Procedure on the Firewall Side
Procedure
- Log in to the command-line configuration interface of the firewall.
- Configure basic information.
- Configure the negotiation policies.

```
ike proposal 100   //IKE policy between the firewall public IP address and the primary EIP of the VPN gateway
 authentication-algorithm SHA2-256   //Must match the IKE policy authentication algorithm configured in Table 3
 encryption-algorithm AES-128   //Must match the IKE policy encryption algorithm configured in Table 3
 authentication-method pre-share
 integrity-algorithm HMAC-SHA2-256
 prf HMAC-SHA2-256
 dh group15   //Must match the IKE policy DH algorithm configured in Table 3
 sa duration 86400   //Must match the IKE policy lifetime configured in Table 3
ike peer hwcloud_peer33
 undo version 2   //Must match the IKE version of the IKE policy configured in Table 3
 pre-shared-key XXXXXXX   //Must match the pre-shared key configured in Table 3
 ike-proposal 100
 remote-address 1.1.1.2   //Must match the primary EIP of the VPN gateway
ipsec proposal IPsec-hwcloud100   //IPsec policy between the firewall public IP address and the primary EIP of the VPN gateway
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm SHA2-256   //Must match the IPsec policy authentication algorithm configured in Table 3
 esp encryption-algorithm aes-128   //Must match the IPsec policy encryption algorithm configured in Table 3
ike proposal 200   //Configuration between the firewall public IP address and the standby EIP of the VPN gateway; same rules as above
 authentication-algorithm SHA2-256
 encryption-algorithm AES-128
 authentication-method pre-share
 integrity-algorithm HMAC-SHA2-256
 prf HMAC-SHA2-256
 dh group15
 sa duration 86400
ike peer hwcloud_peer44
 undo version 2
 pre-shared-key XXXXXXX
 ike-proposal 200
 remote-address 2.2.2.2   //Must match the standby EIP of the VPN gateway
ipsec proposal IPsec-hwcloud200
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm SHA2-256
 esp encryption-algorithm aes-128
```
- Configure the tunnel connections.

```
ipsec profile HW-IPsec100   //IPsec profile applied to the tunnel interface of the firewall public IP address
 ike-peer hwcloud_peer33
 proposal IPsec-hwcloud100
 pfs dh-group15   //Must match the IPsec policy PFS configured in Table 3
 sa duration time-based 3600   //Must match the IPsec policy lifetime configured in Table 3
ipsec profile HW-IPsec200   //IPsec profile for the standby EIP tunnel, referenced by Tunnel200 below; same rules as above
 ike-peer hwcloud_peer44
 proposal IPsec-hwcloud200
 pfs dh-group15
 sa duration time-based 3600
interface Tunnel100   //Route-based tunnel interface for the firewall public IP address
 ip address 169.254.70.1 255.255.255.252   //IP address of tunnel interface 1 on the firewall
 tunnel-protocol ipsec
 source 1.1.1.1   //Public IP address of the firewall
 destination 1.1.1.2   //Primary EIP of the VPN gateway
 service-manage ping permit
 ipsec profile HW-IPsec100
firewall zone untrust
 add interface Tunnel100
interface Tunnel200
 ip address 169.254.71.1 255.255.255.252   //IP address of tunnel interface 2 on the firewall
 tunnel-protocol ipsec
 source 1.1.1.1   //Public IP address of the firewall
 destination 2.2.2.2   //Standby EIP of the VPN gateway
 service-manage ping permit
 ipsec profile HW-IPsec200
firewall zone untrust
 add interface Tunnel200
```
- Configure routing information.
  - Configure static routes to the Huawei Cloud public IP addresses.

    ```
    ip route-static 1.1.1.2 255.255.255.255 1.1.1.1   //Primary EIP of the VPN gateway, space, 255.255.255.255, space, firewall public IP address
    ip route-static 2.2.2.2 255.255.255.255 1.1.1.1   //Standby EIP of the VPN gateway, space, 255.255.255.255, space, firewall public IP address
    ```

  - Configure private-network static routes.

    ```
    ip route-static 192.168.0.0 255.255.255.0 Tunnel100 1.1.1.2
    ip route-static 192.168.0.0 255.255.255.0 Tunnel200 2.2.2.2
    ```

    The format is ip route-static VPC subnet 1, space, subnet mask, space, Tunnel100, space, primary EIP of the VPN gateway. Tunnel100 must be the tunnel interface number configured in the tunnel connection step, and the destination of that tunnel interface must be the EIP used in the route.
  - If there are multiple VPC subnets, configure multiple routes for each EIP, one route per VPC subnet.
- Configure the security policies.

```
ip address-set localsubnet192 type object   //Define address objects
 address 0 172.16.0.0 mask 24   //Subnet of the user data center
ip address-set HWCsubnet172 type object
 address 0 192.168.0.0 mask 24   //Subnet of the Huawei Cloud VPC
security-policy
 rule name IPsec_permit1   //Allow the IKE and IPsec control/data plane between the firewall and the VPN gateway
  source-zone untrust
  source-zone internet
  source-zone local
  destination-zone untrust
  destination-zone internet
  destination-zone local
  service ah esp
  service protocol udp destination-port 500 4500
  action permit
 rule name IPsec_permit2   //Allow traffic between the data center subnet and the VPC subnet in both directions
  source-zone untrust
  source-zone internet
  source-zone trust
  destination-zone untrust
  destination-zone internet
  destination-zone trust
  source-address address-set localsubnet192
  source-address address-set HWCsubnet172
  destination-address address-set localsubnet192
  destination-address address-set HWCsubnet172
  action permit
nat-policy
 rule name IPsec_subnet_bypass   //Exempt tunnel traffic from source NAT
  source-zone trust
  destination-zone untrust
  destination-zone internet
  source-address address-set localsubnet192
  destination-address address-set HWCsubnet172
  action no-nat
```

The no-nat rule must be matched before any source NAT rule that covers the same traffic; if the data center subnet is translated first, the packets no longer match the IPsec traffic selectors and are not sent through the tunnel.
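As an added consistency check, not part of the original procedure or the firewall's own command set, the following Python parses a constructed excerpt of the configuration above and verifies, for each private-network route, that the route's next hop, the tunnel interface's destination and the remote-address of the ike peer reached through the tunnel's ipsec profile all agree. The excerpt assumes the profile HW-IPsec200 mirrors HW-IPsec100, and the block-grouping rule (indented lines belong to the preceding header) is an assumption about the exported config format.

```python
# Constructed config excerpt from the steps above (italic markers removed; HW-IPsec200 assumed analogous to HW-IPsec100).
CONFIG = """
ike peer hwcloud_peer33
 remote-address 1.1.1.2
ike peer hwcloud_peer44
 remote-address 2.2.2.2
ipsec profile HW-IPsec100
 ike-peer hwcloud_peer33
ipsec profile HW-IPsec200
 ike-peer hwcloud_peer44
interface Tunnel100
 destination 1.1.1.2
 ipsec profile HW-IPsec100
interface Tunnel200
 destination 2.2.2.2
 ipsec profile HW-IPsec200
ip route-static 192.168.0.0 255.255.255.0 Tunnel100 1.1.1.2
ip route-static 192.168.0.0 255.255.255.0 Tunnel200 2.2.2.2
"""

def parse(config):
    # Indented lines belong to the preceding top-level header; tunnel routes are kept separately.
    blocks, routes, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current:
            blocks[current].append(line)
        elif line.startswith("ip route-static ") and len(line.split()) == 6:
            routes.append(line.split()[2:])  # dest, mask, interface, next-hop
        elif line:
            current, blocks[line] = line, []
    return blocks, routes

def child(blocks, header, key):
    # Last token of the first child line of `header` that starts with `key`, or None.
    return next((l.split()[-1] for l in blocks.get(header, []) if l.startswith(key + " ")), None)

def check_tunnel_chain(config):
    # Per tunnel: route next-hop, tunnel destination and the ike-peer remote-address (via the ipsec profile) must agree.
    blocks, routes = parse(config)
    problems = []
    for _dest, _mask, ifname, nexthop in routes:
        tdest = child(blocks, f"interface {ifname}", "destination")
        profile = child(blocks, f"interface {ifname}", "ipsec profile")
        peer = child(blocks, f"ipsec profile {profile}", "ike-peer")
        remote = child(blocks, f"ike peer {peer}", "remote-address")
        if tdest != nexthop:
            problems.append(f"{ifname}: destination {tdest} != route next-hop {nexthop}")
        if remote != tdest:
            problems.append(f"{ifname}: peer {peer} remote-address {remote} != destination {tdest}")
    return problems
```

Run `check_tunnel_chain(CONFIG)` against an exported configuration; an empty list means every tunnel's route, interface and peer point at the same EIP, and each reported string names the tunnel whose chain is broken.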