
To improve network reliability, an enterprise branch usually establishes IPSec connections to headquarters over two or more links. This section looks at how to detect the state of the IPSec links and switch traffic between the IPSec tunnels as needed, so that services keep running.
IPSec high availability falls into two categories: link redundancy and active/standby gateway backup. Link redundancy itself can be implemented in several different ways.
Active/standby link backup
2:2 mode
Scenario
FW1 and FW2 each have two uplinks to the ISP; the requirement is that a failure of one uplink does not affect services.
How it works
The two physical interfaces of FW1 each apply a different IPSec policy, and so do the two physical interfaces of FW2. This is rarely seen in production, because a branch seldom has two links into the public network; if this method is used, nothing in the configuration needs special attention.
2:1 mode
Scenario
FWB has two uplinks to the ISP and FWA has only one; the requirement is that a failure of one of FWB's uplinks does not affect services.
How it works
The two physical interfaces of FWB each apply a different IPSec policy; on FWA's single physical interface, two tunnel interfaces are created and a different IPSec policy is applied to each. This is the most common topology. Note that sub-interfaces cannot be used: IPSec cannot be configured on a sub-interface.
Lab 1: active/standby IPSec VPN link backup between two gateways (dual links)
FW1's two physical interfaces each apply a different IPSec policy; FW2 creates two tunnel interfaces on its physical interface and applies an IPSec policy to each.
When FW1's G0/0/2 interface fails, services switch to G0/0/3, and FW2 must correspondingly move services from Tunnel1 to Tunnel2. ip-link can be used to detect the link state so that both sides switch together.
1. Basic firewall configuration
#fw1
interface GigabitEthernet0/0/1
ip address 10.1.1.10 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/3
ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet0/0/4
ip address 202.100.2.10 255.255.255.0
#fw2
interface GigabitEthernet0/0/1
ip address 10.1.2.11 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.21.10 255.255.255.0
interface GigabitEthernet0/0/3
ip address 192.168.1.11 255.255.255.0
2. Security policy configuration
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.21.10 mask 255.255.255.255
source-address 202.100.1.10 mask 255.255.255.255
source-address 202.100.2.10 mask 255.255.255.255
destination-address 10.1.21.10 mask 255.255.255.255
destination-address 202.100.1.10 mask 255.255.255.255
destination-address 202.100.2.10 mask 255.255.255.255
service esp
service isakmp
action permit
rule name pki
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.1.1 mask 255.255.255.255
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.1.1 mask 255.255.255.255
action permit
rule name ipsec
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
3. ip-link configuration
ip-link check enable
ip-link name iplink1
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
4. Static route configuration
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 preference 200
5. FW1 IPSec policy configuration
6. Create the tunnel interfaces on FW2
interface Tunnel1
ip address unnumbered interface GigabitEthernet0/0/2  # borrows the address of the public-network interface
tunnel-protocol ipsec
interface Tunnel2
ip address unnumbered interface GigabitEthernet0/0/2  # borrows the address of the public-network interface
tunnel-protocol ipsec
# be sure to add the tunnel interfaces to a security zone
firewall zone untrust
add interface Tunnel1
add interface Tunnel2
7. Configure ip-link on FW2
[FW2]ip-link name iplink2
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp next-hop 10.1.21.254
ip-link check enable
8. Configure static routes on FW2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
ip route-static 0.0.0.0 0.0.0.0 10.1.21.254
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link iplink2
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
9. FW2 IPSec policy configuration
10. Connectivity test
11. Check FW2's routing table
Lab 2: active/standby IPSec VPN link backup between two gateways
Requirements and topology
FW_A connects to the Internet over an active and a standby link, each with a fixed public IP address; FW_B connects to the Internet over a single link whose outbound interface also uses a fixed public IP address.
The following requirements must be met:
- FW_A and FW_B establish a secure IPSec tunnel so that headquarters and the branch can reach each other.
- When the active link on FW_A fails, services switch automatically to the standby link; when the active link recovers, services switch back to it automatically.
Procedure and configuration
1. Configure firewall interface IP addresses and security zones
1.1. FW1
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
service-manage ping permit
interface GigabitEthernet1/0/2
ip address 1.1.4.1 255.255.255.0
service-manage ping permit
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
1.2. FW2
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet1/0/1
ip address 2.2.2.2 255.255.255.0
service-manage ping permit
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface Tunnel1
add interface Tunnel2
1.3. Configure the tunnel interfaces on FW2
FW1 needs to establish two tunnels with FW2, but FW2 has only one physical interface, so two tunnel interfaces must be configured on FW2: Tunnel1 (active) and Tunnel2 (standby), corresponding to FW1's active and standby interfaces. When FW1 switches between its active and standby links, FW2 switches to the corresponding tunnel interface and the two sides renegotiate the IPSec tunnel.
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
firewall zone untrust
add interface Tunnel1
add interface Tunnel2
2. Configure ip-link and routes on the firewalls
2.1. Configure ip-link and routes on FW1
Configure two routes from FW1 to FW2 with different preferences so that they back each other up. Bind an ip-link to the primary route to monitor the state of the link it uses; when that link fails, the system switches to the backup route automatically.
#FW1
ip-link check enable
ip-link name HA1
destination 2.2.2.2 interface GigabitEthernet1/0/1 mode icmp next-hop 1.1.3.2
ip route-static 2.2.2.2 255.255.255.255 1.1.3.2 track ip-link HA1
ip route-static 2.2.2.2 255.255.255.255 1.1.4.2 preference 200
ip route-static 10.2.1.0 255.255.255.0 1.1.3.2 track ip-link HA1
ip route-static 10.2.1.0 255.255.255.0 1.1.4.2 preference 200
2.2. Configure ip-link and routes on FW2
On FW2, the traffic to be protected is steered to the tunnel interfaces by routing. Because FW2 has two tunnel interfaces, two routes to headquarters are needed, with outbound interfaces Tunnel1 and Tunnel2 and different preferences, so that they back each other up. Bind an ip-link to the primary route to monitor the state of the primary link; when it fails, the system switches to the backup route automatically.
#FW2
ip-link check enable
ip-link name HA1
destination 1.1.3.1 interface GigabitEthernet1/0/1 mode icmp next-hop 2.2.2.1
ip route-static 1.1.3.1 255.255.255.255 2.2.2.1
ip route-static 1.1.4.1 255.255.255.255 2.2.2.1
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link HA1
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
3. Configure IPSec
3.1. Configure IPSec on FW1
3.1.1. Define the traffic of interest
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
3.1.2. Configure the IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
3.1.3. Configure the IKE peer
ike peer FW2
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 2.2.2.2
3.1.4. Configure the IPSec proposal
ipsec proposal FW1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
3.1.5. Configure the IPSec policies
ipsec policy FW1 10 isakmp
security acl 3000
ike-peer FW2
proposal FW1
ipsec policy FW1B 20 isakmp
security acl 3000
ike-peer FW2
proposal FW1
3.1.6. Apply the IPSec policies to the interfaces
On FW1, GigabitEthernet 1/0/1 is the active interface and GigabitEthernet 1/0/2 the standby. IPSec security policies with identical settings (FW1 and FW1B) are applied on the active and standby interfaces; when the active interface fails, the system automatically switches the IPSec tunnel to the standby interface.
interface GigabitEthernet1/0/1
ipsec policy FW1
interface GigabitEthernet1/0/2
ipsec policy FW1B
3.2. Configure IPSec on FW2
3.2.1. Define the traffic of interest
acl number 3000
rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3.2.2. Configure the IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
3.2.3. Configure the IKE peers
ike peer FW1
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 1.1.3.1
ike peer FW1B
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 1.1.4.1
3.2.4. Configure the IPSec proposal
ipsec proposal FW2
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
3.2.5. Configure the IPSec policies
ipsec policy FW2 10 isakmp
security acl 3000
ike-peer FW1
proposal FW2
ipsec policy FW2B 20 isakmp
security acl 3000
ike-peer FW1B
proposal FW2
3.2.6. Apply the IPSec policies to the interfaces
Apply an IPSec security policy on Tunnel1 and on Tunnel2; when the active interface fails, the system automatically switches the IPSec tunnel to the standby interface.
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy FW2
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy FW2B
4. Configure security policies
#fw1&fw2
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 1.1.3.1 mask 255.255.255.255
source-address 1.1.4.1 mask 255.255.255.255
source-address 2.2.2.2 mask 255.255.255.255
destination-address 1.1.3.1 mask 255.255.255.255
destination-address 1.1.4.1 mask 255.255.255.255
destination-address 2.2.2.2 mask 255.255.255.255
service esp
service protocol udp destination-port 500
action permit
rule name trust_untrust
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.2.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.2.1.0 mask 255.255.255.0
action permit
Verification and analysis
1. Ping PC2 from PC1 to test connectivity
2. Check the IKE negotiation state on the firewalls
[FW1]dis ike sa
2022-08-17 13:21:34.530
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
436 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 2
[FW2]dis ike sa
2022-08-17 13:25:09.220
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
21 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 2
3. Check the IPSec negotiation state on the firewalls
[FW1]dis ipsec sa Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1" Sequence number : 10 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 436
Encapsulation mode: Tunnel
Holding time : 0d 0h 41m 12s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 9/540
[Inbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 7/420
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
Interface: Tunnel1
IPSec policy name: "FW2" Sequence number : 10 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 21
Encapsulation mode: Tunnel
Holding time : 0d 0h 42m 39s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 7/420
[Inbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 9/540
Anti-replay : Enable
Anti-replay window size: 1024
4. Check the session table
[FW1]dis fire se ta
2022-08-17 13:40:12.300
Current Total Sessions : 2
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
dis fire se ta
2022-08-17 13:41:19.190
Current Total Sessions : 3
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
5. Shut down FW1's G1/0/1 interface to simulate a failure
Check connectivity from the PC: a short interruption is observed.
6. Check the IKE negotiation state on the firewalls
[FW1]dis ike sa
2022-08-17 13:45:33.870
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
439 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
438 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
437 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 4
dis ike sa
2022-08-17 13:46:13.280
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24 1.1.4.1:500 RD|A v1:2 IP 1.1.4.1
23 1.1.4.1:500 RD|A v1:1 IP 1.1.4.1
22 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 4
7. Check the IPSec negotiation state on the firewalls
[FW1]dis ipsec sa
2022-08-17 13:45:39.450
ipsec sa information:
=============================== Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1" Sequence number : 10 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 437
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 6s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max sent sequence-number: 24
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 23/1380
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 21/1260
Anti-replay : Enable
Anti-replay window size: 1024
=============================== Interface: GigabitEthernet1/0/2
IPSec policy name: "FW1B" Sequence number : 20 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 439
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 10s
Tunnel local : 1.1.4.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max sent sequence-number: 6
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 5/300
[Inbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
dis ipsec sa
2022-08-17 13:46:15.780
ipsec sa information:
=============================== Interface: Tunnel1
IPSec policy name: "FW2" Sequence number : 10 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 22
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 44s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max sent sequence-number: 27
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 26/1560
[Inbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 22/1320
Anti-replay : Enable
Anti-replay window size: 1024
=============================== Interface: Tunnel2
IPSec policy name: "FW2B" Sequence number : 20 Acl group : 3000 Acl rule : 5 Mode : ISAKMP
Connection ID : 24
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 47s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.4.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3554
Max sent sequence-number: 34
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 33/1980
[Inbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485758/3554
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 38/2280
Anti-replay : Enable
Anti-replay window size: 1024
As can be seen, the SAs negotiated before the failure do not disappear on their own.
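A scripted check of this observation, as an added example that is not part of the page: the parser below reads `display ipsec sa` output, picks out the SA that was negotiated most recently (the one the failover brought up) and matches SPIs across the two peers. The sample strings are condensed from the FW1 and FW2 output above, keeping only the lines the parser uses.

```python
"""Parser for Huawei `display ipsec sa` output (added example, not from the page).
It picks out the SA that the failover freshly negotiated and cross-checks SPIs
between the two peers. Samples are condensed from this page's FW1/FW2 output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FW1_AFTER_FAILOVER = """\
=============================== Interface: GigabitEthernet1/0/1
Holding time : 0d 0h 59m 6s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
SA encrypted packets (number/bytes): 23/1380
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
=============================== Interface: GigabitEthernet1/0/2
Holding time : 0d 0h 0m 10s
Tunnel local : 1.1.4.1:500
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 187192865 (0xb285621)
SA encrypted packets (number/bytes): 5/300
[Inbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
"""

FW2_AFTER_FAILOVER = """\
=============================== Interface: Tunnel1
Tunnel remote : 1.1.3.1:500
[Outbound ESP SAs]
SPI: 185969235 (0xb15aa53)
[Inbound ESP SAs]
SPI: 201056852 (0xbfbe254)
=============================== Interface: Tunnel2
Tunnel remote : 1.1.4.1:500
[Outbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
[Inbound ESP SAs]
SPI: 187192865 (0xb285621)
"""


@dataclass
class IpsecSa:
    interface: str
    local: str = ""
    remote: str = ""
    holding_secs: int = 0
    out_spi: Optional[int] = None
    in_spi: Optional[int] = None
    encrypted_pkts: int = 0


def holding_to_secs(text: str) -> int:
    """'0d 0h 59m 6s' -> 3546 seconds since the SA was negotiated."""
    d, h, m, s = map(int, re.match(r"(\d+)d (\d+)h (\d+)m (\d+)s", text).groups())
    return ((d * 24 + h) * 60 + m) * 60 + s


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'Interface:' block; tolerates the page's joined header lines."""
    sas: List[IpsecSa] = []
    direction = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.search(r"Interface:\s*(\S+)", line):
            sas.append(IpsecSa(interface=m.group(1)))
            direction = ""
        elif not sas:
            continue                                   # banner before the first SA
        elif m := re.match(r"Tunnel (local|remote)\s*:\s*(\S+)", line):
            setattr(sas[-1], m.group(1), m.group(2))
        elif m := re.match(r"Holding time\s*:\s*(.+)", line):
            sas[-1].holding_secs = holding_to_secs(m.group(1))
        elif line.startswith("[Outbound") or line.startswith("[Inbound"):
            direction = "out" if line.startswith("[Out") else "in"
        elif direction and (m := re.match(r"SPI:\s*(\d+)", line)):
            setattr(sas[-1], f"{direction}_spi", int(m.group(1)))
        elif m := re.match(r"SA encrypted packets \(number/bytes\):\s*(\d+)/", line):
            sas[-1].encrypted_pkts = int(m.group(1))
    return sas


def newest_sa(sas: List[IpsecSa]) -> IpsecSa:
    """The most recently negotiated SA is the one the failover brought up; older
    ones linger until their lifetime expires, so do not read them as live paths."""
    return min(sas, key=lambda s: s.holding_secs)


def spi_pairs(local: List[IpsecSa], remote: List[IpsecSa]) -> Dict[str, str]:
    """Match each local SA to the remote SA whose SPIs mirror it (our outbound SPI
    is their inbound and vice versa); an interface missing here has no agreed peer."""
    return {a.interface: b.interface
            for a in local for b in remote
            if a.out_spi == b.in_spi and a.in_spi == b.out_spi}
```

On the page's output the newest SA on FW1 is the one on GigabitEthernet1/0/2, and both FW1 SAs still have a matching SPI pair on FW2 (Tunnel1 and Tunnel2), which is exactly why the stale pair keeps showing up on both sides.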
8. Check the session table
[FW1]dis fire se ta
2022-08-17 13:45:52.340
Current Total Sessions : 17
icmp VPN: public --> public 10.1.1.10:2289 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:753 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3057 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1777 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:241 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3313 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:3569 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1265 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4849 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4337 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3825 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:2801 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.3.1:0
icmp VPN: public --> public 10.1.1.10:4081 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.4.1:0
icmp VPN: public --> public 10.1.1.10:4593 --> 10.2.1.10:2048
[FW2]dis fire se ta
2022-08-17 13:46:27.520
Current Total Sessions : 25
icmp VPN: public --> public 10.1.1.10:11761 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10737 --> 10.2.1.10:2048
esp VPN: public --> public 1.1.3.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:13809 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9969 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13297 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9713 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:14065 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12017 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10225 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13553 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12529 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10481 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11249 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1110 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1107 --> 1.1.3.1:2048
icmp VPN: public --> public 10.1.1.10:10993 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1109 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1108 --> 1.1.3.1:2048
esp VPN: public --> public 1.1.4.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:12785 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12273 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9201 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11505 --> 10.2.1.10:2048
Tunnelled link backup
Scenario
FWB has two uplinks to the ISP and FWA has only one; the requirement is that a link failure on any one of FWB's physical interfaces does not affect services.
How it works
FWB creates one tunnel interface and builds one IPSec policy on it; FWA builds one IPSec policy on its physical interface. Link backup through a tunnel interface can provide redundancy across multiple links and, compared with active/standby link backup, is simpler to configure; because the IPSec tunnel does not need to be renegotiated, traffic switches over faster. The placement of the tunnel interface is the reverse of the active/standby method: the tunnel interface is configured at headquarters, i.e. the side with multiple public physical links.
Lab
FW1 creates one tunnel interface and builds one IPSec policy on it; FW2 builds one IPSec policy on its physical interface.
The tunnel interface needs a public IP address, and that address must be reachable from the peer.
0. Base configuration
# 1. Router base configuration
int g0/0/0
undo portswitch
ip add 10.1.21.254 24
int g0/0/1
undo portswitch
ip add 202.100.1.11 24
int g0/0/2
undo portswitch
ip add 202.100.2.11 24
# 2. Firewall base configuration
#fw1
sys FW1
int g0/0/0
ip add 192.168.0.10 24
int g0/0/1
ip add 10.1.1.10 24
int g0/0/2
ip add 202.100.1.10 24
int g0/0/3
ip add 202.100.2.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
add int g0/0/3
#fw2
sys FW2
int g0/0/0
ip add 192.168.0.11 24
int g0/0/1
ip add 10.1.2.10 24
int g0/0/2
ip add 10.1.21.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
quit
ip route-s 0.0.0.0 0 10.1.21.254
1. Create the tunnel interface on FW1
interface tunnel 1
ip add 11.1.1.1 24  # must be a public IP address, and it must be reachable
tunnel-protocol ipsec
fire zone untrust
add int tunnel 1
ip route-s 0.0.0.0 0 tunnel 1
2. Security policy configuration
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.21.10 mask 255.255.255.255
source-address 11.1.1.1 mask 255.255.255.255
destination-address 10.1.21.10 mask 255.255.255.255
destination-address 11.1.1.1 mask 255.255.255.255
service esp
service protocol udp source-port 0 to 65535 destination-port 500
action permit
rule name ipsec
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
3. ip-link configuration
#FW1
ip-link check enable
ip-link name iplink1
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
ip-link name iplink2
destination 202.100.2.11 interface GigabitEthernet0/0/3 mode icmp
4. Route configuration
#FW1
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 track ip-link iplink2
ip route-static 10.1.2.0 255.255.255.0 tunnel 1  # key step: steers the traffic into the tunnel
#AR1
ip route-static 11.1.1.1 32 202.100.1.10
ip route-static 11.1.1.1 32 202.100.2.10
5. IPSec configuration
#fw1
# define the traffic of interest
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
# IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
# IKE peer
ike peer ike1780516513
exchange-mode auto
pre-shared-key Huawei@123
ike-proposal 1
remote-id-type none
dpd type periodic
remote-address 10.1.21.10
# IPSec proposal
ipsec proposal prop1780516513
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
# IPSec policy
ipsec policy ipsec178051616 1 isakmp
security acl 3000
ike-peer ike1780516513
proposal prop1780516513
tunnel local applied-interface
alias ipsec1
sa trigger-mode auto
sa duration traffic-based 5242880
sa duration time-based 3600
# apply the IPSec policy on the tunnel interface
interface Tunnel1
ipsec policy ipsec178051616
#fw2
# define the traffic of interest
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
# IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
# IKE peer
ike peer ike1780657904
exchange-mode auto
pre-shared-key Huawei@123
ike-proposal 1
remote-id-type none
dpd type periodic
remote-address 11.1.1.1  # the tunnel interface's IP address, not the physical interface's
# IPSec proposal
ipsec proposal prop1780657904
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
# IPSec policy
ipsec policy ipsec1780657438 1 isakmp
security acl 3000
ike-peer ike1780657904
proposal prop1780657904
tunnel local applied-interface
alias ipsec2
sa trigger-mode auto
sa duration traffic-based 5242880
sa duration time-based 3600
# apply the IPSec policy on the outbound interface
interface GigabitEthernet0/0/2
ipsec policy ipsec1780657438
6. Verification
6.1. Check the IPSec negotiation state
[FW1]dis ipsec sa
2022-08-17 00:26:22.150 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 15m 36s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:25:01.370 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 14m 12s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
6.2. Check the IKE negotiation state
[FW1]dis ike sa
2022-08-17 00:26:45.930 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9 10.1.21.10:500 RD|A v2:2 IP 10.1.21.10
8 10.1.21.10:500 RD|A v2:1 IP 10.1.21.10
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW2]dis ike sa
2022-08-17 00:25:40.520 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 11.1.1.1:500 RD|ST|A v2:2 IP 11.1.1.1
5 11.1.1.1:500 RD|ST|A v2:1 IP 11.1.1.1
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
6.3. Connectivity test
6.4. Encryption/decryption test
[FW1]dis ipsec sta
2022-08-17 00:39:47.970 +08:00
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 8/4
input/output security bytes: 480/240
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 4, recv chip: 4, send err: 0
local cpu: 4, other cpu: 0, recv other cpu: 0
intact packet: 4, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 8, recv chip: 8, send err: 0
local cpu: 8, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 59, err: 0
IKE ctrl packet inbound ok: 59, outbound ok: 87
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
6.5. Check the routes on FW1 and AR1
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.1.11 GigabitEthernet0/0/2
Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
[R1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.1.10 GigabitEthernet0/0/1
Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.11 GigabitEthernet0/0/1
202.100.1.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6.6. Failover
Shut down interface G0/0/1 on AR1 and check AR1's routes
[R1-GigabitEthernet0/0/1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Check FW1's routes
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
6.7. Check the IPSec state
[FW1]dis ipsec sa
2022-08-17 00:46:36.620 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 35m 51s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 8/480
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:47:29.480 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 36m 40s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 8/480
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
6.8 Check IKE status
[FW1]dis ike sa
2022-08-17 00:47:07.410 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9 10.1.21.10:500 RD|A v2:2 IP 10.1.21.10
8 10.1.21.10:500 RD|A v2:1 IP 10.1.21.10
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW2]dis ike sa
2022-08-17 00:47:50.210 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 11.1.1.1:500 RD|ST|A v2:2 IP 11.1.1.1
5 11.1.1.1:500 RD|ST|A v2:1 IP 11.1.1.1
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
6.9 Test connectivity again
6.10 Check encryption/decryption statistics again
[FW1]dis ipsec sta
2022-08-17 00:48:38.220 +08:00
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 12/8
input/output security bytes: 720/480
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 8, recv chip: 8, send err: 0
local cpu: 8, other cpu: 0, recv other cpu: 0
intact packet: 8, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 12, recv chip: 12, send err: 0
local cpu: 12, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 75, err: 0
IKE ctrl packet inbound ok: 75, outbound ok: 103
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
6.11 Check the session table
[FW1]dis fire se ta ver pro esp
2022-08-17 00:49:34.730 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:08:41
Recv Interface: GigabitEthernet0/0/3
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
[FW2]dis fire se ta ver pro esp
2022-08-17 00:51:13.320 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f305918e103b9a62fc3ad0
Zone: untrust --> local TTL: 00:10:00 Left: 00:07:06
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
11.1.1.1:0 --> 10.1.21.10:0 PolicyName: ike
6.12 Recover the fault and check connectivity
[FW1]dis fire se ta ver pro esp
2022-08-17 00:54:57.470 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:10:00
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 150 bytes: 18,600
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
The ESP session is received on GigabitEthernet0/0/2 again: traffic has switched back.
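To make the checks in 6.10 to 6.12 repeatable instead of reading them by eye, here is an added Python example (not part of the original lab). It parses the two `display firewall session table verbose protocol esp` captures from FW1 and reports which ESP session changed its receiving interface, and it parses the `dropped security packet detail` counters of `display ipsec statistics` to flag the drop reasons that point at an SA mismatch or replayed/forged ESP traffic. The sample text is copied from the captures above and embedded as constants; the line formats are assumed from those captures only.

```python
import re

# Constructed samples copied from the FW1 captures above: the ESP session while
# g0/0/2 was down (6.11) and after it came back (6.12), plus the drop-detail
# part of 'display ipsec statistics' (6.10).
SESSION_LINK_DOWN = """\
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:08:41
Recv Interface: GigabitEthernet0/0/3
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
"""
SESSION_RESTORED = """\
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:10:00
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 150 bytes: 18,600
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
"""
IPSEC_STATS = """\
input/output dropped security packets: 0/0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
"""

def parse_esp_sessions(text):
    """One dict per ESP session: session ID, receiving interface, packet counts, peers."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = re.match(r"esp VPN: \S+ --> \S+ ID: (\S+)", line)
        if m:
            cur = {"id": m.group(1), "recv_if": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if (m := re.match(r"Recv Interface: (\S+)", line)):
            cur["recv_if"] = m.group(1)
        elif (m := re.match(r"<--packets: (\d+) bytes: [\d,]+ --> packets: (\d+)", line)):
            cur["in_pkts"], cur["out_pkts"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"(\S+):\d+ --> (\S+):\d+ PolicyName: (\S+)", line)):
            cur["src"], cur["dst"], cur["policy"] = m.groups()
    return sessions

def recv_interface_changes(before, after):
    """Sessions (by ID) whose receiving interface differs between two captures."""
    b = {s["id"]: s for s in parse_esp_sessions(before)}
    a = {s["id"]: s for s in parse_esp_sessions(after)}
    return {sid: (b[sid]["recv_if"], a[sid]["recv_if"])
            for sid in b.keys() & a.keys() if b[sid]["recv_if"] != a[sid]["recv_if"]}

def parse_drop_detail(text):
    """Counters listed under 'dropped security packet detail', e.g. {'replay': 0, ...}."""
    counters, in_detail = {}, False
    for line in text.splitlines():
        if line.startswith("dropped security packet detail"):
            in_detail = True
        elif in_detail:
            for name, val in re.findall(r"([A-Za-z ]+?): (\d+)", line):
                counters[name.strip()] = int(val)
    return counters

def drop_alerts(text):
    """Non-zero counters that indicate an SA mismatch or a replayed/forged ESP packet."""
    counters = parse_drop_detail(text)
    watched = ("can not find SA", "wrong SA", "authentication", "replay")
    return {k: counters[k] for k in watched if counters.get(k, 0) > 0}

if __name__ == "__main__":
    print(recv_interface_changes(SESSION_LINK_DOWN, SESSION_RESTORED))
    print(drop_alerts(IPSEC_STATS) or "no suspicious ESP drops")
```

On the captures above the script reports the single ESP session moving from GigabitEthernet0/0/3 back to GigabitEthernet0/0/2 and no suspicious drops; a non-zero `replay` or `authentication` counter after a switchover is the first thing to look at, because it means ESP packets arrived that the current SA could not verify.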
Active/Standby Gateway Backup
Scenario
The headquarters has two FWs, each connected to the ISP through a single public egress (dual devices, single ISP). When a fault occurs on FW1, services must switch over automatically.
How it works
FW1 creates one IPSec policy and FW2 synchronizes it; the remote gateway FW3 creates one IPSec policy.
Lab
FW1 creates one IPSec policy and FW2 synchronizes it. The router creates one IPSec policy.
1. Basic FW configuration
#fw1
int g0/0/1
ip add 10.1.1.100 24
int g0/0/2
ip add 202.100.1.100 24
int g0/0/3
ip add 172.16.1.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
#fw2
int g0/0/1
ip add 10.1.1.101 24
int g0/0/2
ip add 202.100.1.101 24
int g0/0/3
ip add 172.16.1.11 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
2. Basic AR configuration
#AR1
sys AR1
int g0/0/2
undo ip add
int g0/0/1
undo portswitch
ip add 202.100.1.254 24
int g0/0/0
undo portswitch
ip add 202.100.2.254 24
#AR2
sys AR2
int g0/0/1
undo portswitch
ip add 202.100.2.10 24
int g0/0/0
undo portswitch
ip add 10.1.2.10 24
ip route-s 0.0.0.0 0 202.100.2.254
3. Hot standby (HRP) configuration
3.1 fw1
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.11
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 active
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 active
3.2 fw2
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.10
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 standby
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 standby
4. Security policy configuration
Omitted.
5. Configure IPSec
5.1 Configure the interesting traffic
#fw1
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#ar2
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
5.2 Configure the IKE proposal
#fw1
ike proposal 1
encryption-algorithm aes-256 aes-192 aes-128 3des des
dh group14 group5 group2
authentication-algorithm sha2-256 sha1 md5
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#ar2
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
5.3 Configure the IKE peer
#FW1
ike peer AR2
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 202.100.2.10 # the virtual address is used as the peer address
#AR2
ike peer FW v1
pre-shared-key simple Huawei@123
ike-proposal 1
remote-address 202.100.1.10
5.4 Configure the IPSec proposal
#FW1
ipsec proposal FW
esp authentication-algorithm sha2-256 sha1 md5
esp encryption-algorithm aes-256 aes-192 aes-128 3des des
#AR2
ipsec proposal AR2
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
5.5 Configure the IPSec policy
#FW1
ipsec policy FW 10 isakmp
security acl 3000
ike-peer AR2
proposal FW
tunnel local 202.100.1.10 # use the virtual address as the tunnel's local (originating) address
sa trigger-mode auto
#AR2
ipsec policy AR2 10 isakmp
security acl 3000
ike-peer FW
proposal AR2
5.6 Bind the policy to the interface
#FW1
interface GigabitEthernet0/0/2
ipsec policy FW
#AR2
interface GigabitEthernet0/0/1
ipsec policy AR2
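The pieces that make this design survive a failover are the ones worth checking together: the IPSec policy's `tunnel local` and the peer's `remote-address` must both be the VRRP virtual IP of the interface the policy is bound to, HRP must track that interface, and the two proposals must overlap on something acceptable. The Python example below (added here, not part of the original lab) runs those checks over the FW1 and AR2 snippets from sections 3 and 5, embedded as strings trimmed to the lines the checks read. Negotiation is modelled as "first algorithm in FW1's configured order that AR2 also lists", which reproduces the ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1 seen in 6.2; the `WEAK` set is an editorial choice, not something the devices enforce.

```python
import re

# Constructed input: FW1 and AR2 lines from sections 3 and 5 above, trimmed to what
# the checks read, with sub-commands indented one space under their parent command.
FW1_CFG = """\
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/2
 vrrp vrid 2 virtual-ip 202.100.1.10 active
 ipsec policy FW
ike proposal 1
 encryption-algorithm aes-256 aes-192 aes-128 3des des
 dh group14 group5 group2
 authentication-algorithm sha2-256 sha1 md5
ike peer AR2
 remote-address 202.100.2.10
ipsec proposal FW
 esp authentication-algorithm sha2-256 sha1 md5
 esp encryption-algorithm aes-256 aes-192 aes-128 3des des
ipsec policy FW 10 isakmp
 tunnel local 202.100.1.10
"""
AR2_CFG = """\
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm sha2-256
ike peer FW v1
 remote-address 202.100.1.10
ipsec proposal AR2
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
"""
# Editorial list of algorithms that should not end up on a new tunnel.
WEAK = {"des", "3des", "md5", "sha1", "group2", "group5"}

def parse_blocks(cfg):
    """Map each top-level command to its indented sub-lines (repeated commands merge)."""
    blocks, key = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" "):
            blocks[key].append(raw.strip())
        elif raw.strip():
            key = raw.strip()
            blocks.setdefault(key, [])
    return blocks

def block(blocks, prefix):
    """Sub-lines of the first top-level command that starts with prefix."""
    return next(v for k, v in blocks.items() if k.startswith(prefix))

def algos(lines, keyword):
    """Algorithm list after keyword; the AR's 'aes-cbc-128' is normalised to the FW's 'aes-128'."""
    n = len(keyword.split())
    for l in lines:
        if l.startswith(keyword + " "):
            return [a.replace("aes-cbc-", "aes-") for a in l.split()[n:]]
    return []

def negotiate(initiator, responder):
    """Model: the first entry in the initiator's configured order that the responder also lists."""
    return next((a for a in initiator if a in responder), None)

def lint(fw_cfg, peer_cfg):
    fw, peer = parse_blocks(fw_cfg), parse_blocks(peer_cfg)
    findings = []
    # 1. The interface that carries the IPSec policy, and the VRRP virtual IP configured on it.
    ipsec_if, vips = None, {}
    for key, lines in fw.items():
        if key.startswith("interface "):
            for l in lines:
                if (m := re.match(r"vrrp vrid \d+ virtual-ip (\S+)", l)):
                    vips[key.split()[1]] = m.group(1)
                if re.match(r"ipsec policy \S+$", l):
                    ipsec_if = key.split()[1]
    vip = vips.get(ipsec_if)
    # 2. Both ends must address the SA by the virtual IP, or it is tied to whichever box is master now.
    local = next((l.split()[2] for l in block(fw, "ipsec policy ") if l.startswith("tunnel local ")), None)
    if local != vip:
        findings.append(f"tunnel local {local} is not the virtual IP {vip}")
    remote = next((l.split()[1] for l in block(peer, "ike peer ") if l.startswith("remote-address ")), None)
    if remote != vip:
        findings.append(f"peer remote-address {remote} is not the virtual IP {vip}")
    # 3. HRP must track the IPSec interface so a link failure actually moves the VRRP master.
    if ipsec_if not in {k.split()[-1] for k in fw if k.startswith("hrp track interface ")}:
        findings.append(f"hrp track interface missing for {ipsec_if}")
    # 4. What the two proposals can agree on, and whether that (or anything offered) is weak.
    negotiated, weak_offered = {}, set()
    pairs = [("ike_enc", "ike proposal", "encryption-algorithm"), ("ike_auth", "ike proposal", "authentication-algorithm"),
             ("ike_dh", "ike proposal", "dh"), ("esp_enc", "ipsec proposal", "esp encryption-algorithm"),
             ("esp_auth", "ipsec proposal", "esp authentication-algorithm")]
    for name, prefix, kw in pairs:
        offered = algos(block(fw, prefix), kw)
        weak_offered |= set(offered) & WEAK
        chosen = negotiated[name] = negotiate(offered, algos(block(peer, prefix), kw))
        if chosen is None:
            findings.append(f"{name}: no common algorithm")
        elif chosen in WEAK:
            findings.append(f"{name}: negotiated weak algorithm {chosen}")
    return {"vip": vip, "negotiated": negotiated, "weak_offered": sorted(weak_offered), "findings": findings}
```

On this lab's configuration the three HA checks pass, and the only findings are that the DH group and the ESP authentication algorithm settle on group2 and sha1, because AR2 offers nothing stronger; tightening AR2's proposals, not FW1's long fallback lists, is what changes the negotiated result.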
6. Verification
6.1 Check the IKE SA
HRP_M[FW1]dis ike sa
2022-08-18 00:41:03.110 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10
101 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_S<FW2>dis ike sa
2022-08-18 00:41:52.780 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10
5 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10
Number of IKE SA : 2
<AR2>dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
130 202.100.1.10 0 RD 2
128 202.100.1.10 0 RD 1
6.2 Check the IPSec SA
HRP_M[FW1]dis ipsec sa
2022-08-18 00:42:48.780 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 102
Encapsulation mode: Tunnel
Holding time : 0d 0h 32m 33s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1647
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 8/480
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1647
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 8/480
Anti-replay : Enable
Anti-replay window size: 1024
HRP_S<FW2>dis ipsec sa
2022-08-18 00:43:16.090 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 32m 56s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1624
Max sent sequence-number: 12288
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1624
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
<AR2>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "AR2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 130
Encapsulation mode: Tunnel
Tunnel local : 202.100.2.10
Tunnel remote : 202.100.1.10
Flow source : 10.1.2.0/255.255.255.0 0/0
Flow destination : 10.1.1.0/255.255.255.0 0/0
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436320/1598
Outpacket count : 8
Outpacket encap count : 8
Outpacket drop count : 0
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436320/1598
Inpacket count : 8
Inpacket decap count : 8
Inpacket drop count : 0
Max received sequence-number: 9
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
6.3 Test connectivity
6.4 Check the session table
HRP_M[FW1]dis fire se ta
2022-08-18 00:44:54.350 +08:00
Current Total Sessions : 13
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
esp VPN: public --> public 202.100.2.10:0 --> 202.100.1.10:0
icmp VPN: public --> public 10.1.1.1:1 --> 10.1.2.1:2048
udp VPN: public --> public 172.16.1.11:16384 --> 172.16.1.10:18514
tcp VPN: default --> default 192.168.0.101:49334 --> 192.168.0.10:8443
HRP_S<FW2>dis fire se ta
2022-08-18 00:45:22.080 +08:00
Current Total Sessions : 11
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
tcp VPN: default --> default 192.168.0.101:49306 --> 192.168.0.11:8443
udp VPN: public --> public 172.16.1.10:16384 --> 172.16.1.11:18514
6.5 Simulate an FW1 failure
Shut down FW1's g0/0/1 interface.
6.6 Test connectivity again
HRP_S[FW1]dis ike sa
2022-08-18 00:48:41.930 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10
101 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_M<FW2>dis ike sa
2022-08-18 00:49:08.130 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10
5 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_M<FW2>dis ipsec sa
2022-08-18 00:49:42.940 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 39m 23s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1237
Max sent sequence-number: 12292
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1237
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
HRP_S[FW1]dis ipsec sa
2022-08-18 00:50:02.270 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 102
Encapsulation mode: Tunnel
Holding time : 0d 0h 39m 46s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1214
Max sent sequence-number: 24576
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 12/720
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1214
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 12/720
Anti-replay : Enable
Anti-replay window size: 1024
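Reading the captures above by eye, what matters is that FW1 and FW2 hold the same SA (same SPIs, same endpoints) and that the M/S flags swapped after the failure. The Python example below (added here, not from the original lab) turns that into a check: it parses `display ipsec sa` from the active member, the standby member and AR2, verifies that the standby mirrors the active SA and that the SPIs pair with AR2's inbound/outbound SAs, and reads the Flag(s) column of `display ike sa` to verify that exactly one member is M and one is S. The samples are copied from the captures above and trimmed to the relevant lines; the flag parsing assumes the VPN column is blank, as it is in these captures.

```python
import re

# Constructed samples copied from the captures above, trimmed to the lines that
# matter: 'display ipsec sa' on FW1, FW2 and AR2 (6.2) and the IKE SA rows of
# 'display ike sa' before (6.1) and after (6.6) the simulated failure.
FW1_IPSEC = """\
Interface: GigabitEthernet0/0/2
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
"""
FW2_IPSEC = FW1_IPSEC  # HRP mirrored the SA: identical endpoints and SPIs in 6.2
AR2_IPSEC = """\
Interface: GigabitEthernet0/0/1
Tunnel local : 202.100.2.10
Tunnel remote : 202.100.1.10
[Outbound ESP SAs]
SPI: 185315463 (0xb0bb087)
[Inbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
"""
IKE_BEFORE = {
    "FW1": "102 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10\n101 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10",
    "FW2": "6 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10\n5 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10",
}
IKE_AFTER = {
    "FW1": "102 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10\n101 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10",
    "FW2": "6 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10\n5 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10",
}

def parse_ipsec_sa(text):
    """Tunnel endpoints and the outbound/inbound ESP SPIs from one 'display ipsec sa' block."""
    sa, direction = {"local": None, "remote": None, "out_spi": None, "in_spi": None}, None
    for line in text.splitlines():
        if (m := re.match(r"Tunnel (local|remote)\s*:\s*(\d+(?:\.\d+){3})", line)):
            sa[m.group(1)] = m.group(2)
        elif line.startswith("[Outbound"):
            direction = "out_spi"
        elif line.startswith("[Inbound"):
            direction = "in_spi"
        elif direction and (m := re.match(r"SPI:\s*(\d+)", line)):
            sa[direction] = int(m.group(1))
    return sa

def hrp_roles(ike_outputs):
    """Device -> 'M' (active) or 'S' (standby) from the Flag(s) column of the FW IKE SA rows."""
    roles = {}
    for dev, text in ike_outputs.items():
        flags = set()
        for line in text.splitlines():
            if (m := re.match(r"\d+\s+\S+\s+(\S+)\s+v\d:\d", line)):
                flags.update(m.group(1).split("|"))
        roles[dev] = "M" if "M" in flags else ("S" if "S" in flags else None)
    return roles

def check_ha_pair(active_sa, standby_sa, peer_sa, ike_outputs):
    """Return the list of problems; an empty list means the standby can take the tunnel over."""
    a, s, p = (parse_ipsec_sa(t) for t in (active_sa, standby_sa, peer_sa))
    problems = []
    if a != s:
        problems.append("standby SA is not a mirror of the active SA (HRP sync missing)")
    if (a["out_spi"], a["in_spi"]) != (p["in_spi"], p["out_spi"]):
        problems.append("SPIs do not pair with the remote peer's inbound/outbound SAs")
    if (a["local"], a["remote"]) != (p["remote"], p["local"]):
        problems.append("tunnel endpoints do not mirror the remote peer")
    roles = hrp_roles(ike_outputs)
    if sorted(roles.values(), key=str) != ["M", "S"]:
        problems.append(f"expected exactly one active and one standby member, got {roles}")
    return problems

if __name__ == "__main__":
    print("before failure:", check_ha_pair(FW1_IPSEC, FW2_IPSEC, AR2_IPSEC, IKE_BEFORE) or "OK")
    print("after failure: ", check_ha_pair(FW2_IPSEC, FW1_IPSEC, AR2_IPSEC, IKE_AFTER) or "OK")
```

Both the pre-failure state (FW1 active) and the post-failure state (FW2 active) pass, which is exactly why AR2 never renegotiated: the SPIs it holds stay valid whichever member answers on 202.100.1.10. A standby whose SPIs differ from the active member's is the case to catch before a failure, because the switchover would then force a fresh IKE negotiation and drop traffic until it completes.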