Preface
IPsec (Internet Protocol Security) is a collection of protocols and services that provide security for IP networks, and it is a technology commonly used in VPNs (Virtual Private Networks). Because IP packets carry no built-in security features, IP traffic crossing a public network such as the Internet is exposed to forgery, eavesdropping and tampering. The two communicating parties establish an IPsec tunnel between them and IP packets are encrypted as they traverse it, which protects the data while it crosses an untrusted network such as the Internet.
In day-to-day work we often run into interconnection between different vendors' equipment left over from earlier stages of network construction. The next few articles use a Huawei firewall peering with a Cisco firewall as the example and walk through the configuration.
01
Networking requirements
As shown in Figure 1, headquarters and the branch connect to the Internet through a Huawei firewall and a Cisco firewall respectively. Headquarters wants all traffic carried over the IPsec tunnel to be steered into a Tunnel interface, so that tunnelled traffic can be managed in one place and the branch and headquarters intranets can reach each other securely.
Figure 1 Establishing an IPsec tunnel via a virtual tunnel interface
02
Data plan
03
Configuration approach
3.1 Configure the Huawei firewall:
Configure interface IP addresses and add the interfaces to security zones;
Configure interzone security policies so that IKE negotiation packets, and the original packets before IPsec encapsulation and after decapsulation, can pass through the Huawei firewall;
Configure the IPsec policy, including defining the data flow to be protected, configuring the IPsec proposal, creating the IKE proposal and configuring the IKE peer;
Apply the IPsec policy to the Tunnel interface;
Configure the route from the Huawei firewall to the branch intranet;
Configure the Huawei firewall's default route to the Internet.
3.2 Configure the Cisco firewall:
Configure interface IP addresses and enable access control on the interfaces;
Configure the Cisco firewall's default route to the Internet;
Configure the IPsec policy, including defining the data flow to be protected, configuring the IPsec proposal, creating the IKE proposal and configuring the pre-shared key;
Apply the IPsec policy to the interface;
Enable the IPsec policy on the interface.
3.3 Configuration notes:
The key point of this example is that the interface the tunnel is built on changes from a physical interface to a logical Tunnel interface. The Tunnel interface's IP address needs some care: whether it is assigned manually or borrowed from a physical interface, it must be routable to the tunnel interface at the far end. In practice this address is usually a public address.
The Ping service on the Tunnel interface must be set to permit; do not skip this. If it is left out, the branch users' pings to headquarters users will fail during result verification.
When the Tunnel interface is used to establish an IPsec tunnel, tunnel-protocol must be set to IPsec.
04
Procedure
【1】Configure the Huawei firewall.
A. Configure interface IP addresses and add the interfaces to security zones.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[HUAWEI-GigabitEthernet1/0/1] ip service-manage ping permit /* Allow the Cisco firewall to ping this interface. */
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[HUAWEI-GigabitEthernet1/0/2] service-manage ping permit /* Allow the Cisco firewall to ping this interface. */
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] ip address unnumbered interface GigabitEthernet1/0/2
[HUAWEI-Tunnel1] tunnel-protocol ipsec
[HUAWEI-Tunnel1] service-manage ping permit
[HUAWEI-Tunnel1] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/1
[HUAWEI-zone-trust] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/2
[HUAWEI-zone-untrust] add interface tunnel 1
[HUAWEI-zone-untrust] quit
B. Configure interzone security policies.
Configure the security policy between the Trust and Untrust zones so that the original packets, before IPsec encapsulation and after decapsulation, can pass through the Huawei firewall.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 10.1.3.0 24
[HUAWEI-policy-security-rule-1] destination-address 10.1.1.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 10.1.1.0 24
[HUAWEI-policy-security-rule-2] destination-address 10.1.3.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
Configure the security policy between the Local and Untrust zones so that IKE negotiation packets can pass through the Huawei firewall.
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.3.1 32
[HUAWEI-policy-security-rule-3] destination-address 1.1.5.1 32
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 1.1.5.1 32
[HUAWEI-policy-security-rule-4] destination-address 1.1.3.1 32
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
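Four rules are needed here because the Tunnel interface sits in the Untrust zone: decapsulated branch traffic enters Trust from Untrust, headquarters traffic leaves Trust towards Untrust, and IKE runs between the firewall's own Local zone and the Cisco peer in both directions. The following Python check, an added example that is not part of the original article or of any vendor tool, transcribes the four rules above and evaluates a handful of constructed flows against them. It assumes the usual zone-based model: rules are matched top-down, the first full match wins, and anything unmatched hits the implicit default deny.

```python
import ipaddress

# The four rules transcribed from the Huawei security-policy on this page.
RULES = [
    {"name": "1", "src_zone": "untrust", "dst_zone": "trust",
     "src": "10.1.3.0/24", "dst": "10.1.1.0/24", "action": "permit"},
    {"name": "2", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.1.0/24", "dst": "10.1.3.0/24", "action": "permit"},
    {"name": "3", "src_zone": "local", "dst_zone": "untrust",
     "src": "1.1.3.1/32", "dst": "1.1.5.1/32", "action": "permit"},
    {"name": "4", "src_zone": "untrust", "dst_zone": "local",
     "src": "1.1.5.1/32", "dst": "1.1.3.1/32", "action": "permit"},
]


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Return (action, rule_name) for one flow.

    Assumed model: rules are checked top-down, the first rule whose zones and
    addresses all match wins, and a flow matching no rule hits the implicit
    default deny.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
            continue
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            return r["action"], r["name"]
    return "deny", "default"


# Constructed flows: the three things the policy must let through (branch->HQ
# plaintext, HQ->branch plaintext, IKE between the peers) plus two flows that
# must stay blocked.
CHECKS = [
    ("untrust", "trust", "10.1.3.10", "10.1.1.10", "permit"),  # branch user -> HQ user (after decapsulation)
    ("trust", "untrust", "10.1.1.10", "10.1.3.10", "permit"),  # HQ user -> branch user (before encapsulation)
    ("local", "untrust", "1.1.3.1", "1.1.5.1", "permit"),      # IKE initiated by the Huawei firewall
    ("untrust", "local", "1.1.5.1", "1.1.3.1", "permit"),      # IKE initiated by the Cisco peer
    ("untrust", "trust", "10.1.3.10", "10.1.2.10", "deny"),    # destination outside the protected HQ subnet
    ("untrust", "local", "1.1.5.9", "1.1.3.1", "deny"),        # some other Internet host talking to the firewall
]


def run_checks(rules=RULES, checks=CHECKS):
    """Return the (flow, expected, actual) entries that disagree; an empty list means the policy behaves as intended."""
    failures = []
    for src_zone, dst_zone, src_ip, dst_ip, expected in checks:
        action, _ = evaluate(rules, src_zone, dst_zone, src_ip, dst_ip)
        if action != expected:
            failures.append(((src_zone, dst_zone, src_ip, dst_ip), expected, action))
    return failures


if __name__ == "__main__":
    for failure in run_checks():
        print("unexpected:", failure)
    print("policy check done, failures:", len(run_checks()))
```

Rules 3 and 4 as written on the page permit any protocol between the two peer addresses; if the platform allows it, restricting them to the IKE and ESP traffic the tunnel actually needs is a reasonable tightening, and the check above would still pass with such a restriction in place.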
C. Configure the IPsec policy.
Configure an access control list to define the data flow to be protected.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
Configure the IPsec proposal.
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[HUAWEI-ipsec-proposal-tran1] quit
Create the IKE proposal.
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm aes-128
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
Configure the IKE peer.
[HUAWEI] ike peer asa
[HUAWEI-ike-peer-asa] undo version 2
[HUAWEI-ike-peer-asa] exchange-mode main
[HUAWEI-ike-peer-asa] ike-proposal 1
[HUAWEI-ike-peer-asa] remote-address 1.1.5.1
[HUAWEI-ike-peer-asa] pre-shared-key Key123
[HUAWEI-ike-peer-asa] quit
Configure the IPsec policy.
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer asa
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
Apply the IPsec policy to the Tunnel interface.
[HUAWEI] interface Tunnel 1
[HUAWEI-Tunnel1] ipsec policy map1
[HUAWEI-Tunnel1] quit
D. Configure routes.
# Configure the route to the branch intranet and steer that traffic into the Tunnel interface.
[HUAWEI] ip route-static 10.1.3.0 24 tunnel 1
# Configure the Huawei firewall's default route to the Internet, assuming the next hop is 1.1.3.2.
【2】Configure the Cisco firewall.
A. Configure the IP addresses of the Cisco firewall interfaces.
B. Enable access control on the Cisco firewall interfaces.
C. Configure the Cisco firewall's default route to the Internet, assuming the next-hop address is 1.1.5.2.
D. Configure IPsec.
Configure an ACL (access control list) to define the data flow to be protected.
Note that the Cisco firewall's ACL uses a subnet mask, whereas the Huawei firewall's ACL uses a wildcard (inverse) mask; the two are different.
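The mask-versus-wildcard difference is the classic way to get a proxy-ID mismatch in a multi-vendor tunnel: the two ACLs look alike but describe different networks, and IKE phase 2 fails or only one direction of traffic is protected. The Python below is an added example, not code from the article or from either vendor. It converts both notations to prefixes, rejects a wildcard given where a netmask belongs (and vice versa), and checks that the Cisco rule is the exact mirror of Huawei ACL 3000 from this page. The Cisco line is constructed in ASA extended-ACL syntax, since the article does not show the Cisco configuration as text.

```python
import ipaddress

# Huawei ACL 3000 rule from this page (wildcard form).
HUAWEI_ACL = "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255"
# Constructed Cisco ASA extended ACL (netmask form); the page does not show the Cisco side as text.
CISCO_ACL = "access-list VPN extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0"


def _low_ones_contiguous(x: int) -> bool:
    """True if x has the shape 0...01...1 (e.g. 0x000000FF), i.e. a valid wildcard."""
    return (x + 1) & x == 0


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei form: address + wildcard, where 1 bits are don't-care."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if not _low_ones_contiguous(wc):
        raise ValueError(f"{wildcard} is not a contiguous wildcard (netmask given by mistake?)")
    netmask = ipaddress.IPv4Address(~wc & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def mask_to_network(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """Cisco form: address + subnet mask, where 1 bits are significant."""
    m = int(ipaddress.IPv4Address(netmask))
    if not _low_ones_contiguous(~m & 0xFFFFFFFF):
        raise ValueError(f"{netmask} is not a contiguous netmask (wildcard given by mistake?)")
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def mask_to_wildcard(netmask: str) -> str:
    """Bitwise inverse: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF))


def parse_huawei(line: str):
    """Return (source, destination) networks from a Huawei advanced ACL rule."""
    t = line.split()
    s, d = t.index("source"), t.index("destination")
    return wildcard_to_network(t[s + 1], t[s + 2]), wildcard_to_network(t[d + 1], t[d + 2])


def parse_cisco(line: str):
    """Return (source, destination) networks from an ASA extended ACL entry for protocol ip."""
    t = line.split()
    i = t.index("ip")  # the four tokens after the protocol keyword are src, mask, dst, mask
    return mask_to_network(t[i + 1], t[i + 2]), mask_to_network(t[i + 3], t[i + 4])


def mirror_status(huawei_line: str, cisco_line: str) -> str:
    """'mirror' when the Cisco ACL is the exact reverse of the Huawei one; otherwise say what is wrong."""
    try:
        hs, hd = parse_huawei(huawei_line)
        cs, cd = parse_cisco(cisco_line)
    except ValueError as e:
        return f"invalid: {e}"
    if hs == cd and hd == cs:
        return "mirror"
    return f"mismatch: huawei {hs}->{hd}, cisco {cs}->{cd}"


if __name__ == "__main__":
    print(mirror_status(HUAWEI_ACL, CISCO_ACL))
    # The common slip: pasting the Huawei wildcard into the Cisco ACL unchanged.
    print(mirror_status(HUAWEI_ACL,
                        "access-list VPN extended permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255"))
```

Non-contiguous masks are rejected on purpose: an IPsec proxy ID is a prefix, so an ACL entry that cannot be expressed as one will not negotiate cleanly regardless of which vendor is on the other end.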
Configure the IPsec proposal.
Create the IKE proposal.
Configure the pre-shared key.
Configure the IPsec policy.
Reference the ACL and the IPsec proposal configured above in the IPsec policy.
Apply the IPsec policy to the interface.
Enable the IPsec policy on the interface.
05
Result verification
【1】After the configuration is complete, ping a headquarters user from a branch user.
【2】Normally the branch-to-headquarters data flow triggers establishment of the IPsec tunnel between the Huawei firewall and the Cisco firewall. Checking the IKE SA on the Huawei firewall at this point shows that the IKE SA has been established successfully.
【3】Run the display ipsec sa command to check IPsec establishment; the IPsec SA has also been established successfully.