华为usg ipsec配置（华为USG IPSec配置详解）

华为USG IPSec配置详解

一、前言

随着网络安全威胁的加剧，各个企业对于网络安全的重视程度也越来越高，而VPN则成为了企业提升网络安全的一种重要方式。IPSec是目前行业中最广泛使用的VPN协议之一，本文将介绍如何在华为USG设备上配置IPSec VPN。

二、环境准备

本次配置环境如下：

设备型号：华为USG6600

软件版本：V500R001C70SPC500

除上述设备外，我们还需要明确以下信息：

1.各个站点的WAN口IP地址、LAN口IP地址、预共享密钥（PSK）等。

2.需要建立的IPSec VPN业务类型：站点对站点（Site-to-Site），还是站点到远程接入用户（Remote Access）。

三、配置过程

1.配置Site-to-Site IPSec VPN

1.1 配置IKE策略

1.1.1 创建IKE策略

首先，我们需要在USG设备上创建一个IKE策略。

``` [USG6600]ike proposal ProposedEncryptionAlg2 [USG6600-ike-ProposedEncryptionAlg2]ike authentication-method pre-share [USG6600-ike-ProposedEncryptionAlg2]ike encryption-algorithm aes-256 [USG6600-ike-ProposedEncryptionAlg2]ike prf hmac-sha2-256 [USG6600-ike-ProposedEncryptionAlg2]ike sa duration 28800 ```

1.1.2 创建IKE策略模板

创建策略之后，我们还需要创建IKE策略模板。在这个模板中，我们需要将刚刚创建好的IKE策略绑定在一起。

``` [USG6600]ike proposal ProposedEncryptionAlg2 [USG6600-ike-ProposedEncryptionAlg2]ike authentication-method pre-share [USG6600-ike-ProposedEncryptionAlg2]ike encryption-algorithm aes-256 [USG6600-ike-ProposedEncryptionAlg2]ike prf hmac-sha2-256 [USG6600-ike-ProposedEncryptionAlg2]ike sa duration 28800 [USG6600-ike-ProposedEncryptionAlg2]quit [USG6600]ike peer any [USG6600-ike-peer-any]ike proposal ProposedEncryptionAlg2 [USG6600-ike-peer-any]quit ```

1.2 配置IPSec策略

1.2.1 创建IPSec策略

创建IPSec策略之前，我们需要先定义一个IPSec协议的加密方式。下面的命令将定义AES-256算法加密，并将其保存为ProposalEncryptionAlg2。

``` [USG6600]ipsec proposal ProposalEncryptionAlg2 [USG6600-ipsec-ProposalEncryptionAlg2]esp authentication-algorithm hmac-sha2-256 [USG6600-ipsec-ProposalEncryptionAlg2]esp encryption-algorithm aes-256 [USG6600-ipsec-ProposalEncryptionAlg2]esp sa duration 28800 ```

1.2.2 创建IPSec策略模板

接着，我们需要创建IPSec策略模板。在这个模板中，我们需要绑定刚刚创建好的IPSec策略，并指定预共享密钥。

``` [USG6600]ipsec proposal ProposalEncryptionAlg2 [USG6600-ipsec-ProposalEncryptionAlg2]esp authentication-algorithm hmac-sha2-256 [USG6600-ipsec-ProposalEncryptionAlg2]esp encryption-algorithm aes-256 [USG6600-ipsec-ProposalEncryptionAlg2]esp sa duration 28800 [USG6600-ipsec-ProposalEncryptionAlg2]quit [USG6600]ipsec policy Site2Site [USG6600-ipsec-Site2Site]protection [SecureCommunication-SA] [ProposalEncryptionAlg2] [ProposedEncryptionAlg2] [USG6600-ipsec-Site2Site]quit [USG6600]ike peer Link-To-Branch-1 [USG6600-ike-peer-Link-To-Branch-1]pre-shared-key cipher huawei@123 [USG6600-ike-peer-Link-To-Branch-1]proposal ProposedEncryptionAlg2 [USG6600-ike-peer-Link-To-Branch-1]policy Site2Site [USG6600-ike-peer-Link-To-Branch-1]quit ```

1.3 配置防火墙策略

1.3.1 创建防火墙策略

在确认IPSec策略配置完成之后，我们需要配置防火墙策略，以定向IPSec VPN报文流量。在此过程中，我们需要将刚刚创建好的IPSec策略绑定在一起。

``` [USG6600-firewall]ipv4 traffic-filter In allow vpn-instance __public__ //__public__为VPN实例名称 [USG6600-firewall]traffic-selector in protected-area 10.1.1.0 0.0.0.255 [USG6600-firewall]traffic-selector out protected-area 20.1.1.0 0.0.0.255 ```

2.配置Remote-Access IPSec VPN

2.1 配置IKE策略

2.1.1 创建IKE策略

与Site-to-Site IPSec VPN配置相似，我们需要在设备上创建一个IKE策略。

``` [USG6600]ike proposal ProposedEncryptionAlg2 [USG6600-ike-ProposedEncryptionAlg2]ike authentication-method pre-share [USG6600-ike-ProposedEncryptionAlg2]ike encryption-algorithm aes-256 [USG6600-ike-ProposedEncryptionAlg2]ike prf hmac-sha2-256 [USG6600-ike-ProposedEncryptionAlg2]ike sa duration 28800 ```

2.1.2 创建IKE策略模板

同样，我们还需要创建IKE策略模板，并将IK策略绑定在一起。

``` [USG6600]ike proposal ProposedEncryptionAlg2 [USG6600-ike-ProposedEncryptionAlg2]ike authentication-method pre-share [USG6600-ike-ProposedEncryptionAlg2]ike encryption-algorithm aes-256 [USG6600-ike-ProposedEncryptionAlg2]ike prf hmac-sha2-256 [USG6600-ike-ProposedEncryptionAlg2]ike sa duration 28800 [USG6600-ike-ProposedEncryptionAlg2]quit [USG6600]ike peer any [USG6600-ike-peer-any]ike proposal ProposedEncryptionAlg2 [USG6600-ike-peer-any]quit ```

2.2 配置IPSec策略

2.2.1 创建IPSec策略

若要配置Remote-Access IPSec VPN，我们需要首先建立一个IPSec策略。

``` [USG6600]ipsec proposal ProposalEncryptionAlg2 [USG6600-ipsec-ProposalEncryptionAlg2] esp authentication-algorithm hmac-sha2-256 [USG6600-ipsec-ProposalEncryptionAlg2] esp encryption-algorithm aes-256 [USG6600-ipsec-ProposalEncryptionAlg2] esp sa duration 28800 ```

2.2.2 创建IPSec策略模板

接着，我们需要创建IPSec策略模板，并在模板中绑定上述IPSec策略。

``` [USG6600]ipsec proposal ProposalEncryptionAlg2 [USG6600-ipsec-ProposalEncryptionAlg2] esp authentication-algorithm hmac-sha2-256 [USG6600-ipsec-ProposalEncryptionAlg2] esp encryption-algorithm aes-256 [USG6600-ipsec-ProposalEncryptionAlg2] esp sa duration 28800 [USG6600-ipsec-ProposalEncryptionAlg2]quit [USG6600]ike peer Remote-Access [USG6600-ike-peer-Remote-Access] proposal ProposedEncryptionAlg2 [USG6600-ike-peer-Remote-Access] pre-shared-key interface Ethernet1/0/1 huawei@123 [USG6600-ike-peer-Remote-Access]ipsec proposal ProposalEncryptionAlg2 [USG6600-ike-peer-Remote-Access]remote-address sr-client [USG6600-ike-peer-Remote-Access]quit ```

2.3 配置VPN Client

2.3.1 配置VPN Client参数

我们需要在VPN Client中填写Remote-Access IPSec VPN需要的相关参数，包括远端地址、预共享密钥等等。

``` 1.远端地址：USG6600设备Dialer接口的IP地址。 2.预共享密钥：huawei@123。 ```

2.3.2 部署SR客户端

Sahana SR客户端云采用Web方式自动安装，不用担心该客户端需要安装繁琐的客户端程序。

四、总结

通过本文，我们详细讲述了在华为USG设备上如何配置IPSec VPN的步骤。无论是Site-to-Site IPSec VPN，还是Remote-Access IPSec VPN，我们都可以轻松地在USG上实现配置。希望此篇文章能够对网络安全工程师在整个IPSec VPN配置过程中有更加深刻的了解。