H3C Firewall Typical Configuration Examples (V7)-6W100-H3C Firewall IPsec Typical Configuration Example (V7) - copy
H3C Firewall IPsec Typical Configuration Example

Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form by any unit or individual without the prior written consent of the company. The information in this document is subject to change without notice.

Contents
1 Introduction  1
2 Prerequisites  1
3 Configuration example  1
  3.1 Network requirements  1
  3.2 Configuration outline  1
  3.3 Software versions used  2
  3.4 Configuration procedure  2
    3.4.1 Configuring the M9000  2
    3.4.2 Configuring the F5000-S  5
  3.5 Verifying the configuration  7
  3.6 Configuration files  9
4 Related documentation  12

1 Introduction
This document describes how to establish an IPsec tunnel between an M9000 multi-service security gateway and an F5000-S device, with IKE authenticating the peers by certificate.

2 Prerequisites
This document does not strictly correspond to specific software or hardware versions. If the behaviour you observe differs from this document, refer to the relevant product manuals or go by the actual device. The configurations in this document were performed and verified in a lab environment, on devices whose parameters were all at factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following example. This document assumes that you are familiar with the IPsec feature.

3 Configuration example
3.1 Network requirements
Host A and Host B are internal-network devices that exchange traffic through an IPsec tunnel whose IKE peers authenticate each other with certificates.

Figure 1 IPsec network diagram
(Only the labels of the figure survived extraction.)
Host A 192.100.0.2/24 -- XGE5/0/11 192.100.0.1/24 [M9000] XGE5/0/12 220.0.0.100/24 -- 220.0.0.200/24 [IP network] 220.0.10.200/24 -- GE0/1 220.0.10.100/24 [F5000-S] GE0/2 192.200.0.1/24 -- Host B 192.200.0.2/24

3.2 Configuration outline
(1) Configure the M9000 as follows:
• Enable IPsec on Ten-GigabitEthernet5/0/12.
• Select certificate authentication when configuring the IKE proposal.
• Configure a route to the 192.200.0.0/24 network.
(2) Configure the F5000-S as follows:
• Enable IPsec on GigabitEthernet0/1.
• Select certificate authentication when configuring the IKE proposal.
• Configure a route to the 192.100.0.0/24 network.

3.3 Software versions used
This example was configured and verified on an M9000 running Version 7.1.051, Ess 9105 and on an F5000-S running T3803P02.

3.4 Configuration procedure
3.4.1 Configuring the M9000
A certificate can be obtained either by online request or by local import; this configuration uses local import.

(1) Configure IP addresses for Ten-GigabitEthernet5/0/11 and Ten-GigabitEthernet5/0/12.
# Configure the IP address of Ten-GigabitEthernet5/0/11.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet5/0/11
[Sysname-Ten-GigabitEthernet5/0/11] port link-mode route
[Sysname-Ten-GigabitEthernet5/0/11] ip address 192.100.0.1 255.255.255.0
[Sysname-Ten-GigabitEthernet5/0/11] quit
# Configure the IP address of Ten-GigabitEthernet5/0/12.
[Sysname] interface ten-gigabitethernet5/0/12
[Sysname-Ten-GigabitEthernet5/0/12] port link-mode route
[Sysname-Ten-GigabitEthernet5/0/12] ip address 220.0.0.100 255.255.255.0
[Sysname-Ten-GigabitEthernet5/0/12] quit

(2) Configure PKI certificates (the certificate files m9000.cer and m9000.pfx have already been uploaded to the device).
# Configure PKI entity entity1.
[Sysname] pki entity entity1
[Sysname-pki-entity-entity1] common-name m9000
[Sysname-pki-entity-entity1] quit
# Configure PKI domain domain1.
[Sysname] pki domain domain1
[Sysname-pki-domain-domain1] undo crl check enable
[Sysname-pki-domain-domain1] certificate request from ra
[Sysname-pki-domain-domain1] certificate request entity entity1
[Sysname-pki-domain-domain1] quit
# Import the CA certificate m9000.cer.
[Sysname] pki import domain domain1 der ca filename m9000.cer
The trusted CA's finger print is:
MD5 fingerprint:7B6F 9F0B F2E8 8336 935A FB5B 7D03 64E7
SHA1 fingerprint:2040 0532 2D90 817A 3E8F 5B47 DEBD 0A0E 5250 EB7D
Is the finger print correct?(Y/N):y
# Import the local certificate m9000.pfx.
[Sysname] pki import domain domain1 p12 local filename m9000.pfx
Please input the password:
The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: domain1]:

(3) Configure an IKE proposal.
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-method rsa-signature
[Sysname-ike-proposal-1] quit

(4) Configure an IKE profile.
[Sysname] ike signature-identity from-certificate
[Sysname] ike profile profile1
[Sysname-ike-profile-profile1] certificate domain domain1
[Sysname-ike-profile-profile1] exchange-mode aggressive
[Sysname-ike-profile-profile1] proposal 1
[Sysname-ike-profile-profile1] local-identity dn
[Sysname-ike-profile-profile1] match remote certificate domain1
[Sysname-ike-profile-profile1] quit
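As a reviewer's check on what the PKI-domain and IKE-profile steps above leave in place, the following added Python script (written for this page, not part of the H3C document) parses an H3C-style CLI transcript and flags the domain with CRL checking disabled and the profile using IKEv1 aggressive mode. The transcript embedded in it is constructed from the commands on this page, and the script assumes every configuration line carries a `[view]` prompt exactly as shown.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the M9000 PKI and IKE commands from this case study,
# in the H3C transcript form "[view-prompt] command".
SAMPLE_TRANSCRIPT = """\
[Sysname] pki domain domain1
[Sysname-pki-domain-domain1] undo crl check enable
[Sysname-pki-domain-domain1] certificate request from ra
[Sysname-pki-domain-domain1] certificate request entity entity1
[Sysname-pki-domain-domain1] quit
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-method rsa-signature
[Sysname-ike-proposal-1] quit
[Sysname] ike profile profile1
[Sysname-ike-profile-profile1] certificate domain domain1
[Sysname-ike-profile-profile1] exchange-mode aggressive
[Sysname-ike-profile-profile1] proposal 1
[Sysname-ike-profile-profile1] match remote certificate domain1
[Sysname-ike-profile-profile1] quit
"""

# Assumed prompt shape "[<view>] <command>"; "<Sysname> ..." user-view lines are ignored.
PROMPT_RE = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_transcript(text: str) -> Dict[str, List[str]]:
    """Group commands by the view (system, pki-domain, ike-profile, ...) they were entered in."""
    views: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m and m.group("cmd"):
            views.setdefault(m.group("view"), []).append(m.group("cmd").strip())
    return views


def audit(views: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (view, finding) pairs for settings a reviewer should question before go-live."""
    findings: List[Tuple[str, str]] = []
    for view, cmds in views.items():
        if "-pki-domain-" in view and "undo crl check enable" in cmds:
            findings.append((view, "CRL check disabled: a revoked peer certificate is still accepted"))
        if "-ike-profile-" in view:
            if "exchange-mode aggressive" in cmds:
                findings.append((view, "IKEv1 aggressive mode: identities are exchanged before encryption is up"))
            if not any(c.startswith("match remote certificate") for c in cmds):
                findings.append((view, "no 'match remote certificate': profile does not pin the peer's PKI domain"))
        if "-ike-proposal-" in view and "authentication-method rsa-signature" not in cmds:
            findings.append((view, "proposal does not select certificate (rsa-signature) authentication"))
    return findings
```

Running `audit(parse_transcript(SAMPLE_TRANSCRIPT))` on the page's own commands reports exactly the two items above; the same script can be pointed at a saved transcript of the F5000-S side.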