IPsec配置指引

1. WEB页面VPN配置过程说明：

   登录设备WEB管理界面，在导航栏中选择“网络 ＞ IPsec”，选择新建IPsec策略。

   1. 基本配置：命名策略，选择出接口为本端接口，本端地址为出接口公网IP，对端地址为华为云VPN网关IP，认证方式选择预共享密钥，密钥信息与华为云配置一致，本端ID及对端ID均选择IP地址。
   2. 待加密数据流：新建配置，源地址为客户侧子网网段，目标地址为华为云子网网段，多条子网请分开填写，填写的条目数为两端子网数量的乘积，协议选择any，动作允许。
   3. 安全提议：IKE参数与IPsec参数与华为云配置一致，注意IKE版本只勾选与华为云匹配的选项，推荐开启周期性DPD检测。
   4. 安全策略：添加客户侧私网网段与华为云私网网段互访的安全策略，服务为ANY，动作允许，推荐置顶这两条安全策略规则。
   5. NAT策略：添加源地址为客户侧私网网段，目标为华为云私网网段动作为不做转换的nat规则，并将该规则置顶。
   

   • 安全策略中需要添加本地公网IP与华为云网关IP的互访规则，协议为UDP的500、4500和IP协议ESP与AH，确保协商流和加密流数据正常传输。
   • 不可以将公网IP的协商流进行NAT转发，必须确保本地公网IP访问华为云的流量不被NAT。
   • 确保访问目标子网的路由指向公网出接口下一跳。
   • 待加密数据流的网段请填写真实IP和掩码，请勿调用地址对象。
   • 若客户侧网络存在多出口时，请确保客户侧访问华为云VPN网关IP及私网网段从建立连接的公网出口流出，推荐使用静态路由配置选择出口网络。
2. 命令行配置说明：

   #增加地址对象

   ip address-set HWCloud_subnet192.168.10.0/24 type objectaddress 0 192.168.10.0 mask 24#ip address-set HWCloud_subnet192.168.20.0/24 type objectaddress 0 192.168.20.0 mask 24

   #配置一阶段提议，ike v1与ike v2的配置方式相同，ikev1使用认证、加密，ikev2使用加密、完整性、prf

   ike proposal 100authentication-algorithm sha2-256encryption-algorithm aes-128authentication-method pre-shareintegrity-algorithm hmac-sha2-256prf hmac-sha2-256dh group14sa duration 86400

   #配置对等体，指定版本，调用一阶段提议（undo version 2时需要配置exchange-mode参数）

   ike peer IKE-PEERundo version 1pre-shared-key ******ike-proposal 100remote-address 11.11.11.11dpd type periodic

   #配置感兴趣流

   acl number 3999rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

   #配置二阶段提议

   IPsec proposal IPsec-PH2transform espencapsulation-mode tunnelesp authentication-algorithm sha2-256esp encryption-algorithm aes-128

   #配置IPsec policy，调用ike peer、二阶段提议、ACL，注意PFS配置

   IPsec policy IPsec-HW 1 isakmpproposal IPsec-PH2security acl 3999ike-peer IKE-PEERtunnel local 22.22.22.22pfs dh-group14sa duration time-based 3600

   #全局配置，设定TCP分片大小

   firewall tcp-mss 1300#IPsec policy 绑定接口interface GigabitEthernet1/0/1ip address B.B.B.Y 255.255.255.0IPsec apply policy IPsec-HW#security-policyrule name IPsec-OUTpolicy loggingsession loggingsource-zone trustdestination-zone untrustsource-address address-set Customer-subnet172.16.10.0/24source-address address-set Customer-subnet172.16.20.0/24source-address address-set Customer-subnet172.16.30.0/24destination-address address-set HWCloud_subnet192.168.10.0/24destination-address address-set HWCloud_subnet192.168.20.0/24action permitrule name IPsec-INpolicy loggingsession loggingsource-zone untrustdestination-zone trustsource-address address-set HWCloud_subnet192.168.10.0/24source-address address-set HWCloud_subnet192.168.20.0/24destination-address address-set Customer-subnet172.16.10.0/24destination-address address-set Customer-subnet172.16.20.0/24destination-address address-set Customer-subnet172.16.30.0/24action permitrule name IPsec-NEG-passlogging enablecounting enablesource-ip 11.11.11.11 255.255.255.255source-ip 22.22.22.22 255.255.255.255destination-ip 11.11.11.11 255.255.255.255destination-ip 22.22.22.22 255.255.255.255action permitrule name Policy-Internet……#nat policyrule name IPsec_NONATdescription IPsec_NONATsource-zone trustdestination-zone untrustsource-address address-set Customer-subnet172.16.10.0/24source-address address-set Customer-subnet172.16.20.0/24source-address address-set Customer-subnet172.16.30.0/24destination-address address-set HWCloud_subnet192.168.10.0/24destination-address address-set HWCloud_subnet192.168.20.0/24action no-natrule name Snat_Internet……

   #路由配置，访问华为云子网路由由公网接口流出

   ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 22.22.22.1