Lab topology diagram
The whole lab was done on H3C's HCL simulator.
The overall configuration approach follows the lab assignment.
IPsec and IKE are configured first; in this lab every IPsec SA is established automatically through IKE.
GRE is configured after that.
Workflow
- Configure an advanced ACL (the interesting traffic)
- IKE
  - Proposal (the default authentication method is pre-shared key; the defaults are fine)
  - Create the pre-shared key (IKE keychain)
    - Specify the peer address and the key
  - Create the IKE profile
    - Reference the proposal
    - Reference the keychain
    - Specify the peer identity (an address, an FQDN or a user-FQDN)
    - Specify the local identity (the counterpart of the peer's setting)
    - Decide whether to enable aggressive mode (main mode is the default)
- IPsec
  - Configure the transform set
    - Security protocol (AH or ESP; ESP is the default)
    - Encapsulation mode (transport or tunnel; tunnel is the default)
    - Encryption algorithm
    - Authentication algorithm
  - Configure the IPsec policy (or a policy template)
    - Reference the ACL
    - Reference the IKE profile
    - Reference the transform set
    - Specify the peer address (required in an IKE-based policy; only a policy template, used on a responder that does not know the peer address in advance, can omit it)
- Configure GRE
  - Source address (local public address)
  - Destination address (peer public address)
  - IP address of the tunnel interface
  - Keepalive (the default is fine)
  - Apply the IPsec policy to the tunnel interface (the approach used in this lab)
- Configure routing (static or dynamic; the goal is to steer the traffic into the GRE tunnel)
- Test
- Packet capture analysis
Notes
1. The interesting traffic is the advanced ACL; the two sides must be configured as mirror images of each other.
2. The IPsec interesting traffic here matches the private-network traffic; whether this specifically is IPsec encrypting GRE or GRE encrypting IPsec, I am still not sure.
3. The IPsec policy is applied under the GRE tunnel interface, not under the public-facing interface.
4. While configuring I did not repeat the settings that are identical on every device, such as the IPsec transform set and the IKE proposal.
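The notes leave open which way round the encapsulation is. As configured, the IKE peers and the policy's remote-address are the tunnel addresses (192.168.16.x) and the policy is applied on Tunnel0, so ESP is built between the tunnel addresses first and the GRE header with the public addresses is added afterwards: a capture on the physical interface shows IP / GRE / IP / ESP, the order usually called IPsec over GRE. The other order, GRE over IPsec, would put the policy on the physical interface and show nothing but IP / ESP on the wire. The Python example below is added here; it is not part of the original notes and not H3C code. It builds both packet orders from constructed bytes and walks their headers the way a capture dissector would. The PC5 address 192.168.1.5 (from the "last octet is the device number" rule) and the SPI values are assumptions, and the ESP payload is a zero-filled stand-in rather than real ciphertext. It also shows an OSPF hello between the tunnel addresses, which ACL 3000 does not match and which therefore crosses the public network inside GRE in the clear.

```python
import socket
import struct

PROTO = {1: "ICMP", 47: "GRE", 50: "ESP", 89: "OSPF"}


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left at 0 because this is constructed data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def gre(payload, ethertype=0x0800):
    """RFC 2784 GRE header with the C/K/S bits clear, as the lab tunnels use no key or sequence."""
    return struct.pack("!HH", 0, ethertype) + payload


def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by what on the wire is encrypted data."""
    return struct.pack("!II", spi, seq) + ciphertext


def dissect(pkt):
    """Walk the outer headers of a raw IPv4 packet; stops at ESP, whose payload is ciphertext."""
    chain, i, proto = [], 0, "IP"
    while True:
        if proto == "IP":
            ihl = (pkt[i] & 0x0F) * 4
            src = socket.inet_ntoa(pkt[i + 12:i + 16])
            dst = socket.inet_ntoa(pkt[i + 16:i + 20])
            chain.append(f"IP {src}->{dst}")
            proto, i = PROTO.get(pkt[i + 9], str(pkt[i + 9])), i + ihl
        elif proto == "GRE":
            flags, ethertype = struct.unpack("!HH", pkt[i:i + 4])
            # optional checksum (C), key (K) and sequence (S) fields are 4 bytes each
            i += 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            chain.append("GRE")
            proto = "IP" if ethertype == 0x0800 else f"ethertype 0x{ethertype:04x}"
        elif proto == "ESP":
            spi, seq = struct.unpack("!II", pkt[i:i + 8])
            chain.append(f"ESP spi=0x{spi:x} seq={seq}")
            return chain
        else:
            chain.append(proto)
            return chain


# Constructed ICMP echo request from PC5 (assumed 192.168.1.5) to PC7 (192.168.2.7).
INNER = ipv4("192.168.1.5", "192.168.2.7", 1, b"\x08\x00\xf7\xff\x00\x00\x00\x00")


def ipsec_over_gre():
    """What the lab builds: the policy sits on Tunnel0, so ESP runs between the tunnel
    addresses and the GRE header with the public addresses is added afterwards."""
    protected = esp(0x1234, 1, b"\x00" * len(INNER))   # stand-in for the encrypted INNER + trailer
    return ipv4("100.1.1.1", "200.1.1.3", 47,
                gre(ipv4("192.168.16.1", "192.168.16.3", 50, protected)))


def gre_over_ipsec():
    """The other order: GRE between the public addresses first, then ESP applied on the
    physical interface, so nothing but ESP is visible on the wire."""
    tunneled = ipv4("100.1.1.1", "200.1.1.3", 47, gre(INNER))
    return ipv4("100.1.1.1", "200.1.1.3", 50, esp(0x5678, 1, b"\x00" * len(tunneled)))


def ospf_hello_over_gre():
    """An OSPF hello between the tunnel addresses: ACL 3000 does not match it, so it is
    carried inside GRE unencrypted (8-byte constructed stand-in for the OSPF header)."""
    hello = ipv4("192.168.16.1", "224.0.0.5", 89, b"\x02\x01" + b"\x00" * 6)
    return ipv4("100.1.1.1", "200.1.1.3", 47, gre(hello))


if __name__ == "__main__":
    for name, pkt in [("IPsec over GRE (this lab)", ipsec_over_gre()),
                      ("GRE over IPsec", gre_over_ipsec()),
                      ("OSPF hello over the tunnel", ospf_hello_over_gre())]:
        print(f"{name}: " + " / ".join(dissect(pkt)))
```

The dissector only needs the raw IPv4 bytes, so the same function can be pointed at the payload of frames exported from a capture on the public interface to confirm which order a real tunnel uses.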
1. Configure IP addresses (omitted)
Step one: configure the IP addresses as shown in the diagram. The last octet of an interface address is the device number, for example 192.168.1.1 and 192.168.2.1, and every gateway address is .254.
2. Configure the IPsec VPNs according to the VPN labels in the diagram
#R1
#Configure IKE
[gg1]ike proposal 1 #create IKE proposal 1 with the default settings
[gg1-ike-proposal-1]qu
[gg1]ike key gg3 #create the keychain holding the pre-shared key for peer R3
[gg1-ike-keychain-gg3]pre-shared-key add 192.168.16.3 key sim gg #the peer address is the GRE tunnel address, not the public address
[gg1]ike key gg4
[gg1-ike-keychain-gg4]pre-shared-key add 192.168.17.4 key sim gg
[gg1]ike profile gg3 #create the IKE profile
[gg1-ike-profile-gg3]key gg3 #reference the keychain defined above (the name must match exactly)
[gg1-ike-profile-gg3]proposal 1 #reference the IKE proposal
[gg1-ike-profile-gg3]local-identity address 192.168.16.1 #local identity
[gg1-ike-profile-gg3]match remote identity address 192.168.16.3 #peer identity
[gg1]ike profile gg4 #same steps as for gg3
[gg1-ike-profile-gg4]key gg4
[gg1-ike-profile-gg4]proposal 1
[gg1-ike-profile-gg4]local-identity add 192.168.17.1
[gg1-ike-profile-gg4]match remote identity add 192.168.17.4
#Configure the interesting traffic: the local private network to the peer's private network
[gg1]acl adv 3000
[gg1-acl-ipv4-adv-3000]rule per ip so 192.168.1.0 0.0.0.255 des 192.168.2.0 0.0.0.255 #source is our own network, destination is the peer's
[gg1]acl adv 3001
[gg1-acl-ipv4-adv-3001]rule per ip so 192.168.1.0 0.0.0.255 des 192.168.3.0 0.0.0.255
#Configure IPsec
[gg1]ipsec transform-set tongyong #IPsec transform set
#ESP and tunnel mode are the defaults, so neither the protocol nor the mode is configured here
[gg1-ipsec-transform-set-tongyong]esp authentication-algorithm sha1 #authentication algorithm
[gg1-ipsec-transform-set-tongyong]esp encryption-algorithm aes-cbc-128 #encryption algorithm
[gg1]ipsec policy gh 1 isakmp #IKE-based IPsec policy, entry 1
[gg1-ipsec-policy-isakmp-gh-1]security acl 3000 #reference the interesting traffic
[gg1-ipsec-policy-isakmp-gh-1]ike-profile gg3 #reference the IKE profile
[gg1-ipsec-policy-isakmp-gh-1]transform-set tongyong #reference the transform set
[gg1-ipsec-policy-isakmp-gh-1]remote-address 192.168.16.3 #the peer address is again the GRE tunnel address
[gg1]ipsec policy gh 2 isakmp
[gg1-ipsec-policy-isakmp-gh-2]security acl 3001
[gg1-ipsec-policy-isakmp-gh-2]ike-profile gg4
[gg1-ipsec-policy-isakmp-gh-2]transform-set tongyong
[gg1-ipsec-policy-isakmp-gh-2]remote-address 192.168.17.4
#R3
#Configure the ACL
[gg3]acl adv 3000
[gg3-acl-ipv4-adv-3000]rule per ip so 192.168.2.0 0.0.0.255 des 192.168.1.0 0.0.0.255 #mirror image of R1's ACL 3000
#Configure IKE
[gg3]ike proposal 1
[gg3-ike-proposal-1]qu
[gg3]ike key gg1
[gg3-ike-keychain-gg1]pre-shared-key add 192.168.16.1 key sim gg
[gg3]ike profile gg1
[gg3-ike-profile-gg1]key gg1
[gg3-ike-profile-gg1]proposal 1
[gg3-ike-profile-gg1]local-identity add 192.168.16.3
[gg3-ike-profile-gg1]match remote id add 192.168.16.1
#Configure IPsec
[gg3]ipsec transform-set tongyong
[gg3-ipsec-transform-set-tongyong]esp authentication-algorithm sha1
[gg3-ipsec-transform-set-tongyong]esp encryption-algorithm aes-cbc-128
[gg3]ipsec policy gh14 1 isakmp #the policy name must match the one used in ipsec apply policy; step 5 adds entry 2 to this same policy
[gg3-ipsec-policy-isakmp-gh14-1]security acl 3000
[gg3-ipsec-policy-isakmp-gh14-1]ike-profile gg1
[gg3-ipsec-policy-isakmp-gh14-1]transform-set tongyong
[gg3-ipsec-policy-isakmp-gh14-1]remote-address 192.168.16.1
#R4
#Configure the ACL
[gg4]acl adv 3000
[gg4-acl-ipv4-adv-3000]rule per ip so 192.168.3.0 0.0.0.255 des 192.168.1.0 0.0.0.255
#Configure IKE
[gg4]ike proposal 1
[gg4-ike-proposal-1]qu
[gg4]ike key gg1
[gg4-ike-keychain-gg1]pre-shared-key add 192.168.17.1 key sim gg
[gg4]ike profile gg1
[gg4-ike-profile-gg1]proposal 1
[gg4-ike-profile-gg1]key gg1
[gg4-ike-profile-gg1]local-identity address 192.168.17.4
[gg4-ike-profile-gg1]match remote identity add 192.168.17.1
#Configure IPsec
[gg4]ipsec transform-set tongyong
[gg4-ipsec-transform-set-tongyong]esp authentication-algorithm sha1
[gg4-ipsec-transform-set-tongyong]esp encryption-algorithm aes-cbc-128
[gg4]ipsec policy gh13 1 isakmp
[gg4-ipsec-policy-isakmp-gh13-1]security acl 3000
[gg4-ipsec-policy-isakmp-gh13-1]ike-profile gg1
[gg4-ipsec-policy-isakmp-gh13-1]transform-set tongyong
[gg4-ipsec-policy-isakmp-gh13-1]remote-address 192.168.17.1
The IPsec configuration on the other routers repeats the same steps; only the first half of the commands carries annotations.
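The slips that are easy to make in this step are naming mismatches: a profile referencing a keychain under a name that was never defined, a policy referencing a profile that does not exist, or an ACL that is not the mirror image of the peer's. IKE reports all of them only as a negotiation that never completes, so it pays to check the two ends against each other before moving on. The Python example below is added here; it is not part of the original notes and not H3C code. It parses constructed Comware-style snippets shaped like the R1 and R3 configuration above (full command names instead of the abbreviations used in the notes, same addresses, names and pre-shared key) and checks that the two peers agree: keychain and profile names resolve, a pre-shared key exists for the peer address and is the same on both ends, match remote identity equals remote-address, the interesting-traffic ACLs are mirror images, the transform sets are identical, and the policy is applied to an interface. A deliberately broken copy of the R1 snippet shows what a dangling keychain reference looks like.

```python
def lab_cfg(keychain, local, remote, net_local, net_remote, policy):
    """Constructed Comware-style snippet in the shape of the R1/R3 configuration above."""
    return f"""ike keychain {keychain}
 pre-shared-key address {remote} key simple gg
ike profile {keychain}
 keychain {keychain}
 local-identity address {local}
 match remote identity address {remote}
acl advanced 3000
 rule permit ip source {net_local} 0.0.0.255 destination {net_remote} 0.0.0.255
ipsec transform-set tongyong
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-128
ipsec policy {policy} 1 isakmp
 security acl 3000
 ike-profile {keychain}
 transform-set tongyong
 remote-address {remote}
interface Tunnel0 mode gre
 ipsec apply policy {policy}"""

R1_CFG = lab_cfg("gg3", "192.168.16.1", "192.168.16.3", "192.168.1.0", "192.168.2.0", "gh")
R3_CFG = lab_cfg("gg1", "192.168.16.3", "192.168.16.1", "192.168.2.0", "192.168.1.0", "gh14")
# A naming slip: the profile references keychain gh3, which was never defined.
R1_BAD = R1_CFG.replace("\n keychain gg3", "\n keychain gh3")

def parse(cfg):
    """Parse the subset of Comware commands used in the lab; lines not listed here are ignored."""
    d = {"keychain": {}, "profile": {}, "acl": {}, "policy": {}, "tset": {}, "applied": set()}
    ctx = None
    for t in map(str.split, cfg.splitlines()):
        if not t:
            continue
        if t[:2] == ["ike", "keychain"]:
            ctx = d["keychain"].setdefault(t[2], {})
        elif t[:2] == ["ike", "profile"]:
            ctx = d["profile"].setdefault(t[2], {})
        elif t[0] == "acl":
            ctx = d["acl"].setdefault(t[2], set())
        elif t[:2] == ["ipsec", "transform-set"]:
            ctx = d["tset"].setdefault(t[2], {})
        elif t[:2] == ["ipsec", "policy"]:
            ctx = d["policy"].setdefault((t[2], t[3]), {})
        elif t[:2] == ["ipsec", "apply"]:
            d["applied"].add(t[3])
        elif t[0] == "pre-shared-key":
            ctx[t[2]] = t[5]                   # peer address -> key
        elif t[0] == "rule":
            ctx.add((t[4], t[5], t[7], t[8]))  # (src, wildcard, dst, wildcard)
        elif t[0] == "esp":
            ctx[t[1]] = t[2]                   # algorithm kind -> algorithm
        elif t[0] in ("keychain", "ike-profile", "transform-set", "remote-address",
                      "local-identity", "match", "security"):
            ctx[t[0]] = t[-1]                  # the value is always the last token
    return d

def check_pair(a_name, a, b_name, b):
    """List what would stop the policy entries on a that point at b from negotiating."""
    out = []
    b_locals = {p.get("local-identity") for p in b["profile"].values()}
    for (pname, seq), pol in a["policy"].items():
        tag, peer = f"{a_name} policy {pname} {seq}", pol.get("remote-address")
        if peer not in b_locals:
            continue                           # this entry targets some other peer
        prof = a["profile"].get(pol.get("ike-profile"))
        if prof is None:
            out.append(f"{tag}: ike-profile {pol.get('ike-profile')} is not defined")
            continue
        if prof.get("match") != peer:
            out.append(f"{tag}: match remote identity {prof.get('match')} differs from remote-address {peer}")
        kc = a["keychain"].get(prof.get("keychain"))
        if kc is None or peer not in kc:
            out.append(f"{tag}: no pre-shared key for {peer} in keychain {prof.get('keychain')}")
            continue
        # The peer must point back at our local identity with the same key and a mirrored ACL.
        back = [q for q in b["policy"].values() if q.get("remote-address") == prof.get("local-identity")]
        if not back:
            out.append(f"{tag}: {b_name} has no policy entry with remote-address {prof.get('local-identity')}")
            continue
        q = back[0]
        bkc = b["keychain"].get(b["profile"].get(q.get("ike-profile"), {}).get("keychain"), {})
        if bkc.get(prof.get("local-identity")) != kc[peer]:
            out.append(f"{tag}: pre-shared keys differ between {a_name} and {b_name}")
        mirror = {(dst, dw, src, sw) for (src, sw, dst, dw) in b["acl"].get(q.get("security"), set())}
        if a["acl"].get(pol.get("security")) != mirror:
            out.append(f"{tag}: ACL {pol.get('security')} is not the mirror image of {b_name} ACL {q.get('security')}")
        if a["tset"].get(pol.get("transform-set")) != b["tset"].get(q.get("transform-set")):
            out.append(f"{tag}: transform sets differ")
        if pname not in a["applied"]:
            out.append(f"{tag}: policy {pname} is not applied to any interface")
    return out

def check_both(a_name, a_cfg, b_name, b_cfg):
    a, b = parse(a_cfg), parse(b_cfg)             # both directions, so a slip on either router shows up
    return check_pair(a_name, a, b_name, b) + check_pair(b_name, b, a_name, a)

if __name__ == "__main__":
    print("good pair:", check_both("R1", R1_CFG, "R3", R3_CFG))
    print("bad pair: ", check_both("R1", R1_BAD, "R3", R3_CFG))
```

The broken copy produces two findings, one from each direction: R1 cannot find a key for 192.168.16.3 in keychain gh3, and from R3's point of view the keys no longer match. Running the checker on the real `display current-configuration` output of two routers needs nothing more than the full-form command names, which is what Comware prints.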
3. Configure GRE
#R1
[gg1]int tun0 mo gre #create a GRE-mode tunnel interface
[gg1-Tunnel0]ip add 192.168.16.1 24 #tunnel interface address (the address IKE and ESP use)
[gg1-Tunnel0]so 100.1.1.1 #local public source address
[gg1-Tunnel0]destination 200.1.1.3 #peer public address
[gg1-Tunnel0]keepalive #keepalive
[gg1-Tunnel0]ipsec app policy gh #apply the IPsec policy on the tunnel interface
[gg1]int tun 1 mo gre
[gg1-Tunnel1]ip add 192.168.17.1 24
[gg1-Tunnel1]so 100.1.1.1
[gg1-Tunnel1]destination 100.2.2.4
[gg1-Tunnel1]keepalive
[gg1-Tunnel1]ipsec app policy gh
#OSPF is run over the tunnels so that the routers learn each other's private networks
[gg1]ospf 1 router-id 1.1.1.1
[gg1-ospf-1]a 0
[gg1-ospf-1-area-0.0.0.0]net 192.168.1.0 0.0.0.255 #local private network
[gg1-ospf-1-area-0.0.0.0]net 192.168.16.0 0.0.0.255 #tunnel network towards gg3
[gg1-ospf-1-area-0.0.0.0]net 192.168.17.0 0.0.0.255 #tunnel network towards gg4
[gg1]ip route-static 192.168.2.0 24 tun0 #static route steering traffic for the peer's private network into the GRE tunnel; OSPF above already learns the same network over the tunnel and wins with preference 10 against 60 for static routes, so these static routes are redundant
[gg1]ip route-static 192.168.3.0 24 tun1
#R3
[gg3]int tun 0 mode gre
[gg3-Tunnel0]ip add 192.168.16.3 24
[gg3-Tunnel0]so 200.1.1.3
[gg3-Tunnel0]desti 100.1.1.1
[gg3-Tunnel0]keepalive
[gg3-Tunnel0]ipsec app policy gh14 #apply the policy on this end too; this line is missing from the notes, but without a policy on the peer side no SA is negotiated
[gg3]ospf 1 router-id 3.3.3.3
[gg3-ospf-1]a 0
[gg3-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[gg3-ospf-1-area-0.0.0.0]net 192.168.16.0 0.0.0.255
[gg3]ip route-static 192.168.1.0 24 tun 0
#R4
[gg4]int tun 1 mode gre
[gg4-Tunnel1]ip add 192.168.17.4 24
[gg4-Tunnel1]so 100.2.2.4
[gg4-Tunnel1]desti 100.1.1.1
[gg4-Tunnel1]keepalive
[gg4-Tunnel1]ipsec app policy gh13 #same as on R3: required, and missing from the notes
[gg4]ospf 1 router-id 4.4.4.4
[gg4-ospf-1]a 0
[gg4-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[gg4-ospf-1-area-0.0.0.0]net 192.168.17.0 0.0.0.255
[gg4]ip route-static 192.168.1.0 24 tun 1
In the GRE configuration I think there are some redundant commands, but my skills are not up to it, I am not sure which ones they are, and I did not test it.
4. Test: PC5 can ping PC6 and PC7
<H3C>ping 192.168.2.7
Ping 192.168.2.7 (192.168.2.7): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.7: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 192.168.2.7: icmp_seq=1 ttl=253 time=3.000 ms
<H3C>%Apr 29 14:49:25:479 2022 H3C PING/6/PING_STATISTICS: Ping
<H3C>ping 192.168.3.6
Ping 192.168.3.6 (192.168.3.6): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.6: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 192.168.3.6: icmp_seq=1 ttl=253 time=1.000 ms
5. Configure R3 and R4 so that PC6 and PC7 can ping each other
#R3
#Configure the ACL
[gg3]acl adv 3001
[gg3-acl-ipv4-adv-3001]rule per ip so 192.168.2.0 0.0.0.255 des 192.168.3.0 0.0.0.255
#Configure IKE
[gg3]ike key gh4
[gg3-ike-keychain-gh4]pre-shared-key address 192.168.19.4 key sim gh
[gg3]ike proposal 1 #already exists from step 2; re-entering it is harmless
[gg3-ike-proposal-1]qu
[gg3]ike profile gh4
[gg3-ike-profile-gh4]key gh4
[gg3-ike-profile-gh4]proposal 1
[gg3-ike-profile-gh4]local-identity add 192.168.19.3
[gg3-ike-profile-gh4]match remote id add 192.168.19.4
#Configure IPsec (the transform set tongyong from step 2 is reused)
[gg3]ipsec policy gh14 2 isakmp #entry 2 in the existing policy
[gg3-ipsec-policy-isakmp-gh14-2]security acl 3001
[gg3-ipsec-policy-isakmp-gh14-2]transform-set tongyong
[gg3-ipsec-policy-isakmp-gh14-2]ike-profile gh4
[gg3-ipsec-policy-isakmp-gh14-2]remote-address 192.168.19.4
#Configure GRE
[gg3]int tun 2 mo gre
[gg3-Tunnel2]ip add 192.168.19.3 24
[gg3-Tunnel2]so 200.1.1.3
[gg3-Tunnel2]desti 100.2.2.4
[gg3-Tunnel2]keepalive
[gg3-Tunnel2]ipsec app policy gh14
[gg3]ip route-static 192.168.3.0 24 tun 2 #towards R4's private network (the notes had 192.168.2.0 here, which is R3's own connected network and would never use this route)
[gg3]ospf 1
[gg3-ospf-1]a 0
[gg3-ospf-1-area-0.0.0.0]net 192.168.19.0 0.0.0.255
#R4
#Configure the ACL
[gg4]acl adv 3001
[gg4-acl-ipv4-adv-3001]rule per ip source 192.168.3.0 0.0.0.255 des 192.168.2.0 0.0.0.255
#Configure IKE
[gg4]ike key gh3
[gg4-ike-keychain-gh3]pre-shared-key address 192.168.19.3 key sim gh
[gg4]ike profile gh3
[gg4-ike-profile-gh3]key gh3
[gg4-ike-profile-gh3]proposal 1
[gg4-ike-profile-gh3]local-identity address 192.168.19.4
[gg4-ike-profile-gh3]match remote identity add 192.168.19.3
#Configure IPsec
[gg4]ipsec policy gh13 2 isakmp
[gg4-ipsec-policy-isakmp-gh13-2]ike-profile gh3
[gg4-ipsec-policy-isakmp-gh13-2]security acl 3001
[gg4-ipsec-policy-isakmp-gh13-2]transform-set tongyong
[gg4-ipsec-policy-isakmp-gh13-2]remote-address 192.168.19.3
#Configure GRE
[gg4]int tun 2 mo gre
[gg4-Tunnel2]ip add 192.168.19.4 24
[gg4-Tunnel2]so 100.2.2.4
[gg4-Tunnel2]desti 200.1.1.3
[gg4-Tunnel2]keepalive
[gg4-Tunnel2]ipsec app policy gh13
[gg4]ip route-static 192.168.2.0 24 tun 2
[gg4]ospf 1
[gg4-ospf-1]a 0
[gg4-ospf-1-area-0.0.0.0]net 192.168.19.0 0.0.0.255
#Test: ping PC7 (192.168.2.7) from PC6. The first request times out because it triggers the IKE negotiation and is dropped while the SAs are being set up; the following requests get through.
<H3C>ping 192.168.2.7
Ping 192.168.2.7 (192.168.2.7): 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 192.168.2.7: icmp_seq=1 ttl=253 time=1.000 ms
56 bytes from 192.168.2.7: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.2.7: icmp_seq=3 ttl=253 time=1.000 ms
56 bytes from 192.168.2.7: icmp_seq=4 ttl=253 time=2.000 ms
--- Ping statistics for 192.168.2.7 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.500/2.000/0.500 ms
<H3C>%May 13 15:22:09:666 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.7: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.500/2.000/0.500 ms.
The commands are all in abbreviated form. Right after finishing I had a packet capture, but I did not save it; when I rebuilt the lab now, capturing on the tunnel interface made the interface's protocol go down by itself, and I could not find the cause.