H3C IPSec配置实例
配置步骤:
一、.使得R1与R3之间(公网之间)能够通信
[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
二、IPSEC配置
R1配置:
1.配置感兴趣的数据流
[R1]acl num 3000
[R1-acl-adv-3000]rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
2.IKE策略配置
[R1]ike proposal 10 //创建IKE提议,并进入IKE视图
[R1-ike-proposal-10]encryption-algorithm 3des-cbc //IKE提议使用的加密算法
[R1-ike-proposal-10]authentication-method pre-share //IKE提议使用的密钥处理方式
[R1-ike-proposal-10]authentication-algorithm md5 //IKE提议使用的验证算法
[R1-ike-proposal-10]dh group2 //IKE提议使用的DH交换组
[R1-ike-proposal-10]sa duration 86400 //ISAKMP SA生存周期
[R1-ike-proposal-10]
3.配置IKE对等体及密钥
[R1]ike peer R3 //创建IKE对等体,并进入IKE对等体视图
[R1-ike-peer-r3]exchange-mode main //IKE对等体的协商模式
[R1-ike-peer-r3]pre-shared-key h3c //IKE对等体的密钥
[R1-ike-peer-r3]local-address 12.1.1.1 //本端安全网关地址
[R1-ike-peer-r3]remote-address 23.1.1.3 //对端安全网关地址
[R1-ike-peer-r3]remote-name R3 //对端安全网关名称
[R1]ike local-name R1 //本端安全网关名称
[R1]
4. IPSEC安全提议配置
[R1]ipsec proposal r1 //创建IPSEC安全提议
[R1-ipsec-proposal-r1]transform esp //安全协议
[R1-ipsec-proposal-r1]esp encryption-algorithm 3des //ESP协议采用加密算法
[R1-ipsec-proposal-r1]esp authentication-algorithm md5 //ESP协议采用验证算法
[R1-ipsec-proposal-r1]encapsulation-mode tunnel //ESP协议采用工作模式
[R1-ipsec-proposal-r1]
5.配置IKE协商的安全策略
[R1]ipsec policy 1 10 isakmp //创建一条安全策略
[R1-ipsec-policy-isakmp-1-10]security acl 3000 //配置安全c策略所引用的ACL
[R1-ipsec-policy-isakmp-1-10]proposal r1 //配安全策略所引用的安全提议
[R1-ipsec-policy-isakmp-1-10]ike-peer r3 //引用的IKE对等体
[R1-ipsec-policy-isakmp-1-10]pfs dh-group5 //DH组
[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400 //ipsec SA生存周期
[R1-ipsec-policy-isakmp-1-10]q
6.在接口上应用安全策略
[R1]int s0/2/0
[R1-Serial0/2/0]ipsec policy 1 //在接口上应用安全策略
[R1]
R3的配置
[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
[R3]acl number 3000
[R3-acl-adv-3000]rule pe
[R3-acl-adv-3000]rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
[R3-acl-adv-3000]q
[R3]ike proposal 10
[R3-ike-proposal-10]encryption-algorithm 3des-cbc
[R3-ike-proposal-10]authentication-method pre-share
[R3-ike-proposal-10]authentication-algorithm md5
[R3-ike-proposal-10]dh group2
[R3-ike-proposal-10]sa duration 86400
[R3-ike-proposal-10]q
[R3]ike peer R1
[R3-ike-peer-r1]exchange-mode main
[R3-ike-peer-r1]pre-shared-key h3c
[R3-ike-peer-r1]local-a 23.1.1.3
[R3-ike-peer-r1]remote-address 12.1.1.1
[R3-ike-peer-r1]remote-name R1
[R3-ike-peer-r1]Q
[R3]ipsec proposal r3
[R3-ipsec-proposal-r3]transform esp
[R3-ipsec-proposal-r3]esp encryption-algorithm 3des
[R3-ipsec-proposal-r3]esp authentication-algorithm md5
[R3-ipsec-proposal-r3]encapsulation-mode tunnel
[R3-ipsec-proposal-r3]q
[R3]ipsec policy 1 10 isakmp
[R3-ipsec-policy-isakmp-1-10]security acl 3000
[R3-ipsec-policy-isakmp-1-10]proposal r3
[R3-ipsec-policy-isakmp-1-10]ike-peer R1
[R3-ipsec-policy-isakmp-1-10]sa duration time-based 86400
[R3-ipsec-policy-isakmp-1-10]q
[R3]int s0/2/0
[R3-Serial0/2/0]ipsec policy 1
[R3-Serial0/2/0]q
三、测试实验结果
[R1]ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Request time out
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms
Request time out
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
3 packet(s) received
40.00% packet loss
round-trip min/avg/max = 5/17/26 ms
[R1]
此时两个内网之间能够正常通信。实验完成
调试命令:
1.显示IKE对等体配置参数
[R1]dis ike peer
---------------------------
IKE Peer: r3
exchange mode: main on phase 1
pre-shared-key cipher nw1kqzgZJnA=
peer id type: ip
peer ip address: 23.1.1.3
local ip address: 12.1.1.1
peer name: R3
nat traversal: disable
dpd:
---------------------------
[R1]
2.显示当前ISAKMP SA的信息
[R1]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
3 23.1.1.3 RD|ST 2 IPSEC
2 23.1.1.3 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R1]
3.显示每个IKE提议的配置参数
[R1]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
3 23.1.1.3 RD|ST 2 IPSEC
2 23.1.1.3 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R1]dis ike pro
[R1]dis ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
10 PRE_SHARED MD5 3DES_CBC MODP_1024 86400
default PRE_SHARED SHA DES_CBC MODP_768 86400
[R1]
4.显示IPsec安全策略信息
[R1]dis ipsec policy
===========================================
IPsec Policy Group: "1"
Using interface: {Serial0/2/0}
===========================================
-----------------------------
IPsec policy name: "1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3000
selector mode: standard
ike-peer name: r3
perfect forward secrecy: DH group 5
proposal name: r1
IPsec sa local duration(time based): 86400 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
[R1]
5.显示IPSEC安全提议信息
[R1]dis ipsec proposal
IPsec proposal name: r1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption 3des
[R1]
6.显示IPSEC SA的信息
[R1]dis ipsec sa
===============================
Interface: Serial0/2/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: DH group 5
tunnel:
local address: 12.1.1.1
remote address: 23.1.1.3
Flow :
sour addr: 192.168.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.2.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2476921505 (0x93a2d2a1)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887435624/84789
max received sequence-number: 14
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1974141924 (0x75ab03e4)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887435624/84789
max sent sequence-number: 15
udp encapsulation used for nat traversal: N
[R1]
7.显示IPSEC处理的报文信息
[R1]dis ipsec statistics
the security packet statistics:
input/output security packets: 14/14
input/output security bytes: 1176/1176
input/output dropped security packets: 0/1
dropped security packet detail:
not enough memory: 0
can't find SA: 1
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
[R1]