I. Case Description
This example shows how to build a point-to-point L2L (LAN-to-LAN) IPSec VPN between a Huawei USG-series firewall and a Juniper SRX-series firewall when both are the Internet edge devices and both also perform NAT.
II. Network Topology
As shown in the figure below:
Headquarters (A) uses the USG and the branch office (B) uses the SRX.
(It is recommended to draw a sketch with the ports and IP addresses marked, for later reference.)
Network description:
The USG and the SRX each connect to the Internet.
The public addresses of the USG and the SRX are reachable from each other.
Both the USG and the SRX have fixed public IP addresses.
The USG and the SRX are also the NAT gateways for their sites.
Requirements:
PC1 and PC2 can both access the Internet directly.
An IPSec tunnel is established between the USG and the SRX.
Branch PC2 can communicate securely with headquarters PC1.
III. Configuration Approach
Complete the basic interface, security policy and routing configuration on the USG and the SRX.
Configure source NAT on the USG and the SRX so that PC1 and PC2 can reach the Internet after address translation.
Configure IPSec on the USG and the SRX. Traffic between PC1 and PC2 that goes through the IPSec tunnel must not be NAT-translated.
IV. Configuration Steps
1. Headquarters USG firewall basic configuration
interface GigabitEthernet1/0/0
undo shutdown
ip address 111.11.11.11 255.255.255.240
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
ipsec policy ipsec
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.11.255.1 255.255.255.252
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
ip route-static 0.0.0.0 0.0.0.0 111.11.11.1
ip route-static 10.1.1.0 255.255.255.0 10.11.255.2
#
2. Headquarters switch basic configuration
interface Ethernet0/0
no switchport
ip address 10.11.255.2 255.255.255.252
no shutdown
!
vlan 110
!
interface Vlan110
ip address 10.1.1.1 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.11.255.1
!
3. Branch SRX firewall basic configuration
set interfaces ge-0/0/0 unit 0 family inet address 222.22.22.18/28
set interfaces ge-0/0/1 unit 0 family inet address 10.22.255.1/30
set routing-options static route 10.2.2.0/24 next-hop 10.22.255.2
set routing-options static route 0.0.0.0/0 next-hop 222.22.22.17
4. Branch switch basic configuration
interface Ethernet0/0
no switchport
ip address 10.22.255.2 255.255.255.252
no shutdown
!
vlan 10
!
interface Vlan10
ip address 10.2.2.1 255.255.255.0
no shutdown
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
no shutdown
!
5. Headquarters USG firewall NAT configuration
ip address-set mappd_add type object
address 0 10.1.1.0 mask 24
#
security-policy
default action permit
quit
#
rule name to_public
source-zone trust
destination-zone untrust
source-address address-set mappd_add
action nat easy-ip
#
Ping a public address from the headquarters switch.
As shown in the figure below:
On the USG firewall you can see that the internal address has been translated to the public address.
As shown in the figure below:
6. Branch SRX firewall NAT configuration
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
Ping a public address from the branch switch.
As shown in the figure below:
7. Headquarters USG firewall VPN configuration
Configure the IPSec proposal. Parameters left at their default values need not be configured.
ipsec proposal srx
esp authentication-algorithm md5
esp encryption-algorithm des
Configure the IKE proposal. Parameters left at their default values need not be configured.
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1
Configure the IKE peer.
ike peer srx
pre-shared-key cisco@123
ike-proposal 10
remote-address 222.22.22.18
Define the traffic to be protected.
Configure advanced ACL 3001 to permit the 10.1.1.0/24 segment to access the 10.2.2.0/24 segment.
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
Configure the IPSec policy.
ipsec policy ipsec 10 isakmp
security acl 3001
ike-peer srx
proposal srx
sa trigger-mode auto
sa duration traffic-based 5242880
Apply the IPSec policy group ipsec on interface GE1/0/0.
interface GigabitEthernet 1/0/0
ipsec policy ipsec
8. Branch SRX firewall VPN configuration
Configure IKE.
set security ike proposal l2l authentication-method pre-shared-keys
set security ike proposal l2l dh-group group2
set security ike proposal l2l authentication-algorithm sha1
set security ike proposal l2l encryption-algorithm 3des-cbc
set security ike proposal l2l lifetime-seconds 86400
set security ike policy l2l mode main
set security ike policy l2l proposals l2l
set security ike policy l2l pre-shared-key ascii-text cisco@123
set security ike gateway l2l ike-policy l2l
set security ike gateway l2l address 111.11.11.11
set security ike gateway l2l external-interface ge-0/0/0.0
set security ike gateway l2l version v1-only
Configure IPSec.
set security ipsec proposal trans1 protocol esp
set security ipsec proposal trans1 authentication-algorithm hmac-md5-96
set security ipsec proposal trans1 encryption-algorithm des-cbc
set security ipsec proposal trans1 lifetime-seconds 3600
set security ipsec policy l2l proposals trans1
set security ipsec vpn l2l ike gateway l2l
set security ipsec vpn l2l ike ipsec-policy l2l
set security ipsec vpn l2l establish-tunnels immediately
Define the interesting traffic.
set security zones security-zone trust address-book address local-address01 10.2.2.0/24
set security zones security-zone untrust address-book address remote-address01 10.1.1.0/24
Associate the security policies in both directions with the VPN.
set security policies from-zone trust to-zone untrust policy l2l01 match source-address local-address01
set security policies from-zone trust to-zone untrust policy l2l01 match destination-address remote-address01
set security policies from-zone trust to-zone untrust policy l2l01 match application any
set security policies from-zone trust to-zone untrust policy l2l01 then permit tunnel ipsec-vpn l2l
set security policies from-zone untrust to-zone trust policy l2l01 match source-address remote-address01
set security policies from-zone untrust to-zone trust policy l2l01 match destination-address local-address01
set security policies from-zone untrust to-zone trust policy l2l01 match application any
set security policies from-zone untrust to-zone trust policy l2l01 then permit tunnel ipsec-vpn l2l
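The tunnel in steps 7 and 8 only comes up if the IKE proposal, the IPSec proposal, the pre-shared key and the protected networks agree on both firewalls, and the two vendors spell the same algorithms differently (3des versus 3des-cbc, md5 versus hmac-md5-96, pre-share versus pre-shared-keys). The following Python script is an added example, not part of the original article and not a tool from either vendor: it parses the USG and SRX lines from steps 7 and 8 (copied into the script as constructed input), normalizes the algorithm names, checks that ACL 3001 mirrors the SRX address book, and reports any mismatch along with the algorithms that are considered weak today. The function names, the CANON and KEYS tables and the dictionary layout are the example's own.

```python
import ipaddress
import re

# Constructed input: the VPN-relevant lines from steps 7 and 8 above.
USG_CONFIG = """\
ipsec proposal srx
 esp authentication-algorithm md5
 esp encryption-algorithm des
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
ike peer srx
 pre-shared-key cisco@123
 ike-proposal 10
 remote-address 222.22.22.18
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
"""

SRX_CONFIG = """\
set security ike proposal l2l authentication-method pre-shared-keys
set security ike proposal l2l dh-group group2
set security ike proposal l2l authentication-algorithm sha1
set security ike proposal l2l encryption-algorithm 3des-cbc
set security ike policy l2l mode main
set security ike policy l2l pre-shared-key ascii-text cisco@123
set security ike gateway l2l address 111.11.11.11
set security ipsec proposal trans1 protocol esp
set security ipsec proposal trans1 authentication-algorithm hmac-md5-96
set security ipsec proposal trans1 encryption-algorithm des-cbc
set security zones security-zone trust address-book address local-address01 10.2.2.0/24
set security zones security-zone untrust address-book address remote-address01 10.1.1.0/24
"""

# Vendor spellings mapped to one canonical name (example's own table).
CANON = {"3des-cbc": "3des", "des-cbc": "des", "hmac-md5-96": "md5",
         "hmac-sha1-96": "sha1", "pre-share": "psk", "pre-shared-keys": "psk"}
# Parameter keywords of both vendors mapped to one slot name.
KEYS = {"encryption-algorithm": "enc", "authentication-algorithm": "auth",
        "dh": "dh", "dh-group": "dh", "authentication-method": "method", "protocol": "proto"}
WEAK = {"des", "3des", "md5", "group2"}  # no longer acceptable for a new tunnel


def canon(name):
    return CANON.get(name, name)


def parse_usg(text):
    """Huawei USG: an unindented line opens a section, indented lines carry its parameters."""
    side, section = {"ike": {}, "ipsec": {}}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):
            section = " ".join(w[:2])          # e.g. 'ike proposal', 'acl number'
            continue
        if section == "ipsec proposal" and w[0] == "esp":
            side["ipsec"]["proto"] = "esp"
            side["ipsec"]["auth" if w[1].startswith("auth") else "enc"] = canon(w[2])
        elif section == "ike proposal" and w[0] in KEYS:
            side["ike"][KEYS[w[0]]] = canon(w[1])
        elif section == "ike peer" and w[0] == "pre-shared-key":
            side["psk"] = w[1]
        elif section == "acl number" and w[0] == "rule":
            # ipaddress accepts the wildcard (hostmask) form '10.1.1.0/0.0.0.255'
            m = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", line)
            side["local"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            side["remote"] = ipaddress.ip_network(f"{m[3]}/{m[4]}")
    return side


def parse_srx(text):
    """Junos 'set' form: each line carries its full path, so no section tracking is needed."""
    side = {"ike": {}, "ipsec": {}}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 7 or w[:2] != ["set", "security"]:
            continue
        phase, obj, key = w[2], w[3], w[5]
        if phase in ("ike", "ipsec") and obj == "proposal" and key in KEYS:
            side[phase][KEYS[key]] = canon(w[6])
        elif phase == "ike" and obj == "policy" and key == "pre-shared-key":
            side["psk"] = w[7]                  # 'pre-shared-key ascii-text <key>'
        elif phase == "zones" and "address-book" in w:
            side["local" if w[4] == "trust" else "remote"] = ipaddress.ip_network(w[-1])
    return side


def check_tunnel(usg, srx):
    """Return (mismatches, weak_algorithms) for two parsed sides."""
    mismatches = []
    for phase in ("ike", "ipsec"):
        for key in sorted(set(usg[phase]) | set(srx[phase])):
            if usg[phase].get(key) != srx[phase].get(key):
                mismatches.append(f"{phase} {key}: USG={usg[phase].get(key)} SRX={srx[phase].get(key)}")
    if usg.get("psk") != srx.get("psk"):
        mismatches.append("pre-shared key differs")
    # The USG's local network must be the SRX's remote network and vice versa (proxy IDs).
    if usg.get("local") != srx.get("remote") or usg.get("remote") != srx.get("local"):
        mismatches.append("protected networks do not mirror (ACL 3001 vs. SRX address book)")
    weak = sorted({v for s in (usg, srx) for p in ("ike", "ipsec") for v in s[p].values() if v in WEAK})
    return mismatches, weak


if __name__ == "__main__":
    problems, weak = check_tunnel(parse_usg(USG_CONFIG), parse_srx(SRX_CONFIG))
    print("mismatches:", problems or "none")
    print("weak algorithms in use:", weak)
```

Run it as a script, or import check_tunnel() and feed it other configuration pairs. On the page's configuration it reports no mismatches, which is why the tunnel negotiates in the verification section; it does flag DES, 3DES, MD5 and DH group 2, which this lab uses on both sides. A production tunnel would use AES and SHA-2 with a stronger DH group on both ends, and the same check then stays clean as long as the two sides are changed together.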
V. Verification
1. Ping test
On the switches on the USG side and the SRX side, ping the far end with the gateway (VLAN interface) address as the source, so that the traffic falls within the protected subnets.
As shown in the figure below:
2. View VPN information
On the SRX firewall you can see that IKE negotiation has succeeded and the IPSec SA has been established.
As shown in the figure below:
The corresponding IKE information can also be seen on the USG firewall.
As shown in the figure below:
VI. Device Information
In this lab:
SRX version: Version 12.1X47-D20.7
USG version: Version 5.160
Switch version: no special requirement; any switch with Layer 3 support will do.