Huawei router: IPsec technology
程序员文章站
2024-03-20 22:02:34
Lab topology
R1: configure the IP addresses according to the topology (omitted here).
R2 configuration
[R2]ip route-static 0.0.0.0 0 10.10.10.2   # add a route so the two public IPs can reach each other
[R2]acl 3000
[R2-acl-adv-3000]rule permit ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255   # define the traffic to be protected
Create the IPsec proposal
[R2]ipsec proposal pokes
[R2-ipsec-proposal-pokes]q
[R2]dis ipsec proposal name pokes   # check the defaults first
IPSec proposal name: pokes
Encapsulation mode: Tunnel   # encapsulation mode
Transform : esp-new   # transform (security protocol)
ESP protocol : Authentication MD5-HMAC-96   # authentication algorithm
Encryption DES   # encryption algorithm (these defaults, DES with MD5-HMAC, are weak by modern standards)
Create the security policy
[R2]ipsec policy zhpr 10 manual   # create manual security policy zhpr, sequence 10
[R2-ipsec-policy-manual-zhpr-10]security acl 3000   # reference the ACL
[R2-ipsec-policy-manual-zhpr-10]proposal pokes   # reference the proposal
[R2-ipsec-policy-manual-zhpr-10]tunnel local 10.10.10.1   # tunnel source address
[R2-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.20.1   # tunnel destination address
[R2-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456   # set the SA's security parameter index (SPI)
[R2-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567   # set the SA's authentication key (string-key)
[R2-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R2-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567
Apply the policy on the interface
[R2]in g0/0/0   # public-network egress interface
[R2-GigabitEthernet0/0/0]ipsec policy zhpr
[R2]dis ipsec policy brief   # check the IPsec policy bound to the interface
Number of policies group : 1
Number of policies : 1
Policy name   Mode     ACL    Peer name   Local address   Remote address
--------------------------------------------------------------------------------
zhpr-10       manual   3000               10.10.10.1      10.10.20.1
Notes:
- sa spi inbound esp 123456 must match the peer's outbound SPI.
- sa string-key inbound esp simple 234567 must match the peer's outbound key.
It is recommended to configure one end first, then copy and paste the configuration to the other end, changing the source and destination addresses when pasting.
R3 configuration
[R3]ip route-static 0.0.0.0 0 10.10.20.2
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 192.168.12.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
[R3]ipsec policy zhpr 10 manual
[R3-ipsec-policy-manual-zhpr-10]security acl 3000
[R3-ipsec-policy-manual-zhpr-10]proposal pokes   # the proposal pokes must also exist on R3, created the same way as on R2
[R3-ipsec-policy-manual-zhpr-10]tunnel local 10.10.20.1
[R3-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.10.1
[R3-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456
[R3-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R3-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10]q
[R3]in g0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy zhpr
[R3]dis ipsec policy brief
Number of policies group : 1
Number of policies : 1
Policy name   Mode     ACL    Peer name   Local address   Remote address
--------------------------------------------------------------------------------
zhpr-10       manual   3000               10.10.20.1      10.10.10.1
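As an added example (not from the original post), the following Python script parses the two manual policy blocks above and checks the rule stated in the notes: each end's inbound SPI and key must equal the peer's outbound ones, and tunnel local/remote must be mirrored. It also lists directions whose key was entered with `simple`, which leaves the key readable in the running configuration. The configuration text is constructed from the R2 and R3 commands on this page; the function names are the example's own.

```python
import re
# Constructed sample input: the manual policy blocks as configured on R2 and R3 above.
R2_POLICY = """\
ipsec policy zhpr 10 manual
 security acl 3000
 proposal pokes
 tunnel local 10.10.10.1
 tunnel remote 10.10.20.1
 sa spi inbound esp 123456
 sa string-key inbound esp simple 234567
 sa spi outbound esp 123456
 sa string-key outbound esp simple 234567
"""
# R3 is the copy-and-paste the post recommends, with the two tunnel addresses swapped.
R3_POLICY = (R2_POLICY.replace("local 10.10.10.1", "local 10.10.20.1")
                      .replace("remote 10.10.20.1", "remote 10.10.10.1"))

def parse_manual_policy(text):
    """Pull tunnel endpoints and per-direction ESP SPI / key out of one policy block."""
    sa = {"local": None, "remote": None, "inbound": {}, "outbound": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"tunnel (local|remote) (\S+)", line)
        if m:
            sa[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"sa spi (inbound|outbound) esp (\d+)", line)
        if m:
            sa[m.group(1)]["spi"] = int(m.group(2))
            continue
        m = re.fullmatch(r"sa string-key (inbound|outbound) esp (simple|cipher) (\S+)", line)
        if m:
            sa[m.group(1)].update(key_form=m.group(2), key=m.group(3))
    return sa

def check_peers(a, b):
    """List mismatches; empty means A's inbound mirrors B's outbound and vice versa."""
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel local/remote addresses are not mirrored between the peers")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a[mine].get("spi") != b[theirs].get("spi"):
            problems.append(f"A {mine} SPI {a[mine].get('spi')} != B {theirs} SPI {b[theirs].get('spi')}")
        if a[mine].get("key") != b[theirs].get("key"):
            problems.append(f"A {mine} key does not match B {theirs} key")
    return problems

def plaintext_keys(sa):
    """Directions whose key was entered with 'simple', so it is readable in the running config."""
    return [d for d in ("inbound", "outbound") if sa[d].get("key_form") == "simple"]
```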
Test results
PC>ping 192.168.12.1
Ping 192.168.12.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.12.1: bytes=32 seq=2 ttl=127 time=15 ms
From 192.168.12.1: bytes=32 seq=3 ttl=127 time=16 ms
From 192.168.12.1: bytes=32 seq=4 ttl=127 time=31 ms
From 192.168.12.1: bytes=32 seq=5 ttl=127 time=16 ms
--- 192.168.12.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/19/31 ms
PC>
PC>ping 192.168.11.1
Ping 192.168.11.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.11.1: bytes=32 seq=2 ttl=127 time=16 ms
From 192.168.11.1: bytes=32 seq=3 ttl=127 time=15 ms
From 192.168.11.1: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.11.1: bytes=32 seq=5 ttl=127 time=31 ms
--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/23/32 ms
PC>
In practice, production IPsec deployments are built on purchased dedicated hardware appliances, which are far more capable; doing it on a router is honestly a bit low-end.