Updated: 2025-04-15 GMT+08:00

Firewall-Side Configuration Procedure

Procedure

  1. Log in to the command-line configuration interface of the firewall device.

    Commands may differ between firewall models and software versions. Follow the product documentation for your version when configuring.

  2. Configure basic information.
    1. Configure IP addresses for the firewall interfaces.
      interface GigabitEthernet1/0/1              # Configure the public IP address of the firewall.
      ip address 1.1.1.1 255.255.255.0
      interface GigabitEthernet1/0/2              # Configure the private IP address of the firewall.
      ip address 172.16.0.233 255.255.255.0
    2. Add the interfaces to the corresponding zones.
      firewall zone untrust
      add interface GigabitEthernet1/0/1
      firewall zone trust
      add interface GigabitEthernet1/0/2
    3. Configure the TCP MSS.
      firewall tcp-mss 1300
  3. Configure the negotiation policies.
    ike proposal 100                      # IKE policy between the firewall public IP address and the active EIP of the VPN gateway
    authentication-algorithm SHA2-256     # Must match the IKE policy authentication algorithm configured in Table 3
    encryption-algorithm AES-128          # Must match the IKE policy encryption algorithm configured in Table 3
    authentication-method pre-share
    integrity-algorithm HMAC-SHA2-256
    prf HMAC-SHA2-256
    dh group15                            # Must match the IKE policy DH algorithm configured in Table 3
    sa duration 86400                     # Must match the IKE policy lifetime configured in Table 3
    
    ike peer hwcloud_peer33
    undo version 1                        # Must match the IKE version of the IKE policy configured in Table 3
    pre-shared-key XXXXXXX                # Must match the pre-shared key configured in Table 3
    ike-proposal 100
    remote-address 1.1.1.2                # Must match the active EIP of the VPN gateway
    
    IPsec proposal IPsec-pro100           # IPsec policy between the firewall public IP address and the active EIP of the VPN gateway
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm SHA2-256 # Must match the IPsec policy authentication algorithm configured in Table 3
    esp encryption-algorithm aes-128      # Must match the IPsec policy encryption algorithm configured in Table 3
    
    ike proposal 200                      # Configuration between the firewall public IP address and the standby EIP of the VPN gateway; same rules as above
    authentication-algorithm SHA2-256
    encryption-algorithm AES-128
    authentication-method pre-share
    integrity-algorithm HMAC-SHA2-256
    prf HMAC-SHA2-256
    dh group15
    sa duration 86400
    
    ike peer hwcloud_peer44
    undo version 1
    pre-shared-key XXXXXXX
    ike-proposal 200
    remote-address 2.2.2.2                # Must match the standby EIP of the VPN gateway
    
    IPsec proposal IPsec-pro200
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm SHA2-256
    esp encryption-algorithm aes-128
  4. Configure the IPsec tunnels.
    IPsec profile HW-IPsec100             # Policy corresponding to the firewall public IP address
    ike-peer hwcloud_peer33
    proposal IPsec-pro100
    pfs dh-group15                        # Must match the IPsec policy PFS configured in Table 3
    sa duration time-based 3600           # Must match the IPsec policy lifetime configured in Table 3
    
    interface Tunnel100
    ip address 169.254.70.2 255.255.255.252       # IP address of tunnel interface 1 on the firewall
    tunnel-protocol IPsec
    source 1.1.1.1                                # Public IP address of the firewall
    destination 1.1.1.2                           # Active EIP of the VPN gateway
    service-manage ping permit
    IPsec profile HW-IPsec100
    firewall zone untrust
    add interface Tunnel100
    
    interface Tunnel200
    ip address 169.254.71.2 255.255.255.252       # IP address of tunnel interface 2 on the firewall
    tunnel-protocol IPsec
    source 1.1.1.1                                # Public IP address of the firewall
    destination 2.2.2.2                           # Standby EIP of the VPN gateway
    service-manage ping permit
    IPsec profile HW-IPsec200
    firewall zone untrust
    add interface Tunnel200
  5. Configure routes.
    1. Configure static routes to the Huawei Cloud public IP addresses.
      ip route-static 1.1.1.2 255.255.255.255 1.1.1.1    # Format: <active EIP of the VPN gateway> 255.255.255.255 <gateway address of the firewall public IP>
      ip route-static 2.2.2.2 255.255.255.255 1.1.1.1    # Format: <standby EIP of the VPN gateway> 255.255.255.255 <gateway address of the firewall public IP>
    2. Configure static routes to the Huawei Cloud private subnets.
      ip route-static 192.168.0.0 255.255.255.0 Tunnel100 1.1.1.2
      
      ip route-static 192.168.0.0 255.255.255.0 Tunnel200 2.2.2.2
      • Format: ip route-static <VPC subnet> <subnet mask> <tunnel interface> <active or standby EIP of the VPN gateway>.
      • If there are multiple VPC subnets, configure two routes (one per tunnel) for each VPC subnet.
  6. Configure security policies.
    ip address-set localsubnet172 type object          # Define address objects
    address 0 172.16.0.0 mask 24                       # Subnet of the on-premises data center
    ip address-set HWCsubnet192 type object
    address 0 192.168.0.0 mask 24                      # Subnet of the Huawei Cloud VPC
    
    security-policy
    rule name IPsec_permit1
    source-zone untrust
    source-zone internet
    source-zone local
    destination-zone untrust
    destination-zone internet
    destination-zone local
    service ah esp
    service protocol udp destination-port 500 4500
    action permit
    rule name IPsec_permit2
    source-zone untrust
    source-zone internet
    source-zone trust
    destination-zone untrust
    destination-zone internet
    destination-zone trust
    source-address address-set localsubnet172
    source-address address-set HWCsubnet192
    destination-address address-set localsubnet172
    destination-address address-set HWCsubnet192
    action permit
    
    nat-policy
    rule name IPsec_subnet_bypass
    source-zone trust
    destination-zone untrust
    destination-zone internet
    source-address address-set localsubnet172
    destination-address address-set HWCsubnet192
    action no-nat
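Steps 3 and 4 require almost every firewall-side value to match the VPN gateway policy in Table 3, and step 5.2 requires a route through each tunnel for every VPC subnet. The Python script below is an added example, not part of this page and not Huawei Cloud or firewall vendor code: it parses a constructed copy of the configuration above as plain text, reports any parameter that differs from the gateway-side values, any gateway EIP with no tunnel interface pointing at it, and any VPC subnet lacking a route through both tunnels, and it generates the per-subnet route pairs for the multiple-VPC-subnet case. The BLOCK_PREFIXES list, the EXPECTED table and the handling of `ipsec profile` inside an interface view are assumptions of the example; the EIPs and subnets are the page's placeholder values.

```python
"""Audit a firewall-side IPsec configuration against the VPN gateway parameters. Added example,
not Huawei Cloud's or the firewall vendor's code; it treats the Huawei-style CLI as plain text."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the active-EIP side of the procedure above, both tunnel
# interfaces and the step 5.2 routes, with the CLI comments removed.
SAMPLE_CONFIG = """
ike proposal 100
authentication-algorithm SHA2-256
encryption-algorithm AES-128
dh group15
sa duration 86400
ike peer hwcloud_peer33
undo version 1
remote-address 1.1.1.2
IPsec proposal IPsec-pro100
esp authentication-algorithm SHA2-256
esp encryption-algorithm aes-128
IPsec profile HW-IPsec100
pfs dh-group15
sa duration time-based 3600
interface Tunnel100
destination 1.1.1.2
IPsec profile HW-IPsec100
interface Tunnel200
destination 2.2.2.2
IPsec profile HW-IPsec200
ip route-static 192.168.0.0 255.255.255.0 Tunnel100 1.1.1.2
ip route-static 192.168.0.0 255.255.255.0 Tunnel200 2.2.2.2
"""
# Gateway-side values from the procedure (Table 3) that the firewall must match (assumed table).
EXPECTED: Dict = {
    "parameters": {
        "ike proposal": {"authentication-algorithm": "SHA2-256", "encryption-algorithm": "AES-128",
                         "dh": "group15", "sa duration": "86400"},
        "ipsec proposal": {"esp authentication-algorithm": "SHA2-256", "esp encryption-algorithm": "aes-128"},
        "ipsec profile": {"pfs": "dh-group15", "sa duration time-based": "3600"},
    },
    "gateway_eips": {"1.1.1.2", "2.2.2.2"},
    "vpc_subnets": ["192.168.0.0 255.255.255.0"],
}
BLOCK_PREFIXES = ("ike proposal ", "ike peer ", "ipsec proposal ", "ipsec profile ", "interface ", "ip route-static ")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the CLI text into (view header, parameter lines), dropping '#' comments."""
    blocks: List[Tuple[str, List[str]]] = []
    # assumption: '#' never occurs inside a value, so everything after it is a comment
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in config.splitlines())):
        low = line.lower()
        in_interface = bool(blocks) and blocks[-1][0].lower().startswith("interface ")
        # "ipsec profile X" inside an interface view applies a profile rather than defining one
        is_header = low.startswith(BLOCK_PREFIXES) and not (in_interface and low.startswith("ipsec profile "))
        if is_header or not blocks:
            blocks.append((line, []))
        else:
            blocks[-1][1].append(line)
    return blocks


def _value(lines: List[str], key: str) -> Optional[str]:
    """Argument of the first line starting with `key` (case-insensitive), or None."""
    for line in lines:
        if line.lower().startswith(key.lower() + " "):
            return line[len(key):].strip()
    return None


def audit(config: str, expected: Dict = EXPECTED) -> List[str]:
    """Return one finding per mismatch; an empty list means the firewall matches the gateway."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    destinations = set()
    for header, lines in blocks:
        low = header.lower()
        for section, wanted in expected["parameters"].items():
            if low.startswith(section + " "):
                for key, want in wanted.items():
                    got = _value(lines, key)
                    if got is None or got.lower() != want.lower():
                        findings.append(f"{header}: {key} is {got!r}, gateway policy expects {want!r}")
        if low.startswith("ike peer ") and "undo version 1" not in (ln.lower() for ln in lines):
            findings.append(f"{header}: IKEv1 not disabled (missing 'undo version 1')")
        if low.startswith("interface tunnel"):
            destinations.add(_value(lines, "destination"))
    for eip in sorted(expected["gateway_eips"] - destinations):
        findings.append(f"no tunnel interface has destination {eip}")
    # Step 5.2 rule: every VPC subnet needs one route through each tunnel (active and standby EIP)
    routes = [h for h, _ in blocks if h.lower().startswith("ip route-static ")]
    for subnet in expected["vpc_subnets"]:
        via = {r.split()[4] for r in routes if r.lower().startswith(f"ip route-static {subnet} tunnel")}
        if len(via) < 2:
            findings.append(f"VPC subnet {subnet}: reachable via {sorted(via) or 'no tunnel'}, two required")
    return findings


def generate_subnet_routes(subnets: List[str], tunnels=(("Tunnel100", "1.1.1.2"), ("Tunnel200", "2.2.2.2"))) -> List[str]:
    """Emit the two static routes per VPC subnet that step 5.2 requires."""
    return [f"ip route-static {s} {tunnel} {eip}" for s in subnets for tunnel, eip in tunnels]
```

Running `audit(SAMPLE_CONFIG)` on the sample returns an empty list; changing `dh group15` to another group, deleting `undo version 1`, or dropping one of the two subnet routes each produces a finding naming the block and the offending key. A mismatch in any of these values is the usual reason an IPsec tunnel never comes up, so the check is worth running on the exported configuration before it is committed to the device; `generate_subnet_routes` produces the route pairs for any number of VPC subnets so that the two-routes-per-subnet rule is not missed when more subnets are added.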
