Kayan Haber Alanı
Başlangıç / Huawei / Site to Site IPsec VPN Huawei

Site to Site IPsec VPN Huawei

  1. Cihaz isim ve Ip address yapılandırması.
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router1
    [Router1]interface serial 0/0/1
    [Router1-Serial0/0/1]ip address 10.0.12.1 24
    [Router1-Serial0/0/1]interface LoopBack 0
    [Router1-LoopBack0]ip address 10.0.1.1 24
    [Router1]interface loopback 1
    [Router1-LoopBack1]ip address 10.0.11.11 24
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router2
    [Router2]interface serial 0/0/1
    [Router2-Serial0/0/1]ip address 10.0.12.2 24
    [Router2-Serial0/0/1]interface serial 0/0/2
    [Router2-Serial0/0/2]ip address 10.0.23.2 24
    [Router2-Serial0/0/2]interface LoopBack0
    [Router2-LoopBack0]ip address 10.0.2.2 24
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router3
    [Router3]interface serial 0/0/2
    [Router3-Serial0/0/2]ip address 10.0.23.3 24
    [Router3-Serial0/0/2]interface loopback 0
    [Router3-LoopBack0]ip address 10.0.3.3 24
    [Router3]interface loopback 1
    [Router3-LoopBack1]ip address 10.0.33.33 24
  2. OSPF yapılandırması.
    [Router1]ospf router-id 10.0.1.1
    [Router1-ospf-1]area 0
    [Router1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
    [Router1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
    [Router1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255
    [Router2]ospf router-id 10.0.2.2
    [Router2-ospf-1]area 0
    [Router2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
    [Router2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
    [Router2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
    [Router3]ospf router-id 10.0.3.3
    [Router3-ospf-1]area 0
    [Router3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
    [Router3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255
    [Router3-ospf-1-area-0.0.0.0]network 10.0.33.0 0.0.0.255
    OSPF komşuluklarının kurulduğunu kontrol edelim.
    [Router2]display ospf peer brief
    OSPF Process 1 with Router ID 10.0.2.2
    Peer Statistic Information
    —————————————————————————-
    Area Id Interface Neighbor id State
    0.0.0.0 Serial0/0/1 10.0.1.1 Full
    0.0.0.0 Serial0/0/2 10.0.3.3 Full
    —————————————————————————-
    [Router1]display ip routing-table
    Route Flags: R – relay, D – download to fib
    ——————————————————————————
    Routing Tables: Public
    Destinations : 13 Routes : 13
    Destination/Mask Proto Pre Cost Flags NextHop Interface
    10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
    10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
    10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial0/0/1
    10.0.3.3/32 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
    10.0.11.0/24 Direct 0 0 D 10.0.11.11 LoopBack1
    10.0.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
    10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial0/0/1
    10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial0/0/1
    10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial0/0/1
    10.0.23.0/24 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
    10.0.33.33/32 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
    127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
    127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
    [Router3]display ip routing-table
    Route Flags: R – relay, D – download to fib
    ——————————————————————————
    Routing Tables: Public
    Destinations : 13 Routes : 13
    Destination/Mask Proto Pre Cost Flags NextHop Interface
    10.0.1.1/32 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
    10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial0/0/2
    10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
    10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
    10.0.11.11/32 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
    10.0.12.0/24 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
    10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial0/0/2
    10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial0/0/2
    10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial0/0/2
    10.0.33.0/24 Direct 0 0 D 10.0.33.33 LoopBack1
    10.0.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack1
    127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
    127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
  3. ACL yapılandırması.
    [Router1]acl 3001
    [Router1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
    [Router3]acl 3001
    [Router3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
    4.IPsec VPN konfigürasyonu.
    IPsec proposal oluşturmak ve kullanılacak güvenlik protokollerini belirtmek için IPsec proposal moduna girelimve ayarlarını yapılandıralım .
    Cihazlarında aynı protokollerde olmasına dikkat edelim.
    [Router1]ipsec proposal tran1
    [Router1-ipsec-proposal-tran1]esp authentication-algorithm sha1
    [Router1-ipsec-proposal-tran1]esp encryption-algorithm 3des
    [Router3]ipsec proposal tran1
    [Router3-ipsec-proposal-tran1]esp authentication-algorithm sha1
    [Router3-ipsec-proposal-tran1]esp encryption-algorithm 3des
    Yapılandırmanın doğruluğunu kontrol etmek için display ipsec proposal komutunu kullanalım.
    display ipsec proposal
    Number of proposals: 1
    IPSec proposal name: tran1
    Encapsulation mode: Tunnel
    Transform : esp-new
    ESP protocol : Authentication SHA1-HMAC-96
    Encryption 3DES
    display ipsec proposal
    Number of proposals: 1
    IPSec proposal name: tran1
    Encapsulation mode: Tunnel
    Transform : esp-new
    ESP protocol : Authentication SHA1-HMAC-96
    Encryption 3DES
  4. IPsec Policy konfigürasyonu.
    [Router1]ipsec policy P1 10 manual
    [Router1-ipsec-policy-manual-P1-10]security acl 3001
    [Router1-ipsec-policy-manual-P1-10]proposal tran1
    [Router1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3
    [Router1-ipsec-policy-manual-P1-10]tunnel local 10.0.12.1
    [Router1-ipsec-policy-manual-P1-10]sa spi outbound esp 54321
    [Router1-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
    [Router1-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
    [Router1-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
    [Router3]ipsec policy P1 10 manual
    [Router3-ipsec-policy-manual-P1-10]security acl 3001
    [Router3-ipsec-policy-manual-P1-10]proposal tran1
    [Router3-ipsec-policy-manual-P1-10]tunnel remote 10.0.12.1
    [Router3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
    [Router3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
    [Router3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
    [Router3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
    [Router3-ipsec-policy-manual-P1-10] sa string-key inbound esp simple huawei
    Display IPsec policy komutuyla konfigürasyonu kontrol edelim.

display ipsec policy

IPSec policy group: “P1”

Using interface:

Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.12.1
Tunnel remote address: 10.0.23.3
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:

display ipsec policy

IPSec policy group: “P1”

Using interface:

Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.23.3
Tunnel remote address: 10.0.12.1
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
6.Interface’lere IPsec Policy uygulamak.
Interfacelerde fiziksel olarak IPsec olusturalm.
[Router1]interface Serial 0/0/1
[Router1-Serial0/0/1]ipsec policy P1
[Router3]interface Serial 0/0/2
[Router3-Serial0/0/2]ipsec policy P1

  1. Cihazlar arası bağlantıları kontrol edlim.
    Cihazlar arası bağlantıları test ettikten sonra IPsec konfigürasyonlarnıda gözlemleyelim.
    ping -a 10.0.11.11 10.0.33.33
    PING 10.0.33.33: 56 data bytes, press CTRL_C to break
    Reply from 10.0.33.33: bytes=56 Sequence=1 ttl=254 time=70 ms
    Reply from 10.0.33.33: bytes=56 Sequence=2 ttl=254 time=80 ms
    Reply from 10.0.33.33: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 10.0.33.33: bytes=56 Sequence=4 ttl=254 time=100 ms
    Reply from 10.0.33.33: bytes=56 Sequence=5 ttl=254 time=50 ms
    — 10.0.33.33 ping statistics —
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/70/100 ms
    display ipsec statistics esp
    Inpacket count : 0
    Inpacket auth count :0
    Inpacket decap count : 0
    Outpacket count :0
    Outpacket auth count : 0
    Outpacket encap count : 0
    Inpacket drop count :0
    Outpacket drop count : 0
    BadAuthLen count : 0
    AuthFail count :0
    PktDuplicateDrop count : 0
    PktSeqNoTooSmallDrop count: 0
    PktInSAMissDrop count : 0
    Sadece IPsec VPN trafiğini gözlemleyelim.
    ping -a 10.0.1.1 10.0.3.3
    PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=40 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=30 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=60 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=30 ms
    — 10.0.3.3 ping statistics —
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/46/70 ms
    display ipsec statistics esp
    Inpacket count : 5
    Inpacket auth count : 0
    Inpacket decap count : 0
    Outpacket count : 5
    Outpacket auth count : 0
    Outpacket encap count : 0
    Inpacket drop count :0
    Outpacket drop count : 0
    BadAuthLen count : 0
    AuthFail count : 0
    PktDuplicateDrop count : 0
    PktSeqNoTooSmallDrop count: 0
    PktInSAMissDrop count : 0
    8.ACL i yeniden tanımlayalım.
    ACL’i OSPF i tanımlatmak için yeniden tanımlıyoruz.
    [Router1]acl 3001
    [Router1-acl-adv-3001]rule 5 permit ospf source any destination any
    [Router3]acl 3001
    [Router3-acl-adv-3001]rule 5 permit ospf source any destination any
    Komşulukları kotrol ediyoruz.
    display ospf peer brief
    OSPF Process 1 with Router ID 10.0.1.1
    Peer Statistic Information
    —————————————————————————-
    Area Id Interface Neighbor id State
    0.0.0.0 Serial0/0/1 10.0.2.2 Init
    —————————————————————————-
    display ip routing-table
    Route Flags: R – relay, D – download to fib
    ——————————————————————————
    Routing Tables: Public
    Destinations : 13 Routes : 13
    Destination/Mask Proto Pre Cost Flags NextHop Interface
    10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
    10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
    10.0.2.2/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
    10.0.3.3/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
    10.0.11.0/24 Direct 0 0 D 10.0.11.11 LoopBack1
    10.0.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
    10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial0/0/1
    10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial0/0/1
    10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial0/0/1
    10.0.23.0/24 OSPF 0 0 D 10.0.12.2 Serial0/0/1
    10.0.33.33/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
    127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
    127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
    display ospf peer brief
    OSPF Process 1 with Router ID 10.0.3.3
    Peer Statistic Information
    —————————————————————————-
    Area Id Interface Neighbor id State
    0.0.0.0 Serial0/0/2 10.0.2.2 Init
    —————————————————————————-
    display ip routing-table
    Route Flags: R – relay, D – download to fib
    ——————————————————————————
    Routing Tables: Public
    Destinations : 13 Routes : 13
    Destination/Mask Proto Pre Cost Flags NextHop Interface
    10.0.1.1/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
    10.0.2.2/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
    10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
    10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
    10.0.11.11/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
    10.0.12.0/24 OSPF 0 0 D 10.0.23.2 Serial0/0/2
    10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial0/0/2
    10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial0/0/2
    10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial0/0/2
    10.0.33.0/24 Direct 0 0 D 10.0.33.33 LoopBack1
    10.0.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack1
    127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
    127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
    Sonuç…..
    dis current-configuration
    #
    sysname Router2
    #
    interface Serial0/0/1
    link-protocol ppp
    ip address 10.0.12.2 255.255.255.0
    #
    interface Serial0/0/2
    link-protocol ppp
    ip address 10.0.23.2 255.255.255.0
    #
    interface LoopBack0
    ip address 10.0.2.2 255.255.255.0
    #
    ospf 1 router-id 10.0.2.2
    area 0.0.0.0
    network 10.0.2.0 0.0.0.255
    network 10.0.12.0 0.0.0.255
    network 10.0.23.0 0.0.0.255
    #
    user-interface con 0
    user-interface vty 0 4
    user-interface vty 16 20
    #
    Return
    display current-configuration
    #
    sysname Router3
    #
    acl number 3001
    rule 5 permit ospf
    #
    ipsec proposal tran1
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    #
    ipsec policy P1 10 manual
    security acl 3001
    proposal tran1
    tunnel local 3.23.0.10
    tunnel remote 1.12.0.10
    sa spi inbound esp 835977216
    sa string-key inbound esp simple huawei
    sa spi outbound esp 959447040
    sa string-key outbound esp simple huawei
    #
    interface Serial0/0/2
    link-protocol ppp
    ip address 10.0.23.3 255.255.255.0
    ipsec policy P1
    #
    interface LoopBack0
    ip address 10.0.3.3 255.255.255.0
    #
    interface LoopBack1
    ip address 10.0.33.33 255.255.255.0
    #
    ospf 1 router-id 10.0.3.3
    area 0.0.0.0
    network 10.0.23.0 0.0.0.255
    network 10.0.3.0 0.0.0.255
    network 10.0.33.0 0.0.0.255
    #
    user-interface con 0
    user-interface vty 0 4
    user-interface vty 16 20
    #
    return

Hakkında: Cem Kemal Erbaş

Kontrol Ediliyor

Next Generation Firewall (NGFW) Huawei

Next Generation Firewall (NGFW) üzerinden geçen trafiği, Application identification, User identification ve Content identification temellerine …

Bir cevap yazın