This article is meant to strengthen my proficiency in IPsec configuration and deepen my understanding of it, so where it falls short please offer some pointers; I would be deeply grateful.
By defining the data flows that IPsec protects, important traffic is steered into the IPsec tunnel, and the data passing through the tunnel is encrypted by the security protocols, so that it is transmitted securely across the network.
The topology is shown below:
The global address range is 192.168.x.x
1. Ensure network reachability.
The interface configuration is omitted here.
[r4]ip route-static 192.168.20.0 255.255.255.0 192.168.30.2
[r5]ip route-static 192.168.10.0 255.255.255.0 192.168.30.1
2. Create the interesting traffic (ACL)
[r4]acl number 3000
[r4-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
The ACL on r5 must be the mirror image of r4's (source 192.168.20.0, destination 192.168.10.0); a rule pointing at the 192.168.30.0 transit segment would leave the return traffic outside the tunnel.
[r5]acl number 3000
[r5-acl-adv-3000]rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
3. Create the IPsec proposal
[r4]ipsec proposal ipsec
[r4-ipsec-proposal-ipsec]esp encryption-algorithm 3des
[r5]ipsec proposal ipsec
[r5-ipsec-proposal-ipsec]esp encryption-algorithm 3des
4. Create the IKE proposal
[r4]ike proposal 1
[r4-ike-proposal-1]authentication-algorithm md5
[r4-ike-proposal-1]encryption-algorithm 3des-cbc
[r5]ike proposal 1
[r5-ike-proposal-1]authentication-algorithm md5
[r5-ike-proposal-1]encryption-algorithm 3des-cbc
5. Configure the IKE peer
[r4]ike peer ipsec v1
[r4-ike-peer-ipsec]pre-shared-key cipher huawei
[r4-ike-peer-ipsec]local-address 192.168.30.1
[r4-ike-peer-ipsec]remote-address 192.168.30.2
[r5]ike peer ipsec v1
[r5-ike-peer-ipsec]pre-shared-key cipher huawei
[r5-ike-peer-ipsec]local-address 192.168.30.2
[r5-ike-peer-ipsec]remote-address 192.168.30.1
6. Create the security policy
[r4]ipsec policy sec 1 isakmp
[r4-ipsec-policy-isakmp-sec-1]security acl 3000
[r4-ipsec-policy-isakmp-sec-1]ike-peer ipsec
[r4-ipsec-policy-isakmp-sec-1]proposal ipsec
[r5]ipsec policy sec 1 isakmp
[r5-ipsec-policy-isakmp-sec-1]security acl 3000
[r5-ipsec-policy-isakmp-sec-1]ike-peer ipsec
[r5-ipsec-policy-isakmp-sec-1]proposal ipsec
7. Apply the policy under the interface
[r4]interface GigabitEthernet0/0/1
[r4-GigabitEthernet0/0/1]ipsec policy sec
[r5]interface GigabitEthernet0/0/1
[r5-GigabitEthernet0/0/1]ipsec policy sec
Packet capture analysis:
The port number used (source/destination) is UDP 500, and the bottom section (ISAKMP) is the key management protocol... what else do I know; I can't quite make sense of the contents either...
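To make the UDP 500 traffic in the capture readable, the decoder below walks the ISAKMP header (RFC 2408) and the chain of payload headers of an IKEv1 message. It is an added example, not part of the original post, and the message it decodes is a constructed first Main Mode packet rather than one captured between r4 and r5.

```python
import struct

# IKEv1 exchange and payload type codes from RFC 2408 section 3.1
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 8: "HASH", 10: "NONCE", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
HEADER_FMT = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

def parse_isakmp(data: bytes) -> dict:
    """Decode the fixed ISAKMP header, then list the payload types in order."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"length field {length} != datagram size {len(data)}")
    info = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "encrypted": bool(flags & 0x01), "message_id": msg_id, "payloads": []}
    # With the E flag set the payloads are ciphertext, so only the header is readable.
    if info["encrypted"]:
        return info
    offset = HEADER_LEN
    while next_payload != 0:  # generic payload header: next, reserved, length
        if offset + 4 > len(data):
            raise ValueError("payload chain runs past end of datagram")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD_TYPES.get(next_payload, f"unknown({next_payload})"))
        next_payload, offset = nxt, offset + plen
    return info

def sample_main_mode_msg1() -> bytes:
    """Constructed first Main Mode message: SA then Vendor ID, responder cookie still zero."""
    sa = struct.pack("!BBH", 13, 0, 8) + b"\x00\x00\x00\x01"   # next=Vendor ID, DOI=IPsec
    vid = struct.pack("!BBH", 0, 0, 8) + b"\xde\xad\xbe\xef"    # next=NONE, made-up vendor id
    body = sa + vid
    hdr = struct.pack(HEADER_FMT, bytes.fromhex("0102030405060708"), bytes(8),
                      1, 0x10, 2, 0, 0, HEADER_LEN + len(body))
    return hdr + body

if __name__ == "__main__":
    print(parse_isakmp(sample_main_mode_msg1()))
```

The length check and the bounds checks on the payload chain are what keep a malformed datagram from walking the parser off the end of the buffer, which is the first thing to verify in any protocol decoder fed from a capture.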
We'll continue next time...