First, a brief introduction to IPsec. There are two reasons for introducing the IPsec protocol. The first is that the original TCP/IP stack included no security in its design: anyone who could tap the line could read all of the traffic. IPsec brings a complete set of security mechanisms, including encryption, authentication and tamper protection. The second is that, with the Internet growing rapidly and access becoming ever easier, many customers want to use that Internet bandwidth to interconnect networks at different sites. Through packet encapsulation, IPsec wraps the internal network's IP addresses inside Internet-routable addresses and so connects networks at different locations.

IPsec is the long-term direction for secure networking. Through end-to-end security it provides proactive protection against attacks from private networks and the Internet. In a communication, only the sender and the receiver need to know about the IPsec protection. It therefore offers the following security properties: 1. authentication; 2. anti-replay; 3. data integrity; 4. data confidentiality.

Because of these properties, IPsec is very widely used in enterprise networks.

Below we illustrate with a concrete example: a large company's headquarters and its branch offices are in different locations (see the figure), and the headquarters and the branches need to communicate securely and reliably.

Now for the detailed configuration. The simple topology is shown below:

[Figure: network topology diagram]

First, configure each PC as follows:

PC1 address:

[Screenshot: PC1 IP configuration]

PC2 address:

[Screenshot: PC2 IP configuration]

PC3 address:

[Screenshot: PC3 IP configuration]

Next, complete the configuration on the Layer 3 switch (the switch simulates the external network):

vlan 10    create the VLAN
port eth0/1    assign a port to the VLAN
quit

vlan 20
port eth0/3
quit

vlan 30
port eth0/5
quit

int vlan 10
ip add 10.1.1.2 255.255.255.0    configure the IP address
quit

int vlan 20
ip add 10.2.2.2 255.255.255.0
quit

int vlan 30
ip add 10.3.3.2 255.255.255.0
quit

Next, the configuration of R1:

sysname R1

int eth 0
ip add 192.168.1.1 24    assign an IP address to interface e0
quit

int eth 1
ip add 10.1.1.1 24    assign an IP address to e1
quit

ip route 0.0.0.0 0.0.0.0 10.1.1.2    configure the default route; a default route is required to reach the external network

acl 3001    create an advanced ACL to restrict which traffic is protected
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255    the permitted source network and its destination network
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any    deny everything else
quit

acl 3002    there are two links, to R2 and to R3, so configure a second ACL
rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source any destination any
quit

ipsec proposal tran1    then create the IPsec proposal; tran1 is the proposal name
encapsulation-mode tunnel    encapsulate packets in tunnel mode
transform esp-new    use ESP as the security protocol
esp-new encryption-algorithm des    set DES as the encryption algorithm
esp-new authentication-algorithm sha1-hmac-96    set SHA1-HMAC-96 as the authentication algorithm
quit

ipsec policy policy1 10 isakmp    create a security policy named policy1 with ISAKMP (dynamic) negotiation
security acl 3001    reference the ACL
proposal tran1    reference the proposal
tunnel remote 10.2.2.1    set the peer (R2) address
quit

ipsec policy policy1 20 isakmp    there are two tunnels (to R2 and to R3), so a second entry with a different sequence number
security acl 3002
proposal tran1
tunnel remote 10.3.3.1    set the peer (R3) address
quit

interface eth 1
ipsec policy policy1    apply the configured policy to this interface
quit

ike pre-shared-key abcde remote 10.2.2.1    configure the pre-shared key used to negotiate with the peer (R2)
ike pre-shared-key 12345 remote 10.3.3.1    configure the pre-shared key used to negotiate with the peer (R3)

Let's look at what was just configured:

[R1]dis cu
  Now create configuration...
  Current configuration
  !
    version 1.74
    local-user user1 service-type administrator password simple 123
    sysname R1
    undo pos-server addr-switch
    firewall enable
    aaa-enable
    aaa accounting-scheme optional
  !
  ike pre-shared-key 12345 remote 10.3.3.1
  ike pre-shared-key abcde remote 10.2.2.1    the key used for authentication; here it is abcde (it is like a password and can be chosen freely), but it must be identical on the peer (R2), since this is what R1 negotiates with R2
  !
  acl 3001 match-order auto    the configured access control lists
    rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule normal deny ip source any destination any
  !
  acl 3002 match-order auto
    rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    rule normal deny ip source any destination any
  !
  ipsec proposal tran1    the proposal
    esp-new authentication-algorithm sha1-hmac-96
  !
  ipsec policy policy1 10 isakmp    the security policies
    security acl 3001
    proposal tran1
    tunnel remote 10.2.2.1
  !
  ipsec policy policy1 20 isakmp
    security acl 3002
    proposal tran1
    tunnel remote 10.3.3.1
  !
  controller e1 0
  !
  interface Aux0
    async mode flow
    link-protocol ppp
  !
  interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
  !
  interface Ethernet1
    ip address 10.1.1.1 255.255.255.0
    ipsec policy policy1    the policy is applied under interface e1
  !
  quit
  ip route-static 0.0.0.0 0.0.0.0 10.1.1.2 preference 60    the default route
  !
  return

R1 is done; now configure R2:

sysname R2

int eth 0
ip add 192.168.2.1 24
quit

int eth 1
ip add 10.2.2.1 24
quit

ip route 0.0.0.0 0.0.0.0 10.2.2.2

acl 3001
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 
rule deny ip source any destination any
quit

ipsec proposal tran1
encapsulation-mode tunnel
transform esp-new
esp-new encryption-algorithm des
esp-new authentication-algorithm sha1-hmac-96
quit

ipsec policy policy1 10 isakmp
security acl 3001
proposal tran1    
tunnel remote 10.1.1.1
quit

interface eth 1
ipsec policy policy1
quit

ike pre-shared-key abcde remote 10.1.1.1

Check its configuration:

[R2]dis cu
  Now create configuration...
  Current configuration
  !
    version 1.74
    local-user user1 service-type administrator password simple 123
    sysname R2
    undo pos-server addr-switch
    firewall enable
    aaa-enable
    aaa accounting-scheme optional
  !
  ike pre-shared-key abcde remote 10.1.1.1
  !
  acl 3001 match-order auto
    rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    rule normal deny ip source any destination any
  !
  ipsec proposal tran1
    esp-new authentication-algorithm sha1-hmac-96
  !
  ipsec policy policy1 10 isakmp
    security acl 3001
    proposal tran1
    tunnel remote 10.1.1.1
  !
  interface Aux0
    async mode flow
    link-protocol ppp
  !
  interface Ethernet0
    ip address 192.168.2.1 255.255.255.0
  !
  interface Ethernet1
    ip address 10.2.2.1 255.255.255.0
    ipsec policy policy1
  !
  quit
  ip route-static 0.0.0.0 0.0.0.0 10.2.2.2 preference 60
  !
  return

R2 is also done; finally, the configuration of R3:

sysname R3

int eth 0
ip add 192.168.3.1 24
quit

int eth 1
ip add 10.3.3.1 24
quit

ip route 0.0.0.0 0.0.0.0 10.3.3.2

acl 3001
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source any destination any
quit

ipsec proposal tran1
encapsulation-mode tunnel
transform esp-new
esp-new encryption-algorithm des
esp-new authentication-algorithm sha1-hmac-96
quit

ipsec policy policy1 20 isakmp
security acl 3001
proposal tran1
tunnel remote 10.1.1.1
quit

interface eth 1
ipsec policy policy1
quit

ike pre-shared-key 12345 remote 10.1.1.1

Check its configuration:

[R3]dis cu
  Now create configuration...
  Current configuration
  !
    version 1.74
    sysname R3
    firewall enable
    aaa-enable
    aaa accounting-scheme optional
  !
  ike pre-shared-key 12345 remote 10.1.1.1
  !
  acl 3001 match-order auto
    rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule normal deny ip source any destination any
  !
  ipsec proposal tran1
    esp-new authentication-algorithm sha1-hmac-96
  !
  ipsec policy policy1 20 isakmp
    security acl 3001
    proposal tran1
    tunnel remote 10.1.1.1
  !
  interface Aux0
    async mode flow
    link-protocol ppp
  !
  interface Ethernet0
    ip address 192.168.3.1 255.255.255.0
  !
  interface Ethernet1
    ip address 10.3.3.1 255.255.255.0
    ipsec policy policy1
  !
  quit
  ip route-static 0.0.0.0 0.0.0.0 10.3.3.2 preference 60
  !
  return
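Before testing connectivity it is worth checking that the three configurations mirror each other, because a pre-shared key that differs on one side, or an ACL flow with no reversed entry on the peer, is the usual reason an IKE or IPsec negotiation fails. The script below is an added example, not part of the original post: it holds the WAN addresses, pre-shared keys and ACL flows copied from the three router configs above as constructed data, and checks that every tunnel has the same key at both ends and a mirrored ACL on the peer; with_key_typo is a hypothetical helper that injects the wrong-key mistake so the check can be seen to fire.

```python
from copy import deepcopy

# Constructed from the three router configs in this post: WAN address, the
# pre-shared key held for each peer, and per isakmp policy the peer address
# plus the (source, destination) networks its security ACL permits.
ROUTERS = {
    "R1": {"wan": "10.1.1.1",
           "psk": {"10.2.2.1": "abcde", "10.3.3.1": "12345"},
           "policies": {"10.2.2.1": [("192.168.1.0/24", "192.168.2.0/24"),
                                     ("192.168.3.0/24", "192.168.2.0/24")],
                        "10.3.3.1": [("192.168.1.0/24", "192.168.3.0/24"),
                                     ("192.168.2.0/24", "192.168.3.0/24")]}},
    "R2": {"wan": "10.2.2.1",
           "psk": {"10.1.1.1": "abcde"},
           "policies": {"10.1.1.1": [("192.168.2.0/24", "192.168.1.0/24"),
                                     ("192.168.2.0/24", "192.168.3.0/24")]}},
    "R3": {"wan": "10.3.3.1",
           "psk": {"10.1.1.1": "12345"},
           "policies": {"10.1.1.1": [("192.168.3.0/24", "192.168.1.0/24"),
                                     ("192.168.3.0/24", "192.168.2.0/24")]}},
}


def check_tunnels(routers):
    """Return a list of findings; an empty list means every tunnel is symmetric."""
    by_wan = {r["wan"]: name for name, r in routers.items()}
    findings = []
    for name, r in routers.items():
        for peer_ip, flows in r["policies"].items():
            # KeyError here means 'tunnel remote' points at no router's WAN address.
            peer = by_wan[peer_ip]
            p = routers[peer]
            # IKE phase 1: both ends must hold the same key for each other.
            if r["psk"].get(peer_ip) != p["psk"].get(r["wan"]):
                findings.append(f"{name}<->{peer}: pre-shared keys differ")
            # IKE phase 2: the peer needs a policy back to us, and each flow we
            # protect must appear reversed in the peer's security ACL.
            back = p["policies"].get(r["wan"])
            if back is None:
                findings.append(f"{peer}: no policy with tunnel remote {r['wan']}")
                continue
            for src, dst in flows:
                if (dst, src) not in back:
                    findings.append(f"{peer}: ACL lacks mirror of {src}->{dst}")
    return findings


def with_key_typo(routers):
    """Hypothetical helper: copy the configs with R2 holding the wrong key."""
    broken = deepcopy(routers)
    broken["R2"]["psk"]["10.1.1.1"] = "123456"  # mistyped key, as in the R1 comment
    return broken
```

Running check_tunnels on the configs as written returns no findings; the mistyped key is reported once from each side of the R1-R2 tunnel.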

All configuration is now complete; finally, let's check the connectivity:

First, the result of PC1 pinging PC2:

[Screenshot: ping from PC1 to PC2]

The figure shows normal communication. Now the result of PC1 pinging PC3:

[Screenshot: ping from PC1 to PC3]

Also normal. Now let's look at PC2 pinging PC3:

[Screenshot: ping from PC2 to PC3]

All three sites can communicate with each other; this lab ends here. I hope it helps, thank you.

Made by a beginner; there are many shortcomings, so please share your advice!