I. Lab objective and topology
Build a site-to-site IPsec VPN between two firewalls, and work out how virtual networks are deployed inside a virtual firewall (VPF, realized here as VPN instances, i.e. VRFs) and between VPFs. The topology is given by the addressing in the configuration below: FW1 has its outside interface 155.1.121.12/24 (GigabitEthernet1/0/0, VRF_OUT, next hop 155.1.121.1) and its inside interface 10.1.12.12/24 (GigabitEthernet1/0/1, VRF_IN); FW2 has 155.1.131.13/24 (next hop 155.1.131.1) and 10.1.13.13/24, both in a single VRF_A. The traffic to be protected is 10.1.0.0/16 on either side.
II. Basic configuration
(1) Configure the VPFs (VPN instances) on the firewalls
1. FW1 settings
ip vpn-instance VRF_IN
ipv4-family
#
ip vpn-instance VRF_OUT
ipv4-family
#
Bind the two interfaces to their VRFs and place them in the security zones: the outside interface (155.1.121.12, VRF_OUT) in untrust and the inside interface (10.1.12.12, VRF_IN) in trust, which is what the security policies in part III assume. Only the VRF binding and addressing appear in this listing; the zone membership commands are omitted but required.
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance VRF_OUT
ip address 155.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance VRF_IN
ip address 10.1.12.12 255.255.255.0
#
Configure a default static route in VRF_OUT
[FW1]ip route-static vpn-instance VRF_OUT 0.0.0.0 0 155.1.121.1
Verify reachability from within VRF_OUT
[FW1]ping -vpn-instance VRF_OUT 150.1.1.1
PING 150.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 150.1.1.1: bytes=56 Sequence=1 ttl=255 time=33 ms
2. FW2 settings
#
ip vpn-instance VRF_A
ipv4-family
#
Bind both interfaces to the single VRF VRF_A (outside 155.1.131.13 in untrust, inside 10.1.13.13 in trust; as on FW1, the zone membership commands are not shown in this listing).
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance VRF_A
ip address 155.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance VRF_A
ip address 10.1.13.13 255.255.255.0
#
Configure a default static route in VRF_A
ip route-static vpn-instance VRF_A 0.0.0.0 0.0.0.0 155.1.131.1
III. Detailed configuration
(1) Configure the IPsec VPN
1. FW1 configuration
Two things to keep in mind when reading the listing. First, ike proposal 10 and the IPsec proposal LAN_SET use 3DES and SHA-1; both are deprecated and outside a lab should be replaced with AES-256 and SHA2-256 (the ike proposal default shown, which the peer does not reference, already uses the stronger set). Second, every parameter of the IKE proposal (encryption, DH group, authentication algorithm) must be identical on both peers or phase 1 negotiation fails, and the policy only takes effect once it is applied to the outside interface (ipsec policy LAN_MAP under GigabitEthernet1/0/0), which this listing omits.
#
acl number 3000 vpn-instance VRF_OUT
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10
encryption-algorithm 3des
dh group14
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW2
pre-shared-key HUAWEI
ike-proposal 10
sa binding vpn-instance VRF_OUT //VPN instance the IPsec tunnel traffic belongs to
remote-address 155.1.131.13
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW2
proposal LAN_SET
sa trigger-mode auto
sa binding vpn-instance VRF_OUT //VPN instance the IPsec tunnel is bound to; must be a VRF defined on FW1 (VRF_A exists only on FW2)
#
2. FW2 configuration
#
acl number 3000 vpn-instance VRF_A
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10
encryption-algorithm 3des
dh group14 //must match FW1's ike proposal 10
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW1
pre-shared-key HUAWEI
ike-proposal 10
sa binding vpn-instance VRF_A //VPN instance the IPsec tunnel traffic belongs to
remote-address 155.1.121.12
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW1
proposal LAN_SET
sa trigger-mode auto
sa binding vpn-instance VRF_A //VPN instance the IPsec tunnel is bound to
#
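Before committing the two halves of the configuration it pays to cross-check them mechanically: IKE fails quietly on a proposal mismatch, and a sa binding vpn-instance that names a VRF defined only on the other firewall is either rejected or leaves the SA without a routing context. The Python below is an added example, not part of the lab write-up and not a Huawei tool. It parses Huawei-style configuration text, resolves each ike peer to its ike proposal, compares the negotiated parameters, checks that each remote-address is an address the other side actually has, checks that every VRF named in sa binding vpn-instance exists on that firewall, and flags deprecated algorithms. The two embedded configs are constructed, trimmed copies of the FW1/FW2 listings above that keep their original defects (dh group14 versus group2, and VRF_A bound on FW1); the WEAK set is an example policy of my own, not something the lab specifies.

```python
"""Cross-check two IPsec peers' Huawei-style configs before deployment."""
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # example policy, not from the lab

def parse_blocks(cfg):
    """Split config text into {top-level command: [child lines]}; children are
    indented one space, '#' separates blocks, '//' starts a comment."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("//")[0].rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def field(lines, key):
    """Remainder of the first child line starting with `key`, else None."""
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def ike_params(blocks, peer):
    """Resolve 'ike peer NAME' -> its ike-proposal -> negotiated parameters."""
    p = blocks[f"ike peer {peer}"]
    prop = blocks[f"ike proposal {field(p, 'ike-proposal')}"]
    return {"remote": field(p, "remote-address"), "dh": field(prop, "dh"),
            "enc": field(prop, "encryption-algorithm"),
            "auth": field(prop, "authentication-algorithm"),
            "integ": field(prop, "integrity-algorithm"), "prf": field(prop, "prf")}

def interface_ips(blocks):  # addresses configured on any interface
    return {field(l, "ip address").split()[0] for n, l in blocks.items()
            if n.startswith("interface ") and field(l, "ip address")}

def vrfs(blocks):  # VRFs defined on this firewall
    return {n.split()[-1] for n in blocks if n.startswith("ip vpn-instance ")}

def sa_bindings(blocks):  # every VRF named by 'sa binding vpn-instance'
    return [field(l, "sa binding vpn-instance") for n, l in blocks.items()
            if n.startswith(("ike peer ", "ipsec policy ")) and field(l, "sa binding vpn-instance")]

def weak_algorithms(blocks):  # weak tokens in any ike/ipsec proposal
    return {tok for n, l in blocks.items() if n.startswith(("ike proposal ", "ipsec proposal "))
            for line in l for tok in line.split() if tok in WEAK}

def check_pair(cfg_a, peer_a, cfg_b, peer_b):
    """Return findings as strings; an empty list means the pair is consistent."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    pa, pb = ike_params(a, peer_a), ike_params(b, peer_b)
    # 1. IKE proposal parameters must be identical on both ends.
    findings = [f"ike {k} mismatch: {pa[k]} vs {pb[k]}"
                for k in ("enc", "dh", "auth", "integ", "prf") if pa[k] != pb[k]]
    for side, me, other, params in (("A", a, b, pa), ("B", b, a, pb)):
        # 2. remote-address must be an address the other firewall actually has.
        if params["remote"] not in interface_ips(other):
            findings.append(f"{side}: remote-address {params['remote']} not on the peer")
        # 3. The VRF the SA is bound to must exist on *this* firewall.
        findings += [f"{side}: sa binding vpn-instance {v} is not defined"
                     for v in sa_bindings(me) if v not in vrfs(me)]
        # 4. Deprecated algorithms in either proposal.
        findings += [f"{side}: weak algorithm {w}" for w in sorted(weak_algorithms(me))]
    return findings

# Constructed samples: trimmed from the lab's FW1/FW2 listings, original defects kept.
FW1 = """\
ip vpn-instance VRF_OUT
interface GigabitEthernet1/0/0
 ip binding vpn-instance VRF_OUT
 ip address 155.1.121.12 255.255.255.0
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
ike peer FW2
 ike-proposal 10
 remote-address 155.1.131.13 //FW2's outside address
ipsec policy LAN_MAP 10 isakmp
 ike-peer FW2
 sa binding vpn-instance VRF_A
"""
FW2 = """\
ip vpn-instance VRF_A
interface GigabitEthernet1/0/0
 ip binding vpn-instance VRF_A
 ip address 155.1.131.13 255.255.255.0
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
ike peer FW1
 ike-proposal 10
 remote-address 155.1.121.12
"""
if __name__ == "__main__":
    print("\n".join(check_pair(FW1, "FW2", FW2, "FW1")) or "consistent")
```

Run against the samples it reports the DH mismatch, the undefined VRF_A on side A and the 3DES/SHA-1/group2 usage; after substituting VRF_OUT for VRF_A on FW1 and group14 on FW2 only the weak-algorithm findings remain, which is what the corrected listings above aim for.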
(2) Configure security policies
OUT_TO_LOCAL admits only what IKE/IPsec needs from untrust to the firewall itself: ESP (IP protocol 50) and ISAKMP (UDP 500); add UDP 4500 if NAT traversal is in the path. OUT_TO_IN and IN_TO_OUT pass the protected 10.1.0.0/16 traffic between the zones (the outbound rule is left unrestricted here). LOCAL_TO_ANY permits everything the firewall originates, which is acceptable in the lab but should be narrowed in production.
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
action permit
#
(3) Route leaking between the VRFs of multiple virtual firewalls
Routes are leaked between the two VRFs with VPN targets: VRF_IN exports RT 12:10 and imports 12:155, VRF_OUT does the reverse, so each VRF receives the other's BGP routes. The effect is that the inside prefix 10.1.12.0/24 becomes reachable in VRF_OUT, where the IPsec policy and ACL 3000 live, and VRF_OUT's default route becomes reachable in VRF_IN. Note that this deliberately weakens the isolation between the two VRFs: anything in VRF_IN now has a path out through VRF_OUT's default route, and only the security policies in (2) control what actually passes.
#
ip vpn-instance VRF_IN
ipv4-family
route-distinguisher 12:10
vpn-target 12:10 export-extcommunity
vpn-target 12:155 import-extcommunity
#
ip vpn-instance VRF_OUT
ipv4-family
route-distinguisher 12:155
vpn-target 12:155 export-extcommunity
vpn-target 12:10 import-extcommunity
#
#
bgp 65000
router-id 10.1.12.12
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance VRF_IN
network 10.1.12.0 255.255.255.0
#
ipv4-family vpn-instance VRF_OUT
default-route imported
import-route static
#
Verify the routing tables. In the VRF_IN BGP table below, VRF_OUT's connected 155.1.121.0/24 has been leaked in but the default route has not; a direct route can only arrive this way through import-route direct under VRF_OUT, which the listing above does not include, so check the running configuration if VRF_IN is also expected to receive the default route.
[FW1]display bgp vpnv4 vpn-instance VRF_IN routing-table
BGP Local router ID is 10.1.12.12
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
VPN-Instance VRF_IN, Router ID 10.1.12.12:
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.12.0/24 0.0.0.0 0 0 i
*> 155.1.121.0/24 155.1.121.12 0 0 i
[FW1]display ip routing-table vpn-instance VRF_OUT
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_OUT
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 155.1.121.1 GigabitEthernet1/0/0
10.1.12.0/24 BGP 255 0 D 10.1.12.12 GigabitEthernet1/0/1
155.1.121.0/24 Direct 0 0 D 155.1.121.12 GigabitEthernet1/0/0
155.1.121.12/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
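The leaking rule is simple enough to reproduce offline: a VRF receives a route from another VRF when one of its import RTs equals one of that VRF's export RTs. The Python below is an added example (not from the lab and not a Huawei tool) that parses the ip vpn-instance block from (3), computes the resulting per-VRF tables from the routes each VRF originates, and does a longest-prefix lookup so you can see which VRF a given destination would be forwarded through. The ORIGINATED table is constructed from the bgp 65000 section above; that 155.1.121.0/24 shows up in the VRF_IN output implies an import-route direct under VRF_OUT that the listing does not show, which the code marks as an assumption. The stand-alone run also shows the security consequence: with the 12:10 import removed from VRF_OUT, 10.1.12.0/24 is no longer visible there, so that single vpn-target line is what decides whether the inside prefix is reachable in the VRF that carries the tunnel.

```python
"""Predict inter-VRF route leaking from vpn-target import/export settings."""
import re
import ipaddress

# Constructed from the FW1 'ip vpn-instance' listing in this lab (part III.3).
VPN_INSTANCES = """\
ip vpn-instance VRF_IN
 ipv4-family
  route-distinguisher 12:10
  vpn-target 12:10 export-extcommunity
  vpn-target 12:155 import-extcommunity
#
ip vpn-instance VRF_OUT
 ipv4-family
  route-distinguisher 12:155
  vpn-target 12:155 export-extcommunity
  vpn-target 12:10 import-extcommunity
#
"""

# Routes each VRF puts into BGP, following the lab's 'bgp 65000' section:
# VRF_IN advertises 10.1.12.0/24 (network), VRF_OUT imports its static default.
# 155.1.121.0/24 appears in the lab's VRF_IN output too, which implies an
# 'import-route direct' under VRF_OUT that the listing does not show (assumption).
ORIGINATED = {"VRF_IN": ["10.1.12.0/24"], "VRF_OUT": ["0.0.0.0/0", "155.1.121.0/24"]}


def parse_targets(cfg):
    """Return {vrf: {"export": {RT...}, "import": {RT...}}} from config text."""
    targets, vrf = {}, None
    for line in cfg.splitlines():
        m = re.match(r"ip vpn-instance (\S+)", line)
        if m:
            vrf = m.group(1)
            targets[vrf] = {"export": set(), "import": set()}
            continue
        m = re.match(r"\s*vpn-target (\S+) (export|import)-extcommunity", line)
        if m and vrf:
            targets[vrf][m.group(2)].add(m.group(1))
    return targets


def leaked_tables(targets, originated):
    """Per-VRF routing view: own routes plus every route from any VRF whose
    export RT matches one of this VRF's import RTs (the VPNv4 import rule)."""
    tables = {}
    for vrf, t in targets.items():
        routes = {p: vrf for p in originated.get(vrf, [])}  # prefix -> source VRF
        for src, st in targets.items():
            if src != vrf and t["import"] & st["export"]:
                for p in originated.get(src, []):
                    routes.setdefault(p, src)  # local routes win over leaked ones
        tables[vrf] = routes
    return tables


def lookup(table, dst):
    """Longest-prefix match of dst in a leaked table -> (prefix, source VRF)."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if addr in ipaddress.ip_network(p)]
    if not matches:
        return None, None
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, table[best]


if __name__ == "__main__":
    tables = leaked_tables(parse_targets(VPN_INSTANCES), ORIGINATED)
    for vrf, routes in tables.items():
        print(vrf, sorted(routes.items()))
    print("10.1.12.100 from VRF_OUT:", lookup(tables["VRF_OUT"], "10.1.12.100"))
    # Without the 12:10 import on VRF_OUT, the inside prefix is not visible there.
    isolated = leaked_tables(parse_targets(
        VPN_INSTANCES.replace("vpn-target 12:10 import-extcommunity", "")), ORIGINATED)
    print("VRF_OUT sees 10.1.12.0/24:", "10.1.12.0/24" in isolated["VRF_OUT"])
```

The computed VRF_OUT table reproduces the display ip routing-table output above (10.1.12.0/24 learned from VRF_IN alongside the local default and connected routes), and the VRF_IN table shows the default route that the lab's BGP display does not list, which is the gap flagged in the verification text.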
IV. Result verification
Owing to the limitations of the firewall simulator, the end-to-end test can only be completed on physical devices.