H3C Firewall Configuration File
Last updated: 2023.01.06 07:45:01    First published: 2023.01.06 07:45:01

This document describes how to write the configuration file for an on-premises IPsec connection when the user's on-premises VPN gateway is an H3C firewall.

Note

Configuration files for different firewall models from the same vendor may differ; this document is only an example for reference, so consult the firewall vendor for specifics. The pre-shared keys used in this document are demonstration values chosen for readability; use a stronger pre-shared key in actual deployments.

Cloud-side IPsec connection configuration parameters

  • Pre-shared key: test@1234

  • Routing mode: interesting traffic

  • Local network segments: 1.1.1.1/32, 172.1.1.1/32

  • Remote network segments: 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32

  • IKE configuration

    Policy                    Value
    ----------------------------------------
    Authentication algorithm  md5
    Encryption algorithm      aes192
    DH group                  group1
    Negotiation mode          main
    Version                   ikev2
    Lifetime (seconds)        86400
    Local ID                  119.XX.XX.94
    Remote ID                 180.XX.XX.137

  • IPsec configuration

    Policy                    Value
    ----------------------------------------
    Authentication algorithm  md5
    Encryption algorithm      aes192
    DH group                  group1
    Lifetime (seconds)        3600

Note

The table above is the cloud-side configuration: "local"/"Local" refer to the cloud VPN side and "remote"/"Remote" refer to the user's on-premises VPN side. In the configuration file it is exactly the reverse: "local"/"Local" refer to the user's on-premises VPN side and "remote"/"Remote" refer to the cloud VPN side.

Configuration file

VPC utilizes unique identifiers to manipulate the configuration of
 a VPN Connection. Each VPN Connection is assigned an identifier and is
 associated with Virtual Private Gateway Identifier and User Gateway IP.

 Your VPN Connection ID : 37315  # ID of the IPsec connection on the user's on-premises firewall
 Your Virtual Private Gateway ID : 23850 # ID of the user's on-premises VPN gateway
 Your User Gateway IP : 180.XX.XX.137 255.255.255.255 180.XX.XX.137/32 0.0.0.0 # IP address of the user's on-premises VPN gateway

 To configure an IKEv2-based IPsec tunnel, perform the following tasks:

 1. Internet Key Exchange (IKEv2) Configuration

 A policy is established for the supported ISAKMP encryption,
 authentication, Diffie-Hellman and key parameters.

 An IKEv2 proposal defines a set of attributes describing how IKEv2 negotiation in
 phase 1 should take place.
 By default, there is an IKEv2 proposal that is used as the default IKEv2 proposal.
 The default IKEv2 proposal parameters are as follows:
 Authentication Authentication Encryption Diffie-Hellman Duration
 method algorithm algorithm group (seconds)
 ------------------------------------------------------------------
 PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400

 Create an IKEv2 keychain to use the pre-shared key for authentication.

ikev2 keychain keychain1   # key settings
peer peer1
address 119.XX.XX.94   # identity of the VPN gateway; by default the egress IP address of the cloud VPN gateway
pre-shared-key plaintext test@1234   # pre-shared key
quit

ikev2 proposal 1   # encryption settings
encryption aes-cbc-192   # encryption algorithm
integrity md5   # authentication (integrity) algorithm
dh group1   # DH group
quit

ikev2 policy unique
proposal 1
match local address 180.XX.XX.137  # identity of the user's on-premises VPN gateway

 An IKEv2 profile is intended to provide a set of parameters for IKEv2
 negotiation. IKEv2 negotiation mode for phase 1 uses Main mode.   # negotiation mode: main or aggressive
 Uses the IP address of the user gateway as the local ID. Uses the WAN IP
 address of the VPN gateway as the remote ID.

ikev2 profile profile1
authentication-method local pre-share
authentication-method remote pre-share
keychain keychain1
identity local address 180.XX.XX.137  # identity of the user's on-premises VPN gateway
match remote identity address 119.XX.XX.94 # identity of the cloud VPN gateway
quit

 The invalid SPI recovery feature enables the receiving peer to set up an IKE
 SA with the originator so that an SPI invalid notification can be sent. Upon
 receiving the notification, the originator deletes the IPsec SA that has the
 invalid SPI. If the originator has data to send, new SAs will be set up.
 
ike invalid-spi-recovery enable


 2. IPsec Configuration

 By default, the time-based IPsec SA lifetime is 3600 seconds.

 The IPsec transform set defines the encryption, authentication, and IPsec
 mode parameters.
 The default IPsec transform-set parameters are as follows:
 Security protocol Encapsulation mode PFS feature
 ----------------------------------------------------
 ESP tunnel disabled

ipsec transform-set transform-set1
esp authentication-algorithm md5
esp encryption-algorithm aes-cbc-192
pfs dh-group1
quit


 IPsec uses ACLs to identify the traffic to be protected. Configure an IPv4
 advanced ACL to identify data flows.

acl advanced 3001 # user-side policy entries: the source is the on-premises segment, the destination is the cloud segment

rule permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0.0.0.0
rule permit ip source 2.2.2.2 0.0.0.0 destination 172.1.1.1 0.0.0.0
rule permit ip source 3.3.3.3 0.0.0.0 destination 1.1.1.1 0.0.0.0
rule permit ip source 3.3.3.3 0.0.0.0 destination 172.1.1.1 0.0.0.0
rule permit ip source 4.4.4.4 0.0.0.0 destination 1.1.1.1 0.0.0.0
rule permit ip source 4.4.4.4 0.0.0.0 destination 172.1.1.1 0.0.0.0
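As an added example (not code from the original page or from H3C), the following Python helper derives the on-premises ACL rules from the cloud-side segment lists: it swaps sides as the note above describes, converts CIDR prefixes to the wildcard masks H3C ACLs expect, and flags any source/destination pair an existing ACL fails to cover. It generalizes beyond the page's /32 hosts to arbitrary prefix lengths; the segment lists and the `CONFIGURED` sample are constructed from the page's values.

```python
import ipaddress
from itertools import product

# Cloud-side parameters as listed on this page (constructed from the page's table).
CLOUD_LOCAL = ["1.1.1.1/32", "172.1.1.1/32"]              # "local" on the cloud side
CLOUD_REMOTE = ["2.2.2.2/32", "3.3.3.3/32", "4.4.4.4/32"]  # "remote" on the cloud side


def wildcard(cidr: str) -> tuple[str, str]:
    """Return (network address, H3C wildcard mask) for a CIDR prefix.

    H3C ACL rules take an inverse mask: 0 bits must match, 1 bits are
    don't-care, so a /32 host becomes 0.0.0.0 and a /24 becomes 0.0.0.255.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def onprem_acl_rules(cloud_local, cloud_remote):
    """Rules for the on-premises firewall's advanced ACL.

    Sides are swapped relative to the cloud-side table: the cloud "remote"
    segments are the ACL source and the cloud "local" segments are the
    destination. One rule is emitted per source/destination pair.
    """
    rules = []
    for src, dst in product(cloud_remote, cloud_local):
        s_addr, s_mask = wildcard(src)
        d_addr, d_mask = wildcard(dst)
        rules.append(f"rule permit ip source {s_addr} {s_mask} "
                     f"destination {d_addr} {d_mask}")
    return rules


def missing_rules(configured, cloud_local, cloud_remote):
    """Return expected rules absent from a configured ACL.

    A pair the ACL does not match is not selected as interesting traffic, so
    it is never protected by the tunnel; this check catches that gap before
    the policy is applied to the interface.
    """
    have = {line.strip() for line in configured}
    return [r for r in onprem_acl_rules(cloud_local, cloud_remote) if r not in have]


# Constructed sample: the page's ACL with its last rule left out.
CONFIGURED = onprem_acl_rules(CLOUD_LOCAL, CLOUD_REMOTE)[:5]

if __name__ == "__main__":
    print("\n".join(onprem_acl_rules(CLOUD_LOCAL, CLOUD_REMOTE)))
    print("missing:", missing_rules(CONFIGURED, CLOUD_LOCAL, CLOUD_REMOTE))
```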

 ACL for VPN connection probe

 The IPsec policy references the IPsec transform set, ACL and IKE profile.
 Configure the remote address for the IPsec tunnel in the IPsec policy policy1.

ipsec policy policy1 1 isakmp
transform-set transform-set1
security acl 3001
remote-address 119.XX.XX.94 # the remote address is the identity of the cloud VPN gateway
ikev2-profile profile1
sa duration time-based 3600
quit

 Enable sending ICMP destination unreachable messages. The device sends ICMP
 destination unreachable message when the received packet cannot be sent to
 the destination.

ip unreachables enable


 3. Interface Configuration
 Apply the IPsec policy to an interface. All traffic routed to the interface
 will be encrypted and transmitted to the VPC. Traffic from the VPC will be
 received on this interface.
 Finally, use the command 'ip address' to assign an IP address to the interface.

interface myporttest1  # name of the user's on-premises port
port link-mode route
ipsec apply policy policy1
quit