Virtual Private Network (VPN) - H3C SecPath Firewall (V7) Interconnection with Huawei Cloud Configuration Guide: IPsec Configuration Guide
IPsec Configuration Guide
- VPN configuration procedure on the web UI:
Log in to the device's web management interface and choose "VPN > IPsec" from the navigation bar.
- Configure the IKE proposal: create a new IKE proposal and set the authentication method, authentication algorithm, encryption algorithm, DH group and lifetime to the same values as on the Huawei Cloud side.
- Configure the IPsec policy:
In the basic settings, set the device role to peer/branch node, select IPv4 as the IP address type, select the WAN interface as the interface, enter the local public IP address used for the connection as the local IP, and enter the Huawei Cloud VPN gateway IP as the peer IP address.
In the IKE policy, set the negotiation mode and pre-shared key to the same values as on the Huawei side, reference the IKE proposal created above, set both the local ID and the peer ID to the IPv4 address type, and enter the corresponding public IP addresses as their values.
For the protected data flow, the source IP is the local private subnet and the destination address is the Huawei Cloud private subnet.
In the advanced IPsec settings, the encapsulation mode, security protocol, authentication algorithm, encryption algorithm, PFS and lifetime must all match the Huawei Cloud configuration; enabling periodic DPD is recommended.
- Configure security policies: add security policies that allow traffic between the customer private subnet and the Huawei Cloud private subnet in both directions, with service ANY and action pass; moving these two rules to the top of the rule list is recommended.
- NAT policy: add a NAT rule with the customer private subnet as the source, the Huawei Cloud private subnet as the destination and action no-nat, and move it to the top.
- The security policy must also allow traffic between the local public IP and the Huawei Cloud gateway IP: UDP ports 500 and 4500 and the IP protocols ESP and AH, so that both the negotiation traffic and the encrypted traffic pass.
- The negotiation traffic from the public IP must not be NAT-translated; make sure traffic from the local public IP to Huawei Cloud is not subject to NAT.
- Make sure the route to the destination subnet points to the next hop of the public-facing outbound interface.
- Enter real IP addresses and masks for the subnets of the traffic to be encrypted; do not reference address objects.
- If the customer network has multiple egress links, make sure traffic to the Huawei Cloud VPN gateway IP and private subnets leaves through the public egress on which the tunnel is established; static routes are recommended for selecting the egress.
- Command-line configuration:
# Address object groups for the Huawei Cloud subnets (the Customer-subnet groups referenced below are defined in the same way)
object-group ip address HWCloud_subnet192.168.10.0/24
 0 network subnet 192.168.10.0 255.255.255.0
#
object-group ip address HWCloud_subnet192.168.20.0/24
 0 network subnet 192.168.20.0 255.255.255.0
# Phase 1 proposal; the algorithms must match the Huawei Cloud side
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
 prf sha256
# Pre-shared key for negotiation; the PSK must be identical on both ends
ikev2 keychain IPsec-KEY
 peer keypeername
  address 11.11.11.11 255.255.255.255
  pre-shared-key local plaintext ******
  pre-shared-key remote plaintext ******
# IKEv2 profile: references the PSK keychain and matches the public IPs of both ends
ikev2 profile IKE-PROFILE
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain IPsec-KEY
 identity local address 22.22.22.22
 match local address 22.22.22.22
 match remote identity address 11.11.11.11 255.255.255.255
 sa duration 86400
# IKE policy (similar to an IKE peer configuration): references the phase 1 proposal and binds it to the interface IP
ikev2 policy IKE-PEER
 proposal 100
 match local address 22.22.22.22
# Interesting traffic (the data flows to be protected)
acl advanced 3999
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Phase 2 proposal
ipsec transform-set IPsec-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
# IPsec policy: references the interesting-traffic ACL and the phase 2 proposal
ipsec policy IPsec-HW 1 isakmp
 transform-set IPsec-PH2
 security acl 3999
 local-address 22.22.22.22
 remote-address 11.11.11.11
 ikev2-profile IKE-PROFILE
 sa duration time-based 3600
# Apply the IPsec policy to the negotiating interface
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
 tcp mss 1300
 ipsec apply policy IPsec-HW
# Security policy: allow traffic between the two private networks and between the public IPs
security-policy ip
 rule 1 name IPsec-OUT
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
 rule 2 name IPsec-IN
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip HWCloud_subnet192.168.10.0/24
  source-ip HWCloud_subnet192.168.20.0/24
  destination-ip Customer-subnet172.16.10.0/24
  destination-ip Customer-subnet172.16.20.0/24
  destination-ip Customer-subnet172.16.30.0/24
 rule 3 name IPsec-NEG-pass
  action pass
  logging enable
  counting enable
  source-ip 11.11.11.11 255.255.255.255
  source-ip 22.22.22.22 255.255.255.255
  destination-ip 11.11.11.11 255.255.255.255
  destination-ip 22.22.22.22 255.255.255.255
 rule 0 name Policy-Internet……
# NAT policy: make sure traffic from the local subnets to the Huawei Cloud subnets is not translated (no-nat)
nat policy
 rule name IPsec_NONAT
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
  outbound-interface GigabitEthernet1/0/1
  action no-nat
 rule name Snat_Internet……
# Routing: traffic to the Huawei Cloud subnets leaves through the public interface
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 B.B.B.1……
- Differences when negotiating with IKEv1:
ike proposal 100
 authentication-algorithm sha256
 encryption-algorithm aes-cbc-128
 authentication-method pre-share
 dh group14
 sa duration 86400
# No "v2" keyword; the negotiation PSK is configured with a single command
ike keychain IPsec-KEY
 pre-shared-key address 11.11.11.11 255.255.255.255 key simple *******
# No "v2" keyword; exchange-mode is added, the phase 1 proposal is referenced directly, and no separate ike policy is needed
# exchange-mode is main or aggressive, matching the negotiation mode configured on the Huawei Cloud side
ike profile IKE-PROFILE
 keychain IPsec-KEY
 local-identity address 22.22.22.22
 exchange-mode main
 dpd interval 3 periodic
 match remote identity address 11.11.11.11 255.255.255.255
 match local address 22.22.22.22
 proposal 100
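As an added check that is not part of the original guide: a small Python script that parses the IKEv2 and IPsec parameter lines from the H3C CLI above and compares them with the values configured on the Huawei Cloud side, since any mismatch in algorithm, DH group, PFS, encapsulation mode or lifetime will break negotiation. The Huawei Cloud values, the H3C-to-neutral keyword mapping and the parsing rules are assumptions for illustration.

```python
import re

# Constructed sample: the IKEv2/IPsec parameter lines from this guide's H3C CLI, one command per line.
H3C_CONFIG = """\
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
ikev2 profile IKE-PROFILE
 sa duration 86400
ipsec transform-set IPsec-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
ipsec policy IPsec-HW 1 isakmp
 sa duration time-based 3600
"""
# Hypothetical Huawei Cloud side settings (assumed values, written in the neutral vocabulary below).
HWCLOUD = {"ike_encryption": "aes-128", "ike_integrity": "sha2-256", "ike_dh": "group14", "ike_lifetime": 86400,
           "ipsec_mode": "tunnel", "ipsec_encryption": "aes-128", "ipsec_auth": "sha2-256",
           "ipsec_pfs": "group14", "ipsec_lifetime": 3600}
# H3C keyword -> neutral name so that the two vendors' spellings can be compared (assumed mapping).
NORMALIZE = {"aes-cbc-128": "aes-128", "aes-cbc-256": "aes-256", "sha256": "sha2-256",
             "group14": "group14", "dh-group14": "group14", "group2": "group2", "dh-group2": "group2"}
# (view prefix, regex over the indented sub-command, parameter name)
PATTERNS = [
    ("ikev2 proposal", r"encryption (\S+)", "ike_encryption"),
    ("ikev2 proposal", r"integrity (\S+)", "ike_integrity"),
    ("ikev2 proposal", r"dh (\S+)", "ike_dh"),
    ("ikev2 profile", r"sa duration (\d+)", "ike_lifetime"),
    ("ipsec transform-set", r"encapsulation-mode (\S+)", "ipsec_mode"),
    ("ipsec transform-set", r"esp encryption-algorithm (\S+)", "ipsec_encryption"),
    ("ipsec transform-set", r"esp authentication-algorithm (\S+)", "ipsec_auth"),
    ("ipsec transform-set", r"pfs (\S+)", "ipsec_pfs"),
    ("ipsec policy", r"sa duration time-based (\d+)", "ipsec_lifetime"),
]

def parse_h3c(config):
    """Extract the IKE/IPsec parameters from Comware CLI text (an unindented command opens a new view)."""
    params, view = {}, ""
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            view = raw.strip()
            continue
        for prefix, regex, name in PATTERNS:
            if view.startswith(prefix) and (m := re.fullmatch(regex, raw.strip())):
                params[name] = int(m[1]) if m[1].isdigit() else NORMALIZE.get(m[1], m[1])
    return params

def mismatches(h3c, cloud):
    """Return one line per parameter on which the two sides disagree; an empty list means they are consistent."""
    return [f"{k}: firewall={h3c.get(k)} cloud={v}" for k, v in cloud.items() if h3c.get(k) != v]
```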