
IPsec VPN hands-on configuration: building a LAN-to-LAN (L2L) IPsec VPN between a Huawei USG and a Juniper SRX

I. Case description

This example shows how to build a site-to-site (LAN-to-LAN, L2L) IPsec VPN when a Huawei USG series firewall and a Juniper SRX series firewall are the Internet edge devices of their respective sites and both also perform NAT for their LANs. Note that the NAT in this case is the source NAT each firewall performs for its own users; both firewalls hold their public addresses directly on the outside interface, so there is no NAT device between the two IKE peers and NAT traversal (NAT-T) is not involved.

II. Network topology

(See the topology figure in the original post.)

Headquarters (site A) uses the USG and the branch office (site B) uses the SRX.

Tip: sketch the topology and label every port and IP address before you start; it makes the later steps much easier to check.

Topology notes:

The USG and the SRX each connect directly to the Internet.
The USG and the SRX can reach each other over the public network.
Both the USG and the SRX have fixed public IP addresses.
Both the USG and the SRX also act as NAT gateways for their LANs.

Requirements:

PC1 and PC2 can both reach the Internet directly (through NAT).
An IPsec tunnel is established between the USG and the SRX.
PC2 at the branch can communicate securely with PC1 at headquarters through that tunnel.

III. Configuration approach

1. Complete the basic configuration on the USG and the SRX: interfaces, security policies and routes.
2. Configure source NAT on the USG and the SRX so that PC1 and PC2 reach the Internet through translated addresses.
3. Configure IPsec on the USG and the SRX. Traffic between PC1 and PC2 that belongs in the IPsec tunnel must keep its original private addresses when it is matched against the IPsec policy, i.e. it must not be source-NATed before encapsulation.

IV. Configuration steps

1. HQ USG firewall: basic configuration

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 111.11.11.11 255.255.255.240
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
 ipsec policy ipsec
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.11.255.1 255.255.255.252
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
#
ip route-static 0.0.0.0 0.0.0.0 111.11.11.1
ip route-static 10.1.1.0 255.255.255.0 10.11.255.2
#

GigabitEthernet1/0/0 is the public (untrust) interface and GigabitEthernet1/0/1 faces the HQ switch (trust). The line "ipsec policy ipsec" on GE1/0/0 binds the IPsec policy group created in step 7 to the Internet interface. Note that "service-manage telnet permit" on a public interface exposes an unencrypted management protocol to the whole Internet; outside a lab, permit only ssh (and ping if you need it) on GE1/0/0.

2. HQ switch: basic configuration

interface Ethernet0/0
 no switchport
 ip address 10.11.255.2 255.255.255.252
 no shutdown
!
vlan 110
!
interface Vlan110
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.11.255.1
!

Ethernet0/0 is the routed uplink to the USG; VLAN 110 (10.1.1.1/24) is the HQ user VLAN where PC1 sits. The access port for PC1 is not shown in the original.

3. Branch SRX firewall: basic configuration

set interfaces ge-0/0/0 unit 0 family inet address 222.22.22.18/28
set interfaces ge-0/0/1 unit 0 family inet address 10.22.255.1/30
set routing-options static route 10.2.2.0/24 next-hop 10.22.255.2
set routing-options static route 0.0.0.0/0 next-hop 222.22.22.17

ge-0/0/0 is the public (untrust) interface and ge-0/0/1 faces the branch switch (trust). The zone bindings of these two interfaces belong to the basic configuration summarised in section III and are not listed in the original.

4. Branch switch: basic configuration

interface Ethernet0/0
 no switchport
 ip address 10.22.255.2 255.255.255.252
 no shutdown
!
vlan 10
!
interface Vlan10
 ip address 10.2.2.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 no shutdown
!

Ethernet0/0 is the routed uplink to the SRX, VLAN 10 (10.2.2.1/24) is the branch user VLAN, and Ethernet0/1 is the access port for PC2.

5. HQ USG firewall: NAT configuration

ip address-set mappd_add type object
 address 0 10.1.1.0 mask 24
#
security-policy
 default action permit
#
nat-policy
 rule name to_public
  source-zone trust
  destination-zone untrust
  source-address address-set mappd_add
  action nat easy-ip
#

The rule to_public is a NAT policy rule and must sit under nat-policy; the original listing drops that context line. "action nat easy-ip" is the V100R001 keyword; V500R001 releases write the same thing as "action source-nat easy-ip", so if the device rejects the line, check the release. Easy IP translates the source to the address of the outbound interface (GE1/0/0), so no separate address pool is needed.

"default action permit" in security-policy is a lab shortcut: it allows every zone pair, so the firewall is effectively a router with NAT. In production keep the default at deny and write explicit rules: trust to untrust for Internet access, trust to untrust and untrust to trust for the 10.1.1.0/24 and 10.2.2.0/24 tunnel traffic, and untrust to local for IKE (UDP 500 and 4500) and ESP addressed to the USG's own public address.

From the HQ switch, ping a public address. (See the figure in the original post.)

In the USG session table you can see that the internal address has been translated to the public address. (See the figure in the original post.)

6. Branch SRX firewall: NAT configuration

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

This is interface-based source NAT: every session from the trust zone to the untrust zone is translated to the address of the egress interface (ge-0/0/0). The match on 0.0.0.0/0 is deliberately broad, so it also catches the VPN traffic unless an exemption is placed ahead of it.

From the branch switch, ping a public address. (See the figure in the original post.)
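Neither NAT configuration above exempts the tunnel traffic, although section III requires that traffic between 10.1.1.0/24 and 10.2.2.0/24 bypass source NAT. On both platforms source NAT is applied before IPsec encapsulation, so a packet from 10.1.1.x to 10.2.2.x would be rewritten to carry the public address as its source, would no longer match ACL 3001 on the USG (or the proxy IDs on the SRX), and would leave the firewall unencrypted. The rules below, added here as an example and not part of the original post, exempt that traffic on each side and are ordered ahead of the catch-all rules from steps 5 and 6. The names no_nat_vpn, remote_lan and no-nat-vpn are the editor's own choices.

```text
# --- Huawei USG (HQ): a no-nat rule for the tunnel traffic, placed ahead of to_public ---
ip address-set remote_lan type object
 address 0 10.2.2.0 mask 24
#
nat-policy
 rule name no_nat_vpn
  source-zone trust
  destination-zone untrust
  source-address address-set mappd_add
  destination-address address-set remote_lan
  action no-nat
 rule move no_nat_vpn before to_public
#

# --- Juniper SRX (branch): source-nat off for the tunnel traffic, inserted before source-nat-rule ---
set security nat source rule-set trust-to-untrust rule no-nat-vpn match source-address 10.2.2.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-vpn before rule source-nat-rule
```

Rule order is the whole point: NAT rules are evaluated top down and the first match wins, so the exemption has to precede the 0.0.0.0/0 rule on the SRX and the mappd_add rule on the USG. After committing, send traffic from PC2 to PC1 and confirm in each firewall's session table that the 10.2.2.x to 10.1.1.x session shows no source translation.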

7. HQ USG firewall: VPN configuration

(1) Configure the IPsec proposal. Parameters left at their defaults need not be entered.

ipsec proposal srx
 esp authentication-algorithm md5
 esp encryption-algorithm des

(2) Configure the IKE proposal. Parameters left at their defaults need not be entered.

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96
 prf hmac-sha1

(3) Configure the IKE peer.

ike peer srx
 pre-shared-key cisco@123
 ike-proposal 10
 remote-address 222.22.22.18

(4) Define the traffic to be protected.

Configure advanced ACL 3001 to permit the 10.1.1.0/24 segment to reach the 10.2.2.0/24 segment. (The original text says 10.1.2.0/24, which contradicts the rule itself; the branch LAN is 10.2.2.0/24.)

acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255

(5) Configure the IPsec policy.

ipsec policy ipsec 10 isakmp
 security acl 3001
 ike-peer srx
 proposal srx
 sa trigger-mode auto
 sa duration traffic-based 5242880

(6) Apply IPsec policy group ipsec to interface GE1/0/0 (the step 1 listing already contains this line).

interface GigabitEthernet 1/0/0
 ipsec policy ipsec

Caveats. The algorithms chosen here match the SRX side, which is all IKE needs to bring the tunnel up, but they are weak: DES (56-bit key) and MD5 for ESP, 3DES, SHA-1 and DH group 2 (1024-bit MODP) for IKE. Use them only to reproduce the lab; for a real tunnel choose AES-256, SHA-2 and DH group 14 or higher on both ends, and enable PFS. The pre-shared key cisco@123 is a placeholder: use a long random secret that is unique to this peer. Also keep in mind that the SRX gateway in step 8 is pinned to IKEv1, so the USG peer must negotiate IKEv1 too; in this lab the SRX initiates immediately and the USG answers, which works, but if the USG initiates with IKEv2 enabled on the peer the negotiation will not match.

8. Branch SRX firewall: VPN configuration

(1) Configure IKE (phase 1)

set security ike proposal l2l authentication-method pre-shared-keys
set security ike proposal l2l dh-group group2
set security ike proposal l2l authentication-algorithm sha1
set security ike proposal l2l encryption-algorithm 3des-cbc
set security ike proposal l2l lifetime-seconds 86400
set security ike policy l2l mode main
set security ike policy l2l proposals l2l
set security ike policy l2l pre-shared-key ascii-text cisco@123
set security ike gateway l2l ike-policy l2l
set security ike gateway l2l address 111.11.11.11
set security ike gateway l2l external-interface ge-0/0/0.0
set security ike gateway l2l version v1-only

The proposal mirrors ike proposal 10 on the USG (3DES, SHA-1, group 2, pre-shared key), main mode is used because both peers have fixed addresses, and the gateway is pinned to IKEv1. The pre-shared key is stored hashed in the committed configuration, but the value itself must be identical to the one on the USG.

(2) Configure IPsec (phase 2)

set security ipsec proposal trans1 protocol esp
set security ipsec proposal trans1 authentication-algorithm hmac-md5-96
set security ipsec proposal trans1 encryption-algorithm des-cbc
set security ipsec proposal trans1 lifetime-seconds 3600
set security ipsec policy l2l proposals trans1
set security ipsec vpn l2l ike gateway l2l
set security ipsec vpn l2l ike ipsec-policy l2l
set security ipsec vpn l2l establish-tunnels immediately

trans1 mirrors ipsec proposal srx on the USG (ESP with DES and MD5). "establish-tunnels immediately" makes the SRX bring the tunnel up right after commit instead of waiting for interesting traffic, which is why the SRX is the initiator in this lab.

(3) Define the interesting traffic

set security zones security-zone trust address-book address local-address01 10.2.2.0/24
set security zones security-zone untrust address-book address remote-address01 10.1.1.0/24

This is a policy-based VPN, so the SRX derives the phase 2 proxy IDs from the source and destination addresses of the policies below: local 10.2.2.0/24, remote 10.1.1.0/24. These must be the exact mirror image of ACL 3001 on the USG (source 10.1.1.0/24, destination 10.2.2.0/24); any mismatch fails phase 2 with a proxy-ID error even though phase 1 succeeds.

(4) Bind the policies in both directions to the VPN

set security policies from-zone trust to-zone untrust policy l2l01 match source-address local-address01
set security policies from-zone trust to-zone untrust policy l2l01 match destination-address remote-address01
set security policies from-zone trust to-zone untrust policy l2l01 match application any
set security policies from-zone trust to-zone untrust policy l2l01 then permit tunnel ipsec-vpn l2l
set security policies from-zone untrust to-zone trust policy l2l01 match source-address remote-address01
set security policies from-zone untrust to-zone trust policy l2l01 match destination-address local-address01
set security policies from-zone untrust to-zone trust policy l2l01 match application any
set security policies from-zone untrust to-zone trust policy l2l01 then permit tunnel ipsec-vpn l2l

Both policies must be placed above any broader trust-to-untrust permit rule, otherwise the traffic matches the general rule, is not sent into the tunnel, and is source-NATed toward the Internet instead.
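The proposals in steps 7 and 8 interoperate but use DES, MD5, 3DES, SHA-1 and DH group 2, none of which should protect real traffic. The fragment below is an added example, not part of the original post, showing the same proposals rewritten with AES-256, SHA-256 and DH group 14 plus PFS on both ends, with the USG peer pinned to IKEv1 to match the SRX gateway. It keeps the original object names (srx, 10, l2l, trans1) so it drops in over the step 7 and step 8 configuration; the USG keywords are the V500R001 forms, and the pre-shared key placeholders must be replaced by one long random secret entered identically on both sides.

```text
# --- Huawei USG (HQ): replace the DES/MD5 ESP proposal and the 3DES/SHA-1/group2 IKE proposal ---
ipsec proposal srx
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer srx
 undo version 2
 pre-shared-key <long-random-secret>
 ike-proposal 10
 remote-address 222.22.22.18
#
ipsec policy ipsec 10 isakmp
 pfs dh-group14
#

# --- Juniper SRX (branch): the matching proposals (other lines from step 8 stay as they are) ---
set security ike proposal l2l dh-group group14
set security ike proposal l2l authentication-algorithm sha-256
set security ike proposal l2l encryption-algorithm aes-256-cbc
set security ike policy l2l pre-shared-key ascii-text "<long-random-secret>"
set security ipsec proposal trans1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal trans1 encryption-algorithm aes-256-cbc
set security ipsec policy l2l perfect-forward-secrecy keys group14
```

Every value must agree pairwise: the IKE cipher, hash and DH group, the ESP cipher and integrity algorithm, and the PFS group, otherwise phase 1 or phase 2 fails with a "no proposal chosen" style error. The lifetimes from the original (86400 s for IKE, 3600 s for IPsec) are unchanged and already match the USG defaults.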

V. Verification

1. Ping test

From the switch on the USG side and from the switch on the SRX side, ping the LAN gateway address of the remote site (10.2.2.1 from HQ, 10.1.1.1 from the branch). (See the figure in the original post.)

2. Check the VPN status

On the SRX you can see that IKE has negotiated successfully and the IPsec SA is established. (See the figure in the original post.)

On the USG you can see the corresponding IKE SA. (See the figure in the original post.)
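The screenshots referenced above are not reproduced here, so the commands that produce them, with the values you should expect for this topology, are listed below as an added example (not part of the original post). The two zone lines at the end are the SRX prerequisites that section III leaves to the basic configuration; without them the SRX never answers the IKE request on ge-0/0/0.

```text
# --- Huawei USG (HQ) ---
display ike sa                    # phase 1 SA to peer 222.22.22.18 with flag RD (ready)
display ipsec sa                  # phase 2: one inbound and one outbound ESP SA for ACL 3001
display firewall session table    # the 10.1.1.x -> 10.2.2.x sessions must show no source translation

# --- Juniper SRX (branch) ---
show security ike security-associations      # State UP, Mode Main, Remote Address 111.11.11.11
show security ipsec security-associations    # one inbound and one outbound SA for gateway l2l
show security ipsec statistics               # Encrypted and Decrypted counters rise while PC2 pings PC1
show security flow session destination-prefix 10.1.1.0/24   # tunnel sessions, no source NAT applied

# --- SRX prerequisites if phase 1 never starts: interfaces bound to zones, IKE accepted on untrust ---
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
```

Read the two sides together: if the USG shows an IKE SA but no IPsec SA, phase 1 succeeded and phase 2 failed, which between these two vendors almost always means the proxy IDs (ACL 3001 versus the SRX policy addresses) or the ESP proposals do not mirror each other. If both SAs exist but the ping fails, check the session tables for a source translation that the NAT exemption should have prevented.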

VI. Device information

Used in this lab:

SRX: Junos Version 12.1X47-D20.7
USG: Version 5.160
Switches: no special requirement; any Layer 3 switch will do.

Original link: https://kuaibao.qq.com/s/20181228A16RNX00?refer=cp_1026
Republished by the Tencent Cloud Developer Community from a Tencent Content Open Platform (企鹅号) account.
