Setting up an IPsec tunnel that uses the zone firewall
In earlier releases of IBM Cloud® Virtual Router Appliance, policy-based IPsec tunnels did not work well with the zone firewall. Release 18.01 resolves this with a new set of commands that enable traffic for a given tunnel by using a "virtual feature point". The feature point acts as an interface and provides an endpoint that can be included in the zone-policy configuration.
The following example provides an IPsec configuration between two systems:
System A
vyatta@acs-jmat-migsim01:~$ show configuration commands | grep ipsec
set security vpn ipsec esp-group ESP01 pfs 'enable'
set security vpn ipsec esp-group ESP01 proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP01 proposal 1 hash 'sha2_512'
set security vpn ipsec ike-group IKE01 proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE01 proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE01 proposal 1 hash 'sha2_512'
set security vpn ipsec site-to-site peer 50.23.177.59 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 50.23.177.59 default-esp-group 'ESP01'
set security vpn ipsec site-to-site peer 50.23.177.59 ike-group 'IKE01'
set security vpn ipsec site-to-site peer 50.23.177.59 local-address '169.47.243.43'
set security vpn ipsec site-to-site peer 50.23.177.59 tunnel 1 local prefix '172.16.200.1/30'
set security vpn ipsec site-to-site peer 50.23.177.59 tunnel 1 remote prefix '172.16.100.1/30'
System B
vyatta@acs-jmat-1801-1a:~$ show configuration commands | grep ipsec
set security vpn ipsec esp-group ESP01 pfs 'enable'
set security vpn ipsec esp-group ESP01 proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP01 proposal 1 hash 'sha2_512'
set security vpn ipsec ike-group IKE01 proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE01 proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE01 proposal 1 hash 'sha2_512'
set security vpn ipsec site-to-site peer 169.47.243.43 authentication pre-shared-secret 'iamsecret'
set security vpn ipsec site-to-site peer 169.47.243.43 default-esp-group 'ESP01'
set security vpn ipsec site-to-site peer 169.47.243.43 ike-group 'IKE01'
set security vpn ipsec site-to-site peer 169.47.243.43 local-address '50.23.177.59'
set security vpn ipsec site-to-site peer 169.47.243.43 tunnel 1 local prefix '172.16.100.1/30'
set security vpn ipsec site-to-site peer 169.47.243.43 tunnel 1 remote prefix '172.16.200.1/30'
This configuration sets up a generic tunnel that routes 172.16.x.x traffic between the two systems. System B uses 172.16.100.1 as a loopback address to provide a test endpoint, while System A has a virtual machine installed on the routed VLAN to provide source traffic across the tunnel.
You can see the results here:
[root@acs-jmat-migserver ~]# ping -c 5 172.16.100.1
PING 172.16.100.1 (172.16.100.1) 56(84) bytes of data.
64 bytes from 172.16.100.1: icmp_seq=1 ttl=63 time=44.5 ms
64 bytes from 172.16.100.1: icmp_seq=2 ttl=63 time=44.6 ms
64 bytes from 172.16.100.1: icmp_seq=3 ttl=63 time=44.8 ms
64 bytes from 172.16.100.1: icmp_seq=4 ttl=63 time=44.9 ms
64 bytes from 172.16.100.1: icmp_seq=5 ttl=63 time=44.6 ms
--- 172.16.100.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 44.578/44.750/44.993/0.244 ms
This example demonstrates bidirectional communication across the IPsec tunnel. Next, a simple "allow all" zone policy can be applied to all interfaces of System A:
set security firewall name ALLOWALL default-action 'drop'
set security firewall name ALLOWALL rule 10 action 'accept'
set security firewall name ALLOWALL rule 10 protocol 'tcp'
set security firewall name ALLOWALL rule 10 state 'enable'
set security firewall name ALLOWALL rule 20 action 'accept'
set security firewall name ALLOWALL rule 20 protocol 'icmp'
set security firewall name ALLOWALL rule 20 state 'enable'
set security firewall name ALLOWALL rule 30 action 'accept'
set security firewall name ALLOWALL rule 30 protocol 'udp'
set security firewall name ALLOWALL rule 30 state 'enable'
Then add policies between all three interfaces:
set security zone-policy zone INTERNET interface 'dp0bond1'
set security zone-policy zone INTERNET to PRIVATE firewall 'ALLOWALL'
set security zone-policy zone INTERNET to SERVERS firewall 'ALLOWALL'
set security zone-policy zone PRIVATE interface 'dp0bond0'
set security zone-policy zone PRIVATE to INTERNET firewall 'ALLOWALL'
set security zone-policy zone PRIVATE to SERVERS firewall 'ALLOWALL'
set security zone-policy zone SERVERS interface 'dp0bond0.1341'
set security zone-policy zone SERVERS to INTERNET firewall 'ALLOWALL'
set security zone-policy zone SERVERS to PRIVATE firewall 'ALLOWALL'
After the policy is applied, traffic no longer flows, even though it is set to allow all.
Policy-based configuration with different peers
This section outlines the configuration of IPsec VPN tunnels in a policy-based setup that involves multiple remote peers.
Peer 1 has IP address 10.10.10.1:
set security vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 10.10.10.1 default-esp-group ESP01
set security vpn ipsec site-to-site peer 10.10.10.1 ike-group IKE01
set security vpn ipsec site-to-site peer 10.10.10.1 local-address 10.10.9.1
This configuration sets up tunnel 2 to peer 1 at 10.10.10.1:
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 local prefix 192.168.3.1/32
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 remote prefix 192.168.4.1/32
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 uses vfp2
Peer 2 has IP address 192.168.1.1:
set security vpn ipsec site-to-site peer 192.168.1.1 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 192.168.1.1 default-esp-group ESP01
set security vpn ipsec site-to-site peer 192.168.1.1 ike-group IKE01
set security vpn ipsec site-to-site peer 192.168.1.1 local-address 10.10.9.1
This configuration sets up tunnel 1 to peer 2 at 192.168.1.1:
set security vpn ipsec site-to-site peer 192.168.1.1 tunnel 1 local prefix 192.168.3.1/32
set security vpn ipsec site-to-site peer 192.168.1.1 tunnel 1 remote prefix 192.168.4.1/32
set security vpn ipsec site-to-site peer 192.168.1.1 tunnel 1 uses vfp1
When you configure policy-based IPsec VPN tunnels in Vyatta, if multiple peers (such as a primary and a secondary peer) share the same local and remote prefixes, only one tunnel is active at a time. This behavior occurs because, in a policy-based setup, Vyatta cannot distinguish the traffic of multiple tunnels that use the same prefix pair. To enable multiple tunnels with the same prefix configuration, such as primary and secondary failover paths, use a route-based VPN. Route-based VPNs offer greater flexibility and can run multiple tunnels concurrently even when the local and remote prefixes are identical.
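The two pitfalls on this page, a policy-based tunnel that has no `uses vfpN` binding while a zone policy is configured (first section) and several peers that reuse one local/remote prefix pair (second section), can both be spotted by linting the `show configuration commands` output before commit. The checker below is an added example, not code from the IBM Cloud page or from Vyatta; the sample lines are constructed from the page's peers, and the `vfp` name format is assumed from the `uses vfp1`/`uses vfp2` commands shown above.

```python
import re
from collections import defaultdict

# Matches the per-tunnel 'set' lines: local/remote prefix, or the 'uses vfpN' binding.
TUNNEL_RE = re.compile(
    r"^set security vpn ipsec site-to-site peer (\S+) tunnel (\d+) "
    r"(?:(local|remote) prefix (\S+)|uses (\S+))$"
)
ZONE_RE = re.compile(r"^set security zone-policy zone \S+ interface ")

def parse_tunnels(lines):
    """Return {(peer, tunnel_no): {'local': .., 'remote': .., 'vfp': ..}}."""
    tunnels = defaultdict(dict)
    for line in lines:
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        peer, tun, side, prefix, vfp = m.groups()
        key = (peer, int(tun))
        if side:
            tunnels[key][side] = prefix.strip("'")   # prefixes may be quoted
        else:
            tunnels[key]["vfp"] = vfp.strip("'")
    return dict(tunnels)

def tunnels_without_vfp(lines):
    """Tunnels with no 'uses vfpN' binding while a zone policy exists: the
    combination under which the page's first section shows traffic stopping."""
    if not any(ZONE_RE.match(ln.strip()) for ln in lines):
        return []   # no zone firewall, so nothing for a feature point to fix
    return sorted(k for k, v in parse_tunnels(lines).items() if "vfp" not in v)

def shared_prefix_pairs(lines):
    """Peers whose tunnels reuse one (local, remote) prefix pair; in a
    policy-based setup only one of them can be active at a time."""
    by_pair = defaultdict(set)
    for (peer, _), v in parse_tunnels(lines).items():
        if "local" in v and "remote" in v:
            by_pair[(v["local"], v["remote"])].add(peer)
    return {p: sorted(peers) for p, peers in by_pair.items() if len(peers) > 1}

# Constructed sample: the page's two peers plus a zone policy; peer 2 lacks a vfp.
SAMPLE = """\
set security zone-policy zone INTERNET interface 'dp0bond1'
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 local prefix 192.168.3.1/32
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 remote prefix 192.168.4.1/32
set security vpn ipsec site-to-site peer 10.10.10.1 tunnel 2 uses vfp2
set security vpn ipsec site-to-site peer 192.168.1.1 tunnel 1 local prefix 192.168.3.1/32
set security vpn ipsec site-to-site peer 192.168.1.1 tunnel 1 remote prefix 192.168.4.1/32
""".splitlines()
```

Feed it the real `show configuration commands | grep -E 'ipsec|zone-policy'` output to get the unbound tunnels and the conflicting peers before applying the zone policy.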