Networking Requirements
As shown in Figure 1, RouterA is the gateway of a remote branch of a company and RouterB is the gateway of the company headquarters. The branch and the headquarters communicate over the public network. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24. The branch gateway accesses the public network through PPPoE, and PPPoE_Server is the server that assigns an IP address to the branch gateway.
The company wants to protect the traffic exchanged between the branch subnet and the headquarters subnet. Because the two sites communicate over the public network, an IPSec tunnel can be set up between the branch gateway and the headquarters gateway to protect this traffic. The branch gateway obtains its IP address as a PPPoE client, so the headquarters cannot know that address in advance; the headquarters gateway can therefore only respond to IPSec negotiation initiated by the branch gateway.
Figure 1 Network diagram: a PPPoE dial-up branch establishing an IPSec tunnel with the headquarters
Configuration Roadmap
The configuration roadmap for this example, in which a PPPoE user initiates negotiation to establish an IPSec tunnel, is as follows:
- Configure RouterA as a PPPoE client so that it can obtain an IP address from the server.
- Configure the IPSec tunnel to be established through IKE dynamic negotiation, with RouterB acting as the responder that accepts the IPSec negotiation initiated by RouterA.
Procedure
- Configure RouterA as a PPPoE client so that it can obtain an IP address from the server
# Configure a dialer access group that permits all IPv4 packets.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dialer-rule
[RouterA-dialer-rule] dialer-rule 1 ip permit
[RouterA-dialer-rule] quit
# Create a dialer interface and configure its parameters.
[RouterA] interface dialer 1
[RouterA-Dialer1] link-protocol ppp
[RouterA-Dialer1] ppp pap local-user user@huawei.com password cipher Huawei@1234
[RouterA-Dialer1] ip address ppp-negotiate
[RouterA-Dialer1] dialer user huawei
[RouterA-Dialer1] dialer bundle 1
[RouterA-Dialer1] dialer-group 1
[RouterA-Dialer1] quit
# Bind the dialer interface to the physical interface to set up a PPPoE session.
[RouterA] interface ethernet1/0/0
[RouterA-Ethernet1/0/0] pppoe-client dial-bundle-number 1
[RouterA-Ethernet1/0/0] quit
# Configure an IP address for the LAN interface (a host address in 10.1.1.0/24, matching the configuration file below; the network address 10.1.1.0 cannot be assigned to an interface).
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet2/0/0] quit
# Configure static routes to the remote end, specifying dialer interface Dialer1 as the next hop towards PC B.
[RouterA] ip route-static 6.6.6.0 24 dialer1
[RouterA] ip route-static 10.1.2.0 24 dialer1
- On RouterA, configure the parameters for establishing the IPSec tunnel through IKE dynamic negotiation
# Configure an ACL that defines the data flow from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
[RouterA] acl number 3003
[RouterA-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3003] quit
# Configure an IPSec proposal.
[RouterA] ipsec proposal prop1
[RouterA-ipsec-proposal-prop1] quit
The default values of the IPSec proposal are used here. Run display ipsec proposal to view the configuration.
[RouterA] display ipsec proposal
Number of Proposals: 1
IPSec proposal name: prop1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96
Encryption DES
# Configure an IKE peer.
[RouterA] ike peer rut1 v1
[RouterA-ike-peer-rut1] pre-shared-key simple huawei
[RouterA-ike-peer-rut1] remote-address 6.6.6.6
[RouterA-ike-peer-rut1] quit
No IKE proposal is referenced here; the default configuration provided by the system is used, which is as follows.
Number of IKE Proposals: 1
-------------------------------------------
IKE Proposal: Default
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
Run display ike peer on RouterA to view the configuration.
[RouterA] display ike peer name rut1 verbose
------------------------------------------
Peer name : rut1
Exchange mode : main on phase 1
Pre-shared-key : huawei
Local ID type : IP
DPD : Disable
DPD mode : Periodic
DPD idle time : 30
DPD retransmit interval: 15
DPD retry limit : 3
Host name :
Peer IP address : 6.6.6.6
VPN name :
Local IP address :
Local name :
Remote name :
NAT-traversal : Disable
Configured IKE version : Version one
PKI realm : NULL
Inband OCSP : Disable
------------------------------------------
# Configure a security policy.
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterA-ipsec-policy-isakmp-policy1-10] proposal prop1
[RouterA-ipsec-policy-isakmp-policy1-10] security acl 3003
[RouterA-ipsec-policy-isakmp-policy1-10] quit
Run display ipsec policy to view the configuration.
[RouterA] display ipsec policy name policy1
===========================================
IPSec policy group: "policy1"
Using interface:
===========================================
Sequence number: 10
Security data flow: 3003
Peer name : rut1
Perfect forward secrecy: None
Proposal name: prop1
IPSec SA local duration(time based): 3600 seconds
IPSec SA local duration(traffic based): 1843200 kilobytes
Anti-replay window size: 32
SA trigger mode: Automatic
Route inject: None
Qos pre-classify: Disable
# Apply the security policy group to the dialer interface.
[RouterA] interface dialer 1
[RouterA-Dialer1] ipsec policy policy1
[RouterA-Dialer1] quit
- On RouterB, configure the parameters for establishing the IPSec tunnel through IKE dynamic negotiation, with RouterB acting as the responder
# Configure IP addresses for the interfaces and a static route to the remote end.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address 6.6.6.6 255.255.255.0
[RouterB-Ethernet1/0/0] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-Ethernet2/0/0] quit
# Configure a static route to the remote end, assuming the next-hop address is 6.6.6.254.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 6.6.6.254
# Configure an IPSec proposal.
[RouterB] ipsec proposal prop1
[RouterB-ipsec-proposal-prop1] quit
# Configure an IKE peer.
Because RouterB uses a policy template for its security policy and acts as the responder, no remote IP address needs to be specified in the IKE peer.
[RouterB] ike peer rut1 v1
[RouterB-ike-peer-rut1] pre-shared-key simple huawei
[RouterB-ike-peer-rut1] quit
Run display ike peer on RouterB to view the configuration.
[RouterB] display ike peer name rut1 verbose
------------------------------------------
Peer name : rut1
Exchange mode : main on phase 1
Pre-shared-key : huawei
Local ID type : IP
DPD : Disable
DPD mode : Periodic
DPD idle time : 30
DPD retransmit interval: 15
DPD retry limit : 3
Host name :
Peer IP address :
VPN name :
Local IP address :
Local name :
Remote name :
NAT-traversal : Disable
Configured IKE version : Version one
PKI realm : NULL
Inband OCSP : Disable
------------------------------------------
# Configure a policy template.
[RouterB] ipsec policy-template temp1 10
[RouterB-ipsec-policy-templet-temp1-10] ike-peer rut1
[RouterB-ipsec-policy-templet-temp1-10] proposal prop1
[RouterB-ipsec-policy-templet-temp1-10] quit
Run display ipsec policy-template to view the configuration.
[RouterB] display ipsec policy-template name temp1
===============================================
IPSec policy template group: "temp1"
===============================================
Sequence number: 1
Security data flow: 3003
Peer name : rut1
Perfect forward secrecy: None
Proposal name: prop1
IPSec SA local duration(time based): 3600 seconds
IPSec SA local duration(traffic based): 1843200 kilobytes
Anti-replay window size: 32
Route inject: None
Qos pre-classify: Disable
===============================================
# Reference the policy template in a security policy.
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Apply the security policy group to the interface.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ipsec policy policy1
[RouterB-Ethernet1/0/0] quit
- Verify the configuration
# After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is encrypted. Run display ipsec statistics esp to view packet statistics.
# Run display ike sa on RouterA. The result is as follows.
[RouterA] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
246 6.6.6.6 0 RD|ST 2
245 6.6.6.6 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
# Run display ike sa on RouterB. The result is as follows.
[RouterB] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
2 7.7.7.254 0 RD 2
1 7.7.7.254 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
# Run display ipsec sa on RouterA to view the SA information.
[RouterA] display ipsec sa
===============================
Interface: Dialer1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "policy1"
Sequence number : 10
Acl Group : 3003
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 246
Encapsulation mode: Tunnel
Tunnel local : 7.7.7.254
Tunnel remote : 6.6.6.6
Flow source : 10.1.1.0/255.255.255.0 0/0
Flow destination : 10.1.2.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 503811799 (0x1e078ed7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1360
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 374552495 (0x165337af)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1360
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
# Run display ipsec sa on RouterB to view the SA information.
[RouterB] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1492
===============================
-----------------------------
IPSec policy name: "policy1"
Sequence number : 10
Acl Group : 0
Acl rule : 0
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 6.6.6.6
Tunnel remote : 7.7.7.254
Flow source : 10.1.2.0/255.255.255.0 0/0
Flow destination : 10.1.1.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 374552495 (0x165337af)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1300
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 503811799 (0x1e078ed7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1300
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
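The checks above can be automated. The following added example (not part of the original page or of the Huawei product documentation) parses constructed copies of the display ike sa and display ipsec sa output shown above and reports the tunnel as up only when both IKE phases are READY with the expected peer and the ESP SPIs on RouterA mirror those on RouterB. The sample text is trimmed to the lines the check needs.

```python
import re

# Constructed samples shaped like the page's output; not captured from a real device.
IKE_SA_A = """\
Conn-ID  Peer       VPN  Flag(s)  Phase
---------------------------------------------------------------
246      6.6.6.6    0    RD|ST    2
245      6.6.6.6    0    RD|ST    1
"""
IPSEC_SA_A = """\
[Outbound ESP SAs]
SPI: 503811799 (0x1e078ed7)
[Inbound ESP SAs]
SPI: 374552495 (0x165337af)
"""
IPSEC_SA_B = """\
[Outbound ESP SAs]
SPI: 374552495 (0x165337af)
[Inbound ESP SAs]
SPI: 503811799 (0x1e078ed7)
"""

# One data row of "display ike sa": Conn-ID, Peer, VPN, Flag(s), Phase.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([12])\s*$")


def ready_phases(ike_sa_text, peer):
    """Return the set of IKE phases whose SA with `peer` carries the RD (READY) flag."""
    phases = set()
    for line in ike_sa_text.splitlines():
        m = IKE_ROW.match(line)
        if m and m.group(2) == peer and "RD" in m.group(4).split("|"):
            phases.add(int(m.group(5)))
    return phases


def esp_spis(ipsec_sa_text):
    """Return {'out': [...], 'in': [...]} decimal SPIs from a display ipsec sa dump."""
    spis, direction = {"out": [], "in": []}, None
    for line in ipsec_sa_text.splitlines():
        if line.startswith("[Outbound"):
            direction = "out"
        elif line.startswith("[Inbound"):
            direction = "in"
        elif line.startswith("SPI:") and direction:
            spis[direction].append(int(line.split()[1]))
    return spis


def tunnel_up(ike_a, peer_of_a, ipsec_a, ipsec_b):
    """True only if phase 1 and 2 are READY and A's outbound SPI is B's inbound SPI and vice versa."""
    a, b = esp_spis(ipsec_a), esp_spis(ipsec_b)
    return ready_phases(ike_a, peer_of_a) == {1, 2} and a["out"] == b["in"] and a["in"] == b["out"]
```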
Configuration Files
- RouterA configuration file
#
sysname RouterA
#
acl number 3003
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1
#
ike peer rut1 v1
pre-shared-key simple huawei
remote-address 6.6.6.6
#
ipsec policy policy1 10 isakmp
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1
link-protocol ppp
ppp pap local-user user@huawei.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ipsec policy policy1
#
interface Ethernet1/0/0
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 6.6.6.0 255.255.255.0 dialer1
ip route-static 10.1.2.0 255.255.255.0 Dialer1
#
return
- RouterB configuration file
#
sysname RouterB
#
ipsec proposal prop1
#
ike peer rut1 v1
pre-shared-key simple huawei
#
ipsec policy-template temp1
ike-peer rut1
proposal prop1
#
ipsec policy policy1 10 isakmp template temp1
#
interface Ethernet1/0/0
ip address 6.6.6.6 255.255.255.0
ipsec policy policy1
#
interface Ethernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 6.6.6.254
#
return
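The configuration files above rely on platform defaults (DES and SHA1 in the IPSec proposal, DES-CBC and MODP-768 in the default IKE proposal) and store the pre-shared key with the simple keyword. The following added example (not part of the original page or of the Huawei product documentation) audits a VRP configuration file for those settings and for policies that reference an undefined IKE peer or proposal. It assumes that the esp encryption-algorithm, esp authentication-algorithm and ike-proposal commands, which this page does not show, are the markers of a hardened configuration.

```python
# Constructed sample: the IPSec-relevant blocks of this page's RouterA configuration file.
ROUTER_A_CONFIG = """\
#
ipsec proposal prop1
#
ike peer rut1 v1
 pre-shared-key simple huawei
 remote-address 6.6.6.6
#
ipsec policy policy1 10 isakmp
 security acl 3003
 ike-peer rut1
 proposal prop1
#
"""


def parse_blocks(config):
    """Split a VRP config into {header line: [sub-commands]} blocks delimited by '#' lines."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line.strip() == "#":
            header = None
        elif header is None:
            header = line.strip()
            blocks[header] = []
        else:
            blocks[header].append(line.strip())
    return blocks


def audit(config):
    """Return findings about weak defaults, cleartext keys and dangling references."""
    findings, blocks = [], parse_blocks(config)
    proposals = {h.split()[2] for h in blocks if h.startswith("ipsec proposal ")}
    peers = {h.split()[2] for h in blocks if h.startswith("ike peer ")}
    for header, cmds in blocks.items():
        words = header.split()
        # Assumed hardening markers: "esp ..." algorithm commands and "ike-proposal" (not shown on the page).
        if header.startswith("ipsec proposal ") and not any(c.startswith("esp ") for c in cmds):
            findings.append(f"ipsec proposal {words[2]}: default algorithms (DES/SHA1) in use")
        if header.startswith("ike peer "):
            if any(c.startswith("pre-shared-key simple") for c in cmds):
                findings.append(f"ike peer {words[2]}: pre-shared key stored in cleartext (simple)")
            if not any(c.startswith("ike-proposal ") for c in cmds):
                findings.append(f"ike peer {words[2]}: default IKE proposal (DES-CBC, MODP-768) in use")
        if header.startswith(("ipsec policy ", "ipsec policy-template ")):
            for c in cmds:
                if c.startswith("ike-peer ") and c.split()[1] not in peers:
                    findings.append(f"{header}: references undefined ike peer {c.split()[1]}")
                if c.startswith("proposal ") and c.split()[1] not in proposals:
                    findings.append(f"{header}: references undefined proposal {c.split()[1]}")
    return findings
```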