This refers to a VPN technology that uses the IPsec protocol to provide remote access. IPsec (Internet Protocol Security) is a security standard framework defined by the Internet Engineering Task Force (IETF); it provides a secure communication channel between two private networks across the public network, securing the connection through an encrypted tunnel, and provides private data encapsulation between two public gateways,

The basic steps for establishing an IPsec tunnel through IKE negotiation are as follows:

(1) Configure the interface IP addresses and a static route to the peer so that the two ends can reach each other.

(2) Configure an ACL to define the data flow that IPsec must protect.

(3) Configure an IPsec proposal to define how IPsec protects that traffic.

(4) Configure an IKE peer to set the parameters used in the IKE negotiation between the peers.

(5) Configure a security policy that references the ACL, the IPsec proposal and the IKE peer, determining the protection applied to each data flow.

(6) Apply the security policy group on the interface so that the interface performs IPsec protection.

Requirement: PC1 and PC2 communicate with each other over the IPsec VPN encrypted tunnel.

AR1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]ip address 200.1.1.2 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]

PC1

PC2

FW1

<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable   # disable the information center (stops log pop-ups cluttering the CLI)
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown  # bring the interface up
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.254 24  # assign the IP address
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit  # allow ping to this interface
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.254 24
[USG6000V1-GigabitEthernet1/0/1]undo shutdown
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust  # configure the security zones
[USG6000V1-zone-trust]add interface g1/0/0  # add the interface to the zone
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1-zone-untrust]q
[USG6000V1]ip route-static 0.0.0.0 0 100.1.1.2   # configure the default route
[USG6000V1]security-policy  # configure the security policy
[USG6000V1-policy-security]rule name trust_untrust  # trust zone to untrust zone
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]rule name untrust_trust  # untrust zone to trust zone
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]source-address 172.16.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]q
[USG6000V1-policy-security]rule name local_untrust   # local zone to untrust zone (IKE and ESP sent by this gateway)
[USG6000V1-policy-security-rule-local_untrust]source-zone local
[USG6000V1-policy-security-rule-local_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local_untrust]destination-address 200.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]source-address 100.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]action permit
[USG6000V1-policy-security-rule-local_untrust]q
[USG6000V1-policy-security]rule name untrust_local  # untrust zone to local zone (IKE and ESP from the peer)
[USG6000V1-policy-security-rule-untrust_local]source-zone untrust
[USG6000V1-policy-security-rule-untrust_local]source-address 200.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]destination-zone local
[USG6000V1-policy-security-rule-untrust_local]destination-address 100.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]action permit
[USG6000V1-policy-security-rule-untrust_local]q
[USG6000V1-policy-security]q
[USG6000V1]nat-policy  # configure NAT (easy-ip)
[USG6000V1-policy-nat]rule name nopat  # VPN traffic must not be translated, so this rule comes before the easy-ip rule
[USG6000V1-policy-nat-rule-nopat]source-zone trust
[USG6000V1-policy-nat-rule-nopat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nopat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nopat]destination-zone untrust
[USG6000V1-policy-nat-rule-nopat]destination-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat-rule-nopat]q
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]ike proposal 10  # create IKE proposal number 10
[USG6000V1-ike-proposal-10]authentication-method pre-share  # authentication method: pre-shared key
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256  # authentication algorithm: sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256  # encryption algorithm: aes-256
[USG6000V1-ike-proposal-10]dh group14  # DH group used for the key exchange
[USG6000V1-ike-proposal-10]q
[USG6000V1]ike peer huawei  # create the IKE peer
[USG6000V1-ike-peer-huawei]ike-proposal 10  # reference the IKE proposal
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123  # pre-shared key
[USG6000V1-ike-peer-huawei]remote-address 200.1.1.254  # remote address
[USG6000V1-ike-peer-huawei]q
[USG6000V1]ipsec proposal huawei-set  # IPsec proposal named huawei-set
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel  # IPsec encapsulation mode: tunnel
[USG6000V1-ipsec-proposal-huawei-set]transform esp  # security protocol ESP (ESP is also the default)
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-ipsec-proposal-huawei-set]q
[USG6000V1]acl 3000  # define the interesting traffic
[USG6000V1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ipsec policy huawei-map 10 isakmp  # IPsec policy using IKE dynamic negotiation
Info: The ISAKMP policy sequence number should be smaller than the template policy sequence number in the policy group. Otherwise, the ISAKMP policy does not take effect.
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]ike-peer huawei  # reference the IKE peer
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]proposal huawei-set  # reference the IPsec proposal
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]security acl 3000  # reference the interesting traffic
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]q
[USG6000V1]int g1/0/1  # apply the security policy group on the interface
[USG6000V1-GigabitEthernet1/0/1]ipsec policy huawei-map
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]

FW2 (largely the same as FW1)

<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]ip address 172.16.1.254 24
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]undo shutdown
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]ip address 200.1.1.254 24
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1-zone-untrust]q
[USG6000V1]ip route-static 0.0.0.0 0 200.1.1.2
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]source-address 172.16.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]access-authentication
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]destination-address 172.16.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]q
[USG6000V1-policy-security]rule name local_untrust
[USG6000V1-policy-security-rule-local_untrust]source-zone local
[USG6000V1-policy-security-rule-local_untrust]source-address 200.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local_untrust]destination-address 100.1.1.254 32
[USG6000V1-policy-security-rule-local_untrust]action permit
[USG6000V1-policy-security-rule-local_untrust]q
[USG6000V1-policy-security]rule name untrust_local
[USG6000V1-policy-security-rule-untrust_local]source-zone untrust
[USG6000V1-policy-security-rule-untrust_local]source-address 100.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]destination-zone local
[USG6000V1-policy-security-rule-untrust_local]destination-address 200.1.1.254 32
[USG6000V1-policy-security-rule-untrust_local]action permit
[USG6000V1-policy-security-rule-untrust_local]q
[USG6000V1-policy-security]q
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nopat
[USG6000V1-policy-nat-rule-nopat]source-zone trust
[USG6000V1-policy-nat-rule-nopat]source-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nopat]destination-zone untrust
[USG6000V1-policy-nat-rule-nopat]destination-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nopat]egress-interface g1/0/1
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat-rule-nopat]q
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]source-address 172.16.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]egress-interface  g1/0/1
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]ike proposal 10
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256
[USG6000V1-ike-proposal-10]dh group14
[USG6000V1-ike-proposal-10]q
[USG6000V1]ike peer huawei
[USG6000V1-ike-peer-huawei]ike-proposal 10
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123
[USG6000V1-ike-peer-huawei]remote-address 100.1.1.254
[USG6000V1-ike-peer-huawei]q
[USG6000V1]ipsec proposal huawei-set
[USG6000V1-ipsec-proposal-huawei-set]transform esp
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]q
[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ipsec policy huawei-map 10 isakmp
Info: The ISAKMP policy sequence number should be smaller than the template policy sequence number in the policy group. Otherwise, the ISAKMP policy does not take effect.
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]ike-peer huawei
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]proposal huawei-set
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]security acl 3000
[USG6000V1-ipsec-policy-isakmp-huawei-map-10]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ipsec policy huawei-map
[USG6000V1-GigabitEthernet1/0/1]q
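The six steps listed at the top and the two transcripts above only work if the peers line up: the IKE proposal, the pre-shared key and the IPsec proposal must match, each side's ACL 3000 must be the mirror image of the other's, `remote-address` must be the peer's g1/0/1 address, and the no-nat rule must be listed before the easy-ip rule so the site-to-site traffic is not translated away. As an added example, not part of the original post or of Huawei's tooling, the following Python script parses the `[view]command` transcript format used above and checks those conditions. The embedded transcripts are reduced copies of FW1 and FW2 from this page; the view-name suffixes (`ike-proposal-10`, `ipsec-proposal-huawei-set`, `acl-adv-3000`, `policy-nat`) are taken from the prompts in those transcripts and are an assumption of this script.

```python
import re

# Constructed sample transcripts: the FW1 and FW2 commands from this lab that decide whether
# the tunnel comes up (proposals, peer, ACL, outbound address) plus the NAT rules.
FW1 = """
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.254 24
[USG6000V1-policy-nat]rule name nopat
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256
[USG6000V1-ike-proposal-10]dh group14
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123
[USG6000V1-ike-peer-huawei]remote-address 200.1.1.254
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
"""

FW2 = """
[USG6000V1-GigabitEthernet1/0/1]ip address 200.1.1.254 24
[USG6000V1-policy-nat]rule name nopat
[USG6000V1-policy-nat-rule-nopat]action no-nat
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip
[USG6000V1-ike-proposal-10]authentication-method pre-share
[USG6000V1-ike-proposal-10]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-10]encryption-algorithm aes-256
[USG6000V1-ike-proposal-10]dh group14
[USG6000V1-ike-peer-huawei]pre-shared-key abc-123
[USG6000V1-ike-peer-huawei]remote-address 100.1.1.254
[USG6000V1-ipsec-proposal-huawei-set]encapsulation-mode tunnel
[USG6000V1-ipsec-proposal-huawei-set]esp authentication-algorithm sha2-256
[USG6000V1-ipsec-proposal-huawei-set]esp encryption-algorithm aes-256
[USG6000V1-acl-adv-3000]rule permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

PROMPT = re.compile(r"^\[([^\]]+)\](.*)$")  # "[view]command" as echoed by the VRP CLI


def parse_transcript(text):
    """Map each view (the name inside the [...] prompt) to the commands typed in it, in
    order, each split into words. Lines without a prompt (Info: output) and bare 'q' are skipped."""
    views = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if m and m.group(2).strip() not in ("", "q"):
            views.setdefault(m.group(1), []).append(m.group(2).split())
    return views


def cmds_in(views, suffix):
    """Commands of the first view whose name ends with suffix (assumed, e.g. 'ike-proposal-10')."""
    return next((c for v, c in views.items() if v.endswith(suffix)), [])


def setting(views, suffix, *keyword):
    """Arguments of the first command in that view whose leading words equal keyword, else None."""
    for cmd in cmds_in(views, suffix):
        if tuple(cmd[: len(keyword)]) == keyword:
            return cmd[len(keyword):]
    return None


def check_tunnel(text_a, text_b):
    """Return the mismatches between two peers' transcripts (A is the first one); an empty
    list means proposals, PSK, peer addresses, mirrored ACLs and NAT ordering are consistent."""
    a, b = parse_transcript(text_a), parse_transcript(text_b)
    findings = []
    # IKE and IPsec proposals are compared as sets, so the order of the commands does not matter
    for view in ("ike-proposal-10", "ipsec-proposal-huawei-set"):
        if {tuple(c) for c in cmds_in(a, view)} != {tuple(c) for c in cmds_in(b, view)}:
            findings.append(f"{view}: parameters differ between the peers")
    if setting(a, "ike-peer-huawei", "pre-shared-key") != setting(b, "ike-peer-huawei", "pre-shared-key"):
        findings.append("ike-peer: pre-shared keys differ")
    # ACL words: ['source', net, wildcard, 'destination', net, wildcard]; B must mirror A
    acl_a = setting(a, "acl-adv-3000", "rule", "permit", "ip") or []
    acl_b = setting(b, "acl-adv-3000", "rule", "permit", "ip") or []
    if len(acl_a) < 6 or acl_a[1:3] != acl_b[4:6] or acl_a[4:6] != acl_b[1:3]:
        findings.append("acl 3000: the two ACLs are not mirror images")
    for name, local, peer in (("A", a, b), ("B", b, a)):
        remote = setting(local, "ike-peer-huawei", "remote-address") or []
        peer_ip = setting(peer, "GigabitEthernet1/0/1", "ip", "address") or []
        if remote[:1] != peer_ip[:1]:
            findings.append(f"{name}: remote-address does not match the peer's g1/0/1 address")
        # NAT rules are matched top-down: the no-nat rule must come before the easy-ip rule
        order = [c[2] for c in cmds_in(local, "policy-nat") if c[:2] == ["rule", "name"]]
        actions = {r: setting(local, f"policy-nat-rule-{r}", "action") or [] for r in order}
        no_nat = [r for r in order if actions[r] == ["no-nat"]]
        src_nat = [r for r in order if actions[r][:1] == ["source-nat"]]
        if no_nat and src_nat and order.index(no_nat[0]) > order.index(src_nat[0]):
            findings.append(f"{name}: the no-nat rule is listed after the easy-ip rule, so VPN traffic would be translated")
    return findings


if __name__ == "__main__":
    print(check_tunnel(FW1, FW2) or "peers are consistent")
```

Run it against the two transcripts as pasted and it reports nothing; change one side's IKE encryption algorithm, the pre-shared key, or swap the order of the two NAT rules and the corresponding finding appears, which is the same set of mismatches one would otherwise hunt for with `display ike sa` and `display ipsec sa` after a failed negotiation.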

Verification

Packet capture at G1/0/1 of FW2

FW2
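What the capture at FW2's G1/0/1 should show is only ESP (IP protocol 50) between the two gateway addresses 100.1.1.254 and 200.1.1.254, with the PC subnets never visible in the clear on the WAN link. As an added example, not part of the original post, the following Python builds a few constructed IPv4 packets of the kind that capture would contain and classifies them the way a capture check would: tunnelled ESP, a private-subnet packet that escaped the tunnel (the symptom of an ACL or no-nat mistake), or ordinary easy-ip internet traffic. The SPI, sequence number, payload bytes and the host addresses 192.168.1.1 / 172.16.1.1 are made up for the example.

```python
import struct
from ipaddress import IPv4Address, ip_network

# Lab addressing taken from the transcripts; everything else below is constructed sample data.
GATEWAYS = {"100.1.1.254", "200.1.1.254"}
PRIVATE_NETS = [ip_network("192.168.1.0/24"), ip_network("172.16.1.0/24")]
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
ESP = 50


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (no options, checksum left zero) around payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet, honouring the IHL field."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[ihl:total]


def classify(pkt):
    """Label one packet seen on the WAN link:
    'esp-tunnel'        ESP between the two gateways, with the SPI and sequence number
    'plaintext-private' a private-subnet address on the wire outside the tunnel (a leak)
    'other'             anything else, e.g. traffic the easy-ip rule translated for the internet"""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == ESP and {src, dst} == GATEWAYS and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
        return ("esp-tunnel", spi, seq)
    if any(IPv4Address(a) in n for a in (src, dst) for n in PRIVATE_NETS):
        return ("plaintext-private", src, dst)
    return ("other", src, dst)


def audit(packets):
    """Classify a capture; any 'plaintext-private' entry means site-to-site traffic left the
    gateway unencrypted, which points at the interesting-traffic ACL or the no-nat rule."""
    return [classify(p) for p in packets]


SAMPLE_CAPTURE = [
    # PC1 -> PC2 ping after the tunnel is up: only the gateway addresses and ESP are visible
    build_ipv4("100.1.1.254", "200.1.1.254", ESP, struct.pack("!II", 0x0C0FFEE1, 7) + b"\x5a" * 40),
    # the same ping if it escaped the tunnel: inner addresses in the clear (ICMP echo request)
    build_ipv4("192.168.1.1", "172.16.1.1", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"\x00" * 8),
    # a packet translated by easy-ip towards AR1, which is not VPN traffic
    build_ipv4("100.1.1.254", "200.1.1.2", 1, b"\x08\x00\x00\x00\x00\x02\x00\x01"),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_CAPTURE):
        print(entry)
```

A real capture would be read from a pcap instead of `SAMPLE_CAPTURE`, but the decision logic is the same: on this link a healthy tunnel produces ESP with a constant SPI per direction and a climbing sequence number, while a ping that shows up with 192.168.1.x or 172.16.1.x addresses in the outer header means the firewall forwarded it outside the IPsec policy.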
