防火墙IPSec （无固定IP地址---一对多）

目录

前言

一、场景：

 二、实现

1.拓扑图

2.配置思路

①基础通信配置

②PPPoE配置

③总部的模版IPSec配置

④分部的IPSec配置

⑤NAT配置

3.具体配置

①基础配置

②详细配置和顺序

效果测试：

③PPPOE

①配置PPPoE

②策略放行

③IPSec与NAT的配置

④NAT配置

效果测试：

---

前言

IPSec VPN的概述与配置可查看这篇文章

【华为】IPSec VPN（动态）的原理与配置

（此篇文章的配置可配合链接中的配置对比理解）

一、场景：

---

以FW1所在的站点为总部，以FW2、FW3、FW4所在的站点为分部

目的：实现三个分部能够通过IPSec VPN访问总部（FW1），但三个分部之间无法通信

其中分部（FW4）所在的防火墙通过PPPoE获取IP地址，实现分部为无固定IP地址与总部固定IP地址通信

分部（FW2、FW3）假设为无固定地址去与总部固定IP地址通信

 二、实现

1.拓扑图

2.配置思路

（详细的配置和顺序等都在具体配置体现出来了）

①基础通信配置

（此基础配置部分可看文章开头的链接）

②PPPoE配置

（此配置本文章先是将其他分部的IPSec配置结束之后才进行此分部的PPPoE与IPSec VPN配置）

③总部的模版IPSec配置

因为分部的设备都是无固定IP地址，所以总部无法得知分部具体的公网IP地址所以在配置里不能体现

④分部的IPSec配置

因为分部的设备都是无固定IP地址，所以分部的配置中不能体现本端公网的IP地址，但总部的IP地址需要体现

⑤NAT配置

3.具体配置

①基础配置

测试通信

②详细配置和顺序

FW1总部：
[FW1]acl number 3002
[FW1-acl-adv-3002]rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[FW1-acl-adv-3002]rule 20 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]rule 20 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
#创建IKE安全提议
[FW1-acl-adv-3002]ike proposal 5
[FW1-ike-proposal-5]encryption-algorithm aes-256
[FW1-ike-proposal-5]dh group14
[FW1-ike-proposal-5]authentication-algorithm sha2-512
[FW1-ike-proposal-5]authentication-method pre-share
[FW1-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW1-ike-proposal-5]prf hmac-sha2-256
#创建IKE邻居分支
[FW1]ike peer branch
[FW1-ike-peer-branch]undo version 2
[FW1-ike-peer-branch]pre-shared-key Huawei@123
[FW1-ike-peer-branch]ike-proposal 5
[FW1-ike-peer-branch]exchange-mode main
#创建IPSec 安全提议
[FW1]ipsec proposal p
[FW1-ipsec-proposal-p]transform ah-esp
[FW1-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW1-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW1-ipsec-proposal-p]esp encryption-algorithm aes-256
配置IPSec模版
[FW1]ipsec policy-template branch_tem 10
[FW1-ipsec-policy-templet-branch_tem-10]security acl 3002
[FW1-ipsec-policy-templet-branch_tem-10]ike-peer branch
[FW1-ipsec-policy-templet-branch_tem-10]proposal p
绑定
[FW1]ipsec policy po 5 isakmp template branch_tem 
[FW1]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0] ipsec policy po 
nat策略配置
[FW1]nat-policy
[FW1-policy-nat]rule name ipsec_onat
[FW1-policy-nat-rule-ipsec_onat] source-zone trust
[FW1-policy-nat-rule-ipsec_onat] destination-zone untrust
[FW1-policy-nat-rule-ipsec_onat] source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.2.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.3.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] destination-address 192.168.4.0 mask 255.255.255.0
[FW1-policy-nat-rule-ipsec_onat] action no-natFW2：分部
#匹配感兴趣流量
[FW2]acl number 3001
[FW2-acl-adv-3001]rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#创建安全IKE提议
[FW2-acl-adv-3001]ike proposal 5
[FW2-ike-proposal-5]encryption-algorithm aes-256
[FW2-ike-proposal-5]dh group14
[FW2-ike-proposal-5]authentication-algorithm sha2-512
[FW2-ike-proposal-5]authentication-method pre-share
[FW2-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW2-ike-proposal-5]prf hmac-sha2-256
#创建IKE
[FW2]ike peer B
[FW2-ike-peer-B]undo version 2 
[FW2-ike-peer-B]pre-shared-key Huawei@123
[FW2-ike-peer-B]ike-proposal 5
[FW2-ike-peer-B]remote-address 15.15.15.15
#总部固定 IP 地址
[FW2]exchange-mode main
[FW2-ike-peer-B]ipsec proposal p
[FW2-ipsec-proposal-p]transform ah-esp
[FW2-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW2-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW2-ipsec-proposal-p]esp encryption-algorithm aes-256
创建IPSec安全策略
[FW2]ipsec policy po 10 isakmp
[FW2-ipsec-policy-isakmp-po-10]security acl 3001
[FW2-ipsec-policy-isakmp-po-10]ike-peer B
[FW2-ipsec-policy-isakmp-po-10]proposal p
[FW2-ipsec-policy-isakmp-po-10]interface GigabitEthernet1/0/0
[FW2-GigabitEthernet1/0/0] ipsec policy poFW3：分部
[FW3]#匹配感兴趣流量
[FW3]acl number 3001
[FW3-acl-adv-3001]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#创建安全IKE提议
[FW3]ike proposal 5
[FW3-ike-proposal-5]encryption-algorithm aes-256
[FW3-ike-proposal-5]dh group14
[FW3-ike-proposal-5]authentication-algorithm sha2-512
[FW3-ike-proposal-5]authentication-method pre-share
[FW3-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW3-ike-proposal-5]prf hmac-sha2-256
#创建IKE
[FW3]ike peer C
[FW3-ike-peer-C]undo version 2 
[FW3-ike-peer-C]pre-shared-key Huawei@123
[FW3-ike-peer-C]ike-proposal 5
[FW3-ike-peer-C]remote-address 15.15.15.15
#总部固定 IP 地址
[FW3]exchange-mode main
[FW3-ike-peer-C]ipsec proposal p
[FW3-ipsec-proposal-p]transform ah-esp
[FW3-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW3-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW3-ipsec-proposal-p]esp encryption-algorithm aes-256
#创建IPSec安全策略
[FW3]ipsec policy po 10 isakmp
[FW3-ipsec-policy-isakmp-po-10]security acl 3001
[FW3-ipsec-policy-isakmp-po-10]ike-peer C
[FW3-ipsec-policy-isakmp-po-10]proposal p
接口调用策略
[FW3]interface GigabitEthernet1/0/0
[FW3-GigabitEthernet1/0/0] ipsec policy po

效果测试：

但总部无法主动访问分部，只有当分部访问之后总部才能被动的访问分布

③PPPOE

配置

①配置PPPoE

R5:ISP
[R5]ip pool D
[R5-ip-pool-D]network 45.45.45.0 mask 255.255.255.0[R5]aaa
[R5-aaa]local-user huawei password cipher Huawei@123
[R5-aaa]local-user huawei service-type ppp[R5]int Virtual-Template 1
[R5-Virtual-Template1]ppp authentication-mode chap
[R5-Virtual-Template1]remote address pool D
[R5-Virtual-Template1]ip add 45.45.45.5 24
[R5]int g1/0/0
[R5-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1FW4 出口防火墙
[FW4]int Dialer 1
[FW4-Dialer1]link-protocol ppp
[FW4-Dialer1]ppp chap user huawei
[FW4-Dialer1]ppp chap password cipher Huawei@123
[FW4-Dialer1]ip address ppp-negotiate 
[FW4-Dialer1]dialer user huawei
[FW4-Dialer1]dialer bundle 1
[FW4-Dialer1]dialer-group 1[FW4]dialer-rule 1 ip permit [FW4]int g1/0/0
[FW4-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1
[FW4-GigabitEthernet1/0/0]undo shutdown 
[FW4]ip route-static 0.0.0.0 0.0.0.0 Dialer 1[FW4]firewall zone untrust 
[FW4-zone-untrust]add interface Dialer 1

②策略放行

FW4
同时也记得在总部放行此分部的策略
[FW4]security-policy
[FW4-policy-security] rule name ike_l2u
[FW4-policy-security-rule-ike_l2u]  source-zone local
[FW4-policy-security-rule-ike_l2u]  destination-zone untrust
[FW4-policy-security-rule-ike_l2u]  destination-address 15.15.15.0 mask 255.255.255.0
[FW4-policy-security-rule-ike_l2u]  action permit
[FW4-policy-security] rule name ike_u2l
[FW4-policy-security-rule-ike_u2l]  source-zone untrust
[FW4-policy-security-rule-ike_u2l]  destination-zone local
[FW4-policy-security-rule-ike_u2l]  source-address 15.15.15.0 mask 255.255.255.0 
[FW4-policy-security-rule-ike_u2l]  action permit
[FW4-policy-security] rule name t2u
[FW4-policy-security-rule-t2u]  source-zone trust
[FW4-policy-security-rule-t2u]  destination-zone untrust
[FW4-policy-security-rule-t2u]  source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-t2u]  destination-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-security-rule-t2u]  action permit
[FW4-policy-security] rule name u2t
[FW4-policy-security-rule-u2t]  source-zone untrust
[FW4-policy-security-rule-u2t]  destination-zone trust
[FW4-policy-security-rule-u2t]  source-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-security-rule-u2t]  destination-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-u2t]  action permit

③IPSec与NAT的配置

FW4
[FW4]acl 3001
[FW4-acl-adv-3001] rule 15 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
IKE安全提议
[FW4]ike proposal 5
[FW4-ike-proposal-5]encryption-algorithm aes-256
[FW4-ike-proposal-5]dh group14
[FW4-ike-proposal-5]authentication-algorithm sha2-512
[FW4-ike-proposal-5]authentication-method pre-share
[FW4-ike-proposal-5]integrity-algorithm hmac-sha2-256
[FW4-ike-proposal-5]prf hmac-sha2-256[FW4]ike peer D
[FW4-ike-peer-D]undo version 2 
[FW4-ike-peer-D]pre-shared-key Huawei@123
[FW4-ike-peer-D]ike-proposal 5
[FW4-ike-peer-D]remote-address 15.15.15.15
[FW4-ike-peer-D]exchange-mode main [FW4]ipsec proposal p
[FW4-ipsec-proposal-p]transform ah-esp
[FW4-ipsec-proposal-p]ah authentication-algorithm sha2-256
[FW4-ipsec-proposal-p]esp authentication-algorithm sha2-512
[FW4-ipsec-proposal-p]esp encryption-algorithm aes-256[FW4]ipsec policy po 100 isakmp 
[FW4-ipsec-policy-isakmp-po-100]security acl 3001
[FW4-ipsec-policy-isakmp-po-100]ike-peer D
[FW4-ipsec-policy-isakmp-po-100]proposal p[FW4]int Dialer 1
[FW4-Dialer1] ipsec policy po[FW1-acl-adv-3002]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

④NAT配置

安全策略放行
[FW4-policy-security-rule-nat] rule name nat
[FW4-policy-security-rule-nat]  source-zone trust
[FW4-policy-security-rule-nat]  destination-zone untrust
[FW4-policy-security-rule-nat]  source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-security-rule-nat]  action permit
NAT策略
[FW4-policy-nat]nat-policy
[FW4-policy-nat] rule name nat
[FW4-policy-nat-rule-nat]  source-zone trust
[FW4-policy-nat-rule-nat]  destination-zone untrust
[FW4-policy-nat-rule-nat]  source-address 192.168.4.0 mask 255.255.255.0
[FW4-policy-nat-rule-nat]  action source-nat easy-ip
[FW4-policy-nat-rule-nat] rule name ipsec_nonat
[FW4-policy-nat-rule-ipsec_nonat]  source-zone trust
[FW4-policy-nat-rule-ipsec_nonat]  destination-zone untrust
[FW4-policy-nat-rule-ipsec_nonat]  source-address 192.168.4.0 mask 255.255.255.0 
[FW4-policy-nat-rule-ipsec_nonat]  destination-address 192.168.1.0 mask 255.255.255.0
[FW4-policy-nat-rule-ipsec_nonat]  action no-nat[FW4-policy-nat]rule move ipsec_nonat before nat

效果测试：