实验说明
使用Ensp模拟器实现IPsec隧道实验。IPSec是一种VPN技术,配置的思路首先是两个网络先通,然后配置ACL、IEK和IPSec对等体,从而建立VPN隧道。
实验拓扑
配置过程
1 配置IP地址以及OSPF路由
# 配置中使用了简写命令,不熟悉的可通过Tab补齐
# AR1 路由配置
[Huawei]system-view
[Huawei]sysname AR1
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]ip ad 192.168.10.254 24
[AR1-GigabitEthernet0/0/1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip ad 100.0.0.1 30
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 192.168.10.254 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3# ISP 路由配置
[Huawei]system-view
[Huawei]sysname ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip ad 100.0.0.2 30
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip ad 200.0.0.2 30
[ISP-GigabitEthernet0/0/1]ospf 1
[ISP-ospf-1]area 0
[ISP-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[ISP-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3# AR2 路由配置
[Huawei]system-view
[Huawei]sys AR2
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip ad 192.168.20.254 24
[AR2-GigabitEthernet0/0/1]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip ad 200.0.0.1 30
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3
[AR2-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
2 测试两台PC连通性
PC>ipconfigLink local IPv6 address...........: fe80::5689:98ff:fe71:6be9
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.254
Physical address..................: 54-89-98-71-6B-E9
DNS server........................:PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.10.1: bytes=32 seq=2 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=3 ttl=125 time=16 ms
From 192.168.10.1: bytes=32 seq=4 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=125 time=15 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted4 packet(s) received20.00% packet lossround-trip min/avg/max = 0/23/31 ms
3 配置IPSec
这个过程有三个步骤:
- 创建ACL描述需要加密的流量匹配规则,被ACL匹配的流量就被加密
- 创建IKE提议,使用默认即可
- 创建IPSec提议,使用默认即可
- 创建IKE对等体,把IKE提议加进入,配置对端IP和密码
- 创建IPSec对等体,把ACL和IKE对等体、IPSec提议加进去就行了
3.1 创建ACL
这里要记住ACL的编号是3000
# AR1 路由配置
[AR1]acl 3000
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# 这条acl的意思是允许左边流量到右边
# 同样,我们还需要配置对端流量,即右边到左边的# AR2 路由配置
[AR2]acl 3000
[AR2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
3.2 创建IKE提议
两边路由都创建序号为1的提议,使用默认配置。如果你需要自定义,可以通过?查看可以配置的内容,如认证方式和认证算法等。
[AR1]ike proposal 1
[AR1-ike-proposal-1]dis ike proposal # 查看默认配置Number of IKE Proposals: 2-------------------------------------------IKE Proposal: 1Authentication method : pre-sharedAuthentication algorithm : SHA1Encryption algorithm : DES-CBCDH group : MODP-768SA duration : 86400PRF : PRF-HMAC-SHA
-------------------------------------------# AR2 路由配置
[AR2]ike proposal 1
[AR2-ike-proposal-1]dis ike proposal Number of IKE Proposals: 2-------------------------------------------IKE Proposal: 1Authentication method : pre-sharedAuthentication algorithm : SHA1Encryption algorithm : DES-CBCDH group : MODP-768SA duration : 86400PRF : PRF-HMAC-SHA
--------------------------------------------------------------------------------------IKE Proposal: DefaultAuthentication method : pre-sharedAuthentication algorithm : SHA1Encryption algorithm : DES-CBCDH group : MODP-768SA duration : 86400PRF : PRF-HMAC-SHA
-------------------------------------------
3.3创建IPSec提议
创建IPSec提议,名称为ipsec_proposal,使用默认配置。同样,你可以自定义他的加密算法等,默认使用DES。
# AR1 路由配置
[AR1]ipsec proposal ipsec_proposal
[AR1-ipsec-proposal-ipsec_proposal]dis ipsec proposalNumber of proposals: 1IPSec proposal name: ipsec_proposal Encapsulation mode: Tunnel Transform : esp-newESP protocol : Authentication MD5-HMAC-96 Encryption DES# AR2 路由配置
[AR2]ipsec proposal ipsec_proposal
[AR2-ipsec-proposal-ipsec_proposal]dis ips propoNumber of proposals: 1IPSec proposal name: ipsec_proposal Encapsulation mode: Tunnel Transform : esp-newESP protocol : Authentication MD5-HMAC-96 Encryption DES
3.4 创建 IKE对等体
创建名为ike_peer的对等体,把ike-proposal 1 加进去
# AR1 路由配置
[AR1]ike peer ike_peer v1
[AR1-ike-peer-ike_peer]pre-shared-key simple huawei # 配置密码,两边要一样
[AR1-ike-peer-ike_peer]ike-proposal 1 # 配置ike提议
[AR1-ike-peer-ike_peer]remote-address 200.0.0.1 # 配置对端IP# AR2 路由配置
[AR2]ike peer ike_peer v1
[AR2-ike-peer-ike_peer]pre-shared-key simple huawei
[AR2-ike-peer-ike_peer]ike-proposal 1
[AR2-ike-peer-ike_peer]remote-address 100.0.0.1
3.5创建IPSec策略
# AR1 路由配置
[AR1]ipsec policy ipsec_policy 10 isakmp
[AR1-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000 # 添加ACL 3000
[AR1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer # 添加ike peer
[AR1-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal # 添加ipsec proposal# AR2 路由配置
[AR2]ipsec policy ipsec_policy 10 isakmp
[AR2-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer
[AR2-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000
[AR2-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal
3.6在路由出口处配置ipsec策略
# AR1 路由配置
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy ipsec_policy # AR2 路由配置
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ipsec policy ipsec_policy
抓包测试
两台PC相互Ping,抓包结果如下:
这个ESP包就是对IP加密后的报文。
:系统拆分)
】Sliding Window Maximum)
