Fortigate (policy) # edit 66

Fortigate (66) # set srcintf port03

Fortigate (66) # set dstintf port10

Fortigate (66) # set srcaddr all

Fortigate (66) # set dstaddr all

Fortigate (66) # set action accept

Fortigate (66) # set schedule always

Fortigate (66) # set service ANY

Fortigate (66) # end

配置策略99，保证分支能够访问总部。

Fortigate # config firewall policy

Fortigate (policy) # edit 99

Fortigate (99) # set srcintf port10

Fortigate (99) # set dstintf port03

Fortigate (99) # set srcaddr all

Fortigate (99) # set dstaddr all

Fortigate (99) # set action accept

Fortigate (99) # set schedule always

Fortigate (99) # set service ANY

Fortigate (99) # end

配置untrust与port10的安全策略，也就是Tunnel接口与port10之间的安全策略。

配置策略96，保证经过Tunnel接口的流量能够进入分支内网；

Fortigate # config firewall policy

Fortigate (policy) # edit 96

Fortigate (96) # set srcintf untrust

Fortigate (96) # set dstintf port10

Fortigate (96) # set srcaddr all

Fortigate (96) # set dstaddr all

Fortigate (96) # set action accept

Fortigate (96) # set schedule always

Fortigate (96) # set service ANY

Fortigate (96) # end

配置策略76，保证经过Tunnel接口的流量能够透传到外网。

Fortigate # config firewall policy

Fortigate (policy) # edit 76

Fortigate (76) # set srcintf port10

Fortigate (76) # set dstintf untrust

Fortigate (76) # set srcaddr all

Fortigate (76) # set dstaddr all

Fortigate (76) # set action accept

Fortigate (76) # set schedule always

Fortigate (76) # set service ANY

Fortigate (76) # end

（5）配置路由。

配置静态路由，将流量引入到Tunnel接口。

Fortigate # config route static

Fortigate (static) # edit 76

Fortigate (76) # set device firewall

Fortigate (76) # set dst 192.168.160.0 255.255.255.0

Fortigate (76) # end

三、验证配置

直接WEB登录华为防火墙，看一下IPSec是否已连接。

IPSec能连接，并且两端局域网能够互通，就表示配置正确；如果IPSec无法连接，大概率是两端参数配置不同，请仔细对比；如果IPSec已连接，但是两端局域网无法互通，请检查安全策略以及路由配置是否正确。