IPsec point-to-multipoint (SA + NAT traversal) with policy templates: working configuration
USG5500A (FWA, the hub) builds IPsec VPN tunnels to USG5500C (FWC) and USG5500D (FWD); FWC sits behind USG5500B (FWB), which performs NAT, and NAT traversal is turned off with "undo nat traversal" on USG5500A and USG5500D. Two details are worth checking against the dumps below before reusing them: only FWA's "ike peer a" actually carries "undo nat traversal" in the configurations shown (FWD's "ike peer d" has no such line, so NAT traversal stays at its default there), and FWB's source-NAT policy matches source 10.0.2.0/24, which is FWD's LAN rather than FWC's outside address 200.0.2.1, so FWC's IKE and ESP packets reach FWA untranslated. That is why the "display ipsec sa" output at the end shows tunnel remote 200.0.2.1 and "udp encapsulation used for nat traversal: N" for that tunnel; a spoke whose IKE/ESP traffic really is source-NATed needs NAT traversal enabled on both ends.
ISP configuration (a router emulating the Internet)
<ISP>dis cur
#
 sysname ISP
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher xUpvP4d*n"ECB7Ie7'/)`WB#
 local-user admin service-type http
#
firewall zone permit
#
firewall zone Local
 priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Serial0/0/0
 link-protocol ppp
#
interface Serial0/0/1
 link-protocol ppp
#
interface Serial0/0/2
 link-protocol ppp
#
interface Serial0/0/3
 link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 200.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.1.2 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 200.0.3.2 255.255.255.0
#
wlan
#
interface NULL0
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 200.0.0.0 0.0.0.255
  network 200.0.1.0 0.0.0.255
  network 200.0.3.0 0.0.0.255
#
ip route-static 10.0.0.0 255.255.255.0 200.0.0.1
ip route-static 10.0.1.0 255.255.255.0 200.0.1.1
ip route-static 10.0.2.0 255.255.255.0 200.0.3.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
<ISP>
Headquarters firewall FWA configuration
<FWA>dis cur
19:37:14 2014/12/10
#
stp region-configuration
 region-name 30eca215b04c
 active region-configuration
#
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
 rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
#
ike proposal 10
#
ike peer a
 exchange-mode aggressive
 pre-shared-key %$%$@s6v2,mfdGWd,xKf"%H6VSJA%$%$ (note: the password is "Huawei")
 ike-proposal 10
 local-id-type fqdn
 undo nat traversal
#
ipsec proposal tran1
#
ipsec policy-template map1tmp 10
 security acl 3000
 ike-peer a
 proposal tran1
#
ipsec policy map1 10 isakmp template map1tmp
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
interface Tunnel10
 alias Tunnel10
 ip address 172.16.10.2 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$etpe4:p1;Lk,9p9YtPDPOg^U%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 200.0.0.0 0.0.0.255
  network 10.0.0.0 0.0.0.255
#
nqa-jitter tag-version 1
#
ip route-static 10.0.1.0 255.255.255.0 200.0.0.2
ip route-static 10.0.2.0 255.255.255.0 200.0.0.2
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FWA
#
l2tp domain suffix-separator @
#
ike local-name FWA
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
<FWA>
Branch 1 NAT firewall FWB configuration
<FWB>dis cur
19:40:18 2014/12/10
#
stp region-configuration
 region-name e81582044529
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
 ip address 200.0.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.2.2 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$o9xT/Dk8hE'4Fj~d;Z<'TlcZ%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 200.0.1.0 0.0.0.255
  network 200.0.2.0 0.0.0.255
#
nqa-jitter tag-version 1
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FWB
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source 10.0.2.0 0.0.0.255
  easy-ip GigabitEthernet0/0/1
#
return
<FWB>
Branch 1 IPsec firewall FWC configuration
<FWC>dis cur
19:42:11 2014/12/10
#
stp region-configuration
 region-name 30eca215b04c
 active region-configuration
#
acl number 3000
 rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ike proposal 10
#
ike peer c
 exchange-mode aggressive
 pre-shared-key %$%$nH`YH"9ZgHk]rk~za4#9OWNE%$%$
 ike-proposal 10
 local-id-type fqdn
 remote-id FWA
 remote-address 200.0.0.1
#
ipsec proposal tran1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer c
 proposal tran1
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.2.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$ZOYaHD}lAJt3.,0v[,d+OcZQ%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 200.0.2.0 0.0.0.255
  network 10.0.1.0 0.0.0.255
#
nqa-jitter tag-version 1
#
ip route-static 10.0.0.0 255.255.255.0 200.0.2.2
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FWC
#
l2tp domain suffix-separator @
#
ike local-name FWC
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
<FWC>
Branch 2 IPsec firewall FWD configuration
<FWD>dis cur
19:43:12 2014/12/10
#
stp region-configuration
 region-name b05fe31530c0
 active region-configuration
#
acl number 3000
 rule 5 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
ike proposal 10
#
ike peer d
 exchange-mode aggressive
 pre-shared-key %$%$gF]i;<em7PbbNZ"'!zA~V8/&%$%$
 ike-proposal 10
 local-id-type fqdn
 remote-id FWA
 remote-address 200.0.0.1
#
ipsec proposal tran1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer d
 proposal tran1
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
 ip address 10.0.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.3.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$N/{J<Au{:/,EME/=V8"CV)}t%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
ospf 1
 import-route direct
 import-route static
 area 0.0.0.0
  network 200.0.3.0 0.0.0.255
  network 10.0.2.0 0.0.0.255
#
nqa-jitter tag-version 1
#
ip route-static 10.0.0.0 255.255.255.0 200.0.3.2
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FWD
#
l2tp domain suffix-separator @
#
ike local-name FWD
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
<FWD>
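The four dumps above only work together because a handful of statements line up: the hub's ACL 3000 is the mirror image of each spoke's ACL, each spoke's "remote-id" equals the hub's "ike local-name", each spoke's "remote-address" is the address of the hub interface that carries "ipsec policy map1", the hub uses a policy template so it does not need to know the spokes' addresses, and NAT traversal must not be undone on either end of a tunnel that really crosses a NAT. The checker below is an added example written for this page, not Huawei tooling. It reads config excerpts constructed from the FWA, FWC and FWD dumps (trimmed to the statements the checks need, with sub-commands indented one space as VRP prints them) and reports every mismatch; the names FWA/FWC/FWD and the finding texts are this example's own.

```python
# Added consistency checker for the hub-and-spoke IPsec configuration above.
# It is not Huawei tooling; it reads trimmed config excerpts and verifies what
# must line up between the hub (FWA, policy template) and each spoke (FWC, FWD).
import re
from ipaddress import IPv4Network

# Excerpts constructed from the FWA/FWC/FWD dumps above: only the statements
# the checks need, with sub-commands indented one space as VRP prints them.
FWA = """\
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
 rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
ike peer a
 local-id-type fqdn
 undo nat traversal
ipsec policy map1 10 isakmp template map1tmp
interface GigabitEthernet0/0/2
 ip address 200.0.0.1 255.255.255.0
 ipsec policy map1
ike local-name FWA
"""
FWC = """\
acl number 3000
 rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
ike peer c
 local-id-type fqdn
 remote-id FWA
 remote-address 200.0.0.1
ipsec policy map1 10 isakmp
interface GigabitEthernet0/0/2
 ip address 200.0.2.1 255.255.255.0
 ipsec policy map1
ike local-name FWC
"""
# FWD differs from FWC only in its LAN, peer name, outside address and name.
FWD = (FWC.replace("10.0.1.0", "10.0.2.0").replace("ike peer c", "ike peer d")
          .replace("200.0.2.1", "200.0.3.1").replace("local-name FWC", "local-name FWD"))

RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_to_net(addr, wildcard):
    """Huawei ACLs use wildcard masks (0.0.0.255); invert them to a prefix."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def acl_flows(cfg):
    """Set of (source, destination) networks selected by the ACL rules."""
    return {(wildcard_to_net(s, sw), wildcard_to_net(d, dw))
            for s, sw, d, dw in RULE.findall(cfg)}

def ike_peer(cfg):
    """Settings of the first 'ike peer' block; NAT traversal is on unless undone."""
    peer, in_peer = {"nat_traversal": True}, False
    for raw in cfg.splitlines():
        if not raw.startswith(" "):              # top-level command starts a new block
            in_peer = raw.startswith("ike peer ")
            continue
        words = raw.split()
        if not in_peer or not words:
            continue
        if words[:3] == ["undo", "nat", "traversal"]:
            peer["nat_traversal"] = False
        elif words[0] in ("remote-id", "remote-address"):
            peer[words[0]] = words[1]
    return peer

def local_name(cfg):
    m = re.search(r"^ike local-name (\S+)", cfg, re.M)
    return m.group(1) if m else None

def tunnel_address(cfg):
    """Address of the interface on which an 'ipsec policy' is applied."""
    ip = None
    for raw in cfg.splitlines():
        if not raw.startswith(" "):              # leaving any interface block
            ip = None
            continue
        words = raw.split()
        if words[:2] == ["ip", "address"]:
            ip = words[2]
        elif words[:2] == ["ipsec", "policy"] and ip:
            return ip
    return None

def check_spoke(hub, spoke, spoke_behind_nat=False):
    """Findings for one spoke against the hub; an empty list means consistent."""
    findings, hub_flows = [], acl_flows(hub)
    for src, dst in acl_flows(spoke):
        if (dst, src) not in hub_flows:          # hub ACL must mirror the spoke ACL
            findings.append(f"hub ACL has no mirror of {src} -> {dst}")
    peer, hub_peer = ike_peer(spoke), ike_peer(hub)
    if peer.get("remote-id") != local_name(hub):
        findings.append(f"remote-id {peer.get('remote-id')} != hub local-name {local_name(hub)}")
    if peer.get("remote-address") != tunnel_address(hub):
        findings.append(f"remote-address {peer.get('remote-address')} != hub address {tunnel_address(hub)}")
    if not re.search(r"^ipsec policy \S+ \d+ isakmp template ", hub, re.M):
        findings.append("hub policy is not a template, so spokes with unknown addresses cannot negotiate")
    if spoke_behind_nat and not (hub_peer["nat_traversal"] and peer["nat_traversal"]):
        findings.append("spoke is behind NAT but NAT traversal is undone on the hub or the spoke")
    return findings
```

check_spoke(FWA, FWC) and check_spoke(FWA, FWD) both come back empty for the excerpts as written. Calling check_spoke(FWA, FWC, spoke_behind_nat=True), which is what the page's description of FWC implies, produces one finding, because FWA's "undo nat traversal" would prevent UDP encapsulation from being negotiated if FWB actually translated FWC's IKE/ESP traffic.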
Debug output
[FWA]
[FWA]dis ipsec sa
19:48:50 2014/12/10
===============================
Interface: GigabitEthernet0/0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: template
vpn: public
-----------------------------
connection id: 40010
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 0h 20m 57s
tunnel local : 200.0.0.1 tunnel remote: 200.0.3.1
flow source: 10.0.0.0-10.0.0.255 0-65535 0
flow destination: 10.0.2.0-10.0.2.255 0-65535 0
[inbound ESP SAs]
spi: 2397387668 (0x8ee53b94)
vpn: public said: 8 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887371640/2343
max received sequence-number: 1093
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1479467651 (0x582ee283)
vpn: public said: 9 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887371940/2343
max sent sequence-number: 1082
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: template
vpn: public
-----------------------------
connection id: 40011
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 1h 0m 13s
tunnel local : 200.0.0.1 tunnel remote: 200.0.2.1
flow source: 10.0.0.0-10.0.0.255 0-65535 0
flow destination: 10.0.1.0-10.0.1.255 0-65535 0
[inbound ESP SAs]
spi: 3341720735 (0xc72e9c9f)
vpn: public said: 10 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887370800/2903
max received sequence-number: 1122
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1006016915 (0x3bf69993)
vpn: public said: 7 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887369840/2903
max sent sequence-number: 1117
udp encapsulation used for nat traversal: N
[FWA]
Both SA pairs are up under the template policy (mode: template, one entry per spoke), and both report "udp encapsulation used for nat traversal: N", consistent with neither spoke's IKE/ESP traffic being translated on the way to FWA. Before taking this configuration beyond the lab, note what else the output shows: the empty "ipsec proposal tran1" on every box left the transform at ESP-ENCRYPT-DES with ESP-AUTH-MD5, both of which are obsolete and should be replaced by an explicit AES and SHA-2 proposal; aggressive mode with a pre-shared key (and a PSK of "Huawei") sends the identities in the clear and exposes the PSK to offline dictionary attack by anyone who captures the exchange; and the VTY lines on all four firewalls use "authentication-mode none" with "protocol inbound all", so telnet is open without a login.
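Reading "display ipsec sa" by eye is fine for two spokes; with many spokes the things to check are the same every time: which remote each SA pair reaches, which selectors it carries, whether the transform is acceptable, and whether UDP encapsulation was negotiated on the tunnels that are supposed to cross a NAT. The parser and audit below are an added example for this page, not Huawei tooling. The sample text is constructed from the FWA output above, trimmed to the fields the parser reads; the regexes also tolerate the run-together spacing ("tunnelremote", "flow source:10.0.0.0") that the raw capture had, and the set of transforms treated as weak is this example's own assumption.

```python
# Added example: parse 'display ipsec sa' output from the hub and audit each
# tunnel. Not Huawei tooling; the sample text is constructed from the FWA
# output above and trimmed to the fields read here.
import re

SA_OUTPUT = """\
connection id: 40010
tunnel local : 200.0.0.1 tunnel remote: 200.0.3.1
flow source: 10.0.0.0-10.0.0.255 0-65535 0
flow destination: 10.0.2.0-10.0.2.255 0-65535 0
[inbound ESP SAs]
spi: 2397387668 (0x8ee53b94)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1479467651 (0x582ee283)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: N
connection id: 40011
tunnel local : 200.0.0.1 tunnelremote: 200.0.2.1
flow source:10.0.0.0-10.0.0.255 0-65535 0
flow destination: 10.0.1.0-10.0.1.255 0-65535 0
[inbound ESP SAs]
spi: 3341720735 (0xc72e9c9f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1006016915 (0x3bf69993)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: N
"""

# Transform names this example refuses (an assumption, not a device setting).
WEAK = {"DES", "3DES", "MD5", "SHA1", "NULL"}

def parse_ipsec_sa(text):
    """One dict per SA pair, in the order the box prints them."""
    tunnels = []
    for block in re.split(r"^connection id:", text, flags=re.M)[1:]:
        ends = re.search(r"tunnel local\s*:\s*(\S+)\s+tunnel\s*remote\s*:\s*(\S+)", block)
        flow = re.findall(r"^flow (?:source|destination):\s*(\S+)", block, re.M)
        spis = re.findall(r"^spi: (\d+)", block, re.M)        # inbound first, then outbound
        natt = re.findall(r"nat traversal: (\w)", block)
        proposal = re.search(r"^proposal: (.+)$", block, re.M)
        tunnels.append({
            "id": int(block.split(None, 1)[0]),
            "local": ends.group(1), "remote": ends.group(2),
            "flow_src": flow[0], "flow_dst": flow[1],
            "spi_in": int(spis[0]), "spi_out": int(spis[1]),
            "proposal": proposal.group(1).strip(),
            "nat_t": bool(natt) and all(n == "Y" for n in natt),
        })
    return tunnels

def audit(tunnels, nat_expected=()):
    """Findings per tunnel: weak transforms, and missing UDP encapsulation on a
    tunnel whose remote is known to sit behind a NAT (listed in nat_expected)."""
    findings = []
    for t in tunnels:
        algs = {tok for part in t["proposal"].split() for tok in part.split("-")}
        for weak in sorted(algs & WEAK):
            findings.append(f"{t['remote']}: weak transform {weak}")
        if t["remote"] in nat_expected and not t["nat_t"]:
            findings.append(f"{t['remote']}: NAT expected on path but no UDP encapsulation")
    return findings

if __name__ == "__main__":
    sas = parse_ipsec_sa(SA_OUTPUT)
    for t in sas:
        print(t["id"], t["remote"], t["flow_dst"], t["proposal"], "NAT-T" if t["nat_t"] else "no NAT-T")
    for line in audit(sas, nat_expected={"200.0.2.1"}):
        print("finding:", line)
```

Run as is, it lists both SA pairs, flags DES and MD5 on each, and, because the lead-in text of this page says FWC is behind FWB's NAT, reports that the tunnel to 200.0.2.1 was negotiated without UDP encapsulation. The last finding is the useful one in practice: when a spoke that should be NATed shows "N" here, either the NAT is not actually translating that traffic (the situation in this lab) or NAT traversal was undone on one side and the tunnel will break as soon as the NAT is real.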