Lab description
This lab builds an IPsec tunnel in the eNSP simulator. IPsec is a VPN technology. The configuration approach is to first get the two networks reachable from each other, then configure the ACL, IKE and the IPsec peer, and so bring up the VPN tunnel.
Lab topology
Configuration steps
1 Configure IP addresses and OSPF routing
# Abbreviated commands are used throughout; press Tab to expand any you are not familiar with
# AR1 router configuration
<Huawei>system-view
[Huawei]sysname AR1
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]ip ad 192.168.10.254 24
[AR1-GigabitEthernet0/0/1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip ad 100.0.0.1 30
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 192.168.10.254 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3
# ISP router configuration
<Huawei>system-view
[Huawei]sysname ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip ad 100.0.0.2 30
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip ad 200.0.0.2 30
[ISP-GigabitEthernet0/0/1]ospf 1
[ISP-ospf-1]area 0
[ISP-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[ISP-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3
# AR2 router configuration
<Huawei>system-view
[Huawei]sys AR2
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip ad 192.168.20.254 24
[AR2-GigabitEthernet0/0/1]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip ad 200.0.0.1 30
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3
[AR2-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
2 Test connectivity between the two PCs
On the PC in the 192.168.20.0/24 network, check its address and ping the PC on the other side:
PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe71:6be9
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.254
Physical address..................: 54-89-98-71-6B-E9
DNS server........................:

PC>ping 192.168.10.1

Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.10.1: bytes=32 seq=2 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=3 ttl=125 time=16 ms
From 192.168.10.1: bytes=32 seq=4 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=125 time=15 ms

--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/23/31 ms
3 Configure IPsec
This process breaks down into the following steps:
- Create an ACL that describes the traffic to be encrypted; whatever the ACL matches gets encrypted
- Create an IKE proposal; the defaults are fine
- Create an IPsec proposal; the defaults are fine
- Create an IKE peer, attach the IKE proposal to it, and configure the remote IP address and the pre-shared key
- Create the IPsec policy and attach the ACL, the IKE peer and the IPsec proposal to it
3.1 Create the ACL
Remember that the ACL number used here is 3000.
# AR1 router configuration
[AR1]acl 3000
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# This ACL permits traffic from the left-hand network to the right-hand one
# Likewise we need to configure the opposite direction on the peer, i.e. right to left
# AR2 router configuration
[AR2]acl 3000
[AR2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
3.2 Create the IKE proposal
Create proposal number 1 on both routers with the default configuration. If you need to customize it, type ? to list the configurable items, such as the authentication method and the authentication algorithm.
# AR1 router configuration
[AR1]ike proposal 1
[AR1-ike-proposal-1]dis ike proposal # show the default configuration
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
# AR2 router configuration
[AR2]ike proposal 1
[AR2-ike-proposal-1]dis ike proposal
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
-------------------------------------------
IKE Proposal: Default
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
3.3 Create the IPsec proposal
Create an IPsec proposal named ipsec_proposal with the default configuration. As before, you can customize its encryption algorithm and so on; the default is DES.
# AR1 router configuration
[AR1]ipsec proposal ipsec_proposal
[AR1-ipsec-proposal-ipsec_proposal]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: ipsec_proposal
 Encapsulation mode: Tunnel
 Transform : esp-new
 ESP protocol : Authentication MD5-HMAC-96 Encryption DES
# AR2 router configuration
[AR2]ipsec proposal ipsec_proposal
[AR2-ipsec-proposal-ipsec_proposal]dis ips propo
Number of proposals: 1
IPSec proposal name: ipsec_proposal
 Encapsulation mode: Tunnel
 Transform : esp-new
 ESP protocol : Authentication MD5-HMAC-96 Encryption DES
3.4 Create the IKE peer
Create a peer named ike_peer and attach ike-proposal 1 to it.
# AR1 router configuration
[AR1]ike peer ike_peer v1
[AR1-ike-peer-ike_peer]pre-shared-key simple huawei # set the pre-shared key; it must be identical on both sides
[AR1-ike-peer-ike_peer]ike-proposal 1 # attach the IKE proposal
[AR1-ike-peer-ike_peer]remote-address 200.0.0.1 # the peer's IP address
# AR2 router configuration
[AR2]ike peer ike_peer v1
[AR2-ike-peer-ike_peer]pre-shared-key simple huawei
[AR2-ike-peer-ike_peer]ike-proposal 1
[AR2-ike-peer-ike_peer]remote-address 100.0.0.1
3.5 Create the IPsec policy
# AR1 router configuration
[AR1]ipsec policy ipsec_policy 10 isakmp
[AR1-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000 # attach ACL 3000
[AR1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer # attach the IKE peer
[AR1-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal # attach the IPsec proposal
# AR2 router configuration
[AR2]ipsec policy ipsec_policy 10 isakmp
[AR2-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer
[AR2-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000
[AR2-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal
3.6 Apply the IPsec policy on each router's outbound interface
# AR1 router configuration
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy ipsec_policy
# AR2 router configuration
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ipsec policy ipsec_policy
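As an added check that is not part of the original write-up, the script below parses the prompt-prefixed command lines from both routers' transcripts and verifies what the two sides must agree on before the tunnel can come up: identical pre-shared key, each remote-address pointing at the peer's outbound interface address, mirror-image ACL rules, and the policy bound to an interface on both ends. The transcript strings are constructed from the commands shown above; the parser targets lines as typed at the VRP prompt, not the layout of a saved configuration file.

```python
import re

# Constructed sample input: the tunnel-relevant command lines from each router's
# transcript in this write-up, with the [view] prompt kept exactly as typed.
AR1 = """
[AR1-GigabitEthernet0/0/0]ip ad 100.0.0.1 30
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[AR1-ike-peer-ike_peer]pre-shared-key simple huawei
[AR1-ike-peer-ike_peer]remote-address 200.0.0.1
[AR1-GigabitEthernet0/0/0]ipsec policy ipsec_policy
"""
AR2 = """
[AR2-GigabitEthernet0/0/0]ip ad 200.0.0.1 30
[AR2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[AR2-ike-peer-ike_peer]pre-shared-key simple huawei
[AR2-ike-peer-ike_peer]remote-address 100.0.0.1
[AR2-GigabitEthernet0/0/0]ipsec policy ipsec_policy
"""

def parse_side(transcript):
    """Pull the values the peer must agree with out of one router's transcript."""
    side = {"wan_ip": None, "rules": [], "psk": None, "remote": None, "policy_if": None}
    for view, cmd in re.findall(r"\[([^\]]+)\](.*)", transcript):
        cmd = cmd.strip()
        if "GigabitEthernet" in view and cmd.startswith("ip ad"):
            side["wan_ip"] = cmd.split()[2]            # address on the outbound interface
        elif cmd.startswith("rule") and "source" in cmd:
            r = re.search(r"source (\S+) \S+ destination (\S+) \S+", cmd)
            side["rules"].append((r.group(1), r.group(2)))
        elif cmd.startswith("pre-shared-key"):
            side["psk"] = cmd.split()[-1]
        elif cmd.startswith("remote-address"):
            side["remote"] = cmd.split()[1]
        elif cmd.startswith("ipsec policy") and "GigabitEthernet" in view:
            side["policy_if"] = view.split("-", 1)[1]  # interface the policy is bound to
    return side

def check_pair(a, b):
    """Return the mismatches that would keep IKE phase 1/2 from completing."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["remote"] != b["wan_ip"] or b["remote"] != a["wan_ip"]:
        findings.append("remote-address does not point at the peer's outbound interface")
    mirrored = {(dst, src) for src, dst in b["rules"]}   # B's rules as seen from A's side
    if set(a["rules"]) != mirrored:
        findings.append("ACL 3000 rules are not mirror images of each other")
    if not (a["policy_if"] and b["policy_if"]):
        findings.append("ipsec policy is not bound to the outbound interface on both routers")
    return findings
```

An empty list from check_pair(parse_side(AR1), parse_side(AR2)) means the two sides are consistent; any string returned names the side-to-side mismatch to fix first.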
Packet capture test
Ping between the two PCs; the capture shows the following:
The ESP packets seen here are the original IP packets after encryption.