需求场景 企业总部与企业分支通过互联网建立VPN,总部与分支A使用固定IP地址,分支B为DHCP动态地址。
现状:
1、企业总部与企业分支A、B办公环境均已使用飞塔防火墙作为出口网关接入互联网,可访问互联网资源;
2、企业总部与企业分支A已建立IPSEC VPN
3、总部内网服务器 10.1.1.1 的 3389 端口已对公网映射为 20.0.0.10 的 8389 端口;
新增需求:
1、分支机构B与总部建立IPSEC VPN,实现机构间数据共享;
2、IPSEC VPN的配置不对用户访问互联网产生影响。
现网总部与分支A、B设备已配置源地址转换及安全策略,三个机构均可访问互联网,同时总部内部服务器已对公网进行映射,总部与分支A已建立IPSEC VPN。
现网配置如下:
fwa # show
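# fwa (headquarters) - current configuration.
# Quotes are plain ASCII "..." so the listing can be pasted into the FortiOS
# CLI; the curly quotes in the original listing are rejected by the parser.
config system global
    set hostname "fwa"
end
config system interface
    edit "port1"
        # LAN side
        set ip 10.1.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet side; only ping is permitted as management access
        set ip 20.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "localvpn"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "remotevpn"
        set subnet 172.16.0.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwb"
        set interface "port2"
        set ike-version 2
        # NOTE(review): des-md5 (56-bit DES, MD5 integrity) is a deprecated,
        # weak proposal. Use e.g. aes256-sha256; the value must match on fwb.
        set proposal des-md5
        set remote-gw 20.1.1.1
        # NOTE(review): "123456" is a sample value only. Deploy a long random
        # pre-shared key, identical on fwb.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwb"
        set phase1name "tofwb"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # src-subnet is the local selector, dst-subnet the remote one
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end
config firewall ippool
    edit "snat_pool"
        # single public address used for outbound source NAT
        set startip 20.0.0.2
        set endip 20.0.0.2
    next
end
config firewall vip
    edit "rdp8389"
        # 20.0.0.10:8389 on port2 -> 10.1.1.1:3389 (RDP)
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 1
        # Policy-based IPsec to branch A. It is ordered before policy 10 so
        # VPN traffic is matched here and not source-NATed to the Internet.
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwb"
    next
    edit 10
        # Internet access for the LAN, source-NATed to snat_pool
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        # Inbound RDP through the VIP.
        # NOTE(review): "nat enable" here source-NATs inbound sessions to the
        # port1 address (no ippool is set), so the server logs 10.1.1.254
        # instead of the real client IP. Remove it unless required, and
        # consider narrowing srcaddr from "all" to the expected client ranges.
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # default route towards the ISP
        set device "port2"
        set gateway 20.0.0.100
    next
end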
分支机构现网配置如下:
fwb #show
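# fwb (branch A, static public address) - current configuration.
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config system global
    set hostname "fwb"
end
config system interface
    edit "port1"
        # LAN side
        set ip 172.16.0.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet side
        set ip 20.1.1.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "localvpn"
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "remotevpn"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwa"
        set interface "port2"
        set ike-version 2
        # NOTE(review): des-md5 is a deprecated, weak proposal; use e.g.
        # aes256-sha256, identical on fwa.
        set proposal des-md5
        set remote-gw 20.0.0.1
        # NOTE(review): sample PSK only; use a long random secret shared with fwa.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwa"
        set phase1name "tofwa"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        set auto-negotiate enable
        set encapsulation tunnel-mode
        # Fixed: src-subnet is the LOCAL selector and dst-subnet the REMOTE one.
        # The original listing had 10.1.1.0 as src and 172.16.0.0 as dst, which
        # is fwa's view, not fwb's (compare localvpn/remotevpn above).
        set src-subnet 172.16.0.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        # Policy-based IPsec to headquarters, ordered before the NAT policy
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwa"
    next
    edit 10
        # Internet access for the LAN, source-NATed to the port2 address
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # default route towards the ISP
        set device "port2"
        set gateway 20.1.1.100
    next
end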
fwc # show
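# fwc (branch B, DHCP public address) - current configuration.
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config system global
    set hostname "fwc"
end
config system interface
    edit "port1"
        # LAN side
        set ip 172.16.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet side: address and default route are obtained from DHCP,
        # which is why fwa must treat this peer as a dynamic (dial-up) peer.
        set mode dhcp
        set allowaccess ping
        set defaultgw enable
    next
end
config firewall policy
    edit 10
        # Internet access for the LAN, source-NATed to the port2 address
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end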
fwa #新增IPSEC VPN配置
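# fwa: additions for the IPsec VPN to branch B (fwc).
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config firewall address
    edit "vpntofwc"
        # branch B LAN
        set subnet 172.16.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwc"
        # Dynamic (dial-up) peer: fwc's public address is DHCP-assigned, so
        # no remote-gw can be set and IKE from any source address is accepted.
        # Authentication therefore rests on the PSK plus the peer ID check
        # below - keep the PSK strong.
        set type dynamic
        set interface "port2"
        set ike-version 2
        # only a peer presenting IKE ID "fwc_fqdn" is accepted
        set peertype one
        # NOTE(review): des-md5 is a deprecated, weak proposal; use e.g.
        # aes256-sha256, identical on fwc.
        set proposal des-md5
        set localid "fwa_fqdn"
        set localid-type fqdn
        set peerid "fwc_fqdn"
        # NOTE(review): sample PSK only; use a long random secret shared with fwc.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwc_p2"
        set phase1name "tofwc"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        # No auto-negotiate: with a dynamic peer fwa cannot initiate; fwc
        # brings the tunnel up (its phase2 has auto-negotiate enabled).
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "vpntofwc"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwc"
    next
    # The IPsec policy must sit above the Internet NAT policy (10); otherwise
    # traffic to 172.16.1.0/24 would match policy 10 and be source-NATed to
    # the Internet instead of entering the tunnel.
    move 2 before 10
end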
fwc # 新增IPSEC VPN配置
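# fwc: additions for the IPsec VPN to headquarters (fwa).
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config firewall address
    edit "localvpn"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "remotevpn"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwa"
        set interface "port2"
        set ike-version 2
        # NOTE(review): des-md5 is a deprecated, weak proposal; use e.g.
        # aes256-sha256, identical on fwa.
        set proposal des-md5
        # This FQDN ID is what fwa's "tofwc" phase1 matches with peerid
        set localid "fwc_fqdn"
        set localid-type fqdn
        # fwa has a static public address, so fwc can always initiate
        set remote-gw 20.0.0.1
        # NOTE(review): sample PSK only; use a long random secret shared with fwa.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwa_p2"
        set phase1name "tofwa"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        # fwc is the only side that can initiate, so it auto-negotiates
        set auto-negotiate enable
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwa"
    next
    # The IPsec policy must sit above the Internet NAT policy (10) so VPN
    # traffic is not source-NATed to the Internet.
    move 1 before 10
end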
验证 测试IPSEC VPN 连通性
在分支机构B用户终端 ping 10.1.1.1,确认总部服务器可达
在总部及分支机构B防火墙上使用 get vpn ipsec tunnel details 命令验证IPSEC VPN 隧道状态和加解密数据包情况
防火墙FWA最终配置如下:
fwa #show
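# fwa (headquarters) - final configuration.
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config system global
    set hostname "fwa"
end
config system interface
    edit "port1"
        # LAN side
        set ip 10.1.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet side; only ping is permitted as management access
        set ip 20.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall address
    edit "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "localvpn"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "remotevpn"
        # branch A LAN
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "vpntofwc"
        # branch B LAN
        set subnet 172.16.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwb"
        set interface "port2"
        set ike-version 2
        # NOTE(review): des-md5 is a deprecated, weak proposal; use e.g.
        # aes256-sha256, identical on the peer.
        set proposal des-md5
        # NOTE(review): this localid was not in the original tofwb
        # configuration nor in the documented change set, and fwb sets no
        # matching peerid - confirm it is intended.
        set localid "fwa_fqdn"
        set remote-gw 20.1.1.1
        # NOTE(review): sample PSK only; use a long random secret per peer.
        set psksecret 123456
    next
    edit "tofwc"
        # Dynamic (dial-up) peer: fwc's address is DHCP-assigned, so IKE from
        # any source address is accepted; authentication rests on the PSK
        # plus the peer ID check (peertype one / peerid).
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype one
        # NOTE(review): weak proposal, see tofwb
        set proposal des-md5
        set localid "fwa_fqdn"
        set localid-type fqdn
        set peerid "fwc_fqdn"
        # NOTE(review): sample PSK only
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwb"
        set phase1name "tofwb"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
    edit "tofwc_p2"
        set phase1name "tofwc"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        # no auto-negotiate: fwa cannot initiate towards a dynamic peer
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
config firewall ippool
    edit "snat_pool"
        # single public address used for outbound source NAT
        set startip 20.0.0.2
        set endip 20.0.0.2
    next
end
config firewall vip
    edit "rdp8389"
        # 20.0.0.10:8389 on port2 -> 10.1.1.1:3389 (RDP)
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 1
        # IPsec to branch A, ordered before the Internet NAT policy (10)
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwb"
    next
    edit 2
        # IPsec to branch B, ordered before the Internet NAT policy (10)
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "vpntofwc"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwc"
    next
    edit 10
        # Internet access for the LAN, source-NATed to snat_pool
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        # Inbound RDP through the VIP.
        # NOTE(review): "nat enable" here source-NATs inbound sessions to the
        # port1 address (no ippool is set), so the server logs 10.1.1.254
        # instead of the real client IP. Remove it unless required, and
        # consider narrowing srcaddr from "all" to the expected client ranges.
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 10
        # default route towards the ISP
        set device "port2"
        set gateway 20.0.0.100
    next
end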
防火墙FWC最终配置如下:
fwc # show
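# fwc (branch B, DHCP public address) - final configuration.
# Quotes normalized to ASCII "..." so the listing pastes into the FortiOS CLI.
config system global
    set hostname "fwc"
end
config system interface
    edit "port1"
        # LAN side
        set ip 172.16.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        # Internet side: address and default route obtained from DHCP
        set mode dhcp
        set allowaccess ping
        set defaultgw enable
    next
end
config firewall address
    edit "localvpn"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "remotevpn"
        # headquarters LAN
        set subnet 10.1.1.0 255.255.255.0
    next
end
config vpn ipsec phase1
    edit "tofwa"
        set interface "port2"
        set ike-version 2
        # NOTE(review): des-md5 is a deprecated, weak proposal; use e.g.
        # aes256-sha256, identical on fwa.
        set proposal des-md5
        # This FQDN ID is what fwa's "tofwc" phase1 matches with peerid
        set localid "fwc_fqdn"
        set localid-type fqdn
        # fwa has a static public address, so fwc can always initiate
        set remote-gw 20.0.0.1
        # NOTE(review): sample PSK only; use a long random secret shared with fwa.
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "tofwa_p2"
        set phase1name "tofwa"
        # NOTE(review): same weak-proposal caveat as phase1
        set proposal des-md5
        set keepalive enable
        # fwc is the only side that can initiate, so it auto-negotiates
        set auto-negotiate enable
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        # IPsec to headquarters, ordered before the Internet NAT policy (10)
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "localvpn"
        set dstaddr "remotevpn"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "tofwa"
    next
    edit 10
        # Internet access for the LAN, source-NATed to the port2 address
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next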
end
防火墙FWA最终配置如下: