First, a brief introduction to IPsec. The IPsec protocol was introduced for two reasons. The first is that the original TCP/IP suite contained no security design at all: anyone who could tap into the line could read every byte of traffic. IPsec adds a complete set of security mechanisms, including encryption, authentication and protection against data tampering. The second is that, as the Internet grew quickly and access became ever easier, many customers wanted to use that Internet bandwidth to connect networks at different sites. Through packet encapsulation, IPsec wraps the internal network's IP addresses inside Internet-routable addresses, so that networks at remote sites can reach each other.
IPsec is the long-term direction for secure networking. It uses end-to-end security to provide proactive protection against attacks from private networks and the Internet. In a communication, the sender and the receiver are the only computers that need to know about the IPsec protection. It therefore offers the following security properties: 1. authentication; 2. anti-replay; 3. data integrity; 4. data confidentiality.
Because of these properties, IPsec is very widely used in enterprise networks.
Let's illustrate this with a concrete example. A large company has its headquarters and branch offices at different locations (see figure); the headquarters and the branches must be able to communicate securely and without interruption.
Here is the detailed configuration. The simple topology is shown below:
First, set up the PCs as follows:
PC1's address:
PC2's address:
PC3's address:
Next, finish the configuration on the Layer 3 switch (the switch simulates the public network):
vlan 10  create the VLAN
port eth0/1  assign a port to the VLAN
quit
vlan 20
port eth0/3
quit
vlan 30
port eth0/5
quit
int vlan 10
ip add 10.1.1.2 255.255.255.0  configure the IP address
quit
int vlan 20
ip add 10.2.2.2 255.255.255.0
quit
int vlan 30
ip add 10.3.3.2 255.255.255.0
quit
Now the configuration of R1:
sysname R1
int eth 0
ip add 192.168.1.1 24  assign an IP address to interface e0
quit
int eth 1
ip add 10.1.1.1 24  assign an IP address to e1
quit
ip route 0.0.0.0 0.0.0.0 10.1.1.2  configure a default route; without it there is no path to the outside network
acl 3001  create an extended ACL so that only the intended traffic is protected
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255  permit the source network and the destination network it may reach
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any  deny everything else
quit
acl 3002  there are two links, one to R2 and one to R3, so a second ACL is configured
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source any destination any
quit
ipsec proposal tran1  now create the security proposal; tran1 is the proposal name
encapsulation-mode tunnel  packets are encapsulated in tunnel mode
transform esp-new  ESP is chosen as the security protocol
esp-new encryption-algorithm des  set DES as the encryption algorithm (DES uses a 56-bit key and is no longer considered strong; prefer 3DES or AES where the platform offers them)
esp-new authentication-algorithm sha1-hmac-96  then set the authentication (integrity) algorithm, here HMAC-SHA1 truncated to 96 bits
quit
ipsec policy policy1 10 isakmp  create a security policy named policy1, sequence 10, negotiated dynamically with ISAKMP (IKE)
security acl 3001  reference the access control list
proposal tran1  reference the security proposal
tunnel remote 10.2.2.1  set the address of the remote peer (R2)
quit
ipsec policy policy1 20 isakmp  there are two tunnels (to R2 and to R3), so the second policy entry uses a different sequence number
security acl 3002
proposal tran1
tunnel remote 10.3.3.1  set the address of the remote peer (R3)
quit
interface eth 1
ipsec policy policy1  apply the configured policy to this interface
quit
ike pre-shared-key abcde remote 10.2.2.1  configure the pre-shared key for IKE negotiation with R2; it must match the key configured on R2
ike pre-shared-key 12345 remote 10.3.3.1  configure the pre-shared key for IKE negotiation with R3; it must match the key configured on R3
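The proposal above selects ESP in tunnel mode with sha1-hmac-96 for integrity protection, and the introduction lists authentication, anti-replay and data integrity among the properties IPsec provides. What the receiving router actually does with an ESP packet under such a proposal is shown in the following added example; it is not part of the original post and not router code. It frames an ESP packet as SPI, sequence number, opaque encrypted payload and a 96-bit integrity check value (ICV), verifies the ICV with HMAC-SHA1 truncated to 12 bytes, and enforces a 64-packet anti-replay window. The DES-CBC step itself is not modelled (the payload is treated as already-encrypted opaque bytes), and the SPI, key and payload bytes are constructed values.

```python
"""Receiver-side model of ESP with HMAC-SHA1-96 and an anti-replay window.

Added example, not from the original post or the router vendor.  The
encrypted payload is opaque bytes (no DES-CBC here); SPI, key and payloads
are constructed values.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12  # "sha1-hmac-96": HMAC-SHA1 output truncated to 96 bits


def esp_build(spi, seq, ciphertext, auth_key):
    """Frame one ESP packet: SPI | seq | ciphertext | ICV.

    ciphertext stands for IV + encrypted (inner IP packet, padding, pad length,
    next header); the ICV covers everything before it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


class EspReceiver:
    """Inbound SA state: authentication key plus a sliding anti-replay window."""
    WINDOW = 64

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) was seen

    def accept(self, packet):
        """Return 'ok' or the reason the packet is dropped."""
        if len(packet) < 8 + ICV_LEN:
            return "too short"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown SPI"
        # Replay check first (cheap), ICV check second; state changes only if both pass.
        if seq == 0:
            return "replay"  # sequence numbers start at 1 on a fresh SA
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.WINDOW or (self.bitmap >> diff) & 1:
                return "replay"  # left of the window, or already seen
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "bad ICV"  # forged or corrupted; window is left untouched
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "ok"


def demo():
    """Constructed traffic on one inbound SA; returns the per-packet verdicts."""
    key = b"constructed-auth-key"   # constructed, not a real SA key
    spi = 0x1000                    # constructed SPI
    rx = EspReceiver(spi, key)
    p1 = esp_build(spi, 1, b"\x01" * 24, key)
    p2 = esp_build(spi, 2, b"\x02" * 24, key)
    p3 = esp_build(spi, 3, b"\x03" * 24, key)
    flipped = bytearray(p3)
    flipped[8] ^= 0x01              # flip one bit of the encrypted payload
    verdicts = [
        rx.accept(p1),                                              # ok
        rx.accept(p2),                                              # ok
        rx.accept(p1),                                              # replay: seq 1 seen
        rx.accept(bytes(flipped)),                                  # bad ICV
        rx.accept(p3),                                              # ok: genuine seq 3
        rx.accept(esp_build(spi, 70, b"\x46" * 24, key)),           # ok: window slides
        rx.accept(esp_build(spi, 5, b"\x05" * 24, key)),            # replay: 70-5 >= 64
        rx.accept(esp_build(spi, 7, b"\x07" * 24, key)),            # ok: 70-7 = 63
        rx.accept(esp_build(spi, 71, b"\x47" * 24, b"wrong-key")),  # bad ICV
    ]
    return verdicts


if __name__ == "__main__":
    for i, v in enumerate(demo(), 1):
        print(f"packet {i}: {v}")
```

Two details are worth noticing: the tampered packet fails the ICV check without moving the window, so the genuine packet with the same sequence number is still accepted afterwards, and a valid packet whose sequence number has fallen more than 64 behind the highest one seen is discarded even though its ICV is correct.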
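The two policy entries above pair ACL 3001 with peer R2 and ACL 3002 with peer R3. A packet leaving Ethernet1 is matched against the entries of policy1 in sequence order; the first ACL that permits it decides which tunnel it enters, and a packet that no ACL permits leaves the interface unprotected. Two things worth checking before bringing the tunnels up are which tunnel a given flow will select and whether each spoke's ACL is the mirror image of the hub's, because IKE phase 2 negotiation for a flow typically fails when the two ends disagree on the traffic selectors. The Python below, an added example that is not part of the original post or any vendor software, does both using the ACL lines exactly as they appear on the page. It assumes contiguous wildcard masks and evaluates rules first-match; the page uses match-order auto, but its rules do not overlap, so the result is the same. Note that R1's ACL 3001 also permits 192.168.3.0 to 192.168.2.0: PC3-to-PC2 traffic arrives at R1 through the R3 tunnel, is decrypted, and is matched again on its way out to R2, which is how the two spokes reach each other through the hub.

```python
"""How R1 picks a tunnel for an outbound packet, and a mirror-image check
on the ACLs at both ends of each tunnel.

Added example, not from the original post or the router vendor.  It parses
`rule [normal] permit|deny ip source A WILD destination B WILD` lines as
written on the page (wildcard masks assumed contiguous) and evaluates
them first-match.
"""
import ipaddress


def _net(addr, wild):
    """Turn 'A WILDCARD' (or 'any') into an IPv4Network; the wildcard is a hostmask."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wild == "0.0.0.0":  # wildcard 0.0.0.0 means a single host, not "any"
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False)


def parse_rule(line):
    """Parse one ACL rule line into (action, src_net, dst_net)."""
    tok = line.split()
    if tok[0] == "rule":
        tok = tok[1:]
    if tok[0] == "normal":  # keyword inserted by display current-configuration
        tok = tok[1:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line}")
    nets, i = {}, 0
    while i < len(tok):
        key = tok[i]  # 'source' or 'destination'
        if tok[i + 1] == "any":
            nets[key], i = _net("any", None), i + 2
        else:
            nets[key], i = _net(tok[i + 1], tok[i + 2]), i + 3
    return action, nets["source"], nets["destination"]


def parse_acl(lines):
    return [parse_rule(line) for line in lines]


def acl_permits(acl, src, dst):
    """First matching rule decides; no match means the ACL does not protect the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action == "permit"
    return False


def select_policy(policies, src, dst):
    """policies: [(seq, acl, remote_peer)]; returns (seq, peer), or None if sent in the clear."""
    for seq, acl, peer in sorted(policies, key=lambda p: p[0]):
        if acl_permits(acl, src, dst):
            return seq, peer
    return None


def mirror_ok(local_acl, remote_acl):
    """The peer's permit set must be exactly the reverse of ours."""
    reversed_local = {(d, s) for a, s, d in local_acl if a == "permit"}
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    return reversed_local == remote


# ACLs as configured on the page (R2's copied in display-current-configuration form).
R1_ACL_3001 = parse_acl([
    "rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule deny ip source any destination any",
])
R1_ACL_3002 = parse_acl([
    "rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
    "rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
    "rule deny ip source any destination any",
])
R2_ACL_3001 = parse_acl([
    "rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255",
    "rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
    "rule normal deny ip source any destination any",
])
R3_ACL_3001 = parse_acl([
    "rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255",
    "rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule deny ip source any destination any",
])
R1_POLICIES = [(10, R1_ACL_3001, "10.2.2.1"), (20, R1_ACL_3002, "10.3.3.1")]

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.2.20"), ("192.168.2.20", "192.168.3.30"),
                     ("192.168.1.10", "10.1.1.2")]:
        print(f"{src} -> {dst}: {select_policy(R1_POLICIES, src, dst)}")
    print("R1/R2 mirror:", mirror_ok(R1_ACL_3001, R2_ACL_3001))
    print("R1/R3 mirror:", mirror_ok(R1_ACL_3002, R3_ACL_3001))
```

The last check is the one that catches the common mistake of copying a hub ACL to a spoke without reversing the source and destination networks: pairing R1's ACL 3001 with R3's ACL fails the mirror test, while the page's actual pairings both pass.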
Let's check what was just configured:
[R1]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R1
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 12345 remote 10.3.3.1
ike pre-shared-key abcde remote 10.2.2.1  the pre-shared key used to authenticate the IKE negotiation with R2; it works like a password and can be chosen freely, but it must be identical on the peer. Note that display current-configuration shows both IKE keys and the local-user password above in plaintext, so treat the configuration dump as sensitive.
!
acl 3001 match-order auto  the access control lists configured above
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
acl 3002 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1  the proposal; only settings that differ from the defaults are displayed, which is why tunnel mode, ESP and DES do not appear here
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy policy1 10 isakmp  the security policy
security acl 3001
proposal tran1
tunnel remote 10.2.2.1
!
ipsec policy policy1 20 isakmp
security acl 3002
proposal tran1
tunnel remote 10.3.3.1
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
ipsec policy policy1  the policy has been applied under interface e1
!
quit
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2 preference 60  the default route
!
return
R1 is done; now configure R2:
sysname R2
int eth 0
ip add 192.168.2.1 24
quit
int eth 1
ip add 10.2.2.1 24
quit
ip route 0.0.0.0 0.0.0.0 10.2.2.2
acl 3001
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp-new
esp-new encryption-algorithm des
esp-new authentication-algorithm sha1-hmac-96
quit
ipsec policy policy1 10 isakmp
security acl 3001
proposal tran1
tunnel remote 10.1.1.1
quit
interface eth 1
ipsec policy policy1
quit
ike pre-shared-key abcde remote 10.1.1.1
Check its configuration:
[R2]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R2
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key abcde remote 10.1.1.1
!
acl 3001 match-order auto
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy policy1 10 isakmp
security acl 3001
proposal tran1
tunnel remote 10.1.1.1
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
ip address 10.2.2.1 255.255.255.0
ipsec policy policy1
!
quit
ip route-static 0.0.0.0 0.0.0.0 10.2.2.2 preference 60
!
return
R2 is also done; finally, the configuration of R3:
sysname R3
int eth 0
ip add 192.168.3.1 24
quit
int eth 1
ip add 10.3.3.1 24
quit
ip route 0.0.0.0 0.0.0.0 10.3.3.2
acl 3001
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp-new
esp-new encryption-algorithm des
esp-new authentication-algorithm sha1-hmac-96
quit
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran1
tunnel remote 10.1.1.1
quit
interface eth 1
ipsec policy policy1
quit
ike pre-shared-key 12345 remote 10.1.1.1
Check its configuration:
[R3]dis cu
Now create configuration...
Current configuration
!
version 1.74
sysname R3
firewall enable
aaa-enable
aaa accounting-scheme optional
!
ike pre-shared-key 12345 remote 10.1.1.1
!
acl 3001 match-order auto
rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran1
tunnel remote 10.1.1.1
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1
ip address 10.3.3.1 255.255.255.0
ipsec policy policy1
!
quit
ip route-static 0.0.0.0 0.0.0.0 10.3.3.2 preference 60
!
return
That completes the configuration. Finally, let's check that the sites can communicate:
First, PC1 pings PC2:
The screenshot shows normal communication. Now PC1 pings PC3:
Also normal. Now PC2 pings PC3:
Everything can reach everything else, and that concludes this lab. I hope it is useful to you; thank you.
This was put together by a beginner and has many shortcomings; corrections and advice are welcome!
Reposted from: https://blog.51cto.com/sf418/959662