一、拓扑图
在FW1和FW2间建立GRE Over IPSec,使PC1、PC2互通
二、底层配置
R1:
sysname R1#interface GigabitEthernet0/0/0 ip address 155.1.121.1 255.255.255.0#interface GigabitEthernet0/0/1 ip address 155.1.131.1 255.255.255.0#interface LoopBack0 ip address 150.1.1.1 255.255.255.255#
防火墙基础配置
配置接口IP地址,并将接口划分到安全区域
配置安全策略,放行防火墙自身发起的流量
配置缺省静态路由
FW1:
sysname FW1#interface GigabitEthernet1/0/0 undo shutdown ip address 155.1.121.12 255.255.255.0#interface GigabitEthernet1/0/1 undo shutdown ip address 10.1.1.12 255.255.255.0#firewall zone trust add interface GigabitEthernet1/0/1#firewall zone untrust add interface GigabitEthernet1/0/0#ip route-static 0.0.0.0 0.0.0.0 155.1.121.1#security-policy rule name local->any source-zone local action permit#
FW2:
sysname FW2#interface GigabitEthernet1/0/0 undo shutdown ip address 155.1.131.13 255.255.255.0#interface GigabitEthernet1/0/1 undo shutdown ip address 10.1.2.13 255.255.255.0#firewall zone trust add interface GigabitEthernet1/0/1#firewall zone untrust add interface GigabitEthernet1/0/0#ip route-static 0.0.0.0 0.0.0.0 155.1.131.1#security-policy rule name local->any source-zone local action permit#
测试访问R1的Loopback
三、配置GRE
Tunnel接口划分到DMZ区域
放行untrust到local的gre流量(GRE协议号47)
FW1:
interface Tunnel0 ip address 10.0.0.12 255.255.255.0 tunnel-protocol gre source GigabitEthernet1/0/0 destination 155.1.131.13 service-manage ping permit # firewall zone dmz add interface Tunnel0#security-policy rule name out->local source-zone untrust destination-zone local service gre action permit#
FW2:
interface Tunnel0 ip address 10.0.0.13 255.255.255.0 tunnel-protocol gre source GigabitEthernet1/0/0 destination 155.1.121.12 service-manage ping permit # firewall zone dmz add interface Tunnel0#security-policy rule name out->local source-zone untrust destination-zone local service gre action permit#
ping Tunnel接口
查看抓包
此时还没有加密
四、配置OSPF
把内网及Tunnel接口宣告到OSPF,千万不要宣告外网接口
FW1&FW2:
ospf 1 area 0.0.0.0 network 10.0.0.0 0.255.255.255 #
查看OSPF邻居及路由
五、配置IPSec
提供两种配置方法:
接口调用ipsec policy
接口调用ipsec profile
封装模式为传输模式,隧道模式虽然也可以,但是报头比传输模式大,增加开销
ACL匹配GRE流量
在物理接口调用ipsec policy
方法一(调用ipsec policy)
FW1:
ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer FW2 pre-shared-key huawei@123 ike-proposal 10 remote-address 155.1.131.13#ipsec proposal PRO1 encapsulation-mode transport esp authentication-algorithm sha1 esp encryption-algorithm 3des#acl number 3000 rule 5 permit gre#ipsec policy FW1_FW2 10 isakmp security acl 3000 ike-peer FW2 proposal PRO1#interface GigabitEthernet1/0/0 ipsec policy FW1_FW2#
FW2:
ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer FW1 pre-shared-key huawei@123 ike-proposal 10 remote-address 155.1.121.12#ipsec proposal PRO1 encapsulation-mode transport esp authentication-algorithm sha1 esp encryption-algorithm 3des#acl number 3000 rule 5 permit gre#ipsec policy FW1_FW2 10 isakmp security acl 3000 ike-peer FW1 proposal PRO1#interface GigabitEthernet1/0/0 ipsec policy FW1_FW2#
方法二(调用ipsec profile)
FW1:
ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer FW2 pre-shared-key huawei@123 ike-proposal 10 remote-address 155.1.131.13#ipsec proposal PRO1 encapsulation-mode transport esp authentication-algorithm sha1 esp encryption-algorithm 3des#ipsec profile FW1_FW2 ike-peer FW2 proposal PRO1#interface Tunnel0 ipsec profile FW1_FW2#
FW2:
ike proposal 10 encryption-algorithm 3des dh group2 authentication-algorithm sha1 authentication-method pre-share#ike peer FW1 pre-shared-key huawei@123 ike-proposal 10 remote-address 155.1.121.12#ipsec proposal PRO1 encapsulation-mode transport esp authentication-algorithm sha1 esp encryption-algorithm 3des#ipsec profile FW1_FW2 ike-peer FW2 proposal PRO1#interface Tunnel0 ipsec profile FW1_FW2 #
六、配置安全策略
由于GRE被IPSec加密,untrust到local的流量放行esp和ike的流量
ike的udp端口号500
esp协议号50
允许外部流量主动访问内网
放行dmz到trust的流量
允许内部流量主动发起访问
放行trust->dmz的流量
FW1:
security-policy rule name out->local source-zone untrust destination-zone local service esp undo service gre action permit rule name vpn_in source-zone dmz destination-zone trust source-address 10.1.2.0 mask 255.255.255.0 destination-address 10.1.1.0 mask 255.255.255.0 action permit rule name vpn_out source-zone trust destination-zone dmz source-address 10.1.1.0 mask 255.255.255.0 destination-address 10.1.2.0 mask 255.255.255.0 action permit#
FW2:
security-policy rule name local->any source-zone local action permit rule name out->local source-zone untrust destination-zone local service esp action permit rule name vpn_in source-zone dmz destination-zone trust source-address 10.1.1.0 mask 255.255.255.0 destination-address 10.1.2.0 mask 255.255.255.0 action permit rule name vpn_out source-zone trust destination-zone dmz source-address 10.1.2.0 mask 255.255.255.0 destination-address 10.1.1.0 mask 255.255.255.0 action permit#
查看IKE SA
测试PC互访
抓包
流量已被加密
查看IPSec SA
拓展
PC1访问PC2,查看FW1的会话表
FW1发出的ESP报文对应的方向为untrust->local,表示FW1在接收ESP报文,实际上不应该是FW1发出ESP报文,对应方向为local->untrust吗?
原来FW1加密后发出的ESP报文是不建立会话的,不走防火墙转发流程,当然也不做安全策略检查。但是防火墙收到ESP报文进行解密时,需要先建会话走转发流程,做安全策略检查,所以这条会话对应FW1接收到的ESP报文。ISAKMP协商报文的收发都需要走转发流程,所以不存在这个问题。
打赏
支付宝微信扫一扫,打赏作者吧~
支付宝微信扫一扫,打赏作者吧~本文链接:https://www.kinber.cn/post/4235.html 转载需授权!
推荐本站淘宝优惠价购买喜欢的宝贝:
您阅读本篇文章共花了: 
