Huawei USG Firewall IPsec L2L
* Problems to solve (the addresses below are written from Firewall_2's side, where 172.16.10.0/24 is the local LAN; Firewall_1 needs the same policies with the two subnets swapped, as the dumps further down show)
1. Untrust -> local inbound: permit IKE and ESP so the tunnel can be negotiated and carried (policy permitting IKE/ESP traffic)
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp
2. Trust/untrust inbound, by source and destination IP: permit the decrypted traffic coming back from the remote LAN
policy interzone trust untrust inbound
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
3. Trust/untrust outbound, by source and destination IP: permit the local LAN's traffic out towards the remote LAN
policy interzone trust untrust outbound
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
4. Permit UDP port 500 (the service set referenced by the IKE rule in item 1; the `esp` service set is not defined anywhere in the configs, so it is one of the firewall's predefined sets)
ip service-set ike type object
service 0 protocol udp destination-port 500
<Site_1>dis current-configuration
[V200R003C00]
#
sysname Site_1
#
interface GigabitEthernet0/0/0
ip address 192.168.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254
#
return
<Site_1>
<Firewall_1>dis current-configuration
09:01:29 2015/08/31
#
acl number 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ike peer fw2
pre-shared-key %$%$a)%OV{\VtHc7c+S#@4|<Fi`W%$%$
remote-address 100.100.200.100
#
ipsec proposal huawei
#
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw2
proposal huawei
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 100.100.100.100 255.255.255.0
ipsec policy lab
interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
#
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.100.100.200
#
ip service-set ike type object
service 0 protocol udp destination-port 500 --------- defines the UDP 500 (IKE) service set
#
sysname Firewall_1
policy interzone local untrust inbound ---------- permit IKE/ESP traffic to the firewall itself
policy 0
action permit
policy service service-set ike
policy service service-set esp
#
policy interzone trust untrust inbound ---------- allow untrust -> trust traffic in (remote LAN to local LAN)
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
#
policy interzone trust untrust outbound ---------- allow trust -> untrust traffic out (local LAN to remote LAN)
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
#
return
<Firewall_1>
<Intenet>dis current-configuration
[V200R003C00]
#
sysname Intenet
#
interface GigabitEthernet0/0/0
ip address 100.100.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.100.200.200 255.255.255.0
#
return
<Intenet>
<Firewall_2>dis current-configuration
09:05:02 2015/08/31
#
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ike peer fw1
pre-shared-key %$%$>iw;;,1n$Xn:taCrVb`6FSJA%$%$
remote-address 100.100.100.100
#
ipsec proposal huawei
#
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw1
proposal huawei
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 100.100.200.100 255.255.255.0
ipsec policy lab
interface GigabitEthernet0/0/1
ip address 172.16.10.254 255.255.255.0
#
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.100.200.200
#
ip service-set ike type object
service 0 protocol udp destination-port 500
#
sysname Firewall_2
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp
#
policy interzone trust untrust inbound
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
#
return
<Firewall_2>
<Site_2>dis current-configuration
[V200R003C00]
#
sysname Site_2
#
interface GigabitEthernet0/0/1
ip address 172.16.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.254
#
return
<Site_2>
Test:
<Firewall_2>dis ipsec sa ---------------------- detailed SA information
09:08:52 2015/08/31
Interface: GigabitEthernet0/0/0
path MTU: 1500
IPsec policy name: "lab"
sequence number: 10
mode: isakmp
vpn: public
connection id: 40001
rule number: 5
encapsulation mode: tunnel .................................
<Firewall_2>
<Firewall_2>dis ipsec statistics ---------------------- encrypt/decrypt packet counters
09:09:47 2015/08/31
the security packet statistics:
input/output security packets: 23/23
input/output security bytes: 1932/1932
input/output dropped security packets: 0/0
the encrypt packet statistics
send sae:23, recv sae:23, send err:0
local cpu:23, other cpu:0, recv other cpu:0
intact packet:7, first slice:0, after slice:0
the decrypt packet statistics
send sae:23, recv sae:23, send err:0
<Firewall_2>display ipsec sa brief -------------------- check whether the SAs with the peer are established
09:12:27 2015/08/31
current ipsec sa number: 2
current ipsec tunnel number: 1
Src Address Dst Address SPI Protocol Algorithm
100.100.100.100 100.100.200.100 1982786750 ESP E:DES;A:HMAC-MD5-96;
100.100.200.100 100.100.100.100 2672106707 ESP E:DES;A:HMAC-MD5-96;
(Two SAs, one per direction, make up the one tunnel. E:DES;A:HMAC-MD5-96 are the platform defaults, applied because `ipsec proposal huawei` on both firewalls sets no algorithms; for anything beyond a lab, name stronger ESP encryption and authentication algorithms in the proposal on both sides instead of relying on them.)
<Firewall_2>
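The four policy items at the top and the two configuration dumps have to agree with each other in several places, and the `display ipsec sa brief` output above shows one thing they leave to chance: because `ipsec proposal huawei` names no algorithms, the tunnel came up with DES and HMAC-MD5-96. The following Python script is an added example, not part of the original post. It parses the flattened `display current-configuration` text of both firewalls and checks that each `ike peer` remote-address is the other side's tunnel interface address, that the two `security acl` rule sets are mirror images, that the local<-untrust policy permits the `ike` and `esp` service sets, that the `ike` set covers UDP 500, and that the proposal names its ESP algorithms. The sample configs are constructed from the page (the `#` separators and the `policy 0`/`action permit` lines are trimmed); the function names and the `HEADER` keyword list are the example's own assumptions about the dump format.

```python
"""Added example (not from the original post): audit two Huawei USG L2L peer configs for the mismatches that usually keep a tunnel down."""
import re

# Constructed sample: the tunnel-relevant lines of the page's Firewall_1 / Firewall_2 (separators and policy 0 / action permit trimmed).
FW1 = """\
sysname Firewall_1
acl number 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
ike peer fw2
remote-address 100.100.200.100
ipsec proposal huawei
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw2
proposal huawei
interface GigabitEthernet0/0/0
ip address 100.100.100.100 255.255.255.0
ipsec policy lab
ip service-set ike type object
service 0 protocol udp destination-port 500
policy interzone local untrust inbound
policy service service-set ike
policy service service-set esp
"""
FW2 = """\
sysname Firewall_2
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ike peer fw1
remote-address 100.100.100.100
ipsec proposal huawei
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw1
proposal huawei
interface GigabitEthernet0/0/0
ip address 100.100.200.100 255.255.255.0
ipsec policy lab
ip service-set ike type object
service 0 protocol udp destination-port 500
policy interzone local untrust inbound
policy service service-set ike
policy service service-set esp
"""

# Assumed section-opening keywords; everything up to the next header line is that section's body.
HEADER = re.compile(r"(sysname|acl number|ike peer|ipsec proposal|ipsec policy \S+ \d+|interface|ip service-set|policy interzone) ")

def sections(text):
    """Split a flattened USG config dump into {header line: [body lines]}."""
    out, cur = {}, []
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            cur = out[line] = []
        elif line and line != "#":
            cur.append(line)
    return out

def first(pattern, lines):  # group(1) of the first line matching `pattern` at its start, else None
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)

def body(cfg, prefix):  # body of the section whose header is `prefix` or starts with it
    return next((b for h, b in cfg.items() if h == prefix or h.startswith(prefix + " ")), [])

def tunnel_view(text):
    """Collect, for one firewall, the settings its peer has to agree with."""
    cfg = sections(text)
    wan = next((b for h, b in cfg.items() if h.startswith("interface ") and first(r"ipsec policy (\S+)", b)), [])
    pol = body(cfg, "ipsec policy %s" % first(r"ipsec policy (\S+)", wan))
    acl = body(cfg, "acl number %s" % first(r"security acl (\S+)", pol))
    rule = re.compile(r"rule \d+ permit ip source (\S+) \S+ destination (\S+)")
    return {
        "name": first(r"sysname (\S+)", cfg),  # iterating the dict walks its header lines
        "local_ip": first(r"ip address (\S+)", wan),
        "remote_ip": first(r"remote-address (\S+)", body(cfg, "ike peer %s" % first(r"ike-peer (\S+)", pol))),
        "acl": {m.groups() for m in map(rule.match, acl) if m},
        "esp_algos": [l for l in body(cfg, "ipsec proposal %s" % first(r"proposal (\S+)", pol)) if l.startswith("esp ")],
        "local_in": {l.split()[-1] for l in body(cfg, "policy interzone local untrust inbound") if l.startswith("policy service service-set ")},
        "ike_ports": {l.split()[-1] for l in body(cfg, "ip service-set ike") if "protocol udp destination-port" in l},
    }

def audit(text_a, text_b):
    """Findings for the pair; an empty list means both sides agree and nothing relies on defaults."""
    a, b = tunnel_view(text_a), tunnel_view(text_b)
    out = []
    for me, peer in ((a, b), (b, a)):
        if me["remote_ip"] != peer["local_ip"]:
            out.append(f"{me['name']}: ike peer remote-address {me['remote_ip']} is not {peer['name']}'s tunnel address {peer['local_ip']}")
        if me["acl"] != {(d, s) for s, d in peer["acl"]}:
            out.append(f"{me['name']}: security acl is not the mirror image of {peer['name']}'s")
        missing = {"ike", "esp"} - me["local_in"]
        if missing:
            out.append(f"{me['name']}: local<-untrust inbound policy lacks service-set {sorted(missing)}")
        if "500" not in me["ike_ports"]:
            out.append(f"{me['name']}: service-set ike does not cover UDP 500")
        if not me["esp_algos"]:
            out.append(f"{me['name']}: ipsec proposal sets no esp algorithms, so platform defaults apply (DES/HMAC-MD5-96 in the page's sa brief)")
    return out
```

Run against the page's two configs, `audit(FW1, FW2)` reports only the two "sets no esp algorithms" findings, one per firewall, which matches what `display ipsec sa brief` shows; everything the troubleshooting list asked for is consistent between the peers. Any edit that breaks the mirror (a wrong `remote-address`, an ACL whose subnets no longer swap places, a missing `esp` service on the local<-untrust policy) shows up as an extra finding for the affected side.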
Reposted from: https://blog.51cto.com/9616635/2056335