IPSec VPN hands-on configuration: interconnecting headquarters and two branch offices over IPSec VPN

Case overview

This example shows how a headquarters site and two branch offices (three sites, using equipment from different vendors) are interconnected over IPSec VPN, and how the IPSec tunnels are established when the IPSec devices also perform NAT. The write-up is in five parts:

Network topology

Configuration approach

Configuration steps

Result verification

Device information

I. Network topology

An enterprise has a headquarters (A) and two branch offices, branch (B) and branch (C).

As shown in the figure below:

Tip: sketch the topology on paper with the ports and IP addresses labelled, so you can refer to it during the later configuration steps.

The network is laid out as follows:

Headquarters (A), branch (B) and branch (C) connect to the Internet through FW_A, FW_B and FW_C respectively.

FW_A, FW_B and FW_C are reachable from one another over the public network.

FW_A at headquarters and FW_B and FW_C at the branches all have fixed public IP addresses.

FW_A, FW_B and FW_C also act as NAT gateways.

Requirements:

PC1, PC2 and PC3 can all access the Internet directly.

IPSec tunnels are established between FW_A and FW_B and between FW_A and FW_C.

Branch hosts PC2 and PC3 can communicate securely with headquarters host PC1.

II. Configuration approach

Complete the basic configuration of FW_A, FW_B and FW_C: interfaces, security policies and routes.

Configure source NAT on FW_A, FW_B and FW_C so that PC1, PC2 and PC3 can reach the Internet after translation.

Configure IPSec between FW_A and FW_B and between FW_A and FW_C. Traffic between PC1 and PC2 and between PC1 and PC3 that travels through the IPSec tunnels must be exempted from NAT.

III. Configuration steps

1. Headquarters (A) basic device configuration

Firewall interface configuration (USG). Zone membership is not shown on the page but is required by the zone-based NAT and IPSec policies configured later: GE1/0/1 belongs in the trust zone and GE1/0/0 in the untrust zone.

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 111.11.11.11 255.255.255.240
 service-manage ping permit
 service-manage ssh permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.255.1 255.255.255.0
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
quit
ip route-static 0.0.0.0 0.0.0.0 111.11.11.1
ip route-static 10.1.1.0 255.255.255.0 10.10.255.2

Switch interface configuration (the ping in the middle checks reachability to the firewall before the VLAN is created)

interface Ethernet0/0
 no switchport
 no shutdown
 ip address 10.10.255.2 255.255.255.0
exit
exit
ping 10.10.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/2/3 ms
configure terminal
interface Vlan1
 shutdown
vlan 110
interface Vlan110
 no shutdown
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
 no shutdown
 switchport access vlan 110
exit
ip route 0.0.0.0 0.0.0.0 10.10.255.1

2. Branch (B) basic device configuration

Firewall interface configuration (ASA)

int g0/0
 no shutdown
 nameif outside
 security-level 0
 ip add 223.23.23.23 255.255.255.240
int g0/1
 no shutdown
 nameif inside
 security-level 100
 ip add 10.20.255.1 255.255.255.0
quit
route outside 0.0.0.0 0.0.0.0 223.23.23.17
route inside 10.2.2.0 255.255.255.0 10.20.255.2

Switch interface configuration

interface Ethernet0/0
 no shutdown
 no switchport
 ip add 10.20.255.2 255.255.255.0
int vlan 1
 shut
vlan 100
int vlan 100
 ip add 10.2.2.1 255.255.255.0
 no shutdown
exit
int e0/1
 no shutdown
 switchport access vlan 100
exit
ip route 0.0.0.0 0.0.0.0 10.20.255.1
exit
ping 10.20.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

3. Branch (C) basic device configuration

Firewall interface configuration (USG). As at headquarters, GE1/0/1 must be added to the trust zone and GE1/0/0 to the untrust zone for the zone-based policies below to apply; the page does not show those commands.

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 123.13.13.13 255.255.255.0
 service-manage ping permit
 service-manage ssh permit
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.30.255.1 255.255.255.0
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
quit
ip route-static 0.0.0.0 0.0.0.0 123.13.13.1
ip route-static 10.3.3.0 255.255.255.0 10.30.255.2

Switch interface configuration

interface Ethernet0/0
 no switchport
 no shutdown
 ip address 10.30.255.2 255.255.255.0
exit
exit
ping 10.30.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
configure terminal
interface Vlan1
 shutdown
vlan 130
interface Vlan130
 no shutdown
 ip address 10.3.3.1 255.255.255.0
interface Ethernet0/1
 no shutdown
 switchport access vlan 130
exit
ip route 0.0.0.0 0.0.0.0 10.30.255.1

3. NAT configuration

Headquarters (A) firewall NAT configuration (USG). The security-policy default action permit below is a lab shortcut; in production, permit only the required flows, including the IKE (UDP 500) and ESP traffic addressed to the firewall itself.

[HQ-A]ip address-set to_Internet type object
[HQ-A-object-address-set-to_Internet] address 0 10.1.1.0 mask 24
[HQ-A-object-address-set-to_Internet]quit
[HQ-A]security-policy
[HQ-A-policy-security] default action permit
[HQ-A-policy-security]quit
[HQ-A]nat-policy
[HQ-A-policy-nat] rule name to_Internet
[HQ-A-policy-nat-rule-to_Internet] source-zone trust
[HQ-A-policy-nat-rule-to_Internet] destination-zone untrust
[HQ-A-policy-nat-rule-to_Internet] source-address address-set to_Internet
[HQ-A-policy-nat-rule-to_Internet] action nat easy-ip
[HQ-A-policy-nat-rule-to_Internet]quit
[HQ-A-policy-nat]quit

From the headquarters (A) switch, ping a public address.

As shown in the figure below:

On the headquarters (A) firewall, the internal address can be seen translated by NAT.

As shown in the figure below:

Branch (B) firewall NAT configuration (ASA)

Branch-B(config)# object network to-Internet
Branch-B(config-network-object)# subnet 0.0.0.0 0.0.0.0
Branch-B(config-network-object)# nat (inside,outside) dynamic interface

From the branch (B) switch, ping a public address.

As shown in the figure below:

On the branch (B) firewall, the internal address can be seen translated by NAT.

As shown in the figure below:

Branch (C) firewall NAT configuration (USG)

[Branch-C]ip address-set to_Outside type object
[Branch-C-object-address-set-to_Outside] address 0 10.3.3.0 mask 24
[Branch-C-object-address-set-to_Outside]quit
[Branch-C]nat-policy
[Branch-C-policy-nat]rule name to_Internet
[Branch-C-policy-nat-rule-to_Internet] source-zone trust
[Branch-C-policy-nat-rule-to_Internet] destination-zone untrust
[Branch-C-policy-nat-rule-to_Internet] source-address address-set to_Outside
[Branch-C-policy-nat-rule-to_Internet] action nat easy-ip
[Branch-C-policy-nat-rule-to_Internet] quit
[Branch-C-policy-nat] quit
[Branch-C]security-policy
[Branch-C-policy-security] default action permit
[Branch-C-policy-security]quit

From the branch (C) switch, ping a public address.

As shown in the figure below:

On the branch (C) firewall, the internal address can be seen translated by NAT.

As shown in the figure below:

4. Headquarters (A) firewall VPN configuration

4.1 Configure the IPSec proposals. Parameters left at their defaults need not be configured. DES with MD5 here (and 3DES with SHA-1 for IKE below) only matches what the lab peers were given; both are deprecated, and a production tunnel should use AES and SHA-2 on all three devices.

[HQ-A] ipsec proposal asa
[HQ-A-ipsec-proposal-asa] esp authentication-algorithm md5
[HQ-A-ipsec-proposal-asa] esp encryption-algorithm des
[HQ-A-ipsec-proposal-asa] quit
[HQ-A] ipsec proposal USG_C
[HQ-A-ipsec-proposal-USG_C] esp authentication-algorithm md5
[HQ-A-ipsec-proposal-USG_C] esp encryption-algorithm des
[HQ-A-ipsec-proposal-USG_C] quit

4.2 Configure the IKE proposals (one per peer; both are identical here). Parameters left at their defaults need not be configured.

[HQ-A] ike proposal 1
[HQ-A-ike-proposal-1] encryption-algorithm 3des
[HQ-A-ike-proposal-1] prf hmac-sha1
[HQ-A-ike-proposal-1] authentication-algorithm sha1
[HQ-A-ike-proposal-1] authentication-method pre-share
[HQ-A-ike-proposal-1] integrity-algorithm hmac-sha1-96
[HQ-A-ike-proposal-1] dh group2
[HQ-A-ike-proposal-1] quit
[HQ-A] ike proposal 2
[HQ-A-ike-proposal-2] encryption-algorithm 3des
[HQ-A-ike-proposal-2] prf hmac-sha1
[HQ-A-ike-proposal-2] authentication-algorithm sha1
[HQ-A-ike-proposal-2] authentication-method pre-share
[HQ-A-ike-proposal-2] integrity-algorithm hmac-sha1-96
[HQ-A-ike-proposal-2] dh group2
[HQ-A-ike-proposal-2] quit

4.3 Configure the IKE peers. The remote-address of each peer is the other firewall's fixed public address, and the pre-shared key must match the one entered on that peer.

[HQ-A] ike peer asa
[HQ-A-ike-peer-asa] ike-proposal 1
[HQ-A-ike-peer-asa] remote-address 223.23.23.23
[HQ-A-ike-peer-asa] pre-shared-key Cisco@123
[HQ-A-ike-peer-asa] quit
[HQ-A] ike peer USG_C
[HQ-A-ike-peer-USG_C] ike-proposal 2
[HQ-A-ike-peer-USG_C] remote-address 123.13.13.13
[HQ-A-ike-peer-USG_C] pre-shared-key Cisco@123
[HQ-A-ike-peer-USG_C] quit

4.4 Define the traffic to be protected (one advanced ACL per tunnel; each must be the mirror image of the ACL on the remote peer)

[HQ-A] acl 3000
[HQ-A-acl-adv-3000] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[HQ-A-acl-adv-3000] quit
[HQ-A] acl 3005
[HQ-A-acl-adv-3005] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
[HQ-A-acl-adv-3005] quit

4.5 Configure the IPSec policies. Both tunnels share one policy group (ipsec) with one sequence number per peer, tying together the ACL, the IPSec proposal and the IKE peer.

[HQ-A] ipsec policy ipsec 10 isakmp
[HQ-A-ipsec-policy-isakmp-ipsec-10] security acl 3000
[HQ-A-ipsec-policy-isakmp-ipsec-10] proposal asa
[HQ-A-ipsec-policy-isakmp-ipsec-10] ike-peer asa
[HQ-A-ipsec-policy-isakmp-ipsec-10] quit
[HQ-A] ipsec policy ipsec 20 isakmp
[HQ-A-ipsec-policy-isakmp-ipsec-20] security acl 3005
[HQ-A-ipsec-policy-isakmp-ipsec-20] proposal USG_C
[HQ-A-ipsec-policy-isakmp-ipsec-20] ike-peer USG_C
[HQ-A-ipsec-policy-isakmp-ipsec-20] quit

4.6 Apply the IPSec policy group on interface GE1/0/0

[HQ-A] interface GigabitEthernet 1/0/0
[HQ-A-GigabitEthernet1/0/0] ipsec policy ipsec
[HQ-A-GigabitEthernet1/0/0] quit

5. Branch (B) firewall VPN configuration

5.1 Configure IKE (the IKEv1 policy mirrors HQ-A's ike proposal 1: 3DES, SHA-1, DH group 2, pre-shared key)

Branch-B(config)# crypto ikev1 enable outside
Branch-B(config)# crypto ikev1 policy 1
Branch-B(config-ikev1-policy)# authentication pre-share
Branch-B(config-ikev1-policy)# encryption 3des
Branch-B(config-ikev1-policy)# hash sha
Branch-B(config-ikev1-policy)# group 2
Branch-B(config-ikev1-policy)# lifetime 86400
Branch-B(config-ikev1-policy)# quit
Branch-B(config)# tunnel-group 111.11.11.11 type ipsec-l2l
Branch-B(config)# tunnel-group 111.11.11.11 ipsec-attributes
Branch-B(config-tunnel-ipsec)# ikev1 pre-shared-key Cisco@123
Branch-B(config-tunnel-ipsec)# quit

5.2 Configure IPSec (the transform set esp-des esp-md5-hmac corresponds to HQ-A's proposal asa)

Branch-B(config)# crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
Branch-B(config)# quit

5.3 Define the interesting traffic (the mirror image of HQ-A's acl 3000)

Branch-B(config)# access-list to-HQ extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
Branch-B(config)# quit

5.4 Build the crypto map that ties the ACL, the peer and the transform set together

Branch-B(config)# crypto map l2l 10 match address to-HQ
Branch-B(config)# crypto map l2l 10 set peer 111.11.11.11
Branch-B(config)# crypto map l2l 10 set ikev1 transform-set trans
Branch-B(config)# quit

5.5 Apply the l2l crypto map to the outside interface

Branch-B(config)# crypto map l2l interface outside

6. Branch (C) firewall VPN configuration

6.1 Configure the IPSec proposal. Parameters left at their defaults need not be configured.

[Branch-C] ipsec proposal USG_A
[Branch-C-ipsec-proposal-USG_A] esp authentication-algorithm md5
[Branch-C-ipsec-proposal-USG_A] esp encryption-algorithm des
[Branch-C-ipsec-proposal-USG_A] quit

6.2 Configure the IKE proposal. Parameters left at their defaults need not be configured.

[Branch-C] ike proposal 2
[Branch-C-ike-proposal-2] encryption-algorithm 3des
[Branch-C-ike-proposal-2] prf hmac-sha1
[Branch-C-ike-proposal-2] authentication-algorithm sha1
[Branch-C-ike-proposal-2] authentication-method pre-share
[Branch-C-ike-proposal-2] integrity-algorithm hmac-sha1-96
[Branch-C-ike-proposal-2] dh group2
[Branch-C-ike-proposal-2] quit

6.3 Configure the IKE peer.

[Branch-C] ike peer USG_A
[Branch-C-ike-peer-USG_A] ike-proposal 2
[Branch-C-ike-peer-USG_A] remote-address 111.11.11.11
[Branch-C-ike-peer-USG_A] pre-shared-key Cisco@123
[Branch-C-ike-peer-USG_A] quit

6.4 Define the traffic to be protected (the mirror image of HQ-A's acl 3005)

[Branch-C] acl 3005
[Branch-C-acl-adv-3005] rule 10 permit ip source 10.3.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Branch-C-acl-adv-3005] quit

6.5 Configure the IPSec policy.

[Branch-C] ipsec policy ipsec 20 isakmp
[Branch-C-ipsec-policy-isakmp-ipsec-20] security acl 3005
[Branch-C-ipsec-policy-isakmp-ipsec-20] proposal USG_A
[Branch-C-ipsec-policy-isakmp-ipsec-20] ike-peer USG_A
[Branch-C-ipsec-policy-isakmp-ipsec-20] quit

6.6 Apply the IPSec policy group on interface GE1/0/0

[Branch-C] interface GigabitEthernet 1/0/0
[Branch-C-GigabitEthernet1/0/0] ipsec policy ipsec
[Branch-C-GigabitEthernet1/0/0] quit
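Before moving on to the NAT exemptions, it is worth confirming that both ends of each tunnel agree on every negotiated parameter, because mismatched proposals, non-mirrored ACLs and wrong peer addresses are the usual reasons an IKE negotiation between different vendors fails. The following Python script is an added example, not code from the original article or from either vendor: it transcribes the values configured above, maps the ASA keywords (hash sha, group 2, esp-des esp-md5-hmac) onto the USG vocabulary with a mapping table of its own, normalises the netmask and wildcard ACL forms to CIDR, and reports any mismatch.

```python
import ipaddress

# Tunnel parameters transcribed from the page's HQ-A (USG), Branch-B (ASA) and
# Branch-C (USG) configs. The keyword map, CIDR normalisation and the checker
# are this example's own, not vendor code.
ASA_KW = {"3des": "3des", "sha": "sha1", "2": "group2", "pre-share": "pre-share",
          "esp-des": "des", "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def cidr(net, mask):
    """ipaddress accepts both a netmask (ASA ACL) and a wildcard/hostmask (USG ACL)."""
    return str(ipaddress.ip_network(f"{net}/{mask}"))

def usg(local_ip, peer, ike, esp, acl_rules):
    return {"local": local_ip, "peer": peer, "ike": tuple(ike), "esp": tuple(esp),
            "flows": sorted((cidr(s, sm), cidr(d, dm)) for s, sm, d, dm in acl_rules)}

def asa(local_ip, peer, ikev1_policy, transform_set, acl_rules):
    """Same record built from ASA keywords, so both ends share one vocabulary."""
    enc, hsh, grp, auth = ikev1_policy
    return usg(local_ip, peer, (ASA_KW[enc], ASA_KW[hsh], ASA_KW[grp], ASA_KW[auth]),
               [ASA_KW[t] for t in transform_set], acl_rules)

def check_tunnel(a, b):
    """Mismatches between the two ends of one tunnel; an empty list means consistent."""
    problems = []
    if (a["peer"], b["peer"]) != (b["local"], a["local"]):
        problems.append("peer addresses do not point at each other")
    if a["ike"] != b["ike"]:
        problems.append(f"IKE proposal mismatch: {a['ike']} vs {b['ike']}")
    if a["esp"] != b["esp"]:
        problems.append(f"IPSec proposal mismatch: {a['esp']} vs {b['esp']}")
    if a["flows"] != sorted((d, s) for s, d in b["flows"]):
        problems.append("protected flows are not mirror images of each other")
    return problems

# Tunnel 1: HQ-A (ike peer asa, acl 3000) <-> Branch-B (crypto map l2l 10)
HQ_TO_B = usg("111.11.11.11", "223.23.23.23", ("3des", "sha1", "group2", "pre-share"),
              ("des", "md5"), [("10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")])
B_TO_HQ = asa("223.23.23.23", "111.11.11.11", ("3des", "sha", "2", "pre-share"),
              ("esp-des", "esp-md5-hmac"),
              [("10.2.2.0", "255.255.255.0", "10.1.1.0", "255.255.255.0")])
# Tunnel 2: HQ-A (ike peer USG_C, acl 3005) <-> Branch-C (ike peer USG_A, acl 3005)
HQ_TO_C = usg("111.11.11.11", "123.13.13.13", ("3des", "sha1", "group2", "pre-share"),
              ("des", "md5"), [("10.1.1.0", "0.0.0.255", "10.3.3.0", "0.0.0.255")])
C_TO_HQ = usg("123.13.13.13", "111.11.11.11", ("3des", "sha1", "group2", "pre-share"),
              ("des", "md5"), [("10.3.3.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")])

if __name__ == "__main__":
    for name, (x, y) in {"HQ<->B": (HQ_TO_B, B_TO_HQ), "HQ<->C": (HQ_TO_C, C_TO_HQ)}.items():
        print(name, check_tunnel(x, y) or "consistent")
```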

7. Excluding the VPN traffic from NAT ("NAT traversal" in the original)

7.1 On the headquarters (A) firewall, define that traffic from 10.1.1.0/24 to 10.2.2.0/24 and from 10.1.1.0/24 to 10.3.3.0/24 is not NAT-translated but forwarded through the VPN tunnels. The USG evaluates NAT rules top to bottom, so this nonat rule must be placed above the to_Internet easy-ip rule created earlier (for example with rule move nonat before to_Internet in nat-policy view); entered after it, as below, it would never be reached and the flow would be translated before IPSec sees it.

Configuration:

[HQ-A]ip address-set local_address type object
[HQ-A-object-address-set-local_address] address 0 10.1.1.0 mask 24
[HQ-A-object-address-set-local_address]quit
[HQ-A] ip address-set remote_address type object
[HQ-A-object-address-set-remote_address] address 0 10.2.2.0 mask 24
[HQ-A-object-address-set-remote_address] address 1 10.3.3.0 mask 24
[HQ-A-object-address-set-remote_address]quit
[HQ-A]nat-policy
[HQ-A-policy-nat] rule name nonat
[HQ-A-policy-nat-rule-nonat] source-zone trust
[HQ-A-policy-nat-rule-nonat] destination-zone untrust
[HQ-A-policy-nat-rule-nonat] source-address address-set local_address
[HQ-A-policy-nat-rule-nonat] destination-address address-set remote_address
[HQ-A-policy-nat-rule-nonat] action no-nat

7.2 On the branch (B) firewall, define that traffic from 10.2.2.0/24 to 10.1.1.0/24 is not NAT-translated but forwarded through the VPN tunnel. This is a manual (twice) NAT rule, which the ASA evaluates before the object NAT rule to-Internet, so no reordering is needed here.

Configuration:

Branch-B(config)# object network local-address
Branch-B(config-network-object)# subnet 10.2.2.0 255.255.255.0
Branch-B(config-network-object)# quit
Branch-B(config)# object network remote-address
Branch-B(config-network-object)# subnet 10.1.1.0 255.255.255.0
Branch-B(config-network-object)# quit
Branch-B(config)# nat (inside,outside) source static local-address local-address destination static remote-address remote-address

7.3 On the branch (C) firewall, define that traffic from 10.3.3.0/24 to 10.1.1.0/24 is not NAT-translated but forwarded through the VPN tunnel. As on the USG at headquarters, this nonat rule must sit above the to_Internet easy-ip rule in the NAT policy or it will never match.

Configuration:

ip address-set local_address type object
 address 0 10.3.3.0 mask 24
quit
ip address-set remote_address type object
 address 0 10.1.1.0 mask 24
quit
nat-policy
 rule name nonat
  source-zone trust
  destination-zone untrust
  source-address address-set local_address
  destination-address address-set remote_address
  action no-nat
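The rule order in the USG NAT policy is the part of this step that most often goes wrong: the policy is matched top to bottom, so a no-nat rule entered after the easy-ip rule is never reached. The following Python model is an added example, not code from the article or from Huawei: it replays HQ-A's NAT policy and IPSec ACLs against a constructed PC1-to-PC2 packet, shows that with the page's order the source is translated and no longer matches acl 3000, and shows that moving nonat above to_Internet (the effect assumed here for rule move nonat before to_Internet in nat-policy view) fixes the tunnel while Internet-bound traffic is still translated. Zone checks are left out of the model.

```python
import ipaddress

# Constructed model of HQ-A's NAT policy in the order entered on the page
# (easy-ip rule first, nonat second) and of IPSec ACLs 3000 and 3005.
# Zones are ignored; every flow modelled here is trust -> untrust.
HQ_PUBLIC_IP = "111.11.11.11"  # GE1/0/0 address that easy-ip translates to
HQ_NAT_POLICY = [
    {"name": "to_Internet", "src": ["10.1.1.0/24"], "dst": ["0.0.0.0/0"], "action": "easy-ip"},
    {"name": "nonat", "src": ["10.1.1.0/24"], "dst": ["10.2.2.0/24", "10.3.3.0/24"], "action": "no-nat"},
]
HQ_IPSEC_ACL = [("10.1.1.0/24", "10.2.2.0/24"),   # acl 3000 -> ike peer asa
                ("10.1.1.0/24", "10.3.3.0/24")]   # acl 3005 -> ike peer USG_C

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def apply_nat(policy, src, dst):
    """First matching rule wins, as on the USG; returns the post-NAT source."""
    for rule in policy:
        if in_any(src, rule["src"]) and in_any(dst, rule["dst"]):
            return src if rule["action"] == "no-nat" else HQ_PUBLIC_IP
    return src  # no rule matched: no translation

def matches_ipsec_acl(acl, src, dst):
    return any(in_any(src, [s]) and in_any(dst, [d]) for s, d in acl)

def move_rule_before(policy, name, before):
    """Reorders like `rule move <name> before <before>` (assumed USG syntax)."""
    rule = next(r for r in policy if r["name"] == name)
    rest = [r for r in policy if r["name"] != name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == before)
    return rest[:idx] + [rule] + rest[idx:]

def tunnel_eligible(policy, src, dst):
    """NAT runs before IPSec on the USG: the flow enters the tunnel only if it
    still matches the IPSec ACL after translation."""
    return matches_ipsec_acl(HQ_IPSEC_ACL, apply_nat(policy, src, dst), dst)

if __name__ == "__main__":
    pkt = ("10.1.1.10", "10.2.2.10")                 # constructed PC1 -> PC2 packet
    print(tunnel_eligible(HQ_NAT_POLICY, *pkt))      # False: translated to 111.11.11.11 first
    fixed = move_rule_before(HQ_NAT_POLICY, "nonat", "to_Internet")
    print(tunnel_eligible(fixed, *pkt))              # True
    print(apply_nat(fixed, "10.1.1.10", "203.0.113.10"))  # 111.11.11.11: Internet still NATed
```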

IV. Result verification

1. Ping

From the headquarters switch and the branch switches, ping the remote site's gateway, sourcing the ping from the local VLAN gateway address so that the packets fall inside the subnets matched by the IPSec ACLs rather than the 10.x.255.0/24 link subnets (for example ping 10.2.2.1 source 10.1.1.1 on the headquarters switch).

As shown in the figure below:

2. Check the IKE information

On the headquarters (A) firewall, the corresponding IKE information can be seen (for example with display ike sa and display ipsec sa).

As shown in the figure below:

On the branch (B) firewall, IKE negotiation has completed and the IPSec SA is established (for example with show crypto ikev1 sa and show crypto ipsec sa).

As shown in the figure below:

On the branch (C) firewall, the corresponding IKE information is also visible.

As shown in the figure below:

V. Device information

Used in this lab:

USG firmware: Version 5.160

ASA software: Version 9.4(1)200

Switches: no special requirement, any Layer 3 capable switch

Original article: https://kuaibao.qq.com/s/20181214A1BXHI00?refer=cp_1026 (republished on the Tencent Cloud Developer Community)