涛子 - 简单就是美

成单纯魁增,永继振国兴,克复宗清政,广开家必升
  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理
华为防火墙ipsec互联


1. 网络规划

设备名 端口 地址 用途 设备名 端口 地址 用途 设备名 端口 地址 用途
ar1 g0/0/0 11.0.0.1 互联网地址 A企业fw1 g1/0/6 11.0.0.2 互联网地址 B企业fw2 g1/0/6 12.0.0.2 互联网地址
g0/0/1 12.0.0.1 互联网地址 g1/0/0 172.16.1.1 内网地址 to lssw1 g1/0/0 172.16.2.1 内网地址 to to lssw2
pc1 e0/0/1 192.168.10.10 内网地址 lsw1 g0/0/1 172.16.1.2 内网地址 to fw1 lsw2 g0/0/1 172.16.2.2 内网地址 to fw2
pc2 e0/0/1 192.168.20.10 内网地址 g0/0/2 192.168.10.1 内网地址 to pc1 g0/0/2 192.168.20.1 内网地址 to pc2

2. fw1配置

!Software Version V500R005C10SPC300
!Last configuration was saved at 2025-07-14 03:46:09 UTC
#
sysname FW1
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 07:27
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
 undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 01:03
 update schedule av-sdb daily 01:03
 update schedule sa-sdb daily 01:03
 update schedule cnc daily 01:03
 update schedule file-reputation daily 01:03
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 
#
ipsec proposal prop27616493566
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike276164935668
 exchange-mode auto
 pre-shared-key %^%#sV44G2U9wR(BfR'Gs/>-"tim'^3j21r]8=Zj8DO<%^%#
 ike-proposal 1
 remote-id-type none
 local-id 11.0.0.2
 dpd type periodic
#
ipsec policy-template tpl276164935668 1
 security acl 3000
 ike-peer ike276164935668
 proposal prop27616493566
 tunnel local 11.0.0.2
 alias site1_to_all 
 sa duration traffic-based 10485760
 sa duration time-based 3600
 /* 反向路由注入 */
 route inject dynamic
#
ipsec policy ipsec2761649355 10000 isakmp template tpl276164935668
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher @%@%'!z@9:'&a;iH$<AbfR/7C~W]jR)[4g:[BMDHYTIRCB<Y~W`C@%@%
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher @%@%0+8q-V#5PCwv<P2Ld/n,QeaiA\m,;tT-+;sGbu"k<*HBealQ@%@%
  level 15 

 manager-user admin 
  password cipher @%@%e3};5MtzoRdxQ/AQK\CT`$-d|89"JbC)IB+~@O#L`i^'$-g`@%@%
  service-type web terminal ssh 
  level 15 
  authentication-scheme admin_local 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.110.201 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 11.0.0.2 255.255.255.0
 service-manage ping permit
 ipsec policy ipsec2761649355
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/6
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/6 11.0.0.1
ip route-static 192.168.10.0 255.255.255.0 GigabitEthernet1/0/0 172.16.1.2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type all
ssh user admin sftp-directory hda1:
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default policy logging
 default session logging
 default traffic logging enable
 default packet-filter intrazone enable
 rule name ipsec_site1_to_site2
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
 rule name ipsec_site2_to_site1
  policy logging
  session logging
  traffic logging enable
  source-zone untrust
  destination-zone trust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name ipsec_local_to_site2
  policy logging
  session logging
  traffic logging enable
  source-zone local
  destination-zone untrust
  source-address 11.0.0.2 mask 255.255.255.255
  destination-address 12.0.0.2 mask 255.255.255.255
  action permit
 rule name ipsec_site2_to_local
  policy logging
  session logging
  traffic logging enable
  source-zone untrust
  destination-zone local
  source-address 12.0.0.2 mask 255.255.255.255
  destination-address 11.0.0.2 mask 255.255.255.255
  action permit
 rule name internet_vlan10
  policy logging
  session logging
  traffic logging enable
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 /* ipsec子网访问不做nat转换 */
 rule name ipsec_site1_to_site2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  action no-nat
 rule name internet_vlan10
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

3. lssw1配置


#
sysname LSW1
#
vlan batch 10 254
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0 
#
interface Vlanif254
 ip address 172.16.1.2 255.255.255.0 
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 254
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
#
user-interface con 0
user-interface vty 0 4
#
return

4. 配置web
网络接口
静态路由
IPSEC
IPSEC
安全策略
NAT策略

posted on 2025-06-30 11:43  北京涛子  阅读(22)  评论(0)    收藏  举报