Configuring an IPSec VPN

Establishing an IPSec VPN between two sites

IPSec VPN configuration steps:

1. Configure the IP address of each router interface and the basic PC settings according to the topology diagram

Complete this on your own according to the topology diagram, then check the interface IP addresses of AR1, AR2 and AR3.

[AR1]dis ip int brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              202.108.10.1/30      up         up        
GigabitEthernet0/0/1              10.10.10.1/24        up         up        
GigabitEthernet0/0/2              unassigned           down       down      
NULL0                             unassigned           up         up(s) 
[AR2]dis ip int brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              202.108.20.1/30      up         up        
GigabitEthernet0/0/1              10.10.20.1/24        up         up        
GigabitEthernet0/0/2              unassigned           down       down      
NULL0
[AR3]dis ip int brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              202.108.10.2/30      up         up        
GigabitEthernet0/0/1              202.108.20.2/30      up         up        
GigabitEthernet0/0/2              unassigned           down       down      
NULL0
2. On AR1 and AR2, specify the route towards the remote site using a static default route
[AR1]ip route-static 0.0.0.0 0 202.108.10.2
[AR2]ip route-static 0.0.0.0 0 202.108.20.2

Test connectivity between site 1 and site 2

[AR1]ping 202.108.20.1
  PING 202.108.20.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 202.108.20.1: bytes=56 Sequence=2 ttl=254 time=40 ms
    Reply from 202.108.20.1: bytes=56 Sequence=3 ttl=254 time=20 ms
    Reply from 202.108.20.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 202.108.20.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 202.108.20.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 20/30/40 ms

The test result shows that AR1 and AR2 can reach each other.

PC>ping 10.10.20.20

Ping 10.10.20.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 10.10.20.20 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

However, the internal host PC1 at site 1 and the internal host at site 2 cannot reach each other.

3. Use an advanced IP ACL to specify the traffic that must be protected by the IPSec tunnel
[AR1]acl 3010
[AR1-acl-adv-3010]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[AR1-acl-adv-3010]rule deny ip

On AR1, only traffic with a source IP in 10.10.10.0/24 and a destination IP in 10.10.20.0/24 is permitted.

[AR2]acl 3020
[AR2-acl-adv-3020]rule permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[AR2-acl-adv-3020]rule deny ip

On AR2, only traffic with a source IP in 10.10.20.0/24 and a destination IP in 10.10.10.0/24 is permitted.

4. Create an IPSec proposal and specify the parameters IPSec will use
[AR1]ipsec proposal prop10  
[AR1-ipsec-proposal-prop10]encapsulation-mode tunnel 
[AR1-ipsec-proposal-prop10]transform esp    
[AR1-ipsec-proposal-prop10]esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-prop10]esp encryption-algorithm aes-128

AR1 creates an IPSec proposal named prop10, which specifies the parameters used to establish the connection: the encapsulation mode, the security protocol, and the authentication and encryption algorithms.

[AR2]ipsec proposal prop20  
[AR2-ipsec-proposal-prop20]esp authentication-algorithm sha2-256
[AR2-ipsec-proposal-prop20]esp encryption-algorithm aes-128

AR2 creates an IPSec proposal named prop20. AR2 leaves the encapsulation mode and transform at their defaults (tunnel mode and ESP), which match what AR1 set explicitly. AR1 and AR2 compare the IPSec proposals each side supports and negotiate the authentication and encryption algorithms IPSec will use.

View the IPSec proposal on AR1

[AR1]dis ipsec proposal 

Number of proposals: 1

IPSec proposal name: prop10                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256                             
                     Encryption     AES-128
5. Create an IKE proposal and specify the parameters IKE will use
[AR1]ike proposal 10
[AR1-ike-proposal-10]authentication-method pre-share 
[AR1-ike-proposal-10]authentication-algorithm sha1
[AR1-ike-proposal-10]encryption-algorithm aes-cbc-128
[AR2]ike proposal 20    
[AR2-ike-proposal-20]authentication-algorithm sha1
[AR2-ike-proposal-20]encryption-algorithm aes-cbc-128

The IKE proposal number ranges from 1 to 99. The IKE proposal specifies the authentication method, and the authentication and encryption algorithms, used for the IKE exchange and for protecting the keys.

6. Create an IKE peer and reference the configured IKE proposal in it
[AR1]ike peer ike10 v1
[AR1-ike-peer-ike10]ike-proposal 10 
[AR1-ike-peer-ike10]pre-shared-key cipher huawei123
[AR1-ike-peer-ike10]remote-address 202.108.20.1
[AR2]ike peer ike20 v1  
[AR2-ike-peer-ike20]ike-proposal 20
[AR2-ike-peer-ike20]pre-shared-key cipher huawei123
[AR2-ike-peer-ike20]remote-address 202.108.10.1

The system-view command ike peer ike20 v1 creates a peer; in the IKE peer view, the remote IP address is specified, the IKE proposal created earlier is applied, and the pre-shared key is defined.

View the IKE peer on AR1

[AR1]dis ike peer verbose 

Number of IKE peers: 1

------------------------------------------
   Peer name              : ike10
   Exchange mode          : main on phase 1
   Pre-shared-key cipher  : "@J*U2S*(7F,YWX*NZ55OA!!
   Proposal               : 10
   Local ID type          : IP
   DPD                    : Disable
   DPD mode               : Periodic
   DPD idle time          : 30
   DPD retransmit interval: 15
   DPD retry limit        : 3
   Host name              : 
   Peer IP address        : 202.108.20.1 
   VPN name               : 
   Local IP address       : 
   Local name             : 
   Remote name            : 
   NAT-traversal          : Disable
   Configured IKE version : Version one
   PKI realm              : NULL
   Inband OCSP            : Disable
  ---- More ----

The output shows all the IKE-related parameters configured so far: the peer name (ike10), the IKE proposal number (10), the IKE peer IP address (202.108.20.1) and the IKE version (Version one).

7. Create an IPSec policy and apply the ACL, the IPSec proposal and the IKE peer in it

Configure the security policy

[AR1]ipsec policy po10 10 isakmp 
[AR1-ipsec-policy-isakmp-po10-10]ike-peer ike10
[AR1-ipsec-policy-isakmp-po10-10]proposal prop10
[AR1-ipsec-policy-isakmp-po10-10]security acl 3010
[AR2]ipsec policy po20 20 isakmp 
[AR2-ipsec-policy-isakmp-po20-20]ike-peer ike20 
[AR2-ipsec-policy-isakmp-po20-20]proposal prop20    
[AR2-ipsec-policy-isakmp-po20-20]security acl 3020

All the parameters created in steps 2-5 are applied to the IPSec policy.
View the IPSec policy on AR1

[AR1]dis ipsec policy

===========================================
IPSec policy group: "po10"
Using interface: 
===========================================

    Sequence number: 10
    Security data flow: 3010
    Peer name    :  ike10
    Perfect forward secrecy: None
    Proposal name:  prop10
    IPSec SA local duration(time based): 3600 seconds
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 32
    SA trigger mode: Automatic
    Route inject: None
    Qos pre-classify: Disable

The output shows the IKE peer name just applied (ike10), the IPSec proposal (prop10), and the ACL that selects the traffic to be protected (3010).

8. At both ends of the connection, apply the security policy on the Internet-facing interface.
[AR1]interface g0/0/0   
[AR1-GigabitEthernet0/0/0]ipsec policy po10
[AR2]int g0/0/0 
[AR2-GigabitEthernet0/0/0]ipsec policy po20

View the established IKE SAs on AR1 and AR2

[AR1]DIS IKE SA
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
        3    202.108.20.1    0     RD|ST                  2     
        2    202.108.20.1    0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[AR2]dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
        3    202.108.10.1    0     RD                     2     
        2    202.108.10.1    0     RD                     1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

AR1 shows an additional ST flag, indicating that AR1 is the initiator of the IKE SA negotiation. The RD flag present on both AR1 and AR2 indicates that the IKE SA has been established successfully.

View the established IPSec SAs on AR1 and AR2

[AR1]dis ipsec sa br

Number of SAs:2
    Src address     Dst address        SPI    VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
   202.108.10.1    202.108.20.1 1024164772      0    ESP   E:AES-128 A:SHA2_256_
128
   202.108.20.1    202.108.10.1  168286895      0    ESP   E:AES-128 A:SHA2_256_
128
<AR2>dis ipsec sa brief 

Number of SAs:2
    Src address     Dst address        SPI    VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
   202.108.10.1    202.108.20.1 1024164772      0    ESP   E:AES-128 A:SHA2_256_
128
   202.108.20.1    202.108.10.1  168286895      0    ESP   E:AES-128 A:SHA2_256_
128

The SPI uniquely identifies an IPSec SA. When encapsulating IPSec traffic, the router looks up the SPI of the corresponding SA in the SADB and places it in the ESP header.

PC1 pings PC2

PC>ping 10.10.20.20

Ping 10.10.20.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.10.20.20: bytes=32 seq=2 ttl=127 time=31 ms
From 10.10.20.20: bytes=32 seq=3 ttl=127 time=31 ms
From 10.10.20.20: bytes=32 seq=4 ttl=127 time=16 ms
From 10.10.20.20: bytes=32 seq=5 ttl=127 time=15 ms

--- 10.10.20.20 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/23/31 ms
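As an added consistency check (example code written for this page, not part of the original walkthrough): a small Python script that parses the AR1 and AR2 command lines from steps 3 to 6 and verifies that the two ends mirror each other, i.e. the ACL data flows are reversed, the ESP and IKE algorithms match, the pre-shared keys are identical, and each remote-address is the peer's g0/0/0 address from step 1. The parse and check_mirror names and the sample strings are mine; the values are copied from the configuration shown above.

```python
import re
# Constructed sample: the AR1 and AR2 command lines from steps 3 to 6 above, in VRP prompt format.
AR1_CFG = """\
[AR1-acl-adv-3010]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[AR1-ipsec-proposal-prop10]esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-prop10]esp encryption-algorithm aes-128
[AR1-ike-proposal-10]authentication-algorithm sha1
[AR1-ike-proposal-10]encryption-algorithm aes-cbc-128
[AR1-ike-peer-ike10]pre-shared-key cipher huawei123
[AR1-ike-peer-ike10]remote-address 202.108.20.1
"""
AR2_CFG = """\
[AR2-acl-adv-3020]rule permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[AR2-ipsec-proposal-prop20]esp authentication-algorithm sha2-256
[AR2-ipsec-proposal-prop20]esp encryption-algorithm aes-128
[AR2-ike-proposal-20]authentication-algorithm sha1
[AR2-ike-proposal-20]encryption-algorithm aes-cbc-128
[AR2-ike-peer-ike20]pre-shared-key cipher huawei123
[AR2-ike-peer-ike20]remote-address 202.108.10.1
"""
AR1_WAN, AR2_WAN = "202.108.10.1", "202.108.20.1"   # g0/0/0 addresses from the dis ip int brief output above
ALGO_KEYS = ("esp authentication-algorithm", "esp encryption-algorithm", "authentication-algorithm", "encryption-algorithm")
ACL_RE = re.compile(r"rule permit ip source (\S+) \S+ destination (\S+) \S+")

def parse(cfg):
    """Pull out the fields that have to agree between the two tunnel ends."""
    fields = {}
    for line in cfg.splitlines():
        cmd = line.split("]", 1)[1]          # drop the "[AR1-...]" view prompt
        m = ACL_RE.match(cmd)
        if m:
            fields["src"], fields["dst"] = m.groups()
        for key in ALGO_KEYS + ("pre-shared-key cipher", "remote-address"):
            if cmd.startswith(key + " "):     # "esp ..." lines never start with the bare IKE key names
                fields[key] = cmd[len(key) + 1:].strip()
    return fields

def check_mirror(a, b, a_wan, b_wan):
    """Return a list of mismatches; an empty list means the two ends are consistent."""
    problems = []
    if (a.get("src"), a.get("dst")) != (b.get("dst"), b.get("src")):
        problems.append("ACL data flows are not mirror images of each other")
    for key in ALGO_KEYS:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if a.get("pre-shared-key cipher") != b.get("pre-shared-key cipher"):
        problems.append("pre-shared keys differ, so IKE phase 1 cannot authenticate")
    if a.get("remote-address") != b_wan or b.get("remote-address") != a_wan:
        problems.append("remote-address does not point at the peer's g0/0/0 address")
    return problems
```

Running check_mirror(parse(AR1_CFG), parse(AR2_CFG), AR1_WAN, AR2_WAN) on the page's configuration returns an empty list; changing one algorithm or key on either side produces a named mismatch instead of a silent IKE failure.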