H3CCloudLab

HCL_总部采用IPsec安全策略模板方式与分支建立保护IPv4报文的IPsec隧道配置

工程名称

配置和验证华三设备上的总部采用 IPsec 安全策略模板方式与分支建 立保护 IPv4 报文的 IPsec 隧道

网络规划设计

总部的IPsec设备FW1采用旁挂方式,单独的网段接入核心交换机SW1;分支1的IPsec设备FW2采用旁挂方式接入核心交换机SW2,且与PC_2同一网段;分支2的IPsec设备FW3为出口设备,且出口公网IP地址为动态获取。

总部与分支1(静态公网IP地址)的IKE第一阶段使用主模式;总部与分支2(动态公网IP地址)的IKE第一阶段使用主动模式(野蛮模式)

需求:

总部和分支均能访问R3的环回接口地址3.3.3.3

分支FW2、FW3和总部FW1之间建立IPsec隧道,对分支网络与总部网络之间的数据进行安全保护

image-20250327

配置思路

  1. 先完成IP地址配置,PC能与3.3.3.3 互通 (需要做PAT)
  2. 总部出口路由器配置NAT SERVER 映射旁挂防火墙FW1
  3. 分支1的 R2 路由器配置静态公网IP地址
  4. 分支2的 FW2 防火墙配置动态公网IP地址
  5. 总部的SW1为核心交换机,PC1的网关在SW1上
  6. 分支1的SW2为核心交换机,PC2的网关在SW2上
  7. 分支2的的网关在FW3上
  8. 当分支机构为静态公网IP地址时ike协商使用main模式
  9. 当分支机构为动态公网IP地址时ike协商使用aggressive模式
  10. 使用IKE协商方式建立IPsec SA,采用ESP安全协议
  11. IKE协商采用预共享密钥认证方式
  12. 总部FW1采用IKE安全策略模板方式,分支FW2和FW3采用IKE安全策略方式
  13. 由于只验证ipsec vpn理论,三台防火墙的策略配置了any安全策略

实验步骤:

IP地址和路由

  • 设备配置IP地址、静态路由、NAT
  • 配置完成后各PC能ping通R3上的3.3.3.3;出口设备能ping通对端出口设备的公网IP地址

SW1和SW2上的引流

1、SW1上,配置静态路由,将总部去往分支机构的网段下一跳指向FW1

# 默认路由器用于访问互联网
 ip route-static 0.0.0.0 0 10.11.11.1
# 引流的静态路由
 ip route-static 192.168.20.0 24 10.1.1.1
 ip route-static 192.168.30.0 24 10.1.1.1

2、SW2上,配置策略路由,将分支1去往总部的网段下一跳地址指向FW2

# 配置acl批量分支1去往总部的流量
acl advanced 3666
 rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
# 配置策略路由匹配acl 3666,指定下一跳地址
policy-based-route TO-ZONGBU permit node 10
 if-match acl 3666
 apply next-hop 192.168.20.200
# 分支1网关上应用策略路由
interface Vlan-interface10
 ip policy-based-route TO-ZONGBU
#

R1和R2上配置端口映射

1、R1上配置端口映射,将端口映射到FW1的接口地址10.1.1.1

# udp 500 和 udp 4500
interface GigabitEthernet0/1
 nat server protocol udp global current-interface 500 inside 10.1.1.1 500
 nat server protocol udp global current-interface 4500 inside 10.1.1.1 4500
#

2、R2上配置端口映射,将端口映射到FW2的接口地址192.168.20.200

# udp 500 和 udp 4500
interface GigabitEthernet0/1
 nat server protocol udp global current-interface 500 inside 192.168.20.200 500
 nat server protocol udp global current-interface 4500 inside 192.168.20.200 4500
#

FW1配置

将流量区分为两类给后面的ipsec policy调用

  • acl 3010 用于分支机构外网出口是静态公网IP地址的ike 主模式
  • acl 3020 用于分支机构外网出口是动态公网IP地址或主模式协商有问题 的ike 野蛮模式
  • 如果后续需要新增分支机构加入ipsec vpn,可在以上两个acl后直接添加规则
# 总部去往分支1的数据
acl advanced 3010
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# 总部去往分支2的数据
acl advanced 3020
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#

# 配置IPsec安全提议,协商封装报文使用的各种安全协议
ipsec transform-set tran1
 # 默认tunnel模式 encapsulation-mode tunnel
 # 默认esp封装 protocol esp
 esp encryption-algorithm des-cbc 
 esp authentication-algorithm sha1 

# 配置IKE keychain,约定通信双方使用的密钥信息
ike keychain key1
 # 对于使用静态公网IP地址的,省个事,直接4个0,这样后面要新增分支不需要修改配置
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123
 # 对于使用动态IP的fqdn,或野蛮模式的
 pre-shared-key hostname fenzhi-2 key simple 456
 
# 配置IKE profile,约定建立IKE SA所需的安全参数
# 使用mian模式的连接
ike profile profile1
 keychain key1
 local-identity fqdn zongbu
 # 后续新增分支可添加match配置
 match remote identity fqdn fenzhi-1
# 使用aggressive模式的连接
ike profile profile2
 keychain key1
 exchange-mode aggressive
 local-identity fqdn zongbu
 # 后续新增分支可添加match配置
 match remote identity fqdn fenzhi-2

# 配置IPsec安全策略模板,用于创建IPsec安全策略
# 用于主模式的模板
ipsec policy-template temp1 10
 transform-set tran1 
 security acl 3010 
 ike-profile profile1
# 用于野蛮模式的模板
ipsec policy-template temp1 20
 transform-set tran1 
 security acl 3020 
 ike-profile profile2
 
# 引用安全策略模板temp1创建一条IKE协商方式的安全策略policy1
# 建立IPsec隧道,保护需要防护的数据流
ipsec policy map1 10 isakmp template temp1

# 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定使用预共享密钥认证方式、加密算法、认证算法。
ike proposal 1
 encryption-algorithm 3des-cbc
 # 默认认证算法  authentication-algorithm sha
 # 默认预共享密钥认证 authentication-method pre-share
#

# 在接口下引用IPsec安全策略,对接口上的流量进行保护
interface gigabitethernet 1/0/3
 ipsec apply policy map1

FW2配置

# 分支1去往总部的流量
acl advanced 3000
 rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#

# 配置IPsec安全提议,协商封装报文使用的各种安全协议
ipsec transform-set tran1
 # 默认tunnel模式 encapsulation-mode tunnel
 # 默认esp封装 protocol esp
 esp encryption-algorithm des-cbc 
 esp authentication-algorithm sha1 
 
# 配置IKE keychain,约定通信双方使用的密钥信息
ike keychain key1
 pre-shared-key address 101.1.1.1 255.255.255.255 key simple 123

# 配置IKE profile,约定建立IKE SA所需的安全参数
ike profile profile1
 keychain key1
 local-identity fqdn fenzhi-1
 match remote identity address 101.1.1.1 255.255.255.0

# 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec安全策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为101.1.1.1
ipsec policy map1 10 isakmp
 transform-set tran1 
 security acl 3000 
 remote-address 101.1.1.1
 ike-profile profile1

# 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定使用预共享密钥认证方式、加密算法、认证算法。
ike proposal 1
 encryption-algorithm 3des-cbc
 # 默认认证算法  authentication-algorithm sha
 # 默认预共享密钥认证 authentication-method pre-share
#

# 在接口下引用IPsec安全策略,对接口上的流量进行保护
interface gigabitethernet 1/0/3
 ipsec apply policy map1

FW3配置

# 分支2去往总部的流量
acl advanced 3000
 rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

# NAT调用的acl,排除去往总部的流量进行NAT
acl advanced 3010
 rule 0 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 5 permit ip
#

#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc 
 esp authentication-algorithm sha1 
#
ipsec policy map1 10 isakmp
 transform-set tran1 
 security acl 3000 
 remote-address 101.1.1.1
 ike-profile profile1
#
ike profile profile1
 keychain key1
 # 野蛮模式
 exchange-mode aggressive
 local-identity fqdn fenzhi-2
 match remote identity address 101.1.1.1 255.255.255.0
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike keychain key1
 pre-shared-key address 101.1.1.1 255.255.255.255 key simple 456
#

# 在接口下引用IPsec安全策略,对接口上的流量进行保护
# NAT outbound引用acl 3010
interface GigabitEthernet1/0/2
 ip address dhcp-alloc
 nat outbound 3010
 ipsec apply policy map1
#

测试结果:

连通性测试

image-20250327

注意:应用了该类IPsec安全策略(FW1上的IPsec安全策略模板方式)的接口不能发起协商,仅可以响应远端设备的协商请求。由于IPsec安全策略模板中未定义的可选参数由发起方来决定,而响应方会接受发起方的建议,因此这种方式创建的IPsec安全策略适用于通信对端(例如对端的IP地址)未知的情况下,允许这些对端设备向本端设备主动发起协商

FW1上查看ike sa

# FW1
<FW1>dis ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
 ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
--------------------------------------------------------------------------------
 34       profile2  103.1.1.1            RD       FQDN           fenzhi-2      
 38       profile1  102.1.1.2            RD       FQDN           fenzhi-1      
<FW1>

在FW1上观察到,每个ike sa的引用的profile、远端地址、远端类型、远端ID

关于使用序号的问题:文档中说越小越优先,不知是以哪一个匹配项进行的profile选择,待研究

FW1上查看ike sa 详细信息

<FW1>dis ike sa ver
   -----------------------------------------------
   Connection ID: 34
   Outside VPN: 
   Inside VPN: 
   Profile: profile2
   Transmitting entity: Responder
   Initiator cookie: b3ef914a89aa888a
   Responder cookie: 168da67159b7262f
   Output interface name: 
   -----------------------------------------------
   Local IP/port: 10.1.1.1/4500
   Local ID type: FQDN
   Local ID: zongbu

   Remote IP/port: 103.1.1.1/4500
   Remote ID type: FQDN
   Remote ID: fenzhi-2

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: 3DES-CBC

   Life duration(sec): 86400
   Remaining key duration(sec): 84747
   Exchange-mode: Aggressive
   Diffie-Hellman group: Group 1
   NAT traversal: Detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0
   -----------------------------------------------
   Connection ID: 38
   Outside VPN: 
   Inside VPN: 
   Profile: profile1
   Transmitting entity: Responder
   Initiator cookie: 4a8ad70544712029
   Responder cookie: cee73f6122f5b8b8
   Output interface name: 
   -----------------------------------------------
   Local IP/port: 10.1.1.1/4500
   Local ID type: FQDN
   Local ID: zongbu

   Remote IP/port: 102.1.1.2/1025
   Remote ID type: FQDN
   Remote ID: fenzhi-1

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: 3DES-CBC

   Life duration(sec): 86400
   Remaining key duration(sec): 84800
   Exchange-mode: Main
   Diffie-Hellman group: Group 1
   NAT traversal: Detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0
<FW1>

在FW1上观察到,sa 协商使用的各种算法、详细的各种信息,Exchange-mode

FW1上查看ipsec sa 信息

<FW1>dis ipsec sa brief 
-----------------------------------------------------------------------------
Tunnel-ID Name            Dst Address(port)              Protocol SPI           
-----------------------------------------------------------------------------
0         template-temp1~ --                             ESP      --            
0         template-temp1~ --                             ESP      --            
1         template-temp1~ <102.1.1.2(1025)               ESP      2205382650    
1         template-temp1~ >102.1.1.2(1025)               ESP      17477209      
2         template-temp1~ <103.1.1.1(4500)               ESP      558262863     
2         template-temp1~ >103.1.1.1(4500)               ESP      1974871094    
3         template-temp1~ --                             ESP      --            
3         template-temp1~ --                             ESP      --            

<FW1>dis ipsec sa 
-------------------------------
Interface: GigabitEthernet1/0/3
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Alias: template-temp1-10
  Mode: Template
  -----------------------------
    Tunnel id: 1
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Responder
    Path MTU: 1436
    Tunnel:
        local  address/port: 10.1.1.1/4500
        remote address/port: 102.1.1.2/1025
    Flow:
        sour addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.20.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 2205382650 (0x837377fa)
      Connection ID: 81604378625
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842414/1585
      Max received sequence-number: 9136
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 17477209 (0x010aae59)
      Connection ID: 81604378624
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842414/1585
      Max sent sequence-number: 9136
      UDP encapsulation used for NAT traversal: Y
      Status: Active
-------------------------------
Interface: GigabitEthernet1/0/3
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Alias: template-temp1-20
  Mode: Template
  -----------------------------
    Tunnel id: 2
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Responder
    Path MTU: 1436
    Tunnel:
        local  address/port: 10.1.1.1/4500
        remote address/port: 103.1.1.1/4500
    Flow:
        sour addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.30.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 558262863 (0x21466a4f)
      Connection ID: 90194313219
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842377/1531
      Max received sequence-number: 9572
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 1974871094 (0x75b62436)
      Connection ID: 90194313218
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842377/1531
      Max sent sequence-number: 9572
      UDP encapsulation used for NAT traversal: Y
      Status: Active
<FW1>

在FW1上观察到,NAT-T都是 Y

FW2上查看信息

<FW2>dis ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
 ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
--------------------------------------------------------------------------------
 11       profile1  101.1.1.1            RD       FQDN           zongbu        
<FW2>
<FW2>dis ike sa ver
   -----------------------------------------------
   Connection ID: 11
   Outside VPN: 
   Inside VPN: 
   Profile: profile1
   Transmitting entity: Initiator
   Initiator cookie: 4a8ad70544712029
   Responder cookie: cee73f6122f5b8b8
   Output interface name: 
   -----------------------------------------------
   Local IP/port: 192.168.20.200/4500
   Local ID type: FQDN
   Local ID: fenzhi-1

   Remote IP/port: 101.1.1.1/4500
   Remote ID type: FQDN
   Remote ID: zongbu

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: 3DES-CBC

   Life duration(sec): 86400
   Remaining key duration(sec): 84794
   Exchange-mode: Main
   Diffie-Hellman group: Group 1
   NAT traversal: Detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0
<FW2>

<FW2>dis ipsec sa bri
-----------------------------------------------------------------------------
Tunnel-ID Name            Dst Address(port)              Protocol SPI           
-----------------------------------------------------------------------------
0         map1-10         <101.1.1.1(4500)               ESP      17477209      
0         map1-10         >101.1.1.1(4500)               ESP      2205382650    
<FW2>
<FW2>dis ipsec sa 
-------------------------------
Interface: GigabitEthernet1/0/3
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Alias: map1-10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1436
    Tunnel:
        local  address/port: 192.168.20.200/4500
        remote address/port: 101.1.1.1/4500
    Flow:
        sour addr: 192.168.20.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 17477209 (0x010aae59)
      Connection ID: 98784247809
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842396/1455
      Max received sequence-number: 9345
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 2205382650 (0x837377fa)
      Connection ID: 98784247808
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842396/1455
      Max sent sequence-number: 9345
      UDP encapsulation used for NAT traversal: Y
      Status: Active
<FW2>

FW3上查看信息

<FW3>dis ike sa
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
 ID       Profile   Remote               Flag     Remote-Type    Remote-ID      
--------------------------------------------------------------------------------
 8        profile1  101.1.1.1            RD       FQDN           zongbu        
<FW3>dis ike sa ver
<FW3>dis ike sa verbose 
   -----------------------------------------------
   Connection ID: 8
   Outside VPN: 
   Inside VPN: 
   Profile: profile1
   Transmitting entity: Initiator
   Initiator cookie: b3ef914a89aa888a
   Responder cookie: 168da67159b7262f
   Output interface name: 
   -----------------------------------------------
   Local IP/port: 103.1.1.1/4500
   Local ID type: FQDN
   Local ID: fenzhi-2

   Remote IP/port: 101.1.1.1/4500
   Remote ID type: FQDN
   Remote ID: zongbu

   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: 3DES-CBC

   Life duration(sec): 86400
   Remaining key duration(sec): 84212
   Exchange-mode: Aggressive
   Diffie-Hellman group: Group 1
   NAT traversal: Detected

   Extend authentication: Disabled
   Assigned IP address:
   Vendor ID index:0xffffffff
   Vendor ID sequence number:0x0
<FW3> 

<FW3>dis ipsec sa bri
-----------------------------------------------------------------------------
Tunnel-ID Name            Dst Address(port)              Protocol SPI           
-----------------------------------------------------------------------------
0         map1-10         <101.1.1.1(4500)               ESP      1974871094    
0         map1-10         >101.1.1.1(4500)               ESP      558262863     
<FW3>
<FW3>dis ipsec sa 
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Alias: map1-10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy: 
    Inside VPN: 
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1436
    Tunnel:
        local  address/port: 103.1.1.1/4500
        remote address/port: 101.1.1.1/4500
    Flow:
        sour addr: 192.168.30.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1974871094 (0x75b62436)
      Connection ID: 30064771073
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842352/1474
      Max received sequence-number: 9867
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 558262863 (0x21466a4f)
      Connection ID: 55834574848
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1842352/1474
      Max sent sequence-number: 9867
      UDP encapsulation used for NAT traversal: Y
      Status: Active
<FW3>

说明:

拓扑文件:

https://hclhub.h3c.com/project/20293