文档首页/ 虚拟专用网络 VPN/ 管理员指南/ 适用于经典版VPN/ 附录/ HW-USG防火墙(V5)对接华为云配置指引
更新时间:2024-07-19 GMT+08:00
分享

HW-USG防火墙(V5)对接华为云配置指引

华为云配置信息说明

VPN网关IP:11.11.11.11

VPC子网:192.168.10.0/24,192.168.20.0/24

客户侧网关IP:22.22.22.22

客户侧子网:172.16.10.0/24,172.16.20.0/24,172.16.30.0/24

协商策略详情:

一阶段策略(IKE Policy)

认证算法(Authentication Algorithm): sha2-256

加密算法(Encryption Algorithm): aes-128

版本(Version): v2

DH算法(DH Algorithm ): group14

生命周期(Life Cycle): 86400

二阶段策略(IPsec Policy)

传输协议(Transfer Protocol): esp

认证算法(Authentication Algorithm): sha2-256

加密算法(Encryption Algorithm): aes-128

完美前向安全(PFS):DH-group14

生命周期(Life Cycle): 86400

客户侧设备组网与基础配置假设

  1. 假定客户侧基础网络配置如下:

内网接口:GigabitEthernet1/0/0 所属zone为Trust,接口IP为10.0.0.1/30。

预进行加密传输的子网为172.16.10.0/24,172.16.20.0/24,172.16.30.0/24,所属zone为Trust。

外网接口:GigabitEthernet1/0/1 所属zone为Untrust,接口IP为22.22.22.22/24。

缺省路由:目标网段0.0.0.0/0 出接口GE1/0/1,下一跳为GE1/0/1的网关IP为22.22.22.1。

安全策略:Trust访问Untrust,源地址、目标地址及服务均为any,动作放行。

NAT策略:源地址为内网网段,目标地址为ANY,动作为EasyIP,即转换为接口IP。

  1. 基础配置命令行示意如下:
    interface GigabitEthernet1/0/0 
    ip address 10.0.0.1 255.255.255.252 
    # 
    interface GigabitEthernet1/0/1 
    ip address 22.22.22.22 255.255.255.0 
    # 
    ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 10.0.0.2 
    # 
    firewall zone trust 
    set priority 85 
    import interface GigabitEthernet1/0/0 
    # 
    firewall zone untrust 
    set priority 5
    import interface GigabitEthernet1/0/1 
    #
    ip address-set Customer-subnet172.16.10.0/24 type object 
    address 0 172.16.10.0 mask 24  
    # 
    ip address-set Customer-subnet172.16.20.0/24 type object 
    address 0 172.16.20.0 mask 24  
    # 
    ip address-set Customer-subnet172.16.30.0/24 type object 
    address 0 172.16.30.0 mask 24 
    # 
    security-policy 
    rule name Policy-Internet 
      policy logging 
      session logging 
      source-zone trust 
      destination-zone untrust 
      action permit 
    # 
    nat-policy 
    rule name Snat_Internet 
      source-zone trust 
      egress-interface GigabitEthernet1/0/1 
      action nat easy-ip

IPsec配置指引

  1. WEB页面VPN配置过程说明:

    登录设备WEB管理界面,在导航栏中选择“网络 > IPsec”,选择新建IPsec策略。

    1. 基本配置:命名策略,选择出接口为本端接口,本端地址为出接口公网IP,对端地址为华为云VPN网关IP,认证方式选择预共享密钥,密钥信息与华为云配置一致,本端ID及对端ID均选择IP地址。
    2. 待加密数据流:新建配置,源地址为客户侧子网网段,目标地址为华为云子网网段,多条子网请分开填写,填写的条目数为两端子网数量的乘积,协议选择any,动作允许。
    3. 安全提议:IKE参数与IPsec参数与华为云配置一致,注意IKE版本只勾选与华为云匹配的选项,推荐开启周期性DPD检测。
    4. 安全策略:添加客户侧私网网段与华为云私网网段互访的安全策略,服务为ANY,动作允许,推荐置顶这两条安全策略规则。
    5. NAT策略:添加源地址为客户侧私网网段,目标为华为云私网网段动作为不做转换的nat规则,并将该规则置顶。
    • 安全策略中需要添加本地公网IP与华为云网关IP的互访规则,协议为UDP的500、4500和IP协议ESP与AH,确保协商流和加密流数据正常传输。
    • 不可以将公网IP的协商流进行NAT转发,必须确保本地公网IP访问华为云的流量不被NAT。
    • 确保访问目标子网的路由指向公网出接口下一跳。
    • 待加密数据流的网段请填写真实IP和掩码,请勿调用地址对象。
    • 若客户侧网络存在多出口时,请确保客户侧访问华为云VPN网关IP及私网网段从建立连接的公网出口流出,推荐使用静态路由配置选择出口网络。
  2. 命令行配置说明:

    #增加地址对象

    ip address-set HWCloud_subnet192.168.10.0/24 type object
    address 0 192.168.10.0 mask 24
    #
    ip address-set HWCloud_subnet192.168.20.0/24 type object
    address 0 192.168.20.0 mask 24

    #配置一阶段提议,ike v1与ike v2的配置方式相同,ikev1使用认证、加密,ikev2使用加密、完整性、prf

    ike proposal 100
    authentication-algorithm sha2-256
    encryption-algorithm aes-128
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256
    dh group14
    sa duration 86400

    #配置对等体,指定版本,调用一阶段提议(undo version 2时需要配置exchange-mode参数)

    ike peer IKE-PEER
    undo version 1
    pre-shared-key ******
    ike-proposal 100
    remote-address 11.11.11.11
    dpd type periodic

    #配置感兴趣流

    acl number 3999
    rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
    rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
    rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

    #配置二阶段提议

    IPsec proposal IPsec-PH2
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm sha2-256
    esp encryption-algorithm aes-128

    #配置IPsec policy,调用ike peer、二阶段提议、ACL,注意PFS配置

    IPsec policy IPsec-HW 1 isakmp
    proposal IPsec-PH2
    security acl 3999
    ike-peer IKE-PEER
    tunnel local 22.22.22.22
    pfs dh-group14
    sa duration time-based 3600

    #全局配置,设定TCP分片大小

    firewall tcp-mss 1300
    #IPsec policy 绑定接口
    interface GigabitEthernet1/0/1
    ip address B.B.B.Y 255.255.255.0
    IPsec apply policy IPsec-HW
    #
    security-policy
    rule name IPsec-OUT
    policy logging
    session logging
    source-zone trust
    destination-zone untrust
    source-address address-set Customer-subnet172.16.10.0/24
    source-address address-set Customer-subnet172.16.20.0/24
    source-address address-set Customer-subnet172.16.30.0/24
    destination-address address-set HWCloud_subnet192.168.10.0/24
    destination-address address-set HWCloud_subnet192.168.20.0/24
    action permit
    rule name IPsec-IN
    policy logging
    session logging
    source-zone untrust
    destination-zone trust
    source-address address-set HWCloud_subnet192.168.10.0/24
    source-address address-set HWCloud_subnet192.168.20.0/24
    destination-address address-set Customer-subnet172.16.10.0/24
    destination-address address-set Customer-subnet172.16.20.0/24
    destination-address address-set Customer-subnet172.16.30.0/24
    action permit
    rule name IPsec-NEG-pass
    logging enable
    counting enable
    source-ip 11.11.11.11 255.255.255.255
    source-ip 22.22.22.22 255.255.255.255
    destination-ip 11.11.11.11 255.255.255.255
    destination-ip 22.22.22.22 255.255.255.255
    action permit
    rule name Policy-Internet
    ……
    #
    nat policy
    rule name IPsec_NONAT
    description IPsec_NONAT
    source-zone trust
    destination-zone untrust
    source-address address-set Customer-subnet172.16.10.0/24
    source-address address-set Customer-subnet172.16.20.0/24
    source-address address-set Customer-subnet172.16.30.0/24
    destination-address address-set HWCloud_subnet192.168.10.0/24
    destination-address address-set HWCloud_subnet192.168.20.0/24
    action no-nat
    rule name Snat_Internet
    ……

    #路由配置,访问华为云子网路由由公网接口流出

    ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 22.22.22.1

功能验证

VPN连接配置完成后,云上不会主动触发隧道建立,需要数据流触发协商。

触发方式:私网间数据流,例如用192.168.10.0/24网段的主机去ping 172.16.10.0/24网段主机,反过来ping也可以。

用私网地址ping对端公网网关IP不触发隧道协商,例如172.16.10.0/24网段主机ping 11.11.11.11是不会触发隧道建立的。

相关文档