IPSec_×××之H3C
一、部署IPsec关键点:
1) 先定义 ACL 和保证需要加密的数据 IP层可达;
2) 要定义 IKE Proposal、IKE Peer、IPSec Proposal 和 IPSec Policy;
3) 注意上述配置中只有 IPSec Policy 配置需引用 IPSec Proposal 和 IKE Peer;
4) 将定义好的 IPSec Policy 绑定到指定的出接口。
二、实验Toplogy
三、实验步骤:
1、省略R1、R2、R3的接口IP配置
2、R1:
1.配置需要加密传送的ACL
[R1]acl num 3000
[R1-acl-adv-3000]rule permit ip source 1.1.1.1 0.0.0.0 destination 3.3.3.3 0.0.0.0
2.IKE策略配置
[R1]ike proposal 10 //创建IKE提议,并进入IKE视图
[R1-ike-proposal-10]encryption-algorithm 3des-cbc //使用3DES的加密算法
[R1-ike-proposal-10]authentication-method pre-share //使用预设口令身份验证方式
[R1-ike-proposal-10]authentication-algorithm md5 //使用md5的认证算法
[R1-ike-proposal-10]dh group2 //使用的DH交换组
[R1-ike-proposal-10]sa duration 86400 //ISAKMP SA生存周期
[R1-ike-proposal-10]q
3.配置IKE对等体及密钥
[R1]ike peer R3 //创建IKE对等体,并进入IKE对等体视图
[R1-ike-peer-r3]exchange-mode main //IKE对等体的协商模式
[R1-ike-peer-r3]pre-shared-key h3c //IKE对等体的密钥
[R1-ike-peer-r3]local-address 12.1.1.1 //本端安全网关地址
[R1-ike-peer-r3]remote-address 23.1.1.3 //对等体安全网关地址
[R1-ike-peer-r3]remote-name R3 //对等体安全网关名称
[R1]ike local-name R1 //本端安全网关名称
4. IPSEC安全提议配置
[R1]ipsec proposal r1 //创建IPSEC安全提议
[R1-ipsec-proposal-r1]transform esp //安全协议
[R1-ipsec-proposal-r1]esp encryption-algorithm 3des //ESP协议采用加密算法
[R1-ipsec-proposal-r1]esp authentication-algorithm md5 //ESP协议采用认证算法
[R1-ipsec-proposal-r1]encapsulation-mode tunnel //ESP协议采用工作模式
[R1-ipsec-proposal-r1]q
5.配置IKE协商的安全策略
[R1]ipsec policy 1 10 isakmp //创建一条安全策略
[R1-ipsec-policy-isakmp-1-10]security acl 3000 //配置加密传送所需的ACL
[R1-ipsec-policy-isakmp-1-10]proposal r1 //配安全策略所引用的安全提议
[R1-ipsec-policy-isakmp-1-10]ike-peer r3 //引用的IKE对等体
[R1-ipsec-policy-isakmp-1-10]pfs dh-group2 //DH组
[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400 //ipsec SA生存周期
[R1-ipsec-policy-isakmp-1-10]q
6.在接口上应用安全策略
[R1]int s0/2/0
[R1-Serial0/2/0]ipsec policy 1 //在接口上应用安全策略
7、最后在出口指缺省路由
[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
R3:
[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
[R3]acl number 3000
[R3-acl-adv-3000]rule permit ip source 3.3.3.3 0.0.0.0 destination 1.1.1.1 0.0.0.0
[R3]ike proposal 10
[R3-ike-proposal-10]encryption-algorithm 3des-cbc
[R3-ike-proposal-10]authentication-method pre-share
[R3-ike-proposal-10]authentication-algorithm md5
[R3-ike-proposal-10]dh group2
[R3-ike-proposal-10]sa duration 86400
[R3-ike-proposal-10]q
[R3]ike peer R1
[R3-ike-peer-r1]exchange-mode main
[R3-ike-peer-r1]pre-shared-key h3c
[R3-ike-peer-r1]local-a 23.1.1.3
[R3-ike-peer-r1]remote-address 12.1.1.1
[R3-ike-peer-r1]remote-name R1
[R3-ike-peer-r1]q
[R3]ipsec proposal r3
[R3-ipsec-proposal-r3]transform esp
[R3-ipsec-proposal-r3]esp encryption-algorithm 3des
[R3-ipsec-proposal-r3]esp authentication-algorithm md5
[R3-ipsec-proposal-r3]encapsulation-mode tunnel
[R3-ipsec-proposal-r3]q
[R3]ipsec policy 1 10 isakmp
[R3-ipsec-policy-isakmp-1-10]security acl 3000
[R3-ipsec-policy-isakmp-1-10]proposal r3
[R3-ipsec-policy-isakmp-1-10]ike-peer R1
[R1-ipsec-policy-isakmp-1-10]pfs dh-group2
[R3-ipsec-policy-isakmp-1-10]sa duration time-based 86400
[R3-ipsec-policy-isakmp-1-10]q
[R3]int s0/2/0
[R3-Serial0/2/0]ipsec policy 1
[R3-Serial0/2/0]q
四、测试结果
[R1]ping -a 1.1.1.1 3.3.3.3
五、调试命令:
1.显示IKE对等体配置参数
[R1]dis ike peer
---------------------------
IKE Peer: r3
exchange mode: main on phase 1
pre-shared-key cipher nw1kqzgZJnA=
peer id type: ip
peer ip address: 23.1.1.3
local ip address: 12.1.1.1
peer name: R3
nat traversal: disable
dpd:
---------------------------
[R1]
2.显示当前ISAKMP SA的信息
[R1]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
3 23.1.1.3 RD|ST 2 IPSEC
2 23.1.1.3 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R1]
3.显示每个IKE提议的配置参数
[R1]dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
3 23.1.1.3 RD|ST 2 IPSEC
2 23.1.1.3 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R1]dis ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
10 PRE_SHARED MD5 3DES_CBC MODP_1024 86400
default PRE_SHARED SHA DES_CBC MODP_768 86400
[R1]
4.显示IPsec安全策略信息
[R1]dis ipsec policy
===========================================
IPsec Policy Group: "1"
Using interface: {Ethernet0/1/0}
===========================================
-----------------------------
IPsec policy name: "1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3000
selector mode: standard
ike-peer name: r3
perfect forward secrecy: DH group 2
proposal name: r1
IPsec sa local duration(time based): 86400 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
[R1]
5.显示IPSEC安全提议信息
[R1]dis ipsec proposal
IPsec proposal name: r1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption 3des
[R1]
6.显示IPSEC SA的信息
[R1]dis ipsec sa
===============================
Interface: Ethernet0/1/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: DH group 2
tunnel:
local address: 12.1.1.1
remote address: 23.1.1.3
Flow :
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: IP
ersal: N
[outbound ESP SAs]
spi: 1974141924 (0x75ab03e4)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887435624/84789
max sent sequence-number: 15
udp encapsulation used for nat traversal: N
[R1]
7.显示IPSEC处理的报文信息
[R1]dis ipsec statistics
the security packet statistics:
input/output security packets: 14/14
input/output security bytes: 1176/1176
input/output dropped security packets: 0/1
dropped security packet detail:
not enough memory: 0
can't find SA: 1
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
[R1]