HCIE-Security Day 42: IPsec High Availability
To improve network reliability, an enterprise branch usually establishes IPsec connections to headquarters over two or more links. This section looks at how the state of an IPsec link is detected and how traffic is switched between multiple IPsec tunnels as needed, so that business traffic keeps flowing.
IPsec high availability falls into two categories: link redundancy and active/standby gateway backup. Link redundancy itself can be implemented in several different ways.
Active/standby link backup
2:2 mode
Scenario
Both FW1 and FW2 have two uplinks to the ISP; the failure of one uplink must not interrupt business traffic.
How it works
FW1 applies a different IPsec policy on each of its two physical interfaces, and FW2 does the same on its two physical interfaces. This is rare in production networks, because a branch site seldom has two links to the public network; if this approach is used, the configuration has no special pitfalls.
2:1 mode
Scenario
FWB has two uplinks to the ISP and FWA has only one; the failure of one of FWB's uplinks must not interrupt business traffic.
How it works
FWB applies a different IPsec policy on each of its two physical interfaces; FWA creates two tunnel interfaces on its single physical interface and applies a different IPsec policy on each tunnel. This is the most common deployment. Note that sub-interfaces cannot be used, because IPsec cannot be configured on a sub-interface.
Lab 1: Configure IPsec VPN active/standby link backup between two gateways (dual link)
fw1 applies a different IPsec policy on each of its two physical interfaces; fw2 creates two tunnel interfaces on its single physical interface and applies an IPsec policy on each tunnel.
When fw1's g0/0/2 interface fails, traffic switches to g0/0/3, and fw2 must correspondingly switch traffic from Tunnel1 to Tunnel2. ip-link is used to probe the link so that both sides switch in step.
1. Basic firewall configuration
#fw1
interface GigabitEthernet0/0/1
 ip address 10.1.1.10 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/3
 ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet0/0/4
 ip address 202.100.2.10 255.255.255.0
#fw2
interface GigabitEthernet0/0/1
 ip address 10.1.2.11 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 10.1.21.10 255.255.255.0
interface GigabitEthernet0/0/3
 ip address 192.168.1.11 255.255.255.0
2. Security policy configuration
security-policy
 rule name ike
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 10.1.21.10 mask 255.255.255.255
  source-address 202.100.1.10 mask 255.255.255.255
  source-address 202.100.2.10 mask 255.255.255.255
  destination-address 10.1.21.10 mask 255.255.255.255
  destination-address 202.100.1.10 mask 255.255.255.255
  destination-address 202.100.2.10 mask 255.255.255.255
  service esp
  service isakmp
  action permit
 rule name pki
  source-zone dmz
  source-zone trust
  destination-zone dmz
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 192.168.1.1 mask 255.255.255.255
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 192.168.1.1 mask 255.255.255.255
  action permit
 rule name ipsec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
3. ip-link configuration
ip-link check enable
ip-link name iplink1
 destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
4. Static route configuration (primary and backup)
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 preference 200
5. fw1 IPsec policy configuration
6. Create the tunnel interfaces on FW2
interface Tunnel1
 ip address unnumbered interface GigabitEthernet0/0/2   # borrow the public-facing interface's address
 tunnel-protocol ipsec
interface Tunnel2
 ip address unnumbered interface GigabitEthernet0/0/2   # borrow the public-facing interface's address
 tunnel-protocol ipsec
# Be sure to add the tunnel interfaces to a security zone
firewall zone untrust
 add interface Tunnel1
 add interface Tunnel2
7. Configure ip-link on fw2
[FW2]ip-link name iplink2
 destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp next-hop 10.1.21.254
ip-link check enable
8. Configure static routes on fw2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
ip route-static 0.0.0.0 0.0.0.0 10.1.21.254
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link iplink2
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
9. fw2 IPsec policy configuration
10. Connectivity test
11. Check fw2's routing table
Lab 2: Configure IPsec VPN active/standby link backup between two gateways
Requirements and topology
FW_A connects to the Internet over two links, one active and one standby, and both interfaces use fixed public IP addresses; FW_B connects to the Internet over a single link, whose outbound interface also uses a fixed public IP address.
The following requirements must be met:
- FW_A and FW_B establish a secure IPsec tunnel between them so that headquarters and the branch can reach each other.
- When FW_A's active link fails, traffic switches to the standby link automatically; when the active link recovers, traffic switches back to it automatically.
Procedure and configuration
1. Configure the firewall interface IP addresses and security zones
1.1. fw1
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/2
 ip address 1.1.4.1 255.255.255.0
 service-manage ping permit
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
1.2. fw2
interface GigabitEthernet1/0/0
 ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 2.2.2.2 255.255.255.0
 service-manage ping permit
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Tunnel1
 add interface Tunnel2
1.3. Configure the tunnel interfaces on FW2
FW1 needs to establish two tunnels with FW2, but FW2 has only one physical interface, so two tunnel interfaces are configured on FW2, one for the tunnel to FW1's active interface and one for the tunnel to its standby interface. When FW1 switches between its active and standby links, FW2 switches tunnel interface as well and the two sides renegotiate the IPsec tunnel.
On FW2, configure two tunnel interfaces, Tunnel1 (active) and Tunnel2 (standby), corresponding to the active and standby interfaces on FW1. When FW1 switches links, FW2 switches to the corresponding tunnel interface.
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
firewall zone untrust
 add interface Tunnel1
 add interface Tunnel2
2. Configure ip-link and routes on the firewalls
2.1. Configure ip-link and routes on fw1
Configure two routes from FW1 to FW2 with different preferences so that one backs up the other. Bind ip-link to the primary route so that the link state along the primary path is monitored; when that link fails, the system automatically switches to the backup route.
#FW1
ip-link check enable
ip-link name HA1
 destination 2.2.2.2 interface GigabitEthernet1/0/1 mode icmp next-hop 1.1.3.2
ip route-static 2.2.2.2 255.255.255.255 1.1.3.2 track ip-link HA1
ip route-static 2.2.2.2 255.255.255.255 1.1.4.2 preference 200
ip route-static 10.2.1.0 255.255.255.0 1.1.3.2 track ip-link HA1
ip route-static 10.2.1.0 255.255.255.0 1.1.4.2 preference 200
2.2. Configure ip-link and routes on fw2
On FW2, the traffic to be protected is steered into the tunnel interfaces by routing. Because FW2 has two tunnel interfaces, two routes to headquarters are needed, one via Tunnel1 and one via Tunnel2, with different preferences so that one backs up the other. Bind ip-link to the primary route so that the link state along the primary path is monitored; when that link fails, the system automatically switches to the backup route.
#FW2
ip-link check enable
ip-link name HA1
 destination 1.1.3.1 interface GigabitEthernet1/0/1 mode icmp next-hop 2.2.2.1
ip route-static 1.1.3.1 255.255.255.255 2.2.2.1
ip route-static 1.1.4.1 255.255.255.255 2.2.2.1
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link HA1
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
3. Configure IPsec
3.1. Configure IPsec on fw1
3.1.1. Configure the interesting traffic
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
3.1.2. Configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
3.1.3. Configure the IKE peer
ike peer FW2
 undo version 2
 pre-shared-key Huawei@123
 ike-proposal 1
 remote-address 2.2.2.2
3.1.4. Configure the IPsec proposal
ipsec proposal FW1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
3.1.5. Configure the IPsec policies
ipsec policy FW1 10 isakmp
 security acl 3000
 ike-peer FW2
 proposal FW1
ipsec policy FW1B 20 isakmp
 security acl 3000
 ike-peer FW2
 proposal FW1
3.1.6. Bind the IPsec policies to the interfaces
On FW1, GigabitEthernet 1/0/1 is the active interface and GigabitEthernet 1/0/2 the standby interface. IPsec policies with identical settings are applied on both interfaces; when the active interface fails, the system automatically switches the IPsec tunnel to the standby interface.
interface GigabitEthernet1/0/1
 ipsec policy FW1
interface GigabitEthernet1/0/2
 ipsec policy FW1B
3.2. Configure IPsec on fw2
3.2.1. Configure the interesting traffic
acl number 3000
 rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3.2.2. Configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
3.2.3. Configure the IKE peers
ike peer FW1
 undo version 2
 pre-shared-key Huawei@123
 ike-proposal 1
 remote-address 1.1.3.1
ike peer FW1B
 undo version 2
 pre-shared-key Huawei@123
 ike-proposal 1
 remote-address 1.1.4.1
3.2.4. Configure the IPsec proposal
ipsec proposal FW2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
3.2.5. Configure the IPsec policies
ipsec policy FW2 10 isakmp
 security acl 3000
 ike-peer FW1
 proposal FW2
ipsec policy FW2B 20 isakmp
 security acl 3000
 ike-peer FW1B
 proposal FW2
3.2.6. Bind the IPsec policies to the interfaces
Apply one IPsec policy on Tunnel1 and the other on Tunnel2; when the active interface fails, the system automatically switches the IPsec tunnel to the standby interface.
interface Tunnel1
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy FW2
interface Tunnel2
 ip address unnumbered interface GigabitEthernet1/0/1
 tunnel-protocol ipsec
 ipsec policy FW2B
4. Configure the security policy
#fw1 & fw2
security-policy
 rule name ike
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 1.1.3.1 mask 255.255.255.255
  source-address 1.1.4.1 mask 255.255.255.255
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 1.1.3.1 mask 255.255.255.255
  destination-address 1.1.4.1 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  service esp
  service protocol udp destination-port 500
  action permit
 rule name trust_untrust
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.2.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.2.1.0 mask 255.255.255.0
  action permit
Verification and analysis
1. Test connectivity by accessing pc2 from pc1
2. Check the IKE negotiation state on the firewalls
[FW1]dis ike sa
2022-08-17 13:21:34.530
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
436 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 2
[FW2]dis ike sa
2022-08-17 13:25:09.220
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
21 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 2
3. Check the IPsec negotiation state on the firewalls
[FW1]dis ipsec sa
Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 436
Encapsulation mode: Tunnel
Holding time : 0d 0h 41m 12s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 9/540
[Inbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 7/420
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
Interface: Tunnel1
IPSec policy name: "FW2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 21
Encapsulation mode: Tunnel
Holding time : 0d 0h 42m 39s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 7/420
[Inbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 9/540
Anti-replay : Enable
Anti-replay window size: 1024
4. Check the session table
[FW1]dis fire se ta
2022-08-17 13:40:12.300
Current Total Sessions : 2
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
dis fire se ta
2022-08-17 13:41:19.190
Current Total Sessions : 3
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
5. Shut down fw1's g1/0/1 interface to simulate a failure
Check connectivity from the PC. A brief interruption is observed.
6. Check the IKE negotiation state on the firewalls
[FW1]dis ike sa
2022-08-17 13:45:33.870
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
439 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
438 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
437 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 4
dis ike sa
2022-08-17 13:46:13.280
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24 1.1.4.1:500 RD|A v1:2 IP 1.1.4.1
23 1.1.4.1:500 RD|A v1:1 IP 1.1.4.1
22 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 4
7. Check the IPsec negotiation state on the firewalls
[FW1]dis ipsec sa
2022-08-17 13:45:39.450
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 437
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 6s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max sent sequence-number: 24
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 23/1380
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 21/1260
Anti-replay : Enable
Anti-replay window size: 1024
===============================
Interface: GigabitEthernet1/0/2
IPSec policy name: "FW1B"
Sequence number : 20
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 439
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 10s
Tunnel local : 1.1.4.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max sent sequence-number: 6
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 5/300
[Inbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
dis ipsec sa
2022-08-17 13:46:15.780
ipsec sa information:
===============================
Interface: Tunnel1
IPSec policy name: "FW2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 22
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 44s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max sent sequence-number: 27
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 26/1560
[Inbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 22/1320
Anti-replay : Enable
Anti-replay window size: 1024
===============================
Interface: Tunnel2
IPSec policy name: "FW2B"
Sequence number : 20
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 24
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 47s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.4.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3554
Max sent sequence-number: 34
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 33/1980
[Inbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485758/3554
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 38/2280
Anti-replay : Enable
Anti-replay window size: 1024
As the output shows, the SAs negotiated over the failed link do not disappear on their own.
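An added example (not part of these lab notes) that parses two display ike sa listings, constructed from the FW2 output above before and after the link switch, and reports which IKE SAs belong to the newly active peer and which are left over from the old path; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed samples, taken from the [FW2] 'dis ike sa' listings in this section:
# the table before FW1's active link failed, and the table after FW1 switched
# to its backup interface 1.1.4.1. Columns: Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID.
BEFORE = """\
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
21 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 2
"""
AFTER = """\
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24 1.1.4.1:500 RD|A v1:2 IP 1.1.4.1
23 1.1.4.1:500 RD|A v1:1 IP 1.1.4.1
22 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 4
"""

# One SA row. The VPN column is blank for the public instance, so it is optional;
# the flag column is upper-case letters joined by '|', which keeps it apart from 'vN:N'.
SA_LINE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<vpn>\S+)\s+)?(?P<flags>[A-Z]+(?:\|[A-Z]+)*)\s+"
    r"v(?P<ver>[12]):(?P<phase>[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)$"
)
COUNT_LINE = re.compile(r"^Number of IKE SA\s*:\s*(\d+)$")


@dataclass(frozen=True)
class IkeSa:
    conn_id: int
    peer_ip: str
    peer_port: int
    vpn: str        # "" when the VPN column is empty
    flags: tuple    # e.g. ("RD", "A"): RD = ready, ST = stayalive, NEG = negotiating
    version: int    # 1 = IKEv1, 2 = IKEv2
    phase: int      # 1 = the IKE SA itself, 2 = the IPsec SA negotiated through it
    remote_id: str


def parse_ike_sa(text):
    """Return the SA rows of a 'display ike sa' listing; raise if the trailer
    count disagrees with the number of rows actually parsed."""
    sas, declared = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SA_LINE.match(line):
            sas.append(IkeSa(int(m["conn"]), m["ip"], int(m["port"]), m["vpn"] or "",
                             tuple(m["flags"].split("|")), int(m["ver"]),
                             int(m["phase"]), m["rid"]))
        elif c := COUNT_LINE.match(line):
            declared = int(c.group(1))
    if declared is not None and declared != len(sas):
        raise ValueError(f"trailer says {declared} SAs, parsed {len(sas)}")
    return sas


def ready_peers(sas):
    """Peers that have both an IKE SA (phase 1) and an IPsec SA (phase 2) in RD state."""
    phases = {}
    for sa in sas:
        if "RD" in sa.flags:
            phases.setdefault(sa.peer_ip, set()).add(sa.phase)
    return {ip for ip, seen in phases.items() if seen == {1, 2}}


def failover_report(before_text, after_text):
    """Compare two listings taken around a link switch. 'new_peers' are the
    backup endpoints that came up; 'lingering_conn_ids' are SAs to the old
    peer that are still listed, which the switch itself does not tear down."""
    before, after = parse_ike_sa(before_text), parse_ike_sa(after_text)
    peers_before = {sa.peer_ip for sa in before}
    new_peers = {sa.peer_ip for sa in after} - peers_before
    return {
        "new_peers": new_peers,
        "new_conn_ids": sorted(sa.conn_id for sa in after if sa.peer_ip in new_peers),
        "lingering_conn_ids": sorted(sa.conn_id for sa in after if sa.peer_ip in peers_before),
        "ready_peers_after": ready_peers(after),
    }
```

Running failover_report(BEFORE, AFTER) flags 1.1.4.1 as the new peer and connections 20 and 22 as the lingering SAs to 1.1.3.1, which is the same picture the listing above shows by hand.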
8. Check the session table
[FW1]dis fire se ta
2022-08-17 13:45:52.340
Current Total Sessions : 17
icmp VPN: public --> public 10.1.1.10:2289 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:753 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3057 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1777 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:241 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3313 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:3569 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1265 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4849 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4337 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3825 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:2801 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.3.1:0
icmp VPN: public --> public 10.1.1.10:4081 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.4.1:0
icmp VPN: public --> public 10.1.1.10:4593 --> 10.2.1.10:2048
[FW2]dis fire se ta
2022-08-17 13:46:27.520
Current Total Sessions : 25
icmp VPN: public --> public 10.1.1.10:11761 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10737 --> 10.2.1.10:2048
esp VPN: public --> public 1.1.3.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:13809 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9969 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13297 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9713 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:14065 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12017 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10225 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13553 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12529 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10481 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11249 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1110 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1107 --> 1.1.3.1:2048
icmp VPN: public --> public 10.1.1.10:10993 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1109 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1108 --> 1.1.3.1:2048
esp VPN: public --> public 1.1.4.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:12785 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12273 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9201 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11505 --> 10.2.1.10:2048
Tunnel-based link backup
Scenario
FWB has two uplinks to the ISP and FWA has only one; the failure of the link on either of FWB's physical interfaces must not interrupt business traffic.
How it works
FWB creates one tunnel interface and builds an IPsec policy on that tunnel; FWA builds an IPsec policy on its physical interface. Link redundancy through a tunnel interface can back up any number of links, and compared with active/standby link backup the configuration is simpler and the IPsec tunnel does not need to be renegotiated, so traffic is switched quickly. The placement of the tunnel interface is the reverse of the active/standby link backup method: here the tunnel interface is configured at headquarters, the side with multiple public physical links.
Lab
FW1 creates one tunnel interface and builds an IPsec policy on it; fw2 builds an IPsec policy on its physical interface.
The tunnel interface must be given a public IP address, and that address must be reachable from the peer.
0. Base configuration
#1. Router base configuration
int g0/0/0
undo portswitch
ip add 10.1.21.254 24
int g0/0/1
undo portswitch
ip add 202.100.1.11 24
int g0/0/2
undo portswitch
ip add 202.100.2.11 24
#2. Firewall base configuration
#fw1
sys FW1
int g0/0/0
ip add 192.168.0.10 24
int g0/0/1
ip add 10.1.1.10 24
int g0/0/2
ip add 202.100.1.10 24
int g0/0/3
ip add 202.100.2.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
add int g0/0/3
#fw2
sys FW2
int g0/0/0
ip add 192.168.0.11 24
int g0/0/1
ip add 10.1.2.10 24
int g0/0/2
ip add 10.1.21.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
quit
ip route-s 0.0.0.0 0 10.1.21.254
1. Create the tunnel interface on fw1
interface tunnel 1
ip add 11.1.1.1 24 #must be a public IP address, and it must be reachable from the peer
tunnel-protocol ipsec
fire zone untrust
add int tunnel 1
ip route-s 0.0.0.0 0 tunnel 1
2. Security policy configuration
security-policy
 rule name ike
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 10.1.21.10 mask 255.255.255.255
  source-address 11.1.1.1 mask 255.255.255.255
  destination-address 10.1.21.10 mask 255.255.255.255
  destination-address 11.1.1.1 mask 255.255.255.255
  service esp
  service protocol udp source-port 0 to 65535 destination-port 500
  action permit
 rule name ipsec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
3. ip-link configuration
#FW1
ip-link check enable
ip-link name iplink1
 destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
ip-link name iplink2
 destination 202.100.2.11 interface GigabitEthernet0/0/3 mode icmp
4. Route configuration
#FW1
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 track ip-link iplink2
ip route-static 10.1.2.0 255.255.255.0 tunnel 1 #key step: this steers the protected traffic into the tunnel
#AR1
ip route-static 11.1.1.1 32 202.100.1.10
ip route-static 11.1.1.1 32 202.100.2.10
5. IPsec configuration
#fw1
#configure the interesting traffic
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#IKE proposal configuration
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#IKE peer configuration
ike peer ike1780516513
 exchange-mode auto
 pre-shared-key Huawei@123
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 remote-address 10.1.21.10
#IPsec proposal configuration
ipsec proposal prop1780516513
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#IPsec policy configuration
ipsec policy ipsec178051616 1 isakmp
 security acl 3000
 ike-peer ike1780516513
 proposal prop1780516513
 tunnel local applied-interface
 alias ipsec1
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
#apply the IPsec policy under the tunnel interface
interface Tunnel1
 ipsec policy ipsec178051616
#fw2
#configure the interesting traffic
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#configure the IKE peer
ike peer ike1780657904
 exchange-mode auto
 pre-shared-key Huawei@123
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 remote-address 11.1.1.1 #this is the tunnel interface's IP address, not the physical interface's
#configure the IPsec proposal
ipsec proposal prop1780657904
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#configure the IPsec policy
ipsec policy ipsec1780657438 1 isakmp
 security acl 3000
 ike-peer ike1780657904
 proposal prop1780657904
 tunnel local applied-interface
 alias ipsec2
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
#apply the IPsec policy under the outbound interface
interface GigabitEthernet0/0/2
 ipsec policy ipsec1780657438
6. Checks
6.1. Check the IPsec negotiation state
[FW1]dis ipsec sa
2022-08-17 00:26:22.150 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 15m 36s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:25:01.370 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 14m 12s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
6.2. Check the IKE negotiation state
[FW1]dis ike sa
2022-08-17 00:26:45.930 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9 10.1.21.10:500 RD|A v2:2 IP 10.1.21.10
8 10.1.21.10:500 RD|A v2:1 IP 10.1.21.10
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW2]dis ike sa
2022-08-17 00:25:40.520 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 11.1.1.1:500 RD|ST|A v2:2 IP 11.1.1.1
5 11.1.1.1:500 RD|ST|A v2:1 IP 11.1.1.1
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
6.3. Connectivity test
6.4. Encryption/decryption test
[FW1]dis ipsec sta
2022-08-17 00:39:47.970 +08:00
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 8/4
input/output security bytes: 480/240
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 4, recv chip: 4, send err: 0
local cpu: 4, other cpu: 0, recv other cpu: 0
intact packet: 4, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 8, recv chip: 8, send err: 0
local cpu: 8, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 59, err: 0
IKE ctrl packet inbound ok: 59, outbound ok: 87
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
6.5. View the fw1 and ar1 routing tables
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.1.11 GigabitEthernet0/0/2
Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
[R1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.1.10 GigabitEthernet0/0/1
Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.11 GigabitEthernet0/0/1
202.100.1.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6.6. Failover
Shut down interface g0/0/1 on ar1 and check ar1's routing table
[R1-GigabitEthernet0/0/1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Check fw1's routing table
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
6.7. Check the IPsec state
[FW1]dis ipsec sa
2022-08-17 00:46:36.620 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 35m 51s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 8/480
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:47:29.480 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 36m 40s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 8/480
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
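An added example (not part of these lab notes) that reads a display ipsec sa listing before and after a link switch and tells whether the tunnel on an interface was kept or renegotiated. It serves both labs: the samples, constructed from the outputs in these notes, are FW1's g1/0/1 SA from lab 2 (new connection ID and SPIs after the switch) and FW1's Tunnel1 SA from this lab (same connection and SPIs, only the counters move); the function names are this example's own.

```python
import re

# Constructed samples, reduced from the 'dis ipsec sa' listings in these notes.
# Lab 2, FW1 GigabitEthernet1/0/1 before and after g1/0/1 was shut down
# (active/standby backup): a new SA with new SPIs replaced the old one.
AS_BEFORE = """\
Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1"
Connection ID : 436
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 194213225 (0xb937569)
SA encrypted packets (number/bytes): 9/540
[Inbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
SA decrypted packets (number/bytes): 7/420
"""
AS_AFTER = """\
Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1"
Connection ID : 437
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
SA encrypted packets (number/bytes): 23/1380
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
SA decrypted packets (number/bytes): 21/1260
"""
# Lab 3, FW1 Tunnel1 before and after AR1's g0/0/1 was shut down (tunnel-based backup).
TB_BEFORE = """\
Interface: Tunnel1
IPSec policy name: "ipsec178051616"
Connection ID : 9
Tunnel remote : 10.1.21.10:500
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
SA decrypted packets (number/bytes): 0/0
"""
TB_AFTER = """\
Interface: Tunnel1
IPSec policy name: "ipsec178051616"
Connection ID : 9
Tunnel remote : 10.1.21.10:500
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
SA decrypted packets (number/bytes): 8/480
"""

SPI_LINE = re.compile(r"^SPI:\s*(\d+)")
PKT_LINE = re.compile(r"^SA (?:encrypted|decrypted) packets \(number/bytes\):\s*(\d+)/(\d+)")
FIELD_LINE = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(.+?)\s*$")


def parse_ipsec_sa(text):
    """Return {interface: record}: scalar fields as strings plus 'outbound' and
    'inbound' dicts holding the SPI and the packet/byte counters."""
    records, cur, direction = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Interface:"):
            cur = records[line.split(":", 1)[1].strip()] = {"outbound": {}, "inbound": {}}
            direction = None
        elif cur is None:
            continue
        elif line in ("[Outbound ESP SAs]", "[Inbound ESP SAs]"):
            direction = line[1:].split()[0].lower()
        elif direction and (m := SPI_LINE.match(line)):
            cur[direction]["spi"] = int(m.group(1))
        elif direction and (m := PKT_LINE.match(line)):
            cur[direction]["packets"], cur[direction]["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := FIELD_LINE.match(line):
            cur[m.group(1).strip()] = m.group(2).strip('"')
    return records


def switch_check(before_text, after_text, interface):
    """'kept': the same connection and SPIs survived the switch (tunnel-based backup);
    'renegotiated': a new SA replaced the old one (active/standby backup)."""
    b = parse_ipsec_sa(before_text).get(interface)
    a = parse_ipsec_sa(after_text).get(interface)
    if a is None or b is None:
        return {"state": "absent" if a is None else "new"}
    same = (a["Connection ID"], a["outbound"]["spi"], a["inbound"]["spi"]) == \
           (b["Connection ID"], b["outbound"]["spi"], b["inbound"]["spi"])
    return {
        "state": "kept" if same else "renegotiated",
        "connection_id": a["Connection ID"],
        "remote": a["Tunnel remote"],
        # Counter deltas are only meaningful while it is still the same SA.
        "encrypted_delta": a["outbound"]["packets"] - b["outbound"]["packets"] if same else None,
        "decrypted_delta": a["inbound"]["packets"] - b["inbound"]["packets"] if same else None,
    }
```

switch_check(AS_BEFORE, AS_AFTER, "GigabitEthernet1/0/1") reports "renegotiated", while switch_check(TB_BEFORE, TB_AFTER, "Tunnel1") reports "kept" with 4 more packets encrypted and 8 more decrypted, which is exactly the difference between the two backup methods that the notes describe.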
6.8. Check the IKE status
[FW1]dis ike sa
2022-08-17 00:47:07.410 +08:00
IKE SA information :
Conn-ID   Peer              VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9         10.1.21.10:500          RD|A        v2:2    IP           10.1.21.10
8         10.1.21.10:500          RD|A        v2:1    IP           10.1.21.10

Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

[FW2]dis ike sa
2022-08-17 00:47:50.210 +08:00
IKE SA information :
Conn-ID   Peer              VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6         11.1.1.1:500            RD|ST|A     v2:2    IP           11.1.1.1
5         11.1.1.1:500            RD|ST|A     v2:1    IP           11.1.1.1

Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
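The IKE SA checks in this section, and the ones in the active/standby gateway experiment later on this page (6.1 and 6.7), are read by eye from the flag column: RD means the SA is usable, the second letter after the last | gives the HRP role (M active, S standby, A alone), and the Phase column shows the IKE version and phase. The following Python is an added example, not part of the original post or of any Huawei tool, that parses firewall-style `display ike sa` output into those fields so the same check can be scripted against a saved capture. The three samples are constructed here from the values shown on this page (peer addresses, Conn-IDs and flags), with the column spacing normalised; the regular expression assumes the row layout shown above and does not handle the shorter router-style table that AR2 prints.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: a gateway without HRP (flag A = ALONE), IKEv2 (v2:2 / v2:1).
SAMPLE_ALONE = """\
IKE SA information :
Conn-ID   Peer              VPN   Flag(s)     Phase   RemoteType   RemoteID
-----------------------------------------------------------------------------
6         11.1.1.1:500            RD|ST|A     v2:2    IP           11.1.1.1
5         11.1.1.1:500            RD|ST|A     v2:1    IP           11.1.1.1

Number of IKE SA : 2
-----------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
"""

# Constructed samples 2 and 3: the HRP master (flag M) and its standby (flag S), IKEv1.
SAMPLE_HRP_MASTER = """\
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
-----------------------------------------------------------------------------
102       202.100.2.10:500          RD|ST|M     v1:2    IP           202.100.2.10
101       202.100.2.10:500          RD|ST|M     v1:1    IP           202.100.2.10

Number of IKE SA : 2
"""
SAMPLE_HRP_STANDBY = """\
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
-----------------------------------------------------------------------------
6         202.100.2.10:500          RD|ST|S     v1:2    IP           202.100.2.10
5         202.100.2.10:500          RD|ST|S     v1:1    IP           202.100.2.10

Number of IKE SA : 2
"""


@dataclass
class IkeSa:
    conn_id: int
    peer: str
    flags: frozenset
    version: int
    phase: int
    remote_id: str


# One SA row: Conn-ID, peer ip:port, optional VPN instance, flags, "vN:P", remote type, remote id.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<peer>\S+:\d+)\s+(?:(?P<vpn>\S+)\s+)?"
    r"(?P<flags>[A-Z|]+)\s+v(?P<ver>[12]):(?P<phase>[12])\s+\S+\s+(?P<rid>\S+)\s*$"
)


def parse_ike_sa(text):
    """Return the IKE SAs listed in firewall-style 'display ike sa' output."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sas.append(IkeSa(int(m["id"]), m["peer"], frozenset(m["flags"].split("|")),
                             int(m["ver"]), int(m["phase"]), m["rid"]))
    return sas


def tunnel_status(text):
    """Summarise readiness, IKE version and HRP role from one device's output."""
    sas = parse_ike_sa(text)
    role = "unknown"
    for s in sas:                       # M/S/A is the HRP role; A means no HRP at all
        if "M" in s.flags:
            role = "active"
        elif "S" in s.flags:
            role = "standby"
        elif "A" in s.flags:
            role = "alone"
    return {
        "count": len(sas),
        "phase1_ready": any("RD" in s.flags for s in sas if s.phase == 1),
        "phase2_ready": any("RD" in s.flags for s in sas if s.phase == 2),
        "negotiating": any("NEG" in s.flags for s in sas),
        "role": role,
        "ike_version": sas[0].version if sas else None,
        "peers": sorted({s.peer for s in sas}),
    }


def hrp_pair_ok(text_a, text_b):
    """An HRP pair is healthy when one side holds the SAs as ACTIVE, the other as STANDBY,
    both see the same number of SAs towards the same peers, and phase 2 is READY on both."""
    a, b = tunnel_status(text_a), tunnel_status(text_b)
    return ({a["role"], b["role"]} == {"active", "standby"}
            and a["count"] == b["count"] and a["peers"] == b["peers"]
            and a["phase2_ready"] and b["phase2_ready"])


if __name__ == "__main__":
    for name, sample in (("alone", SAMPLE_ALONE), ("master", SAMPLE_HRP_MASTER)):
        print(name, tunnel_status(sample))
    print("HRP pair ok:", hrp_pair_ok(SAMPLE_HRP_MASTER, SAMPLE_HRP_STANDBY))
```

Feeding the two sides of a pair to `hrp_pair_ok` is the scripted form of comparing the 6.1 (before) and 6.7 (after failover) outputs: the roles must swap, the Conn-IDs and peers must not change.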
6.9. Test connectivity again
6.10. Check the encryption/decryption statistics again
[FW1]dis ipsec sta
2022-08-17 00:48:38.220 +08:00
IPSec statistics information:
  Number of IPSec tunnels: 1
  Number of standby IPSec tunnels: 0
  the security packet statistics:
    input/output security packets: 12/8
    input/output security bytes: 720/480
    input/output dropped security packets: 0/0
    the encrypt packet statistics:
      send chip: 8, recv chip: 8, send err: 0
      local cpu: 8, other cpu: 0, recv other cpu: 0
      intact packet: 8, first slice: 0, after slice: 0
    the decrypt packet statistics:
      send chip: 12, recv chip: 12, send err: 0
      local cpu: 12, other cpu: 0, recv other cpu: 0
      reass first slice: 0, after slice: 0
    dropped security packet detail:
      can not find SA: 0, wrong SA: 0
      authentication: 0, replay: 0
      front recheck: 0, after recheck: 0
      change cpu enc: 0, dec change cpu: 0
      fib search: 0, output l3: 0
      flow err: 0, slice err: 0, byte limit: 0
      slave drop: 0
    negotiate about packet statistics:
      IKE fwd packet ok: 75, err: 0
      IKE ctrl packet inbound ok: 75, outbound ok: 103
      SoftExpr: 0, HardExpr: 0, DPDOper: 0
      trigger ok: 0, switch sa: 1, sync sa: 0
      recv IKE nat keepalive: 0, IKE input: 0
6.11. Check the session table
[FW1]dis fire se ta ver pro esp
2022-08-17 00:49:34.730 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:08:41
Recv Interface: GigabitEthernet0/0/3
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
[FW2]dis fire se ta ver pro esp
2022-08-17 00:51:13.320 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f305918e103b9a62fc3ad0
Zone: untrust --> local TTL: 00:10:00 Left: 00:07:06
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
11.1.1.1:0 --> 10.1.21.10:0 PolicyName: ike
6.12. Restore the failed link and check connectivity again
[FW1]dis fire se ta ver pro esp
2022-08-17 00:54:57.470 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:10:00
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 150 bytes: 18,600
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
The switchover has taken place: the ESP session is once again received on GigabitEthernet0/0/2.
Active/standby gateway backup
Scenario
The headquarters has two FWs, each connecting to the ISP through its own public-network uplink (two devices, single ISP). When a failure occurs on FW1, services switch over automatically.
How it works
FW1 creates an IPsec policy and FW2 synchronizes it; the remote gateway FW3 creates a single IPsec policy.
Experiment
FW1 creates an IPsec policy and FW2 synchronizes it. The router creates a single IPsec policy.
1. Basic FW configuration
#fw1
int g0/0/1
ip add 10.1.1.100 24
int g0/0/2
ip add 202.100.1.100 24
int g0/0/3
ip add 172.16.1.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
#fw2
int g0/0/1
ip add 10.1.1.101 24
int g0/0/2
ip add 202.100.1.101 24
int g0/0/3
ip add 172.16.1.11 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
2. Basic AR configuration
#AR1
sys AR1
int g0/0/2
undo ip add
int g0/0/1
undo portswitch
ip add 202.100.1.254 24
int g0/0/0
undo portswitch
ip add 202.100.2.254 24
#AR2
sys AR2
int g0/0/1
undo portswitch
ip add 202.100.2.10 24
int g0/0/0
undo portswitch
ip add 10.1.2.10 24
ip route-s 0.0.0.0 0 202.100.2.254
3. Hot standby (HRP) configuration
3.1. fw1
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.11
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 active
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 active
3.2. fw2
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.10
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 standby
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 standby
4. Security policy configuration
Omitted
5. Configure IPsec
5.1. Configure the interesting traffic (ACL)
#fw1
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#ar2
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
5.2. Configure the IKE proposal
#fw1
ike proposal 1
encryption-algorithm aes-256 aes-192 aes-128 3des des
dh group14 group5 group2
authentication-algorithm sha2-256 sha1 md5
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#ar2
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
5.3. Configure the IKE peer
#FW1
ike peer AR2
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 202.100.2.10
# the peer (AR2) uses the virtual address as its remote address
#AR2
ike peer FW v1
pre-shared-key simple Huawei@123
ike-proposal 1
remote-address 202.100.1.10
5.4. Configure the IPsec proposal
#FW1
ipsec proposal FW
esp authentication-algorithm sha2-256 sha1 md5
esp encryption-algorithm aes-256 aes-192 aes-128 3des des
#AR2
ipsec proposal AR2
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
5.5. Configure the IPsec policy
#FW1
ipsec policy FW 10 isakmp
security acl 3000
ike-peer AR2
proposal FW
tunnel local 202.100.1.10
# use the virtual address as the tunnel's local (initiating) address
sa trigger-mode auto
#AR2
ipsec policy AR2 10 isakmp
security acl 3000
ike-peer FW
proposal AR2
5.6. Bind the IPsec policy to the interface
#FW1
interface GigabitEthernet0/0/2
ipsec policy FW
#AR2
interface GigabitEthernet0/0/1
ipsec policy AR2
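The whole of steps 3 to 5 hangs on a few values agreeing across three boxes: each firewall's `hrp interface ... remote` must be the other's heartbeat address, both firewalls must carry the same VRRP groups with the same virtual IPs and complementary roles, the IPsec policy's `tunnel local` must be the VRRP virtual IP of the interface the policy is bound to (not the physical address), and the router's `remote-address` must point at that same virtual IP. The following Python is an added example, not part of the original post or of any Huawei tool, that reads the three configuration fragments and reports any of those mismatches. The fragments are constructed here from the experiment's addresses with abbreviations expanded and only the relevant lines kept; the parser assumes this `display current-configuration` style (sub-commands indented under `interface` and `ipsec policy`) and nothing more.

```python
import re

# Constructed fragments modelled on the experiment (not verbatim device output).
FW1_CFG = """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.100 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.10 active
interface GigabitEthernet0/0/2
 ip address 202.100.1.100 255.255.255.0
 vrrp vrid 2 virtual-ip 202.100.1.10 active
 ipsec policy FW
interface GigabitEthernet0/0/3
 ip address 172.16.1.10 255.255.255.0
hrp interface GigabitEthernet0/0/3 remote 172.16.1.11
ipsec policy FW 10 isakmp
 tunnel local 202.100.1.10
"""
FW2_CFG = """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.101 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.10 standby
interface GigabitEthernet0/0/2
 ip address 202.100.1.101 255.255.255.0
 vrrp vrid 2 virtual-ip 202.100.1.10 standby
 ipsec policy FW
interface GigabitEthernet0/0/3
 ip address 172.16.1.11 255.255.255.0
hrp interface GigabitEthernet0/0/3 remote 172.16.1.10
ipsec policy FW 10 isakmp
 tunnel local 202.100.1.10
"""
AR2_CFG = """\
ike peer FW v1
 remote-address 202.100.1.10
"""


def parse_fw(text):
    """Collect interface addresses, VRRP groups, HRP heartbeat and IPsec tunnel-local facts."""
    f = {"ifaces": {}, "vrrp": {}, "hrp_if": None, "hrp_remote": None,
         "policy_if": {}, "tunnel_local": {}}
    cur_if = cur_policy = None
    for raw in text.splitlines():
        line, t = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur_if, cur_policy = t[1], None
            f["ifaces"].setdefault(cur_if, None)
        elif line.startswith("ipsec policy ") and len(t) >= 4:   # policy definition
            cur_policy, cur_if = t[2], None
        elif line.startswith("ip address ") and cur_if:
            f["ifaces"][cur_if] = t[2]
        elif line.startswith("vrrp vrid ") and cur_if:           # vrrp vrid N virtual-ip IP role
            f["vrrp"][int(t[2])] = {"if": cur_if, "vip": t[4], "role": t[5]}
        elif line.startswith("ipsec policy ") and cur_if:        # policy bound to interface
            f["policy_if"][t[2]] = cur_if
        elif line.startswith("hrp interface "):
            f["hrp_if"], f["hrp_remote"] = t[2], t[4]
        elif line.startswith("tunnel local ") and cur_policy:
            f["tunnel_local"][cur_policy] = t[2]
    return f


def peer_remote_address(cfg):
    """The remote-address the far-end gateway dials: must be the headquarters' virtual IP."""
    m = re.search(r"remote-address\s+([\d.]+)", cfg)
    return m.group(1) if m else None


def check_pair(cfg_a, cfg_b, peer_remote):
    """Return a list of problems; an empty list means the pair and peer are consistent."""
    a, b = parse_fw(cfg_a), parse_fw(cfg_b)
    problems = []
    for name, me, other in (("FW-A", a, b), ("FW-B", b, a)):   # heartbeat addresses mirrored
        if me["hrp_remote"] != other["ifaces"].get(other["hrp_if"]):
            problems.append(f"{name}: hrp remote {me['hrp_remote']} is not the peer heartbeat address")
    if set(a["vrrp"]) != set(b["vrrp"]):
        problems.append("VRRP group sets differ")
    for vrid in set(a["vrrp"]) & set(b["vrrp"]):                 # same VIP, one active + one standby
        ga, gb = a["vrrp"][vrid], b["vrrp"][vrid]
        if ga["vip"] != gb["vip"]:
            problems.append(f"vrid {vrid}: virtual-ip differs")
        if {ga["role"], gb["role"]} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles must be one active and one standby")
    for name, f in (("FW-A", a), ("FW-B", b)):                   # tunnel local == VIP == peer's target
        for pol, iface in f["policy_if"].items():
            vips = {g["vip"] for g in f["vrrp"].values() if g["if"] == iface}
            tl = f["tunnel_local"].get(pol)
            if tl not in vips:
                problems.append(f"{name}: policy {pol} tunnel local {tl} is not a virtual-ip on {iface}")
            elif tl != peer_remote:
                problems.append(f"peer remote-address {peer_remote} does not match tunnel local {tl}")
    return problems


if __name__ == "__main__":
    print(check_pair(FW1_CFG, FW2_CFG, peer_remote_address(AR2_CFG)) or "pair consistent")
```

The two mistakes the page's own comments warn about (binding the tunnel to the physical address instead of the virtual one, or the router dialling a physical address) both show up as a non-empty result.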
6. Verification
6.1. Check the IKE SA
HRP_M[FW1]dis ike sa
2022-08-18 00:41:03.110 +08:00
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102       202.100.2.10:500          RD|ST|M     v1:2    IP           202.100.2.10
101       202.100.2.10:500          RD|ST|M     v1:1    IP           202.100.2.10

Number of IKE SA : 2
HRP_S<FW2>dis ike sa
2022-08-18 00:41:52.780 +08:00
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6         202.100.2.10:500          RD|ST|S     v1:2    IP           202.100.2.10
5         202.100.2.10:500          RD|ST|S     v1:1    IP           202.100.2.10

Number of IKE SA : 2
<AR2>dis ike sa
Conn-ID   Peer              VPN   Flag(s)   Phase
---------------------------------------------------------------
130       202.100.1.10      0     RD        2
128       202.100.1.10      0     RD        1
6.2. Check the IPsec SA
HRP_M[FW1]dis ipsec sa
2022-08-18 00:42:48.780 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
  -----------------------------
  IPSec policy name: "FW"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 102
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 32m 33s
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    Flow source       : 10.1.1.0/255.255.255.0 0/0-65535
    Flow destination  : 10.1.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1647
      Max sent sequence-number: 9
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 8/480

    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1647
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 8/480
      Anti-replay : Enable
      Anti-replay window size: 1024

HRP_S<FW2>dis ipsec sa
2022-08-18 00:43:16.090 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
  -----------------------------
  IPSec policy name: "FW"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 6
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 32m 56s
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    Flow source       : 10.1.1.0/255.255.255.0 0/0-65535
    Flow destination  : 10.1.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1624
      Max sent sequence-number: 12288
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 0/0

    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1624
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 0/0
      Anti-replay : Enable
      Anti-replay window size: 1024

<AR2>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "AR2"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 130
    Encapsulation mode: Tunnel
    Tunnel local      : 202.100.2.10
    Tunnel remote     : 202.100.1.10
    Flow source       : 10.1.2.0/255.255.255.0 0/0
    Flow destination  : 10.1.1.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436320/1598
      Outpacket count : 8
      Outpacket encap count : 8
      Outpacket drop count : 0
      Max sent sequence-number: 8
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436320/1598
      Inpacket count : 8
      Inpacket decap count : 8
      Inpacket drop count : 0
      Max received sequence-number: 9
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
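What the three outputs above prove, read together, is that HRP has backed up the negotiated SA to the standby: FW1 and FW2 show the same tunnel endpoints and the same outbound and inbound SPIs, only the master has non-zero encrypted/decrypted counters, and AR2's outbound SPI is the firewalls' inbound one (and vice versa), with the firewalls' `Tunnel local` being the VRRP virtual IP rather than either physical address. The following Python is an added example, not part of the original post or of any Huawei tool, that extracts those fields from `display ipsec sa` text and performs the three comparisons. The samples are constructed here from the values on this page, trimmed to the lines the checks read; the parser assumes one outbound and one inbound ESP SA per output and understands both the firewall counters and the router's `Outpacket count` form.

```python
import re

# Constructed samples carrying the SPIs, endpoints and counters shown above (trimmed, not verbatim).
FW1_OUT = """\
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      SA encrypted packets (number/bytes): 8/480
    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      SA decrypted packets (number/bytes): 8/480
"""
FW2_OUT = """\
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      SA encrypted packets (number/bytes): 0/0
    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      SA decrypted packets (number/bytes): 0/0
"""
AR2_OUT = """\
    Tunnel local      : 202.100.2.10
    Tunnel remote     : 202.100.1.10
    [Outbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Outpacket count : 8
    [Inbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Inpacket count : 8
"""

VRRP_VIP = "202.100.1.10"   # the headquarters' VRRP virtual IP from the experiment


def parse_ipsec_sa(text):
    """Return endpoints, SPIs and packet counters for the single SA pair in the output."""
    def grab(pattern, blob, cast=str):
        m = re.search(pattern, blob)
        return cast(m.group(1)) if m else None
    head, _, rest = text.partition("[Outbound ESP SAs]")
    out_blob, _, in_blob = rest.partition("[Inbound ESP SAs]")
    return {
        "local": grab(r"Tunnel local\s*:\s*([\d.]+)", head),      # port suffix dropped
        "remote": grab(r"Tunnel remote\s*:\s*([\d.]+)", head),
        "out_spi": grab(r"SPI:\s*(\d+)", out_blob, int),
        "in_spi": grab(r"SPI:\s*(\d+)", in_blob, int),
        # Firewalls print "SA encrypted packets (number/bytes): n/b"; the router prints "Outpacket count : n".
        "encrypted": grab(r"(?:SA encrypted packets \(number/bytes\)|Outpacket count)\s*:\s*(\d+)", out_blob, int),
        "decrypted": grab(r"(?:SA decrypted packets \(number/bytes\)|Inpacket count)\s*:\s*(\d+)", in_blob, int),
    }


def hrp_synced(master, standby):
    """HRP backs up the negotiated SA, so both boxes must hold identical endpoints and SPIs."""
    return all(master[k] == standby[k] for k in ("local", "remote", "out_spi", "in_spi"))


def mirrors_peer(ours, peer):
    """Our outbound SPI is the peer's inbound one and vice versa; endpoints are swapped."""
    return (ours["out_spi"] == peer["in_spi"] and ours["in_spi"] == peer["out_spi"]
            and ours["local"] == peer["remote"] and ours["remote"] == peer["local"])


def forwarding_side(master, standby):
    """Only the master should be moving traffic; the standby's counters stay at zero."""
    master_busy = (master["encrypted"] or 0) > 0
    standby_idle = (standby["encrypted"] or 0) == 0 and (standby["decrypted"] or 0) == 0
    return "master" if master_busy and standby_idle else "unexpected"


def uses_virtual_ip(sa, vip=VRRP_VIP):
    """The tunnel must terminate on the VRRP virtual IP, or a failover would change the endpoint."""
    return sa["local"] == vip


if __name__ == "__main__":
    fw1, fw2, ar2 = (parse_ipsec_sa(t) for t in (FW1_OUT, FW2_OUT, AR2_OUT))
    print("HRP synced:", hrp_synced(fw1, fw2), "| mirrors peer:", mirrors_peer(fw1, ar2),
          "| forwarding:", forwarding_side(fw1, fw2), "| on VIP:", uses_virtual_ip(fw1))
```

After the failover in 6.7/6.8 the same checks still hold with the roles swapped, which is exactly what lets AR2 keep its existing SA instead of renegotiating.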
6.3. Test connectivity
6.4. Check the session table
HRP_M[FW1]dis fire se ta
2022-08-18 00:44:54.350 +08:00
Current Total Sessions : 13
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
esp VPN: public --> public 202.100.2.10:0 --> 202.100.1.10:0
icmp VPN: public --> public 10.1.1.1:1 --> 10.1.2.1:2048
udp VPN: public --> public 172.16.1.11:16384 --> 172.16.1.10:18514
tcp VPN: default --> default 192.168.0.101:49334 --> 192.168.0.10:8443
HRP_S<FW2>dis fire se ta
2022-08-18 00:45:22.080 +08:00
Current Total Sessions : 11
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
tcp VPN: default --> default 192.168.0.101:49306 --> 192.168.0.11:8443
udp VPN: public --> public 172.16.1.10:16384 --> 172.16.1.11:18514
6.5. Simulate a failure on FW1
Shut down the g0/0/1 interface of FW1
6.6. Test connectivity again
6.7. Check the IKE SA
HRP_S[FW1]dis ike sa
2022-08-18 00:48:41.930 +08:00
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102       202.100.2.10:500          RD|ST|S     v1:2    IP           202.100.2.10
101       202.100.2.10:500          RD|ST|S     v1:1    IP           202.100.2.10

Number of IKE SA : 2
HRP_M<FW2>dis ike sa
2022-08-18 00:49:08.130 +08:00
IKE SA information :
Conn-ID   Peer                VPN   Flag(s)     Phase   RemoteType   RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6         202.100.2.10:500          RD|ST|M     v1:2    IP           202.100.2.10
5         202.100.2.10:500          RD|ST|M     v1:1    IP           202.100.2.10

Number of IKE SA : 2
6.8. Check the IPsec SA
HRP_M<FW2>dis ipsec sa
2022-08-18 00:49:42.940 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
  -----------------------------
  IPSec policy name: "FW"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 6
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 39m 23s
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    Flow source       : 10.1.1.0/255.255.255.0 0/0-65535
    Flow destination  : 10.1.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1237
      Max sent sequence-number: 12292
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 4/240

    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1237
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 4/240
      Anti-replay : Enable
      Anti-replay window size: 1024

HRP_S[FW1]dis ipsec sa
2022-08-18 00:50:02.270 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
  -----------------------------
  IPSec policy name: "FW"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 102
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 39m 46s
    Tunnel local      : 202.100.1.10:500
    Tunnel remote     : 202.100.2.10:500
    Flow source       : 10.1.1.0/255.255.255.0 0/0-65535
    Flow destination  : 10.1.2.0/255.255.255.0 0/0-65535

    [Outbound ESP SAs]
      SPI: 3679150852 (0xdb4b6304)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1214
      Max sent sequence-number: 24576
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 12/720

    [Inbound ESP SAs]
      SPI: 185315463 (0xb0bb087)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 1843200/1214
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 12/720
      Anti-replay : Enable
      Anti-replay window size: 1024