

    How to configure IPsec on a Huawei USG firewall

    Shared by 權威724


      Huawei's products cover the switching, transmission, wireless and wired fixed-access and data communication networks of a communications network, as well as wireless terminals. Do you know how to configure IPsec on a Huawei USG firewall? Below is the material the Xuexila editor compiled on configuring IPsec on a Huawei USG firewall, for your reference.

      A Huawei USG firewall IPsec configuration example

      Lab topology

      The lab is built on the Huawei eNSP 1.2.00.370 simulator. The devices are connected in a chain: client1 - USG-1 - AR1 - USG-2 - client2.

      Lab requirements

      USG-1 and USG-2 simulate enterprise edge devices. NAT and IPsec are configured on both of them so that the two private networks can communicate with each other.

      Lab configuration

      The IP address configuration of R1 is omitted.

      USG-1 configuration

      [USG-1]firewall zone trust //configure the trust zone
      [USG-1-zone-trust]add interface g0/0/0 //add the interface to the trust zone
      [USG-1-zone-trust]quit
      [USG-1]firewall zone untrust //configure the untrust zone
      [USG-1-zone-untrust]add int g0/0/1 //add the interface to the untrust zone
      [USG-1-zone-untrust]quit
      [USG-1]int g0/0/0
      [USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
      [USG-1-GigabitEthernet0/0/0]int g0/0/1
      [USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
      [USG-1-GigabitEthernet0/0/1]quit
      [USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1 //default route towards the public network

      [USG-1]nat-policy interzone trust untrust outbound
      //enter the trust-to-untrust outbound NAT policy view
      [USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1 //create a policy
      [USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
      [USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255
      [USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
      //the three commands above exempt packets from 192.168.10.0/24 to 192.168.20.0/24 from NAT
      [USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit
      [USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2 //create policy 2
      [USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
      //translate the source IP address
      [USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
      //reuse the address of interface G0/0/1
      [USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit
      [USG-1-nat-policy-interzone-trust-untrust-outbound]quit
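The NAT policy above only works because policy 1 (no-nat) sits in front of policy 2 (easy-ip): the firewall takes the first matching rule, and a packet that has already been source-translated to the WAN address no longer matches the IPsec interesting-traffic ACL. The following is an added example, not code from the article, that models that first-match evaluation in Python with the article's rule data; the sample packets (a C1-to-C2 flow and a C1-to-Internet flow to 203.0.113.5) are constructed values, and the model of "NAT first, then ACL 3000" is this example's assumption.

```python
"""Added example, not part of the original article: a first-match evaluator for the
USG-1 NAT policy, followed by the ACL 3000 interesting-traffic check.

It shows two things the article's comments state but do not demonstrate:
  * nat-policy rules are matched in order, so the no-nat rule for the VPN
    subnets must sit in front of the easy-ip source-nat rule;
  * a packet whose source has been translated to the WAN address 11.0.0.2 no
    longer matches ACL 3000 (source 192.168.10.0/24) and would leave in the clear.
Rule data mirrors the article; the test packets are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert VRP 'address wildcard' notation (192.168.10.0 0.0.0.255) to a network.

    A wildcard bit of 1 means "don't care". The shorthand "0" used in the article
    (policy source 12.0.0.2 0) stands for 0.0.0.0, i.e. an exact host match.
    """
    if wildcard == "0":
        wildcard = "0.0.0.0"
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # don't-care bits must form a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


@dataclass
class NatRule:
    name: str
    action: str                                   # "no-nat" or "source-nat"
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dst: Optional[ipaddress.IPv4Network] = None   # None = any destination
    easy_ip: Optional[str] = None                 # interface address reused by easy-ip

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return (self.src is None or src_ip in self.src) and \
               (self.dst is None or dst_ip in self.dst)


# nat-policy interzone trust untrust outbound on USG-1, in the article's order.
USG1_NAT_POLICY: List[NatRule] = [
    NatRule("policy 1", "no-nat",
            src=wildcard_to_network("192.168.10.0", "0.0.0.255"),
            dst=wildcard_to_network("192.168.20.0", "0.0.0.255")),
    NatRule("policy 2", "source-nat", easy_ip="11.0.0.2"),   # easy-ip g0/0/1
]
# The same two rules with the order swapped, to show why the order matters.
USG1_NAT_POLICY_REVERSED: List[NatRule] = list(reversed(USG1_NAT_POLICY))

# ACL 3000: the interesting traffic referenced by IPsec policy "map".
ACL_3000 = (wildcard_to_network("192.168.10.0", "0.0.0.255"),
            wildcard_to_network("192.168.20.0", "0.0.0.255"))


def apply_nat_policy(rules: List[NatRule], src_ip: ipaddress.IPv4Address,
                     dst_ip: ipaddress.IPv4Address) -> Tuple[ipaddress.IPv4Address, str]:
    """First matching rule wins; return the (possibly translated) source and the rule name."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            if rule.action == "source-nat":
                return ipaddress.IPv4Address(rule.easy_ip), rule.name
            return src_ip, rule.name
    return src_ip, "no rule matched"   # nothing hit: source address left unchanged


def egress_disposition(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, str]:
    """Model the outbound path on USG-1: NAT policy first, then the IPsec ACL check.

    Returns (source address on the wire, NAT rule that fired, "ipsec-tunnel" or "plain").
    """
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    wire_src, rule_name = apply_nat_policy(rules, src_ip, dst_ip)
    via = "ipsec-tunnel" if (wire_src in ACL_3000[0] and dst_ip in ACL_3000[1]) else "plain"
    return str(wire_src), rule_name, via


if __name__ == "__main__":
    # Constructed sample packets: C1 to C2 across the VPN, and C1 to an Internet host.
    for rules, label in ((USG1_NAT_POLICY, "article order"),
                         (USG1_NAT_POLICY_REVERSED, "reversed order")):
        for dst in ("192.168.20.10", "203.0.113.5"):
            print(label, "192.168.10.10 ->", dst, egress_disposition(rules, "192.168.10.10", dst))
```

With the rules in the article's order the C1-to-C2 packet keeps its private source and is selected for the tunnel, while the Internet-bound packet is translated to 11.0.0.2. With the order reversed the VPN-bound packet is translated first and then fails the ACL 3000 match, which is the symptom to look for when the tunnel never negotiates although the configuration "looks right".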

      -------Phase 1---------

      [USG-1]ike proposal 1 //configure an IKE proposal
      [USG-1-ike-proposal-1]authentication-method pre-share //set the IKE authentication method to pre-shared key
      [USG-1-ike-proposal-1]authentication-algorithm sha1 //set the IKE authentication algorithm to sha1
      [USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 //set the IKE integrity algorithm
      [USG-1-ike-proposal-1]dh group2 //set the DH group for IKE key negotiation
      [USG-1-ike-proposal-1]quit
      [USG-1]ike peer USG-2 //create an IKE peer named USG-2
      [USG-1-ike-peer-usg-2]pre-shared-key abc123 //configure the pre-shared key
      [USG-1-ike-peer-usg-2]remote-address 12.0.0.2 //configure the peer IP address
      [USG-1-ike-peer-usg-2]ike-proposal 1 //reference the IKE proposal
      [USG-1-ike-peer-usg-2]quit

      ----------Phase 2----------

      [USG-1]ipsec proposal test //configure an IPsec proposal
      [USG-1-ipsec-proposal-test]encapsulation-mode tunnel //use tunnel encapsulation mode
      [USG-1-ipsec-proposal-test]transform esp //set the IPsec security protocol to ESP
      [USG-1-ipsec-proposal-test]esp encryption-algorithm aes //set the ESP encryption algorithm to AES
      [USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 //set the ESP authentication algorithm
      [USG-1-ipsec-proposal-test]quit
      [USG-1]acl 3000 //create an ACL that defines the interesting traffic
      [USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
      [USG-1-acl-adv-3000]quit
      [USG-1]ipsec policy map 1 isakmp //create an IPsec policy named map
      [USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2 //reference the IKE peer
      [USG-1-ipsec-policy-isakmp-map-1]proposal test //reference the IPsec proposal
      [USG-1-ipsec-policy-isakmp-map-1]security acl 3000 //specify the interesting traffic
      [USG-1-ipsec-policy-isakmp-map-1]quit
      [USG-1]int g0/0/1
      [USG-1-GigabitEthernet0/0/1]ipsec policy map //apply the IPsec policy on the WAN-facing interface

      Interzone policy configuration

      [USG-1]policy interzone trust untrust outbound
      //enter the trust-to-untrust outbound policy view
      [USG-1-policy-interzone-trust-untrust-outbound]policy 1 //create a policy
      [USG-1-policy-interzone-trust-untrust-outbound-1]action permit
      //allow all hosts in the trust zone to access the untrust zone
      [USG-1-policy-interzone-trust-untrust-outbound-1]quit
      [USG-1-policy-interzone-trust-untrust-outbound]quit

      [USG-1]policy interzone trust untrust inbound
      //enter the trust-to-untrust inbound policy view
      [USG-1-policy-interzone-trust-untrust-inbound]policy 1
      [USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255
      [USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255
      [USG-1-policy-interzone-trust-untrust-inbound-1]action permit
      //the commands above allow traffic from 192.168.20.0/24 to 192.168.10.0/24 to pass
      [USG-1-policy-interzone-trust-untrust-inbound-1]quit
      [USG-1-policy-interzone-trust-untrust-inbound]quit

      [USG-1]policy interzone local untrust inbound
      //enter the local-to-untrust inbound policy view
      [USG-1-policy-interzone-local-untrust-inbound]policy 1
      [USG-1-policy-interzone-local-untrust-inbound-1]policy service service-set esp
      [USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0
      [USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0
      [USG-1-policy-interzone-local-untrust-inbound-1]action permit
      //allow ESP packets from source 12.0.0.2 to destination 11.0.0.2

      USG-2 configuration

      [USG-2]firewall zone trust
      [USG-2-zone-trust]add int g0/0/0
      [USG-2-zone-trust]quit
      [USG-2]firewall zone untrust
      [USG-2-zone-untrust]add int g0/0/1
      [USG-2-zone-untrust]quit
      [USG-2]int g0/0/0
      [USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
      [USG-2-GigabitEthernet0/0/0]int g0/0/1
      [USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
      [USG-2-GigabitEthernet0/0/1]quit
      [USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

      [USG-2]nat-policy interzone trust untrust outbound
      [USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1
      [USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
      [USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255
      [USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
      [USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit
      [USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2
      [USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
      [USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1
      [USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit
      [USG-2-nat-policy-interzone-trust-untrust-outbound]quit

      [USG-2]ike proposal 1
      [USG-2-ike-proposal-1]authentication-method pre-share
      [USG-2-ike-proposal-1]authentication-algorithm sha1
      [USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
      [USG-2-ike-proposal-1]dh group2
      [USG-2-ike-proposal-1]quit
      [USG-2]ike peer USG-A
      [USG-2-ike-peer-usg-a]pre-shared-key abc123
      [USG-2-ike-peer-usg-a]ike-proposal 1
      [USG-2-ike-peer-usg-a]remote-address 11.0.0.2
      [USG-2-ike-peer-usg-a]quit

      [USG-2]ipsec proposal test
      [USG-2-ipsec-proposal-test]encapsulation-mode tunnel
      [USG-2-ipsec-proposal-test]transform esp
      [USG-2-ipsec-proposal-test]esp encryption-algorithm aes
      [USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
      [USG-2-ipsec-proposal-test]quit
      [USG-2]acl 3000
      [USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
      [USG-2-acl-adv-3000]quit
      [USG-2]ipsec policy map 1 isakmp
      [USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A
      [USG-2-ipsec-policy-isakmp-map-1]proposal test
      [USG-2-ipsec-policy-isakmp-map-1]security acl 3000
      [USG-2-ipsec-policy-isakmp-map-1]quit
      [USG-2]int g0/0/1
      [USG-2-GigabitEthernet0/0/1]ipsec policy map
      [USG-2-GigabitEthernet0/0/1]quit

      [USG-2]policy interzone trust untrust outbound
      [USG-2-policy-interzone-trust-untrust-outbound]policy 1
      [USG-2-policy-interzone-trust-untrust-outbound-1]action permit
      [USG-2-policy-interzone-trust-untrust-outbound-1]quit
      [USG-2-policy-interzone-trust-untrust-outbound]quit
      [USG-2]policy interzone trust untrust inbound
      [USG-2-policy-interzone-trust-untrust-inbound]policy 1
      [USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255
      [USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255
      [USG-2-policy-interzone-trust-untrust-inbound-1]action permit
      [USG-2-policy-interzone-trust-untrust-inbound-1]quit
      [USG-2-policy-interzone-trust-untrust-inbound]quit
      [USG-2]policy interzone local untrust inbound
      [USG-2-policy-interzone-local-untrust-inbound]policy 1
      [USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0
      [USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0
      [USG-2-policy-interzone-local-untrust-inbound-1]policy service service-set esp
      [USG-2-policy-interzone-local-untrust-inbound-1]action permit

      Ping C2 (192.168.20.10) from C1 (192.168.10.10).

      Use display ike sa and display ipsec sa to check that the IKE and IPsec security associations with the neighbor have been established.
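If display ike sa shows nothing, the usual cause is that the two ends do not agree: the IKE proposal, the IPsec proposal, the pre-shared key, the remote-address of each peer (which must be the other side's g0/0/1 address) and ACL 3000 (which must be a mirror image) all have to line up. The following added example, which is not code from the article and not a Huawei tool, parses the VRP-style lines of both configurations and checks those points in Python; the embedded configs are a condensed copy of the article's commands, and the parser, the check functions and the advisory notes on the algorithm choices are this example's own assumptions.

```python
"""Added example, not part of the original article: a consistency check across the
USG-1 and USG-2 configurations. The tunnel only comes up when both ends agree,
so this parses the VRP-style lines ([prompt]command //comment) and checks what
must match: IKE proposal, IPsec proposal, pre-shared key, each side's
remote-address against the other side's WAN address, and ACL 3000 being a
mirror image. It also lists advisory notes on the algorithm choices. The
embedded configs are a condensed copy of the article's commands; the parser and
checks are this example's own assumptions, not a Huawei tool.
"""
import re

LINE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.*?)\s*(?://.*)?$")

USG1_CONFIG = """
[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24
[USG-1-ike-proposal-1]authentication-method pre-share
[USG-1-ike-proposal-1]authentication-algorithm sha1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-1-ike-proposal-1]dh group2
[USG-1-ike-peer-usg-2]pre-shared-key abc123
[USG-1-ike-peer-usg-2]remote-address 12.0.0.2
[USG-1-ike-peer-usg-2]ike-proposal 1
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel
[USG-1-ipsec-proposal-test]transform esp
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""
USG2_CONFIG = """
[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24
[USG-2-ike-proposal-1]authentication-method pre-share
[USG-2-ike-proposal-1]authentication-algorithm sha1
[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[USG-2-ike-proposal-1]dh group2
[USG-2-ike-peer-usg-a]pre-shared-key abc123
[USG-2-ike-peer-usg-a]ike-proposal 1
[USG-2-ike-peer-usg-a]remote-address 11.0.0.2
[USG-2-ipsec-proposal-test]encapsulation-mode tunnel
[USG-2-ipsec-proposal-test]transform esp
[USG-2-ipsec-proposal-test]esp encryption-algorithm aes
[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1
[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""


def parse_usg(text):
    """Pull the fields the check needs out of a VRP-style USG configuration."""
    cfg = {"ike_proposal": {}, "ike_peer": {}, "ipsec_proposal": {}, "acl": [], "wan_ip": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        prompt, words = m.group("prompt"), m.group("cmd").split()
        if not words or words[0] == "quit":
            continue
        if "-ike-proposal-" in prompt:                 # e.g. "dh group2"
            cfg["ike_proposal"][words[0]] = " ".join(words[1:])
        elif "-ike-peer-" in prompt:                   # e.g. "remote-address 12.0.0.2"
            cfg["ike_peer"][words[0]] = " ".join(words[1:])
        elif "-ipsec-proposal-" in prompt:             # e.g. "esp encryption-algorithm aes"
            cfg["ipsec_proposal"][" ".join(words[:-1])] = words[-1]
        elif "-acl-adv-" in prompt and words[:3] == ["rule", "permit", "ip"]:
            cfg["acl"].append((words[4], words[5], words[7], words[8]))  # src, wc, dst, wc
        elif prompt.endswith("GigabitEthernet0/0/1") and words[0] == "ip":
            cfg["wan_ip"] = words[2]                   # g0/0/1 is the untrust (WAN) interface
    return cfg


def check_peers(a, b):
    """Mismatches that would stop the tunnel coming up (empty list = consistent)."""
    problems = []
    if a["ike_proposal"] != b["ike_proposal"]:
        problems.append("IKE proposals differ")
    if a["ipsec_proposal"] != b["ipsec_proposal"]:
        problems.append("IPsec proposals differ")
    if a["ike_peer"].get("pre-shared-key") != b["ike_peer"].get("pre-shared-key"):
        problems.append("pre-shared keys differ")
    for x, y, label in ((a, b, "first peer"), (b, a, "second peer")):
        if x["ike_peer"].get("remote-address") != y["wan_ip"]:
            problems.append(f"{label} remote-address does not match the other side's WAN address")
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"]}
    if set(a["acl"]) != mirrored:
        problems.append("ACL 3000 is not a mirror image on the two peers")
    return problems


def advisory_findings(cfg):
    """Algorithm and key-strength observations; these do not stop the tunnel."""
    notes = []
    if cfg["ike_proposal"].get("authentication-algorithm") == "sha1":
        notes.append("IKE authentication algorithm is SHA-1 (legacy)")
    if cfg["ike_proposal"].get("dh") == "group2":
        notes.append("IKE DH group2 is 1024-bit MODP (legacy)")
    if cfg["ipsec_proposal"].get("esp authentication-algorithm") == "sha1":
        notes.append("ESP authentication algorithm is SHA-1 (legacy)")
    if len(cfg["ike_peer"].get("pre-shared-key", "")) < 16:
        notes.append("pre-shared key is shorter than 16 characters")
    return notes


if __name__ == "__main__":
    usg1, usg2 = parse_usg(USG1_CONFIG), parse_usg(USG2_CONFIG)
    print("mismatches:", check_peers(usg1, usg2) or "none")
    print("advisory:", advisory_findings(usg1))
    # A deliberately mistyped key on USG-2 is reported as a mismatch.
    print("with wrong PSK:", check_peers(usg1, parse_usg(USG2_CONFIG.replace("abc123", "abc124"))))
```

The check is deliberately strict about ACL 3000 being an exact mirror: on the USG the ACL selects which flows enter the tunnel, so a wider or narrower rule on one side produces a tunnel that negotiates but only carries traffic in one direction, which is harder to spot in display ipsec sa than an outright negotiation failure.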
