• 华为防火墙:GRE over IPSec

    华为防火墙:GRE over IPSec-(ipsec安全策略方式)-(点到点)-(静态路由)

    1、Internet上仅配置IP地址

    2、FW-A和FW-B之间配置GRE over ipsec tunnel隧道

    3、配置静态路由使A-B两个网络互通

    防火墙安全策略配置

    源安全区域

    目的安全区域

    源地址

    目的地址

    untrust

    local

    gre-remote-公网IP

    gre-local-公网IP

    local

    untrust

    gre-local-公网IP

    gre-remote-公网IP

    trust

    tunnel接口所在区域

    reg-local-匹配流量

    gre-remote-匹配流量

    tunnel接口所在区域

    trust

    gre-remote-匹配流量

    gre-local-匹配流量

    ACL配置A-B两端的公网地址(GRE数据流

    ---------------------------------------------------------------------------------------------------------------------------------

    FW-A配置

    1. 基本配置
    2. [FW-A]int GigabitEthernet 1/0/0
    3. [FW-A-GigabitEthernet1/0/0]ip add 10.1.1.1 30
    4. [FW-A-GigabitEthernet1/0/0]q
    5.  
    6. [FW-A]int GigabitEthernet 1/0/1
    7. [FW-A-GigabitEthernet1/0/1]ip add 172.16.10.254 24
    8. [FW-A-GigabitEthernet1/0/1]q
    9.  
    10. [FW-A]firewall zone trust 
    11. [FW-A-zone-trust]add interface GigabitEthernet 1/0/1
    12. [FW-A-zone-trust]q
    13.  
    14. [FW-A]firewall zone untrust 
    15. [FW-A-zone-untrust]add interface g1/0/0
    16. [FW-A-zone-untrust]q
    17.  
    18. 配置gre tunnel
    19. [FW-A]interface Tunnel 1
    20. [FW-A-Tunnel1] description to_network-b
    21. [FW-A-Tunnel1] ip address 1.1.1.1 24
    22. [FW-A-Tunnel1] tunnel-protocol gre
    23. [FW-A-Tunnel1] source 10.1.1.1
    24. [FW-A-Tunnel1] destination 20.1.1.1
    25. [FW-A-Tunnel1] gre key cipher 123456
    26. [FW-A-Tunnel1] quit
    27.  
    28. [FW-A]firewall zone name gre 
    29. [FW-A-zone-gre] set priority 10
    30. [FW-A-zone-gre] add interface Tunnel1
    31. [FW-A-zone-gre] quit
    32.  
    33. 配置路由
    34. [FW-A]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
    35. [FW-A]ip route-static 172.16.20.0 255.255.255.0 Tunnel 1
    36.  
    37. 配置ipsec
    38.  
    39. ACL配置A-B两端的公网地址(GRE数据流)
    40. [FW-A]acl number 3000
    41. [FW-A-acl-adv-3000] rule 5 permit ip source 10.1.1.1 0 destination 20.1.1.1 0
    42. [FW-A-acl-adv-3000]quit
    43.  
    44. [FW-A]ike proposal 10
    45. [FW-A-ike-proposal-10] encryption-algorithm aes-256
    46. [FW-A-ike-proposal-10] dh group18
    47. [FW-A-ike-proposal-10] authentication-algorithm sha2-512
    48. [FW-A-ike-proposal-10] authentication-method pre-share
    49. [FW-A-ike-proposal-10] integrity-algorithm hmac-sha2-256
    50. [FW-A-ike-proposal-10] prf hmac-sha2-256
    51. [FW-A-ike-proposal-10] quit
    52.  
    53. [FW-A]ike peer fw
    54. [FW-A-ike-peer-fw] exchange-mode main 
    55. [FW-A-ike-peer-fw] pre-shared-key huawei
    56. [FW-A-ike-peer-fw] ike-proposal 10
    57. [FW-A-ike-peer-fw] remote-address 20.1.1.1
    58. [FW-A-ike-peer-fw] quit
    59.  
    60. [FW-A]ipsec proposal 10
    61. [FW-A-ipsec-proposal-10] transform esp
    62. [FW-A-ipsec-proposal-10] encapsulation-mode tunnel 
    63. [FW-A-ipsec-proposal-10] esp authentication-algorithm sha2-512
    64. [FW-A-ipsec-proposal-10] esp encryption-algorithm aes-256
    65. [FW-A-ipsec-proposal-10] quit
    66.  
    67. [FW-A]ipsec policy ipsec 1 isakmp
    68. [FW-A-ipsec-policy-isakmp-ipsec-1] security acl 3000
    69. [FW-A-ipsec-policy-isakmp-ipsec-1] ike-peer fw
    70. [FW-A-ipsec-policy-isakmp-ipsec-1] proposal 10
    71. [FW-A-ipsec-policy-isakmp-ipsec-1] quit
    72.  
    73. [FW-A]interface GigabitEthernet1/0/0
    74. [FW-A-GigabitEthernet1/0/0] ipsec policy ipsec
    75. [FW-A-GigabitEthernet1/0/0] quit
    76.  
    77. 配置安全策略
    78.  
    79. [FW-A]security-policy 
    80. [FW-A-policy-security] rule name local_remote
    81. [FW-A-policy-security-rule-local_remote]  source-zone local
    82. [FW-A-policy-security-rule-local_remote]  destination-zone untrust
    83. [FW-A-policy-security-rule-local_remote]  source-address 10.1.1.1 0.0.0.0         
    84. [FW-A-policy-security-rule-local_remote]  destination-address 20.1.1.1 0.0.0.0
    85. [FW-A-policy-security-rule-local_remote]  action permit
    86. [FW-A-policy-security-rule-local_remote]  quit
    87.  
    88. [FW-A-policy-security] rule name remote_local
    89. [FW-A-policy-security-rule-remote_local]  source-zone untrust
    90. [FW-A-policy-security-rule-remote_local]  destination-zone local
    91. [FW-A-policy-security-rule-remote_local]  source-address 20.1.1.1 0.0.0.0
    92. [FW-A-policy-security-rule-remote_local]  destination-address 10.1.1.1 0.0.0.0
    93. [FW-A-policy-security-rule-remote_local]  action permit
    94. [FW-A-policy-security-rule-remote_local]  quit
    95.  
    96. [FW-A-policy-security] rule name neiwang_a-neiwang_b
    97. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  source-zone trust
    98. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  destination-zone gre
    99. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  source-address 172.16.10.0 mask 255.255.255.0
    100. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  destination-address 172.16.20.0 mask 255.255.255.0
    101. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  action permit
    102. [FW-A-policy-security-rule-neiwang_a-neiwang_b]  quit
    103.  
    104. [FW-A-policy-security] rule name neiwang_b-neiwang_a
    105. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  source-zone gre
    106. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  destination-zone trust
    107. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  source-address 172.16.20.0 mask 255.255.255.0
    108. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  destination-address 172.16.10.0 mask 255.255.255.0
    109. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  action permit
    110. [FW-A-policy-security-rule-neiwang_b-neiwang_a]  quit
    111. [FW-A-policy-security]q
    112.

    FW-B配置

    1. [FW-B]int GigabitEthernet 1/0/0
    2. [FW-B-GigabitEthernet1/0/0]ip add 20.1.1.1 30
    3. [FW-B-GigabitEthernet1/0/0]q
    4.  
    5. [FW-B]int GigabitEthernet 1/0/1
    6. [FW-B-GigabitEthernet1/0/1]ip add 172.16.20.254 24
    7. [FW-B-GigabitEthernet1/0/1]q
    8.  
    9. [FW-B]firewall zone trust 
    10. [FW-B-zone-trust]add interface GigabitEthernet 1/0/1
    11. [FW-B-zone-trust]q
    12.  
    13. [FW-B]firewall zone untrust 
    14. [FW-B-zone-untrust]add interface g1/0/0
    15. [FW-B-zone-untrust]q
    16.  
    17. [FW-B]interface Tunnel 1
    18. [FW-B-Tunnel1] description to_network-a
    19. [FW-B-Tunnel1] ip address 1.1.1.2 255.255.255.0
    20. [FW-B-Tunnel1] tunnel-protocol gre
    21. [FW-B-Tunnel1] source 20.1.1.1
    22. [FW-B-Tunnel1] destination 10.1.1.1
    23. [FW-B-Tunnel1] gre key cipher 123456
    24. [FW-B-Tunnel1] quit
    25.  
    26. [FW-B]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
    27. [FW-B]ip route-static 172.16.10.0 24 Tunnel 1
    28.  
    29. [FW-B]firewall zone name gre 
    30. [FW-B-zone-gre] set priority 10
    31. [FW-B-zone-gre] add interface Tunnel1
    32. [FW-B-zone-gre] quit
    33.  
    34. [FW-B]acl number 3000
    35. [FW-B-acl-adv-3000] rule 5 permit ip source 20.1.1.1 0 destination 10.1.1.1 0
    36. [FW-B-acl-adv-3000]quit
    37.  
    38. [FW-B]ike proposal 10
    39. [FW-B-ike-proposal-10] encryption-algorithm aes-256
    40. [FW-B-ike-proposal-10] dh group18
    41. [FW-B-ike-proposal-10] authentication-algorithm sha2-512
    42. [FW-B-ike-proposal-10] authentication-method pre-share
    43. [FW-B-ike-proposal-10] integrity-algorithm hmac-sha2-256
    44. [FW-B-ike-proposal-10] prf hmac-sha2-256
    45. [FW-B-ike-proposal-10] quit
    46.  
    47. [FW-B]ike peer fw
    48. [FW-B-ike-peer-fw] exchange-mode main 
    49. [FW-B-ike-peer-fw] pre-shared-key huawei
    50. [FW-B-ike-peer-fw] ike-proposal 10
    51. [FW-B-ike-peer-fw] remote-address 10.1.1.1
    52. [FW-B-ike-peer-fw] quit
    53.  
    54. [FW-B]ipsec proposal 10
    55. [FW-B-ipsec-proposal-10] transform esp
    56. [FW-B-ipsec-proposal-10] encapsulation-mode tunnel 
    57. [FW-B-ipsec-proposal-10] esp authentication-algorithm sha2-512
    58. [FW-B-ipsec-proposal-10] esp encryption-algorithm aes-256
    59. [FW-B-ipsec-proposal-10] quit
    60.  
    61. [FW-B]ipsec policy ipsec 1 isakmp
    62. [FW-B-ipsec-policy-isakmp-ipsec-1] security acl 3000
    63. [FW-B-ipsec-policy-isakmp-ipsec-1] ike-peer fw
    64. [FW-B-ipsec-policy-isakmp-ipsec-1]
    65. [FW-B-ipsec-policy-isakmp-ipsec-1] proposal 10
    66. [FW-B-ipsec-policy-isakmp-ipsec-1] quit
    67.  
    68. [FW-B]interface GigabitEthernet1/0/0
    69. [FW-B-GigabitEthernet1/0/0] ipsec policy ipsec
    70. [FW-B-GigabitEthernet1/0/0] quit
    71.  
    72. [FW-B]security-policy 
    73. [FW-B-policy-security] rule name local_remote
    74. [FW-B-policy-security-rule-local_remote]  source-zone local
    75. [FW-B-policy-security-rule-local_remote]  destination-zone untrust
    76. [FW-B-policy-security-rule-local_remote]  source-address 20.1.1.1 0.0.0.0         
    77. [FW-B-policy-security-rule-local_remote]  destination-address 10.1.1.1 0.0.0.0
    78. [FW-B-policy-security-rule-local_remote]  action permit
    79. [FW-B-policy-security-rule-local_remote]  q
    80.  
    81. [FW-B-policy-security] rule name remote_local
    82. [FW-B-policy-security-rule-remote_local]  source-zone untrust
    83. [FW-B-policy-security-rule-remote_local]  destination-zone local
    84. [FW-B-policy-security-rule-remote_local]  source-address 10.1.1.1 0.0.0.0
    85. [FW-B-policy-security-rule-remote_local]  destination-address 20.1.1.1 0.0.0.0
    86. [FW-B-policy-security-rule-remote_local]  action permit
    87. [FW-B-policy-security-rule-remote_local]  q
    88.  
    89. [FW-B-policy-security]rule name neiwang_b-neiwang_ac
    90. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  source-zone trust
    91. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  destination-zone gre
    92. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  source-address 172.16.20.0 mask 255.255.255.0
    93. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  destination-address 172.16.10.0 mask 255.255.255.0
    94. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  action permit
    95. [FW-B-policy-security-rule-neiwang_b-neiwang_ac]  q
    96.  
    97. [FW-B-policy-security] rule name neiwang_ac-neiwang_b
    98. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  source-zone gre
    99. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  destination-zone trust
    100. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  source-address 172.16.10.0 mask 255.255.255.0
    101. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  destination-address 172.16.20.0 mask 255.255.255.0
    102. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  action permit
    103. [FW-B-policy-security-rule-neiwang_ac-neiwang_b]  q
    104. [FW-B-policy-security]q

    抓包验证

    普通gre tunnel抓取到的数据包 没有加密

    Gre over ipsec 抓取到的数据包 经过加密 

     

     

  • 相关阅读:
    Java8 新特性之Stream(三)-- Stream的终结操作
    智能导诊(Intelligent Guidance,IG)源码
    7000+字图文并茂解带你深入理解java锁升级的每个细节
    RK平台ADB不识别问题排查
    Springboot 实践(21)服务熔断机制
    SAP ABAP 动态结构实现发送企业微信应用消息
    1 什么是MyBatis?
    在pycharm中导入sklearn库失败到成功
    Spring Boot 注解
    Python程序龟速过载怎么办,asyncio并发教程来解决
  • 原文地址:https://blog.csdn.net/u010612642/article/details/126061867