Virtual Private Network (VPN) - Firewall-Side Configuration Procedure
Time: 2025-05-14 17:33:20
Firewall-Side Configuration Procedure
- Log in to the command-line configuration interface of the firewall.
- Configure basic information.
- Configure the IP addresses of the firewall interfaces.
    interface GigabitEthernet1/0/1  # public IP address of the firewall
     ip address 1.1.1.1 255.255.255.0
    interface GigabitEthernet1/0/2  # private IP address of the firewall
     ip address 172.16.0.233 255.255.0.0
- Add the interfaces to the corresponding security zones.
    firewall zone untrust
     add interface GigabitEthernet1/0/1
    firewall zone trust
     add interface GigabitEthernet1/0/2
- Configure the TCP MSS.
    firewall tcp-mss 1300
- Configure the negotiation policies.
    ike proposal 100  # IKE policy between the firewall's public IP address and the active EIP of the VPN gateway
     authentication-algorithm SHA2-256  # must match the IKE authentication algorithm configured in Table 3
     encryption-algorithm AES-128  # must match the IKE encryption algorithm configured in Table 3
     authentication-method pre-share
     integrity-algorithm HMAC-SHA2-256
     prf HMAC-SHA2-256
     dh group15  # must match the IKE DH group configured in Table 3
     sa duration 86400  # must match the IKE SA lifetime configured in Table 3
    ike peer hwcloud_peer33
     undo version 1  # must match the IKE version configured in Table 3
     pre-shared-key Test@123  # must match the pre-shared key configured in Table 3
     ike-proposal 100
     remote-address 1.1.1.2  # active EIP of the VPN gateway
    ipsec proposal IPsec-pro100  # IPsec policy between the firewall's public IP address and the active EIP of the VPN gateway
     transform esp
     encapsulation-mode tunnel
     esp authentication-algorithm SHA2-256  # must match the IPsec authentication algorithm configured in Table 3
     esp encryption-algorithm aes-128  # must match the IPsec encryption algorithm configured in Table 3
    ike proposal 200  # configuration for the firewall's public IP address and the standby EIP of the VPN gateway; same rules as above
     authentication-algorithm SHA2-256
     encryption-algorithm AES-128
     authentication-method pre-share
     integrity-algorithm HMAC-SHA2-256
     prf HMAC-SHA2-256
     dh group15
     sa duration 86400
    ike peer hwcloud_peer44
     undo version 1
     pre-shared-key Test@123
     ike-proposal 200
     remote-address 2.2.2.2  # standby EIP of the VPN gateway
    ipsec proposal IPsec-pro200
     transform esp
     encapsulation-mode tunnel
     esp authentication-algorithm SHA2-256
     esp encryption-algorithm aes-128
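Every "must match Table 3" note above is a parameter on which IKE or IPsec negotiation silently fails if the two sides disagree. As an added example (not part of the Huawei documentation), the following Python check parses the proposals in VRP section form and reports each parameter that differs from the cloud-side policy; the config excerpt and the cloud-side values are constructed here, and Table 3 is assumed to hold the same values as the firewall side.

```python
"""Consistency check between the firewall's IKE/IPsec proposals and the cloud-side
VPN gateway policy ("keep consistent with Table 3"). Added example, not Huawei's."""
# Constructed excerpt of the proposals on this page, in VRP form:
# top-level commands unindented, sub-commands indented by one space.
FIREWALL_CONFIG = """\
ike proposal 100
 authentication-algorithm SHA2-256
 encryption-algorithm AES-128
 authentication-method pre-share
 integrity-algorithm HMAC-SHA2-256
 prf HMAC-SHA2-256
 dh group15
 sa duration 86400
ipsec proposal IPsec-pro100
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm SHA2-256
 esp encryption-algorithm aes-128
"""
# Assumed cloud-side policy values (Table 3 is not reproduced on the page,
# so these are taken to equal the firewall values above).
CLOUD_IKE = {"authentication-algorithm": "sha2-256", "encryption-algorithm": "aes-128",
             "dh": "group15", "sa duration": "86400"}
CLOUD_IPSEC = {"esp authentication-algorithm": "sha2-256",
               "esp encryption-algorithm": "aes-128"}

def parse_sections(text):
    """Group a VRP config into {section header: {keyword: value}}, values lower-cased."""
    sections, current = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":  # skip blanks and VRP '#' separators
            continue
        if not line.startswith(" "):                # unindented line opens a new section
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().rpartition(" ")  # last token is the value
        current[key] = value.lower()
    return sections

def find_mismatches(sections, header, expected):
    """Return [(key, firewall_value, cloud_value)] for every differing parameter."""
    actual = sections.get(header, {})
    return [(k, actual.get(k), v.lower()) for k, v in expected.items()
            if actual.get(k) != v.lower()]

def check_proposals(config=FIREWALL_CONFIG, cloud_ike=CLOUD_IKE, cloud_ipsec=CLOUD_IPSEC):
    """Compare both proposals; an empty list means the two sides line up."""
    sections = parse_sections(config)
    return (find_mismatches(sections, "ike proposal 100", cloud_ike)
            + find_mismatches(sections, "ipsec proposal IPsec-pro100", cloud_ipsec))
```

A non-empty result names the exact keyword to correct on one side before bringing the tunnel up, which is faster than reading IKE debug output after a failed negotiation.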
- Configure the IPsec tunnels.
    ipsec profile HW-IPsec100  # IPsec profile for the firewall's public IP address towards the active EIP
     ike-peer hwcloud_peer33
     proposal IPsec-pro100
     pfs dh-group15  # must match the IPsec PFS setting configured in Table 3
     sa duration time-based 3600  # must match the IPsec SA lifetime configured in Table 3
    ipsec profile HW-IPsec200  # profile for the standby EIP; mirrors HW-IPsec100 with the standby peer and proposal
     ike-peer hwcloud_peer44
     proposal IPsec-pro200
     pfs dh-group15
     sa duration time-based 3600
    interface Tunnel100
     ip address 169.254.70.2 255.255.255.252  # IP address of tunnel interface 1 on the firewall
     tunnel-protocol ipsec
     source 1.1.1.1  # public IP address of the firewall
     destination 1.1.1.2  # active EIP of the VPN gateway
     service-manage ping permit
     ipsec profile HW-IPsec100
    firewall zone untrust
     add interface Tunnel100
    interface Tunnel200
     ip address 169.254.71.2 255.255.255.252  # IP address of tunnel interface 2 on the firewall
     tunnel-protocol ipsec
     source 1.1.1.1  # public IP address of the firewall
     destination 2.2.2.2  # standby EIP of the VPN gateway
     service-manage ping permit
     ipsec profile HW-IPsec200
    firewall zone untrust
     add interface Tunnel200
- Configure routing.
- Configure static routes to the Huawei Cloud public IP addresses.
    ip route-static 1.1.1.2 255.255.255.255 1.1.1.1  # format: active EIP of the VPN gateway, 255.255.255.255, gateway address of the firewall's public IP
    ip route-static 2.2.2.2 255.255.255.255 1.1.1.1  # format: standby EIP of the VPN gateway, 255.255.255.255, gateway address of the firewall's public IP
- Configure the BGP peers and BGP routes.
    bgp 64515
     router-id 1.1.1.1
     private-4-byte-as enable
     peer 169.254.70.1 as-number 64512
     peer 169.254.70.1 connect-interface Tunnel100
     peer 169.254.71.1 as-number 64512
     peer 169.254.71.1 connect-interface Tunnel200
     #
     ipv4-family unicast
      network 172.16.0.0 255.255.255.0
      peer 169.254.70.1 enable
      peer 169.254.71.1 enable
- Configure the security policies.
    ip address-set localsubnet172 type object  # define address objects
     address 0 172.16.0.0 mask 16  # subnet of the on-premises data center
    ip address-set HWCsubnet192 type object
     address 0 192.168.0.0 mask 24  # subnets of the Huawei Cloud VPC
     address 1 192.168.1.0 mask 24
    security-policy
     rule name IPsec_permit1  # allow the IKE and IPsec control traffic itself
      source-zone untrust
      source-zone internet
      source-zone local
      destination-zone untrust
      destination-zone internet
      destination-zone local
      service ah esp
      service protocol udp destination-port 500 4500
      action permit
     rule name IPsec_permit2  # allow traffic between the two subnets through the tunnel
      source-zone untrust
      source-zone internet
      source-zone trust
      destination-zone untrust
      destination-zone internet
      destination-zone trust
      source-address address-set localsubnet172
      source-address address-set HWCsubnet192
      destination-address address-set localsubnet172
      destination-address address-set HWCsubnet192
      action permit
    nat-policy
     rule name IPsec_subnet_bypass  # exempt tunnel traffic from source NAT
      source-zone trust
      destination-zone untrust
      destination-zone internet
      source-address address-set localsubnet172
      destination-address address-set HWCsubnet192
      action no-nat
Parent topic: BGP Routing Mode
support.huaweicloud.com/admin-vpn/s2cvpn_admin_usg_00011.html