eNSP: Firewall IPsec XXX
This refers to a XXX technology that uses the IPsec protocol to implement remote access. IPsec, short for Internet Protocol Security, is a security standard framework defined by the Internet Engineering Task Force (IETF). It provides a secure communication channel between two private networks across the public network and secures the connection through an encrypted tunnel: between two public gateways it provides a private, encapsulated packet service.
The basic steps for configuring an IPsec tunnel established through IKE negotiation are as follows:
(1) Configure the interface IP addresses and static routes to the peer, so that the two ends are mutually reachable.
(2) Configure an ACL to define the data flows that IPsec must protect.
(3) Configure an IPsec proposal to define how IPsec protects the traffic.
(4) Configure an IKE peer to determine the parameters used in IKE negotiation between the peers.
(5) Configure an IPsec policy that references the ACL, the IPsec proposal and the IKE peer, determining the protection applied to each data flow.
(6) Apply the IPsec policy group on an interface so that the interface gains IPsec protection.
Requirement: PC1 and PC2 communicate through an IPsec XXX encrypted tunnel.
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 200.1.1.2 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]
PC1
PC2
FW1
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable # suppress the info-center messages
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown # bring the interface up
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.254 24 # assign the IP address
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.254 24
[USG6000V1-GigabitEthernet1/0/1]undo shutdown
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust # configure the security zones
[USG6000V1-zone-trust]add interface g1/0/0 # add the interface to the zone
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1-zone-untrust]q
[USG6000V1]ip route-static 0.0.0.0 0 100.1.1.2 # configure the default route
[USG6000V1]security-policy # configure the security policy
[USG6000V1-policy-security]rule name trust_untrust # trust zone to untrust zone
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]rule name untrust_trust # untrust zone to trust zone
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]source-address 172.16.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]q
[USG6000V1-policy-security]rule name local_untrust # local zone to untrust zone
[USG6000V1-policy-security-rule-local_untrust]source-zone local
[USG6000V1-policy-security-rule-local_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local_untrust]destination-address 200.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]source-address 100.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]action permit
[USG6000V1-policy-security-rule-local_untrust]q
[USG6000V1-policy-security]rule name untrust_local # untrust zone to local zone
[USG6000V1-policy-security-rule-untrust_local]source-zone untrust
[USG6000V1-policy-security-rule-untrust_local]source-address 200.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]destination-zone local
[USG6000V1-policy-security-rule-untrust_local]destination-address 100.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]action permit
[USG6000V1-policy-security-rule-untrust_local]q
[USG6000V1-policy-security]q
[USG6000V1]nat-policy # configure NAT (easy-ip)
[USG6000V1-policy-nat]rule name nopat
[USG6000V1-policy-nat-rule-nopat]source-zone trust
[USG6000V1-policy-nat-rule-nopat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nopat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nopat]destination-zone untrust
[USG6000V1-policy-nat-rule-nopat]destination-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat-rule-nopat]q
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]ike proposal 10 # create IKE proposal number 10
[USG6000V1-ike-proposal-10]authentication-method pre-share # authentication method: pre-shared key
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256 # authentication algorithm: sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256 # encryption algorithm: aes-256
[USG6000V1-ike-proposal-10]dh group14 # DH group parameter
[USG6000V1-ike-proposal-10]q
[USG6000V1]ike peer huawei # create the IKE peer
[USG6000V1-ike-peer-huawei]ike-proposal 10 # reference the IKE proposal
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123 # pre-shared key
[USG6000V1-ike-peer-huawei]remote-address 200.1.1.254 # remote address
[USG6000V1-ike-peer-huawei]q
[USG6000V1]ipsec proposal huawei-set # create the IPsec proposal named huawei-set
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel # IPsec encapsulation mode: tunnel
[USG6000V1-ipsec-proposal-huawei-set]transform esp # security protocol: ESP (also the default)
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-ipsec-proposal-huawei-set]q
[USG6000V1]acl 3000 # define the interesting traffic
[USG6000V1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ipsec policy huawei-map 10 isakmp # IPsec policy using IKE dynamic negotiation
Info: The ISAKMP policy sequence number should be smaller than the template policy sequence number in the policy group. Otherwise, the ISAKMP policy does not take effect.
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]ike-peer huawei # reference the IKE peer
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]proposal huawei-set # reference the IPsec proposal
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]security acl 3000 # reference the interesting traffic
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]q
[USG6000V1]int g1/0/1 # apply the IPsec policy group on the interface
[USG6000V1-GigabitEthernet1/0/1]ipsec policy huawei-map
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]
FW2 (largely the same as FW1)
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]ip address 172.16.1.254 24
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]undo shutdown
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]ip address 200.1.1.254 24
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1-zone-untrust]q
[USG6000V1]ip route-static 0.0.0.0 0 200.1.1.2
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]source-address 172.16.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]access-authentication
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]destination-address 172.16.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]q
[USG6000V1-policy-security]rule name local_untrust
[USG6000V1-policy-security-rule-local_untrust]source-zone local
[USG6000V1-policy-security-rule-local_untrust]source-address 200.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local_untrust]destination-address 100.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]action permit
[USG6000V1-policy-security-rule-local_untrust]q
[USG6000V1-policy-security]rule name untrust_local
[USG6000V1-policy-security-rule-untrust_local]source-zone untrust
[USG6000V1-policy-security-rule-untrust_local]source-address 100.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]destination-zone local
[USG6000V1-policy-security-rule-untrust_local]destination-address 200.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]action permit
[USG6000V1-policy-security-rule-untrust_local]q
[USG6000V1-policy-security]q
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nopat
[USG6000V1-policy-nat-rule-nopat]source-zone trust
[USG6000V1-policy-nat-rule-nopat]source-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nopat]destination-zone untrust
[USG6000V1-policy-nat-rule-nopat]destination-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nopat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat-rule-nopat]q
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]source-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]ike proposal 10
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256
[USG6000V1-ike-proposal-10]dh group14
[USG6000V1-ike-proposal-10]q
[USG6000V1]ike peer huawei
[USG6000V1-ike-peer-huawei]ike-proposal 10
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123
[USG6000V1-ike-peer-huawei]remote-address 100.1.1.254
[USG6000V1-ike-peer-huawei]q
[USG6000V1]ipsec proposal huawei-set
[USG6000V1-ipsec-proposal-huawei-set]transform esp
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]q
[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ipsec policy huawei-map 10 isakmp
Info: The ISAKMP policy sequence number should be smaller than the template policy sequence number in the policy group. Otherwise, the ISAKMP policy does not take effect.
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]ike-peer huawei
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]proposal huawei-set
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]security acl 3000
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ipsec policy huawei-map
[USG6000V1-GigabitEthernet1/0/1]q
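The two firewall transcripts above only work because FW2 is the mirror image of FW1: the same IKE proposal parameters, the same pre-shared key, each side's remote-address is the other side's public interface, the same ESP transform, and ACL 3000 with source and destination swapped. A mismatch in any of these is the usual reason a tunnel never comes up, and it is easy to miss when the two sides are configured by hand. The following script is an added example, not code from the original post; it parses transcript lines in the "[prompt]command" form the page uses (a small constructed subset of the FW1 transcript, with FW2 derived from it by swapping addresses exactly as the page does) and reports every mismatch between the two endpoints. The view openers it recognises, the `resolve`/`check_peers` helpers and the finding messages are this example's own design, not a Huawei tool.

```python
"""Cross-check two Huawei USG IPsec endpoints for mirror-image consistency.
Added example (not from the original post): parses "[prompt]command" transcript
lines as shown on the page and lists mismatches that would break negotiation."""
import re

# Constructed input: the IPsec-relevant lines of the page's FW1 transcript
# (prompts kept, "q" lines omitted; the parser re-synchronises on each view opener).
FW1 = """[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.254 24
[USG6000V1]ike proposal 10 # create IKE proposal 10
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256
[USG6000V1-ike-proposal-10]dh group14
[USG6000V1]ike peer huawei
[USG6000V1-ike-peer-huawei]ike-proposal 10
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123
[USG6000V1-ike-peer-huawei]remote-address 200.1.1.254
[USG6000V1]ipsec proposal huawei-set
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[USG6000V1]ipsec policy huawei-map 10 isakmp
Info: The ISAKMP policy sequence number should be smaller than the template policy
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]ike-peer huawei
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]proposal huawei-set
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]security acl 3000
"""
# FW2 on the page is the mirror image: public addresses and ACL ends swapped.
FW2 = (FW1.replace("100.1.1.254", "@").replace("200.1.1.254", "100.1.1.254")
          .replace("@", "200.1.1.254")
          .replace("source 192.168.1.0 0.0.0.255 destination 172.16.1.0",
                   "source 172.16.1.0 0.0.0.255 destination 192.168.1.0"))

# Commands that enter a sub-view; the captured group is the object's name.
OPENERS = [(re.compile(p), k) for p, k in (
    (r"^int(?:erface)? (\S+)$", "interface"), (r"^ike proposal (\S+)$", "ike-proposal"),
    (r"^ike peer (\S+)$", "ike-peer"), (r"^ipsec proposal (\S+)$", "ipsec-proposal"),
    (r"^acl (\S+)$", "acl"), (r"^ipsec policy (\S+) \d+ isakmp$", "ipsec-policy"))]

def parse(transcript):
    """Return {kind: {name: [commands]}} by tracking which CLI view each line is in."""
    views, current = {}, None
    for line in transcript.splitlines():
        m = re.match(r"^\[[^\]]*\](.*)$", line.strip())
        if not m:
            continue                                   # Info/echo lines have no prompt
        cmd = m.group(1).split("#")[0].strip()         # drop the author's inline notes
        if cmd in ("q", "quit"):
            current = None
            continue
        for rx, kind in OPENERS:
            mm = rx.match(cmd)
            if mm:
                current = views.setdefault(kind, {}).setdefault(mm.group(1), [])
                break
        else:
            if cmd and current is not None:
                current.append(cmd)
    return views

def attr(cmds, prefix):
    """Value after `prefix` in the first matching command of a view, else None."""
    for c in cmds or []:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:]
    return None

def resolve(cfg):
    """Follow the isakmp policy's references to the objects it uses."""
    pol = next(iter(cfg.get("ipsec-policy", {}).values()), [])
    peer = cfg.get("ike-peer", {}).get(attr(pol, "ike-peer"))
    return {"peer": peer,
            "ike": cfg.get("ike-proposal", {}).get(attr(peer, "ike-proposal")),
            "ipsec": cfg.get("ipsec-proposal", {}).get(attr(pol, "proposal")),
            "acl": cfg.get("acl", {}).get(attr(pol, "security acl")),
            "local": [attr(i, "ip address") for i in cfg.get("interface", {}).values()]}

SAME = [("ike", "authentication-method"), ("ike", "authentication-algorithm"),
        ("ike", "encryption-algorithm"), ("ike", "dh"), ("peer", "pre-shared-key"),
        ("ipsec", "encapsulation-mode"), ("ipsec", "esp encryption-algorithm"),
        ("ipsec", "esp authentication-algorithm")]
RULE = re.compile(r"permit ip source (\S+ \S+) destination (\S+ \S+)")

def check_peers(text_a, text_b):
    """Return mismatch descriptions for two endpoints; an empty list means consistent."""
    a, b, findings = resolve(parse(text_a)), resolve(parse(text_b)), []
    for side, r in (("A", a), ("B", b)):
        findings += [f"{side}: policy references an undefined {k}"
                     for k in ("peer", "ike", "ipsec", "acl") if r[k] is None]
    if findings:
        return findings
    for obj, p in SAME:                               # phase-1 and phase-2 parameters
        va, vb = attr(a[obj], p), attr(b[obj], p)
        if va != vb:                                  # never print the key itself
            shown = "(values hidden)" if "key" in p else f"{va} vs {vb}"
            findings.append(f"{obj} {p} differs: {shown}")
    for x, y, side in ((a, b, "A"), (b, a, "B")):     # remote-address must be the peer's own
        remote = attr(x["peer"], "remote-address")
        if not any(ip and ip.split()[0] == remote for ip in y["local"]):
            findings.append(f"{side}: remote-address {remote} is not an address of the other side")
    ma, mb = RULE.match(attr(a["acl"], "rule") or ""), RULE.match(attr(b["acl"], "rule") or "")
    if not (ma and mb and ma.groups() == mb.groups()[::-1]):  # ACLs must be mirror images
        findings.append("interesting-traffic ACLs are not mirror images")
    return findings

print(check_peers(FW1, FW2) or "FW1 and FW2 are consistent")
```

Feeding the two transcripts as written on the page yields no findings. Change one side's DH group, pre-shared key or ACL and the corresponding mismatch is reported; the pre-shared key is deliberately never echoed in a finding, since a diagnostic that prints secrets tends to end up in tickets and chat logs.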
Verification
Packet capture at FW2's G1/0/1
FW2
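What the capture on FW2's G1/0/1 should show, once PC1 pings PC2, is only ISAKMP (UDP 500, or 4500 with NAT traversal) and ESP (IP protocol 50) between 100.1.1.254 and 200.1.1.254; the private addresses 192.168.1.x and 172.16.1.x must never appear in cleartext on that link. Two failure modes are worth recognising in a capture: a LAN-to-LAN packet passing in the clear means the IPsec policy did not cover that flow (policy not applied on the interface, or ACL 3000 not matching), and an ICMP packet from 100.1.1.254 straight to 172.16.1.x means source NAT rewrote the packet before the IPsec ACL was consulted, which is exactly why the page configures the `nopat` rule with `action no-nat` ahead of the easy-ip rule. The classifier below is an added example, not part of the original post; the packet tuples are constructed by hand (not real capture output), and the labels and helper names are this example's own.

```python
"""Interpret packets seen on the public-side interface (FW2 G1/0/1 on the page).
Added example, not from the original post. A healthy tunnel shows only IKE and
ESP between the two gateway addresses; anything else points at a misconfiguration."""
import ipaddress
from collections import Counter

GATEWAYS = {"100.1.1.254", "200.1.1.254"}      # FW1 / FW2 public addresses from the page
LANS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.1.0/24")]
ESP, ICMP, UDP = 50, 1, 17                     # IP protocol numbers

def classify(pkt):
    """pkt = (src, dst, ip_proto, sport, dport); return what this packet tells us."""
    src, dst, proto, sport, dport = pkt
    src_lan = any(ipaddress.ip_address(src) in n for n in LANS)
    dst_lan = any(ipaddress.ip_address(dst) in n for n in LANS)
    if src in GATEWAYS and dst in GATEWAYS:
        if proto == UDP and {sport, dport} & {500, 4500}:
            return "ike"                        # phase-1 / phase-2 negotiation
        if proto == ESP:
            return "esp"                        # protected user traffic (expected)
    if src_lan and dst_lan:
        # Private-to-private in the clear: the IPsec policy did not protect this
        # flow (policy not applied on the interface, or ACL 3000 did not match).
        return "cleartext-leak"
    if src in GATEWAYS and dst_lan:
        # Source already translated to the gateway address (easy-ip) and sent in
        # the clear: the no-nat rule for tunnel traffic is missing or misordered.
        return "nat-before-ipsec"
    return "other"

def summarize(packets):
    """Count labels; a healthy tunnel yields only 'ike', 'esp' (and maybe 'other')."""
    return dict(Counter(classify(p) for p in packets))

def tunnel_healthy(packets):
    """True when ESP is flowing and no unprotected private traffic was seen."""
    c = summarize(packets)
    return c.get("esp", 0) > 0 and not (c.get("cleartext-leak") or c.get("nat-before-ipsec"))

# Constructed sample capture: a successful negotiation followed by an ESP-carried ping.
HEALTHY = [
    ("100.1.1.254", "200.1.1.254", UDP, 500, 500),
    ("200.1.1.254", "100.1.1.254", UDP, 500, 500),
    ("100.1.1.254", "200.1.1.254", ESP, None, None),
    ("200.1.1.254", "100.1.1.254", ESP, None, None),
]
# Constructed failure case: FW1 without the no-nat rule, so the ping arrives translated.
NAT_LEAK = HEALTHY[:2] + [("100.1.1.254", "172.16.1.1", ICMP, None, None)]

if __name__ == "__main__":
    print("healthy:", summarize(HEALTHY), tunnel_healthy(HEALTHY))
    print("nat leak:", summarize(NAT_LEAK), tunnel_healthy(NAT_LEAK))
```

In practice the tuples would come from a capture parser, but the decision logic is the point: with the page's design, the presence of any private address on the public link is by itself a finding, and the distinction between the two leak labels tells you which part of the configuration (IPsec policy versus NAT policy order) to look at first.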