IPSec实验

本节介绍如何使用华为路由器，建立IPSec VPN，来保障俩个站点之间正常的通信

1.拓扑图

2.步骤

2.1 在r4和r5上配置静态路由，指定对端的路由
2.2 使用高级IP acl 指定进行保护的流量（指定流量的源地址和目的IP地址）
2.3 创建IPSec安全提议并指定IPSec使用的各项参数
2.4 创建IKE安全提议，并指定IKE使用的各项参数
2.5 创建IKE对等体。并在其中引用配置的安全提议
2.6 创建IPSec安全策略，并在其中引用ACL，IPSec安全提议和IKE对等体
2.7建立连接的俩端，在面向lnternet的接口上应用安全策略

3.配置
3.1配置所有的IP地址和静态路由

r4：
interface GigabitEthernet0/0/0ip address 10.10.10.254 255.255.255.0 
#
interface GigabitEthernet0/0/1ip address 45.1.1.1 255.255.255.0 
静态路由：
ip route-static 20.20.20.0 255.255.255.0 45.1.1.5
ip route-static 56.1.1.0 255.255.255.0 45.1.1.5
#

r5：
[r5]int g0/0/0
[r5-GigabitEthernet0/0/0]ip address 45.1.1.5 24
[r5-GigabitEthernet0/0/0]int g0/0/1
[r5-GigabitEthernet0/0/1]ip address 56.1.1.1 24

r6：
interface GigabitEthernet0/0/0ip address 56.1.1.6 255.255.255.0 interface GigabitEthernet0/0/1ip address 20.20.20.254 255.255.255.0 
静态路由：
ip route-static 10.10.10.0 255.255.255.0 56.1.1.1
ip route-static 45.1.1.0 255.255.255.0 56.1.1.1

3.2在r4和r6上使用高级IP acl定义需要过ipsec vpn的流量

[r4]acl  3010  
[r4-acl-adv-3010]
[r4-acl-adv-3010] rule  permit ip source 10.10.10.0 0.0.0.255 destination 20.20
.20.0 0.0.0.255 
[r4-acl-adv-3010] rule 10 deny ip 

[r6]acl 3020  
[r6-acl-adv-3020]
[r6-acl-adv-3020] rule  permit ip source 20.20.20.0 0.0.0.255 destination 10.10
.10.0 0.0.0.255 [r6-acl-adv-3020] rule  deny ip

3.3在r4和r6上配置IPSec安全提议

r4：
[r4]ipsec proposal huawei10（自定义名字）
[r4-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r4-ipsec-proposal-huawei10]transform esp（指定IPSec所使用的安全协议）
[r4-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256（算法）	
[r4-ipsec-proposal-huawei10]esp encryption-algorithm aes-128

r6：
[r6]ipsec proposal huawei20（自定义名字）
[r6-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r6-ipsec-proposal-huawei10]transform esp（指定IPSec所使用的安全协议）
[r6-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256（算法）	
[r6-ipsec-proposal-huawei10]esp encryption-algorithm aes-128

查看安全提议：

[r4]display ipsec proposalNumber of proposals: 1IPSec proposal name: huawei                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication SHA2-HMAC-256                             Encryption     AES-128[r6]dis ipsec proposalNumber of proposals: 1IPSec proposal name: huawei2                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication SHA2-HMAC-256                             Encryption     AES-128

3.4在r4和r6上创建ike安全提议

[r4]ike proposal 10	
[r4-ike-proposal-10]authentication-algorithm sha1 （认证算法也与设备的型号有关）	
[r4-ike-proposal-10]authentication-method pre-share （默认的认证方式是预共享密钥）	
[r4-ike-proposal-10]encryption-algorithm aes-cbc-128（加密算法）
[r4-ike-proposal-10]q
同理		
[r6-ike-proposal-10]authentication-algorithm sha1 
[r6-ike-proposal-10]authentication-algorithm	
[r6-ike-proposal-10]authentication-method pre-share 	
[r6-ike-proposal-10]encryption-algorithm aes-cbc-128
[r6-ike-proposal-10]q

3.5在r4和r6上创建ike对等体

[r4]ike peer huawei10 v1
[r4-ike-peer-huawei10]ike	
[r4-ike-peer-huawei10]ike-proposal 10
[r4-ike-peer-huawei10]pre-shared-key  cipher huawei
[r4-ike-peer-huawei10]remote-address 56.1.1.6（对端的g0/0/0ip地址）[r4-ike-peer-huawei10]q
[r6]ike peer huawei20 v1 	
[r6-ike-peer-huawei20]ike-proposal 10	
[r6-ike-peer-huawei20]pre-shared-key cip huawei
[r6-ike-peer-huawei20]remote-address 45.1.1.1
[r6-ike-peer-huawei20]q
[r6]

查看ike对等体

[r4]dis ike peer verbose Number of IKE peers: 1------------------------------------------Peer name              : huawei10Exchange mode          : main on phase 1Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!Proposal               : 10Local ID type          : IPDPD                    : DisableDPD mode               : PeriodicDPD idle time          : 30DPD retransmit interval: 15DPD retry limit        : 3Host name              : Peer IP address        : 56.1.1.6VPN name               : Local IP address       : Local name             : Remote name            : NAT-traversal          : DisableConfigured IKE version : Version onePKI realm              : NULLInband OCSP            : Disable[r6]dis ike peer verbose Number of IKE peers: 1------------------------------------------Peer name              : huawei20Exchange mode          : main on phase 1Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!Proposal               : 10Local ID type          : IPDPD                    : DisableDPD mode               : PeriodicDPD idle time          : 30DPD retransmit interval: 15DPD retry limit        : 3Host name              : Peer IP address        : 45.1.1.1 VPN name               : Local IP address       : Local name             : Remote name            : NAT-traversal          : DisableConfigured IKE version : Version onePKI realm              : NULLInband OCSP            : Disable
------------------------------------------

3.6在r4和r6上配置ipsec策略

[r4]ipsec policy hw 10 isakmp 
[r4-ipsec-policy-isakmp-hw-10]ike-peer huawei10
[r4-ipsec-policy-isakmp-hw-10]proposal huawei	
[r4-ipsec-policy-isakmp-hw-10]security acl 3010
[r4-ipsec-policy-isakmp-hw-10]q[r6]ipsec policy hw2 10 isakmp 
[r6-ipsec-policy-isakmp-hw2-10]ike-peer huawei20
[r6-ipsec-policy-isakmp-hw2-10]proposal huawei2
[r6-ipsec-policy-isakmp-hw2-10]security acl 3020
[r6-ipsec-policy-isakmp-hw2-10]q

查看ipsec安全策略

[r4]display ipsec policy===========================================
IPSec policy group: "hw"
Using interface: 
===========================================Sequence number: 10Security data flow: 3010Peer name    :  huawei10Perfect forward secrecy: NoneProposal name:  huaweiIPSec SA local duration(time based): 3600 secondsIPSec SA local duration(traffic based): 1843200 kilobytesAnti-replay window size: 32SA trigger mode: AutomaticRoute inject: NoneQos pre-classify: Disable[r6]dis ipsec policy===========================================
IPSec policy group: "hw2"
Using interface: 
===========================================Sequence number: 10Security data flow: 3020Peer name    :  huawei20Perfect forward secrecy: NoneProposal name:  huawei2IPSec SA local duration(time based): 3600 secondsIPSec SA local duration(traffic based): 1843200 kilobytesAnti-replay window size: 32SA trigger mode: AutomaticRoute inject: NoneQos pre-classify: Disable

3.7在r4和r6上应用IPSec安全策略

[r4]int g0/0/1
[r4-GigabitEthernet0/0/1]ipsec po	
[r4-GigabitEthernet0/0/1]ipsec policy hw[r6]int g0/0/0
[r6-GigabitEthernet0/0/0]ipsec	
[r6-GigabitEthernet0/0/0]ipsec policy hw2
[r6-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0ip address 56.1.1.6 255.255.255.0 ipsec policy hw2

查看以创建的ike sa

[r4]dis ike saConn-ID  Peer            VPN   Flag(s)                Phase  ---------------------------------------------------------------7    56.1.1.6        0     RD                     2     6    56.1.1.6        0     RD                     1     Flag Description:RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP[r6]dis ike saConn-ID  Peer            VPN   Flag(s)                Phase  ---------------------------------------------------------------9    45.1.1.1        0     RD|ST                  2     8    45.1.1.1        0     RD|ST                  1     Flag Description:RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

3.8 pc1向pc2发起ping


抓包查看

由此可知lnternet中路由器无法知道这个数据包是哪种类型的信息，只有数据到达r6才能读到携带的真数据，并把数据进行下一步处理。

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！