When you use an IPsec VPN to connect a Tencent Cloud VPC to your own IDC, you configure the Tencent Cloud VPN gateway first and then configure the VPN on the gateway device at the IDC site. This document describes the configuration on a Huawei firewall.
Note:
This document uses a Huawei USG series firewall as the example for the IPsec VPN configuration. For further details and for other services, contact the vendor for the configuration guide of your specific device model.
Prerequisites
Data preparation
The example values used for the IPsec VPN configuration in this document are listed below. The first column groups the items into network configuration (VPC and IDC information) and IPsec connection configuration (IKE and IPsec settings).

Category | Configuration item | Example value
VPC information | VPN gateway public IP | 159.75.**.242
IDC information | Intranet CIDR | 172.16.0.0/16 (the network configured on GE1/0/1 in step 1)
IDC information | Gateway public IP | 120.235.**.76
IDC information | Upstream (public) interface | GE1/0/2
IDC information | Downstream (intranet) interface | GE1/0/1
IKE configuration | Authentication method | Pre-shared key
IKE configuration | PSK | 123456
IKE configuration | Encryption algorithm | AES-128
IKE configuration | Authentication (integrity) algorithm | MD5
IKE configuration | Negotiation mode | main
IKE configuration | Local ID | IP address: 120.235.225.76
IKE configuration | Remote ID | IP address: 159.75.41.242
IKE configuration | DH group | DH2
IKE configuration | IKE SA lifetime | 86400 s
IPsec configuration | Encryption algorithm | AES-128 (as set in the proposal in step 4)
IPsec configuration | Authentication (integrity) algorithm | MD5
IPsec configuration | Encapsulation mode | Tunnel
IPsec configuration | Security protocol | ESP
IPsec configuration | PFS | disable
IPsec configuration | IPsec SA lifetime | 3600 s

Every IKE and IPsec value must be identical to what is set on the Tencent Cloud VPN connection; a mismatch makes phase 1 or phase 2 negotiation fail. MD5, DH group 2 and the pre-shared key 123456 appear here only because the walkthrough uses them; they are weak by current standards. On a production tunnel use a SHA2 integrity algorithm, DH group 14 or higher and a long random pre-shared key, with the Tencent Cloud side configured to the same values.
Procedure
1. Configure the interface IP addresses and add the interfaces to security zones.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 172.16.0.1 16 /* intranet gateway address */
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ip address 120.235.**.76 24
[HUAWEI-GigabitEthernet1/0/2] service-manage ping permit /* allow the cloud side to ping the public address for reachability probes */
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] ip address unnumbered interface GigabitEthernet1/0/2
[HUAWEI-Tunnel1] tunnel-protocol ipsec
[HUAWEI-Tunnel1] service-manage ping permit
[HUAWEI-Tunnel1] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/1 /* add the interface to a firewall security zone */
[HUAWEI-zone-trust] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/2
[HUAWEI-zone-untrust] add interface tunnel 1
[HUAWEI-zone-untrust] quit
2. Configure the inter-zone security policies. Rules 1 and 2 permit the cleartext traffic between the IDC intranet and the VPC; rules 3 and 4 permit the encrypted traffic (IKE and ESP) between the firewall itself (local zone) and the Tencent Cloud VPN gateway. Rules 3 and 4 as written permit all IP traffic between the two gateway addresses; where your release allows it, narrow them to IKE (UDP 500, and UDP 4500 for NAT traversal) and ESP.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1 /* cleartext inter-zone policy: VPC -> IDC */
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 10.1.1.0 24
[HUAWEI-policy-security-rule-1] destination-address 172.16.0.0 16
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2 /* cleartext inter-zone policy: IDC -> VPC */
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 172.16.0.0 16
[HUAWEI-policy-security-rule-2] destination-address 10.1.1.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
[HUAWEI-policy-security] rule name 3 /* encrypted traffic: local -> untrust */
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 120.235.**.76 32
[HUAWEI-policy-security-rule-3] destination-address 159.75.**.242 32
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4 /* encrypted traffic: untrust -> local */
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 159.75.**.242 32
[HUAWEI-policy-security-rule-4] destination-address 120.235.**.76 32
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
3. Configure an access control list that defines the data flow to be protected. The ACL describes the flow in the outbound direction: the source is the IDC intranet (172.16.0.0/16, the network behind GE1/0/1) and the destination is the VPC CIDR (10.1.1.0/24, the network routed into the tunnel in step 9). It must mirror the local and remote subnets configured on the Tencent Cloud side, otherwise phase 2 negotiation fails on a traffic selector mismatch.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 172.16.0.0 0.0.255.255 destination 10.1.1.0 0.0.0.255 /* source = IDC intranet, destination = VPC */
[HUAWEI-acl-adv-3000] quit
4. Configure the IPsec proposal (security protocol, encapsulation mode and algorithms).
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm md5 /* example value; a SHA2 algorithm is preferred when both ends support it */
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[HUAWEI-ipsec-proposal-tran1] quit
5. Create the IKE proposal.
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm aes-128
[HUAWEI-ike-proposal-1] authentication-algorithm md5 /* example value; a SHA2 algorithm is preferred when both ends support it */
[HUAWEI-ike-proposal-1] dh group2 /* example value; DH group 14 or higher is preferred when both ends support it */
[HUAWEI-ike-proposal-1] quit
6. Configure the IKE peer.
[HUAWEI] ike peer tencent
[HUAWEI-ike-peer-tencent] undo version 2 /* IKEv1 only, matching the main-mode setting on the cloud side */
[HUAWEI-ike-peer-tencent] exchange-mode main
[HUAWEI-ike-peer-tencent] ike-proposal 1
[HUAWEI-ike-peer-tencent] remote-address 159.75.**.242 /* public address of the Tencent Cloud VPN gateway */
[HUAWEI-ike-peer-tencent] pre-shared-key 123456 /* example value; use a long random secret identical to the one set on the cloud side */
[HUAWEI-ike-peer-tencent] quit
7. Configure the IPsec policy, binding the ACL, the proposal and the IKE peer.
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer tencent
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
8. Apply the IPsec policy on the Tunnel interface.
[HUAWEI] interface Tunnel 1
[HUAWEI-Tunnel1] ipsec policy map1
[HUAWEI-Tunnel1] quit
9. Configure the inner route that steers traffic for the VPC CIDR into the tunnel interface.
[HUAWEI] ip route-static 10.1.1.0 24 tunnel 1
10. Configure the outer (outbound) default route.
For example, if the upstream gateway is 120.235.**.1:
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 120.235.**.1
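As an added example (not part of this page and not a Huawei or Tencent Cloud tool), the Python script below audits a configuration in the USG command style used above for the weak choices the walkthrough carries: MD5 integrity, DH group 2, a six-digit pre-shared key, no PFS, IKEv2 switched off, and a security ACL written in the VPC -> IDC direction. Both configurations inside the script are constructed from the page's example values; the hardened variant (SHA2-256, AES-256, DH group 14, PFS, IKEv2 left enabled, a long random PSK that is a made-up value) assumes the Tencent Cloud side is set to the same values. Algorithm keywords follow the USG command reference and should be checked against your release.

```python
# Added example, not from the Tencent Cloud page or Huawei: audit VRP-style
# IKE/IPsec commands for weak choices; keywords follow the USG command reference.
import ipaddress
import re

WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}
WEAK_DH = {"group1", "group2", "group5"}   # 'dh groupN' and 'pfs dh-groupN'
MIN_PSK_LEN = 16

BLOCK_HEAD = re.compile(r"^(acl|ike proposal|ipsec proposal|ike peer|ipsec policy) (\S+)")
ALG_AUTH = re.compile(r"^(?:esp )?(?:authentication|integrity)-algorithm (\S+)")
ALG_ENC = re.compile(r"^(?:esp )?encryption-algorithm (\S+)")
ACL_RULE = re.compile(r"^rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
PSK_LINE = re.compile(r"^pre-shared-key (?:cipher |simple )?(\S+)")


def wildcard_to_network(addr, wildcard):
    # ACL wildcard: 0 bits must match; assumes a contiguous mask such as 0.0.255.255
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}")


def audit_config(config, local_cidr, remote_cidr):
    """Return [(block, finding), ...]; an empty list means nothing was flagged."""
    local, remote = ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr)
    findings, block, pfs_seen = [], "global", True
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if head := BLOCK_HEAD.match(line):
            block = f"{head.group(1)} {head.group(2)}"
            pfs_seen = head.group(1) != "ipsec policy"   # only a policy needs PFS
        elif line == "quit":
            if not pfs_seen:
                findings.append((block, "PFS disabled: no 'pfs dh-groupN' in the policy"))
            block, pfs_seen = "global", True
        elif (m := ALG_AUTH.match(line)) and m.group(1).lower() in WEAK_HASH:
            findings.append((block, f"weak integrity algorithm {m.group(1)}"))
        elif (m := ALG_ENC.match(line)) and m.group(1).lower() in WEAK_ENC:
            findings.append((block, f"weak encryption algorithm {m.group(1)}"))
        elif (m := re.match(r"^dh (\S+)", line)) and m.group(1) in WEAK_DH:
            findings.append((block, f"weak IKE DH {m.group(1)}"))
        elif m := re.match(r"^pfs dh-(\S+)", line):
            pfs_seen = True
            if m.group(1) in WEAK_DH:
                findings.append((block, f"weak PFS {m.group(1)}"))
        elif line == "undo version 2":
            findings.append((block, "IKEv2 disabled; prefer IKEv2 when the peer supports it"))
        elif m := PSK_LINE.match(line):
            psk = m.group(1)
            if len(psk) < MIN_PSK_LEN or psk.isdigit() or psk.isalpha():
                findings.append((block, "pre-shared key is short or low-entropy"))
        elif (m := ACL_RULE.match(line)) and block.startswith("acl"):
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            if not (src.subnet_of(local) and dst.subnet_of(remote)):
                findings.append((block, f"security ACL {src} -> {dst} is not IDC -> VPC"))
    return findings


# Constructed from the page's example values, weaknesses left in on purpose,
# and with the security ACL written VPC -> IDC (the wrong direction).
WEAK_CONFIG = """
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 quit
ipsec proposal tran1
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm aes-128
 quit
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm md5
 dh group2
 quit
ike peer tencent
 undo version 2
 ike-proposal 1
 remote-address 159.75.**.242
 pre-shared-key 123456
 quit
ipsec policy map1 1 isakmp
 security acl 3000
 proposal tran1
 ike-peer tencent
 quit
"""

# The same configuration with each weakness replaced (SHA2-256, AES-256, DH group
# 14, PFS, IKEv2 left enabled, and a long random PSK that is a constructed value).
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("source 10.1.1.0 0.0.0.255 destination 172.16.0.0 0.0.255.255",
             "source 172.16.0.0 0.0.255.255 destination 10.1.1.0 0.0.0.255")
    .replace("md5", "sha2-256").replace("aes-128", "aes-256").replace("group2", "group14")
    .replace(" undo version 2\n", "")
    .replace("pre-shared-key 123456", "pre-shared-key cipher Xq7vR2pLz9Kd4mWs8TnB3eJ")
    .replace(" ike-peer tencent\n", " ike-peer tencent\n pfs dh-group14\n")
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg, "172.16.0.0/16", "10.1.1.0/24"))
```

Run it as-is to see the seven findings on the weak configuration and none on the hardened one; to audit a real device, paste the output of `display current-configuration` into `audit_config` with the IDC and VPC CIDRs of your deployment. The ACL check encodes the rule from step 3 (source = IDC side, destination = VPC side), which is the direction the firewall uses when it proposes traffic selectors to the cloud gateway.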