
HUAWEI Campus Router Deploying IPSec for Branch Interconnection: Configuration Example

2024-11-09 14:50
 
        Customer requirements: the customer's campus headquarters uses two egress routers in a redundant backup arrangement to provide device-level reliability. The core layer consists of two switches in a stack, also for device-level reliability; the core switch acts as the user gateway and assigns IP addresses to users.
        Specific service requirements:
        Users in department A may access the Internet; users in department B may not.
        Headquarters runs a Web server that provides WWW service externally; Internet users must be able to reach this internal server.
        Headquarters and the branch must interconnect their private networks over the Internet through a VPN, and the traffic must be protected.
        In this case the two aggregation-layer switches form a stack and connect to the core switch.
Figure: network diagram for routers deploying IPSec with branch interconnection
        Devices and versions: AR6300 V300R019C10; core layer: S12700E V200R019C10
        Deployment plan
        1. Configure stacking on the core switches to improve device-level reliability.
        2. Configure Eth-Trunk on the core switch and the headquarters egress routers to improve link reliability.
        3. Configure interfaces, VLANs and IP addresses on the core switch and the egress routers.
        4. Configure VRRP on the headquarters egress routers to improve device-level reliability.
        5. Configure routing on the core switch and the egress routers so that the network is reachable end to end.
        6. Configure NAT Outbound on the egress routers so that department A users can access the Internet.
        7. Configure NAT Server on the headquarters egress routers so that Internet users can reach the internal Web server.
        8. Configure IPSec on the egress routers for secure communication between headquarters and the branch.
 
        Deployment steps
        Configure stacking on the core switches; for the details, refer to the generic cluster/stack deployment guide.
        Configure Eth-Trunk.
        # Configure headquarters egress router RouterA. RouterB is configured in the same way as RouterA and is not repeated here.
 
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] eth-trunk 1
[RouterA-GigabitEthernet2/0/1] quit
# Configure core switch CORE.
 
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 3
[CORE-Eth-Trunk3] mode lacp
[CORE-Eth-Trunk3] quit
[CORE] interface eth-trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 3
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 3
[CORE-GigabitEthernet2/3/0/0] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 4
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 4
[CORE-GigabitEthernet2/3/0/1] quit
Configure interfaces, VLANs and IP addresses.
# Configure branch egress router RouterC.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 3.3.3.2 24
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ip address 10.10.200.1 24
[RouterC-GigabitEthernet2/0/0] quit
# Configure headquarters egress router RouterA. RouterB is configured in the same way as RouterA.
 
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.100.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 100   //Configure the single VLAN ID terminated by the dot1q subinterface
[RouterA-Eth-Trunk1.100] arp broadcast enable     //Allow the subinterface to process ARP broadcast packets
[RouterA-Eth-Trunk1.100] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterA-GigabitEthernet1/0/0] quit
# Configure core switch CORE.
 
[CORE] vlan batch 30 100
[CORE] interface Eth-Trunk 3
[CORE-Eth-Trunk3] port link-type trunk
[CORE-Eth-Trunk3] port trunk allow-pass vlan 100
[CORE-Eth-Trunk3] quit
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] port link-type trunk
[CORE-Eth-Trunk4] port trunk allow-pass vlan 100
[CORE-Eth-Trunk4] quit
[CORE] interface xgigabitethernet 1/1/0/5  
[CORE-XGigabitEthernet1/1/0/5] port link-type access
[CORE-XGigabitEthernet1/1/0/5] port default vlan 30
[CORE-XGigabitEthernet1/1/0/5] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 10.10.30.1 24
[CORE-Vlanif30] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.10.100.4 24
[CORE-Vlanif100] quit
Configure VRRP on the routers.
# Configure RouterA.
 
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120
[RouterA-Eth-Trunk1.100] vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40   //Link the VRRP state to RouterA's uplink so that VRRP fails over quickly when the uplink goes down
[RouterA-Eth-Trunk1.100] quit
# Configure RouterB.
 
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit
Deploy default routes to steer each device's upstream traffic.
# On core switch CORE, configure a default route whose next hop is the VRRP virtual address of the egress routers.
 
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
# On the headquarters and branch egress routers, configure a default route whose next hop is the carrier-side peer address (the public-network gateway).
 
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[RouterB] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
[RouterC] ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
Deploy OSPF.
# Configure headquarters egress router RouterA.
 
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure headquarters egress router RouterB.
 
[RouterB] ospf 1 router-id 10.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
# Configure headquarters core switch CORE.
 
[CORE] ospf 1 router-id 10.3.3.3
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255 
[CORE-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255    
[CORE-ospf-1-area-0.0.0.0] quit
Configure NAT Outbound on the routers.
At headquarters only department A is allowed to access the Internet; its source address range is 10.10.10.0/24. All branch users are allowed to access the Internet; their source address range is 10.10.200.0/24. When both IPSec and NAT are configured on the same interface, NAT is applied first. To keep the IPSec-protected flows from being translated, the ACL referenced by NAT must therefore deny the flows that IPSec is to protect.
On headquarters egress router RouterA, define the flows that are to be NAT-translated. RouterB is configured in the same way as RouterA.
[RouterA] acl 3000
[RouterA-acl-adv-3000] rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255       //Flow to be protected by IPSec
[RouterA-acl-adv-3000] rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255      //Flow to be protected by IPSec
[RouterA-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255       //Flow to be NAT-translated
[RouterA-acl-adv-3000] quit
On branch egress router RouterC, define the flows that are to be NAT-translated.
[RouterC] acl 3000
[RouterC-acl-adv-3000] rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255      //Flow to be protected by IPSec
[RouterC-acl-adv-3000] rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255     //Flow to be protected by IPSec
[RouterC-acl-adv-3000] rule 15 permit ip source 10.10.200.0 0.0.0.255     //Flow to be NAT-translated
[RouterC-acl-adv-3000] quit
Configure NAT on the uplink interface of the egress routers. RouterB and RouterC are configured in the same way as RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat outbound 3000
[RouterA-GigabitEthernet1/0/0] quit
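The NAT-before-IPSec ordering described above, modelled as an added Python example (not part of the original page or of any Huawei code): it evaluates RouterA's ACL 3000 and ACL 3001 in the order the uplink applies them and shows what happens to a department A packet bound for the branch when the deny rules are missing. The rule lists mirror the page; the NO_DENY variant, the sample packets and the 203.0.113.10 Internet destination are constructed.

```python
from ipaddress import ip_address, ip_network

# ACL rules as (action, source network, destination network); None = any.
# ACL_3000_WITH_DENY and ACL_3001 are RouterA's ACLs from the page; the
# NO_DENY variant is the mistake the page warns about (constructed here).
ACL_3000_WITH_DENY = [
    ("deny", "10.10.10.0/24", "10.10.200.0/24"),    # rule 5: IPSec-protected flow
    ("deny", "10.10.20.0/24", "10.10.200.0/24"),    # rule 10: IPSec-protected flow
    ("permit", "10.10.10.0/24", None),              # rule 15: department A, to NAT
]
ACL_3000_NO_DENY = [("permit", "10.10.10.0/24", None)]
ACL_3001 = [
    ("permit", "10.10.10.0/24", "10.10.200.0/24"),
    ("permit", "10.10.20.0/24", "10.10.200.0/24"),
]
PUBLIC_IP = "1.1.1.2"                               # RouterA GigabitEthernet1/0/0
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    return any(ip_address(addr) in net for net in RFC1918)


def acl_match(acl, src, dst):
    """First-match lookup; an advanced ACL ends with an implicit deny."""
    for action, s_net, d_net in acl:
        if ip_address(src) in ip_network(s_net) and (
            d_net is None or ip_address(dst) in ip_network(d_net)
        ):
            return action
    return "deny"


def egress(nat_acl, src, dst):
    """Model the uplink order the page describes: NAT Outbound first, then the
    IPSec policy. Returns (source address on the wire, verdict), where
    'esp' = tunnelled by ipsec_vpn, 'internet' = translated and sent in the
    clear, 'unroutable' = a private address is left on a packet that must
    cross the Internet, so the flow (or its reply) cannot complete."""
    if acl_match(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP                    # translated before IPSec classifies it
    if acl_match(ACL_3001, src, dst) == "permit":
        return src, "esp"
    if is_private(src) or is_private(dst):
        return src, "unroutable"
    return src, "internet"
```

With the deny rules missing, a department A packet for the branch is translated to 1.1.1.2, no longer matches ACL 3001, and leaves untunnelled towards a private destination; department B traffic to the Internet is never translated, which is how the page keeps department B offline.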
Configure NAT Server on the routers.
# Configure RouterA.
 
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
[RouterA-GigabitEthernet1/0/0] quit
# Configure RouterB.
 
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit
Configure IPSec VPN on the routers.
On headquarters egress router RouterA, configure an ACL defining the flows to be protected by IPSec.
[RouterA] acl 3001
[RouterA-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
[RouterA-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterA-acl-adv-3001] quit
On headquarters egress router RouterB, configure an ACL defining the flows to be protected by IPSec.
[RouterB] acl 3001
[RouterB-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] quit
On branch egress router RouterC, configure an ACL defining the flows to be protected by IPSec.
[RouterC] acl 3001
[RouterC-acl-adv-3001] rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterC-acl-adv-3001] rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[RouterC-acl-adv-3001] quit
On headquarters egress router RouterA, configure the IPSec proposal. Headquarters egress router RouterB and branch egress router RouterC are configured in the same way as RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit
On headquarters egress router RouterA, configure the IKE proposal. Headquarters egress router RouterB and branch egress router RouterC are configured in the same way as RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit
On headquarters egress router RouterA, configure the IKE peer.
[RouterA] ike peer vpn
[RouterA-ike-peer-vpn] undo version 2
[RouterA-ike-peer-vpn] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-vpn] ike-proposal 5
[RouterA-ike-peer-vpn] dpd type periodic     //Configure periodic dead peer detection
[RouterA-ike-peer-vpn] dpd idle-time 10     //Set the DPD idle time to 10 seconds
[RouterA-ike-peer-vpn] remote-address 3.3.3.2
[RouterA-ike-peer-vpn] quit
On headquarters egress router RouterB, configure the IKE peer.
[RouterB] ike peer vpn
[RouterB-ike-peer-vpn] undo version 2
[RouterB-ike-peer-vpn] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-vpn] ike-proposal 5
[RouterB-ike-peer-vpn] dpd type periodic
[RouterB-ike-peer-vpn] dpd idle-time 10
[RouterB-ike-peer-vpn] remote-address 3.3.3.2
[RouterB-ike-peer-vpn] quit
On branch egress router RouterC, configure the IKE peers.
[RouterC] ike peer vpnr1
[RouterC-ike-peer-vpnr1] undo version 2
[RouterC-ike-peer-vpnr1] pre-shared-key cipher YsHsjx_202206
[RouterC-ike-peer-vpnr1] ike-proposal 5
[RouterC-ike-peer-vpnr1] dpd type periodic
[RouterC-ike-peer-vpnr1] dpd idle-time 10
[RouterC-ike-peer-vpnr1] remote-address 1.1.1.2
[RouterC-ike-peer-vpnr1] quit
[RouterC] ike peer vpnr2
[RouterC-ike-peer-vpnr2] undo version 2
[RouterC-ike-peer-vpnr2] pre-shared-key cipher YsHsjx_202206
[RouterC-ike-peer-vpnr2] ike-proposal 5
[RouterC-ike-peer-vpnr2] dpd type periodic
[RouterC-ike-peer-vpnr2] dpd idle-time 10
[RouterC-ike-peer-vpnr2] remote-address 2.2.2.2
[RouterC-ike-peer-vpnr2] quit
On headquarters egress router RouterA, configure the IPSec policy.
[RouterA] ipsec policy ipsec_vpn 10 isakmp
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] quit
On headquarters egress router RouterB, configure the IPSec policy.
[RouterB] ipsec policy ipsec_vpn 10 isakmp
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] quit
On branch egress router RouterC, configure the IPSec policies.
[RouterC] ipsec policy ipsec_vpn 10 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpnr1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] quit
[RouterC] ipsec policy ipsec_vpn 20 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] ike-peer vpnr2
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] quit
Apply the IPSec policy group on the interface of headquarters egress router RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterA-GigabitEthernet1/0/0] quit
Apply the IPSec policy group on the interface of headquarters egress router RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterB-GigabitEthernet1/0/0] quit
Apply the IPSec policy group on the interface of branch egress router RouterC.
[RouterC] interface GigabitEthernet1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterC-GigabitEthernet1/0/0] quit
Verification
# After the configuration is complete, run the display ike sa command to view the security associations established by IKE. Taking RouterA as an example, the IKE SAs are as follows.
 
[RouterA] display ike sa
IKE SA information :
   Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------------
   16        3.3.3.2:500               RD|ST     v1:2    IP          3.3.3.2
   14        3.3.3.2:500               RD|ST     v1:1    IP          3.3.3.2
 
   Number of IKE SA : 2
  --------------------------------------------------------------------------------
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
# Using ping, you can confirm that the headquarters and branch private networks reach each other, that department A users can access the Internet, and that department B users cannot.
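As an added example (not from the page or from Huawei), a small Python parser for the display ike sa table above that checks whether each expected peer has both a phase 1 and a phase 2 SA in the RD (READY) state, which is the condition a monitoring check would want rather than just "some SA exists". ROUTER_A_OUTPUT is the page's RouterA output (legend lines omitted); ROUTER_C_SAMPLE is constructed.

```python
import re

# RouterA output from the page (legend lines omitted); ROUTER_C_SAMPLE is
# constructed: tunnel to RouterA up, phase 1 with RouterB still negotiating.
ROUTER_A_OUTPUT = """\
IKE SA information :
   Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------------
   16        3.3.3.2:500               RD|ST     v1:2    IP          3.3.3.2
   14        3.3.3.2:500               RD|ST     v1:1    IP          3.3.3.2

   Number of IKE SA : 2
"""
ROUTER_C_SAMPLE = """\
   Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
   22        1.1.1.2:500               RD|ST     v1:2    IP          1.1.1.2
   21        1.1.1.2:500               RD|ST     v1:1    IP          1.1.1.2
   25        2.2.2.2:500               NEG       v1:1    IP          2.2.2.2
"""
PHASE = re.compile(r"^v(\d):([12])$")


def parse_ike_sa(text):
    """One dict per SA row. The VPN column may be empty, so the fixed columns
    are read from the right-hand end of the row rather than by position."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        m = PHASE.match(tok[-3]) if len(tok) >= 6 and tok[0].isdigit() else None
        if not m:
            continue                        # headers, separators, legend, blanks
        sas.append({
            "conn": int(tok[0]),
            "peer": tok[1].rsplit(":", 1)[0],   # drop the UDP port (500 or 4500)
            "flags": tok[-4].split("|"),
            "phase": int(m.group(2)),
            "remote_id": tok[-1],
        })
    return sas


def tunnel_status(text, expected_peers):
    """For each expected peer address: 'up' (phase 1 and phase 2 both READY),
    'phase1-only', 'negotiating' (rows exist but nothing READY) or 'absent'."""
    sas = parse_ike_sa(text)
    status = {}
    for peer in expected_peers:
        rows = [s for s in sas if s["peer"] == peer]
        ready = {s["phase"] for s in rows if "RD" in s["flags"]}
        if {1, 2} <= ready:
            status[peer] = "up"
        elif 1 in ready:
            status[peer] = "phase1-only"
        else:
            status[peer] = "negotiating" if rows else "absent"
    return status
```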
 
Configuration files
RouterA configuration file
#
 sysname RouterA
#
acl number 3000  
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 15 permit ip source 10.10.10.0 0.0.0.255 
acl number 3001  
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128                                                   
 dh group14                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share
#
ike peer vpn
 undo version 2 
 pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpn
 proposal tran1
#
interface Eth-Trunk1
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk1.100
 dot1q termination vid 100
 ip address 10.10.100.2 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.100.1
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
 arp broadcast enable
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.2 255.255.255.0 
 ipsec policy ipsec_vpn
 nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
 nat outbound 3000
#
interface GigabitEthernet2/0/0
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 eth-trunk 1
#
ospf 1 router-id 10.1.1.1 
 area 0.0.0.0 
  network 10.10.100.0 0.0.0.255 
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return
RouterB configuration file
#
 sysname RouterB
#
acl number 3000  
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 15 permit ip source 10.10.10.0 0.0.0.255 
acl number 3001  
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
 rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128                                                   
 dh group14                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share 
#
ike peer vpn 
 undo version 2
 pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpn
 proposal tran1
#
interface Eth-Trunk2
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk2.100
 dot1q termination vid 100
 ip address 10.10.100.3 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.100.1
 arp broadcast enable
#
interface GigabitEthernet1/0/0
 ip address 2.2.2.2 255.255.255.0 
 ipsec policy ipsec_vpn
 nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
 nat outbound 3000
#
interface GigabitEthernet2/0/0
 eth-trunk 2
#
interface GigabitEthernet2/0/1
 eth-trunk 2
#
ospf 1 router-id 10.2.2.2 
 area 0.0.0.0 
  network 10.10.100.0 0.0.0.255 
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
#
return
CORE configuration file
#
sysname CORE
#
vlan batch 30 100
#
interface Vlanif30
 ip address 10.10.30.1 255.255.255.0
#
interface Vlanif100
 ip address 10.10.100.4 255.255.255.0
#
interface Eth-Trunk3
 port link-type trunk
 port trunk allow-pass vlan 100
 mode lacp
#
interface Eth-Trunk4
 port link-type trunk
 port trunk allow-pass vlan 100
 mode lacp
#
interface GigabitEthernet1/3/0/0
 eth-trunk 3
#
interface GigabitEthernet1/3/0/1
 eth-trunk 4
#
interface XGigabitEthernet1/1/0/5 
 port link-type access
 port default vlan 30 
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface GigabitEthernet2/3/0/0
 eth-trunk 3
#
interface GigabitEthernet2/3/0/1
 eth-trunk 4
#
interface XGigabitEthernet2/1/0/10
  mad detect mode direct
#
ospf 1 router-id 10.3.3.3
 area 0.0.0.0
  network 10.10.30.0 0.0.0.255
  network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return
RouterC configuration file
#
 sysname RouterC
#
acl number 3000  
 rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255 
 rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255 
 rule 15 permit ip source 10.10.200.0 0.0.0.255 
acl number 3001  
 rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255 
 rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128                                                   
 dh group14                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share  
#
ike peer vpnr1
 undo version 2
 pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 1.1.1.2
#
ike peer vpnr2 
 undo version 2
 pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 2.2.2.2
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpnr1
 proposal tran1
#
ipsec policy ipsec_vpn 20 isakmp
 security acl 3001
 ike-peer vpnr2
 proposal tran1
#
interface GigabitEthernet1/0/0
 ip address 3.3.3.2 255.255.255.0 
 ipsec policy ipsec_vpn
 nat outbound 3000
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
#
return
 
 
 