

Good evening, everyone!
Branch to headquarters, campus to cloud: the most common link is an IPSec site-to-site VPN.
When the two ends come from different vendors, the usual stumbling blocks are IKE, proposals, interesting traffic and NAT exemption.
Today we use one standardized template to get a Huawei USG talking IPSec to a third-party device quickly.
1. Interconnection parameters (agree a single set of values with the peer)
· Public IPs: the outbound interface address on each side
· Internal subnets: local and remote interesting traffic, in CIDR form
· IKE/SA parameters: encryption and authentication algorithms, DH group, lifetimes
· NAT: VPN traffic must be exempted from NAT
· Version: prefer IKEv2 (fall back to IKEv1 main mode only when the peer cannot interoperate)
2. Topology and planning
· USG egress: GE0/0/2 (Untrust) = 203.0.113.1/30
· Local LAN: 192.168.10.0/24
· Peer public IP: 203.0.113.2
· Peer LAN: 10.10.0.0/24
· Algorithms: AES256/SHA256, DH group 14, SA lifetime 3600 s
3. Configuration steps (USG, policy-based IPSec)
1) Define the interesting traffic with an ACL
# ACL 3000 is an advanced ACL. The peer LAN is 10.10.0.0/24, so its wildcard is 0.0.0.255;
# 0.0.255.255 would cover the whole /16 and would not mirror the peer's ACL
[USG] acl number 3000
[USG-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
[USG-acl-adv-3000] quit
2) IKE (v1 or v2)
[USG] ike proposal 10
[USG-ike-proposal-10] encryption-algorithm aes-cbc-256
[USG-ike-proposal-10] authentication-algorithm sha2-256
[USG-ike-proposal-10] dh group14
[USG-ike-proposal-10] quit
# v1 shown here to match a peer that only speaks IKEv1; use "ike peer BRANCH v2" where the peer supports IKEv2
[USG] ike peer BRANCH v1
[USG-ike-peer-BRANCH] pre-shared-key cipher HUAWEI@2025!
[USG-ike-peer-BRANCH] remote-address 203.0.113.2
[USG-ike-peer-BRANCH] ike-proposal 10
[USG-ike-peer-BRANCH] quit
3) IPSec proposal and policy
[USG] ipsec proposal 10
[USG-ipsec-proposal-10] transform esp
[USG-ipsec-proposal-10] esp encryption-algorithm aes-256
[USG-ipsec-proposal-10] esp authentication-algorithm sha2-256
[USG-ipsec-proposal-10] quit
[USG] ipsec policy POL-TO-BRANCH 10 isakmp
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] security acl 3000
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] ike-peer BRANCH
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] proposal 10
# Only the local tunnel address is set here; the remote address is taken from the IKE peer's remote-address
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] tunnel local 203.0.113.1
# The SA lifetime belongs to the policy, not the proposal
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] sa duration time-based 3600
[USG-ipsec-policy-isakmp-POL-TO-BRANCH-10] quit
# Bind the policy to the public egress interface
[USG] interface GigabitEthernet0/0/2
[USG-GigabitEthernet0/0/2] ipsec policy POL-TO-BRANCH
[USG-GigabitEthernet0/0/2] quit
4) NAT exemption and security policy
# NAT exemption: VPN traffic must not be source-NATed; this rule has to sit above the general outbound SNAT rule
[USG] nat-policy
[USG-policy-nat] rule name NO-NAT-VPN
[USG-policy-nat-rule-NO-NAT-VPN] source-zone trust
[USG-policy-nat-rule-NO-NAT-VPN] destination-zone untrust
[USG-policy-nat-rule-NO-NAT-VPN] source-address 192.168.10.0 24
[USG-policy-nat-rule-NO-NAT-VPN] destination-address 10.10.0.0 24
[USG-policy-nat-rule-NO-NAT-VPN] action no-nat
[USG-policy-nat-rule-NO-NAT-VPN] quit
[USG-policy-nat] quit
# Security policy: permit LAN-to-peer traffic
[USG] security-policy
[USG-policy-security] rule name TRUST-TO-VPN
[USG-policy-security-rule-TRUST-TO-VPN] source-zone trust
[USG-policy-security-rule-TRUST-TO-VPN] destination-zone untrust
[USG-policy-security-rule-TRUST-TO-VPN] source-address 192.168.10.0 24
[USG-policy-security-rule-TRUST-TO-VPN] destination-address 10.10.0.0 24
[USG-policy-security-rule-TRUST-TO-VPN] action permit
[USG-policy-security-rule-TRUST-TO-VPN] quit
# The return direction (untrust -> trust, 10.10.0.0/24 -> 192.168.10.0/24) and the IKE/ESP packets
# addressed to the firewall itself (untrust -> local, UDP 500/4500 and IP protocol 50) need matching permit rules as well
[USG-policy-security] quit
Common pitfalls
· Asymmetric interesting traffic (wrong mask or direction): the SA is not established, or traffic flows only one way
· Forgotten NAT exemption: the general outbound SNAT rule matches first and rewrites the VPN traffic
· IKE/IPSec algorithms or lifetimes differ from the peer's: negotiation fails
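One way to catch the first pitfall before bringing the tunnel up, as an added example that is not part of the original article: a small Python checker that parses Huawei ACL rules, converts each "address wildcard" pair to CIDR and verifies that the peer's interesting traffic is the exact mirror of ours. The two ACL texts are constructed; the USG-side rule deliberately carries the 0.0.255.255 wildcard (a /16) while the peer offers only 10.10.0.0/24.

```python
import ipaddress
import re

# Constructed sample input: our USG ACL and the peer's ACL in the same Huawei syntax.
# The USG rule uses wildcard 0.0.255.255 for the peer LAN (a /16) although the peer
# only offers 10.10.0.0/24, which is exactly the mask mismatch that breaks the SA.
USG_ACL = """
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
"""
PEER_ACL = """
rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Turn Huawei 'address wildcard' into CIDR. A wildcard bit of 1 means
    'don't care', so the netmask is the bitwise inverse of the wildcard."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return str(net)


def parse_flows(acl_text: str) -> set:
    """Return the set of (source, destination) CIDR pairs an ACL permits."""
    flows = set()
    for m in RULE_RE.finditer(acl_text):
        flows.add((wildcard_to_cidr(m.group(1), m.group(2)),
                   wildcard_to_cidr(m.group(3), m.group(4))))
    return flows


def mirror_mismatches(local_acl: str, peer_acl: str) -> dict:
    """Each local (src, dst) flow must appear on the peer as (dst, src)."""
    expected_on_peer = {(dst, src) for (src, dst) in parse_flows(local_acl)}
    peer = parse_flows(peer_acl)
    return {"missing_on_peer": expected_on_peer - peer,
            "extra_on_peer": peer - expected_on_peer}


if __name__ == "__main__":
    report = mirror_mismatches(USG_ACL, PEER_ACL)
    for kind, flows in report.items():
        for src, dst in sorted(flows):
            print(f"{kind}: {src} -> {dst}")
```

Run it against both sides' ACLs before opening a ticket with the peer; an empty report on both keys means the interesting traffic is symmetric.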
4. Verification and troubleshooting
[USG] display ike sa
[USG] display ipsec sa
[USG] display ipsec statistics
[USG] diagnose ike statistics
· Both the IKE and IPSec SAs show Established, and the inbound/outbound packet counters increase
· Packet capture: check whether IKE/ESP traffic appears on the public interface (UDP 500/4500, IP protocol 50)
Best practices
· Prefer IKEv2; keep both ends' clocks synchronized; rotate the pre-shared key regularly
· With multiple subnets, use address objects/groups and several ACL rules so the interesting traffic stays readable
· Coordinate with routing policy so that the default route does not override the tunnel and send traffic around it
That's all for today, see you next time!