Preface: the requirement is to build an IPsec VPN tunnel between the office and the data center for transferring files. Two devices are involved: a Huawei USG2000 firewall on the data center side and pfSense on the office side. Both support IPsec tunnels, and the configuration itself is not complicated; the hard part is getting the routing right (and keeping tunnel traffic out of the source NAT).


pfSense-side IPsec tunnel configuration:


1. Configure the Phase 1 (IKE) proposal: pre-shared key, hash algorithm, DH group and peer address must match the USG's IKE proposal and IKE peer below


2. Configure the Phase 2 (IPsec) proposal: ESP in tunnel mode with the same encryption and authentication algorithms as the USG's IPsec proposal; the local/remote networks are the mirror image of the USG's interesting-traffic ACL (local 192.168.226.0/24, remote 10.75.1.0/24)


3. Disable SNAT (outbound NAT) for traffic destined to the remote network, so tunnel traffic keeps its original source address and matches the Phase 2 selector


4. Firewall rules: allow IKE/ESP from the USG's public address on the WAN interface, and allow the decrypted traffic on the IPsec interface


USG2000-side IPsec tunnel configuration:
1. Configure an IKE proposal
[USG-1]ike proposal 1
[USG-1-ike-proposal-1]authentication-method pre-share   //IKE authentication method: pre-shared key
[USG-1-ike-proposal-1]authentication-algorithm sha1   //IKE authentication (hash) algorithm: sha1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96  //IKE integrity algorithm (used by IKEv2 only; IKEv1 uses the authentication algorithm above)
[USG-1-ike-proposal-1]dh group2  //DH group for the IKE key exchange (group2 = 1024-bit MODP, weak by today's standards; use group14 if both ends support it). Must match pfSense
[USG-1-ike-proposal-1]quit


[USG-1]ike peer USG-2   //create an IKE peer named USG-2 (the pfSense side)
[USG-1-ike-peer-usg-2]pre-shared-key ecps123    //must be identical to the PSK configured on pfSense
[USG-1-ike-peer-usg-2]remote-address a.a.a.a  //public IP of the pfSense peer
[USG-1-ike-peer-usg-2]ike-proposal 1       //bind the IKE proposal
[USG-1-ike-peer-usg-2]quit
2. Configure an IPsec proposal
[USG-1]ipsec proposal test
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel    //tunnel-mode encapsulation
[USG-1-ipsec-proposal-test]transform esp    //security protocol: ESP
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes   //ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1  //ESP authentication algorithm: SHA-1
[USG-1-ipsec-proposal-test]quit

//Create an ACL that defines the interesting traffic (the pfSense Phase 2 local/remote networks must be the mirror image of this rule)
[USG-1]acl 3000
[USG-1-acl-adv-3000]rule permit ip source 10.75.1.0 0.0.0.255 destination 192.168.226.0 0.0.0.255
[USG-1-acl-adv-3000]quit
[USG-1]ipsec policy map 1 isakmp    //create IPsec policy "map", sequence 1, with keys negotiated by IKE (ISAKMP)
[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2    //bind the IKE peer
[USG-1-ipsec-policy-isakmp-map-1]proposal test     //bind the IPsec proposal
[USG-1-ipsec-policy-isakmp-map-1]security acl 3000   //interesting traffic
[USG-1-ipsec-policy-isakmp-map-1]quit

//Apply the IPsec policy on the WAN interface
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map
[USG-1-GigabitEthernet0/0/1]quit
3. Add a static route and configure SNAT
//Default route to the Internet via next hop b.b.b.b
[USG-1]ip route-static 0.0.0.0 0.0.0.0 b.b.b.b

//trust -> untrust outbound direction: packets from 10.75.1.0/24 to 192.168.226.0/24 must NOT be NATed, otherwise their source address no longer matches ACL 3000 and they never enter the tunnel. This exemption has to be evaluated before the source-NAT policy below (policies are matched top-down, first match wins)
[USG-1]nat-policy interzone trust untrust outbound
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1     //policy 1: NAT exemption for tunnel traffic
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 10.75.1.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.226.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit

//Source-NAT everything else, reusing the address of interface G0/0/1 (easy-ip)
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2  //policy 2: Internet access
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit
4. Firewall (security policy) configuration
//Allow all hosts in the trust zone to reach the untrust zone
[USG-1]policy interzone trust untrust outbound
[USG-1-policy-interzone-trust-untrust-outbound]policy 1    //create the policy
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
[USG-1-policy-interzone-trust-untrust-outbound-1]quit

//untrust -> trust inbound direction: permit the decrypted tunnel traffic coming from the office. In this direction the source is the pfSense-side network 192.168.226.0/24 and the destination is the data center network 10.75.1.0/24 (the reverse of the outbound ACL); with the addresses the other way round, connections initiated from the office are dropped
[USG-1]policy interzone trust untrust inbound
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.226.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 10.75.1.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
[USG-1-policy-interzone-trust-untrust-inbound-1]quit

//untrust -> local inbound direction: let the IKE (UDP 500/4500) and ESP packets from the pfSense peer a.a.a.a reach this firewall itself. The destination must be this firewall's own public address on G0/0/1 (the IKE/ESP endpoint), not the upstream gateway
[USG-1]policy interzone local untrust inbound
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy source a.a.a.a 0
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination b.b.b.b 0
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
[USG-1-policy-interzone-local-untrust-inbound-1]quit

Note: when building the tunnel, the protocol parameters configured on the two ends must match. Once the tunnel is up, if one end cannot ping a PC on the other end, check the routing and whether SNAT has been disabled for the tunnel traffic, and fill in whatever is missing. My configuration may be incomplete, since much of it was done in the web UI and I did not take screenshots; work the rest out yourself.
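The two halves above have to agree with each other, and the closing note lists the usual reasons a freshly built tunnel carries no traffic: mismatched proposal parameters, traffic selectors that are not mirror images, and SNAT applied before encryption. The Python script below is an added example, not code from the original post, from pfSense or from Huawei. It models both sides with the values from the USG CLI above and checks those three things; the pfSense values are an assumption standing in for the screenshots that are not reproduced, and the IKE encryption algorithm is left out of the model because the article never sets it.

```python
"""Pre-flight consistency check for the pfSense <-> USG2000 tunnel described above.

Added example: not code from the original post, pfSense or Huawei. The USG values
come from the CLI in the article (the PSK is the article's placeholder); the
pfSense values are an assumption and are what the GUI has to be set to so that
it mirrors the USG side. The IKE encryption algorithm is not set on the page, so
it is deliberately left out of the model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Phase1:
    auth_method: str     # "pre-share"
    auth_algorithm: str  # IKE hash, e.g. "sha1"
    dh_group: int        # 2 == 1024-bit MODP
    psk: str


@dataclass(frozen=True)
class Phase2:
    protocol: str        # "esp"
    mode: str            # "tunnel"
    encryption: str
    auth_algorithm: str
    local_net: IPv4Network
    remote_net: IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    p1: Phase1
    p2: Phase2
    # NAT policy as (source subnet or None, destination subnet or None, action),
    # evaluated top-down like the USG's nat-policy: first match wins.
    nat_policy: tuple


def phase1_problems(a, b):
    """IKE (phase 1) parameters have to be identical on both peers."""
    return [f"phase1 {f} differs" for f in ("auth_method", "auth_algorithm", "dh_group", "psk")
            if getattr(a.p1, f) != getattr(b.p1, f)]


def phase2_problems(a, b):
    """IPsec (phase 2) parameters must match and the traffic selectors must be
    mirror images: A's local network is B's remote network and vice versa."""
    problems = [f"phase2 {f} differs" for f in ("protocol", "mode", "encryption", "auth_algorithm")
                if getattr(a.p2, f) != getattr(b.p2, f)]
    if a.p2.local_net != b.p2.remote_net:
        problems.append(f"{a.name} local {a.p2.local_net} != {b.name} remote {b.p2.remote_net}")
    if a.p2.remote_net != b.p2.local_net:
        problems.append(f"{a.name} remote {a.p2.remote_net} != {b.name} local {b.p2.local_net}")
    return problems


def nat_action(site, src, dst):
    """Walk the ordered NAT policy; with no matching rule nothing is translated."""
    for rule_src, rule_dst, action in site.nat_policy:
        if (rule_src is None or src.subnet_of(rule_src)) and (rule_dst is None or dst.subnet_of(rule_dst)):
            return action
    return "no-nat"


def nat_problems(site):
    """Tunnel traffic that is source-NATed before encryption no longer matches the
    interesting-traffic ACL / phase 2 selector, so the tunnel never carries it."""
    action = nat_action(site, site.p2.local_net, site.p2.remote_net)
    if action != "no-nat":
        return [f"{site.name}: {site.p2.local_net}->{site.p2.remote_net} hits '{action}' before the tunnel"]
    return []


def check_tunnel(a, b):
    """Every problem found; an empty list means the two sides are consistent."""
    return phase1_problems(a, b) + phase2_problems(a, b) + nat_problems(a) + nat_problems(b)


DC_NET = ip_network("10.75.1.0/24")          # behind the USG2000 (trust zone)
OFFICE_NET = ip_network("192.168.226.0/24")  # behind pfSense

USG = Site("USG-1",
           Phase1("pre-share", "sha1", 2, "ecps123"),
           Phase2("esp", "tunnel", "aes", "sha1", DC_NET, OFFICE_NET),
           ((DC_NET, OFFICE_NET, "no-nat"),      # nat-policy 1: exempt tunnel traffic
            (None, None, "source-nat")))        # nat-policy 2: easy-ip for the rest

PFSENSE = Site("pfSense",                      # assumed GUI values mirroring the USG
               Phase1("pre-share", "sha1", 2, "ecps123"),
               Phase2("esp", "tunnel", "aes", "sha1", OFFICE_NET, DC_NET),
               ((OFFICE_NET, DC_NET, "no-nat"), (None, None, "source-nat")))

# Constructed misconfigurations the check is meant to catch.
USG_SNAT_FIRST = Site(USG.name, USG.p1, USG.p2,
                      ((None, None, "source-nat"), (DC_NET, OFFICE_NET, "no-nat")))
PFSENSE_DH5 = Site(PFSENSE.name, Phase1("pre-share", "sha1", 5, "ecps123"), PFSENSE.p2, PFSENSE.nat_policy)
PFSENSE_SWAPPED = Site(PFSENSE.name, PFSENSE.p1,
                       Phase2("esp", "tunnel", "aes", "sha1", DC_NET, OFFICE_NET), PFSENSE.nat_policy)

if __name__ == "__main__":
    for label, a, b in (("as configured", USG, PFSENSE), ("snat before no-nat", USG_SNAT_FIRST, PFSENSE),
                        ("dh group mismatch", USG, PFSENSE_DH5), ("selectors swapped", USG, PFSENSE_SWAPPED)):
        print(f"{label}: {check_tunnel(a, b) or 'OK'}")
```

Run it as-is to see the four scenarios; for a real deployment replace the two Site definitions with what is actually configured on each box. It is a static check of the configuration, not a substitute for `display ike sa` / `display ipsec sa` on the USG and Status > IPsec on pfSense once the tunnel is up.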