Networking Requirements
As shown in Figure 1, enterprise A has two branches, each connected to the IP network through an LCCE. Branch 1 runs a local LAN with LCCE1 deployed as its gateway device; branch 2 runs a local LAN with LCCE2 deployed as its gateway device.
The enterprise now wants the services carried over the L2TPv3 tunnel to be protected against interception or tampering. L2TPv3 over IPSec can be configured to encrypt and protect the enterprise's traffic.
Figure 1 Network diagram for secure interconnection between branches using L2TPv3 over IPSec
Configuration Roadmap
The configuration roadmap for secure interconnection between branches using L2TPv3 over IPSec is as follows:
- Configure routes so that LCCE1 and LCCE2 are reachable from each other.
- Enable L2TPv3 globally.
- Create a Tunnel interface and configure the L2TPv3 tunnel parameters.
- Configure Link-bridge to bind the Tunnel interface to the AC interface.
- Configure an ACL to define the data flows to be protected by IPSec.
- Configure an IPSec proposal to define how IPSec protects the traffic.
- Configure an IKE peer to define the attributes used during IKE negotiation between the peers.
- Configure a security policy that references the ACL, the IPSec proposal and the IKE peer, so that it determines which data flows are protected and how.
- Apply the security policy group to the interface so that the interface provides IPSec protection.
Procedure
- Configure the IP address of the PW interface and a static route to the peer on LCCE1 and LCCE2 respectively
# Configure the IP address of the PW interface on LCCE1.
<Huawei> system-view
[Huawei] sysname LCCE1
[LCCE1] interface gigabitethernet 0/0/1
[LCCE1-GigabitEthernet0/0/1] ip address 10.1.1.2 24
[LCCE1-GigabitEthernet0/0/1] quit
# Configure a static route to the peer on LCCE1. Here the next-hop address towards the peer is assumed to be 10.1.1.3.
[LCCE1] ip route-static 10.1.2.0 255.255.255.0 10.1.1.3
# Configure the IP address of the PW interface on LCCE2.
<Huawei> system-view
[Huawei] sysname LCCE2
[LCCE2] interface gigabitethernet 0/0/1
[LCCE2-GigabitEthernet0/0/1] ip address 10.1.2.2 24
[LCCE2-GigabitEthernet0/0/1] quit
# Configure a static route to the peer on LCCE2. Here the next-hop address towards the peer is assumed to be 10.1.2.3.
[LCCE2] ip route-static 10.1.1.0 255.255.255.0 10.1.2.3
- Enable L2TPv3 globally
# Enable L2TPv3 on LCCE1.
[LCCE1] l2tpv3 enable
# Enable L2TPv3 on LCCE2.
[LCCE2] l2tpv3 enable
- Configure the L2TPv3 parameters on the Tunnel interface
# Create the Tunnel interface on LCCE1 and configure its parameters.
[LCCE1] interface tunnel 0/0/1
[LCCE1-Tunnel0/0/1] tunnel-protocol svpn
[LCCE1-Tunnel0/0/1] encapsulation l2tpv3 static
[LCCE1-Tunnel0/0/1] l2tpv3 local session-id 1
[LCCE1-Tunnel0/0/1] l2tpv3 remote session-id 4
[LCCE1-Tunnel0/0/1] l2tpv3 local cookie length 4 plain lower-value 11
[LCCE1-Tunnel0/0/1] l2tpv3 remote cookie length 4 plain lower-value 22
[LCCE1-Tunnel0/0/1] tunnel-source 10.1.1.2
[LCCE1-Tunnel0/0/1] tunnel-destination 10.1.2.2
[LCCE1-Tunnel0/0/1] quit
# Create the Tunnel interface on LCCE2 and configure its parameters.
[LCCE2] interface tunnel 0/0/1
[LCCE2-Tunnel0/0/1] tunnel-protocol svpn
[LCCE2-Tunnel0/0/1] encapsulation l2tpv3 static
[LCCE2-Tunnel0/0/1] l2tpv3 local session-id 4
[LCCE2-Tunnel0/0/1] l2tpv3 remote session-id 1
[LCCE2-Tunnel0/0/1] l2tpv3 local cookie length 4 plain lower-value 22
[LCCE2-Tunnel0/0/1] l2tpv3 remote cookie length 4 plain lower-value 11
[LCCE2-Tunnel0/0/1] tunnel-source 10.1.2.2
[LCCE2-Tunnel0/0/1] tunnel-destination 10.1.1.2
[LCCE2-Tunnel0/0/1] quit
- Configure Link-bridge
# Configure Link-bridge on LCCE1 to bind the AC interface to the Tunnel interface.
[LCCE1] interface GigabitEthernet 0/0/2
[LCCE1-GigabitEthernet0/0/2] link-bridge tunnel0/0/1 tagged
# Configure Link-bridge on LCCE2 to bind the AC interface to the Tunnel interface.
[LCCE2] interface GigabitEthernet 0/0/2
[LCCE2-GigabitEthernet0/0/2] link-bridge tunnel0/0/1 tagged
- Configure an ACL on each device to define the data flow it protects
The tunnel is encapsulated directly in IP (protocol number 115); UDP encapsulation is not supported, so the ACL matches protocol 115 rather than a UDP port.
# Configure the ACL on LCCE1.
[LCCE1] acl number 3000
[LCCE1-acl-adv-3000] rule permit 115 source 10.1.1.2 0 destination 10.1.2.2 0
[LCCE1-acl-adv-3000] quit
# Configure the ACL on LCCE2.
[LCCE2] acl number 3000
[LCCE2-acl-adv-3000] rule permit 115 source 10.1.2.2 0 destination 10.1.1.2 0
[LCCE2-acl-adv-3000] quit
- Create IPSec proposals
# Configure an IPSec proposal on LCCE1.
[LCCE1] ipsec proposal rtb
[LCCE1-ipsec-proposal-rtb] esp authentication-algorithm sha2-256
[LCCE1-ipsec-proposal-rtb] esp encryption-algorithm aes-192
[LCCE1-ipsec-proposal-rtb] quit
# Configure an IPSec proposal on LCCE2.
[LCCE2] ipsec proposal rta
[LCCE2-ipsec-proposal-rta] esp authentication-algorithm sha2-256
[LCCE2-ipsec-proposal-rta] esp encryption-algorithm aes-192
[LCCE2-ipsec-proposal-rta] quit
- Configure IKE peers
# Configure an IKE proposal on LCCE1.
[LCCE1] ike proposal 1
[LCCE1-ike-proposal-1] encryption-algorithm aes-256
[LCCE1-ike-proposal-1] authentication-algorithm sha2-256
[LCCE1-ike-proposal-1] quit
# Configure an IKE peer on LCCE1 and, keeping the default settings otherwise, configure the pre-shared key and the peer ID.
[LCCE1] ike peer rtb
[LCCE1-ike-peer-rtb] ike-proposal 1
[LCCE1-ike-peer-rtb] pre-shared-key cipher huawei@123
[LCCE1-ike-peer-rtb] remote-address 10.1.2.2
[LCCE1-ike-peer-rtb] quit
# Configure an IKE proposal on LCCE2.
[LCCE2] ike proposal 1
[LCCE2-ike-proposal-1] encryption-algorithm aes-256
[LCCE2-ike-proposal-1] authentication-algorithm sha2-256
[LCCE2-ike-proposal-1] quit
# Configure an IKE peer on LCCE2 and, keeping the default settings otherwise, configure the pre-shared key and the peer ID.
[LCCE2] ike peer rta
[LCCE2-ike-peer-rta] ike-proposal 1
[LCCE2-ike-peer-rta] pre-shared-key cipher huawei@123
[LCCE2-ike-peer-rta] remote-address 10.1.1.2
[LCCE2-ike-peer-rta] quit
- Create security policies
# Configure a security policy on LCCE1 that uses IKE dynamic negotiation.
[LCCE1] ipsec policy rtb 1 isakmp
[LCCE1-ipsec-policy-isakmp-rtb-1] ike-peer rtb
[LCCE1-ipsec-policy-isakmp-rtb-1] proposal rtb
[LCCE1-ipsec-policy-isakmp-rtb-1] security acl 3000
[LCCE1-ipsec-policy-isakmp-rtb-1] quit
# Configure a security policy on LCCE2 that uses IKE dynamic negotiation.
[LCCE2] ipsec policy rta 1 isakmp
[LCCE2-ipsec-policy-isakmp-rta-1] ike-peer rta
[LCCE2-ipsec-policy-isakmp-rta-1] proposal rta
[LCCE2-ipsec-policy-isakmp-rta-1] security acl 3000
[LCCE2-ipsec-policy-isakmp-rta-1] quit
- Apply the security policy groups to the interfaces so that the interfaces provide IPSec protection
# Apply the security policy group to the PW interface of LCCE1.
[LCCE1] interface gigabitethernet0/0/1
[LCCE1-GigabitEthernet0/0/1] ipsec policy rtb
[LCCE1-GigabitEthernet0/0/1] quit
# Apply the security policy group to the PW interface of LCCE2.
[LCCE2] interface gigabitethernet0/0/1
[LCCE2-GigabitEthernet0/0/1] ipsec policy rta
[LCCE2-GigabitEthernet0/0/1] quit
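A static L2TPv3 session over IPSec only comes up when the two LCCEs mirror each other exactly: each side's local session ID and cookie must equal the peer's remote values, the tunnel endpoints must be swapped, and the ACL must match IP protocol 115 between exactly those endpoints. The following added check (example code, not part of the original page or the vendor's tooling) parses the relevant lines from both devices' configurations above and reports any mismatch; the configuration snippets are constructed from the steps on this page.

```python
import re

# Constructed from the page's LCCE1 and LCCE2 steps (not captured from a device).
LCCE1_CFG = """l2tpv3 local session-id 1
l2tpv3 remote session-id 4
l2tpv3 local cookie length 4 plain lower-value 11
l2tpv3 remote cookie length 4 plain lower-value 22
tunnel-source 10.1.1.2
tunnel-destination 10.1.2.2
rule permit 115 source 10.1.1.2 0 destination 10.1.2.2 0
remote-address 10.1.2.2"""
LCCE2_CFG = """l2tpv3 local session-id 4
l2tpv3 remote session-id 1
l2tpv3 local cookie length 4 plain lower-value 22
l2tpv3 remote cookie length 4 plain lower-value 11
tunnel-source 10.1.2.2
tunnel-destination 10.1.1.2
rule permit 115 source 10.1.2.2 0 destination 10.1.1.2 0
remote-address 10.1.1.2"""
SIDED = [("session", r"l2tpv3 (local|remote) session-id (\d+)"),
         ("cookie", r"l2tpv3 (local|remote) cookie length \d+ plain lower-value (\d+)"),
         ("tunnel", r"tunnel-(source|destination) (\S+)")]
ACL = r"rule permit (\d+) source (\S+) (\S+) destination (\S+) (\S+)"

def parse(cfg):  # collect the values the checks below compare
    d = {}
    for key, pat in SIDED:
        for side, val in re.findall(pat, cfg):
            d[f"{key}_{side}"] = val
    d["acl"] = re.search(ACL, cfg).groups()   # (proto, src, src-wc, dst, dst-wc)
    d["ike_remote"] = re.search(r"remote-address (\S+)", cfg).group(1)
    return d

def check_pair(a, b):
    """Return mismatches between two LCCE configs; an empty list means they agree."""
    problems = []
    # Static L2TPv3: one side's local id/cookie must equal the other side's remote one.
    for k, l, r in (("session", "local", "remote"), ("cookie", "local", "remote"),
                    ("tunnel", "source", "destination")):
        if a[f"{k}_{l}"] != b[f"{k}_{r}"] or a[f"{k}_{r}"] != b[f"{k}_{l}"]:
            problems.append(f"{k} values are not mirrored between the peers")
    for name, d in (("A", a), ("B", b)):
        proto, src, smask, dst, dmask = d["acl"]
        if proto != "115":  # L2TPv3 rides directly on IP protocol 115, not on UDP
            problems.append(f"{name}: ACL matches protocol {proto}, expected 115")
        if (src, smask, dst, dmask) != (d["tunnel_source"], "0", d["tunnel_destination"], "0"):
            problems.append(f"{name}: ACL does not cover exactly the tunnel endpoints")
        if d["ike_remote"] != d["tunnel_destination"]:
            problems.append(f"{name}: IKE remote-address differs from tunnel-destination")
    return problems
```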
- Verify the configuration
# After the configuration succeeds, PC1 can still ping PC2, and the data transmitted between them is now encrypted.
Run the display ipsec sa command on LCCE1 and LCCE2 respectively to display the configured information. LCCE1 is used as an example.
[LCCE1] display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/1
===============================
-----------------------------
IPSec policy name: "rtb"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 9
Encapsulation mode: Tunnel
Tunnel local : 10.1.1.2
Tunnel remote : 10.1.2.2
Flow source : 10.1.1.2/255.255.255.255 0/0
Flow destination : 10.1.2.2/255.255.255.255 0/0
[Outbound ESP SAs]
SPI: 1380002640 (0x52412b50)
Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 1532270/3514
Outpacket count : 2686500
Outpacket encap count : 2686495
Outpacket drop count : 0
Max sent sequence-number: 2686293
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2595661893 (0x9ab6a845)
Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 1490295/3514
Inpacket count : 3068764
Inpacket decap count : 3068761
Inpacket drop count : 0
Max received sequence-number: 3068590
UDP encapsulation used for NAT traversal: N
Anti-replay : Enable
Anti-replay window size: 1024
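Reading the display ipsec sa output by eye confirms that SAs exist, but what matters operationally is that both directions negotiated the proposal the design calls for (AES-192 with SHA2-256), that the endpoints are the PW addresses, that nothing is being dropped, and that anti-replay is enabled. The following added audit (example code, not from the original page or the vendor) parses a sample of that output, trimmed from the page's LCCE1 output, and returns the findings a defender would want flagged.

```python
import re

# Trimmed from the page's display ipsec sa output on LCCE1 (constructed sample, not a live capture).
SA_OUTPUT = """IPSec policy name: "rtb"
Tunnel local : 10.1.1.2
Tunnel remote : 10.1.2.2
[Outbound ESP SAs]
SPI: 1380002640 (0x52412b50)
Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
Outpacket drop count : 0
[Inbound ESP SAs]
SPI: 2595661893 (0x9ab6a845)
Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
Inpacket drop count : 0
Anti-replay : Enable
Anti-replay window size: 1024"""
# What the page's "ipsec proposal rtb" (esp aes-192 + sha2-256) should negotiate to.
EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128"

def parse_sa(text):
    """Split the output into global fields plus one dict per SA direction."""
    info, sas, cur = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"\[(Outbound|Inbound) ESP SAs\]", line)
        if m:
            cur = sas.setdefault(m.group(1), {})
        elif ":" in line:
            key, _, val = line.partition(":")
            (info if cur is None else cur)[key.strip()] = val.strip()
    return info, sas

def audit_sa(text, local, remote):
    """Return findings worth flagging; an empty list means the SA pair matches the design."""
    info, sas = parse_sa(text)
    findings = []
    if (info.get("Tunnel local"), info.get("Tunnel remote")) != (local, remote):
        findings.append("tunnel endpoints differ from the configured PW addresses")
    for direction in ("Outbound", "Inbound"):
        sa = sas.get(direction)
        if sa is None:
            findings.append(f"no {direction} ESP SA negotiated")
            continue
        if sa.get("Proposal") != EXPECTED_PROPOSAL:
            findings.append(f"{direction} SA uses unexpected proposal {sa.get('Proposal')}")
        drops = sa.get("Outpacket drop count", sa.get("Inpacket drop count"))
        if drops != "0":
            findings.append(f"{direction} SA reports {drops} dropped packets")
    if sas.get("Inbound", {}).get("Anti-replay") != "Enable":
        findings.append("anti-replay is not enabled on the inbound SA")
    return findings
```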
# Run display interface brief on LCCE1 and LCCE2 respectively to view brief IP-related interface information, including the IP address, subnet mask, the physical link and protocol Up/Down status, and the number of interfaces in each state. LCCE1 is used as an example.
[LCCE1] display interface brief
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
^down: standby
(e): ETHOAM down
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Atm8/0/0                    down  down        0%     0%          0          0
Atm8/0/1                    down  down        0%     0%          0          0
Atm8/0/2                    down  down        0%     0%          0          0
Atm8/0/3                    down  down        0%     0%          0          0
Cellular0/0/0               down  down        0%     0%          0          0
Cellular0/0/1               down  down        0%     0%          0          0
Ethernet1/0/0               up    up          0%     0%          0          0
Ethernet1/0/1               up    down     0.01%     0%          0          0
Ethernet2/0/0               down  down        0%     0%          0          0
GigabitEthernet0/0/0        up    up       0.01%  0.01%          0          0
GigabitEthernet0/0/1        up    up       0.01%     0%          0          0
GigabitEthernet0/0/2        up    up       0.01%     0%          0          0
GigabitEthernet0/0/3        up    down     0.01%     0%          0          0
GigabitEthernet3/0/0        down  down        0%     0%          0          0
MFR0/0/1                    down  down        0%     0%          0          0
Mp-group0/0/1               down  down        0%     0%          0          0
NULL0                       up    up(s)       0%     0%          0          0
Serial4/0/0                 up    up       0.05%  0.05%          0          0
Serial6/0/0                 down  down        0%     0%          0          0
Serial6/0/1                 down  down        0%     0%          0          0
Serial6/0/2                 down  down        0%     0%          0          0
Serial6/0/3                 down  down        0%     0%          0          0
Serial6/0/4                 down  down        0%     0%          0          0
Serial6/0/5                 down  down        0%     0%          0          0
Serial6/0/6                 down  down        0%     0%          0          0
Serial6/0/7                 down  down        0%     0%          0          0
Tunnel0/0/1                 up    up(s)       0%     0%          0          0
Virtual-Template1           up    down        0%     0%          0          0
# Run display interface tunnel 0/0/1 on LCCE1 and LCCE2 respectively to check that the Tunnel interface is in the UP (spoofing) state. LCCE1 is used as an example.
[LCCE1] display interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP (spoofing)
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel protocol/transport SVPN/IP
Current system time: 2016-02-25 17:10:48
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
99 seconds input rate 0 bits/sec, 0 packets/sec
99 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%