
I have previously written about configuring IPsec between a head office and two branches on three Huawei firewalls; with a single vendor on every site the configuration is comparatively simple.
In this case the branch uses a Fortinet FortiGate firewall on a China Telecom PPPoE dial-up link with no fixed public IP, while the head office uses a Huawei firewall with a fixed public IP.

The Huawei firewall acts as the head-office gateway and builds the IPsec tunnel to the branch FortiGate using a policy template. Because the FortiGate's public address is not fixed, only the branch can initiate IKE negotiation; the head office cannot initiate and only responds.
The planned IPsec parameters are shown in the figure below.

1. Huawei firewall configuration
The Huawei firewall uses a template-mode IPsec policy, which does not require the peer IP address to be fixed; however many branches there are, the head office needs one IPsec policy and one IKE peer. With policy-mode (ISAKMP) IPsec, N branches would require N IPsec policies and N IKE peers, which is considerably more work. The trade-off of the template approach is that a single IKE peer means a single pre-shared key shared by every branch, and because the responder cannot tie the key to a peer address, a key leaked from any one branch lets anyone, from any address, negotiate a tunnel to the head office. Rotate the key if a branch device is lost, and consider certificate authentication once the number of branches justifies it.
(1) Configure the interfaces and add them to their security zones.
Configure GE1/0/3 and add it to the untrust zone.
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 222.xx.xx.50 29
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit
Configure GE1/0/5 and add it to the trust zone.
[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.160.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit
(2) Configure security policies.
Policies between untrust and trust.
Rule 1 allows the branch LAN to reach the head office; rule 2 allows the head office to reach the branch LAN. Both are scoped to the two LAN subnets rather than any/any.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.60.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.160.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.160.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.60.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
(3) Configure the security policy between local and untrust.
Rule 3 allows IKE/ESP traffic that the firewall itself originates toward untrust; rule 4 allows the firewall to accept incoming IKE negotiation and ESP from the branch. The original note says the source and destination are the two public exit addresses, but only the head-office address can be pinned here, because the branch address changes with every PPPoE session. To avoid leaving the firewall's local zone open to arbitrary untrust traffic, restrict both rules to the IKE ports (UDP 500, plus UDP 4500 for NAT-T) and ESP.
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 222.xx.xx.50 29
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] destination-address 222.xx.xx.50 29
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
(4) Configure routing.
Configure the default route to the Internet.
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 222.xx.xx.49
(5) Configure the ACL.
Traffic from 192.168.160.0/24 to 192.168.60.0/24 is sent through the IPsec tunnel. This ACL is the tunnel's traffic selector and must be the exact mirror image of the FortiGate's src-subnet/dst-subnet.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.160.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
(6) Configure the IKE SA.
Configure the IKE proposal: encryption algorithm, authentication algorithm and DH group. 3DES, SHA-1 and DH group 2 (1024-bit MODP) are what this deployment used and both vendors still accept them, but they are legacy choices; AES-256, SHA-256 and DH group 14 are supported on both platforms and should be used for a new deployment, with identical values on both ends.
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
Configure the IKE peer: negotiation mode, IKE version and pre-shared key. No remote address is configured because the branch address is dynamic; undo version 2 restricts the peer to IKEv1 to match the FortiGate phase 1.
[HUAWEI] ike peer fortigate
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] ike-proposal 1
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@hcit333
[HUAWEI-ike-peer-fortigate] quit
(7) Configure the IPsec proposal: encapsulation mode, security protocol, encryption algorithm and authentication algorithm.
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit
(8) Configure the policy template and the IPsec policy, binding the IKE peer, the IPsec proposal and the ACL. Note that the ipsec policy command is issued in system view after leaving the template view, not inside it as the original showed.
[HUAWEI] ipsec policy-template tem 1
[HUAWEI-ipsec-policy-template-tem-1] security acl 3000
[HUAWEI-ipsec-policy-template-tem-1] proposal tran1
[HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate
[HUAWEI-ipsec-policy-template-tem-1] quit
[HUAWEI] ipsec policy map1 1 isakmp template tem
(9) Apply the IPsec policy on the outside interface.
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/3] quit
2. FortiGate configuration
(1) Configure the interfaces.
Configure the PPPoE connection on port03. The dial-up username and password are redacted.
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set mode pppoe
Fortigate (port03) # set username xxxxxx
Fortigate (port03) # set password xxxxxx
Fortigate (port03) # set distance 5
* Note the administrative distance: a static default route on a fixed-IP uplink uses 10, while the PPPoE interface's default route is given 5 here so that it is preferred.
Fortigate (port03) # set dns-server-override enable
Fortigate (port03) # end
Configure port10, the branch LAN interface. The original permits telnet in allowaccess; telnet carries credentials in the clear, so on a production device allow only https (and ssh if CLI access is needed).
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.60.1/24
Fortigate (port10) # set allowaccess ping https telnet
Fortigate (port10) # end
(2) Configure the IKE SA (phase 1): name, bound interface, negotiation mode, encryption and authentication algorithms, pre-shared key, remote gateway and DH group. The remote gateway is the fixed head-office address; FortiGate defaults to IKEv1, which matches undo version 2 on the Huawei side.
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@hcit333
Fortigate (firewall) # set remote-gw 222.xx.xx.50
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end
(3) Configure the IPsec SA (phase 2): name, bound phase 1, encryption and authentication algorithms, DH group and the protected subnets. src-subnet and dst-subnet must mirror Huawei ACL 3000 exactly. Setting dhgrp here selects the PFS group, and FortiGate enables PFS in phase 2 by default, while the Huawei template above has no pfs statement; if phase 2 fails with a PFS mismatch, either add pfs dh-group2 to the Huawei policy template or set pfs disable on this phase 2.
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.160.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.60.0 255.255.255.0
Fortigate (firewall) # end
(4) Add the tunnel interface (named firewall, created by the phase 1 above) to the untrust zone.
Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end
(5) Configure firewall policies.
Policies between port03 and port10 govern plain Internet traffic, not tunnel traffic: tunnel traffic enters and leaves through the tunnel interface in zone untrust, and IKE/ESP addressed to the FortiGate itself is accepted once the phase 1 is bound to port03. The original describes policy 66 as letting the head office reach the branch, but as written it accepts anything arriving on the Internet-facing port03 into the LAN; it is not needed for the VPN and should be removed or narrowed to the inbound services actually required.
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Policy 99 lets the branch LAN out to the Internet through port03 (for that it also needs source NAT enabled on the policy); traffic to the head office does not use it.
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end
Policies between zone untrust (which now holds the tunnel interface) and port10, i.e. between the tunnel and the branch LAN.
Policy 96 allows traffic arriving through the tunnel to enter the branch LAN (head office to branch).
Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Policy 76 allows the branch LAN to send traffic into the tunnel toward the head office (branch to head office). Policies 96 and 76 are any/any/ANY in the original; scoping srcaddr and dstaddr to 192.168.160.0/24 and 192.168.60.0/24 mirrors Huawei rules 1 and 2 and keeps a compromised remote LAN from reaching anything beyond the intended subnets.
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end
(6) Configure routing.
Add a static route that sends head-office traffic to the tunnel interface. (The original used config route static; the FortiOS table is router static.)
Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.160.0 255.255.255.0
Fortigate (76) # end
Log in to the Huawei firewall's web UI and check whether the IPsec tunnel is up.

If the tunnel comes up and the two LANs can reach each other, the configuration is correct. If IKE/IPsec does not come up, the most likely cause is a parameter mismatch between the two ends (IKE version and mode, phase 1 and phase 2 proposals, DH group, PFS, pre-shared key and the protected subnets); compare them carefully, using display ike sa and display ipsec sa on the Huawei and diagnose vpn ike gateway list and diagnose vpn tunnel list on the FortiGate. If the tunnel is up but the LANs cannot talk, check the security policies and routes on both sides.
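The parameter comparison described above, as an added example that is not part of the original post or of either vendor's tooling. It encodes the two configurations from this article as constructed Python dicts (no device is queried), translates Huawei keywords to FortiGate proposal tokens and Huawei ACL wildcard masks to FortiGate netmasks, and reports mismatches that would stop negotiation separately from weak-crypto warnings. The mapping tables and the hardened AES-256/SHA-256/DH group 14 variant are assumptions added here; they use keywords both platforms accept but were not used in the article.

```python
"""Added example: cross-vendor IPsec parameter check on constructed data (no device access)."""
import ipaddress

# Huawei keyword -> FortiGate proposal token (assumption: only the algorithms
# used in the article plus the AES/SHA-2 upgrade are listed).
ENC = {"3des": "3des", "aes-256": "aes256"}
AUTH = {"sha1": "sha1", "sha2-256": "sha256"}
LEGACY = {"3des", "sha1", "group2"}  # 3DES, SHA-1, 1024-bit MODP


def dh_number(keyword):
    """Huawei 'group2' (ike proposal) or 'dh-group14' (pfs) -> 2 / 14."""
    return int(keyword.rsplit("group", 1)[1])


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (0.0.0.255); invert to a netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


def forti_proposal(enc, auth):
    """Huawei (enc, auth) -> FortiGate 'set proposal' token, e.g. 3des-sha1."""
    return f"{ENC[enc]}-{AUTH[auth]}"


def check_tunnel(hw, fg):
    """Return (errors, warnings): errors stop negotiation, warnings flag weak
    algorithms or settings that may work but should be verified on the box."""
    errors, warnings = [], []
    if hw["ike_version"] != fg["ike_version"]:
        errors.append("IKE version mismatch")
    if hw["exchange_mode"] != fg["mode"]:
        errors.append("IKEv1 exchange mode mismatch (main vs aggressive)")
    if hw["psk"] != fg["psk"]:
        errors.append("pre-shared key differs")
    p1 = forti_proposal(hw["ike_enc"], hw["ike_auth"])
    if p1 not in fg["phase1_proposal"]:
        errors.append(f"phase 1: Huawei {p1} not in FortiGate {fg['phase1_proposal']}")
    if dh_number(hw["ike_dh"]) not in fg["phase1_dhgrp"]:
        errors.append("phase 1 DH group mismatch")
    p2 = forti_proposal(hw["esp_enc"], hw["esp_auth"])
    if p2 not in fg["phase2_proposal"]:
        errors.append(f"phase 2: Huawei {p2} not in FortiGate {fg['phase2_proposal']}")
    # FortiGate enables PFS by default and proposes its phase-2 dhgrp.
    if fg["pfs"] and hw["pfs"] is None:
        warnings.append("FortiGate proposes PFS but the Huawei template has no pfs; "
                        "on phase-2 failure add 'pfs dh-groupN' (Huawei) or "
                        "'set pfs disable' (FortiGate)")
    elif fg["pfs"] and dh_number(hw["pfs"]) not in fg["phase2_dhgrp"]:
        errors.append("PFS DH group mismatch")
    elif not fg["pfs"] and hw["pfs"] is not None:
        errors.append("Huawei requires PFS but FortiGate has it disabled")
    # Traffic selectors: the Huawei ACL must mirror FortiGate src/dst-subnet.
    hw_src, hw_dst = (wildcard_to_network(*hw[k]) for k in ("acl_src", "acl_dst"))
    fg_src, fg_dst = (ipaddress.IPv4Network(fg[k], strict=False)
                      for k in ("src_subnet", "dst_subnet"))
    if hw_src != fg_dst or hw_dst != fg_src:
        errors.append(f"selectors not mirrored: Huawei {hw_src}->{hw_dst}, "
                      f"FortiGate {fg_src}->{fg_dst}")
    for alg in (hw["ike_enc"], hw["ike_auth"], hw["ike_dh"], hw["esp_enc"], hw["esp_auth"]):
        if alg in LEGACY:
            warnings.append(f"legacy algorithm {alg}; prefer AES-256/SHA-256/DH group 14")
    return errors, warnings


# The two configurations from the article, transcribed by hand (constructed data).
ARTICLE_HUAWEI = {
    "ike_version": 1, "exchange_mode": "main",           # undo version 2 / main
    "ike_enc": "3des", "ike_auth": "sha1", "ike_dh": "group2",
    "psk": "Key@hcit333",
    "esp_enc": "3des", "esp_auth": "sha1", "pfs": None,  # template has no pfs
    "acl_src": ("192.168.160.0", "0.0.0.255"),
    "acl_dst": ("192.168.60.0", "0.0.0.255"),
}
ARTICLE_FORTI = {
    "ike_version": 1, "mode": "main",
    "phase1_proposal": ["3des-sha1"], "phase1_dhgrp": [2],
    "psk": "Key@hcit333",
    "phase2_proposal": ["3des-sha1"], "pfs": True, "phase2_dhgrp": [2],
    "src_subnet": ("192.168.60.0", "255.255.255.0"),
    "dst_subnet": ("192.168.160.0", "255.255.255.0"),
}
# Hardened variant (assumption, not from the article): Huawei 'encryption-algorithm
# aes-256', 'authentication-algorithm sha2-256', 'dh group14', 'pfs dh-group14';
# FortiGate 'set proposal aes256-sha256' and 'set dhgrp 14' in both phases.
HARDENED_HUAWEI = dict(ARTICLE_HUAWEI, ike_enc="aes-256", ike_auth="sha2-256",
                       ike_dh="group14", esp_enc="aes-256", esp_auth="sha2-256",
                       pfs="dh-group14")
HARDENED_FORTI = dict(ARTICLE_FORTI, phase1_proposal=["aes256-sha256"], phase1_dhgrp=[14],
                      phase2_proposal=["aes256-sha256"], phase2_dhgrp=[14])

if __name__ == "__main__":
    for name, hw, fg in (("article", ARTICLE_HUAWEI, ARTICLE_FORTI),
                         ("hardened", HARDENED_HUAWEI, HARDENED_FORTI)):
        errors, warnings = check_tunnel(hw, fg)
        print(name, "errors:", errors or "none", "warnings:", warnings or "none")
```

Run as written, the article's own pair produces no errors but six warnings (five legacy algorithms and the PFS note), while the hardened pair is clean; changing one subnet or the key on either side turns up as an error, which is the same check you would otherwise do by eye across two vendor CLIs.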
This article is shared from the WeChat public account IT狂人日志.