2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces how to configure an IPsec VPN on a Huawei firewall. NAT is not involved in this topology.
Configuration steps:
1. Configure the interfaces
2. Configure the security zones
3. Configure the security policies
4. Configure static routes
5. Configure IPsec
   5.1 IKE proposal
   5.2 IKE peer
   5.3 IPsec proposal
   5.4 ACL (flow of interest)
   5.5 IPsec policy (references the ACL, the IPsec proposal and the IKE peer)
   5.6 Apply the IPsec policy on the public network interface
Detailed configuration
1. Configure the interfaces
# Step one: assign IP addresses to the public network and private network interfaces.
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.1.1.1 255.255.255.0
2. Configure the security zones
# Put the private network interface G1/0/3 in the Trust zone and the public network interface G1/0/1 in the Untrust zone.
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
3. Configure the security policies
# Four policies are needed:
# policy1: from the Trust zone of this firewall to the peer's private network segment.
# policy2: from the peer's private network segment to the Trust zone of this firewall.
# policy3: from the local public network IP (Local zone) to the peer public network IP.
# policy4: from the peer public network IP to the local public network IP (Local zone).
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 mask 255.255.255.255
  destination-address 1.1.5.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 mask 255.255.255.255
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
# On a Huawei firewall, IPsec negotiation is triggered by private network traffic. When FW_1 receives traffic from PC1 to PC2 (10.1.1.0 -> 10.1.2.0), the security policy must permit traffic from the local private network to the peer private network.
# After the firewall receives this packet, it looks up the routing table and finds that it should be sent out of the public network interface G1/0/1. The IPsec policy is applied on this interface, and the traffic matches the policy's flow of interest, so IKE negotiation is triggered.
4. Configure static routes
ip route-static 1.1.5.0 255.255.255.0 1.1.3.254   # route to the peer public network
ip route-static 10.1.2.0 255.255.255.0 1.1.3.254  # route to the peer private network
5. Configure IPsec
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
# This ACL defines the flow of interest. The ACLs at the two ends must be exact mirrors of each other: compared with the local end, the peer's ACL may only swap source and destination; it must not use a different network segment or a subset of it.
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
# These are in fact the defaults, which are already strong; years ago Cisco routers were typically configured with DES and MD5.
ike peer b
 pre-shared-key Test!1234
 ike-proposal 10
 remote-address 1.1.5.1
# The IKE version can be set here. Huawei firewalls initiate IKEv2 negotiation by default.
[FW_A-ike-peer-b] version ?
  1  Only V1 SA's can be created
  2  Only V2 SA's can be created
# You can also choose whether Phase 1 uses main mode or aggressive mode; main mode is the default. When both ends have fixed public network IPs and there is no NAT device in between, use main mode. If one end uses PPPoE dial-up, use aggressive mode.
[FW_A-ike-peer-b] exchange-mode ?
  aggressive  Aggressive mode
  auto        Auto mode
  main        Main mode
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
# The default encapsulation mode is tunnel mode. When the route between the two communicating points is reachable, transport mode can be used; when it is not, tunnel mode is required.
[FW_A-ipsec-proposal-tran1] encapsulation-mode ?
  auto       Specify automatic mode. The responder can accept negotiations in transport or tunnel mode. The initiator initiates negotiations in tunnel mode
  transport  Only the payload of IP packet is protected (transport mode)
  tunnel     The entire IP packet is protected (tunnel mode)
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
# The policy ties together the three things configured earlier: 1. the flow of interest (ACL), 2. the IKE peer, 3. the transform set (IPsec proposal) used in IPsec negotiation.
interface GigabitEthernet1/0/1
 ipsec policy map1
# Apply the IPsec policy on the public network interface.
This article lists only the configuration of the first firewall; the second firewall is configured by analogy with the first.
If the configuration does not work at first, congratulations, that is normal. A mismatch in any IKE or IPsec parameter causes negotiation to fail. The following methods help locate the problem.
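As an added example, not from the article or from Huawei, here is a small Python checker for the two consistency rules the article stresses: the ACLs of interest at both ends must be exact mirrors (section 5), and every IKE and IPsec proposal parameter must match, or negotiation fails. The configs are constructed samples using the article's addressing; the parser assumes child lines are indented with a space, as in a Huawei config.

```python
import re

# Constructed sample configs for the two peers (not the article's own devices): the
# second firewall's ACL is the mirror of the first, and its proposals are identical.
FW_A = """acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 integrity-algorithm hmac-sha2-256
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256"""
FW_B = FW_A.replace("source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
                    "source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")

RULE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")

def parse(cfg):
    """Group a Huawei-style config into {section header: set of indented child lines}."""
    sections, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            sections[cur].add(line.strip())
        else:
            cur = line.strip()
            sections.setdefault(cur, set())
    return sections

def flows(sections):
    """Collect (source, destination) pairs from every 'acl' section's permit rules."""
    return {m.groups() for hdr, lines in sections.items() if hdr.startswith("acl ")
            for m in map(RULE.match, lines) if m}

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would make IKE/IPsec negotiation between A and B fail."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    # 1. The flows of interest must be exact mirrors: same prefixes, source and destination
    #    swapped. Set equality also rejects a peer ACL that is a subset or a different segment.
    mirrored = {(dst, src) for src, dst in flows(b)}
    if flows(a) != mirrored:
        problems.append(f"ACL not mirrored: local {sorted(flows(a))} vs peer {sorted(mirrored)}")
    # 2. Every IKE and IPsec proposal parameter must be identical on both ends.
    for header in sorted(set(a) | set(b)):
        if header.startswith(("ike proposal", "ipsec proposal")):
            diff = a.get(header, set()) ^ b.get(header, set())
            if diff:
                problems.append(f"{header}: differs in {sorted(diff)}")
    return problems
```

Running check_peers(FW_A, FW_B) returns an empty list; change one proposal parameter or copy the same ACL to both ends and the offending section is named.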
1. [FW_A] display ike sa
# Normally there are two IKE SAs, one for each phase. The flags mean:
RD--READY: this SA has been established successfully.
ST--STAYALIVE: this end is the initiator of the tunnel negotiation.
# On the other end the flags contain no ST, only RD|A.
2019-07-16
IKE SA information:
  Conn-ID   Peer           VPN   Flag(s)    Phase   RemoteType   RemoteID
  ------------------------------------------------------------------------
  2         1.1.5.1:500          RD|ST|A    v2      IP           1.1.5.1
  1         1.1.5.1:500          RD|ST|A    v2      IP           1.1.5.1
  Number of IKE SA: 2
  ------------------------------------------------------------------------
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
2. display ipsec sa
# Phase 2 SAs. Note that this sample output was captured on the second firewall (tunnel local 1.1.5.1), so the flow source is 10.1.2.0.
2019-07-16
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/1
===============================
-------------------------------
IPSec policy name: "map1"
Sequence number: 10
Acl group: 3000
Acl rule: 5
Mode: ISAKMP
-------------------------------
Connection ID: 2
Encapsulation mode: Tunnel
Holding time: 0d 0h 27m 45s
Tunnel local: 1.1.5.1:500
Tunnel remote: 1.1.3.1:500
Flow source: 10.1.2.0/255.255.255.0 0-65535
Flow destination: 10.1.1.0/255.255.255.0 0-65535
[Outbound ESP SAs]
  SPI: 197382210 (0xbc3d042)
  Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
  SA remaining key duration (kilobytes/sec): 10485666/1935
  Max sent sequence-number: 1606
  UDP encapsulation used for NAT traversal: N
  SA encrypted packets (number/bytes): 1605/96300
[Inbound ESP SAs]
  SPI: 196813874 (0xbbb2432)
  Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
  SA remaining key duration (kilobytes/sec): 10485666/1935
  Max received sequence-number: 1600
  UDP encapsulation used for NAT traversal: N
  SA decrypted packets (number/bytes): 1619/97140
  Anti-replay: Enable
  Anti-replay window size: 1024
The two commands above only show the result of negotiation. To troubleshoot dynamically, three methods are recommended in a lab environment.
First, debugging. This method shows where the error is reported, and takes some skill to read:
terminal monitor
terminal debugging
debugging ikev2 [ error | all ]
Second, packet capture: capture packets in the eNSP environment to see the state of the exchange.
Third, build the lab from scratch once a day for ten days in a row. The first few attempts will have problems, and each time you will find and fix one more thing.
Before doing the experiment, some knowledge should be prepared in advance:
Encryption principles: symmetric and asymmetric encryption
Hash algorithms
The relationship between ISAKMP and IKE
The DH algorithm (the Wikipedia article is a very good reference)
The respective roles of Phase 1 and Phase 2
Characteristics of AH and ESP
Pre-shared key: the pre-shared key we configured is not the encryption key; it is only a parameter used for authentication. The encryption key is the symmetric key that both sides derive with the DH algorithm from the exchanged key material.