Question:
Most firewall or UTM deployments use one of three modes: routing mode, bridge mode, or hybrid mode. The core of the configuration is writing the rules; a good rule set greatly improves the security of the internal network. If a UTM is used, other security components may also be enabled, most commonly the AV (anti-virus) component, the IPS component, the anti-spam component, and others such as VPN. This article mainly describes the configuration of USG series devices in common deployment modes. Firewalls from other vendors are configured in a similar way, so once these steps are mastered other devices are easy to pick up; we need to be good at summarizing the knowledge and skills that such devices have in common!
This article mainly introduces the gateway-to-Gateway mode VPN configuration.
Tutorial topology:
Environment Description:
1. Firewall A and firewall B work in routing mode.
2. The hosts inside each firewall and the external network form two strictly separated zones (Intranet and Internet).
3. Each firewall's intranet port is eth1 and its Internet port is eth2.
4. Strict access control is implemented between the zones to ensure system security.
5. On firewall A, the intranet port address is 192.168.0.1/24, the Internet port address is 218.249.22.117/25, and eth2 is connected to the Internet through the desk's network port (such as A1-1); the default gateway address is 218.249.22.113/25. On firewall B, the intranet port address is 10.30.30.1/24, the Internet port address is 172.31.22.117/25, and eth2 is connected to the Internet through the desk's network port (such as A1-1); the default gateway address is 172.31.118.1/25.
6. The intranet of firewall A is divided into VLANs; by default the gateway points to 192.168.0.1.
VLAN1: 192.168.1.0/24. The intranet host is set to 192.168.1.10/24 and is directly connected to the eth1 interface of firewall A.
VLAN2: 192.168.2.0/24
VLAN3: 192.168.3.0/24
7. The intranet of firewall B is 10.30.30.0/24; its intranet host is set to 10.30.30.2/24 and is directly connected to the eth1 interface of firewall B.
8. The VLANs of firewall A and the intranet of firewall B communicate with each other through the VPN.
Specific configuration process:
Configuration of firewall A
1. Go to the "Network Configuration" page and configure the IP addresses of eth1 and eth2. Open eth1, click "New", and create three VLAN interfaces: vlan1, vlan2, and vlan3. Submit and save the configuration.
2. Go to "Network Settings" > "Basic Configuration" > "Default Gateway", click "New", and add the gateway IP address. Submit and save.
3. Go to "Object Management" > "Address Object" > "Address Node", click "New", and create four subnet objects: vlan1, vlan2, vlan3, and the remote subnet. Submit and save.
4. Go to "VPN" > "IPsec" > "Automatic Mode (IKE)" and click "Create Phase 1". On the Phase 1 creation page, enter "firewall B" as the gateway name and the IP address of firewall B as the remote gateway. The gateway address is 172.31.118.1.
Select "main mode", select pre-shared key as the authentication method, and enter "123456" as the pre-shared key. Click Submit.
5. Click the first small icon to the right of "Phase 2" to create Phase 2. On the Phase 2 creation page, enter "Tunnel 1" as the tunnel name, then submit and save.
6. Go to "Firewall" > "Security Policy" and click "New" to create a security policy that allows vlan1, vlan2, and vlan3 to reach the remote subnet through the IPsec-encrypted VPN tunnel "Tunnel 1". Configure the parameters as follows: source interface eth1; source addresses vlan1, vlan2, and vlan3; destination interface eth2; destination address remote subnet; service any; schedule always; action IPSEC. Select "Tunnel 1" and enable both "Allow inbound" and "Allow outbound". After configuring the parameters, click Submit, then enable and save the security policy.
7. Follow the steps above to perform similar configuration on firewall B to ensure that parameters such as pre-shared keys and encryption algorithms are consistent.
8. From a host on the internal side of firewall A or firewall B, try to reach the peer intranet. If the access succeeds, the VPN configuration is complete.
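Step 7 requires that the two ends mirror each other (pre-shared key, IKE mode, and the local/remote subnets swapped), and step 6 determines which traffic is steered into the tunnel. The following script is an added example, not part of the article or of the USG product; it encodes the article's addresses and checks both properties. It assumes each side's remote gateway is the peer's Internet-port (eth2) address and that a pre-shared key shorter than 16 characters should be reported.

```python
# Added example: consistency checks for a pair of gateway-to-gateway IPsec
# configurations, using the addresses from the article (constructed data).
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class SideConfig:
    name: str
    wan_ip: str            # eth2 (Internet port) address
    peer_gateway: str      # phase 1 "remote gateway"
    ike_mode: str          # phase 1 exchange mode ("main" in the article)
    psk: str               # pre-shared key
    tunnel: str            # phase 2 tunnel name
    local_subnets: tuple   # source addresses of the IPsec policy
    remote_subnets: tuple  # destination addresses of the IPsec policy

def check_pair(a: SideConfig, b: SideConfig) -> list:
    """Return a list of problems; an empty list means the ends mirror each other."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x.peer_gateway != y.wan_ip:  # assumption: peer gateway = peer eth2 address
            problems.append(f"{x.name}: remote gateway is not {y.name}'s Internet-port address")
        if set(x.remote_subnets) != set(y.local_subnets):
            problems.append(f"{x.name}: remote subnets do not match {y.name}'s local subnets")
        if len(x.psk) < 16:  # assumption: 16 characters as a minimum PSK length
            problems.append(f"{x.name}: pre-shared key is too short")
    if a.ike_mode != b.ike_mode:
        problems.append("IKE phase 1 mode differs between the two ends")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    nets = [ipaddress.ip_network(n) for n in a.local_subnets + a.remote_subnets]
    for i, n in enumerate(nets):          # local and remote subnets must not overlap,
        for m in nets[i + 1:]:            # or the policy cannot tell the sides apart
            if n.overlaps(m):
                problems.append(f"subnets {n} and {m} overlap")
    return problems

def select_tunnel(side: SideConfig, src: str, dst: str):
    """Model the step 6 policy: only local-subnet -> remote-subnet traffic enters the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (any(s in ipaddress.ip_network(n) for n in side.local_subnets)
            and any(d in ipaddress.ip_network(n) for n in side.remote_subnets)):
        return side.tunnel
    return None

VLANS = ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")
FW_A = SideConfig("firewall A", "218.249.22.117", "172.31.22.117", "main", "123456",
                  "Tunnel 1", VLANS, ("10.30.30.0/24",))
FW_B = SideConfig("firewall B", "172.31.22.117", "218.249.22.117", "main", "123456",
                  "Tunnel 1", ("10.30.30.0/24",), VLANS)
```

Running `check_pair(FW_A, FW_B)` on the article's values reports only the short pre-shared key "123456"; `select_tunnel(FW_A, "192.168.1.10", "10.30.30.2")` returns "Tunnel 1".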
This article is from the "Dream" blog; please keep this source: http://yuntaoliu.blog.51cto.com/1311681/537969