Deploying a Virtual Network Based on VPF

I. Lab Objective and Topology

Build a site-to-site VPN between two firewalls, and work out how virtual networks are deployed inside a virtual firewall (VPF, realised here as VRF instances) and between VPFs. In the configuration that follows, FW1 sits at 155.1.121.12 (untrust) and 10.1.12.12 (trust), FW2 at 155.1.131.13 (untrust) and 10.1.13.13 (trust), and the tunnel protects traffic between the two 10.1.0.0/16 sites.

II. Basic Configuration

(1) Configuring VPF on the Firewalls

1. FW1 settings

ip vpn-instance VRF_IN
 ipv4-family
#
ip vpn-instance VRF_OUT
 ipv4-family
#

Put the two interfaces in the trust and untrust zones respectively, and bind each to its VRF. The zone membership itself is not part of this listing; what is shown is the vpn-instance binding, which goes before the IP address because binding an interface to a vpn-instance clears any address already configured on it.
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance VRF_OUT
 ip address 155.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance VRF_IN
 ip address 10.1.12.12 255.255.255.0
#

Configure a static default route inside VRF_OUT:

[FW1]ip route-static vpn-instance VRF_OUT 0.0.0.0 0 155.1.121.1

Verify (150.1.1.1 is a test address reached through that default route):

[FW1]ping -vpn-instance VRF_OUT 150.1.1.1
  PING 150.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 150.1.1.1: bytes=56 Sequence=1 ttl=255 time=33 ms

2. FW2 settings

#
ip vpn-instance VRF_A
 ipv4-family
#

As on FW1, put the two interfaces in the trust and untrust zones; on FW2 both are bound to the single VRF VRF_A.

#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance VRF_A
 ip address 155.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance VRF_A
 ip address 10.1.13.13 255.255.255.0
#

Configure a static default route inside VRF_A:

ip route-static vpn-instance VRF_A 0.0.0.0 0.0.0.0 155.1.131.1

III. Detailed Configuration

(1) Configuring the IPsec VPN

1. FW1 configuration

#
acl number 3000 vpn-instance VRF_OUT
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW2
 pre-shared-key HUAWEI
 ike-proposal 10
 sa binding vpn-instance VRF_OUT  //vpn-instance that the IPsec tunnel traffic belongs to
 remote-address 155.1.131.13
#
ipsec policy LAN_MAP 10 isakmp
 security acl 3000
 ike-peer FW2
 proposal LAN_SET
 sa trigger-mode auto
 sa binding vpn-instance VRF_OUT  //vpn-instance the IPsec tunnel is bound to; it must exist on this firewall (FW1 only has VRF_IN and VRF_OUT)
#

Two things the listing does not show. First, the policy still has to be applied to the untrust interface (ipsec policy LAN_MAP in the view of GigabitEthernet1/0/0) before any SA can be negotiated. Second, 3DES and SHA-1 in LAN_SET and in proposal 10 are legacy algorithms; the device's own default proposal above (AES-128/192/256, DH group 14, SHA-2) is the stronger baseline and is what a production deployment should use. Whatever proposal 10 contains, FW2's proposal 10 must carry the same encryption algorithm, DH group and authentication algorithm, or IKE phase 1 never completes.

2. FW2 configuration

#
acl number 3000 vpn-instance VRF_A
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer FW1
 pre-shared-key HUAWEI
 ike-proposal 10
 sa binding vpn-instance VRF_A  //vpn-instance that the IPsec tunnel traffic belongs to
 remote-address 155.1.121.12
#
ipsec policy LAN_MAP 10 isakmp
 security acl 3000
 ike-peer FW1
 proposal LAN_SET
 sa trigger-mode auto
 sa binding vpn-instance VRF_A  //vpn-instance the IPsec tunnel is bound to
#
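The two peer listings are the classic place for copy-paste mistakes, so here is an added Python check (not part of the lab and not Huawei tooling) that parses both sides and reports what a reviewer wants to know before bringing the tunnel up: IKE and IPsec proposal attributes that differ between the peers, legacy algorithms, and an sa binding that names a vpn-instance the firewall does not define. FW1_CONF and FW2_CONF are constructed for the demo, modelled on the listings above and deliberately seeded with a DH group mismatch and a binding to VRF_A on FW1; the WEAK set and the KEY_WORDS table are assumptions of this example.

```python
"""Cross-check the two ends of a Huawei VRP IPsec peering before bringing it up.
Added example, not part of the lab's configuration: the listings are constructed
to resemble the FW1/FW2 blocks above and carry two copy-paste mistakes on purpose
(DH group differs between the peers; FW1 binds VRF_A, which only exists on FW2)."""
FW1_CONF = """\
ip vpn-instance VRF_IN
#
ip vpn-instance VRF_OUT
#
ipsec proposal LAN_SET
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 10
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha1
#
ike peer FW2
 ike-proposal 10
 sa binding vpn-instance VRF_OUT
 remote-address 155.1.131.13
#
ipsec policy LAN_MAP 10 isakmp
 ike-peer FW2
 proposal LAN_SET
 sa binding vpn-instance VRF_A
#
"""
# FW2 is the same template with a single VRF and the peer names reversed, plus
# the error under test: dh group2 where FW1 has group14.
FW2_CONF = (FW1_CONF.replace("ip vpn-instance VRF_IN\n#\n", "")
            .replace("VRF_OUT", "VRF_A").replace("FW2", "FW1")
            .replace("155.1.131.13", "155.1.121.12").replace("dh group14", "dh group2"))
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # legacy choices (assumed list)
KEY_WORDS = {"sa": 3, "esp": 2, "ah": 2}  # keywords whose config key spans several words


def parse_blocks(conf):
    """Split a VRP listing into {header line: [indented lines]}; '#' closes a block."""
    blocks, header = {}, None
    for raw in conf.splitlines():
        if raw.strip() in ("", "#"):
            header = None
        elif not raw.startswith(" "):
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header:
            blocks[header].append(raw.strip())
    return blocks


def attrs(lines):
    """'dh group14' -> {'dh': ('group14',)}; 'esp encryption-algorithm 3des' -> {'esp encryption-algorithm': ('3des',)}."""
    out = {}
    for line in lines:
        t = line.split()
        n = KEY_WORDS.get(t[0], 1)
        out[" ".join(t[:n])] = tuple(t[n:])
    return out


def side(conf):
    """Resolve the proposals the (first) ike peer and ipsec policy reference, plus their VRF bindings."""
    blocks = parse_blocks(conf)
    peer = attrs(next((l for h, l in blocks.items() if h.startswith("ike peer ")), []))
    policy = attrs(next((l for h, l in blocks.items() if h.startswith("ipsec policy ")), []))
    return {
        "vrfs": {h.split()[-1] for h in blocks if h.startswith("ip vpn-instance ")},
        "ike": attrs(blocks.get("ike proposal " + " ".join(peer.get("ike-proposal", ())), [])),
        "ipsec": attrs(blocks.get("ipsec proposal " + " ".join(policy.get("proposal", ())), [])),
        "bindings": {"ike peer": peer.get("sa binding vpn-instance"),
                     "ipsec policy": policy.get("sa binding vpn-instance")},
    }


def check_peering(conf_a, conf_b, names=("FW1", "FW2")):
    """Return human-readable findings; an empty list means the two ends agree."""
    sides, findings = [side(conf_a), side(conf_b)], []
    for section in ("ike", "ipsec"):
        a, b = sides[0][section], sides[1][section]
        for key in sorted(set(a) | set(b)):  # every attribute either side sets
            if a.get(key) != b.get(key):
                va, vb = " ".join(a.get(key, ("<unset>",))), " ".join(b.get(key, ("<unset>",)))
                findings.append(f"{section} proposal mismatch on '{key}': {names[0]}={va} {names[1]}={vb}")
        for name, s in zip(names, sides):
            for key, val in s[section].items():
                if WEAK & set(val):
                    findings.append(f"{name}: {section} proposal uses legacy algorithm {val[0]} ({key})")
    for name, s in zip(names, sides):
        for where, vrf in s["bindings"].items():
            if vrf and vrf[0] not in s["vrfs"]:
                findings.append(f"{name}: {where} binds vpn-instance {vrf[0]}, not defined on {name}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_peering(FW1_CONF, FW2_CONF)) or "no findings")
```

Run against the seeded pair it reports the dh mismatch (group14 versus group2), the binding to VRF_A on FW1, and every 3DES/SHA-1 choice on both sides; once the two typos are corrected only the legacy-algorithm findings remain. The parser takes the first ike peer and ipsec policy it sees on each side, which is enough for a two-site lab; a device with several tunnels needs the peer and policy selected by name.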

(2) Configuring Security Policies

The rule set below is needed on both firewalls. IKE (UDP 500) and ESP (IP protocol 50) from the untrust zone must be allowed into the local zone or the tunnel never comes up, and the decrypted traffic between the two 10.1.0.0/16 sites crosses from untrust to trust. If a NAT device ever sits between the peers, IKE switches to NAT traversal on UDP 4500, which OUT_TO_LOCAL as written does not permit.

#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name OUT_TO_LOCAL
  source-zone untrust
  destination-zone local
  service protocol 50
  service protocol udp destination-port 500
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  action permit
#
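As an added example (not part of the article and not Huawei code), the following Python models the four rules above and replays constructed flows through them the way the USG does: top to bottom, first match wins, and anything unmatched hits the implicit deny. Zones are supplied per flow instead of being derived from the ingress interface, and the flow addresses (including 203.0.113.9, a documentation address standing in for an Internet scanner) are made up for the demo.

```python
"""Replay constructed flows through the article's four security-policy rules.
Added example, not Huawei code: the USG walks the rule list top to bottom, the
first match decides, and anything unmatched hits the implicit deny. Zones are
given per flow here instead of being derived from the ingress interface."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(name, src_zone, dst_zone=None, src=ANY, dst=ANY, services=None, action="permit"):
    """One rule; services is a list of (ip protocol, dst port), None meaning any."""
    return {"name": name, "src_zone": src_zone, "dst_zone": dst_zone, "src": src,
            "dst": dst, "services": services or [(None, None)], "action": action}


# The article's rule set in device order.
POLICY = [
    rule("LOCAL_TO_ANY", "local"),
    rule("OUT_TO_LOCAL", "untrust", "local", services=[(50, None), (17, 500)]),  # ESP, IKE
    rule("OUT_TO_IN", "untrust", "trust",
         src=ipaddress.ip_network("10.1.0.0/16"), dst=ipaddress.ip_network("10.1.0.0/16")),
    rule("IN_TO_OUT", "trust", "untrust"),
]


def matches(r, flow):
    """flow = (src_zone, dst_zone, src_ip, dst_ip, ip_protocol, dst_port)."""
    src_zone, dst_zone, src_ip, dst_ip, proto, dport = flow
    if r["src_zone"] not in (None, src_zone) or r["dst_zone"] not in (None, dst_zone):
        return False
    if ipaddress.ip_address(src_ip) not in r["src"] or ipaddress.ip_address(dst_ip) not in r["dst"]:
        return False
    return any((p is None or p == proto) and (d is None or d == dport) for p, d in r["services"])


def evaluate(policy, flow):
    """(action, rule name) of the first matching rule, else the implicit deny."""
    for r in policy:
        if matches(r, flow):
            return r["action"], r["name"]
    return "deny", "default"


# Constructed flows as FW1 (155.1.121.12) would see them; 203.0.113.9 is a
# documentation address standing in for an Internet scanner.
FLOWS = {
    "IKE from FW2":            ("untrust", "local", "155.1.131.13", "155.1.121.12", 17, 500),
    "ESP from FW2":            ("untrust", "local", "155.1.131.13", "155.1.121.12", 50, None),
    "IKE NAT-T from FW2":      ("untrust", "local", "155.1.131.13", "155.1.121.12", 17, 4500),
    "SSH probe from Internet": ("untrust", "local", "203.0.113.9", "155.1.121.12", 6, 22),
    "decrypted site B to A":   ("untrust", "trust", "10.1.13.100", "10.1.12.100", 6, 445),
    "spoofed source to A":     ("untrust", "trust", "192.168.1.5", "10.1.12.100", 6, 445),
    "site A to B":             ("trust", "untrust", "10.1.12.100", "10.1.13.100", 6, 445),
}


def audit(policy=POLICY, flows=FLOWS):
    """Map each named flow to the (action, rule) that decides it."""
    return {name: evaluate(policy, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, by) in audit().items():
        print(f"{name:26} {action:6} ({by})")
```

The replay shows the two properties worth checking on a real box: only IKE and ESP from the peer reach the firewall itself (the SSH probe and a NAT-T attempt on UDP 4500 both fall through to the default deny), and OUT_TO_IN admits decrypted traffic only when both ends are inside 10.1.0.0/16, so a packet with a source outside that range is dropped even though it arrives from the untrust zone.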

(3) Route Leaking Between Multiple Virtual Firewall VRFs

On FW1, VRF_IN and VRF_OUT are separate routing tables: the trust side has no route towards the Internet and the untrust side has no route back to 10.1.12.0/24. The fix is vpn-target (route-target) leaking through BGP on the same device. Each VRF gets its own route distinguisher, exports its routes under its own vpn-target and imports the other VRF's vpn-target; VRF_IN originates 10.1.12.0/24, and VRF_OUT hands over its static default route.

#
ip vpn-instance VRF_IN
 ipv4-family
  route-distinguisher 12:10
  vpn-target 12:10 export-extcommunity
  vpn-target 12:155 import-extcommunity
#
ip vpn-instance VRF_OUT
 ipv4-family
  route-distinguisher 12:155
  vpn-target 12:155 export-extcommunity
  vpn-target 12:10 import-extcommunity
#

#
bgp 65000
 router-id 10.1.12.12
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv4-family vpn-instance VRF_IN
  network 10.1.12.0 255.255.255.0
 #
 ipv4-family vpn-instance VRF_OUT
  default-route imported
  import-route static
#

Verify the routing tables. VRF_OUT now carries 10.1.12.0/24 learned from BGP next to its own default route; check VRF_IN the same way (display ip routing-table vpn-instance VRF_IN) to confirm that the leaked default route has landed there as well.

[FW1]display bgp vpnv4 vpn-instance VRF_IN routing-table
 BGP Local router ID is 10.1.12.12 
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 VPN-Instance VRF_IN, Router ID 10.1.12.12:

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   10.1.12.0/24       0.0.0.0         0                     0      i
 *>   155.1.121.0/24     155.1.121.12    0                     0      i

[FW1]dis ip routing-table vpn-instance VRF_OUT
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_OUT
         Destinations : 4        Routes : 4        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   155.1.121.1     GigabitEthernet1/0/0
      10.1.12.0/24  BGP     255  0           D   10.1.12.12      GigabitEthernet1/0/1
    155.1.121.0/24  Direct  0    0           D   155.1.121.12    GigabitEthernet1/0/0
   155.1.121.12/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
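To make the vpn-target mechanism concrete, here is an added Python model (not device output and not Huawei code) of the two VRFs with the RD, vpn-target and BGP injection settings from the listing above. It goes one step beyond the article by adding a constructed third VRF, VRF_GUEST, whose vpn-targets match neither of the others, to show that leaking is opt-in per VRF; VRF_GUEST, its prefix 192.168.50.0/24 and its vpn-target 12:200 are assumptions of this example.

```python
"""Model vpn-target (route-target) leaking between VRFs on a single firewall.
Added example, not device output: VRF_IN/VRF_OUT carry the RD, vpn-target and BGP
injection settings from the listing; VRF_GUEST is a constructed third VRF whose
vpn-targets match nobody, to show that leaking is opt-in per VRF."""
import ipaddress

VRFS = {
    "VRF_IN": {
        "rd": "12:10", "export_rt": {"12:10"}, "import_rt": {"12:155"},
        "local": {"10.1.12.0/24": "Direct"},
        "network": {"10.1.12.0/24"},            # network 10.1.12.0 255.255.255.0
        "import_protocols": set(), "default_route_imported": False,
    },
    "VRF_OUT": {
        "rd": "12:155", "export_rt": {"12:155"}, "import_rt": {"12:10"},
        "local": {"0.0.0.0/0": "Static", "155.1.121.0/24": "Direct"},
        "network": set(),
        "import_protocols": {"Static"},         # import-route static
        "default_route_imported": True,         # default-route imported
    },
    "VRF_GUEST": {                              # constructed for this example
        "rd": "12:200", "export_rt": {"12:200"}, "import_rt": {"12:200"},
        "local": {"192.168.50.0/24": "Direct"},
        "network": {"192.168.50.0/24"},
        "import_protocols": set(), "default_route_imported": False,
    },
}


def bgp_injected(vrf):
    """Prefixes a VRF's BGP address family originates: 'network' statements plus
    redistributed protocols; 0.0.0.0/0 is redistributed only with default-route imported."""
    out = set(vrf["network"])
    for prefix, proto in vrf["local"].items():
        if proto in vrf["import_protocols"] and (prefix != "0.0.0.0/0" or vrf["default_route_imported"]):
            out.add(prefix)
    return out


def vpnv4_table(vrfs):
    """VPNv4 entries (RD, prefix, export RTs, origin VRF). The RD keeps same-prefix
    routes from different VRFs distinct; the RTs decide who may import them."""
    return [(v["rd"], p, frozenset(v["export_rt"]), name)
            for name, v in vrfs.items() for p in bgp_injected(v)]


def leaked_routes(vrfs):
    """For each VRF, prefixes learned from other VRFs: import when at least one
    export RT on the route is in this VRF's import list (RT overlap, not RD equality)."""
    table = vpnv4_table(vrfs)
    return {name: {p: origin for _rd, p, rts, origin in table
                   if origin != name and rts & v["import_rt"]}
            for name, v in vrfs.items()}


def lookup(vrfs, name, dst):
    """Longest-prefix match over a VRF's own routes plus what it imported;
    returns (prefix, source VRF or 'local') or None when the VRF has no route."""
    routes = {p: "local" for p in vrfs[name]["local"]}
    routes.update(leaked_routes(vrfs)[name])
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, p, src)
            for p, src in routes.items() if addr in ipaddress.ip_network(p)]
    return max(hits)[1:] if hits else None


if __name__ == "__main__":
    for vrf, leaked in leaked_routes(VRFS).items():
        print(f"{vrf}: imports {leaked or 'nothing'}")
    print("VRF_IN -> 8.8.8.8     :", lookup(VRFS, "VRF_IN", "8.8.8.8"))
    print("VRF_GUEST -> 10.1.12.5:", lookup(VRFS, "VRF_GUEST", "10.1.12.5"))
```

With the listing's settings the model reproduces the table shown above: VRF_OUT imports 10.1.12.0/24 from VRF_IN, VRF_IN imports the default route from VRF_OUT, and 155.1.121.0/24 stays local to VRF_OUT because nothing redistributes Direct routes into BGP. VRF_GUEST exports its prefix but nobody carries the matching vpn-target, so it neither learns the default route nor exposes itself to the other two VRFs, which is the isolation property that makes selective leaking safer than merging the tables.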

IV. Result Verification

Because of limitations of the firewall emulator, this verification can only be completed on physical hardware.
