
To improve network reliability, a branch usually connects to headquarters over two or more links and builds IPSec tunnels across them. This section looks at how to detect the state of each IPSec link and switch traffic between the IPSec tunnels on demand, so that business traffic keeps flowing when one link fails.
IPSec high availability falls into two categories: link redundancy and active/standby gateway backup. Link redundancy itself can be implemented in several ways.
Active/standby link backup
2:2 mode
Scenario
Both FW1 and FW2 have two uplinks to the ISP; the failure of any one uplink must not affect business traffic.
How it works
FW1's two physical interfaces each apply a different IPSec policy, and so do FW2's two physical interfaces. This is uncommon in production because a branch rarely has two links to the public network; if you do use it, there is nothing special to watch out for in the configuration.
2:1 mode
Scenario
FWB has two uplinks to the ISP while FWA has only one; the failure of either FWB uplink must not affect business traffic.
How it works
FWB's two physical interfaces each apply a different IPSec policy; on FWA's single physical interface two Tunnel interfaces are created and a different IPSec policy is applied to each. This is the most common deployment. Note that subinterfaces cannot be used for this: an IPSec policy cannot be applied to a subinterface.
Lab 1: active/standby link backup between two gateways (dual links on one side)
FW1's two physical interfaces each apply a different IPSec policy; on FW2's single physical interface two Tunnel interfaces are created and an IPSec policy is applied to each.
When FW1's g0/0/2 fails, traffic switches to g0/0/3, and FW2 must correspondingly switch from Tunnel1 to Tunnel2. Both sides use ip-link to probe the link so that the two switchovers happen in step.
1. Basic firewall configuration
#fw1
interface GigabitEthernet0/0/1
ip address 10.1.1.10 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/3
ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet0/0/4
ip address 202.100.2.10 255.255.255.0
#fw2
interface GigabitEthernet0/0/1
ip address 10.1.2.11 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.21.10 255.255.255.0
interface GigabitEthernet0/0/3
ip address 192.168.1.11 255.255.255.0
2. Security policy configuration
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.21.10 mask 255.255.255.255
source-address 202.100.1.10 mask 255.255.255.255
source-address 202.100.2.10 mask 255.255.255.255
destination-address 10.1.21.10 mask 255.255.255.255
destination-address 202.100.1.10 mask 255.255.255.255
destination-address 202.100.2.10 mask 255.255.255.255
service esp
service isakmp
action permit
rule name pki
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.1.1 mask 255.255.255.255
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.1.1 mask 255.255.255.255
action permit
rule name ipsec
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
3. ip-link configuration (FW1)
ip-link check enable
ip-link name iplink1
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
4. Active/standby static routes (FW1)
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 preference 200
5. FW1 IPSec policy configuration
6. Create the Tunnel interfaces on FW2
interface Tunnel1
ip address unnumbered interface GigabitEthernet0/0/2   # borrow the address of the public-facing interface
tunnel-protocol ipsec
interface Tunnel2
ip address unnumbered interface GigabitEthernet0/0/2   # borrow the address of the public-facing interface
tunnel-protocol ipsec
# The Tunnel interfaces must be added to a security zone, otherwise the security policy cannot match their traffic
firewall zone untrust
add interface Tunnel1
add interface Tunnel2
7. Configure ip-link on FW2
[FW2]ip-link name iplink2
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp next-hop 10.1.21.254
ip-link check enable
8. Configure static routes on FW2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
ip route-static 0.0.0.0 0.0.0.0 10.1.21.254
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link iplink2
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
9. FW2 IPSec policy configuration
10. Connectivity test
11. Check FW2's routing table
Lab 2: active/standby link backup between two gateways
Requirements and topology
FW_A (FW1 in the configuration below) connects to the Internet over an active link and a standby link, each with a fixed public IP address; FW_B (FW2) connects over a single link whose outbound interface also has a fixed public IP address.
The requirements are:
- FW_A and FW_B establish an IPSec tunnel so that headquarters and the branch can reach each other.
- When FW_A's active link fails, traffic switches to the standby link automatically; when the active link recovers, traffic switches back automatically.
Configuration
1. Configure interface IP addresses and security zones
1.1. FW1
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
service-manage ping permit
interface GigabitEthernet1/0/2
ip address 1.1.4.1 255.255.255.0
service-manage ping permit
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
1.2. FW2
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet1/0/1
ip address 2.2.2.2 255.255.255.0
service-manage ping permit
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface Tunnel1
add interface Tunnel2
1.3. Configure the Tunnel interfaces on FW2
FW1 needs to build two tunnels with FW2, but FW2 has only one physical interface, so two Tunnel interfaces are configured on FW2: Tunnel1 (active) pairs with FW1's active interface and Tunnel2 (standby) with FW1's standby interface. When FW1 switches between its links, FW2 switches to the corresponding Tunnel interface and the two sides renegotiate the IPSec tunnel.
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
firewall zone untrust
add interface Tunnel1
add interface Tunnel2
2. Configure ip-link and routes on the firewalls
2.1. Configure ip-link and routes on FW1
Configure two pairs of routes from FW1 to FW2 (to FW2's public address and to the branch subnet), each pair with different preferences so that one route backs up the other. Bind an ip-link to the primary routes to probe the state of the primary link: when the primary link fails, the tracked routes are withdrawn and traffic follows the backup routes; when the ip-link comes back, the lower-preference primary routes win again.
#FW1
ip-link check enable
ip-link name HA1
destination 2.2.2.2 interface GigabitEthernet1/0/1 mode icmp next-hop 1.1.3.2
ip route-static 2.2.2.2 255.255.255.255 1.1.3.2 track ip-link HA1
ip route-static 2.2.2.2 255.255.255.255 1.1.4.2 preference 200
ip route-static 10.2.1.0 255.255.255.0 1.1.3.2 track ip-link HA1
ip route-static 10.2.1.0 255.255.255.0 1.1.4.2 preference 200
2.2. Configure ip-link and routes on FW2
On FW2 the traffic to be protected is steered into the Tunnel interfaces by routing. Because FW2 has two Tunnel interfaces, two routes to the headquarters subnet are configured, one out Tunnel1 and one out Tunnel2, with different preferences so that one backs up the other. An ip-link is bound to the primary route to probe the state of the primary link; when that link fails the primary route is withdrawn and traffic follows the backup route.
#FW2
ip-link check enable
ip-link name HA1
destination 1.1.3.1 interface GigabitEthernet1/0/1 mode icmp next-hop 2.2.2.1
ip route-static 1.1.3.1 255.255.255.255 2.2.2.1
ip route-static 1.1.4.1 255.255.255.255 2.2.2.1
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link HA1
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 200
3. Configure IPSec
3.1. Configure IPSec on FW1
3.1.1. Define the traffic to protect
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
3.1.2. Configure the IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
3.1.3. Configure the IKE peer
ike peer FW2
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 2.2.2.2
3.1.4. Configure the IPSec proposal
ipsec proposal FW1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
3.1.5. Configure the IPSec policies
ipsec policy FW1 10 isakmp
security acl 3000
ike-peer FW2
proposal FW1
ipsec policy FW1B 20 isakmp
security acl 3000
ike-peer FW2
proposal FW1
3.1.6. Bind the IPSec policies to the interfaces
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on FW1 are the active and standby interfaces. An IPSec policy group can be bound to only one interface, so two policies with identical contents (same ACL, IKE peer and proposal) are created and one is applied to each interface. When the active interface fails, the IPSec tunnel is re-established on the standby interface.
interface GigabitEthernet1/0/1
ipsec policy FW1
interface GigabitEthernet1/0/2
ipsec policy FW1B
3.2. Configure IPSec on FW2
3.2.1. Define the traffic to protect
acl number 3000
rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3.2.2. Configure the IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
3.2.3. Configure the IKE peers (one per FW1 public address)
ike peer FW1
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 1.1.3.1
ike peer FW1B
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 1.1.4.1
3.2.4. Configure the IPSec proposal
ipsec proposal FW2
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
3.2.5. Configure the IPSec policies
ipsec policy FW2 10 isakmp
security acl 3000
ike-peer FW1
proposal FW2
ipsec policy FW2B 20 isakmp
security acl 3000
ike-peer FW1B
proposal FW2
3.2.6. Bind the IPSec policies to the Tunnel interfaces
Apply one IPSec policy on Tunnel1 and the other on Tunnel2. When FW1's active interface fails, FW2's route switches to Tunnel2 and the IPSec tunnel is re-established there.
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy FW2
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy FW2B
4. Configure the security policy
# FW1 and FW2 (the same policy on both)
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 1.1.3.1 mask 255.255.255.255
source-address 1.1.4.1 mask 255.255.255.255
source-address 2.2.2.2 mask 255.255.255.255
destination-address 1.1.3.1 mask 255.255.255.255
destination-address 1.1.4.1 mask 255.255.255.255
destination-address 2.2.2.2 mask 255.255.255.255
service esp
service protocol udp destination-port 500
action permit
rule name trust_untrust
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.2.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.2.1.0 mask 255.255.255.0
action permit
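The security policy above is what decides whether IKE, ESP and the user traffic get through at all. The following Python model is an added example, not part of the original page and not a Huawei tool: it re-implements the first-match evaluation of the two rules with the zones, addresses and services taken from the configuration, while the packets are constructed and the `Packet`, `Rule` and `evaluate` names are the example's own. It shows which packets each rule admits and makes one caveat visible: the `ike` rule as written only opens UDP/500 and ESP, so if a NAT ever appeared on the path, the NAT-T traffic on UDP/4500 would hit the default deny (the SA output on this page reports "UDP encapsulation used for NAT traversal: N", so the policy is sufficient here).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str          # "udp", "tcp", "icmp" or "esp"
    dport: int = 0      # 0 for protocols without ports

@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    src_addrs: list = field(default_factory=list)   # ip_network objects; empty list = any
    dst_addrs: list = field(default_factory=list)
    services: list = field(default_factory=list)    # (proto, dport) pairs; dport 0 = any port
    action: str = "permit"

    def matches(self, p: Packet) -> bool:
        """Every configured condition must match; an unset condition matches anything."""
        if p.src_zone not in self.src_zones or p.dst_zone not in self.dst_zones:
            return False
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if self.src_addrs and not any(src in n for n in self.src_addrs):
            return False
        if self.dst_addrs and not any(dst in n for n in self.dst_addrs):
            return False
        if self.services and not any(proto == p.proto and dport in (0, p.dport)
                                     for proto, dport in self.services):
            return False
        return True

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

GATEWAYS = nets("1.1.3.1/32", "1.1.4.1/32", "2.2.2.2/32")   # addresses in rule ike
LANS = nets("10.1.1.0/24", "10.2.1.0/24")                  # addresses in rule trust_untrust
ZONES_IKE = {"local", "untrust"}
ZONES_USER = {"trust", "untrust"}

POLICY = [
    # rule name ike: ESP and IKE (udp/500) between the gateway addresses, local <-> untrust
    Rule("ike", ZONES_IKE, ZONES_IKE, GATEWAYS, GATEWAYS, [("esp", 0), ("udp", 500)]),
    # rule name trust_untrust: the two protected subnets, either direction, any service
    Rule("trust_untrust", ZONES_USER, ZONES_USER, LANS, LANS),
]

def evaluate(p: Packet, policy=POLICY) -> str:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in policy:
        if rule.matches(p):
            return f"{rule.action}:{rule.name}"
    return "deny:default"

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("local", "untrust", "1.1.3.1", "2.2.2.2", "udp", 500),      # IKE on the active link
        Packet("local", "untrust", "1.1.4.1", "2.2.2.2", "udp", 500),      # IKE on the standby link
        Packet("untrust", "local", "2.2.2.2", "1.1.4.1", "esp"),           # ESP back from the branch
        Packet("local", "untrust", "1.1.3.1", "2.2.2.2", "udp", 4500),     # NAT-T, not opened here
        Packet("trust", "untrust", "10.1.1.10", "10.2.1.10", "icmp"),      # PC1 -> PC2 before encryption
        Packet("untrust", "trust", "203.0.113.5", "10.1.1.10", "tcp", 22), # unrelated Internet host
    ]
    for s in samples:
        print(f"{s.src_zone}->{s.dst_zone} {s.src}->{s.dst} {s.proto}/{s.dport}: {evaluate(s)}")
```

Decrypted tunnel traffic is checked against the policy again after decapsulation, which is why the `trust_untrust` rule lists both subnets as source and destination.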
Verification and analysis
1. Ping from PC1 to PC2 to check connectivity
2. Check IKE negotiation on both firewalls
[FW1]dis ike sa
2022-08-17 13:21:34.530
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
436 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 2
[FW2]dis ike sa
2022-08-17 13:25:09.220
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
21 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 2
3. Check IPSec negotiation on both firewalls
[FW1]dis ipsec sa
Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 436
Encapsulation mode: Tunnel
Holding time : 0d 0h 41m 12s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 9/540
[Inbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1127
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 7/420
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
Interface: Tunnel1
IPSec policy name: "FW2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 21
Encapsulation mode: Tunnel
Holding time : 0d 0h 42m 39s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192672062 (0xb7bf13e)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 7/420
[Inbound ESP SAs]
SPI: 194213225 (0xb937569)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/1041
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 9/540
Anti-replay : Enable
Anti-replay window size: 1024
4. Check the session tables
[FW1]dis fire se ta
2022-08-17 13:40:12.300
Current Total Sessions : 2
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
[FW2]dis fire se ta
2022-08-17 13:41:19.190
Current Total Sessions : 3
icmp VPN: public --> public 2.2.2.2:1098 --> 1.1.3.1:2048
icmp VPN: public --> public 1.1.3.1:1027 --> 2.2.2.2:2048
udp VPN: public --> public 1.1.3.1:500 --> 2.2.2.2:500
5. Shut down g1/0/1 on FW1 to simulate a failure
Check connectivity from the PC: there is a brief interruption while the route switches and the tunnel is renegotiated on the standby link.
6. Check IKE negotiation on both firewalls
[FW1]dis ike sa
2022-08-17 13:45:33.870
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
439 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
438 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
437 2.2.2.2:500 RD|ST|A v1:2 IP 2.2.2.2
435 2.2.2.2:500 RD|ST|A v1:1 IP 2.2.2.2
Number of IKE SA : 4
[FW2]dis ike sa
2022-08-17 13:46:13.280
IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
24 1.1.4.1:500 RD|A v1:2 IP 1.1.4.1
23 1.1.4.1:500 RD|A v1:1 IP 1.1.4.1
22 1.1.3.1:500 RD|A v1:2 IP 1.1.3.1
20 1.1.3.1:500 RD|A v1:1 IP 1.1.3.1
Number of IKE SA : 4
7. Check IPSec negotiation on both firewalls
[FW1]dis ipsec sa
2022-08-17 13:45:39.450
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/1
===============================
IPSec policy name: "FW1"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 437
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 6s
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max sent sequence-number: 24
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 23/1380
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3294
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 21/1260
Anti-replay : Enable
Anti-replay window size: 1024
===============================
Interface: GigabitEthernet1/0/2
===============================
IPSec policy name: "FW1B"
Sequence number : 20
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 439
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 10s
Tunnel local : 1.1.4.1:500
Tunnel remote : 2.2.2.2:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.2.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max sent sequence-number: 6
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 5/300
[Inbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/3590
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 13:46:15.780
ipsec sa information:
===============================
Interface: Tunnel1
===============================
IPSec policy name: "FW2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 22
Encapsulation mode: Tunnel
Holding time : 0d 0h 59m 44s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 185969235 (0xb15aa53)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max sent sequence-number: 27
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 26/1560
[Inbound ESP SAs]
SPI: 201056852 (0xbfbe254)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3256
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 22/1320
Anti-replay : Enable
Anti-replay window size: 1024
===============================
Interface: Tunnel2
===============================
IPSec policy name: "FW2B"
Sequence number : 20
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
Connection ID : 24
Encapsulation mode: Tunnel
Holding time : 0d 0h 0m 47s
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.4.1:500
Flow source : 10.2.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485759/3554
Max sent sequence-number: 34
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 33/1980
[Inbound ESP SAs]
SPI: 187192865 (0xb285621)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485758/3554
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 38/2280
Anti-replay : Enable
Anti-replay window size: 1024
Note that the IKE and IPSec SAs negotiated on the failed active link (local 1.1.3.1 on FW1, Tunnel1 on FW2) are not torn down when the link goes down: they linger in the tables alongside the new SAs built on the standby link. Keep this in mind when reading SA tables after a failover; an SA still listed on the old interface does not mean the link is back.
8. Check the session tables
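One way to read these tables mechanically after a failover is to parse both `display ipsec sa` outputs and pair the SAs by SPI: the outbound SPI on one gateway must appear as the inbound SPI on the other with the endpoints swapped, and any SA whose local endpoint sits on an interface that is no longer up is a leftover. The Python below is an added example, not a Huawei tool and not part of the original page; the sample inputs are the two outputs above trimmed to the lines the parser reads, and the `IpsecSA`, `parse_ipsec_sa`, `pair_tunnels` and `stale_sas` names are the example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the two "display ipsec sa" outputs captured above after g1/0/1 was shut down,
# trimmed to the lines the parser reads.
FW1_OUTPUT = """\
=============================== Interface: GigabitEthernet1/0/1
IPSec policy name: "FW1" Sequence number : 10
Tunnel local : 1.1.3.1:500
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 201056852 (0xbfbe254)
[Inbound ESP SAs]
SPI: 185969235 (0xb15aa53)
=============================== Interface: GigabitEthernet1/0/2
IPSec policy name: "FW1B" Sequence number : 20
Tunnel local : 1.1.4.1:500
Tunnel remote : 2.2.2.2:500
[Outbound ESP SAs]
SPI: 187192865 (0xb285621)
[Inbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
"""
FW2_OUTPUT = """\
=============================== Interface: Tunnel1
IPSec policy name: "FW2" Sequence number : 10
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.3.1:500
[Outbound ESP SAs]
SPI: 185969235 (0xb15aa53)
[Inbound ESP SAs]
SPI: 201056852 (0xbfbe254)
=============================== Interface: Tunnel2
IPSec policy name: "FW2B" Sequence number : 20
Tunnel local : 2.2.2.2:500
Tunnel remote : 1.1.4.1:500
[Outbound ESP SAs]
SPI: 192914366 (0xb7fa3be)
[Inbound ESP SAs]
SPI: 187192865 (0xb285621)
"""

@dataclass
class IpsecSA:
    interface: str
    policy: str = ""
    local: str = ""
    remote: str = ""
    out_spi: int = 0
    in_spi: int = 0

FIELDS = {  # line pattern -> attribute filled from its first group
    r'IPSec policy name:\s*"([^"]+)"': "policy",
    r"Tunnel local\s*:\s*([\d.]+)": "local",
    r"Tunnel remote\s*:\s*([\d.]+)": "remote",
}

def parse_ipsec_sa(text):
    """One IpsecSA per 'Interface:' block; an SPI line is assigned by the
    [Outbound]/[Inbound] heading that precedes it."""
    sas, direction = [], None
    for line in text.splitlines():
        if (m := re.search(r"Interface:\s*(\S+)", line)):
            sas.append(IpsecSA(interface=m.group(1)))
            direction = None
        elif not sas:
            continue                      # text before the first block
        elif line.startswith("[Outbound"):
            direction = "out_spi"
        elif line.startswith("[Inbound"):
            direction = "in_spi"
        elif (m := re.match(r"SPI:\s*(\d+)", line)) and direction:
            setattr(sas[-1], direction, int(m.group(1)))
        else:
            for pat, attr in FIELDS.items():
                if (m := re.search(pat, line)):
                    setattr(sas[-1], attr, m.group(1))
    return sas

def pair_tunnels(local_sas, peer_sas):
    """Match SAs across the two gateways: our outbound SPI must be the peer's inbound SPI
    and vice versa, with the endpoints swapped. Returns (pairs, unmatched interfaces)."""
    pairs, unmatched = [], []
    for a in local_sas:
        match = [b for b in peer_sas
                 if b.in_spi == a.out_spi and b.out_spi == a.in_spi
                 and b.local == a.remote and b.remote == a.local]
        (pairs.append((a.interface, match[0].interface)) if match
         else unmatched.append(a.interface))
    return pairs, unmatched

def stale_sas(sas, up_local_addrs):
    """SAs whose local endpoint belongs to an interface that is no longer up: these linger
    after a failover, as the output above shows, and should not be read as a live tunnel."""
    return [sa.interface for sa in sas if sa.local not in up_local_addrs]

if __name__ == "__main__":
    fw1, fw2 = parse_ipsec_sa(FW1_OUTPUT), parse_ipsec_sa(FW2_OUTPUT)
    print("paired:", pair_tunnels(fw1, fw2))
    print("stale on FW1 with only 1.1.4.1 up:", stale_sas(fw1, {"1.1.4.1"}))
```

An SA that pairs by SPI but whose peer counterpart is missing, or a mismatch in the endpoint pair, points at an asymmetric renegotiation; run the same pairing after the link recovers to confirm that traffic went back to the active interface.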
[FW1]dis fire se ta
2022-08-17 13:45:52.340
Current Total Sessions : 17
icmp VPN: public --> public 10.1.1.10:2289 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:753 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3057 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1777 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:241 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3313 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:3569 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:1265 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4849 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:4337 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:3825 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:2801 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.3.1:0
icmp VPN: public --> public 10.1.1.10:4081 --> 10.2.1.10:2048
esp VPN: public --> public 2.2.2.2:0 --> 1.1.4.1:0
icmp VPN: public --> public 10.1.1.10:4593 --> 10.2.1.10:2048
[FW2]dis fire se ta
2022-08-17 13:46:27.520
Current Total Sessions : 25
icmp VPN: public --> public 10.1.1.10:11761 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10737 --> 10.2.1.10:2048
esp VPN: public --> public 1.1.3.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:13809 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9969 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13297 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9713 --> 10.2.1.10:2048
udp VPN: public --> public 1.1.4.1:500 --> 2.2.2.2:500
icmp VPN: public --> public 10.1.1.10:14065 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12017 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10225 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:13553 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12529 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:10481 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11249 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1110 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1107 --> 1.1.3.1:2048
icmp VPN: public --> public 10.1.1.10:10993 --> 10.2.1.10:2048
icmp VPN: public --> public 2.2.2.2:1109 --> 1.1.3.1:2048
icmp VPN: public --> public 2.2.2.2:1108 --> 1.1.3.1:2048
esp VPN: public --> public 1.1.4.1:0 --> 2.2.2.2:0
icmp VPN: public --> public 10.1.1.10:12785 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:12273 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:9201 --> 10.2.1.10:2048
icmp VPN: public --> public 10.1.1.10:11505 --> 10.2.1.10:2048
Tunnel-based link backup
Scenario
FWB has two uplinks to the ISP while FWA has only one; the failure of the link on either FWB physical interface must not affect business traffic.
How it works
FWB creates a single Tunnel interface and applies one IPSec policy to it; FWA applies one IPSec policy on its physical interface. Link redundancy through a Tunnel interface can back up multiple physical links at once, and compared with active/standby link backup the configuration is simpler and the IPSec tunnel does not need to be renegotiated when a link fails, so traffic switches much faster. The placement of the Tunnel interface is the opposite of the active/standby design: here the Tunnel interface is configured on the side with multiple public links (headquarters), not on the single-link side.
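To make the difference between the two designs concrete, the following Python model (an added example, not part of the original page) replays a failure and recovery of the tracked ip-link against the routing tables of lab 2 (FW1 with one IPSec policy per physical interface) and of this lab (FW1 with one policy on Tunnel1, configured below). Routes are selected by longest prefix and then lowest preference, tracked routes are withdrawn while their ip-link is down, and an IKE endpoint pair that has no SA yet triggers a negotiation. The addresses are those of the two labs; the `Route`, `Gateway` and `simulate` names and the negotiation counting are the model's own simplification (it ignores SA lifetimes and DPD).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    via: str            # next-hop address or outbound interface name
    preference: int = 60
    track: str = ""     # ip-link name; the route is withdrawn while that ip-link is down

def lookup(rib, links, dst):
    """Longest-prefix match among active routes, then lowest preference;
    equal-preference survivors are returned together (ECMP)."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib
             if (not r.track or links.get(r.track, False))
             and addr in ipaddress.ip_network(r.prefix)]
    if not cands:
        return []
    best_len = max(ipaddress.ip_network(r.prefix).prefixlen for r in cands)
    cands = [r for r in cands if ipaddress.ip_network(r.prefix).prefixlen == best_len]
    best_pref = min(r.preference for r in cands)
    return [r.via for r in cands if r.preference == best_pref]

@dataclass
class Gateway:
    rib: list
    endpoint_of: dict               # via -> local address IKE uses when traffic leaves that way
    sa_table: set = field(default_factory=set)
    negotiations: int = 0

    def send(self, links, dst, remote):
        """Route protected traffic for dst; an endpoint pair with no SA yet is negotiated."""
        vias = lookup(self.rib, links, dst)
        if not vias:
            return None
        key = (self.endpoint_of[vias[0]], remote)
        if key not in self.sa_table:
            self.sa_table.add(key)
            self.negotiations += 1
        return key

def design_a():
    """Lab 2, FW1: one policy per physical interface; the IKE endpoint follows the egress."""
    rib = [Route("2.2.2.2/32", "1.1.3.2", 60, "HA1"), Route("2.2.2.2/32", "1.1.4.2", 200),
           Route("10.2.1.0/24", "1.1.3.2", 60, "HA1"), Route("10.2.1.0/24", "1.1.4.2", 200)]
    return Gateway(rib, {"1.1.3.2": "1.1.3.1", "1.1.4.2": "1.1.4.1"})

def design_b():
    """This lab, FW1: one policy on Tunnel1; the IKE endpoint is the tunnel address 11.1.1.1
    whichever physical link carries the outer packet."""
    rib = [Route("10.1.2.0/24", "Tunnel1"),
           Route("0.0.0.0/0", "202.100.1.11", 60, "iplink1"),
           Route("0.0.0.0/0", "202.100.2.11", 60, "iplink2")]
    return Gateway(rib, {"Tunnel1": "11.1.1.1"})

def simulate(gw, links, track, dst, remote):
    """Drive ip-link `track` through up -> down -> up. Returns, per step, the SA endpoint
    pair used and the outer next hop(s) toward the peer, plus the negotiation count."""
    steps = []
    for state in (True, False, True):
        links[track] = state
        steps.append((gw.send(links, dst, remote), lookup(gw.rib, links, remote)))
    return steps, gw.negotiations

if __name__ == "__main__":
    for name, gw, links, track, dst, remote in (
        ("active/standby", design_a(), {"HA1": True}, "HA1", "10.2.1.10", "2.2.2.2"),
        ("tunnel-based", design_b(), {"iplink1": True, "iplink2": True}, "iplink1",
         "10.1.2.10", "10.1.21.10")):
        steps, n = simulate(gw, links, track, dst, remote)
        print(name, steps, "negotiations:", n)
```

In the active/standby design the failure changes the local IKE endpoint from 1.1.3.1 to 1.1.4.1, so a second SA has to be negotiated (and the first one lingers, as lab 2 showed). In the tunnel design only the outer next hop changes; the endpoint pair and therefore the SA stay the same, which is what the unchanged SPIs in the checks below demonstrate.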
Lab
FW1 creates a Tunnel interface and applies an IPSec policy to it; FW2 applies an IPSec policy on its physical interface.
The Tunnel interface needs a public IP address, and that address must be reachable from the peer over every physical link (here AR1 holds one host route to it per link).
0. Base configuration
# 1. Router (AR1) base configuration
int g0/0/0
undo portswitch
ip add 10.1.21.254 24
int g0/0/1
undo portswitch
ip add 202.100.1.11 24
int g0/0/2
undo portswitch
ip add 202.100.2.11 24
# 2. Firewall base configuration
#fw1
sys FW1
int g0/0/0
ip add 192.168.0.10 24
int g0/0/1
ip add 10.1.1.10 24
int g0/0/2
ip add 202.100.1.10 24
int g0/0/3
ip add 202.100.2.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
add int g0/0/3
#fw2
sys FW2
int g0/0/0
ip add 192.168.0.11 24
int g0/0/1
ip add 10.1.2.10 24
int g0/0/2
ip add 10.1.21.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
quit
ip route-s 0.0.0.0 0 10.1.21.254
1. Create the Tunnel interface on FW1
interface tunnel 1
ip add 11.1.1.1 24   # must be a public IP address, and the peer must be able to reach it
tunnel-protocol ipsec
fire zone untrust
add int tunnel 1
# Do not point the default route at Tunnel1: the only route into the tunnel is the one for the peer's protected subnet (step 4); the default routes stay on the physical links, as the routing table in 6.5 confirms.
2. Security policy configuration
security-policy
rule name ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.21.10 mask 255.255.255.255
source-address 11.1.1.1 mask 255.255.255.255
destination-address 10.1.21.10 mask 255.255.255.255
destination-address 11.1.1.1 mask 255.255.255.255
service esp
service protocol udp source-port 0 to 65535 destination-port 500
action permit
rule name ipsec
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 10.1.2.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
3. ip-link configuration (one probe per physical link)
#FW1
ip-link check enable
ip-link name iplink1
destination 202.100.1.11 interface GigabitEthernet0/0/2 mode icmp
ip-link name iplink2
destination 202.100.2.11 interface GigabitEthernet0/0/3 mode icmp
4. Route configuration
#FW1
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11 track ip-link iplink1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.11 track ip-link iplink2
ip route-static 10.1.2.0 255.255.255.0 tunnel 1   # Key step: this route is what steers the protected traffic into the tunnel
#AR1 (one host route to the tunnel address per link, so the return path survives either link failure)
ip route-static 11.1.1.1 32 202.100.1.10
ip route-static 11.1.1.1 32 202.100.2.10
5. IPSec configuration
#fw1
# Define the traffic to protect
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
# IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
# IKE peer
ike peer ike1780516513
exchange-mode auto
pre-shared-key Huawei@123
ike-proposal 1
remote-id-type none
dpd type periodic
remote-address 10.1.21.10
# IPSec proposal
ipsec proposal prop1780516513
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
# IPSec policy
ipsec policy ipsec178051616 1 isakmp
security acl 3000
ike-peer ike1780516513
proposal prop1780516513
tunnel local applied-interface
alias ipsec1
sa trigger-mode auto
sa duration traffic-based 5242880
sa duration time-based 3600
# Apply the IPSec policy on the Tunnel interface
interface Tunnel1
ipsec policy ipsec178051616
#fw2
# Define the traffic to protect
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
# IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
# IKE peer
ike peer ike1780657904
exchange-mode auto
pre-shared-key Huawei@123
ike-proposal 1
remote-id-type none
dpd type periodic
remote-address 11.1.1.1   # FW1's Tunnel interface address, not the address of either physical interface
# IPSec proposal
ipsec proposal prop1780657904
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
# IPSec policy
ipsec policy ipsec1780657438 1 isakmp
security acl 3000
ike-peer ike1780657904
proposal prop1780657904
tunnel local applied-interface
alias ipsec2
sa trigger-mode auto
sa duration traffic-based 5242880
sa duration time-based 3600
# Apply the IPSec policy on the outbound physical interface
interface GigabitEthernet0/0/2
ipsec policy ipsec1780657438
6. Verification
6.1. Check the IPSec SAs
[FW1]dis ipsec sa
2022-08-17 00:26:22.150 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 15m 36s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/603864
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:25:01.370 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 14m 12s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/2748
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
6.2. Check the IKE SAs
[FW1]dis ike sa
2022-08-17 00:26:45.930 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9 10.1.21.10:500 RD|A v2:2 IP 10.1.21.10
8 10.1.21.10:500 RD|A v2:1 IP 10.1.21.10
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW2]dis ike sa
2022-08-17 00:25:40.520 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 11.1.1.1:500 RD|ST|A v2:2 IP 11.1.1.1
5 11.1.1.1:500 RD|ST|A v2:1 IP 11.1.1.1
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
6.3. Connectivity test
6.4. Encryption/decryption counters
[FW1]dis ipsec sta
2022-08-17 00:39:47.970 +08:00
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 8/4
input/output security bytes: 480/240
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 4, recv chip: 4, send err: 0
local cpu: 4, other cpu: 0, recv other cpu: 0
intact packet: 4, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 8, recv chip: 8, send err: 0
local cpu: 8, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 59, err: 0
IKE ctrl packet inbound ok: 59, outbound ok: 87
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
6.5. Check the routing tables on FW1 and AR1
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.1.11 GigabitEthernet0/0/2
Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
[R1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.1.10 GigabitEthernet0/0/1
Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.11 GigabitEthernet0/0/1
202.100.1.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6.6. Failover
Shut down g0/0/1 on AR1 to simulate a link failure, then check AR1's routing table: the host route to 11.1.1.1/32 via 202.100.1.10 has been withdrawn and only the path via 202.100.2.10 remains.
[R1-GigabitEthernet0/0/1]dis ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.21.0/24 Direct 0 0 D 10.1.21.254 GigabitEthernet0/0/0
10.1.21.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.1.21.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
11.1.1.1/32 Static 60 0 RD 202.100.2.10 GigabitEthernet0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.2.0/24 Direct 0 0 D 202.100.2.11 GigabitEthernet0/0/2
202.100.2.11/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Check FW1's routing table: ip-link iplink1 has failed, so the default route via 202.100.1.11 is withdrawn and only the one via 202.100.2.11 remains, while the route to 10.1.2.0/24 still points into Tunnel1.
[FW1]dis ip rou
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.2.11 GigabitEthernet0/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.10 GigabitEthernet0/0/1
10.1.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.2.0/24 Static 60 0 D 11.1.1.1 Tunnel1
11.1.1.0/24 Direct 0 0 D 11.1.1.1 Tunnel1
11.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/24 Direct 0 0 D 202.100.1.10 GigabitEthernet0/0/2
202.100.1.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
202.100.2.0/24 Direct 0 0 D 202.100.2.10 GigabitEthernet0/0/3
202.100.2.10/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
6.7. Check the IPSec SAs: the Connection ID (9 on FW1, 6 on FW2) and both SPIs are unchanged from 6.1, so the tunnel was not renegotiated; only the packet counters have advanced.
[FW1]dis ipsec sa
2022-08-17 00:46:36.620 +08:00
ipsec sa information:
===============================
Interface: Tunnel1
===============================
-----------------------------
IPSec policy name: "ipsec178051616"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Holding time : 0d 0h 35m 51s
Tunnel local : 11.1.1.1:500
Tunnel remote : 10.1.21.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/602649
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 8/480
Anti-replay : Enable
Anti-replay window size: 1024
[FW2]dis ipsec sa
2022-08-17 00:47:29.480 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "ipsec1780657438"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 36m 40s
Tunnel local : 10.1.21.10:500
Tunnel remote : 11.1.1.1:500
Flow source : 10.1.2.0/255.255.255.0 0/0-65535
Flow destination : 10.1.1.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 184751568 (0xb0315d0)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 8/480
[Inbound ESP SAs]
SPI: 188944344 (0xb430fd8)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/1400
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
6.8 Check IKE status
[FW1]dis ike sa
2022-08-17 00:47:07.410 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
9 10.1.21.10:500 RD|A v2:2 IP 10.1.21.10
8 10.1.21.10:500 RD|A v2:1 IP 10.1.21.10
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
[FW2]dis ike sa
2022-08-17 00:47:50.210 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 11.1.1.1:500 RD|ST|A v2:2 IP 11.1.1.1
5 11.1.1.1:500 RD|ST|A v2:1 IP 11.1.1.1
Number of IKE SA : 2
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
6.9 Test connectivity again
6.10 Check the encryption/decryption statistics again
[FW1]dis ipsec sta
2022-08-17 00:48:38.220 +08:00
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 12/8
input/output security bytes: 720/480
input/output dropped security packets: 0/0
the encrypt packet statistics:
send chip: 8, recv chip: 8, send err: 0
local cpu: 8, other cpu: 0, recv other cpu: 0
intact packet: 8, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 12, recv chip: 12, send err: 0
local cpu: 12, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 0, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 75, err: 0
IKE ctrl packet inbound ok: 75, outbound ok: 103
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
6.11 Check the session table
[FW1]dis fire se ta ver pro esp
2022-08-17 00:49:34.730 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:08:41
Recv Interface: GigabitEthernet0/0/3
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
[FW2]dis fire se ta ver pro esp
2022-08-17 00:51:13.320 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f305918e103b9a62fc3ad0
Zone: untrust --> local TTL: 00:10:00 Left: 00:07:06
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 4 bytes: 496
11.1.1.1:0 --> 10.1.21.10:0 PolicyName: ike
6.12 Recover from the fault and check connectivity
[FW1]dis fire se ta ver pro esp
2022-08-17 00:54:57.470 +08:00
Current Total Sessions : 1
esp VPN: public --> public ID: a48f38484db906f5562fc3acc
Zone: untrust --> local TTL: 00:10:00 Left: 00:10:00
Recv Interface: GigabitEthernet0/0/2
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 150 bytes: 18,600
10.1.21.10:0 --> 11.1.1.1:0 PolicyName: ike
The session is now received on GigabitEthernet0/0/2 again, so traffic has switched back to the primary link.
Active/standby gateway backup
Scenario
The headquarters has two FWs, each connected to the ISP through a single public egress (dual devices, single ISP). When a failure occurs on FW1, traffic must switch over automatically.
Implementation principle
FW1 creates one IPSec policy and FW2 receives it through synchronization; the remote gateway FW3 creates one IPSec policy.
Lab
FW1 creates one IPSec policy and FW2 synchronizes it. The router creates one IPSec policy.
1. Basic FW configuration
#fw1
int g0/0/1
ip add 10.1.1.100 24
int g0/0/2
ip add 202.100.1.100 24
int g0/0/3
ip add 172.16.1.10 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
#fw2
int g0/0/1
ip add 10.1.1.101 24
int g0/0/2
ip add 202.100.1.101 24
int g0/0/3
ip add 172.16.1.11 24
fire zone trust
add int g0/0/1
fire zone untrust
add int g0/0/2
fire zone dmz
add int g0/0/3
ip route-s 0.0.0.0 0 202.100.1.254
2. Basic AR configuration
#AR1
sys AR1
int g0/0/2
undo ip add
int g0/0/1
undo portswitch
ip add 202.100.1.254 24
int g0/0/0
undo portswitch
ip add 202.100.2.254 24
#AR2
sys AR2
int g0/0/1
undo portswitch
ip add 202.100.2.10 24
int g0/0/0
undo portswitch
ip add 10.1.2.10 24
ip route-s 0.0.0.0 0 202.100.2.254
3. Hot standby (HRP) configuration
3.1 FW1
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.11
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 active
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 active
3.2 FW2
hrp enable
hrp interface GigabitEthernet0/0/3 remote 172.16.1.10
hrp track interface GigabitEthernet0/0/1
hrp track interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
vrrp vrid 1 virtual-ip 10.1.1.10 standby
interface GigabitEthernet0/0/2
vrrp vrid 2 virtual-ip 202.100.1.10 standby
4. Security policy configuration
Omitted
5. Configure IPSec
5.1 Configure the interesting traffic
#fw1
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#ar2
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
5.2 Configure the IKE proposal
#fw1
ike proposal 1
encryption-algorithm aes-256 aes-192 aes-128 3des des
dh group14 group5 group2
authentication-algorithm sha2-256 sha1 md5
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#ar2
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
5.3 Configure the IKE peer
#FW1
ike peer AR2
undo version 2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 202.100.2.10   # the virtual address is used as the peer address
#AR2
ike peer FW v1
pre-shared-key simple Huawei@123
ike-proposal 1
remote-address 202.100.1.10
5.4 Configure the IPSec proposal
#FW1
ipsec proposal FW
esp authentication-algorithm sha2-256 sha1 md5
esp encryption-algorithm aes-256 aes-192 aes-128 3des des
#AR2
ipsec proposal AR2
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
5.5 Configure the IPSec policy
#FW1
ipsec policy FW 10 isakmp
security acl 3000
ike-peer AR2
proposal FW
tunnel local 202.100.1.10   # the virtual address is used as the tunnel's local (initiating) address
sa trigger-mode auto
#AR2
ipsec policy AR2 10 isakmp
security acl 3000
ike-peer FW
proposal AR2
5.6 Bind the policy to the interface
#FW1
interface GigabitEthernet0/0/2
ipsec policy FW
#AR2
interface GigabitEthernet0/0/1
ipsec policy AR2
6. Verification
6.1 Check the IKE SAs
HRP_M[FW1]dis ike sa
2022-08-18 00:41:03.110 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10
101 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_S<FW2>dis ike sa
2022-08-18 00:41:52.780 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10
5 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10
Number of IKE SA : 2
<AR2>dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
130 202.100.1.10 0 RD 2
128 202.100.1.10 0 RD 1
6.2 Check the IPSec SAs
HRP_M[FW1]dis ipsec sa
2022-08-18 00:42:48.780 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 102
Encapsulation mode: Tunnel
Holding time : 0d 0h 32m 33s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1647
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 8/480
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1647
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 8/480
Anti-replay : Enable
Anti-replay window size: 1024
HRP_S<FW2>dis ipsec sa
2022-08-18 00:43:16.090 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 32m 56s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1624
Max sent sequence-number: 12288
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1624
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
<AR2>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "AR2"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 130
Encapsulation mode: Tunnel
Tunnel local : 202.100.2.10
Tunnel remote : 202.100.1.10
Flow source : 10.1.2.0/255.255.255.0 0/0
Flow destination : 10.1.1.0/255.255.255.0 0/0
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436320/1598
Outpacket count : 8
Outpacket encap count : 8
Outpacket drop count : 0
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436320/1598
Inpacket count : 8
Inpacket decap count : 8
Inpacket drop count : 0
Max received sequence-number: 9
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
6.3 Test connectivity
6.4 Check the session table
HRP_M[FW1]dis fire se ta
2022-08-18 00:44:54.350 +08:00
Current Total Sessions : 13
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
esp VPN: public --> public 202.100.2.10:0 --> 202.100.1.10:0
icmp VPN: public --> public 10.1.1.1:1 --> 10.1.2.1:2048
udp VPN: public --> public 172.16.1.11:16384 --> 172.16.1.10:18514
tcp VPN: default --> default 192.168.0.101:49334 --> 192.168.0.10:8443
HRP_S<FW2>dis fire se ta
2022-08-18 00:45:22.080 +08:00
Current Total Sessions : 11
udp VPN: public --> public 172.16.1.11:49152 --> 172.16.1.10:18514
udp VPN: public --> public 172.16.1.10:49152 --> 172.16.1.11:18514
tcp VPN: default --> default 192.168.0.101:49306 --> 192.168.0.11:8443
udp VPN: public --> public 172.16.1.10:16384 --> 172.16.1.11:18514
6.5 Simulate a failure on FW1
Shut down the g0/0/1 interface on FW1.
6.6 Test connectivity again
HRP_S[FW1]dis ike sa
2022-08-18 00:48:41.930 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
102 202.100.2.10:500 RD|ST|S v1:2 IP 202.100.2.10
101 202.100.2.10:500 RD|ST|S v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_M<FW2>dis ike sa
2022-08-18 00:49:08.130 +08:00
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
6 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10
5 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10
Number of IKE SA : 2
HRP_M<FW2>dis ipsec sa
2022-08-18 00:49:42.940 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Holding time : 0d 0h 39m 23s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1237
Max sent sequence-number: 12292
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 4/240
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1237
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
HRP_S[FW1]dis ipsec sa
2022-08-18 00:50:02.270 +08:00
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/2
===============================
-----------------------------
IPSec policy name: "FW"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 102
Encapsulation mode: Tunnel
Holding time : 0d 0h 39m 46s
Tunnel local : 202.100.1.10:500
Tunnel remote : 202.100.2.10:500
Flow source : 10.1.1.0/255.255.255.0 0/0-65535
Flow destination : 10.1.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1214
Max sent sequence-number: 24576
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 12/720
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA remaining key duration (kilobytes/sec): 1843200/1214
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 12/720
Anti-replay : Enable
Anti-replay window size: 1024
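The verification steps above (6.7 and 6.8 of the first lab, and 6.1, 6.2 and 6.6 of this one) are checked by eye: the same SPIs on both ends of a tunnel, identical SPIs on both HRP members, and the M/S flags swapping after the failover. The following Python script is an added example, not part of the original lab and not a Huawei tool, that performs those checks on saved `display ike sa` and `display ipsec sa` output. The sample outputs embedded in it are constructed to mirror the values shown in the lab; the IKE row layout it parses is the USG firewall layout shown above (the AR2 layout differs and is not parsed).

```python
"""Verify HRP/IPSec state from saved Huawei USG CLI output.

Added example: not part of the original lab and not a Huawei tool. It parses
the text of `display ike sa` (USG row layout) and `display ipsec sa` and
checks that an active/standby pair has synchronised SAs. All sample outputs
below are constructed to mirror the values in the lab.
"""
import re

# Constructed: USG `display ike sa` rows before the failover (FW1 active).
FW1_IKE_BEFORE = """\
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------
102 202.100.2.10:500 RD|ST|M v1:2 IP 202.100.2.10
101 202.100.2.10:500 RD|ST|M v1:1 IP 202.100.2.10
Number of IKE SA : 2
"""
FW2_IKE_BEFORE = FW1_IKE_BEFORE.replace("RD|ST|M", "RD|ST|S")
# After shutting down FW1's g0/0/1 the roles swap while the SAs stay the same.
FW1_IKE_AFTER, FW2_IKE_AFTER = FW2_IKE_BEFORE, FW1_IKE_BEFORE

# Constructed: the ESP SPI blocks of `display ipsec sa` on the FWs and on AR2.
FW_IPSEC = """\
[Outbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
[Inbound ESP SAs]
SPI: 185315463 (0xb0bb087)
"""
AR2_IPSEC = """\
[Outbound ESP SAs]
SPI: 185315463 (0xb0bb087)
[Inbound ESP SAs]
SPI: 3679150852 (0xdb4b6304)
"""

IKE_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+):500\s+([A-Z|]+)\s+v(\d):(\d)\s+\S+\s+(\S+)\s*$",
    re.M)
SPI_LINE = re.compile(r"SPI:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)")


def parse_ike_sa(text):
    """Return one dict per IKE SA row: conn_id, peer, flags (set), version, phase."""
    sas = []
    for conn_id, peer, flags, ver, phase, remote_id in IKE_ROW.findall(text):
        sas.append({"conn_id": int(conn_id), "peer": peer, "flags": set(flags.split("|")),
                    "version": int(ver), "phase": int(phase), "remote_id": remote_id})
    return sas


def parse_ipsec_sa(text):
    """Collect ESP SPIs per direction; a direction starts at its [... ESP SAs] header."""
    spis = {"outbound": [], "inbound": []}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if line == "[Outbound ESP SAs]":
            direction = "outbound"
        elif line == "[Inbound ESP SAs]":
            direction = "inbound"
        elif direction and (m := SPI_LINE.match(line)):
            spis[direction].append(int(m.group(1)))
    return spis


def hrp_role(ike_sas):
    """HRP role carried in the flags: 'M' active, 'S' standby, 'A' stand-alone.
    None means no role or mixed roles on one box, which is itself a finding."""
    roles = {f for sa in ike_sas for f in sa["flags"] if f in ("M", "S", "A")}
    return roles.pop() if len(roles) == 1 else None


def check_hrp_pair(a_ike, a_ipsec, b_ike, b_ipsec):
    """Findings for an HRP pair; an empty list means the pair looks healthy."""
    findings = []
    roles = (hrp_role(a_ike), hrp_role(b_ike))
    if roles not in (("M", "S"), ("S", "M")):
        findings.append(f"expected one active and one standby member, got {roles}")
    for sa in a_ike + b_ike:
        if "RD" not in sa["flags"]:
            findings.append(f"IKE SA {sa['conn_id']} is not READY: {sorted(sa['flags'])}")
    if len(a_ike) != len(b_ike):
        findings.append(f"IKE SA count differs: {len(a_ike)} vs {len(b_ike)}")
    for d in ("outbound", "inbound"):  # the standby must hold the same SPIs via HRP
        if sorted(a_ipsec[d]) != sorted(b_ipsec[d]):
            findings.append(f"{d} ESP SPIs not synchronised: {a_ipsec[d]} vs {b_ipsec[d]}")
    return findings


def check_peer_spis(local_ipsec, remote_ipsec):
    """Cross-check one tunnel: what one end sends on, the other end must receive on."""
    findings = []
    if sorted(local_ipsec["outbound"]) != sorted(remote_ipsec["inbound"]):
        findings.append("local outbound SPIs differ from remote inbound SPIs")
    if sorted(local_ipsec["inbound"]) != sorted(remote_ipsec["outbound"]):
        findings.append("local inbound SPIs differ from remote outbound SPIs")
    return findings


if __name__ == "__main__":
    fw_spis = parse_ipsec_sa(FW_IPSEC)
    for label, fw1, fw2 in (("before failover", FW1_IKE_BEFORE, FW2_IKE_BEFORE),
                            ("after failover", FW1_IKE_AFTER, FW2_IKE_AFTER)):
        ike1, ike2 = parse_ike_sa(fw1), parse_ike_sa(fw2)
        print(label, "roles FW1/FW2:", hrp_role(ike1), hrp_role(ike2),
              "findings:", check_hrp_pair(ike1, fw_spis, ike2, fw_spis) or "none")
    print("FW <-> AR2 SPI cross-check:",
          check_peer_spis(fw_spis, parse_ipsec_sa(AR2_IPSEC)) or "none")
```

Run against captures taken before and after a failover, the script confirms what the 6.6 output shows: the Connection IDs and SPIs are unchanged on both members and only the M/S flag moved, meaning HRP transferred the IPSec state instead of forcing an IKE renegotiation. A non-empty findings list (both members reporting M, SPIs that differ between members, or an SA without RD) is the condition worth alerting on.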