Preface: we need an IPsec VPN tunnel between the office network and the server room for transferring files. Two devices are involved: a Huawei USG2000 firewall on the server-room end and pfSense on the local (office) end. Both support IPsec tunnels, and the configuration itself is not complicated; the hard part is getting the routing right.
pfSense-side IPsec tunnel configuration:
1. Configure the security protocol
2. Set up the IPsec tunnel protocol
3. Disable SNAT
4. Firewall
USG2000-side IPsec tunnel configuration:
1. Configure a security proposal (IKE)
[USG-1]ike proposal 1
[USG-1-ike-proposal-1]authentication-method pre-share //set the IKE authentication method to pre-shared key
[USG-1-ike-proposal-1]authentication-algorithm sha1 //set the IKE authentication algorithm to SHA1
[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96 //set the IKE integrity algorithm
[USG-1-ike-proposal-1]dh group2 //set the DH group for IKE key negotiation
[USG-1]ike peer USG-2 //create an IKE peer named USG-2
[USG-1-ike-peer-usg-2]pre-shared-key ecps123 //pre-shared key; must be identical on the remote end
[USG-1-ike-peer-usg-2]remote-address a.a.a.a //IP address of the peer
[USG-1-ike-peer-usg-2]ike-proposal 1 //reference the IKE proposal
[USG-1-ike-peer-usg-2]quit
2. Configure an IPsec security proposal
[USG-1]ipsec proposal test
[USG-1-ipsec-proposal-test]encapsulation-mode tunnel //use tunnel encapsulation mode
[USG-1-ipsec-proposal-test]transform esp //use ESP as the IPsec security protocol
[USG-1-ipsec-proposal-test]esp encryption-algorithm aes //ESP encryption algorithm: AES
[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1 //ESP authentication algorithm: SHA1
//create an ACL that defines the interesting traffic
[USG-1]acl 3000
[USG-1-acl-adv-3000]rule permit ip source 10.75.1.0 0.0.0.255 destination 192.168.226.0 0.0.0.255
[USG-1]ipsec policy map 1 isakmp //create a security policy named map
[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2 //reference the IKE peer
[USG-1-ipsec-policy-isakmp-map-1]proposal test //reference the IPsec proposal
[USG-1-ipsec-policy-isakmp-map-1]security acl 3000 //bind the interesting-traffic ACL
//apply the security policy on the external interface
[USG-1]int g0/0/1
[USG-1-GigabitEthernet0/0/1]ipsec policy map
3. Add a static route and configure SNAT
//default route towards the Internet
[USG-1]ip route-static 0.0.0.0 0.0.0.0 b.b.b.b
//in the trust->untrust outbound NAT policy, exempt packets from 10.75.1.0/24 to 192.168.226.0/24 (the tunnel traffic) from NAT
[USG-1]nat-policy interzone trust untrust outbound
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1 //create policy 1
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 10.75.1.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.226.0 0.0.0.255
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit
//source-NAT everything else, reusing the address of interface G0/0/1 (easy IP)
[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2 //create policy 2
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
4. Firewall configuration
//allow all hosts in the trust zone to access the untrust zone
[USG-1]policy interzone trust untrust outbound
[USG-1-policy-interzone-trust-untrust-outbound]policy 1 //create policy 1
[USG-1-policy-interzone-trust-untrust-outbound-1]action permit
//inbound direction of the trust-untrust interzone policy: permit traffic with source 10.75.1.0/24 and destination 192.168.226.0/24
[USG-1]policy interzone trust untrust inbound
[USG-1-policy-interzone-trust-untrust-inbound]policy 1
[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 10.75.1.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.226.0 0.0.0.255
[USG-1-policy-interzone-trust-untrust-inbound-1]action permit
//inbound direction of the local-untrust interzone policy: permit packets with source a.a.a.a and destination b.b.b.b
[USG-1]policy interzone local untrust inbound
[USG-1-policy-interzone-local-untrust-inbound]policy 1
[USG-1-policy-interzone-local-untrust-inbound-1]policy source a.a.a.a 0
[USG-1-policy-interzone-local-untrust-inbound-1]policy destination b.b.b.b 0
[USG-1-policy-interzone-local-untrust-inbound-1]action permit
Note: when building the tunnel, make sure the protocol parameters configured on both devices match. Once the tunnel is up, if one end cannot ping the PC addresses on the other end, check the routing direction and whether SNAT has been disabled, and fill in whatever is missing. My configuration may be incomplete, because much of it was done through the web UI and I did not take screenshots; you will have to work the rest out yourself.
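The two failure causes the note above points at, mismatched proposal parameters and SNAT not switched off for the tunnel traffic (step 3), can be checked offline before touching either box. The following Python checker is an added example and is not part of the original post or of any Huawei or pfSense tooling: it reproduces the USG's first-match NAT policy evaluation and wildcard-mask matching for ACL 3000, then compares the IKE/IPsec parameters of the two ends. All addresses and parameter values are taken from the configuration above; the rule and function names, the pfSense-side parameter dictionary and the sample flows are the example's own constructions.

```python
# Added example (not from the original post): a checker for the two failure
# causes the post names, mismatched proposal parameters and SNAT not switched
# off for the tunnel traffic. Values come from the USG configuration in the
# post; rule/field names and sample flows are the example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Selector = Tuple[str, str]  # (network, Huawei wildcard mask)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL/NAT matching with a wildcard mask: a 1 bit means 'don't care'.
    '10.75.1.0 0.0.0.255' covers 10.75.1.0-10.75.1.255; a wildcard of '0'
    (as in 'policy source a.a.a.a 0') means an exact host match."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class NatRule:
    number: int
    action: str                     # "no-nat" or "source-nat"
    source: Optional[Selector]      # None = any
    destination: Optional[Selector]


# trust -> untrust outbound NAT policy in the order the post configures it:
# policy 1 exempts the tunnel traffic, policy 2 is easy-ip on g0/0/1.
NAT_POLICY = [
    NatRule(1, "no-nat", ("10.75.1.0", "0.0.0.255"), ("192.168.226.0", "0.0.0.255")),
    NatRule(2, "source-nat", None, None),
]

# ACL 3000 from the post: (src network, src wildcard, dst network, dst wildcard)
ACL_3000 = [("10.75.1.0", "0.0.0.255", "192.168.226.0", "0.0.0.255")]


def _rule_matches(rule: NatRule, src: str, dst: str) -> bool:
    src_ok = rule.source is None or wildcard_match(src, *rule.source)
    dst_ok = rule.destination is None or wildcard_match(dst, *rule.destination)
    return src_ok and dst_ok


def nat_action(policy, src: str, dst: str) -> str:
    """First matching rule wins, as in the USG NAT policy; no match means no NAT."""
    for rule in policy:
        if _rule_matches(rule, src, dst):
            return rule.action
    return "no-nat"


def is_interesting(acl, src: str, dst: str) -> bool:
    """True if the packet is selected by the IPsec interesting-traffic ACL."""
    return any(wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)
               for sn, sw, dn, dw in acl)


def leaking_flows(policy, acl, flows):
    """Flows the ACL wants in the tunnel but the NAT policy would still
    source-NAT: once the source is rewritten it no longer matches the ACL,
    so the packet leaves in the clear instead of entering the tunnel."""
    return [(s, d) for s, d in flows
            if is_interesting(acl, s, d) and nat_action(policy, s, d) != "no-nat"]


# IKE (phase 1) and IPsec (phase 2) parameters from the USG config in the post;
# the pfSense end must be set to the same values (its UI labels them
# differently, e.g. "Hash Algorithm" for the IKE authentication-algorithm).
USG_IKE = {"auth": "pre-share", "hash": "sha1", "dh": "group2"}
USG_IPSEC = {"protocol": "esp", "encryption": "aes", "auth": "sha1", "mode": "tunnel"}


def proposal_mismatches(local: dict, remote: dict) -> list:
    """Keys whose values differ between the two ends (a missing key counts)."""
    return sorted(k for k in set(local) | set(remote) if local.get(k) != remote.get(k))


if __name__ == "__main__":
    # constructed sample flows: one tunnel flow, one plain Internet flow (TEST-NET-3)
    flows = [("10.75.1.10", "192.168.226.20"), ("10.75.1.10", "203.0.113.5")]
    for s, d in flows:
        print(s, "->", d, ":", nat_action(NAT_POLICY, s, d),
              "(interesting)" if is_interesting(ACL_3000, s, d) else "")
    # the classic mistake: easy-ip rule ordered before the no-nat rule
    print("leaking with reversed policy:", leaking_flows(NAT_POLICY[::-1], ACL_3000, flows))
    # constructed pfSense side with the wrong hash selected
    print("mismatches:", proposal_mismatches(USG_IKE, {"auth": "pre-share", "hash": "sha256", "dh": "group2"}))
```

Run it as a script to see the tunnel flow hit `no-nat` and the Internet flow hit `source-nat`; reversing the two NAT rules makes `leaking_flows` report the tunnel flow, which is exactly the symptom of "tunnel is up but the other end's PCs do not answer ping" that the note describes.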