一、实验原理
IPsec在互联网中提供端到端的数据报通信安全,通过加密和认证方式保护IP数据报及其封装的数据。IPsec是一个框架协议,包括AH、ESP、SA、IKE等协议。IPsec可以采用直接传输和隧道封装两种模式工作,在通过互联网承载的站点间VPN中通常采用隧道模式。隧道模式是将原始IP数据报作为有效载荷封装在IPsec报头里。
二、实验拓扑图
三、实验步骤
1. 将MSR36-20_4路由器重命名为R_SH进行配置
[R_SH]int ge 0/0
[R_SH-GigabitEthernet0/0]ip address 10.1.1.254 24
[R_SH-GigabitEthernet0/0]quit
[R_SH]int se 1/0
[R_SH-Serial1/0]ip address 219.230.139.1 24
[R_SH-Serial1/0]quit
[R_SH]save
// 启用OSFP
[R_SH]ospf 1
[R_SH-ospf-1]area 0
[R_SH-ospf-1-area-0.0.0.0]network 219.230.139.0 0.0.0.255
[R_SH-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R_SH-ospf-1-area-0.0.0.0]quit
[R_SH-ospf-1]save
2.第二阶段,定义IKE策略
//一、第一阶段,定义IKE策略
//定义预共享密钥
//设置对等体地址,预设身份认证口令
[R_SH]ike keychain key1
[R_SH-ike-keychain-key1]pre-shared-key address 202.96.34.1 key simple ike
//注意:如果配置错误,我们可以删除配置的预共享密钥,重新配置
[R_SH-ike-keychain-key1]undo pre-shared-key address 202.96.34.1
//进入创建IKE提议,进入配置模式
[R_SH]ike proposal 1
//创建IKE提议的配置文件
[R_SH-ike-proposal-1]ike profile profile1
//(1)进入配置文件模式,设置本端IP地址
[R_SH-ike-profile-profile1]local-identity address 219.230.139.1
[R_SH-ike-profile-profile1]proposal 1
//(2)设置采用的预共享密钥key1
[R_SH-ike-profile-profile1]keychain key1
//(3)设置对端IP地址
[R_SH-ike-profile-profile1]match remote identity address 202.96.34.1
3.第二阶段,定义安全提议
//二、第二阶段,定义安全提议
//创建安全提议
[R_SH]ipsec transform-set tran1
//选择隧道封装模式
[R_SH-ipsec-transform-set-tran1]encapsulation-mode tunnel
//协商封装协议
[R_SH-ipsec-transform-set-tran1]protocol esp
//协商认证算法
[R_SH-ipsec-transform-set-tran1]esp authentication-algorithm sha1
//协商加密算法
[R_SH-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
4.第三阶段访问控制列表,应用控制策略
//三、第三阶段访问控制列表,应用控制策略
//创建高级访问控制列表ACL,进入ACL配置模式
[R_SH]acl advanced 3000
//定义访问控制规则
[R_SH-acl-ipv4-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.
1.2.0 0.0.0.255
[R_SH-acl-ipv4-adv-3000]quit
//创建密钥管理策略,进入策略配置模式
[R_SH]ipsec policy policy1 10 isakmp
[R_SH-ipsec-policy-isakmp-policy1-10]security acl 3000
[R_SH-ipsec-policy-isakmp-policy1-10]ike-profile profile1
[R_SH-ipsec-policy-isakmp-policy1-10]transform-set tran1
[R_SH-ipsec-policy-isakmp-policy1-10]remote-address 202.96.34.1
//在接口se0/1上应用上述密钥管理策略
[R_SH]int ser 1/0
[R_SH-Serial1/0]ipsec apply policy policy1
[R_SH-Serial1/0]save
5.将MSR36-20_1路由器重命名为R_ISP进行配置
(二)配置运营商路由器R_ISP
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R_ISP
[R_ISP]int se 1/0
[R_ISP-Serial1/0]ip address 219.230.139.2 24
[R_ISP-Serial1/0]quit
[R_ISP]int se 2/0
[R_ISP-Serial2/0]ip address 202.96.34.2 24
[R_ISP-Serial2/0]quit
[R_ISP]save
//配置动态路由
[R_ISP]ospf 1
[R_ISP-ospf-1]area 0
[R_ISP-ospf-1-area-0.0.0.0]network 219.230.139.0 0.0.0.255
[R_ISP-ospf-1-area-0.0.0.0]network 202.96.34.0 0.0.0.255
[R_ISP-ospf-1-area-0.0.0.0]save
6.将MSR36-20_4路由器重新命名为R_B进行配置
[R_BJ]int se 1/0
[R_BJ-Serial1/0]ip address 202.96.34.1 24
[R_BJ-Serial1/0]quit
[R_BJ]int ge 0/0
[R_BJ-GigabitEthernet0/0]ip address 10.1.2.254 24
[R_BJ-GigabitEthernet0/0]quit
[R_BJ]save
//配置动态路由协议ospf
[R_BJ]ospf 1
[R_BJ-ospf-1]area 0
[R_BJ-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R_BJ-ospf-1-area-0.0.0.0]network 202.96.34.0 0.0.0.255
[R_BJ-ospf-1-area-0.0.0.0]save
//配置IKE提议
//设置对等体IP地址,配置身份验证密码
[R_BJ]ike keychain key1
[R_BJ-ike-keychain-key1]pre-shared-key address 219.230.139.1 key simple ike
[R_BJ]ike profile profile1
[R_BJ-ike-profile-profile1]local-identity address 202.96.34.1
[R_BJ-ike-profile-profile1]proposal 1
[R_BJ-ike-profile-profile1]keychain key1
[R_BJ-ike-profile-profile1]match remote identity address 219.230.139.1
[R_BJ-ike-profile-profile1]save
//配置安全提议
[R_BJ]ipsec transform-set tran1
[R_BJ-ipsec-transform-set-tran1]encapsulation-mode tunnel
[R_BJ-ipsec-transform-set-tran1]protocol esp
[R_BJ-ipsec-transform-set-tran1]esp authentication-algorithm sha1
[R_BJ-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
[R_BJ-ipsec-transform-set-tran1]save
//配置高级访问控制列表ACL
[R_BJ]acl advance 3000
[R_BJ-acl-ipv4-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.
1.1.0 0.0.0.255
[R_BJ-acl-ipv4-adv-3000]save
//配置安全策略Policy
[R_BJ]ipsec policy policy1 10 isakmp
[R_BJ-ipsec-policy-isakmp-policy1-10]security acl 3000
[R_BJ-ipsec-policy-isakmp-policy1-10]ike-profile profile1
[R_BJ-ipsec-policy-isakmp-policy1-10]transform-set tran1
[R_BJ-ipsec-policy-isakmp-policy1-10]remote-address 219.230.139.1
[R_BJ-ipsec-policy-isakmp-policy1-10]save
//将上述策略应用到路由器接口
[R_BJ]int se1/0
[R_BJ-Serial1/0]ipsec apply policy policy1
[R_BJ-Serial1/0]save
四、最后实验结果
PC1与PC2之间能够相互ping通