
NE40E V800R010C00 Configuration Guide - NAT and IPv6 Transition Technologies 01

Example for Configuring Centralized NAT Over a Common IPsec Tunnel

This section provides a configuration example for the scenario where centralized NAT is superimposed on a common IPsec tunnel: internal private addresses are translated to external public addresses by NAT, and the translated traffic then enters the IPsec tunnel (established using a security policy). Use the networking diagram to follow the service configuration process.

Networking Requirements

As shown in Figure 2-10, network A and network B exchange resources in gateway-to-gateway networking mode. Network A and network B connect to the Internet through DeviceA and DeviceB respectively; DeviceA performs both NAT and IPsec processing.

The network environment is as follows:
  • Network A is on subnet 10.1.1.0/24 and connects to DeviceA through interface GE1/0/1.
  • Network B is on subnet 10.1.2.0/24 and connects to DeviceB through interface GE1/0/1.
  • DeviceA and DeviceB are reachable to each other.
  • Eight public IP addresses, 10.34.160.0/32 to 10.34.160.7/32, are available.
  • The NAT function of DeviceA is deployed on the service board in slot 1.
  • The IPsec functions of DeviceA and DeviceB are both deployed on the service board in slot 1.

The requirement is to configure NAT and an IPsec tunnel so that internal private addresses are translated many-to-many into external public addresses while PCA and PCB can access each other securely.

The typical networking for NAT over IPsec is shown in Figure 2-10:
Figure 2-10  Networking for NAT over IPsec (IPsec tunnel established using a security policy)
Note:

In this example, interface1 and interface2 represent GE1/0/1 and GE1/0/2 respectively.


Configuration Roadmap

This example describes how to configure an IPsec tunnel using a security policy in gateway-to-gateway networking mode for the NAT over IPsec scenario. The encapsulation mode is tunnel mode.

  1. Configure IP addresses for the interfaces.
  2. Configure basic NAT functions.
  3. Configure a NAT traffic diversion policy.
  4. Configure public network routes, usually static routes.
  5. Define the data flows to be protected by configuring an ACL rule group.
  6. Configure an IPsec proposal.
  7. Configure an IKE proposal.
  8. Configure an IKE peer.
  9. Configure an IPsec policy.
  10. Configure an IPsec service instance group.
  11. Apply the IPsec policy to the tunnel interface.

Data Preparation

To complete the configuration, you need the following data:
  • IP address of each interface
  • Index of the VSM HA backup group: 1
  • Slot number of the service board on the NAT device DeviceA (slot 1, as stated in the requirements)
  • Name of the VSM HA service instance group: group1
  • Name of the NAT instance: nat1, and its index: 1
  • NAT address pool on DeviceA: name address-group1, pool ID 1, address range 10.34.160.0 to 10.34.160.7
  • Number of the ACL used for the NAT traffic diversion rule: 3000
  • Name of the traffic classifier: classifier1
  • Name of the traffic behavior: behavior1
  • Name of the traffic policy: policy1
  • Number of the interface to which the NAT traffic diversion policy is applied
  • IP address of the tunnel interface
  • Pre-shared key
  • Security protocol, encryption algorithm and authentication algorithm used in the IPsec proposal
  • Authentication algorithm used in the IKE proposal

Procedure

  1. Configure DeviceA.
    1. Configure interface IP addresses.

      # Configure the IP address of interface GE1/0/1.

      <DeviceA> system-view 
      [~DeviceA] interface GigabitEthernet 1/0/1
      [~DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
      [*DeviceA-GigabitEthernet1/0/1] quit
      [*DeviceA] commit

      # Configure the IP address of interface GE1/0/2.

      [~DeviceA] interface GigabitEthernet 1/0/2 
      [~DeviceA-GigabitEthernet1/0/2] ip address 172.16.163.1 24 
      [*DeviceA-GigabitEthernet1/0/2] quit 
      [*DeviceA] commit

    2. Configure the NAT and IPsec service instance group group1.

      Centralized board scenario:
      • For VSUF-80/VSUF-160 boards, use the following configuration:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 1 card 0
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
        [~DeviceA] service-instance-group group1
        [*DeviceA-service-instance-group-group1] service-location 1
        [*DeviceA-service-instance-group-group1] commit
        [~DeviceA-service-instance-group-group1] quit
      On-board scenario:
      • For LPUF-51-E/LPUI-51-E/LPUI-51-S boards, use the following configuration:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 1
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
        [~DeviceA] service-instance-group group1
        [*DeviceA-service-instance-group-group1] service-location 1
        [*DeviceA-service-instance-group-group1] commit
        [~DeviceA-service-instance-group-group1] quit

    3. Configure basic NAT functions.

      # For VSUF-80/VSUF-160, set the session table resource of the service board in slot 1 to 6M.

      [~DeviceA] license
      [*DeviceA-license] active nat session-table size 6 slot 1 card 0
      [*DeviceA-license] commit
      [~DeviceA-license] quit

      # Create NAT instance nat1 and bind the service board to it.

      [~DeviceA] nat instance nat1 id 1
      [*DeviceA-nat-instance-nat1] service-instance-group group1
      [*DeviceA-nat-instance-nat1] commit
      [~DeviceA-nat-instance-nat1] quit

      # Configure the NAT address pool with the address range 10.34.160.0 to 10.34.160.7.

      [~DeviceA] nat instance nat1
      [~DeviceA-nat-instance-nat1] nat address-group address-group1 group-id 1 10.34.160.0 mask 29
      [*DeviceA-nat-instance-nat1] commit
      [~DeviceA-nat-instance-nat1] quit

    4. Configure the NAT traffic diversion policy on the inbound interface.

      # Configure an ACL-based traffic classification rule: ACL number 3000, rule number 5, permitting only hosts on the internal subnet 10.1.1.0/24 to access the Internet.

      [~DeviceA] acl 3000
      [*DeviceA-acl4-advance-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255
      [*DeviceA-acl4-advance-3000] commit
      [~DeviceA-acl4-advance-3000] quit

      # Configure a traffic classifier.

      [~DeviceA] traffic classifier classifier1
      [*DeviceA-classifier-classifier1] if-match acl 3000
      [*DeviceA-classifier-classifier1] commit
      [~DeviceA-classifier-classifier1] quit

      # Define traffic behavior behavior1 with the action of binding NAT instance nat1.

      [~DeviceA] traffic behavior behavior1
      [*DeviceA-behavior-behavior1] nat bind instance nat1
      [*DeviceA-behavior-behavior1] commit
      [~DeviceA-behavior-behavior1] quit

      # Define NAT policy policy1 to associate the applied ACL rules with the action.

      [~DeviceA] traffic policy policy1
      [*DeviceA-trafficpolicy-policy1] classifier classifier1 behavior behavior1
      [*DeviceA-trafficpolicy-policy1] commit
      [~DeviceA-trafficpolicy-policy1] quit

      # Apply the NAT traffic diversion policy in the view of interface GE1/0/1.

      [~DeviceA] interface gigabitEthernet 1/0/1
      [*DeviceA-GigabitEthernet1/0/1] traffic-policy policy1 inbound
      [*DeviceA-GigabitEthernet1/0/1] commit
      [~DeviceA-GigabitEthernet1/0/1] quit

    5. Configure the NAT translation policy.

      [~DeviceA] nat instance nat1
      [~DeviceA-nat-instance-nat1] nat outbound 3000 address-group address-group1 
      [*DeviceA-nat-instance-nat1] commit
      [~DeviceA-nat-instance-nat1] quit
      Note:
      On VSUF-80/VSUF-160 service boards the nat outbound { acl-number | any } address-group address-group-name command must be configured; on LPUF-51-E/LPUI-51-E/LPUI-51-S service boards it is not required.

    6. Configure IPsec tunnel establishment using a security policy. (In the centralized board scenario, this is configured only on VSUF-80/VSUF-160.)

      # Enable the IPsec function.

      [~DeviceA] license
      [*DeviceA-license] active ipsec slot 1
      [*DeviceA-license] commit
      [~DeviceA-license] quit

      # Create and configure the tunnel interface.

      [~DeviceA] interface Tunnel 10 
      [*DeviceA-Tunnel10] tunnel-protocol ipsec 
      [*DeviceA-Tunnel10] ip address 192.168.1.1 32 
      [*DeviceA-Tunnel10] quit 
      [*DeviceA] commit

      # Configure a static route to destination network B for traffic that has undergone NAT. The outbound interface toward network B is Tunnel10 and the next hop is 192.168.1.2. Assume that DeviceA's next-hop address toward the Internet is 172.16.163.2/24.

      Note:
      When a static route is used to steer post-NAT traffic into the IPsec tunnel, the outbound interface of the static route must be the IPsec tunnel interface and the next-hop address must also be specified.
      [~DeviceA] ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2 
      [*DeviceA] ip route-static 192.168.1.2 255.255.255.255 172.16.163.2  
      [*DeviceA] commit

      # Configure advanced ACL 3010 to permit PCA to access PCB.

      [~DeviceA] acl 3010  
      [*DeviceA-acl-adv-3010] rule permit ip source 10.34.160.0 0.0.0.7 destination 10.1.2.2 0.0.0.0
      [*DeviceA-acl-adv-3010] quit
      [*DeviceA] commit

      # Configure an IPsec proposal named tran1.

      [~DeviceA] ipsec proposal tran1  
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel 
      [*DeviceA-ipsec-proposal-tran1] transform esp 
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256 
      [*DeviceA-ipsec-proposal-tran1] quit 
      [*DeviceA] commit

      # Configure an IKE proposal numbered 10.

      [~DeviceA] ike proposal 10 
      [*DeviceA-ike-proposal-10] authentication-method pre-share 
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256 
      [*DeviceA-ike-proposal-10] dh group14 
      [*DeviceA-ike-proposal-10] quit 
      [*DeviceA] commit

      # Configure an IKE peer named b.

      [~DeviceA] ike peer b 
      [*DeviceA-ike-peer-b] ike-proposal 10 
      [*DeviceA-ike-peer-b] remote-address 192.168.1.2 
      [*DeviceA-ike-peer-b] pre-shared-key abcde  
      [*DeviceA-ike-peer-b] quit 
      [*DeviceA] commit
      Note:
      • The NE40E enables IKEv1 and IKEv2 simultaneously. If the peer does not support IKEv2, disable IKEv2 and negotiate using IKEv1.

      • The pre-shared key (authenticator) must be identical to that configured on the peer device.

      # Configure dead peer detection.

      [~DeviceA] ike dpd 100
      [*DeviceA] commit

      # Configure an IPsec policy named map1 with sequence number 10.

      [~DeviceA] ipsec policy map1 10 isakmp 
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3010 
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1 
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b 
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit 
      [*DeviceA] commit

      # Apply security policy map1 to the tunnel interface.

      [~DeviceA] interface Tunnel 10 
      [~DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel10] quit  
      [*DeviceA] commit

  2. Configure DeviceB.
    1. Configure interface IP addresses.

      # Configure the IP address of interface GE1/0/1.

      <DeviceB> system-view 
      [~DeviceB] interface gigabitethernet 1/0/1 
      [~DeviceB-GigabitEthernet1/0/1] ip address 10.1.2.1 24 
      [*DeviceB-GigabitEthernet1/0/1] quit 
      [*DeviceB] commit

      # Configure the IP address of interface GE1/0/2.

      [~DeviceB] interface gigabitethernet 1/0/2  
      [~DeviceB-GigabitEthernet1/0/2] ip address 172.16.169.1 24  
      [*DeviceB-GigabitEthernet1/0/2] quit 
      [*DeviceB] commit

    2. Enable the IPsec function. (In the centralized board scenario, this is configured only on VSUF-80/VSUF-160.)

      [~DeviceB] license
      [*DeviceB-license] active ipsec slot 1
      [*DeviceB-license] commit
      [~DeviceB-license] quit

    3. Create and configure the tunnel interface.

      [~DeviceB] interface Tunnel 10 
      [~DeviceB-Tunnel10] tunnel-protocol ipsec 
      [*DeviceB-Tunnel10] ip address 192.168.1.2 32
      [*DeviceB-Tunnel10] quit 
      [*DeviceB] commit

    4. Configure a static route to destination network A. The outbound interface toward network A is Tunnel10 and the next hop is 192.168.1.1. Assume that DeviceB's next-hop address toward the Internet is 172.16.169.2/24.

      Note:
      When a static route is used to steer IPsec traffic into the IPsec tunnel, the outbound interface of the static route must be the IPsec tunnel interface and the next-hop address must also be specified.
      [~DeviceB] ip route-static 10.34.160.0 255.255.255.248 Tunnel 10 192.168.1.1 
      [*DeviceB] ip route-static 192.168.1.1 255.255.255.255 172.16.169.2 
      [*DeviceB] commit

    5. Configure advanced ACL 3010 to permit PCB to access PCA.

      [~DeviceB] acl 3010 
      [*DeviceB-acl-adv-3010] rule permit ip source 10.1.2.2 0.0.0.0 destination 10.34.160.0 0.0.0.7 
      [*DeviceB-acl-adv-3010] quit 
      [*DeviceB] commit

    6. Configure an IPsec proposal named tran1.

      [~DeviceB] ipsec proposal tran1 
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel 
      [*DeviceB-ipsec-proposal-tran1] transform esp 
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256 
      [*DeviceB-ipsec-proposal-tran1] quit 
      [*DeviceB] commit

    7. Configure an IKE proposal numbered 10.

      [~DeviceB] ike proposal 10 
      [*DeviceB-ike-proposal-10] authentication-method pre-share  
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256  
      [*DeviceB-ike-proposal-10] dh group14 
      [*DeviceB-ike-proposal-10] quit 
      [*DeviceB] commit

    8. Configure an IKE peer named a.

      [~DeviceB] ike peer a  
      [*DeviceB-ike-peer-a] ike-proposal 10  
      [*DeviceB-ike-peer-a] remote-address 192.168.1.1 
      [*DeviceB-ike-peer-a] pre-shared-key abcde 
      [*DeviceB-ike-peer-a] quit 
      [*DeviceB] commit

    9. Configure dead peer detection.

      [~DeviceB] ike dpd 100
      [*DeviceB] commit

    10. Configure a security policy named map1 with sequence number 10.

      [~DeviceB] ipsec policy map1 10 isakmp 
      [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3010  
      [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1  
      [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a 
      [*DeviceB-ipsec-policy-isakmp-map1-10] quit 
      [*DeviceB] commit

    11. Configure the IPsec service instance group group1.

      Centralized board scenario:
      • For VSUF-80/VSUF-160 boards, use the following configuration:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 1 card 0
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
        [~DeviceB] service-instance-group group1
        [*DeviceB-service-instance-group-group1] service-location 1
        [*DeviceB-service-instance-group-group1] commit
        [~DeviceB-service-instance-group-group1] quit
      On-board scenario:
      • For LPUF-51-E/LPUI-51-E/LPUI-51-S boards, use the following configuration:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 1
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
        [~DeviceB] service-instance-group group1
        [*DeviceB-service-instance-group-group1] service-location 1
        [*DeviceB-service-instance-group-group1] commit
        [~DeviceB-service-instance-group-group1] quit

    12. Apply security policy map1 to the tunnel interface.

      [~DeviceB] interface Tunnel10 
      [~DeviceB-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceB-Tunnel10] quit 
      [*DeviceB] commit
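The procedure above hinges on one detail that is easy to get wrong: ACL 3010 on DeviceA must select the post-NAT public source (10.34.160.0/29), not the private 10.1.1.0/24, and DeviceB's ACL 3010 and return route must mirror it, or the translated flow never matches the protection policy. The following Python script is an added illustration, not Huawei code; it models the page's own values and checks these relationships, converting Huawei ACL wildcards to prefixes along the way.

```python
"""Consistency checks for the NAT-then-IPsec example. Addresses, ACL rules, NAT
pool and the DeviceB route are the page's values; the checker itself is added."""
import ipaddress

PRIVATE_A = ipaddress.ip_network("10.1.1.0/24")      # network A (pre-NAT)
POOL = ipaddress.ip_network("10.34.160.0/29")        # nat address-group ... mask 29
ACL_A = "rule 5 permit ip source 10.34.160.0 0.0.0.7 destination 10.1.2.2 0.0.0.0"
ACL_B = "rule 5 permit ip source 10.1.2.2 0.0.0.0 destination 10.34.160.0 0.0.0.7"
ROUTE_B = ("10.34.160.0", "255.255.255.248")         # ip route-static on DeviceB


def wildcard_to_network(addr, wildcard):
    """Huawei ACL 'address wildcard' (inverted mask) -> IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # the one-bits must be contiguous low-order bits
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)


def parse_rule(rule):
    """'rule N permit ip source A W destination B W' -> (src_net, dst_net)."""
    t = rule.split()
    src = wildcard_to_network(t[t.index("source") + 1], t[t.index("source") + 2])
    dst = wildcard_to_network(t[t.index("destination") + 1], t[t.index("destination") + 2])
    return src, dst


def acl_matches_nat_pool(rule, pool):
    """The IPsec ACL must select the post-NAT source, i.e. cover the whole pool."""
    src, _ = parse_rule(rule)
    return pool.subnet_of(src)


def acls_are_mirrored(rule_a, rule_b):
    """Both gateways protect the same flow: B's src/dst are A's dst/src."""
    sa, da = parse_rule(rule_a)
    sb, db = parse_rule(rule_b)
    return sa == db and da == sb


def route_covers_pool(route, pool):
    """DeviceB's return route toward the tunnel must cover the NAT pool."""
    net = ipaddress.ip_network("%s/%s" % route, strict=False)
    return pool.subnet_of(net)


def check_example():
    """Run every check against the page's values; each entry should be True."""
    return {
        "pool_holds_8_public_ips": POOL.num_addresses == 8,
        "acl_a_uses_translated_source": acl_matches_nat_pool(ACL_A, POOL),
        "acls_mirrored": acls_are_mirrored(ACL_A, ACL_B),
        "route_b_covers_pool": route_covers_pool(ROUTE_B, POOL),
    }
```

Swapping the private subnet into ACL_A's source (the common mistake) makes acl_matches_nat_pool return False, which is the condition to look for when a post-NAT flow is not being protected.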

Configuration Files

DeviceA configuration file.

# 
 sysname DeviceA 
# 
ike dpd 100
#
service-location 1
 location slot 1 card 0 // Note: generated in the centralized board scenario
 location slot 1 // Note: generated in the on-board scenario
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 10.34.160.0 mask 29
 nat outbound 3000 address-group address-group1
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3010
 rule 5 permit ip source 10.34.160.0 0.0.0.7 destination 10.1.2.2 0.0.0.0
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%# 
 ike-proposal 10
 remote-address 192.168.1.2
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
traffic classifier classifier1 operator or
 if-match acl 3000
#
traffic behavior behavior1
 nat bind instance nat1
#
traffic policy policy1
 classifier classifier1 behavior behavior1 precedence 1
#
license
 active nat session-table size 6 slot 1 card 0
 active ipsec slot 1
#
ipsec policy map1 10 isakmp
 security acl 3010
 ike-peer b
 proposal tran1
#
interface GigabitEthernet 1/0/1
 ip address 10.1.1.1 255.255.255.0
 traffic-policy policy1 inbound
#
interface GigabitEthernet 1/0/2
 ip address 172.16.163.1 255.255.255.0
#
interface Tunnel10
 ip address 192.168.1.1 255.255.255.255
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2 
ip route-static 192.168.1.2 255.255.255.255 172.16.163.2
#
return

DeviceB configuration file.

#
 sysname DeviceB
#
acl number 3010
 rule 5 permit ip source 10.1.2.2 0 destination 10.34.160.0 0.0.0.7
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer a
 pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
 ike-proposal 10
 remote-address 192.168.1.1
#
service-location 1
 location slot 1 card 0 // Note: generated in the centralized board scenario
 location slot 1 // Note: generated in the on-board scenario
#
service-instance-group group1
 service-location 1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
license
 active ipsec slot 1
#
ipsec policy map1 10 isakmp
 security acl 3010
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/1
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 172.16.169.1 255.255.255.0
#
interface Tunnel10
 ip address 192.168.1.2 255.255.255.255
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 10.34.160.0 255.255.255.248 Tunnel 10 192.168.1.1
ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
#
return
Updated: 2018-07-12

Document ID: EDOC1100028549
