华为USG系列IPSEC-VPN实施经验总结

一、网络环境介绍在清江酒店的USG防火墙调试IPSECVPN的时候发现官方的配置手册有些问题，所以详细整理下实施过程出现的问题及解决方法。网络情况简介：清江酒店总部设在武汉，宜昌，海口等地有10个分支机构，只有总部可以确认为固定IP，分支机构无法确认，有的固定，有的用ADSL。本案例用2个分支介绍。了解了客户的基本网络状况后开始跟客户商量设计调试方案，选用IPSEC野蛮模式组网。在实施过程中发现以下问题：配置手册中IPSECVPN配置实例不完善，NAT部分没有写（要阻止VPN之间的数据访问做NAT转换），导致配置的时候不知道问题出在哪，在NAT中完善了转换策略后，问题解决。因为野蛮模式配置是用ikelocal-name进行验证的，初步在IKE协商参数配置中加入了remote-name这项，配置完成后IPSECVPN建立成功，分支和总部用内网IP可以直接访问，第二天总部防火墙重启了一次后VPN怎么都建立不起来，打400后发现在IKE协商参数配置中使用了remote-name出现问题，导致VPN连接不上，去掉remote-name后问题解决。二、配置过程详细介绍下面详细介绍下配置过程，总部内网用的/24网段，其它分支采用192.168.X.X/24网段。防火墙的软件版本都是V100R005。（一）总部配置配置本地IKE本地用户名ikelocal-nameqndc配置ACLaclnumber3001创建序号3001的高级访问控制列表rule5permitipsource55destination55总部到分支1的内网网段VPN触发策略rule10permitipsource55destination55总部到分支2的内网网段VPN触发策略配置IKE安全提议ikeproposal10创建名称为10的IKE安全提议authentication-algorithmmd5选择加密的算法为md5配置IKEPEERikepeera创建名称为a的IKEPEERexchange-modeaggressive模式选择野蛮模式pre-shared-key123456IKE协商的密钥为123456ike-proposal10绑定IKE安全提议undoversion2选择V1的版本local-id-typename使用野蛮模式的IKElocal-name验证nattraversal打开NAT穿越创建IPSEC安全提议ipsecproposaltran1创建名称为tran1的IPSEC安全提议espauthentication-algorithmsha1选择安全算法为哈希算法sha1配置IPSEC安全策略模板ipsecpolicy-templatemap1创建名称为map的策略模板securityacl3001绑定触发ACLike-peera选择前面创建的ike-peeraproposaltran1选择前面创建的IPSEC安全提议tran1创建IPSEC安全策略ipsecpolicymap11isakmptemplatemap创建名称为map1的IPSEC安全策略绑定map策略模板在外网接口上应用IPSEC安全策略interfaceEthernet0/0/0ipaddress0648ipsecpolicymap1应用map1的IPSECVPN策略配置目的地址为192.168.X.X/16网段不做NAT转换；这步不配的话内网数据直接做NAT转换了，不会通过VPN隧道，那么前面的配置就白做了。nat-policyinterzonetrustuntrustoutbound进入NAT配置视图policy1策略1（这是优先级，数字越小越优先）actionno-nat不做NAT转换policydestination55目的地址为/16不做NAT转换policy2策略2actionsource-nat基于源地址的转换policysource55源地址为/24做NAT转换easy-ipEthernet0/0/0转换的外网地址为Ethernet0/0/0的接口地址#一定要注意策略的优先级，反了就没有作用了。ipaddress#interfaceCellular5/0/0link-protocolppp#interfaceEthernet0/0/0ipaddress0648ipsecpolicymap1#interfaceEthernet1/0/0portswitchportlink-typeaccess#interfaceEthernet1/0/1portswitchportlink-typeaccess#interfaceEthernet1/0/2portswitchportlink-typeaccess#interfaceEthernet1/0/3portswitchportlink-typeaccess#interfaceEthernet1/0/4portswitchportlink-typeaccess#interfaceEthernet1/0/5portswitchportlink-typeaccess#interfaceEthernet1/0/6portswitchportlink-typeaccess#interfaceEthernet1/0/7portswitchportlink-typeaccess#interfaceNULL0#firewallzonelocalsetpriority100#firewallzonetrustsetpriority85addinterfaceEthernet1/0/0addinterfaceEthernet1/0/1addinterfaceEthernet1/0/2addinterfaceEthernet1/0/3addinterfaceEthernet1/0/4addinterfaceEthernet1/0/5addinterfaceEthernet1/0/6addinterfaceEthernet1/0/7addinterfaceVlanif1#firewallzoneuntrustsetpriority5addinterfaceEthernet0/0/0#iproute-static05#nat-policyinterzonetrustuntrustoutboundpolicy1actionno-natpolicydestination55policy2actionsource-natpolicysource55easy-ipEthernet0/0/0#2、分之1的配置#ikelocal-namefenzhi-1#firewallpacket-filterdefaultpermitinterzonelocaltrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaltrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectionoutbound#l2fwdfastenable#aclnumber3001rule5permitipsource55destination55#ikeproposal10authentication-algorithmmd5#ikepeeraexchange-modeaggressivepre-shared-key123456ike-proposal10undoversion2local-id-typenameremote-address06nattraversal#ipsecproposaltran1espauthentication-algorithmsha1#ipsecpolicymap110isakmpsecurityacl3001ike-peeraproposaltran1#interfaceVlanif1ipaddress#interfaceCellular5/0/0link-protocolppp#interfaceEthernet0/0/0ipaddress26ipsecpolicymap1#interfaceEthernet1/0/0portswitchportlink-typeaccess#interfaceEthernet1/0/1portswitchportlink-typeaccess#interfaceEthernet1/0/2portswitchportlink-typeaccess#interfaceEthernet1/0/3portswitchportlink-typeaccess#interfaceEthernet1/0/4portswitchportlink-typeaccess#interfaceEthernet1/0/5portswitchportlink-typeaccess#interfaceEthernet1/0/6portswitchportlink-typeaccess#interfaceEthernet1/0/7portswitchportlink-typeaccess#interfaceEthernet2/0/0#interfaceNULL0#firewallzonelocalsetpriority100#firewallzonetrustsetpriority85detectftpaddinterfaceEthernet1/0/0addinterfaceEthernet1/0/1addinterfaceEthernet1/0/2addinterfaceEthernet1/0/3addinterfaceEthernet1/0/4addinterfaceEthernet1/0/5addinterfaceEthernet1/0/6addinterfaceEthernet1/0/7addinterfaceVlanif1#firewallzoneuntrustsetpriority5detectftpaddinterfaceEthernet0/0/0addinterfaceEthernet2/0/0#iproute-static#nat-policyinterzonetrustuntrustoutboundpolicy1actionno-natpolicydestination55policy2actionsource-natpolicysource55easy-ipEthernet0/0/0#分之2的配置文档#ikelocal-namefenzhi-2#firewallpacket-filterdefaultpermitinterzonelocaltrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaltrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaluntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonelocaldmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustuntrustdirectionoutboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectioninboundfirewallpacket-filterdefaultpermitinterzonetrustdmzdirectionoutboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectioninboundfirewallpacket-filterdefaultpermitinterzonedmzuntrustdirectionoutbound#l2fwdfastenable#aclnumber3001rule5permitipsource55destination55#ikeproposal10authentication-algorithmmd5#ikepeeraexchange-modeaggressivepre-shared-key123456ike-proposal10undoversion2local-id-typenameremote-address06nattraversal#ipsecproposaltran1espauthentication-algorithmsha1#ipsecpolicymap110isakmpsecurityacl3001ike-peeraproposaltran1#interfaceVlanif1ipaddress#interfaceCellular5/0/0link-protocolppp#interfaceEthernet0/0/0ipaddress0ipsecpolicymap1#interfaceEthernet1/0/0portswitchportlink-typeaccess#interfaceEthernet1/0/1portswitchportlink-typeaccess#interfaceEthernet1/0/2portswitchportlink-typeaccess#interfaceEthernet1/0/3portswitchportlink-typeaccess#interfaceEthernet1/0/4portswitchportlink-typeaccess#interfaceE