鸿鹄论坛
[Share] Configuring a point-to-point IPSec tunnel between Huawei firewalls

Posted 2019-8-20 11:01:50
An IPSec VPN is set up between the headquarters gateway and a branch gateway so that the two sites can reach each other. The HQ gateway has a fixed IP address, and the HQ reaches the Internet through NAT. The branch obtains its address over ADSL and gets a different address each time it dials up.
Networking requirements
As shown in Figure 1, USG_A connects the headquarters (HQ) and USG_B connects the branch. USG_A's IP address is fixed, and HQ hosts reach the Internet through NAT; the branch reaches the Internet over an ADSL interface whose address is not fixed. Devices on the branch LAN obtain their addresses by DHCP from the USG_B interface.
The requirement is to establish the IPSec tunnel through IKE auto-negotiation so that the branch and the HQ can access each other.
Figure 1: Branch reaching HQ by domain name (ADSL dial-up), network diagram (image 1.jpg not reproduced here)
Configuration approach
Based on the requirements, the steps are:
1 Configure the ADSL interface on the branch device so it can reach the Internet.
2 On both tunnel endpoints, use NAT policies to distinguish ordinary Internet traffic from IPSec traffic, and apply NAT only to the Internet traffic.
3 On the HQ side the branch address is not known in advance, so the IKE peer identifies the branch by its domain name (remote-domain) rather than by a fixed address; the branch points at the HQ's fixed address. Note that the configuration below uses an ISAKMP policy map on both ends. An IPSec policy template on the HQ is the usual way to accept several branches with unknown addresses, but that is not what this example shows.
4 So that the two sites can find each other, USG_B runs a DDNS client that keeps www.adsl.3322.org pointing at whatever address the current ADSL session has. USG_B also needs DNS resolution enabled so it can reach the DDNS server by name.

Procedure
1 Configure USG_A
# Configure interface GigabitEthernet 0/0/1.
<USG_A> system-view
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[USG_A-GigabitEthernet0/0/1] quit
# Add GigabitEthernet 0/0/1 to the Trust zone.
[USG_A] firewall zone trust
[USG_A-zone-trust] add interface GigabitEthernet 0/0/1
[USG_A-zone-trust] quit
# Configure interface GigabitEthernet 0/0/2 (we are still in system view; no second system-view is needed).
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ip address 202.10.12.1 24
[USG_A-GigabitEthernet0/0/2] quit
# Add GigabitEthernet 0/0/2 to the Untrust zone.
[USG_A] firewall zone untrust
[USG_A-zone-untrust] add interface GigabitEthernet 0/0/2
[USG_A-zone-untrust] quit
# Configure the Trust-to-Untrust interzone packet filter.
[USG_A] policy interzone trust untrust outbound
[USG_A-policy-interzone-trust-untrust-outbound] policy 1
[USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[USG_A-policy-interzone-trust-untrust-outbound-1] action permit
[USG_A-policy-interzone-trust-untrust-outbound-1] quit
[USG_A-policy-interzone-trust-untrust-outbound] quit
# Set the default packet filter to permit Local-to-Trust outbound and Untrust-to-Local inbound. The second rule is what lets the branch's IKE (UDP 500, and UDP 4500 with NAT traversal) and ESP packets reach the firewall itself; permitting everything from Untrust to Local is broader than needed, so restrict it to those protocols in production.
[USG_A] firewall packet-filter default permit interzone local trust direction outbound
[USG_A] firewall packet-filter default permit interzone local untrust direction inbound
# Configure the default route, assuming the next hop is 202.10.12.2.
[USG_A] ip route-static 0.0.0.0 0 202.10.12.2
# Configure the ACL that selects the traffic to protect with IPSec. It must be the mirror image of the ACL on USG_B (which permits 10.1.3.0/24 to 10.1.1.0/24), otherwise phase 2 negotiation fails or only one direction is protected.
[USG_A] acl 3001
[USG_A-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[USG_A-acl-adv-3001] quit
# Configure the IPSec proposal with default parameters.
[USG_A] ipsec proposal 1
[USG_A-ipsec-proposal-1] quit
# Configure the IKE proposal with default parameters.
[USG_A] ike proposal 1
[USG_A-ike-proposal-1] quit
# Configure the IKE peer. Aggressive mode is used because the branch address is dynamic and it is identified by a domain name. Be aware that IKEv1 aggressive mode with a pre-shared key sends the identities in the clear and exposes a hash that can be brute-forced offline against the key, so the placeholder abcde must be replaced by a long random key (the same value on both ends).
[USG_A] ike peer 1
[USG_A-ike-peer-1] exchange-mode aggressive
[USG_A-ike-peer-1] ike-proposal 1
[USG_A-ike-peer-1] local-id-type ip
[USG_A-ike-peer-1] remote-domain www.adsl.3322.org
[USG_A-ike-peer-1] pre-shared-key abcde
[USG_A-ike-peer-1] quit
# Configure the ISAKMP IPSec policy map.
[USG_A] ipsec policy map 1 isakmp
[USG_A-ipsec-policy-isakmp-map-1] security acl 3001
[USG_A-ipsec-policy-isakmp-map-1] proposal 1
[USG_A-ipsec-policy-isakmp-map-1] ike-peer 1
[USG_A-ipsec-policy-isakmp-map-1] quit
# Apply the IPSec policy map to the Internet-facing interface.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map
[USG_A-GigabitEthernet0/0/2] quit
# Configure NAT: translate Internet traffic but leave IPSec traffic untranslated. NAT policies are matched top-down, so the no-nat rule for 10.1.1.0/24 to 10.1.3.0/24 must come before the general source-nat rule; otherwise the tunnel traffic is rewritten first and never matches ACL 3001.
[USG_A] nat-policy interzone trust untrust outbound
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 2
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] easy-ip GigabitEthernet 0/0/2
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] quit
[USG_A-nat-policy-interzone-trust-untrust-outbound] quit

2 Configure USG_B
# Configure GigabitEthernet 0/0/1 and enable DHCP on it so branch LAN hosts get addresses automatically. The post does not show adding this interface to the Trust zone; it must be in Trust (as on USG_A) for the Trust-Untrust policies below to apply to it.
<USG_B> system-view
[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[USG_B-GigabitEthernet0/0/1] dhcp select interface
[USG_B-GigabitEthernet0/0/1] quit
# Configure the ADSL (PPPoE) dial-up interface for Internet access. The dialer interface is placed in the Untrust zone and the physical ATM interface is bound to the dialer bundle. Both PAP and CHAP credentials are configured so that whichever method the ISP requests succeeds; adsluser / Admin@123 are placeholders.
[USG_B] dialer-rule 10 ip permit
[USG_B] interface Dialer 1
[USG_B-Dialer1] dialer user adsluser
[USG_B-Dialer1] dialer bundle 5
[USG_B-Dialer1] dialer-group 10
[USG_B-Dialer1] ip address ppp-negotiate
[USG_B-Dialer1] ppp pap local-user adsluser password cipher Admin@123
[USG_B-Dialer1] ppp chap user adsluser
[USG_B-Dialer1] ppp chap password cipher Admin@123
[USG_B-Dialer1] quit
[USG_B] firewall zone untrust
[USG_B-zone-untrust] add interface Dialer 1
[USG_B-zone-untrust] quit
[USG_B] interface Atm 2/0/0
[USG_B-Atm2/0/0] pppoe-client dial-bundle-number 5
[USG_B-Atm2/0/0] quit
# Configure the Trust-to-Untrust interzone packet filter.
[USG_B] policy interzone trust untrust outbound
[USG_B-policy-interzone-trust-untrust-outbound] policy 1
[USG_B-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 0.0.0.255
[USG_B-policy-interzone-trust-untrust-outbound-1] action permit
[USG_B-policy-interzone-trust-untrust-outbound-1] quit
[USG_B-policy-interzone-trust-untrust-outbound] quit
# Set the default packet filter to permit Local-to-Trust outbound and Untrust-to-Local inbound (the same caveat as on USG_A applies: restrict the inbound rule to IKE and ESP in production).
[USG_B] firewall packet-filter default permit interzone local trust direction outbound
[USG_B] firewall packet-filter default permit interzone local untrust direction inbound
# Configure the default route through the dialer interface.
[USG_B] ip route-static 0.0.0.0 0 Dialer1
# Configure the ACL that selects the traffic to protect with IPSec (the mirror image of ACL 3001 on USG_A).
[USG_B] acl 3001
[USG_B-acl-adv-3001] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3001] quit
# Configure IPSec proposal 1 with default parameters.
[USG_B] ipsec proposal 1
[USG_B-ipsec-proposal-1] quit
# Configure the IKE proposal with default parameters.
[USG_B] ike proposal 1
[USG_B-ike-proposal-1] quit
# Configure the IKE peer, pointing at USG_A's fixed address. USG_A identifies this peer by the domain name www.adsl.3322.org, so USG_B must present that FQDN as its IKE identity in aggressive mode; the post does not show the command that sets the local identity type and name, so check it on your device. The pre-shared key must match USG_A exactly and must be a long random value rather than the placeholder abcde.
[USG_B] ike peer 1
[USG_B-ike-peer-1] exchange-mode aggressive
[USG_B-ike-peer-1] ike-proposal 1
[USG_B-ike-peer-1] remote-address 202.10.12.1
[USG_B-ike-peer-1] pre-shared-key abcde
[USG_B-ike-peer-1] quit
# Configure the ISAKMP IPSec policy map.
[USG_B] ipsec policy map 1 isakmp
[USG_B-ipsec-policy-isakmp-map-1] security acl 3001
[USG_B-ipsec-policy-isakmp-map-1] proposal 1
[USG_B-ipsec-policy-isakmp-map-1] ike-peer 1
[USG_B-ipsec-policy-isakmp-map-1] quit
# Apply the IPSec policy map to the Dialer1 interface.
[USG_B] interface Dialer 1
[USG_B-Dialer1] ipsec policy map
[USG_B-Dialer1] quit
# Enable DNS resolution so that USG_B can reach the DDNS server by name.
[USG_B] dns resolve
[USG_B] dns server 200.1.1.1
# Sign up for DDNS with a DDNS service provider.
Contact the DDNS service provider and follow its instructions. This example assumes the provider is www.3322.org, the username and password obtained are both abc123, and the DDNS client's domain name is www.adsl.3322.org.
# Configure the DDNS policy.
[USG_B] ddns policy abc
[USG_B-ddns-policy-abc] ddns client www.adsl.3322.org
[USG_B-ddns-policy-abc] ddns server www.3322.org
[USG_B-ddns-policy-abc] ddns username abc123 password abc123
[USG_B-ddns-policy-abc] quit
# Apply the DDNS policy to the dialer interface so that each new PPPoE address is pushed to the DDNS server.
[USG_B] ddns client enable
[USG_B] interface Dialer 1
[USG_B-Dialer1] ddns apply policy abc
[USG_B-Dialer1] quit
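A consistency check for the two configurations above, added here as an example; it is not part of the original post and not a Huawei tool. It reads the USG_A and USG_B command lines as plain text (only the ACL rules, the IKE peer pre-shared-key and exchange-mode lines, and the nat-policy block; everything else is ignored) and reports the mistakes that most often break this kind of setup: security ACLs that are not mirror images of each other, a pre-shared key or exchange mode that differs between the two ends, a too-short key, and a NAT policy that would rewrite the tunnel traffic before the no-nat exemption matches. The embedded sample configs are constructed from the commands above; two deliberately broken variants show the checker catching a destination written with host bits set (10.1.3.1 with wildcard 0.0.0.255 where 10.1.3.0 is meant) and a no-nat exemption that was mistakenly written as source-nat. The 16-character key threshold is an assumption of this example, not a Huawei requirement.

```python
"""Cross-check an HQ/branch pair of Huawei USG IPSec configs for the usual mismatches.
Added example, not part of the original post and not a Huawei tool: it understands only
the command lines the post uses (ACL rules, IKE peer pre-shared-key / exchange-mode,
nat-policy blocks) and ignores everything else. Sample configs are constructed below."""
import ipaddress
import re

PROMPT = re.compile(r"\s*\[([^\]]+)\]\s*(.*)")   # "[USG_A-acl-adv-3001] rule permit ..."
ACL_RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")
NAT_FIELD = re.compile(r"policy (source|destination) (\S+) (\S+)")
WORD = {k: re.compile(k + r" (\S+)$") for k in ("action", "pre-shared-key", "exchange-mode")}

def wildcard_to_net(addr, wildcard, notes):
    """Huawei ACLs use 'address wildcard' (0.0.0.255 = /24); contiguous wildcards assumed."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if ipaddress.IPv4Address(addr) != net.network_address:
        notes.append(f"{addr} {wildcard}: host bits set, did you mean {net.network_address}?")
    return net

def parse(cfg):
    side, cur = {"acl": [], "nat": [], "psk": None, "mode": None, "notes": []}, None
    for line in cfg.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue                      # '<USG_A>' user view and '#' comment lines carry no config
        prompt, cmd = m.group(1), m.group(2).strip()
        if "acl-adv" in prompt and (r := ACL_RULE.match(cmd)):
            side["acl"].append((wildcard_to_net(r[1], r[2], side["notes"]),
                                wildcard_to_net(r[3], r[4], side["notes"])))
        elif "ike-peer" in prompt:
            if r := WORD["pre-shared-key"].match(cmd):
                side["psk"] = r[1]
            elif r := WORD["exchange-mode"].match(cmd):
                side["mode"] = r[1]
        elif "nat-policy" in prompt:
            if re.fullmatch(r"policy \d+", cmd):       # 'policy N' opens the next NAT rule
                cur = {"source": None, "destination": None, "action": None}
                side["nat"].append(cur)
            elif cur and (r := NAT_FIELD.match(cmd)):
                cur[r[1]] = wildcard_to_net(r[2], r[3], side["notes"])
            elif cur and (r := WORD["action"].match(cmd)):
                cur["action"] = r[1]
    return side

def nat_verdict(side, src, dst):
    """Action of the first NAT policy matching src->dst; the firewall evaluates them top-down."""
    for p in side["nat"]:
        src_ok = p["source"] is None or src.subnet_of(p["source"])
        dst_ok = p["destination"] is None or dst.subnet_of(p["destination"])
        if src_ok and dst_ok:
            return p["action"]
    return None

def check_pair(hq_cfg, branch_cfg):
    hq, br = parse(hq_cfg), parse(branch_cfg)
    findings = hq["notes"] + br["notes"]
    # Phase 2 selectors must mirror each other, or the SA fails or protects only one direction.
    for name, this, other in (("HQ", hq, br), ("branch", br, hq)):
        for s, d in this["acl"]:
            if (d, s) not in other["acl"]:
                findings.append(f"{name} ACL rule {s} -> {d} is not mirrored on the other side")
    if hq["psk"] != br["psk"]:
        findings.append("pre-shared keys differ")
    elif hq["psk"] and len(hq["psk"]) < 16:        # 16 is this example's threshold, not a vendor rule
        findings.append(f"pre-shared key is only {len(hq['psk'])} characters; use a long random value")
    if hq["mode"] != br["mode"]:
        findings.append(f"exchange modes differ: HQ={hq['mode']} branch={br['mode']}")
    # Tunnel traffic must reach a no-nat rule before any source-nat rule, or it leaves rewritten.
    for name, side in (("HQ", hq), ("branch", br)):
        for s, d in side["acl"]:
            verdict = nat_verdict(side, s, d)
            if verdict not in (None, "no-nat"):
                findings.append(f"{name}: tunnel traffic {s} -> {d} hits '{verdict}' before any no-nat rule")
    return findings

# Constructed from the post's USG_A / USG_B commands (only the lines the checker reads).
HQ = """\
[USG_A-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[USG_A-ike-peer-1] exchange-mode aggressive
[USG_A-ike-peer-1] pre-shared-key abcde
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] policy destination 10.1.3.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-1] action no-nat
[USG_A-nat-policy-interzone-trust-untrust-outbound] policy 2
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] policy source 10.1.1.0 0.0.0.255
[USG_A-nat-policy-interzone-trust-untrust-outbound-2] action source-nat
"""
BRANCH = """\
[USG_B-acl-adv-3001] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-ike-peer-1] exchange-mode aggressive
[USG_B-ike-peer-1] pre-shared-key abcde
"""
# Broken variants: a destination with host bits set (10.1.3.1 for 10.1.3.0), and a lost exemption.
HQ_TYPO = HQ.replace("destination 10.1.3.0 0.0.0.255\n[USG_A-ike", "destination 10.1.3.1 0.0.0.255\n[USG_A-ike")
HQ_NO_EXEMPT = HQ.replace("action no-nat", "action source-nat")
```

Run `check_pair(HQ, BRANCH)` to see the only finding for the pair as written (the short placeholder key); `check_pair(HQ_TYPO, BRANCH)` and `check_pair(HQ_NO_EXEMPT, BRANCH)` add the host-bits warning and the NAT-order finding respectively. Feed it the output of `display current-configuration` from each box, with the prompts prefixed as in the post, to check a real pair. Policy order is taken from the order in which the `policy N` lines appear, which is how the firewall evaluates them, so reordering the two NAT policies in `HQ` is caught as well.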