USG and Juniper IPsec VPN Interoperability Test Report
Product model: USG5000
Product name: mid-range firewall
Testing organization: Huawei Technologies Co., Ltd.
Contents
I. Test objective
II. Test topology and IP addresses
III. Test procedure
1. IPsec VPN configuration, main mode
2. Command-line configuration
3. IPsec VPN aggressive-mode hub configuration
4. Command-line configuration
IV. Test results
I. Test objective
The function under test is IPsec VPN interoperation between a Huawei USG firewall and a Juniper device. The data sits at the hub and every branch must reach it. Branches connect in two ways, either with a public (static) IP address or with a dynamic IP address, so two IPsec VPN access modes are used: main mode and aggressive mode. The Huawei USG acts as the hub and the Juniper device simulates the two kinds of branch VPN.
II. Test topology and IP addresses
III. Test procedure
1. IPsec VPN configuration, main mode
IPsec VPN test table (main mode)

| Local end | Value | Remote end | Value |
|---|---|---|---|
| Device name | USG5000 | Device name | Juniper |
| VPN type | Site-to-site | VPN type | Site-to-site |
| Negotiation mode | Main mode | Negotiation mode | Main mode |
| Pre-shared key | 123456 | Pre-shared key | 123456 |
| IKE phase | | IKE phase | |
| Authentication algorithm | MD5 | Authentication algorithm | MD5 |
| Encryption algorithm | 3DES | Encryption algorithm | 3DES |
| DH group | DH-Group2 | DH group | DH-Group2 |
| IPsec phase | | IPsec phase | |
| Encapsulation mode | Tunnel mode | Encapsulation mode | Tunnel mode |
| Security proposal | ESP | Security proposal | ESP |
| ESP encryption | 3DES | ESP encryption | 3DES |
| ESP authentication | MD5 | ESP authentication | MD5 |
| NAT traversal | no | NAT traversal | no |
| Local subnet | 10.10.10.0/24 | Local subnet | 20.20.20.0/24 |
2. Command-line configuration
[USG]DIS CUR
18:16:05 2013/06/28
#
sysname USG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1
#
firewall statistic system enable
#
dns proxy enable
#
license-server domain
#
runmode firewall
#
update schedule ips daily 0:55
update schedule av daily 0:55
security server domain
#
web-manager enable
#
user-manage web-authentication port 8888
#
l2fwdfast enable
#
acl number 3000
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer ike28618347778
pre-shared-key %$%$(>up5*Gp|#mItg84&7mFOG>5%$%$
ike-proposal 1
remote-address 192.168.20.1
undo nat traversal
#
ipsec proposal prop28618347778
esp encryption-algorithm 3des
#
ipsec policy ipsec2861834777 1 isakmp
security acl 3000
ike-peer ike28618347778
proposal prop28618347778
local-address 192.168.10.1
#
interface Vlanif1
ip address 192.168.1.244 255.255.255.0
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
ip address 192.168.10.1 255.255.255.0
ipsec policy ipsec2861834777 auto-neg
#
interface Ethernet1/0/0
portswitch
port link-type access
#
interface Ethernet1/0/1
portswitch
port link-type access
#
interface Ethernet1/0/2
portswitch
port link-type access
#
interface Ethernet1/0/3
portswitch
port link-type access
#
interface Ethernet1/0/4
portswitch
port link-type access
#
interface Ethernet1/0/5
portswitch
port link-type access
#
interface Ethernet1/0/6
portswitch
port link-type access
#
interface Ethernet1/0/7
portswitch
port link-type access
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet1/0/0
add interface Ethernet1/0/1
add interface Ethernet1/0/2
add interface Ethernet1/0/3
add interface Ethernet1/0/4
add interface Ethernet1/0/5
add interface Ethernet1/0/6
add interface Ethernet1/0/7
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$2yA9)~!l,#gel>;VwZ@&OjaX%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.2
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode password
modem both
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
#
slb
#
cwmp
#
right-manager server-group
#
return
[USG]
3. IPsec VPN aggressive-mode hub configuration
IPsec VPN test table (aggressive mode)

| Local end | Value | Remote end | Value |
|---|---|---|---|
| Device name | USG5000 | Device name | Juniper |
| VPN type | Hub-to-branch | VPN type | Branch-to-hub |
| Negotiation mode | Aggressive mode | Negotiation mode | Aggressive mode |
| Pre-shared key | 123456 | Pre-shared key | 123456 |
| IKE phase | | IKE phase | |
| Authentication algorithm | MD5 | Authentication algorithm | MD5 |
| Encryption algorithm | 3DES | Encryption algorithm | 3DES |
| DH group | DH-Group2 | DH group | DH-Group2 |
| IPsec phase | | IPsec phase | |
| Encapsulation mode | Tunnel mode | Encapsulation mode | Tunnel mode |
| Security proposal | ESP | Security proposal | ESP |
| ESP encryption | 3DES | ESP encryption | 3DES |
| ESP authentication | MD5 | ESP authentication | MD5 |
| NAT traversal | yes | NAT traversal | yes |
| Local subnet | 10.10.10.0/24 | Local subnet | 20.20.20.0/24 |
4. Command-line configuration
[USG]dis cur
18:21:52 2013/06/28
#
sysname USG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1
#
firewall statistic system enable
#
dns proxy enable
#
license-server domain
#
runmode firewall
#
update schedule ips daily 0:55
update schedule av daily 0:55
security server domain
#
web-manager enable
#
user-manage web-authentication port 8888
#
l2fwdfast enable
#
acl number 3000
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
#
acl number 3001
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer ike28618152823
exchange-mode aggressive
pre-shared-key %$%$j-,X6zy_bQ~\[Z&ue%G<P]TK%$%$
ike-proposal 1
#
ipsec proposal prop28618152823
esp encryption-algorithm 3des
#
ipsec policy-template tpl28618152823 1
security acl 3000
ike-peer ike28618152823
proposal prop28618152823
#
ipsec policy ipsec2861815282 1 isakmp template tpl28618152823
#
interface Vlanif1
ip address 192.168.1.244 255.255.255.0
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
ip address 192.168.10.1 255.255.255.0
ipsec policy ipsec2861815282 auto-neg
#
interface Ethernet1/0/0
portswitch
port link-type access
#
interface Ethernet1/0/1
portswitch
port link-type access
#
interface Ethernet1/0/2
portswitch
port link-type access
#
interface Ethernet1/0/3
portswitch
port link-type access
#
interface Ethernet1/0/4
portswitch
port link-type access
#
interface Ethernet1/0/5
portswitch
port link-type access
#
interface Ethernet1/0/6
portswitch
port link-type access
#
interface Ethernet1/0/7
portswitch
port link-type access
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet1/0/0
add interface Ethernet1/0/1
add interface Ethernet1/0/2
add interface Ethernet1/0/3
add interface Ethernet1/0/4
add interface Ethernet1/0/5
add interface Ethernet1/0/6
add interface Ethernet1/0/7
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$2yA9)~!l,#gel>;VwZ@&OjaX%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.2
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode password
modem both
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
#
slb
#
cwmp
#
right-manager server-group
#
return
[USG]
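The two running configurations in sections 2 and 4 are the material a reviewer receives. The script below is an added example for this report, not code from Huawei or Juniper: it parses a USG configuration in the `display current-configuration` layout used above (blocks separated by `#` lines) and reports what a security reviewer would raise in both sections: the 3DES/MD5/DH group 2 IKE proposal, 3DES for ESP, the aggressive-mode pre-shared-key peer of section 3, the policy template that makes the hub responder-only, the `firewall packet-filter default permit` interzone rules, and a `security acl` reference with no matching `acl number` block. The embedded sample configuration is constructed from the aggressive-mode section with a placeholder in place of the pre-shared-key ciphertext; the severities and the assumption that an unset `esp authentication-algorithm` falls back to MD5 on this USG release are the script's own.

```python
"""Audit the IKE/IPsec settings in a Huawei USG running configuration.
Added example for this report, not Huawei or Juniper code. Assumes the
'display current-configuration' layout: blocks separated by '#' lines."""
from collections import namedtuple

# Constructed sample in the shape of the report's aggressive-mode hub
# configuration; the pre-shared-key ciphertext is a placeholder.
SAMPLE_CONFIG = """\
#
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
acl number 3000
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike peer ike28618152823
 exchange-mode aggressive
 pre-shared-key %$%$PLACEHOLDER-CIPHERTEXT%$%$
 ike-proposal 1
#
ipsec proposal prop28618152823
 esp encryption-algorithm 3des
#
ipsec policy-template tpl28618152823 1
 security acl 3000
 ike-peer ike28618152823
 proposal prop28618152823
#
ipsec policy ipsec2861815282 1 isakmp template tpl28618152823
"""

WEAK_IKE_ENC = {"des-cbc", "3des-cbc"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2"}  # 768- and 1024-bit MODP
WEAK_ESP_ENC = {"des", "3des"}
Finding = namedtuple("Finding", "severity block message")  # block = header line


def parse_blocks(config_text):
    """Split the dump on '#' lines into lists of stripped lines, header first."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    return blocks + ([current] if current else [])


def _setting(block, keyword):
    """Argument of the first sub-line that starts with keyword, else None."""
    for line in block[1:]:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return None


def audit(config_text):
    """Return a list of Findings for one configuration dump."""
    blocks = parse_blocks(config_text)
    acls = {b[0].split()[-1] for b in blocks if b[0].startswith("acl number ")}
    out = []
    add = lambda sev, blk, msg: out.append(Finding(sev, blk[0], msg))
    for b in blocks:
        h = b[0]
        permits = [ln for ln in b if ln.startswith("firewall packet-filter default permit")]
        if permits:
            add("medium", b, f"{len(permits)} interzone default-permit rule(s): unmatched traffic is allowed")
        elif h.startswith("ike proposal"):
            if _setting(b, "encryption-algorithm") in WEAK_IKE_ENC:
                add("medium", b, "IKE encryption is DES/3DES; use AES")
            if _setting(b, "authentication-algorithm") in WEAK_HASH:
                add("medium", b, "IKE hash is MD5/SHA-1; use SHA-2")
            if _setting(b, "dh") in WEAK_DH:
                add("medium", b, "DH group 1/2 is too small; use group 14 or larger")
        elif h.startswith("ike peer"):
            if _setting(b, "exchange-mode") == "aggressive":
                add("high", b, "aggressive mode with a PSK sends the identity and PSK-derived hash "
                               "unencrypted, so a captured exchange can be guessed offline; prefer main mode or IKEv2")
            if _setting(b, "remote-address") is None:
                add("info", b, "no fixed remote-address: the peer is matched by identity only")
        elif h.startswith("ipsec proposal"):
            if _setting(b, "esp encryption-algorithm") in WEAK_ESP_ENC:
                add("medium", b, "ESP encryption is DES/3DES; use AES")
            if _setting(b, "esp authentication-algorithm") is None:
                add("info", b, "esp authentication-algorithm unset; platform default applies (assumed MD5)")
        elif h.startswith(("ipsec policy-template", "ipsec policy ")):
            acl = _setting(b, "security acl")
            if acl is not None and acl not in acls:
                add("high", b, f"security acl {acl} is referenced but 'acl number {acl}' is not defined")
            if h.startswith("ipsec policy-template"):
                add("info", b, "policy template: the hub only responds to negotiations (expected for dynamic-IP branches)")
    return out


def summary(findings):
    """Count findings per severity."""
    return {s: sum(f.severity == s for f in findings) for s in ("high", "medium", "info")}


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.block}: {f.message}")
```

Fed the main-mode dump of section 2 instead, the aggressive-mode finding disappears and the fixed `remote-address` clears the identity-only note, but the algorithm findings stay: the two devices interoperating proves that the negotiation works, not that the proposal is one to deploy today.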
IV. Test results
The tests above show that the Huawei USG and the Juniper device interoperate over IPsec and that the business traffic is reachable without problems; users can choose the appropriate model according to their own situation.