华为防火墙NAT-T（NAT穿越）场景实验

场景说明：FW1作为出口设备连接公网，FW2作为内网防火墙，连接自己放的出口路由器，出口路由器上做SNAT，现在需要两台防火墙之间建立IPSEC VPN隧道保护PC1与PC2之间通讯。

FW1配置：

sysname FW1

acl number 3000 //配置IPSEC VPN感兴趣流

rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

ipsec proposal 1 //配置IPSEC安全提议，默认采用隧道模式

esp authentication-algorithm sha2-256 //配置IPSEC的认证算法

esp encryption-algorithm aes-256 //配置IPSEC的加密算法

ike proposal 1 //配置IKE安全提议

encryption-algorithm aes-256 //配置加密算法

dh group14 //配置DH公共值的组

authentication-algorithm sha2-256 //配置认证算法

authentication-method pre-share //配置认证方式为预共享密钥

integrity-algorithm hmac-sha2-256 //配置IKEv2版本下的完整性验证算法

prf hmac-sha2-256 //配置IKEv2中使用的伪随机数算法

ike peer 1 //配置IKE PEER

pre-shared-key %^%#ybh~2$'Xc/KwoR1:_.MD;TTg&p_2:WaWe30&tHf/%^%#

ike-proposal 1

dpd type on-demand //配置DPD保活检测，周期性发送DPD报文保活IPSEC隧道和检测IPSEC隧道的故障

remote-address 100.0.0.2 //由于是NAT-T场景，对端路由器做了SNAT，因此需要写地址为SNAT后的地址

remote-address authentication-address 10.0.12.1 //由于NAT-T场景，需要验证对等体SNAT之前的地址

ipsec policy 1 1 isakmp //配置IPSEC POLICY，采用IKE方式协商IPSEC SA

security acl 3000

ike-peer 1

proposal 1

interface GigabitEthernet1/0/0

undo shutdown

ip address 100.0.0.1 255.255.255.252

interface GigabitEthernet1/0/6

undo shutdown

ip address 192.168.10.254 255.255.255.0

firewall zone local

set priority 100

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/6

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

firewall zone dmz

set priority 50

ip route-static 0.0.0.0 0.0.0.0 100.0.0.2

security-policy

rule name Trust_Untrust_Permit

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action permit

rule name Untrust&Local_IKE_Permit

source-zone local

source-zone untrust

destination-zone local

destination-zone untrust

source-address 100.0.0.1 mask 255.255.255.255

source-address 100.0.0.2 mask 255.255.255.255

destination-address 100.0.0.1 mask 255.255.255.255

destination-address 100.0.0.2 mask 255.255.255.255

action permit

rule name Untrust_Trust_Permit

source-zone untrust

destination-zone trust

source-address 192.168.20.0 mask 255.255.255.0

destination-address 192.168.10.0 mask 255.255.255.0

action permit

rule name Untrust_Local_IPSEC_Permit

source-zone untrust

destination-zone local

source-address 100.0.0.2 mask 255.255.255.255

destination-address 100.0.0.1 mask 255.255.255.255

service esp

action permit

nat-policy

rule name Trust_Untrust_NO-PAT //配置NO-NAT，让PC1访问PC2不进行NAT

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

destination-address 192.168.20.0 mask 255.255.255.0

action no-nat

rule name Trust_Untrust_SNAT //为了使PC1访问互联网，需要配置SNAT

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action source-nat easy-ip

return

# sysname FW1 # acl number 3000 //配置IPSEC VPN感兴趣流 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 # ipsec proposal 1 //配置IPSEC安全提议，默认采用隧道模式 esp authentication-algorithm sha2-256 //配置IPSEC的认证算法 esp encryption-algorithm aes-256 //配置IPSEC的加密算法 # ike proposal 1 //配置IKE安全提议 encryption-algorithm aes-256 //配置加密算法 dh group14 //配置DH公共值的组 authentication-algorithm sha2-256 //配置认证算法 authentication-method pre-share //配置认证方式为预共享密钥 integrity-algorithm hmac-sha2-256 //配置IKEv2版本下的完整性验证算法 prf hmac-sha2-256 //配置IKEv2中使用的伪随机数算法 # ike peer 1 //配置IKE PEER pre-shared-key %^%#ybh~2$'Xc/KwoR1:_.MD;TTg&p_2:WaWe30&tHf/%^%# ike-proposal 1 dpd type on-demand //配置DPD保活检测，周期性发送DPD报文保活IPSEC隧道和检测IPSEC隧道的故障 remote-address 100.0.0.2 //由于是NAT-T场景，对端路由器做了SNAT，因此需要写地址为SNAT后的地址 remote-address authentication-address 10.0.12.1 //由于NAT-T场景，需要验证对等体SNAT之前的地址 # ipsec policy 1 1 isakmp //配置IPSEC POLICY，采用IKE方式协商IPSEC SA security acl 3000 ike-peer 1 proposal 1 # interface GigabitEthernet1/0/0 undo shutdown ip address 100.0.0.1 255.255.255.252 # interface GigabitEthernet1/0/6 undo shutdown ip address 192.168.10.254 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet1/0/6 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/0 # firewall zone dmz set priority 50 # ip route-static 0.0.0.0 0.0.0.0 100.0.0.2 # security-policy rule name Trust_Untrust_Permit source-zone trust destination-zone untrust source-address 192.168.10.0 mask 255.255.255.0 action permit rule name Untrust&Local_IKE_Permit source-zone local source-zone untrust destination-zone local destination-zone untrust source-address 100.0.0.1 mask 255.255.255.255 source-address 100.0.0.2 mask 255.255.255.255 destination-address 100.0.0.1 mask 255.255.255.255 destination-address 100.0.0.2 mask 255.255.255.255 action permit rule name Untrust_Trust_Permit source-zone untrust destination-zone trust source-address 192.168.20.0 mask 255.255.255.0 destination-address 192.168.10.0 mask 255.255.255.0 action permit rule name Untrust_Local_IPSEC_Permit source-zone untrust destination-zone local source-address 100.0.0.2 mask 255.255.255.255 destination-address 100.0.0.1 mask 255.255.255.255 service esp action permit # nat-policy rule name Trust_Untrust_NO-PAT //配置NO-NAT，让PC1访问PC2不进行NAT source-zone trust destination-zone untrust source-address 192.168.10.0 mask 255.255.255.0 destination-address 192.168.20.0 mask 255.255.255.0 action no-nat rule name Trust_Untrust_SNAT //为了使PC1访问互联网，需要配置SNAT source-zone trust destination-zone untrust source-address 192.168.10.0 mask 255.255.255.0 action source-nat easy-ip # return

#
sysname FW1
#
acl number 3000 //配置IPSEC VPN感兴趣流
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
ipsec proposal 1 //配置IPSEC安全提议，默认采用隧道模式
 esp authentication-algorithm sha2-256 //配置IPSEC的认证算法
 esp encryption-algorithm aes-256      //配置IPSEC的加密算法
#
ike proposal 1  //配置IKE安全提议
 encryption-algorithm aes-256   //配置加密算法
 dh group14 //配置DH公共值的组
 authentication-algorithm sha2-256 //配置认证算法
 authentication-method pre-share //配置认证方式为预共享密钥
 integrity-algorithm hmac-sha2-256  //配置IKEv2版本下的完整性验证算法
 prf hmac-sha2-256 //配置IKEv2中使用的伪随机数算法
#
ike peer 1 //配置IKE PEER
 pre-shared-key %^%#ybh~2$'Xc/KwoR1:_.MD;TTg&p_2:WaWe30&tHf/%^%#
 ike-proposal 1
 dpd type on-demand //配置DPD保活检测，周期性发送DPD报文保活IPSEC隧道和检测IPSEC隧道的故障
 remote-address 100.0.0.2 //由于是NAT-T场景，对端路由器做了SNAT，因此需要写地址为SNAT后的地址
 remote-address authentication-address 10.0.12.1 //由于NAT-T场景，需要验证对等体SNAT之前的地址
#
ipsec policy 1 1 isakmp //配置IPSEC POLICY，采用IKE方式协商IPSEC SA
 security acl 3000
 ike-peer 1
 proposal 1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 192.168.10.254 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5                           
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name Untrust&Local_IKE_Permit       
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 100.0.0.1 mask 255.255.255.255
  source-address 100.0.0.2 mask 255.255.255.255
  destination-address 100.0.0.1 mask 255.255.255.255
  destination-address 100.0.0.2 mask 255.255.255.255
  action permit
 rule name Untrust_Trust_Permit
  source-zone untrust
  destination-zone trust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name Untrust_Local_IPSEC_Permit
  source-zone untrust
  destination-zone local
  source-address 100.0.0.2 mask 255.255.255.255
  destination-address 100.0.0.1 mask 255.255.255.255
  service esp
  action permit
#
nat-policy
 rule name Trust_Untrust_NO-PAT //配置NO-NAT，让PC1访问PC2不进行NAT
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action no-nat
 rule name Trust_Untrust_SNAT //为了使PC1访问互联网，需要配置SNAT
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat easy-ip
#
return

要点：该场景要点，需要由于是NAT-T场景，由于是路由器进行SNAT，FW2在内网工作，因此第一次流量发起者需要是PC2访问PC1，如果是PC1访问PC2的话是无法建立IKE SA的。另外配置DPD来保活后续建立的通道，让PC1也可以访问PC2，防止没有流量的时候隧道被拆除。

一	二	三	四	五	六	日
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

An

记录点滴，记录生活

华为防火墙NAT-T（NAT穿越）场景实验

发表评论取消回复

发表评论 取消回复

发表评论取消回复