IPSec VPN Basic Lab Configuration
IPSec Overview
IPSec (Internet Protocol Security) is a set of open network security protocols defined by the IETF (Internet Engineering Task Force). At the IP layer it protects the data that two parties exchange over the Internet by means of data-origin authentication, data encryption, data integrity checking and anti-replay protection.
IPSec Architecture
The IPSec VPN architecture consists mainly of the AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange) protocol suite. The two security protocols, AH and ESP, provide the secure transmission of IP datagrams.
- AH: provides data-origin authentication, data integrity checking and anti-replay protection; however, AH does not encrypt the datagram it protects.
- ESP: provides all the functions of AH (except that its integrity check does not cover the IP header) and additionally encrypts the IP packet.
- IKE: automatically negotiates the cryptographic algorithms used by AH and ESP, and establishes and maintains security associations (SAs).
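The AH bullet above says AH authenticates but does not encrypt, and the ESP bullet says ESP's integrity check, unlike AH's, excludes the IP header. The following Python script is an added worked example, not part of the original lab or of Huawei's implementation: it builds a tunnel-mode AH packet with the HMAC-SHA-256-128 algorithm that `ah authentication-algorithm sha2-256` selects, computes the ICV over the immutable IP header fields exactly as RFC 4302 prescribes, and then shows what a verifier sees after the packet passes a normal router hop (TTL decremented, ICV still valid) and after a NAT device rewrites the outer source address (ICV invalid). The inner ICMP packet, the IPv4 header builder (checksum left at zero) and the key bytes are constructed for the example; the lab's string key "huawei" is reused only so the numbers line up with the configuration.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
IPIP_PROTO = 4       # next header in tunnel mode: the payload is a whole inner IP packet
ICV_LEN = 16         # HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number
# The lab's "sa string-key ... huawei" as raw bytes; constructed for illustration only.
STRING_KEY = b"huawei"


def build_ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and checksum may legitimately change
    in transit, so they are zeroed before the ICV is computed. Everything else,
    including the source and destination addresses, is covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the immutable IP header, the AH with its ICV field zeroed, and the payload."""
    authed = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, payload, next_header=IPIP_PROTO):
    """Outer IPv4 header + AH + ICV + (unencrypted) payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, total_len)
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """What the receiving gateway does: recompute the ICV and compare in constant time."""
    ip_hdr = packet[:20]
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    icv = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    payload = packet[20 + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv)


def ah_spi(packet):
    """SPI field of the AH (used by the receiver to select the inbound SA)."""
    return struct.unpack("!I", packet[24:28])[0]


def nat_rewrite_source(packet, new_src):
    """What a NAT device does to the outer header: replace the source address (bytes 12..15)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def hop_decrement_ttl(packet):
    """What every router on the path does: decrement the TTL (byte 8)."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


# Constructed inner packet: an ICMP echo request from PC1 to PC2 (IP header + 8 stub bytes).
INNER = build_ipv4_header("192.168.1.10", "192.168.2.10", 1, 28) + b"\x08\x00" + b"\x00" * 6


def demo():
    pkt = ah_protect(STRING_KEY, "110.1.1.1", "110.1.2.2", spi=54321, seq=1, payload=INNER)
    return {
        "intact": ah_verify(STRING_KEY, pkt),
        "after_ttl_decrement": ah_verify(STRING_KEY, hop_decrement_ttl(pkt)),
        "after_nat": ah_verify(STRING_KEY, nat_rewrite_source(pkt, "203.0.113.5")),
        "wrong_key": ah_verify(b"hauwei", pkt),
        "payload_visible": INNER in pkt,   # AH authenticates but does not hide the payload
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two results matter for the rest of the lab: `after_nat` is False, which is why AH cannot pass through a NAT device and why the NAT step later excludes the tunnelled traffic from translation, and `payload_visible` is True, which is what the packet captures show before the proposal is switched to ESP.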

Project Background
Enterprises have growing requirements for network security, while the traditional TCP/IP protocol suite lacks effective authentication and confidentiality mechanisms. IPSec (Internet Protocol Security), an open-standard security framework, can guarantee the confidentiality, integrity and anti-replay protection of IP packets transmitted over the network.
As shown in the topology figure below, AR1 is the headquarters gateway and AR3 is the branch gateway; headquarters and branch communicate over the public network. The headquarters subnet is 192.168.1.0/24 and the branch subnet is 192.168.2.0/24. AR2 simulates the ISP, and its loopback interface simulates a public IP address.
The enterprise wants to protect the traffic exchanged between the headquarters subnet and the branch subnet. Because headquarters and branch communicate over the public network, an IPSec tunnel can be set up between the two gateways to protect this traffic.
This lab builds the IPSec tunnel using ACLs, demonstrating the manual method and the IKE dynamic negotiation method in turn.
- Manual method: all information required by the SA must be configured by hand.
- IKE dynamic negotiation method: IKE negotiates the keys automatically, creating and maintaining the SAs dynamically.

IPSec VPN Configuration Steps (Configuration Roadmap)

Static IPSec Configuration (Manual Method)
1. On AR2, configure the device name and interface IP addresses to simulate the ISP network.
<Huawei> system-view
[Huawei] sysname AR2
[AR2] interface GigabitEthernet0/0/0
[AR2-GigabitEthernet0/0/0] ip address 110.1.1.2 255.255.255.0
[AR2-GigabitEthernet0/0/0] quit
[AR2] interface GigabitEthernet0/0/1
[AR2-GigabitEthernet0/0/1] ip address 110.1.2.1 255.255.255.0
[AR2-GigabitEthernet0/0/1] quit
[AR2] interface LoopBack0
[AR2-LoopBack0] ip address 1.1.1.1 255.255.255.0
[AR2-LoopBack0] quit
2. On AR1 and AR3, configure the device name, interface IP addresses and a default route so that the two routers can reach each other.
# Configure the device name and interface IP addresses on AR1
<Huawei> system-view
[Huawei] sysname AR1
[AR1] interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] ip address 110.1.1.1 255.255.255.0
[AR1-GigabitEthernet0/0/0] quit
[AR1] interface GigabitEthernet0/0/2
[AR1-GigabitEthernet0/0/2] ip address 192.168.1.254 255.255.255.0
[AR1-GigabitEthernet0/0/2] quit
# Configure the default route on AR1
[AR1] ip route-static 0.0.0.0 0.0.0.0 110.1.1.2
# Configure the device name and interface IP addresses on AR3
<Huawei> system-view
[Huawei] sysname AR3
[AR3] interface GigabitEthernet0/0/1
[AR3-GigabitEthernet0/0/1] ip address 110.1.2.2 255.255.255.0
[AR3-GigabitEthernet0/0/1] quit
[AR3] interface GigabitEthernet0/0/2
[AR3-GigabitEthernet0/0/2] ip address 192.168.2.254 255.255.255.0
[AR3-GigabitEthernet0/0/2] quit
# Configure the default route on AR3
[AR3] ip route-static 0.0.0.0 0.0.0.0 110.1.2.1
3. On AR1 and AR3, configure ACLs to define the data flows that each side needs IPSec to protect.
# On AR1, configure an ACL defining the flow from subnet 192.168.1.0/24 to subnet 192.168.2.0/24
[AR1] acl number 3000
[AR1-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR1-acl-adv-3000] quit
# On AR3, configure an ACL defining the flow from subnet 192.168.2.0/24 to subnet 192.168.1.0/24
[AR3] acl number 3000
[AR3-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3000] quit
4. On AR1 and AR3, configure an IPSec proposal defining the IPSec protection method.
# Configure the IPSec proposal on AR1
[AR1] ipsec proposal pro1
[AR1-ipsec-proposal-pro1] transform ah
[AR1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[AR1-ipsec-proposal-pro1] quit
# Configure the IPSec proposal on AR3
[AR3] ipsec proposal pro1
[AR3-ipsec-proposal-pro1] transform ah
[AR3-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[AR3-ipsec-proposal-pro1] quit
At this point, running display ipsec proposal on AR1 and AR3 shows the configured information.


5. Configure a security policy that references the ACL and the IPSec proposal, determining which protection method is applied to which data flow.
# Configure a manual security policy on AR1
[AR1] ipsec policy ipsec 1 manual
[AR1-ipsec-policy-manual-ipsec-1] security acl 3000
[AR1-ipsec-policy-manual-ipsec-1] proposal pro1
[AR1-ipsec-policy-manual-ipsec-1] tunnel local 110.1.1.1
[AR1-ipsec-policy-manual-ipsec-1] tunnel remote 110.1.2.2
[AR1-ipsec-policy-manual-ipsec-1] sa spi inbound ah 12345
[AR1-ipsec-policy-manual-ipsec-1] sa string-key inbound ah cipher huawei
[AR1-ipsec-policy-manual-ipsec-1] sa spi outbound ah 54321
[AR1-ipsec-policy-manual-ipsec-1] sa string-key outbound ah cipher huawei
[AR1-ipsec-policy-manual-ipsec-1] quit
# Configure a manual security policy on AR3 (the local and remote tunnel addresses are the mirror image of AR1's, and AR3's inbound SPI and key must equal AR1's outbound SPI and key)
[AR3] ipsec policy ipsec 1 manual
[AR3-ipsec-policy-manual-ipsec-1] security acl 3000
[AR3-ipsec-policy-manual-ipsec-1] proposal pro1
[AR3-ipsec-policy-manual-ipsec-1] tunnel local 110.1.2.2
[AR3-ipsec-policy-manual-ipsec-1] tunnel remote 110.1.1.1
[AR3-ipsec-policy-manual-ipsec-1] sa spi inbound ah 54321
[AR3-ipsec-policy-manual-ipsec-1] sa string-key inbound ah cipher huawei
[AR3-ipsec-policy-manual-ipsec-1] sa spi outbound ah 12345
[AR3-ipsec-policy-manual-ipsec-1] sa string-key outbound ah cipher huawei
[AR3-ipsec-policy-manual-ipsec-1] quit
At this point, running display ipsec sa on AR1 and AR3 shows the configured information.


6. Apply the security policy group to the interfaces of AR1 and AR3 so that the interfaces provide IPSec protection.
# Reference the security policy group on the AR1 interface
[AR1] interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0] ipsec policy ipsec
[AR1-GigabitEthernet0/0/0] quit
# Reference the security policy group on the AR3 interface
[AR3] interface gigabitethernet 0/0/1
[AR3-GigabitEthernet0/0/1] ipsec policy ipsec
[AR3-GigabitEthernet0/0/1] quit
Ping the branch PC2 from the headquarters PC1.

Packet capture analysis

7. Configure NAT on AR1 and AR3 so that the internal PCs can ping the ISP. The deny rule in ACL 3001 exempts the headquarters-to-branch flow from translation; that flow must keep its private addresses so that it still matches ACL 3000 and is sent through the IPSec tunnel.
# Configure NAT on AR1
[AR1] acl number 3001
[AR1-acl-adv-3001] rule deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR1-acl-adv-3001] rule permit ip
[AR1-acl-adv-3001] quit
[AR1] interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] nat outbound 3001
[AR1-GigabitEthernet0/0/0] quit
# Configure NAT on AR3
[AR3] acl number 3001
[AR3-acl-adv-3001] rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3-acl-adv-3001] rule permit ip
[AR3-acl-adv-3001] quit
[AR3] interface GigabitEthernet0/0/1
[AR3-GigabitEthernet0/0/1] nat outbound 3001
[AR3-GigabitEthernet0/0/1] quit
Ping 1.1.1.1 from PC1.
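To make the interaction between ACL 3001 (NAT) and ACL 3000 (IPSec) concrete, here is an added Python model that is not part of the original lab: it implements Huawei-style wildcard-mask matching and first-match ACL lookup, then models the outbound path of the public interface under the assumption, taken from Huawei's documented processing order, that NAT is applied before the IPSec policy is evaluated. The packets and the "forgotten deny rule" variant of ACL 3001 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One line of a Huawei advanced ACL: 'rule permit|deny ip [source ...] [destination ...]'."""
    action: str                        # "permit" or "deny"
    source: Optional[str] = None       # "network wildcard", or None for any source
    destination: Optional[str] = None  # "network wildcard", or None for any destination


def wildcard_match(address: str, spec: Optional[str]) -> bool:
    """Huawei wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec is None:
        return True
    network, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)   # compare only the bits the wildcard leaves fixed


def acl_lookup(acl: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins; None when no rule matches (the packet is simply not selected)."""
    for rule in acl:
        if wildcard_match(src, rule.source) and wildcard_match(dst, rule.destination):
            return rule.action
    return None


def outbound(src: str, dst: str, nat_acl: List[Rule], ipsec_acl: List[Rule],
             public_ip: str) -> Tuple[str, bool, bool]:
    """Model of the outbound path on the public interface (assumption: NAT runs first,
    so the IPSec ACL sees the source address as NAT left it).
    Returns (source address on the wire, was translated, was IPSec-protected)."""
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    if translated:
        src = public_ip
    protected = acl_lookup(ipsec_acl, src, dst) == "permit"
    return src, translated, protected


# The lab's ACLs on AR1.
LAN_HQ = "192.168.1.0 0.0.0.255"
LAN_BRANCH = "192.168.2.0 0.0.0.255"
ACL_3000 = [Rule("permit", LAN_HQ, LAN_BRANCH)]           # IPSec: protect HQ -> branch
ACL_3001 = [Rule("deny", LAN_HQ, LAN_BRANCH), Rule("permit")]  # NAT: everything except the tunnel flow
ACL_3001_NO_EXEMPTION = [Rule("permit")]                  # constructed: the deny rule forgotten


def demo():
    hq_public = "110.1.1.1"
    return {
        "to_branch": outbound("192.168.1.10", "192.168.2.10", ACL_3001, ACL_3000, hq_public),
        "to_isp": outbound("192.168.1.10", "1.1.1.1", ACL_3001, ACL_3000, hq_public),
        "to_branch_no_exemption": outbound("192.168.1.10", "192.168.2.10",
                                           ACL_3001_NO_EXEMPTION, ACL_3000, hq_public),
    }


if __name__ == "__main__":
    for name, (src, translated, protected) in demo().items():
        print(f"{name}: source on wire {src}, NAT {translated}, IPSec {protected}")
```

With the deny rule in place, the PC1-to-PC2 packet keeps its private source, matches ACL 3000 and is tunnelled, while the PC1-to-1.1.1.1 packet is translated to 110.1.1.1 and sent in the clear. Without the deny rule the PC1-to-PC2 packet is translated first, no longer matches ACL 3000, and leaves the gateway unprotected, which is the failure mode the ACL 3001 ordering prevents.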

Packet capture analysis

8. On AR1 and AR3, change the security protocol in the IPSec proposal from AH to ESP.
# Modify the IPSec proposal on AR1
[AR1] ipsec proposal pro1
[AR1-ipsec-proposal-pro1] transform esp
[AR1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-pro1] esp encryption-algorithm 3des
[AR1-ipsec-proposal-pro1] quit
# Modify the IPSec proposal on AR3
[AR3] ipsec proposal pro1
[AR3-ipsec-proposal-pro1] transform esp
[AR3-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[AR3-ipsec-proposal-pro1] esp encryption-algorithm 3des
[AR3-ipsec-proposal-pro1] quit
At this point, running display ipsec proposal on AR1 and AR3 shows the configured information.


9. Modify the IPSec security policy on AR1 and AR3, replacing the AH SPIs and keys with ESP ones.
# Modify the IPSec security policy on AR1
[AR1] ipsec policy ipsec 1 manual
[AR1-ipsec-policy-manual-ipsec-1] undo sa spi inbound ah
[AR1-ipsec-policy-manual-ipsec-1] sa spi inbound esp 12345
[AR1-ipsec-policy-manual-ipsec-1] undo sa string-key inbound ah
[AR1-ipsec-policy-manual-ipsec-1] sa string-key inbound esp cipher huawei
[AR1-ipsec-policy-manual-ipsec-1] undo sa spi outbound ah
[AR1-ipsec-policy-manual-ipsec-1] sa spi outbound esp 54321
[AR1-ipsec-policy-manual-ipsec-1] undo sa string-key outbound ah
[AR1-ipsec-policy-manual-ipsec-1] sa string-key outbound esp cipher huawei
[AR1-ipsec-policy-manual-ipsec-1] quit
# Modify the IPSec security policy on AR3
[AR3] ipsec policy ipsec 1 manual
[AR3-ipsec-policy-manual-ipsec-1] undo sa spi inbound ah
[AR3-ipsec-policy-manual-ipsec-1] sa spi inbound esp 54321
[AR3-ipsec-policy-manual-ipsec-1] undo sa string-key inbound ah
[AR3-ipsec-policy-manual-ipsec-1] sa string-key inbound esp cipher huawei
[AR3-ipsec-policy-manual-ipsec-1] undo sa spi outbound ah
[AR3-ipsec-policy-manual-ipsec-1] sa spi outbound esp 12345
[AR3-ipsec-policy-manual-ipsec-1] undo sa string-key outbound ah
[AR3-ipsec-policy-manual-ipsec-1] sa string-key outbound esp cipher huawei
[AR3-ipsec-policy-manual-ipsec-1] quit
At this point, running display ipsec sa on AR1 and AR3 shows the configured information.


Packet capture analysis

Configuration files
AR1
#
sysname AR1
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip
#
ipsec proposal pro1
transform ah
ah authentication-algorithm sha2-256
#
ipsec policy ipsec 1 manual
security acl 3000
proposal pro1
tunnel local 110.1.1.1
tunnel remote 110.1.2.2
sa spi inbound ah 54321
sa string-key inbound ah cipher huawei
sa spi outbound ah 12345
sa string-key outbound ah cipher huawei
#
interface GigabitEthernet0/0/0
ip address 110.1.1.1 255.255.255.0
ipsec policy ipsec
nat outbound 3001
#
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 110.1.1.2
AR2
#
sysname AR2
#
interface GigabitEthernet0/0/0
ip address 110.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 110.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.0
AR3
#
sysname AR3
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
#
ipsec proposal pro1
transform ah
ah authentication-algorithm sha2-256
#
ipsec policy ipsec 1 manual
security acl 3000
proposal pro1
tunnel local 110.1.2.2
tunnel remote 110.1.1.1
sa spi inbound ah 12345
sa string-key inbound ah cipher huawei
sa spi outbound ah 54321
sa string-key outbound ah cipher huawei
#
interface GigabitEthernet0/0/1
ip address 110.1.2.2 255.255.255.0
ipsec policy ipsec
nat outbound 3001
#
interface GigabitEthernet0/0/2
ip address 192.168.2.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 110.1.2.1
Establishing IPSec with IKE Dynamic Negotiation
1. Reuse the topology of the previous lab and modify the existing configuration so that IPSec is established through IKE negotiation (the interface IP addresses, default routes, NAT and IPSec proposal configuration all carry over from the previous lab).
2. Configure the IKE peers on AR1 and AR3
# Configure the IKE proposal on AR1
[AR1] ike proposal 10
[AR1-ike-proposal-10] encryption-algorithm des-cbc
[AR1-ike-proposal-10] authentication-algorithm sha1
[AR1-ike-proposal-10] quit
# Configure the IKE peer on AR1 and, keeping the default settings otherwise, configure the pre-shared key and the remote ID
[AR1] ike peer peer v1
[AR1-ike-peer-peer] ike-proposal 10
[AR1-ike-peer-peer] pre-shared-key cipher huawei
[AR1-ike-peer-peer] remote-address 110.1.2.2
[AR1-ike-peer-peer] quit
# Configure the IKE proposal on AR3
[AR3] ike proposal 10
[AR3-ike-proposal-10] encryption-algorithm des-cbc
[AR3-ike-proposal-10] authentication-algorithm sha1
[AR3-ike-proposal-10] quit
# Configure the IKE peer on AR3 and, keeping the default settings otherwise, configure the pre-shared key and the remote ID
[AR3] ike peer peer v1
[AR3-ike-peer-peer] ike-proposal 10
[AR3-ike-peer-peer] pre-shared-key cipher huawei
[AR3-ike-peer-peer] remote-address 110.1.1.1
[AR3-ike-peer-peer] quit
3. Create the security policies on AR1 and AR3
# Configure an IKE-negotiated (isakmp) security policy on AR1
[AR1] ipsec policy ipsec1 1 isakmp
[AR1-ipsec-policy-isakmp-ipsec1-1] ike-peer peer
[AR1-ipsec-policy-isakmp-ipsec1-1] proposal pro1
[AR1-ipsec-policy-isakmp-ipsec1-1] security acl 3000
[AR1-ipsec-policy-isakmp-ipsec1-1] quit
# Configure an IKE-negotiated (isakmp) security policy on AR3
[AR3] ipsec policy ipsec1 1 isakmp
[AR3-ipsec-policy-isakmp-ipsec1-1] ike-peer peer
[AR3-ipsec-policy-isakmp-ipsec1-1] proposal pro1
[AR3-ipsec-policy-isakmp-ipsec1-1] security acl 3000
[AR3-ipsec-policy-isakmp-ipsec1-1] quit
At this point, running display ipsec policy name ipsec1 on AR1 and AR3 shows the configured information.
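Both the manual policy of step 5 in the first lab and the IKE peer and isakmp policy of steps 2 and 3 here only work when the two gateways' values are mirror images of each other: tunnel local on one side is tunnel remote on the other, an inbound SPI and key on one side are the outbound SPI and key on the other, and the pre-shared key, IKE algorithms, IPSec proposal and protected flow agree. A one-letter typo in a string-key or pre-shared key, or swapped tunnel addresses, leaves the tunnel down with little to go on. The following Python check is an added example, not part of the original lab or of any Huawei tool: it captures each gateway's values in a small record and cross-checks the pair, using the lab's own values as sample data plus two constructed faulty variants. It only checks that both ends agree; it says nothing about algorithm strength (the lab's des-cbc/sha1 IKE proposal and 3des ESP encryption are lab choices, not what a production deployment would pick).

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class ManualPolicy:
    """Values from 'ipsec policy <name> <seq> manual' and its security ACL on one gateway."""
    tunnel_local: str
    tunnel_remote: str
    proposal: str          # IPSec proposal name (assumed to have identical contents on both ends)
    spi_in: int
    spi_out: int
    key_in: str
    key_out: str
    acl_src: str           # "network wildcard" of the protected flow's source
    acl_dst: str           # "network wildcard" of the protected flow's destination


@dataclass(frozen=True)
class IkePeer:
    """Values from 'ike peer', its 'ike-proposal' and the isakmp policy on one gateway."""
    local_address: str
    remote_address: str
    ike_encryption: str
    ike_authentication: str
    pre_shared_key: str
    ipsec_proposal: str
    acl_src: str
    acl_dst: str


# (label, attribute on side A, attribute on side B that must hold the same value)
MANUAL_PAIRS: List[Tuple[str, str, str]] = [
    ("tunnel endpoints", "tunnel_local", "tunnel_remote"),
    ("tunnel endpoints", "tunnel_remote", "tunnel_local"),
    ("inbound SPI", "spi_in", "spi_out"),
    ("outbound SPI", "spi_out", "spi_in"),
    ("inbound key", "key_in", "key_out"),
    ("outbound key", "key_out", "key_in"),
    ("IPSec proposal", "proposal", "proposal"),
    ("protected flow", "acl_src", "acl_dst"),
    ("protected flow", "acl_dst", "acl_src"),
]
IKE_PAIRS: List[Tuple[str, str, str]] = [
    ("IKE endpoints", "local_address", "remote_address"),
    ("IKE endpoints", "remote_address", "local_address"),
    ("IKE encryption", "ike_encryption", "ike_encryption"),
    ("IKE authentication", "ike_authentication", "ike_authentication"),
    ("pre-shared key", "pre_shared_key", "pre_shared_key"),
    ("IPSec proposal", "ipsec_proposal", "ipsec_proposal"),
    ("protected flow", "acl_src", "acl_dst"),
    ("protected flow", "acl_dst", "acl_src"),
]


def _cross_check(a, b, pairs, name_a, name_b) -> List[str]:
    """Return one message per attribute pair whose values differ; empty list means consistent."""
    problems = []
    for label, attr_a, attr_b in pairs:
        va, vb = getattr(a, attr_a), getattr(b, attr_b)
        if va != vb:
            problems.append(f"{label}: {name_a} {attr_a}={va!r} but {name_b} {attr_b}={vb!r}")
    return problems


def check_manual(a: ManualPolicy, b: ManualPolicy, name_a="AR1", name_b="AR3") -> List[str]:
    return _cross_check(a, b, MANUAL_PAIRS, name_a, name_b)


def check_ike(a: IkePeer, b: IkePeer, name_a="AR1", name_b="AR3") -> List[str]:
    return _cross_check(a, b, IKE_PAIRS, name_a, name_b)


# Sample data: the lab's values (the string keys are the plaintext behind 'cipher huawei').
HQ, BRANCH = "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"
AR1_MANUAL = ManualPolicy("110.1.1.1", "110.1.2.2", "pro1", 12345, 54321, "huawei", "huawei", HQ, BRANCH)
AR3_MANUAL = ManualPolicy("110.1.2.2", "110.1.1.1", "pro1", 54321, 12345, "huawei", "huawei", BRANCH, HQ)
AR1_IKE = IkePeer("110.1.1.1", "110.1.2.2", "des-cbc", "sha1", "huawei", "pro1", HQ, BRANCH)
AR3_IKE = IkePeer("110.1.2.2", "110.1.1.1", "des-cbc", "sha1", "huawei", "pro1", BRANCH, HQ)


def demo():
    """The lab pair as configured, plus constructed faults: a key typo, swapped tunnel
    addresses on AR3, and a pre-shared key typo."""
    return {
        "lab_manual": check_manual(AR1_MANUAL, AR3_MANUAL),
        "lab_ike": check_ike(AR1_IKE, AR3_IKE),
        "key_typo": check_manual(replace(AR1_MANUAL, key_out="hauwei"), AR3_MANUAL),
        "swapped_endpoints": check_manual(
            AR1_MANUAL, replace(AR3_MANUAL, tunnel_local="110.1.1.1", tunnel_remote="110.1.2.2")),
        "psk_typo": check_ike(AR1_IKE, replace(AR3_IKE, pre_shared_key="hauwei")),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'consistent' if not problems else problems}")
```

Run it after typing the configuration into both gateways and before looking at display ike sa or display ipsec sa: the message names the exact attribute and side that disagree, which the devices' own output does not.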


4. Apply each router's own security policy group to its interface on AR1 and AR3 so that the interfaces provide IPSec protection
# Change the security policy group referenced on the AR1 interface
[AR1] interface gigabitethernet 0/0/0
[AR1-GigabitEthernet0/0/0] undo ipsec policy ipsec
[AR1-GigabitEthernet0/0/0] ipsec policy ipsec1
[AR1-GigabitEthernet0/0/0] quit
# Change the security policy group referenced on the AR3 interface
[AR3] interface gigabitethernet 0/0/1
[AR3-GigabitEthernet0/0/1] undo ipsec policy ipsec
[AR3-GigabitEthernet0/0/1] ipsec policy ipsec1
[AR3-GigabitEthernet0/0/1] quit
From the headquarters PC1, ping the branch PC2 and the ISP.

5. Run display ike sa and display ipsec sa on AR1 and AR3; the results are as follows


Configuration files
AR1
#
sysname AR1
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip
#
ipsec proposal pro1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ipsec policy ipsec 1 manual
security acl 3000
proposal pro1
tunnel local 110.1.1.1
tunnel remote 110.1.2.2
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
#
ike proposal 10
#
ike peer peer v1
pre-shared-key cipher huawei
ike-proposal 10
remote-address 110.1.2.2
#
ipsec policy ipsec1 1 isakmp
security acl 3000
ike-peer peer
proposal pro1
#
interface GigabitEthernet0/0/0
ip address 110.1.1.1 255.255.255.0
ipsec policy ipsec1
nat outbound 3001
#
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 110.1.1.2
AR3
#
sysname AR3
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
#
ipsec proposal pro1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ipsec policy ipsec 1 manual
security acl 3000
proposal pro1
tunnel local 110.1.2.2
tunnel remote 110.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei
#
ike proposal 10
#
ike peer peer v1
pre-shared-key cipher huawei
ike-proposal 10
remote-address 110.1.1.1
#
ipsec policy ipsec1 1 isakmp
security acl 3000
ike-peer peer
proposal pro1
#
interface GigabitEthernet0/0/1
ip address 110.1.2.2 255.255.255.0
ipsec policy ipsec1
nat outbound 3001
#
interface GigabitEthernet0/0/2
ip address 192.168.2.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 110.1.2.1
Author: 二月初二
Layout: 梁漢榮、十六
Review: 正月十六

Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/281200.html
