Networking Requirements

As shown in Figure 2-7, a Huawei firewall and a Fortinet firewall serve as the enterprise gateways of the headquarters and a branch respectively, connecting each site to the Internet. The enterprise needs an IPSec tunnel between the Huawei firewall and the Fortinet firewall so that the headquarters and the branch can communicate securely. Because the public egress addresses of both firewalls are fixed, the IPSec tunnel can be established in ISAKMP mode. In this mode, either end can initiate the negotiation that establishes the tunnel.


Figure 2-7 Establishing an IPSec tunnel in ISAKMP mode

Data Plan

Parameters used in this example (summarized from the configuration steps below):

Item                           Huawei firewall (headquarters)        Fortinet firewall (branch)
Public interface / address     GE1/0/3, 1.1.1.1/24 (zone untrust)    port03, 2.2.2.2/24
Internal interface / address   GE1/0/5, 192.168.10.1/24 (zone trust) port10, 192.168.0.1/24
Default-route next hop         1.1.1.2                               2.2.2.3
Protected local subnet         192.168.10.0/24                       192.168.0.0/24
IKE version / mode             IKEv1 (undo version 2), main mode     IKEv1 (default), main mode
IKE proposal                   3DES, SHA1, DH group 2                3des-sha1, dhgrp 2
Pre-shared key                 Key@123                               Key@123
IPSec proposal                 ESP, tunnel mode, 3DES, SHA1          ESP, tunnel mode (default), 3des-sha1

Configuration Roadmap
  1. Configure the Huawei firewall: assign interface addresses and add the interfaces to security zones; configure security policies; configure a default route; define the protected traffic with an ACL; configure the IKE proposal and IKE peer; configure the IPSec proposal and IPSec policy; apply the IPSec policy to the public interface.
  2. Configure the Fortinet firewall: assign interface addresses; configure phase 1 (IKE SA) and phase 2 (IPSec SA); add the auto-created tunnel interface to a zone; configure firewall policies; configure a static route to the tunnel interface and a default route.

Procedure

1. Configure the Huawei firewall.

a. Configure interfaces and add them to security zones.

Configure interface GE1/0/3 and add it to the untrust zone.

[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit

Configure interface GE1/0/5 and add it to the trust zone.

[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit

b. Configure security policies.

Configure security policies between the untrust and trust zones. Policy 1 allows the branch network to reach the headquarters; policy 2 allows the headquarters to reach the branch.

[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit

Configure security policies between the local and untrust zones. Policy 3 allows the Huawei firewall to initiate IPSec tunnel negotiation; policy 4 allows it to accept negotiation requests. The source and destination addresses are the public egress addresses of the two ends. Note that the example writes these host addresses with a 24-bit mask, which admits the whole 1.1.1.0/24 and 2.2.2.0/24 ranges; in production use a 32-bit mask so that only the actual peer address may talk to the local zone.

[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit

c. Configure routes.

Configure a default route to the Internet, assuming the next hop is 1.1.1.2.

[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

d. Configure an ACL that defines the traffic to be protected.

Packets with source address 192.168.10.0/24 and destination address 192.168.0.0/24 must be carried over the IPSec tunnel.

[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit

Note: When the Huawei firewall initiates a negotiation, it finds the outbound interface from the routing table, checks security policy 2 to decide whether the traffic may pass, checks the ACL to decide whether the traffic must go through IPSec, and checks security policy 3 to decide whether it may initiate the negotiation; only if all of these checks pass does it send the negotiation request. When the Huawei firewall receives a negotiation request, it checks the ACL to decide whether the peer's traffic is protected traffic and security policy 4 to decide whether to accept the negotiation; if both checks pass it negotiates with the peer, otherwise it drops the negotiation packets.

e. Configure the IKE SA.

Configure the IKE proposal, specifying the encryption algorithm, authentication algorithm and DH group. The values below (3DES, SHA1, DH group 2) are chosen because the FortiGate side of this example uses the same ones; they are legacy algorithms. Where both devices support it, prefer AES-256, SHA2-256 and DH group 14 or higher, and keep the two ends identical, because phase 1 fails on any difference.

[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit

Configure the IKE peer, specifying the negotiation mode, IKE version, pre-shared key and peer address. Key@123 is a placeholder; in production use a long, random pre-shared key, since with IKEv1 main mode and PSK authentication the key is the only thing that authenticates the peer.

[HUAWEI] ike peer fortigate
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] ike-proposal 1
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@123
[HUAWEI-ike-peer-fortigate] remote-address 2.2.2.2
[HUAWEI-ike-peer-fortigate] quit

Note: The FortiGate configuration in this example does not set an IKE version, so it uses the FortiOS default, IKEv1. Run undo version 2 on the Huawei firewall so that it also negotiates IKEv1; otherwise the versions do not match and phase 1 never completes. (Newer FortiOS releases do accept set ike-version under config vpn ipsec phase1-interface; whichever version you choose, configure the same one on both ends.)

f. Configure the IPSec proposal, specifying the encapsulation mode, security protocol, encryption algorithm and authentication algorithm.

[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit

g. Configure the IPSec policy, binding the IKE peer, the IPSec proposal and the ACL.

[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer fortigate
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] quit

h. Apply the IPSec policy to the public interface.

[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/3] quit

2. Configure the Fortinet firewall.

a. Configure interface IP addresses.

Configure interface port03.

Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 2.2.2.2/24
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end

Configure interface port10.

Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1/24
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end

Note: On a Fortinet firewall, security policies can reference physical interfaces directly, so the interfaces need not be placed in security zones (they may be, in which case the policies reference the zone instead). The tunnel interface in this example is placed in a zone first, and the policies then reference that zone (see step d). On a Fortinet firewall, configuration commands take effect only after end is executed. The allowaccess list above enables every management protocol on both interfaces for convenience; on the Internet-facing port03 restrict it to what you actually need (typically ping plus https or ssh, ideally limited to trusted administrator addresses) and do not expose telnet, http or snmp, which are cleartext protocols, to the Internet.

b. Configure the IKE SA (phase 1), specifying its name, the interface it is bound to, the negotiation mode, encryption and authentication algorithms, pre-shared key, peer address and DH group.

Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end

Note: No IKE version is set in this phase 1, so the FortiGate uses its default of IKEv1, which is why the Huawei peer is pinned to IKEv1 with undo version 2 (newer FortiOS releases accept set ike-version under config vpn ipsec phase1-interface). set interface binds the phase 1 to port03, which corresponds to applying the IPSec policy to an interface on the Huawei firewall. set proposal 3des-sha1 sets the phase 1 encryption algorithm (3des) and authentication algorithm (sha1), matching IKE proposal 1 on the Huawei side.

c. Configure the IPSec SA (phase 2), specifying its name, the IKE SA it references, the encryption and authentication algorithms, and the DH group.

Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.10.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.0.0 255.255.255.0
Fortigate (firewall) # end

Note: This example sets neither the encapsulation mode nor the security protocol on the FortiGate; phase 2 uses tunnel mode and ESP by default, matching the Huawei IPSec proposal. set phase1name specifies the phase 1 (IKE SA) that this IPSec SA references. set proposal 3des-sha1 sets the IPSec encryption algorithm (3des) and authentication algorithm (sha1). src-subnet and dst-subnet define the protected flow, the counterpart of ACL 3000 on the Huawei firewall; they must be the exact mirror of the ACL (FortiGate src-subnet equals the Huawei destination, FortiGate dst-subnet equals the Huawei source), since quick mode fails on any difference. set dhgrp 2 in phase 2 is the PFS group, and FortiOS enables PFS by default; the Huawei IPSec policy in step 1-g does not configure PFS, so if phase 2 fails to negotiate, make the PFS setting the same on both ends.

d. Add the tunnel interface to the untrust zone.

Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end

Note: Once the phase 1 (IKE SA) configuration is saved, the device automatically creates a tunnel interface with the same name (here firewall), and protected traff­ic is sent and received through that interface. In this example the tunnel interface is added to a security zone so that the policies in step e can reference it through the zone.

e. Configure firewall policies.

Configure policies between port03 and port10. Policy 66 (port03 to port10) and policy 99 (port10 to port03) permit plain, non-tunnelled traffic between the Internet-facing interface and the branch LAN. Traffic decrypted from the tunnel does not use them: it enters and leaves through the tunnel interface, which is in zone untrust (step d), so the site-to-site traffic is governed by policies 96 and 76 below. Policy 66 accepts any source to any destination from the Internet into the branch LAN; it is not required for the tunnel and should be removed or narrowed in production. (On current FortiOS releases the predefined catch-all service is named ALL rather than ANY.)

Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end

Configure policies between zone untrust (that is, the tunnel interface) and port10. Policy 96 lets traffic arriving through the tunnel reach the branch LAN; policy 76 lets traffic from the branch LAN enter the tunnel toward the headquarters. With srcaddr and dstaddr set to all, anything the far end sends through the tunnel is accepted; in production tighten both policies to the two protected subnets (192.168.10.0/24 and 192.168.0.0/24).

Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end

Note: On the Fortinet firewall no policy between untrust and local is needed; IKE and ESP packets addressed to the firewall itself are handled as local-in traffic and do not require a firewall policy.

f. Configure routes.

Configure a static route that directs traffic for the headquarters subnet into the tunnel interface.

Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.10.0 255.255.255.0
Fortigate (76) # end

Configure a default route to the Internet with next hop 2.2.2.3 via port03.

Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 2.2.2.3
Fortigate (33) # set device port03
Fortigate (33) # end
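Before bringing the tunnel up, it is worth checking mechanically that the two configurations above actually propose the same SA, because a single differing parameter (IKE version, DH group, a non-mirrored traffic selector, a typo in the pre-shared key) is the usual reason a cross-vendor tunnel stays down. The following Python script is an added example, not part of the Huawei page or of either vendor's tooling. It parses the Huawei and FortiGate CLI snippets (embedded as constructed copies of the commands from steps 1 and 2, prompts included, because the prompt tells the parser which view a command belongs to), normalizes both into vendor-neutral parameters, lists every mismatch, and warns about the legacy algorithms and short pre-shared key used in this example. The FortiOS defaults it assumes (IKEv1 when ike-version is not set, main mode) are the ones the page relies on; the 20-character minimum for the pre-shared key is an assumption of the example.

```python
import ipaddress
import re

# Constructed copies of the commands from steps 1 and 2; prompts are kept because they name the view.
HUAWEI_CLI = """
[HUAWEI-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@123
[HUAWEI-ike-peer-fortigate] remote-address 2.2.2.2
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
"""
FORTI_CLI = """
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 2.2.2.2/24
Fortigate (phase1-interface) # edit firewall
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (phase2-interface) # edit firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.10.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.0.0 255.255.255.0
"""
WEAK = {"des": "cipher", "3des": "cipher", "md5": "hash", "sha1": "hash", "1": "DH group", "2": "DH group", "5": "DH group"}

def parse_huawei(cli):
    """{view: {'key words': 'last word'}}, keyed by the prompt suffix the command was typed in."""
    ctx = {}
    for m in re.finditer(r"^\[HUAWEI-([^\]]+)\] (.+) (\S+)$", cli, re.M):
        ctx.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return ctx

def parse_forti(cli):
    """{table/entry: {key: value}}; 'edit' opens an entry in the table named by the prompt."""
    ctx, cur = {}, None
    for prompt, verb, key, val in re.findall(r"^Fortigate \(([^)]+)\) # (\S+) (\S+)(?: (.+))?$", cli, re.M):
        if verb == "edit":
            cur = ctx.setdefault(f"{prompt}/{key}", {})
        elif verb == "set" and cur is not None:
            cur[key] = val
    return ctx

def huawei_params(ctx):
    """Vendor-neutral view of what the Huawei side proposes."""
    prop, peer, esp = ctx["ike-proposal-1"], ctx["ike-peer-fortigate"], ctx["ipsec-proposal-tran1"]
    acl = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)",
                    " ".join(next(iter(ctx["acl-adv-3000"].items()))))
    wan = next(k.split()[-1] for k in ctx["GigabitEthernet1/0/3"] if k.startswith("ip address"))
    return {"version": 1 if peer.get("undo version") == "2" else None,  # None: IKEv2 still enabled
            "mode": peer["exchange-mode"], "psk": peer["pre-shared-key"],
            "local": wan, "remote": peer["remote-address"],
            "ike": (prop["encryption-algorithm"], prop["authentication-algorithm"],
                    prop["dh"].replace("group", "")),
            "esp": (esp["esp encryption-algorithm"], esp["esp authentication-algorithm"]),
            # ACL wildcards are host masks, which ipaddress.ip_network accepts directly
            "local_net": ipaddress.ip_network(f"{acl[1]}/{acl[2]}"),
            "remote_net": ipaddress.ip_network(f"{acl[3]}/{acl[4]}")}

def forti_params(ctx):
    """Vendor-neutral view of what the FortiGate side proposes, with FortiOS defaults applied."""
    p1, p2 = ctx["phase1-interface/firewall"], ctx["phase2-interface/firewall"]
    ike, esp = p1["proposal"].split()[0].split("-"), p2["proposal"].split()[0].split("-")
    return {"version": int(p1.get("ike-version", "1")),  # FortiOS default is IKEv1
            "mode": p1.get("mode", "main"), "psk": p1["psksecret"],
            "local": ctx[f"interface/{p1['interface']}"]["ip"].split("/")[0],
            "remote": p1["remote-gw"],
            "ike": (ike[0], ike[1], p1["dhgrp"].split()[0]), "esp": (esp[0], esp[1]),
            "local_net": ipaddress.ip_network(p2["src-subnet"].replace(" ", "/")),
            "remote_net": ipaddress.ip_network(p2["dst-subnet"].replace(" ", "/"))}

def check(huawei_cli, forti_cli):
    """Return (mismatches, warnings); no mismatches means both ends propose the same SA."""
    h, f = huawei_params(parse_huawei(huawei_cli)), forti_params(parse_forti(forti_cli))
    pairs = [("IKE version", h["version"], f["version"]), ("exchange mode", h["mode"], f["mode"]),
             ("pre-shared key", h["psk"], f["psk"]), ("IKE enc/auth/dh", h["ike"], f["ike"]),
             ("ESP enc/auth", h["esp"], f["esp"]),
             ("peer addresses", (h["local"], h["remote"]), (f["remote"], f["local"])),
             ("traffic selectors (mirrored)", (h["local_net"], h["remote_net"]), (f["remote_net"], f["local_net"]))]
    mismatches = [f"{n}: Huawei {a} vs FortiGate {b}" for n, a, b in pairs if a != b]
    warnings = [f"legacy {WEAK[x]} {x}; prefer AES-256 / SHA2-256 / DH group 14+ on both ends"
                for x in sorted(set(h["ike"] + h["esp"])) if x in WEAK]
    warnings += ["pre-shared key is short; use a long random secret"] if len(h["psk"]) < 20 else []
    return mismatches, warnings

if __name__ == "__main__":
    mism, warn = check(HUAWEI_CLI, FORTI_CLI)
    print("mismatches:", mism or "none", "\nwarnings:", *warn, sep="\n  ")
```

Run as a script, it reports no mismatches for the configuration on this page and four warnings (3DES, SHA1, DH group 2, short pre-shared key). Changing set dhgrp 2 to set dhgrp 14 in phase 1 on the FortiGate side alone yields exactly one mismatch, on the IKE proposal, and adding set ike-version 2 yields one on the IKE version. The selector comparison is deliberately strict: the Huawei ACL's source and destination must equal the FortiGate dst-subnet and src-subnet exactly, in that order.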

Verification

1. Verify that the headquarters can initiate the IPSec tunnel to the branch.

a. From PC1 at the headquarters, ping PC2 on the branch network.

b. On the headquarters Huawei firewall, run display ike sa. Output like the following shows that the IKE SA has been established. Two entries appear for peer 2.2.2.2: v1:1 is the phase 1 (IKE) SA and v1:2 is the phase 2 (IPSec) SA; the RD flag means the SA is ready.

<HUAWEI> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer             flag         phase     vpn
--------------------------------------------------------------------------------------------------
12         2.2.2.2          RD|ST|A      v1:2      public
11         2.2.2.2          RD|ST|A      v1:1      public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   TD--DELETING
NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE

c. On the Huawei firewall, run display ipsec sa. Output like the following shows that the IPSec SA has been established; check that the flow source and destination match ACL 3000 and that both an inbound and an outbound ESP SA are present.

<HUAWEI> display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map1"
sequence number: 1
mode: isakmp
vpn: public
-----------------------------
  connection id: 12
  rule number: 5
  encapsulation mode: tunnel
  holding time: 0d 0h 1m 14s
  tunnel local : 1.1.1.1
  tunnel remote: 2.2.2.2
  flow source: 192.168.10.0/255.255.255.0 0/0
  flow destination: 192.168.0.0/255.255.255.0 0/0

  [inbound ESP SAs]
    spi: 2160560287 (0x80c7889f)
    vpn: public said: 0 cpuid: 0x0000
    proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
    sa remaining key duration (kilobytes/sec): 200000000/1726
    max received sequence-number: 4
    udp encapsulation used for nat traversal: N

  [outbound ESP SAs]
    spi: 3708493377 (0xdd0b1e41)
    vpn: public said: 1 cpuid: 0x0000
    proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
    sa remaining key duration (kilobytes/sec): 200000000/1726
    max sent sequence-number: 5
    udp encapsulation used for nat traversal: N

d. Log in to the web management interface of the branch Fortinet firewall and check the IPSec tunnel status.

A green up arrow next to the tunnel means the IPSec tunnel is established. Alternatively, run get ipsec tunnel list on the FortiGate CLI; a status of up means the tunnel is established. diagnose vpn ike gateway list and diagnose vpn tunnel list show the phase 1 and phase 2 details respectively.

2. Verify that the branch can initiate the IPSec tunnel to the headquarters.

a. On the headquarters Huawei firewall, run reset ike sa to tear down the IPSec tunnel.

b. From PC2 at the branch, ping PC1 on the headquarters network, and verify as in step 1 that the tunnel is re-established.
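Both verification passes above come down to reading the same two Huawei outputs, and when a monitoring script does that it needs to decide "up" from the fields rather than from a human glance. The following Python script is an added example, not from the Huawei page or from either vendor: it parses display ike sa and display ipsec sa output (embedded as a constructed sample copied from the output shown in step 1, with the table kept one row per line) and decides whether the tunnel to the peer is usable, listing the reason when it is not: a missing or non-READY phase 1 or phase 2 entry, a flag such as NEG or TO on an entry, an IPSec SA pointing at the wrong peer, a protected flow that does not match the ACL, or a missing or nearly expired ESP SA. The 60-second rekey threshold is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample: the 'display ike sa' / 'display ipsec sa' output shown above, one field per line.
IKE_SA_OUTPUT = """
current ike sa number: 2
conn-id    peer         flag       phase   vpn
12         2.2.2.2      RD|ST|A    v1:2    public
11         2.2.2.2      RD|ST|A    v1:1    public
"""
IPSEC_SA_OUTPUT = """
IPSec policy name: "map1"
sequence number: 1
mode: isakmp
encapsulation mode: tunnel
tunnel local : 1.1.1.1
tunnel remote: 2.2.2.2
flow source: 192.168.10.0/255.255.255.0 0/0
flow destination: 192.168.0.0/255.255.255.0 0/0
[inbound ESP SAs]
spi: 2160560287 (0x80c7889f)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (kilobytes/sec): 200000000/1726
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3708493377 (0xdd0b1e41)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (kilobytes/sec): 200000000/1726
udp encapsulation used for nat traversal: N
"""
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+v(\d):(\d)\s+(\S+)\s*$", re.M)
BAD_FLAGS = {"NEG": "still negotiating", "TO": "timed out", "TD": "being deleted", "FD": "fading out"}
REKEY_WARN_SECONDS = 60  # assumption: report ESP SAs whose key expires within a minute


def parse_ike_sa(text):
    """Rows of 'display ike sa' as dicts; the flag column becomes a set such as {'RD', 'ST', 'A'}."""
    return [{"conn_id": int(c), "peer": p, "flags": set(f.split("|")), "version": int(v),
             "phase": int(ph), "vpn": vpn} for c, p, f, v, ph, vpn in IKE_ROW.findall(text)]


def parse_ipsec_sa(text):
    """'display ipsec sa' as a dict; each '[inbound/outbound ESP SAs]' block becomes a nested dict."""
    sa, cur = {}, None
    for line in text.splitlines():
        block = re.match(r"\s*\[(\w+) ESP SAs\]", line)
        if block:
            cur = sa[block.group(1)] = {}
        elif ":" in line:
            key, val = line.split(":", 1)
            (sa if cur is None else cur)[key.strip()] = val.strip()
    return sa


def tunnel_state(ike_text, ipsec_text, peer, local_net, remote_net):
    """(up, problems): up only when phase 1 and phase 2 are READY for `peer`, the IPSec SA points at
    `peer`, its protected flow equals local_net -> remote_net, and both ESP directions hold a key."""
    problems = []
    rows = [r for r in parse_ike_sa(ike_text) if r["peer"] == peer]
    for r in rows:
        problems += [f"conn {r['conn_id']} (phase {r['phase']}) {BAD_FLAGS[f]}" for f in r["flags"] if f in BAD_FLAGS]
    for phase in (1, 2):  # v1:1 is the IKE SA from main mode, v1:2 the IPSec SA from quick mode
        if not any(r["phase"] == phase and "RD" in r["flags"] for r in rows):
            problems.append(f"phase {phase}: no READY SA with {peer}")
    sa = parse_ipsec_sa(ipsec_text)
    if sa.get("tunnel remote") != peer:
        problems.append(f"IPSec SA tunnel remote is {sa.get('tunnel remote')}, expected {peer}")
    want = (ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))
    got = tuple(ipaddress.ip_network(sa.get(k, "0.0.0.0/32").split()[0])
                for k in ("flow source", "flow destination"))
    if got != want:
        problems.append(f"protected flow {got} does not match the ACL {want}")
    for direction in ("inbound", "outbound"):
        esp = sa.get(direction, {})
        secs = int(esp.get("sa remaining key duration (kilobytes/sec)", "0/0").split("/")[1])
        if "spi" not in esp:
            problems.append(f"no {direction} ESP SA")
        elif secs < REKEY_WARN_SECONDS:
            problems.append(f"{direction} ESP SA key expires in {secs} s")
    return not problems, problems


if __name__ == "__main__":
    up, problems = tunnel_state(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, "2.2.2.2", "192.168.10.0/24", "192.168.0.0/24")
    print("tunnel up" if up else "tunnel NOT up:", *problems, sep="\n  ")
```

For the sample above the result is "tunnel up". Feeding it output with only the v1:1 row (the state right after reset ike sa while phase 2 is still being negotiated) yields "phase 2: no READY SA with 2.2.2.2", and an entry flagged NEG is reported as still negotiating, which is the distinction a monitoring check needs to make between a tunnel that is down and one that is coming up.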

Source: Huawei documentation

Formatting: Network Engineer Along (网络工程师阿龙); please keep this notice when reposting in this style.
