How to configure IPsec on a Huawei USG firewall.docx
- Document ID: 12179811
- Uploaded: 2023-04-17
- Format: DOCX
- Pages: 8
- Size: 16.07KB
How to configure IPsec on a Huawei USG firewall
Huawei's products cover switching, transport, wireless and fixed access, data communication networks and wireless terminals. Do you know how to configure IPsec on a Huawei USG firewall?
Below is some material on configuring IPsec on a Huawei USG firewall compiled by the Xuexila editor, for your reference.
A Huawei USG firewall IPsec configuration case
Lab topology
The lab is built with the Huawei eNSP 1.2.00.370 simulator.
The devices are connected in a chain: client1 - USG-1 - AR1 - USG-2 - client2.
Lab requirements
USG-1 and USG-2 act as the two enterprise edge devices. NAT and IPsec are configured on both so that the two private networks can reach each other through the tunnel while other traffic still uses NAT.
Lab configuration
The IP address configuration of R1 (AR1) is omitted.
USG-1 configuration
[USG-1] firewall zone trust   // enter the trust zone
[USG-1-zone-trust] add interface g0/0/0   // add the interface to the trust zone
[USG-1-zone-trust] quit
[USG-1] firewall zone untrust   // enter the untrust zone
[USG-1-zone-untrust] add int g0/0/1   // add the interface to the untrust zone
[USG-1-zone-untrust] quit
[USG-1] int g0/0/0
[USG-1-GigabitEthernet0/0/0] ip add 192.168.10.1 24
[USG-1-GigabitEthernet0/0/0] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ip add 11.0.0.2 24
[USG-1-GigabitEthernet0/0/1] quit
[USG-1] ip route-static 0.0.0.0 0.0.0.0 11.0.0.1   // default route toward the public network
[USG-1] nat-policy interzone trust untrust outbound
// enter the NAT policy view for the trust-untrust zone pair, outbound direction (trust to untrust)
[USG-1-nat-policy-interzone-trust-untrust-outbound] policy 1   // create policy 1
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.10.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
// these three commands exempt traffic from 192.168.10.0/24 to 192.168.20.0/24 from NAT, so it keeps its private source address and can still match the IPsec interesting-traffic ACL; NAT policies are matched in order, so this exemption must come before the source-NAT policy below
[USG-1-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-1-nat-policy-interzone-trust-untrust-outbound] policy 2   // create policy 2
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
// translate the source address of all remaining trust-to-untrust traffic
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] easy-ip g0/0/1
// reuse the address of interface G0/0/1 (Easy IP)
[USG-1-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG-1-nat-policy-interzone-trust-untrust-outbound] quit
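The order of the two NAT policies is the security-relevant detail in the block above: if the Easy-IP source-NAT policy were matched first, a packet from 192.168.10.10 to 192.168.20.10 would leave with source 11.0.0.2, never match ACL 3000, and be sent in the clear instead of through the tunnel. The following Python model is an added example (not code from the tutorial or from Huawei); it reuses the addresses, ACL and policy order configured above, while the first-match evaluation model and the assumption that the IPsec policy sees the post-NAT packet are illustrative simplifications.

```python
# Added example (not from the original tutorial): a minimal model of how USG-1
# handles a packet from trust to untrust. Addresses, ACL 3000 and the NAT policy
# order are taken from the configuration above; the first-match evaluation and
# "IPsec matches the post-NAT packet" ordering are assumptions for illustration.
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei-style wildcard mask: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# nat-policy interzone trust untrust outbound on USG-1, in configured order.
# Entry: (source base, source wildcard, dest base, dest wildcard, action);
# None means "no condition" (policy 2 has no policy source / destination).
NAT_POLICY_USG1 = [
    ("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255", "no-nat"),
    (None, None, None, None, "source-nat"),
]
EASY_IP_USG1 = "11.0.0.2"  # address of G0/0/1, reused by easy-ip

# acl 3000 on USG-1: the IPsec interesting traffic
ACL_3000_USG1 = [("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")]


def first_match(policy, src, dst):
    """Return the action of the first NAT policy whose conditions match."""
    for s_base, s_wc, d_base, d_wc, action in policy:
        if (s_base is None or wildcard_match(src, s_base, s_wc)) and \
           (d_base is None or wildcard_match(dst, d_base, d_wc)):
            return action
    return "no-nat"  # no policy matched: the packet is forwarded untranslated


def acl_permits(acl, src, dst):
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)


def forward(src, dst, nat_policy=NAT_POLICY_USG1, acl=ACL_3000_USG1,
            easy_ip=EASY_IP_USG1):
    """Return (source address on the wire, True if the packet is IPsec-protected)."""
    action = first_match(nat_policy, src, dst)
    wire_src = easy_ip if action == "source-nat" else src
    # The ipsec policy applied on G0/0/1 evaluates the packet as it reaches the
    # interface, i.e. after NAT, so a translated source never matches ACL 3000.
    protected = acl_permits(acl, wire_src, dst)
    return wire_src, protected


if __name__ == "__main__":
    print(forward("192.168.10.10", "192.168.20.10"))  # site-to-site: no NAT, protected
    print(forward("192.168.10.10", "8.8.8.8"))        # Internet: Easy IP, cleartext
    # Same site-to-site packet with the two policies swapped: NAT wins, tunnel lost.
    print(forward("192.168.10.10", "192.168.20.10",
                  nat_policy=list(reversed(NAT_POLICY_USG1))))
```

The third call shows the failure mode: with policy 2 ahead of policy 1 the packet is translated to 11.0.0.2 and falls outside the interesting traffic, which in practice looks like "ping fails, display ipsec sa shows no SA".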
------- Phase 1 (IKE) ---------
[USG-1] ike proposal 1   // create an IKE proposal
[USG-1-ike-proposal-1] authentication-method pre-share   // IKE authentication by pre-shared key
[USG-1-ike-proposal-1] authentication-algorithm sha1   // IKE authentication algorithm SHA-1
[USG-1-ike-proposal-1] integrity-algorithm aes-xcbc-96   // IKE integrity algorithm
[USG-1-ike-proposal-1] dh group2   // Diffie-Hellman group for the IKE key exchange
[USG-1-ike-proposal-1] quit
[USG-1] ike peer USG-2   // create an IKE peer named USG-2 (the name is only a local label)
[USG-1-ike-peer-usg-2] pre-shared-key abc123   // pre-shared key; must be identical on both peers
[USG-1-ike-peer-usg-2] remote-address 12.0.0.2   // public address of the peer
[USG-1-ike-peer-usg-2] ike-proposal 1   // bind the IKE proposal
[USG-1-ike-peer-usg-2] quit
Note that the proposal never sets encryption-algorithm, so the platform default is used; check it with display ike proposal and set it explicitly. SHA-1, DH group 2 and a key such as abc123 are lab settings only and should be replaced by stronger choices and a long random key in production.
---------- Phase 2 (IPsec) ----------
[USG-1] ipsec proposal test   // create an IPsec proposal
[USG-1-ipsec-proposal-test] encapsulation-mode tunnel   // tunnel-mode encapsulation
[USG-1-ipsec-proposal-test] transform esp   // security protocol ESP
[USG-1-ipsec-proposal-test] esp encryption-algorithm aes   // ESP encryption algorithm AES
[USG-1-ipsec-proposal-test] esp authentication-algorithm sha1   // ESP authentication algorithm SHA-1
[USG-1-ipsec-proposal-test] quit
[USG-1] acl 3000   // create an advanced ACL that defines the interesting traffic
[USG-1-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[USG-1-acl-adv-3000] quit
[USG-1] ipsec policy map 1 isakmp   // create IPsec policy "map", sequence number 1, negotiated through IKE
[USG-1-ipsec-policy-isakmp-map-1] ike-peer USG-2   // bind the IKE peer
[USG-1-ipsec-policy-isakmp-map-1] proposal test   // bind the IPsec proposal
[USG-1-ipsec-policy-isakmp-map-1] security acl 3000   // bind the interesting-traffic ACL
[USG-1-ipsec-policy-isakmp-map-1] quit
[USG-1] int g0/0/1
[USG-1-GigabitEthernet0/0/1] ipsec policy map   // apply the IPsec policy on the outside interface
[USG-1-GigabitEthernet0/0/1] quit
Interzone policy configuration
[USG-1] policy interzone trust untrust outbound
// enter the policy view for the trust-untrust zone pair, outbound direction (trust to untrust)
[USG-1-policy-interzone-trust-untrust-outbound] policy 1   // create policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1] action permit
// permit all hosts in trust to access untrust
[USG-1-policy-interzone-trust-untrust-outbound-1] quit
[USG-1-policy-interzone-trust-untrust-outbound] quit
[USG-1] policy interzone trust untrust inbound
// enter the policy view for the trust-untrust zone pair, inbound direction (untrust to trust)
[USG-1-policy-interzone-trust-untrust-inbound] policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1] policy source 192.168.20.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.10.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1] action permit
// permit the decrypted traffic from 192.168.20.0/24 to 192.168.10.0/24 into the trust zone
[USG-1-policy-interzone-trust-untrust-inbound-1] quit
[USG-1-policy-interzone-trust-untrust-inbound] quit
[USG-1] policy interzone local untrust inbound
// enter the policy view for the local-untrust zone pair, inbound direction (untrust to the firewall itself)
[USG-1-policy-interzone-local-untrust-inbound] policy 1
[USG-1-policy-interzone-local-untrust-inbound-1] policy service service-set esp
[USG-1-policy-interzone-local-untrust-inbound-1] policy source 12.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1] policy destination 11.0.0.2 0
[USG-1-policy-interzone-local-untrust-inbound-1] action permit
// permit ESP from the peer 12.0.0.2 to this firewall's own address 11.0.0.2
[USG-1-policy-interzone-local-untrust-inbound-1] quit
[USG-1-policy-interzone-local-untrust-inbound] quit
The IKE negotiation itself (UDP 500, and UDP 4500 when NAT traversal is in use) must also be able to reach the local zone; if your software version does not permit it by default, add a matching rule in the same local-untrust inbound view.
USG-2 configuration
[USG-2] firewall zone trust
[USG-2-zone-trust] add int g0/0/0
[USG-2-zone-trust] quit
[USG-2] firewall zone untrust
[USG-2-zone-untrust] add int g0/0/1
[USG-2-zone-untrust] quit
[USG-2] int g0/0/0
[USG-2-GigabitEthernet0/0/0] ip add 192.168.20.1 24
[USG-2-GigabitEthernet0/0/0] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ip add 12.0.0.2 24
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] ip route-static 0.0.0.0 0.0.0.0 12.0.0.1
[USG-2] nat-policy interzone trust untrust outbound
[USG-2-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.20.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.10.0 0.0.0.255
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-2-nat-policy-interzone-trust-untrust-outbound] policy 2
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet 0/0/1
[USG-2-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG-2-nat-policy-interzone-trust-untrust-outbound] quit
[USG-2] ike proposal 1
[USG-2-ike-proposal-1] authentication-method pre-share
[USG-2-ike-proposal-1] authentication-algorithm sha1
[USG-2-ike-proposal-1] integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1] dh group2
[USG-2-ike-proposal-1] quit
[USG-2] ike peer USG-A
[USG-2-ike-peer-usg-a] pre-shared-key abc123
[USG-2-ike-peer-usg-a] ike-proposal 1
[USG-2-ike-peer-usg-a] remote-address 11.0.0.2
[USG-2-ike-peer-usg-a] quit
[USG-2] ipsec proposal test
[USG-2-ipsec-proposal-test] encapsulation-mode tunnel
[USG-2-ipsec-proposal-test] transform esp
[USG-2-ipsec-proposal-test] esp encryption-algorithm aes
[USG-2-ipsec-proposal-test] esp authentication-algorithm sha1
[USG-2-ipsec-proposal-test] quit
[USG-2] acl 3000
[USG-2-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[USG-2-acl-adv-3000] quit
[USG-2] ipsec policy map 1 isakmp
[USG-2-ipsec-policy-isakmp-map-1] ike-peer USG-A
[USG-2-ipsec-policy-isakmp-map-1] proposal test
[USG-2-ipsec-policy-isakmp-map-1] security acl 3000
[USG-2-ipsec-policy-isakmp-map-1] quit
[USG-2] int g0/0/1
[USG-2-GigabitEthernet0/0/1] ipsec policy map
[USG-2-GigabitEthernet0/0/1] quit
[USG-2] policy interzone trust untrust outbound
[USG-2-policy-interzone-trust-untrust-outbound] policy 1
[USG-2-policy-interzone-trust-untrust-outbound-1] action permit
[USG-2-policy-interzone-trust-untrust-outbound-1] quit
[USG-2-policy-interzone-trust-untrust-outbound] quit
[USG-2] policy interzone trust untrust inbound
[USG-2-policy-interzone-trust-untrust-inbound] policy 1
[USG-2-policy-interzone-trust-untrust-inbound-1] policy source 192.168.10.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] policy destination 192.168.20.0 0.0.0.255
[USG-2-policy-interzone-trust-untrust-inbound-1] action permit
[USG-2-policy-interzone-trust-untrust-inbound-1] quit
[USG-2-policy-interzone-trust-untrust-inbound] quit
[USG-2] policy interzone local untrust inbound
[USG-2-policy-interzone-local-untrust-inbound] policy 1
[USG-2-policy-interzone-local-untrust-inbound-1] policy source 11.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1] policy destination 12.0.0.2 0
[USG-2-policy-interzone-local-untrust-inbound-1] policy service service-set esp
[USG-2-policy-interzone-local-untrust-inbound-1] action permit
[USG-2-policy-interzone-local-untrust-inbound-1] quit
[USG-2-policy-interzone-local-untrust-inbound] quit
Ping C2 (192.168.20.10) from C1 (192.168.10.10) to trigger the negotiation.
Use display ike sa and display ipsec sa to check that the IKE and IPsec security associations with the peer have been established.
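When display ike sa or display ipsec sa shows nothing after the ping, the usual cause is that the two sides are not exact mirror images: a remote-address that is not the peer's interface address, differing pre-shared keys or proposals, or a security ACL that is not the reverse of the other side's. The following Python check is an added example (not code from the tutorial or from Huawei) that compares the two configurations above before touching the devices; the values are transcribed from the USG-1 and USG-2 sections, while the dictionary layout, the check names and the deliberately broken copy in broken_usg2 are constructed for this example.

```python
# Added example (not part of the original tutorial): check that two USG peers
# are configured as mirror images. Values are transcribed from the USG-1 and
# USG-2 configuration above; the dictionary layout and check names are an
# assumption made for this example.

USG1 = {
    "name": "USG-1",
    "public_ip": "11.0.0.2",          # ip add on G0/0/1
    "remote_address": "12.0.0.2",     # ike peer remote-address
    "psk": "abc123",                  # ike peer pre-shared-key
    "ike_proposal": {"authentication-method": "pre-share",
                     "authentication-algorithm": "sha1",
                     "integrity-algorithm": "aes-xcbc-96",
                     "dh": "group2"},
    "ipsec_proposal": {"encapsulation-mode": "tunnel",
                       "transform": "esp",
                       "esp encryption-algorithm": "aes",
                       "esp authentication-algorithm": "sha1"},
    # security acl rules as (source, wildcard, destination, wildcard)
    "acl": [("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")],
}

USG2 = {
    "name": "USG-2",
    "public_ip": "12.0.0.2",
    "remote_address": "11.0.0.2",
    "psk": "abc123",
    "ike_proposal": dict(USG1["ike_proposal"]),
    "ipsec_proposal": dict(USG1["ipsec_proposal"]),
    "acl": [("192.168.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
}


def mirror(rules):
    """Swap source and destination of every ACL rule."""
    return {(d, dw, s, sw) for s, sw, d, dw in rules}


def check_peers(a, b):
    """Return a list of mismatches between two peers; empty means they agree."""
    problems = []
    # Phase 1: each side's remote-address must be the other side's public address.
    for x, y in ((a, b), (b, a)):
        if x["remote_address"] != y["public_ip"]:
            problems.append(f'{x["name"]}: remote-address {x["remote_address"]} '
                            f'is not the address of {y["name"]} ({y["public_ip"]})')
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Both proposals must match attribute by attribute.
    for section in ("ike_proposal", "ipsec_proposal"):
        for key in sorted(set(a[section]) | set(b[section])):
            if a[section].get(key) != b[section].get(key):
                problems.append(f"{section} {key}: "
                                f"{a[section].get(key)} vs {b[section].get(key)}")
    # Phase 2: every interesting-traffic rule must appear reversed on the peer.
    for x, y in ((a, b), (b, a)):
        for rule in x["acl"]:
            if rule not in mirror(y["acl"]):
                problems.append(f'{x["name"]} ACL rule {rule} has no mirror on {y["name"]}')
    return problems


def broken_usg2():
    """Constructed misconfiguration: a typo in USG-2's ACL destination network."""
    bad = dict(USG2)
    bad["acl"] = [("192.168.20.0", "0.0.0.255", "192.168.11.0", "0.0.0.255")]
    return bad


if __name__ == "__main__":
    print("lab configuration:", check_peers(USG1, USG2) or "OK")
    print("with a typo in USG-2's ACL:", check_peers(USG1, broken_usg2()))
```

The ACL check is the one worth keeping in mind: a rule that is merely broader or narrower than the peer's (rather than its exact reverse) fails the comparison here, and on the devices it shows up as a Phase 2 proposal mismatch even though Phase 1 completes.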