IPsec XXX
一、ipsec XXX 配置步骤(主模式+快速模式)
前提:公网互通
FW1:
1.配置ike 安全提议
- 加密算法——DES,3DES,AES
- 认证算法——MD5,SHA1,SHA2
- 认证方式——pre-share, digital-envelope(数字信封) rsa-signature (数字签名)
- DH组——DH18
[FW1]ike proposal 1
[FW1-ike-proposal-1]dis th (里面有默认模板如下)
2022-08-31 12:47:04.850
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
分别配置:
- 加密算法——3DES
- 认证算法——MD5
- 认证方式——pre-share
- DH组——DH18
[FW1-ike-proposal-1]dis th
2022-08-31 12:55:05.790
#
ike proposal 1
encryption-algorithm 3des - 加密算法——3DES
dh group18 DH组——DH18
authentication-algorithm md5 - 认证算法——MD5
authentication-method pre-share - 认证方式——pre-share
integrity-algorithm hmac-sha2-256 ( 默认配置 ikev2版本时用到)
prf hmac-sha2-256 ( 默认配置 ikev2版本时用到)
#
return
2.配置ike 对等体(ike peer)
- 1.配置版本
- 2.对端地址
- 3.交换模式
- 4.调用ike proposal 1
- 5.配置预预共享密钥
[FW1]ike peer fw2
[FW1-ike-peer-fw2]undo version 2 (默认是v2版本,我们这里采用v1版本进行配置,所以undo v2)
[FW1-ike-peer-fw2]remote-address 2.2.2.2
[FW1-ike-peer-fw2]exchange-mode main (第一阶段使用主模式)
[FW1-ike-peer-fw2]ike-proposal 1 (调用ike 安全提议)
[FW1-ike-peer-fw2]pre-shared-key huawei@123 (预共享密钥)
3.配置ipsec 安全提议
- 封装模式
- 安全协议
- esp认证算法
- esp加密算法
[FW1]ipsec proposal 2
[FW1-ipsec-proposal-2]encapsulation-mode tunnel (隧道模式)
[FW1-ipsec-proposal-2]transform esp (esp协议)
[FW1-ipsec-proposal-2]esp authentication-algorithm md5 (esp 认证方式)
[FW1-ipsec-proposal-2]esp encryption-algorithm aes-128 (esp 加密方式)
4.配置感兴趣流
与fw2 互为镜像
[FW1-acl-adv-3000]dis th
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
5.配置ipsec 策略调用配置
- 1.调用ike peer
- 2.调用ipsec proposal
- 3.调用感兴趣流
[FW1]ipsec policy policy1 1 isakmp (ipsec 策略名为policy1,序号1 isakmp——自动建立隧道)
[FW1-ipsec-policy-isakmp-policy1-1]dis th
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer fw2
proposal 2
6.接口调用ipsec 策略
[FW1-GigabitEthernet1/0/1]ipsec policy policy1 (该接口是建立隧道的接口)
7.引流 (流量送入隧道)
[FW1]ip route-static 192.168.1.0 24 1.1.1.254
FW2配置相同:
1.ike 安全提议
ike proposal 1
encryption-algorithm 3des
dh group18
authentication-algorithm md5
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
2.ike peer
1.配置版本
- 2.对端地址
- 3.交换模式 [FW2-ike-peer-fw1]exchange-mode main (默认不显示)
- 4.调用ike proposal 1
- 5.配置预预共享密钥
ike peer fw1
undo version 2
pre-shared-key %^%#[#@C%gEeF8!&O*C_]^vG@q"U"dg^ZOa>eKF0I@/*%^%# (预共享密钥huawei@123)
ike-proposal 1
remote-address 1.1.1.1
3.ipsec 安全提议
[FW2]ipsec proposal 2
[FW2-ipsec-proposal-2]encapsulation-mode tunnel
[FW2-ipsec-proposal-2]transform esp
[FW2-ipsec-proposal-2]esp authentication-algorithm md5
[FW2-ipsec-proposal-2]esp encryption-algorithm aes-128
4.acl 感兴趣流
这里要与fw1 互为镜像
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
5.ipsec 策略,调用配置
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer fw1
proposal 2
6.接口调用
[FW2-GigabitEthernet1/0/1]ipsec policy policy1
7.引流
[FW2]ip route-static 10.1.1.0 24 2.2.2.254
二、安全策略配置
先将安全策略默认为允许验证实验结果
security-policy
default action permit
1.pc1 ping pc2 抓包:
第一阶段主模式报文6个
第二阶段快速模式报文3个
2.查看ike sa建立情况
3.查看ipsec sa 建立情况
4.查看会话表
5.配置安全策略:
从会话表看出流量包括:
业务流量10.1.1.1<–>192.168.1.1 ,即trust<->untrust,双向流量
隧道流量 1.1.1.1<–>2.2.2.2,local<–>untrust,双向流量(注意要放行esp,udp协议)
[FW1-policy-security-rule-pc1_pc3]dis th
2022-09-02 04:47:51.090
#
rule name pc1_pc3
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
service icmp
action permit
#
[FW1-policy-security-rule-tunnle]dis th
2022-09-02 04:52:25.770
#
rule name tunnle
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 1.1.1.1 mask 255.255.255.255
source-address 2.2.2.2 mask 255.255.255.255
destination-address 1.1.1.1 mask 255.255.255.255
destination-address 2.2.2.2 mask 255.255.255.255
service esp
service icmp
service udp
action permit
rule name tunnel
#
将策略恢复为默认禁止
[FW2-policy-security]default action deny
Warning: Setting the default interzone packet filtering to deny may affect actu
al data traffic. You are advised to configure the security policy based on the a
ctual services. Are you sure you want to continue? [Y/N]y
6.pc1 ping pc3 能够ping通