
                  【詳細圖解】華為USG防火墻 IPsec VPN怎么配置


                  華為USG防火墻 IPsec VPN怎么配置

                    華為的產品主要涉及通信網絡中的交換網絡、傳輸網絡、無線及有線固定接入網絡和數據通信網絡及無線終端產品,那么你知道華為USG防火墻 IPsec VPN怎么配置嗎?下面是www.kala-koch.com整理的一些關于華為USG防火墻 IPsec VPN怎么配置的相關資料,供你參考。

                    華為USG防火墻 IPsec VPN配置的案例:


                    實驗拓撲

                    使用華為eNSP 1.2.00.370模擬器來完成。連接方式是 client1 - USG-1 - AR1 - USG-2 - client2 的鏈式組網結構。

                    實驗需求

                    USG-1和USG-2模擬企業邊緣設備,分別在2臺設備上配置NAT和IPsec VPN實現2邊私網可以通過VPN互相通信。

                    實驗配置

                    AR1的IP地址配置省略

                    USG-1配置

                    [USG-1]firewall zone trust //enter the trust zone view

                    [USG-1-zone-trust]add interface GigabitEthernet0/0/0 //LAN-facing interface belongs to trust

                    [USG-1-zone-trust]quit

                    [USG-1]firewall zone untrust //enter the untrust zone view

                    [USG-1-zone-untrust]add interface GigabitEthernet0/0/1 //WAN-facing interface belongs to untrust

                    [USG-1-zone-untrust]quit

                    [USG-1]interface GigabitEthernet0/0/0

                    [USG-1-GigabitEthernet0/0/0]ip address 192.168.10.1 24 //private-side gateway address

                    [USG-1-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1

                    [USG-1-GigabitEthernet0/0/1]ip address 11.0.0.2 24 //public-side address; USG-2 uses it as its remote-address

                    [USG-1-GigabitEthernet0/0/1]quit

                    [USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1 //default route towards the public network (next hop AR1)

                    [USG-1]nat-policy interzone trust untrust outbound //NAT policy view: trust -> untrust, outbound direction

                    [USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1 //policy 1: exempt the site-to-site traffic from NAT

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat //private addresses are kept, so the packets can still match the IPsec ACL later

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit

                    //policy 1 is defined ahead of policy 2 so the exemption is seen before the general source-nat rule

                    [USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2 //policy 2: everything else leaving trust is source-NATed

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1 //translate to the address of the public interface

                    [USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit

                    [USG-1-nat-policy-interzone-trust-untrust-outbound]quit

                    -------階段一---------

                    [USG-1]ike proposal 1 //IKE (phase 1) proposal; every parameter must match USG-2's proposal 1

                    [USG-1-ike-proposal-1]authentication-method pre-share //peers authenticate each other with a pre-shared key

                    [USG-1-ike-proposal-1]authentication-algorithm sha1 //IKE hash; SHA-1 is kept only because USG-2 uses it -- NOTE(review): prefer a SHA-2 option on both peers where the platform offers one

                    [USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 //integrity algorithm for the IKE SA

                    [USG-1-ike-proposal-1]dh group2 //Diffie-Hellman group 2 (1024-bit MODP); a larger group on both peers is advisable where supported

                    [USG-1-ike-proposal-1]quit

                    //NOTE(review): no encryption-algorithm is set in this proposal, so the platform default applies on both peers -- confirm what that default is on the image in use

                    [USG-1]ike peer USG-2 //IKE peer object describing USG-2 (the name is local to USG-1)

                    [USG-1-ike-peer-usg-2]pre-shared-key abc123 //must be identical on USG-2; this is a lab value -- use a long random secret outside the lab

                    [USG-1-ike-peer-usg-2]ike-proposal 1 //bind proposal 1 to this peer

                    [USG-1-ike-peer-usg-2]remote-address 12.0.0.2 //public address of USG-2

                    [USG-1-ike-peer-usg-2]quit

                    ----------階段二----------

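                    [USG-1]ipsec proposal test //IPsec (phase 2) proposal; must agree with USG-2's proposal "test"

                    [USG-1-ipsec-proposal-test]encapsulation-mode tunnel //tunnel mode: the whole private IP packet is encapsulated

                    [USG-1-ipsec-proposal-test]transform esp //ESP provides both encryption and integrity

                    [USG-1-ipsec-proposal-test]esp encryption-algorithm aes //AES with the image's default key length -- confirm it on the image in use

                    [USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 //kept to match USG-2; prefer a SHA-2 option on both peers where available

                    [USG-1-ipsec-proposal-test]quit

                    [USG-1]acl 3000 //advanced ACL selecting the traffic to protect (local LAN -> remote LAN)

                    [USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 //mirror image of USG-2's ACL 3000

                    [USG-1-acl-adv-3000]quit //return to system view before creating the IPsec policy

                    [USG-1]ipsec policy map 1 isakmp //IPsec policy "map", entry 1, negotiated through IKE

                    [USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2 //which peer to negotiate with

                    [USG-1-ipsec-policy-isakmp-map-1]proposal test //which IPsec proposal to use

                    [USG-1-ipsec-policy-isakmp-map-1]security acl 3000 //which traffic brings the tunnel up

                    [USG-1-ipsec-policy-isakmp-map-1]quit

                    [USG-1]interface GigabitEthernet0/0/1

                    [USG-1-GigabitEthernet0/0/1]ipsec policy map //apply the policy on the public-facing interface

                    [USG-1-GigabitEthernet0/0/1]quit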

                    區域間策略配置

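                    [USG-1]policy interzone trust untrust outbound //security policy view: trust -> untrust, outbound direction

                    [USG-1-policy-interzone-trust-untrust-outbound]policy 1

                    [USG-1-policy-interzone-trust-untrust-outbound-1]action permit //lets every trust host reach untrust on any service; narrow source/destination/service outside a lab

                    [USG-1-policy-interzone-trust-untrust-outbound-1]quit

                    [USG-1-policy-interzone-trust-untrust-outbound]quit

                    [USG-1]policy interzone trust untrust inbound //security policy view: untrust -> trust direction

                    [USG-1-policy-interzone-trust-untrust-inbound]policy 1

                    [USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255 //decrypted traffic from the remote LAN

                    [USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255 //to the local LAN only

                    [USG-1-policy-interzone-trust-untrust-inbound-1]action permit //any service between the two LANs

                    [USG-1-policy-interzone-trust-untrust-inbound-1]quit

                    [USG-1-policy-interzone-trust-untrust-inbound]quit

                    [USG-1]policy interzone local untrust inbound //traffic from untrust addressed to the firewall itself

                    [USG-1-policy-interzone-local-untrust-inbound]policy 1

                    [USG-1-policy-interzone-local-untrust-inbound-1]policy service service-set esp //ESP only

                    [USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0 //exactly USG-2's public address

                    [USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0 //exactly this firewall's public address

                    [USG-1-policy-interzone-local-untrust-inbound-1]action permit

                    //NOTE(review): only ESP is permitted into the local zone; IKE itself (UDP 500, and UDP 4500 when NAT traversal is used) is not listed, so either the image permits it by default or a matching rule is still required -- confirm on the image in use

                    [USG-1-policy-interzone-local-untrust-inbound-1]quit

                    [USG-1-policy-interzone-local-untrust-inbound]quit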

                    USG-2配置

                    [USG-2]firewall zone trust //enter the trust zone view

                    [USG-2-zone-trust]add interface GigabitEthernet0/0/0 //LAN-facing interface

                    [USG-2-zone-trust]quit

                    [USG-2]firewall zone untrust //enter the untrust zone view

                    [USG-2-zone-untrust]add interface GigabitEthernet0/0/1 //WAN-facing interface

                    [USG-2-zone-untrust]quit

                    [USG-2]interface GigabitEthernet0/0/0

                    [USG-2-GigabitEthernet0/0/0]ip address 192.168.20.1 24 //private-side gateway address

                    [USG-2-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1

                    [USG-2-GigabitEthernet0/0/1]ip address 12.0.0.2 24 //public-side address; USG-1 points its remote-address here

                    [USG-2-GigabitEthernet0/0/1]quit

                    [USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1 //default route towards the public network

                    [USG-2]nat-policy interzone trust untrust outbound //NAT policy view: trust -> untrust, outbound direction

                    [USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1 //policy 1: exempt the site-to-site traffic from NAT

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat //private addresses are kept so the traffic can later match the IPsec ACL

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit

                    //policy 1 is defined ahead of policy 2 so the exemption is seen before the general source-nat rule

                    [USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2 //policy 2: all other outbound traffic is source-NATed

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1 //translate to the public interface address

                    [USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit

                    [USG-2-nat-policy-interzone-trust-untrust-outbound]quit

                    [USG-2]ike proposal 1 //IKE (phase 1) proposal; parameters must match USG-1's proposal 1

                    [USG-2-ike-proposal-1]authentication-method pre-share //pre-shared-key authentication

                    [USG-2-ike-proposal-1]authentication-algorithm sha1 //matches USG-1 -- NOTE(review): move both peers to a SHA-2 option where the platform offers one

                    [USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96 //integrity algorithm for the IKE SA

                    [USG-2-ike-proposal-1]dh group2 //DH group 2 on both peers; a larger group is advisable where supported

                    [USG-2-ike-proposal-1]quit

                    //NOTE(review): no encryption-algorithm is set, so the image default applies here and on USG-1 -- confirm what that default is

                    [USG-2]ike peer USG-A //peer object describing USG-1 (the name is local to USG-2)

                    [USG-2-ike-peer-usg-a]pre-shared-key abc123 //same lab secret as configured on USG-1; use a long random secret outside the lab

                    [USG-2-ike-peer-usg-a]remote-address 11.0.0.2 //public address of USG-1

                    [USG-2-ike-peer-usg-a]ike-proposal 1 //bind proposal 1 to this peer

                    [USG-2-ike-peer-usg-a]quit

                    [USG-2]ipsec proposal test //IPsec (phase 2) proposal; must agree with USG-1's proposal "test"

                    [USG-2-ipsec-proposal-test]encapsulation-mode tunnel //whole private IP packet is encapsulated

                    [USG-2-ipsec-proposal-test]transform esp //ESP for encryption and integrity

                    [USG-2-ipsec-proposal-test]esp encryption-algorithm aes //image default AES key length -- confirm on the image in use

                    [USG-2-ipsec-proposal-test]esp authentication-algorithm sha1 //matches USG-1; prefer a SHA-2 option on both peers where available

                    [USG-2-ipsec-proposal-test]quit

                    [USG-2]acl 3000 //traffic to protect: local LAN -> remote LAN (mirror of USG-1's ACL 3000)

                    [USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

                    [USG-2-acl-adv-3000]quit

                    [USG-2]ipsec policy map 1 isakmp //IKE-negotiated IPsec policy "map", entry 1

                    [USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A //negotiate with the peer object above

                    [USG-2-ipsec-policy-isakmp-map-1]proposal test //use IPsec proposal "test"

                    [USG-2-ipsec-policy-isakmp-map-1]security acl 3000 //ACL 3000 brings the tunnel up

                    [USG-2-ipsec-policy-isakmp-map-1]quit

                    [USG-2]interface GigabitEthernet0/0/1

                    [USG-2-GigabitEthernet0/0/1]ipsec policy map //apply on the public-facing interface

                    [USG-2-GigabitEthernet0/0/1]quit

                    [USG-2]policy interzone trust untrust outbound //security policy view: trust -> untrust

                    [USG-2-policy-interzone-trust-untrust-outbound]policy 1

                    [USG-2-policy-interzone-trust-untrust-outbound-1]action permit //any trust host, any service; narrow it outside a lab

                    [USG-2-policy-interzone-trust-untrust-outbound-1]quit

                    [USG-2-policy-interzone-trust-untrust-outbound]quit

                    [USG-2]policy interzone trust untrust inbound //security policy view: untrust -> trust

                    [USG-2-policy-interzone-trust-untrust-inbound]policy 1

                    [USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255 //decrypted traffic from USG-1's LAN

                    [USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255 //to the local LAN only

                    [USG-2-policy-interzone-trust-untrust-inbound-1]action permit

                    [USG-2-policy-interzone-trust-untrust-inbound-1]quit

                    [USG-2-policy-interzone-trust-untrust-inbound]quit

                    [USG-2]policy interzone local untrust inbound //traffic from untrust addressed to the firewall itself

                    [USG-2-policy-interzone-local-untrust-inbound]policy 1

                    [USG-2-policy-interzone-local-untrust-inbound-1]policy service service-set esp //ESP only

                    [USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0 //exactly USG-1's public address

                    [USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0 //exactly this firewall's public address

                    [USG-2-policy-interzone-local-untrust-inbound-1]action permit

                    //NOTE(review): as on USG-1, IKE (UDP 500; UDP 4500 with NAT traversal) is not explicitly permitted here -- confirm whether the image allows it by default or a rule is still needed

                    [USG-2-policy-interzone-local-untrust-inbound-1]quit

                    [USG-2-policy-interzone-local-untrust-inbound]quit

                    使用C1(192.168.10.10)去ping C2(192.168.20.10)

                    使用display ike sa和display ipsec sa來查看鄰居建立情況

                   

                   

                    
