HW-USG防火墙(V5)对接华为云配置指引
华为云配置信息说明
VPN网关IP:11.11.11.11
VPC子网:192.168.10.0/24,192.168.20.0/24
客户侧网关IP:22.22.22.22
客户侧子网:172.16.10.0/24,172.16.20.0/24,172.16.30.0/24
协商策略详情:
一阶段策略(IKE Policy)
认证算法(Authentication Algorithm): sha2-256
加密算法(Encryption Algorithm): aes-128
版本(Version): v2
DH算法(DH Algorithm ): group14
生命周期(Life Cycle): 86400
二阶段策略(IPsec Policy)
传输协议(Transfer Protocol): esp
认证算法(Authentication Algorithm): sha2-256
加密算法(Encryption Algorithm): aes-128
完美前向安全(PFS):DH-group14
生命周期(Life Cycle): 86400
客户侧设备组网与基础配置假设
- 假定客户侧基础网络配置如下:
内网接口:GigabitEthernet1/0/0 所属zone为Trust,接口IP为10.0.0.1/30。
预进行加密传输的子网为172.16.10.0/24,172.16.20.0/24,172.16.30.0/24,所属zone为Trust。
外网接口:GigabitEthernet1/0/1 所属zone为Untrust,接口IP为22.22.22.22/24。
缺省路由:目标网段0.0.0.0/0 出接口GE1/0/1,下一跳为GE1/0/1的网关IP为22.22.22.1。
安全策略:Trust访问Untrust,源地址、目标地址及服务均为any,动作放行。
NAT策略:源地址为内网网段,目标地址为ANY,动作为EasyIP,即转换为接口IP。
- 基础配置命令行示意如下:
interface GigabitEthernet1/0/0 ip address 10.0.0.1 255.255.255.252 # interface GigabitEthernet1/0/1 ip address 22.22.22.22 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 22.22.22.1 ip route-static 172.16.10.0 255.255.255.0 10.0.0.2 ip route-static 172.16.20.0 255.255.255.0 10.0.0.2 ip route-static 172.16.30.0 255.255.255.0 10.0.0.2 # firewall zone trust set priority 85 import interface GigabitEthernet1/0/0 # firewall zone untrust set priority 5 import interface GigabitEthernet1/0/1 # ip address-set Customer-subnet172.16.10.0/24 type object address 0 172.16.10.0 mask 24 # ip address-set Customer-subnet172.16.20.0/24 type object address 0 172.16.20.0 mask 24 # ip address-set Customer-subnet172.16.30.0/24 type object address 0 172.16.30.0 mask 24 # security-policy rule name Policy-Internet policy logging session logging source-zone trust destination-zone untrust action permit # nat-policy rule name Snat_Internet source-zone trust egress-interface GigabitEthernet1/0/1 action nat easy-ip
IPsec配置指引
- WEB页面VPN配置过程说明:
登录设备WEB管理界面,在导航栏中选择“网络 > IPsec”,选择新建IPsec策略。
- 基本配置:命名策略,选择出接口为本端接口,本端地址为出接口公网IP,对端地址为华为云VPN网关IP,认证方式选择预共享密钥,密钥信息与华为云配置一致,本端ID及对端ID均选择IP地址。
- 待加密数据流:新建配置,源地址为客户侧子网网段,目标地址为华为云子网网段,多条子网请分开填写,填写的条目数为两端子网数量的乘积,协议选择any,动作允许。
- 安全提议:IKE参数与IPsec参数与华为云配置一致,注意IKE版本只勾选与华为云匹配的选项,推荐开启周期性DPD检测。
- 安全策略:添加客户侧私网网段与华为云私网网段互访的安全策略,服务为ANY,动作允许,推荐置顶这两条安全策略规则。
- NAT策略:添加源地址为客户侧私网网段,目标为华为云私网网段动作为不做转换的nat规则,并将该规则置顶。
- 安全策略中需要添加本地公网IP与华为云网关IP的互访规则,协议为UDP的500、4500和IP协议ESP与AH,确保协商流和加密流数据正常传输。
- 不可以将公网IP的协商流进行NAT转发,必须确保本地公网IP访问华为云的流量不被NAT。
- 确保访问目标子网的路由指向公网出接口下一跳。
- 待加密数据流的网段请填写真实IP和掩码,请勿调用地址对象。
- 若客户侧网络存在多出口时,请确保客户侧访问华为云VPN网关IP及私网网段从建立连接的公网出口流出,推荐使用静态路由配置选择出口网络。
- 命令行配置说明:
ip address-set HWCloud_subnet192.168.10.0/24 type object address 0 192.168.10.0 mask 24 # ip address-set HWCloud_subnet192.168.20.0/24 type object address 0 192.168.20.0 mask 24
#配置一阶段提议,ike v1与ike v2的配置方式相同,ikev1使用认证、加密,ikev2使用加密、完整性、prf
ike proposal 100 authentication-algorithm sha2-256 encryption-algorithm aes-128 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 dh group14 sa duration 86400
#配置对等体,指定版本,调用一阶段提议(undo version 2时需要配置exchange-mode参数)
ike peer IKE-PEER undo version 1 pre-shared-key ****** ike-proposal 100 remote-address 11.11.11.11 dpd type periodic
#配置感兴趣流
acl number 3999 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#配置二阶段提议
IPsec proposal IPsec-PH2 transform esp encapsulation-mode tunnel esp authentication-algorithm sha2-256 esp encryption-algorithm aes-128
#配置IPsec policy,调用ike peer、二阶段提议、ACL,注意PFS配置
IPsec policy IPsec-HW 1 isakmp proposal IPsec-PH2 security acl 3999 ike-peer IKE-PEER tunnel local 22.22.22.22 pfs dh-group14 sa duration time-based 3600
#全局配置,设定TCP分片大小
firewall tcp-mss 1300 #IPsec policy 绑定接口 interface GigabitEthernet1/0/1 ip address B.B.B.Y 255.255.255.0 IPsec apply policy IPsec-HW # security-policy rule name IPsec-OUT policy logging session logging source-zone trust destination-zone untrust source-address address-set Customer-subnet172.16.10.0/24 source-address address-set Customer-subnet172.16.20.0/24 source-address address-set Customer-subnet172.16.30.0/24 destination-address address-set HWCloud_subnet192.168.10.0/24 destination-address address-set HWCloud_subnet192.168.20.0/24 action permit rule name IPsec-IN policy logging session logging source-zone untrust destination-zone trust source-address address-set HWCloud_subnet192.168.10.0/24 source-address address-set HWCloud_subnet192.168.20.0/24 destination-address address-set Customer-subnet172.16.10.0/24 destination-address address-set Customer-subnet172.16.20.0/24 destination-address address-set Customer-subnet172.16.30.0/24 action permit rule name IPsec-NEG-pass logging enable counting enable source-ip 11.11.11.11 255.255.255.255 source-ip 22.22.22.22 255.255.255.255 destination-ip 11.11.11.11 255.255.255.255 destination-ip 22.22.22.22 255.255.255.255 action permit rule name Policy-Internet …… # nat policy rule name IPsec_NONAT description IPsec_NONAT source-zone trust destination-zone untrust source-address address-set Customer-subnet172.16.10.0/24 source-address address-set Customer-subnet172.16.20.0/24 source-address address-set Customer-subnet172.16.30.0/24 destination-address address-set HWCloud_subnet192.168.10.0/24 destination-address address-set HWCloud_subnet192.168.20.0/24 action no-nat rule name Snat_Internet ……
#路由配置,访问华为云子网路由由公网接口流出
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 22.22.22.1
功能验证
VPN连接配置完成后,云上不会主动触发隧道建立,需要数据流触发协商。
触发方式:私网间数据流,例如用192.168.10.0/24网段的主机去ping 172.16.10.0/24网段主机,反过来ping也可以。
用私网地址ping对端公网网关IP不触发隧道协商,例如172.16.10.0/24网段主机ping 11.11.11.11是不会触发隧道建立的。
