Huawei Firewall Lab 8 [Configuring an IPSec VPN Tunnel Between Two Networks]

(I) Lab Overview

As shown in the figure, headquarters network A and branch network B exchange resources in a gateway-to-gateway topology. Network A and network B connect to the Internet through FW_A and FW_B respectively, and an IPSec VPN tunnel is created manually between them to improve the security of the network communication.

Figure: network topology

(II) Lab Objectives

  1. Master gateway-to-gateway networking;
  2. Master the manual configuration of an IPSec VPN between two networks;

(III) Lab Requirements

  1. A computer whose CPU supports VT and that has at least 4 GB of RAM;
  2. The eNSP simulator, version B510, with the USG6000V image imported;
  3. Terminal tools: SecureCRT, PuTTY, PSFTP, XShell, etc.

(IV) Network Topology Diagram

Open eNSP and build the lab environment according to the topology diagram below, using the following addresses:

  1. LAN1: 10.10.10.0/24;
  2. LAN2: 10.20.20.0/24;
  3. ISP1: 10.1.1.0/24;
  4. ISP2: 10.2.2.0/24;

Figure: Lab 8 topology

(V) Configuration Approach

  1. Configure the LAN1 and LAN2 networks;
  2. Configure the interconnection between the two firewalls;
  3. Configure the IPSec VPN;

(VI) Configuration Steps

(1) Configure the LAN1 network

First set the IP address of PC1.

Figure: PC1 address configuration

Then configure the switch:

The device is running!

<Huawei>
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable 
Info: Information center is disabled.
[Huawei]sysname LAN1
[LAN1]interface Vlanif 1
[LAN1-Vlanif1]ip address 10.10.10.254 24
[LAN1-Vlanif1]quit
[LAN1]ospf 1
[LAN1-ospf-1]area 0
[LAN1-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[LAN1-ospf-1-area-0.0.0.0]quit
[LAN1-ospf-1]quit
[LAN1]quit
<LAN1>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
Now saving the current configuration to the slot 0.
Save the configuration successfully.
<LAN1>

(2) Configure the LAN2 network

First set the IP address of PC2.

Figure: PC2 address configuration

Then configure the switch:

The device is running!

<Huawei>
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable 
Info: Information center is disabled.
[Huawei]sysname LAN2
[LAN2]interface Vlanif 1
[LAN2-Vlanif1]ip address 10.20.20.254 24
[LAN2-Vlanif1]quit
[LAN2]ospf 1
[LAN2-ospf-1]area 0
[LAN2-ospf-1-area-0.0.0.0]network 10.20.20.0 0.0.0.255
[LAN2-ospf-1-area-0.0.0.0]quit
[LAN2-ospf-1]quit
[LAN2]quit
<LAN2>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
Now saving the current configuration to the slot 0.
Save the configuration successfully.
<LAN2>

(3) Configure the interfaces, security zones, security policy and routing protocol of FW1

The device is running!

Set a password and keep it safe. Otherwise you will not be able to login via the
 console.

Please configure the login password (8-16)
Enter Password:
Confirm Password:
Warning: The authentication mode was changed to password authentication and the 
user level was changed to 15 on con0 at the first user login.
Warning: There is a risk on the user-interface which you login through. Please c
hange the configuration of the user-interface as soon as possible. 

*************************************************************************
*         Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1>
<USG6000V1>system-view 
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center  enable 
Info: Information center is disabled.
[USG6000V1]sysname FW1
[FW1]
[FW1]   //Firewall interface configuration follows
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 10.10.10.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit 
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit 
[FW1-GigabitEthernet1/0/2]quit
[FW1]
[FW1]   //Firewall security zone configuration follows
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1-zone-untrust]quit
[FW1]
[FW1]   //Firewall security policy configuration follows
[FW1]security-policy 
[FW1-policy-security]rule name lan1_isp1
[FW1-policy-security-rule-lan1_isp1]source-zone local trust untrust
[FW1-policy-security-rule-lan1_isp1]destination-zone local trust untrust 
[FW1-policy-security-rule-lan1_isp1]action permit 
[FW1-policy-security-rule-lan1_isp1]quit
[FW1-policy-security]quit
[FW1]
[FW1]   //Firewall routing protocol configuration follows
[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]quit
[FW1-ospf-1]quit
[FW1]
[FW1]

(4) Configure the interfaces, security zones, security policy and routing protocol of FW2

The device is running!

An initial password is required for the first login via the console.
Set a password and keep it safe. Otherwise you will not be able to login via the
 console.

Please configure the login password (8-16)
Enter Password:
Confirm Password:
Warning: The authentication mode was changed to password authentication and the 
user level was changed to 15 on con0 at the first user login.
Warning: There is a risk on the user-interface which you login through. Please c
hange the configuration of the user-interface as soon as possible. 

*************************************************************************
*         Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1> 
<USG6000V1>system-view 
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable 
Info: Information center is disabled.
[USG6000V1]sysname FW2
[FW2]
[FW2]   //Firewall interface configuration follows
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 10.20.20.1 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit 
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 10.2.2.2 24
[FW2-GigabitEthernet1/0/2]service-manage  ping permit 
[FW2-GigabitEthernet1/0/2]quit
[FW2]
[FW2]   //Firewall security zone configuration follows
[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/1
[FW2-zone-trust]quit
[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/2
[FW2-zone-untrust]quit
[FW2]   
[FW2]   //Firewall security policy configuration follows
[FW2]security-policy 
[FW2-policy-security]rule name lan2_isp2
[FW2-policy-security-rule-lan2_isp2]source-zone local trust untrust
[FW2-policy-security-rule-lan2_isp2]destination-zone local trust untrust 
[FW2-policy-security-rule-lan2_isp2]action permit 
[FW2-policy-security-rule-lan2_isp2]quit
[FW2-policy-security]quit
[FW2]   
[FW2]   //Firewall routing protocol configuration follows
[FW2]ospf 1
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 10.20.20.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]quit
[FW2-ospf-1]quit
[FW2]

(5) Configure the interconnecting router AR1

The device is running!

<Huawei>
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable 
Info: Information center is disabled.
[Huawei]sysname AR1
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 10.1.1.2 24
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 10.2.2.1 24
[AR1-GigabitEthernet0/0/1]quit
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
[AR1]quit
<AR1>save 
  The current configuration will be written to the device. 
  Are you sure to continue? (y/n)[n]:y
  It will take several minutes to save configuration file, please wait.......
  Configuration file had been saved successfully
  Note: The configuration file will take effect after being activated
<AR1>

At this point the interconnection between the two networks is complete.

Figure: connectivity test from PC1

(6) Configure IPSec on FW1

<FW1>
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]   
[FW1]acl 3001       //Create the access control list and its rule (the traffic to be protected)
[FW1-acl-adv-3001]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
[FW1-acl-adv-3001]dis this  //Display the ACL configuration
#
acl number 3001
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
#
return
[FW1-acl-adv-3001]quit
[FW1]
[FW1]       //IPSec proposal configuration follows
[FW1]ipsec proposal ipsec_p1    //Create the IPSec proposal and enter the IPSec proposal view
[FW1-ipsec-proposal-ipsec_p1]transform esp      //Set the security protocol used by the IPSec proposal (ESP)
[FW1-ipsec-proposal-ipsec_p1]encapsulation-mode tunnel  //Set the packet encapsulation mode to tunnel mode
[FW1-ipsec-proposal-ipsec_p1]esp authentication-algorithm sha2-256  //Set the authentication algorithm used by ESP
[FW1-ipsec-proposal-ipsec_p1]esp encryption-algorithm  aes-256  //Set the encryption algorithm used by ESP
[FW1-ipsec-proposal-ipsec_p1]quit
[FW1]   
[FW1]ike proposal 1     //Create IKE proposal 1 and enter the IKE proposal view
[FW1-ike-proposal-1]quit
[FW1]
[FW1]ike peer ike_p1    //Create the IKE peer and enter the IKE peer view
[FW1-ike-peer-ike_p1]ike-proposal 1     //Specify the IKE proposal used by this IKE peer
[FW1-ike-peer-ike_p1]pre-shared-key Admin1234   //Set the pre-shared key for IKE negotiation with the peer
[FW1-ike-peer-ike_p1]remote-address 10.2.2.2        //Set the IP address of the remote peer (FW2's outside interface)
[FW1-ike-peer-ike_p1]quit
[FW1]
[FW1]ipsec policy ipsec_map1 1 isakmp       //Create an IPSec policy that uses ISAKMP (IKE negotiation)
[FW1-ipsec-policy-isakmp-ipsec_map1-1]ike-peer ike_p1       //Reference the IKE peer
[FW1-ipsec-policy-isakmp-ipsec_map1-1]proposal ipsec_p1     //Reference the IPSec proposal
[FW1-ipsec-policy-isakmp-ipsec_map1-1]security acl 3001     //Reference the ACL that defines the protected traffic
[FW1-ipsec-policy-isakmp-ipsec_map1-1]quit
[FW1]
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ipsec policy ipsec_map1   //Apply the IPSec policy to the interface
[FW1-GigabitEthernet1/0/2]quit
[FW1]
[FW1]

(7) Configure IPSec on FW2

[FW2]
[FW2]acl 3002       //Create the access control list and its rule (the traffic to be protected)
[FW2-acl-adv-3002]rule permit ip source 10.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[FW2-acl-adv-3002]quit
[FW2]       //IPSec proposal configuration follows
[FW2]ipsec proposal ipsec_p2    //Create the IPSec proposal and enter the IPSec proposal view
[FW2-ipsec-proposal-ipsec_p2]transform esp      //Set the security protocol used by the IPSec proposal (ESP)
[FW2-ipsec-proposal-ipsec_p2]encapsulation-mode  tunnel     //Set the packet encapsulation mode to tunnel mode
[FW2-ipsec-proposal-ipsec_p2]esp authentication-algorithm sha2-256  //Set the authentication algorithm used by ESP
[FW2-ipsec-proposal-ipsec_p2]esp encryption-algorithm aes-256   //Set the encryption algorithm used by ESP
[FW2-ipsec-proposal-ipsec_p2]quit
[FW2]
[FW2]ike proposal 1     //Create IKE proposal 1 and enter the IKE proposal view
[FW2-ike-proposal-1]quit
[FW2]       //IKE peer configuration follows
[FW2]ike peer ike_p2    //Create the IKE peer and enter the IKE peer view
[FW2-ike-peer-ike_p2]ike-proposal 1     //Specify the IKE proposal used by this IKE peer
[FW2-ike-peer-ike_p2]pre-shared-key Admin1234   //Set the pre-shared key for IKE negotiation with the peer
[FW2-ike-peer-ike_p2]remote-address 10.1.1.1        //Set the IP address of the remote peer (FW1's outside interface)
[FW2-ike-peer-ike_p2]quit
[FW2]
[FW2]ipsec policy ipsec_map2 1 isakmp       //Create an IPSec policy that uses ISAKMP (IKE negotiation)
[FW2-ipsec-policy-isakmp-ipsec_map2-1]ike-peer ike_p2       //Reference the IKE peer
[FW2-ipsec-policy-isakmp-ipsec_map2-1]proposal ipsec_p2     //Reference the IPSec proposal
[FW2-ipsec-policy-isakmp-ipsec_map2-1]security acl 3002     //Reference the ACL that defines the protected traffic
[FW2-ipsec-policy-isakmp-ipsec_map2-1]quit
[FW2]
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ipsec policy ipsec_map2   //Apply the IPSec policy to the interface
[FW2-GigabitEthernet1/0/2]quit
[FW2]
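
The two firewalls in steps (6) and (7) only bring up a tunnel if their settings are exact mirrors of each other: identical ESP algorithms and pre-shared key, each remote-address pointing at the other side's outside interface, and ACL flows with source and destination swapped. The following added Python check (example code, not part of the lab or of Huawei's tooling) parses constructed excerpts of both configurations, with the CLI prompts stripped, and reports any mismatch before you reach for display ike sa.

```python
import re

# Constructed excerpts of the IPSec-related commands from steps (6) and (7),
# CLI prompts stripped, plus the address of the interface each policy is
# applied to (GigabitEthernet 1/0/2). Example data, not device output.
FW1_CFG = """ip address 10.1.1.1 24
rule permit ip source 10.10.10.0 0.0.0.255 destination 10.20.20.0 0.0.0.255
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
pre-shared-key Admin1234
remote-address 10.2.2.2"""
FW2_CFG = """ip address 10.2.2.2 24
rule permit ip source 10.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
pre-shared-key Admin1234
remote-address 10.1.1.1"""

# One regex per parameter the two peers must agree on (or mirror).
PATTERNS = {
    "local": r"^ip address (\S+) \d+$",
    "acl": r"^rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)$",
    "auth": r"^esp authentication-algorithm (\S+)$",
    "enc": r"^esp encryption-algorithm (\S+)$",
    "psk": r"^pre-shared-key (\S+)$",
    "remote": r"^remote-address (\S+)$",
}

def parse(cfg):
    """Map each parameter name to the value(s) found in a config excerpt."""
    found = {}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m:  # the ACL keeps all four fields; everything else is one value
                found[key] = m.groups() if key == "acl" else m.group(1)
    return found

def check_peers(cfg_a, cfg_b):
    """Return mismatches between two peers' configs; an empty list means OK."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = [f"{k}: {a.get(k)} != {b.get(k)}"
              for k in ("auth", "enc", "psk") if a.get(k) != b.get(k)]
    # Each side's remote-address must be the other side's tunnel interface.
    if a.get("remote") != b.get("local") or b.get("remote") != a.get("local"):
        issues.append("remote-address does not match the peer's interface")
    # The protected flows must be mirror images (A src/dst == B dst/src).
    acl_a, acl_b = a.get("acl"), b.get("acl")
    if not (acl_a and acl_b and acl_a[:2] == acl_b[2:] and acl_a[2:] == acl_b[:2]):
        issues.append("ACL flows are not mirror images of each other")
    return issues
```

Running check_peers(FW1_CFG, FW2_CFG) on the lab's values returns an empty list; a typo in either remote-address, a different ESP algorithm, or an ACL that is not mirrored shows up as a named issue.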

(8) Test IPSec

Run ping again to trigger IKE negotiation, then use "display ike sa" to check the result:


Figure: IKE SA display on FW1
Figure: IKE SA display on FW2

(VII) References

Huawei eNSP simulator software
Huawei eNSP simulator community
HCNA-Security: Huawei Certified Network Associate - Security
HCNP-Security: Huawei Certified Network Professional - Security
HUAWEI USG6000V V500R001C10SPC100 Typical Configuration Examples
HUAWEI USG6000V V500R001C10SPC100 Administrator Guide
HUAWEI USG6000V V500R001C10SPC100 Command Reference
Huawei ICT-related English abbreviations

© Copyright belongs to the author. For reprinting or content cooperation, please contact the author.