技术支持文档中心路由器接入路由器AR100&200配置调测配置指南

AR100, AR120, AR150, AR160, AR200, AR300, AR1200, AR2200, AR3200, AR3600 V200R010 配置指南-VPN(命令行)

本文档针对VPN特性,从配置过程和配置举例两方面对特性进行介绍。

配置建立NAT穿越功能的IPSec隧道示例

配置建立NAT穿越功能的IPSec隧道示例

组网需求

图5-47所示,RouterA与RouterB通过NAT网关建立通信。RouterA的子网为10.1.0.2/24,RouterB的子网为10.2.0.2/24。

企业希望对RouterA与RouterB之间相互访问的流量进行安全保护。

图5-47  建立NAT穿越功能的IPSec隧道组网图

配置思路

由于RouterA与RouterB通过NAT网关建立通信,需要配置NAT穿越功能才能建立IPSec隧道。采用如下思路配置建立NAT穿越功能的IPSec隧道:

  1. 配置接口的IP地址和到对端的静态路由,保证两端路由可达。

  2. RouterA上配置ACL,以定义需要IPSec保护的数据流。

  3. 配置IPSec安全提议,定义IPSec的保护方法。

  4. 配置IKE对等体,定义对等体间IKE协商时的属性。

  5. 分别在RouterA和RouterB上配置安全策略,确定对何种数据流采取何种保护方法。其中RouterB采用策略模板方式创建安全策略。

  6. 在接口上应用安全策略组,使接口具有IPSec的保护功能。

操作步骤

  1. 分别在RouterA和RouterB上配置接口的IP地址和到对端的静态路由

    # 在RouterA上配置接口的IP地址。

    <Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.0.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.0.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit

    # 在RouterA上配置到对端的缺省路由,此处假设到对端下一跳地址为192.168.0.1。

    [RouterA] ip route-static 0.0.0.0 0.0.0.0 192.168.0.1

    # 在RouterB上配置接口的IP地址。

    <Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0 
[RouterB-GigabitEthernet1/0/0] ip address 1.2.0.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.2.0.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

    # 在RouterB上配置到对端的静态路由,此处假设到对端下一跳地址为1.2.0.2。

    [RouterB] ip route-static 10.1.0.0 255.255.255.0 1.2.0.2
[RouterB] ip route-static 192.168.0.0 255.255.255.0 1.2.0.2

  2. RouterA上配置ACL,定义由子网10.1.0.0/24去子网10.2.0.0/24的数据流 

    [RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit

  3. 分别在RouterA和RouterB上创建IPSec安全提议

    # 在RouterA上配置IPSec安全提议。

    [RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
[RouterA-ipsec-proposal-tran1] quit

    # 在RouterB上配置IPSec安全提议。

    [RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
[RouterB-ipsec-proposal-tran1] quit

  4. 分别在RouterA和RouterB上配置IKE协商时的名称类型ID。

    # 在RouterA上配置名称类型ID。

    [RouterA] ike local-name rta

    # 在RouterB上配置名称类型ID。

    [RouterB] ike local-name rtb

  5. 分别在RouterA和RouterB上配置IKE对等体

    # 在RouterA上配置IKE安全提议。

    [RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit

    # 在RouterA上配置IKE对等体。

    [RouterA] ike peer rta
[RouterA-ike-peer-rta] undo version 2
[RouterA-ike-peer-rta] exchange-mode aggressive 
[RouterA-ike-peer-rta] ike-proposal 5
[RouterA-ike-peer-rta] pre-shared-key cipher huawei@123
[RouterA-ike-peer-rta] local-id-type fqdn
[RouterA-ike-peer-rta] remote-address 1.2.0.1
[RouterA-ike-peer-rta] remote-id rtb
[RouterA-ike-peer-rta] nat traversal
[RouterA-ike-peer-rta] quit

    # 在RouterB上配置IKE安全提议。

    [RouterB] ike proposal 5
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit

    # 在RouterB上配置IKE对等体。

    [RouterB] ike peer rtb
[RouterB-ike-peer-rtb] undo version 2
[RouterB-ike-peer-rtb] exchange-mode aggressive 
[RouterB-ike-peer-rtb] ike-proposal 5
[RouterB-ike-peer-rtb] pre-shared-key cipher huawei@123
[RouterB-ike-peer-rtb] local-id-type fqdn
[RouterB-ike-peer-rtb] remote-id rta
[RouterA-ike-peer-rta] nat traversal
[RouterB-ike-peer-rtb] quit

  6. 分别在RouterA和RouterB上创建安全策略

    # 在RouterA上配置IKE动态协商方式安全策略。

    [RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rta
[RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-policy1-10] quit

    # 在RouterB上以策略模板方式配置IKE动态协商方式安全策略。

    [RouterB] ipsec policy-template temp1 10
[RouterB-ipsec-policy-templet-temp1-10] ike-peer rtb
[RouterB-ipsec-policy-templet-temp1-10] proposal tran1
[RouterB-ipsec-policy-templet-temp1-10] quit
[RouterB] ipsec policy policy1 10 isakmp template temp1

    此时分别在RouterA和RouterB上执行display ipsec policy会显示所配置的信息。

  7. 分别在RouterA和RouterB的接口上应用各自的安全策略组,使接口具有IPSec的保护功能

    # 在RouterA的接口上引用安全策略组。

    [RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit

    # 在RouterB的接口上引用安全策略组。

    [RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy policy1
[RouterB-GigabitEthernet1/0/0] quit

  8. 检查配置结果

    # 配置成功后,在主机PC A执行ping操作仍然可以ping通主机PC B,它们之间的数据传输将被加密,执行命令display ipsec statistics可以查看数据包的统计信息。

    # 在RouterA上执行display ike sa操作,结果如下。

    [RouterA] display ike sa
IKE SA information :
  Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ---------------------------------------------------------------------------
     15    1.2.0.1:4500          RD|ST     v1:2    FQDN        rtb
     14    1.2.0.1:4500          RD|ST     v1:1    FQDN        rtb
                                   
  Number of IKE SA : 2 
  ---------------------------------------------------------------------------
                                                           
  Flag Description:           
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

配置文件

  • RouterA的配置文件

    #
 sysname RouterA
#
ike local-name rta
#
acl number 3101
 rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256   
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rta
 undo version 2 
 exchange-mode aggressive
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
 ike-proposal 5
 local-id-type fqdn
 remote-id rtb
 remote-address 1.2.0.1
#
ipsec policy policy1 10 isakmp
 security acl 3101
 ike-peer rta
 proposal tran1
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.2 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.1.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
#
return

  • RouterB的配置文件

    #
 sysname RouterB
#
ike local-name rtb
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256   
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rtb
 undo version 2 
 exchange-mode aggressive
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
 ike-proposal 5
 local-id-type fqdn
 remote-id rta
#
ipsec policy-template temp1 10
 ike-peer rtb
 proposal tran1
#
ipsec policy policy1 10 isakmp template temp1
#
interface GigabitEthernet1/0/0
 ip address 1.2.0.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.2.0.1 255.255.255.0
#
ip route-static 10.1.0.0 255.255.255.0 1.2.0.2
ip route-static 192.168.0.0 255.255.255.0 1.2.0.2
#
return