當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

华为USG Firewall Ipsec L2L

發(fā)布時(shí)間：2025/6/16 编程问答 65 豆豆

生活随笔收集整理的這篇文章主要介紹了华为USG Firewall Ipsec L2L 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

*需要解決的問題
1、Untrust local inbound /esp ike （做策略放行IKE/ESP流量）
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp

2、trust untrust inbound /source ip.destination ip (放行IP回傳的流量)
policy interzone trust untrust inbound
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
?
3、trust untrust outbound/source ip.destination ip (放行IP的出去流量)
policy interzone trust untrust outbound
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
?
4、放行端口UDP 500
ip service-set ike type object
service 0 protocol udp destination-port 500

?
<Site_1>dis current-configuration
[V200R003C00]
#
sysname Site_1
#
interface GigabitEthernet0/0/0
ip address 192.168.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254
#
return
<Site_1>
?
?
<Firewall_1>dis current-configuration
09:01:29 2015/08/31
#
acl number 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ike peer fw2
pre-shared-key %$%$a)%OV{\VtHc7c+S#@4|<Fi`W%$%$
remote-address 100.100.200.100
#
ipsec proposal huawei
#
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw2
proposal huawei
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 100.100.100.100 255.255.255.0
ipsec policy lab

interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
#
firewall zone local
set priority 100

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.100.100.200
#
ip service-set ike type object
service 0 protocol udp destination-port 500 ---------解決端口號(hào)UDP500
#
sysname Firewall_1

policy interzone local untrust inbound ----------放行IKE ESP流量
policy 0
action permit
policy service service-set ike
policy service service-set esp
#
policy interzone trust untrust inbound ----------允許tr--un 流量進(jìn)來
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
#
policy interzone trust untrust outbound ----------允許tr--un 流量出去
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
#
return
<Firewall_1>
?
?
<Intenet>dis current-configuration
[V200R003C00]
#
sysname Intenet
#
interface GigabitEthernet0/0/0
ip address 100.100.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.100.200.200 255.255.255.0
#
return
<Intenet>
?
?
<Firewall_2>dis current-configuration
09:05:02 2015/08/31
#
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ike peer fw1
pre-shared-key %$%$>iw;;,1n$Xn:taCrVb`6FSJA%$%$
remote-address 100.100.100.100
#
ipsec proposal huawei
#
ipsec policy lab 10 isakmp
security acl 3000
ike-peer fw1
proposal huawei
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 100.100.200.100 255.255.255.0
ipsec policy lab

interface GigabitEthernet0/0/1
ip address 172.16.10.254 255.255.255.0
#
firewall zone local
set priority 100

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.100.200.200
#
ip service-set ike type object
service 0 protocol udp destination-port 500
#
sysname Firewall_2

pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
policy interzone local untrust inbound
policy 0
action permit
policy service service-set ike
policy service service-set esp
#
policy interzone trust untrust inbound
policy 0
action permit
policy source 192.168.10.0 mask 24
policy destination 172.16.10.0 mask 24
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 172.16.10.0 mask 24
policy destination 192.168.10.0 mask 24
#
return
<Firewall_2>
?
?
<Site_2>dis current-configuration
[V200R003C00]
#
sysname Site_2
#
interface GigabitEthernet0/0/1
ip address 172.16.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.254
#
return
<Site_2>
?
?
Test:
<Firewall_2>dis ipsec sa ----------------------配置詳細(xì)詳細(xì)
09:08:52 2015/08/31

Interface: GigabitEthernet0/0/0
path MTU: 1500

?

IPsec policy name: "lab"
sequence number: 10
mode: isakmp
***: public

connection id: 40001 rule number: 5 encapsulation mode: tunnel

.................................
<Firewall_2>
?
<Firewall_2>dis ipsec statistics ----------------------加密解密的數(shù)據(jù)
09:09:47 2015/08/31
the security packet statistics:
input/output security packets: 23/23
input/output security bytes: 1932/1932
input/output dropped security packets: 0/0
the encrypt packet statistics
send sae:23, recv sae:23, send err:0
local cpu:23, other cpu:0, recv other cpu:0
intact packet:7, first slice:0, after slice:0
the decrypt packet statistics
send sae:23, recv sae:23, send err:0
?
?
<Firewall_2>display ipsec sa brief --------------------看是否與對(duì)端設(shè)備建立的狀態(tài)
09:12:27 2015/08/31
current ipsec sa number: 2
current ipsec tunnel number: 1

Src Address Dst Address SPI Protocol Algorithm

100.100.100.100 100.100.200.100 1982786750 ESP E:DES;A:HMAC-MD5-96;
100.100.200.100 100.100.100.100 2672106707 ESP E:DES;A:HMAC-MD5-96;
<Firewall_2>

轉(zhuǎn)載于:https://blog.51cto.com/9616635/2056335

總結(jié)

以上是生活随笔為你收集整理的华为USG Firewall Ipsec L2L的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。