IPSec原理:
IPSec 是一系列网络安全协议的总称,它是由IETF(Internet Engineering Task
Force,Internet 工程任务组)开发的,可为通讯双方提供访问控制、无连接的完整
性、数据来源认证、反重放、加密以及对数据流分类加密等服务来保证数据包在网络上传输时的私有性、完整性、真实性和防重放 。
1:私有性指对用户数据进行加密保护,用密文的形式传送
2:完整性指对接收的数据进行验证,以判定报文是否被篡改
3:真实性指验证数据源,以保证数据来自真实的发送者
4:防重放指防止恶意用户通过重复发送捕获到的数据包所进行的***,即接收方会拒绝旧的或重复的数据包
IPSec 是网络层的安全机制。通过对网络层包信息的保护,上层应用程序即使没有
实现安全性,也能够自动从网络层提供的安全性中获益。这打消了人们对×××
(Virtual Private Network,虚拟专用网络)安全性的顾虑,使得××× 得以广泛应
用。
IPSec通过AH和ESP两个安全协议实现了上述目标。。为简化IPSec的使用和管理,还可以通过IKE进行自动协商交换密匙、建立和维护安全联盟的服务。
IPSec 对报文的处理过程如下(以AH 协议为例):(1) 对报文添加认证头:从IPSec 队列中读出IP 模块送来的IP 报文,根据配置选
择的协议模式(传输或是隧道模式)对报文添加AH 头,再由IP 层转发。
(2) 对报文进行认证后解去认证头:IP 层收到IP 报文经解析是本机地址,并且协
议号为51,则查找相应的协议开关表项,调用相应的输入处理函数。此处理
函数对报文进行认证和原来的认证值比较,若相等则去掉添加的AH 头,还原
出原始的IP 报文再调用IP 输入流程进行处理;否则此报文被丢弃。
IPSec 是网络层的安全机制。通过对网络层包信息的保护,上层应用程序即使没有实现安全性,也能够自动从网络层提供的安全性中获益。这打消了人们对×××(Virtual Private Network,虚拟专用网络)安全性的顾虑。使得××× 得以广泛应用。
安全联盟(SA)
1:安全联盟(SA)是IPsec的基础,也是本质。SA是通信对等体间对某些要素的约定。例如:使用哪种协议(AH、ESP)、协议的操作模式(隧道模式和传输模式)、加密算法
(DES、3DES等)、特定流中保护数据的共享密钥以及密钥的生存周期等
2:安全联盟(SA)是单向的、在两个对等体之间的双向通信,最少需要两个安全联盟来分别两个方向的数据流进行安全保护。安全联盟由一个三元组来唯一标识,这个三元组包括
SPI(安全参数索引)、目的ip地址、安全协议号(AH或ESP)。SPI是为唯一标识SA而生成的一个32比特的数据,他在AH或ESP投中传输。
3:安全联盟可通过手工配置(manual)和自动协商(ISAKMP)两种方式建立。手工建立(manual)安全联盟的方式是指用户通过在两端手工设置一些参数,然后在接口上应用安
全策略建立安全联盟。自动协商方式(ISAKMP)由IKE 生成和维护,通信双方基于各自的安全策略库经过匹配和协商,最终建立安全联盟而不需要用户的干预。手动方式配置相对
复杂,对于节点较多的情况则使用自动协商方式比较合适。
网络拓扑图:
防火墙配置信息:
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.101.42 255.255.255.0
#
interface Ethernet0/1
ip address 172.16.1.2 255.255.255.0
#
interface Ethernet0/2
ip address 172.16.2.2 255.255.255.0
#
interface Ethernet0/3
ip address 172.16.3.2 255.255.255.0
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
R3配置步骤:
[R3]interface ethernet 1
[R3-Ethernet1]ip address 192.168.2.1 255.255.255.0
[R3-Ethernet1]int ethernet 0
[R3-Ethernet0]ip add 172.16.2.1 255.255.255.0
[R3-Ethernet0]qu
[R3]ip route-static 192.168.1.0 255.255.255.0 172.16.2.2
[R3]acl 3000
[R3-acl-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[R3-acl-3000]rule deny ip source any destination any
Rule has been added to normal packet-filtering rules
[R3-acl-3000]qu
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]encapsulation tunnel
[R3-ipsec-proposal-tran1]transform esp-new
[R3-ipsec-proposal-tran1]
[R3-ipsec-proposal-tran1]esp-new encryption-algorithm des
[R3-ipsec-proposal-tran1]esp-new authentication sha1-hmac-96
[R3-ipsec-proposal-tran1]qu
[R3]ipsec policy policy1 10 manual
[R3-ipsec-policy-policy1-10]security acl 3000
[R3-ipsec-policy-policy1-10]proposal tran1
[R3-ipsec-policy-policy1-10]tunnel local 172.16.2.1
[R3-ipsec-policy-policy1-10]tunnel remote 172.16.1.1
[R3-ipsec-policy-policy1-10]sa outbound esp spi 12345
[R3-ipsec-policy-policy1-10]sa outbound esp string-key abcdef
[R3-ipsec-policy-policy1-10]sa inbound esp spi 54321
[R3-ipsec-policy-policy1-10]sa inbound esp string-key fedcba
[R3-ipsec-policy-policy1-10]qu
[R3]interface ethernet 0
[R3-Ethernet0]ipsec policy policy1
[R3-Ethernet0]qu
R3配置信息:
[R3]display current-configuration
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R3
undo pos-server addr-switch
firewall enable
aaa-enable
aaa accounting-scheme optional
!
acl 3000 match-order auto
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 172.16.2.1
tunnel remote 172.16.1.1
sa inbound esp spi 54321
sa inbound esp string-key fedcba
sa outbound esp spi 12345
sa outbound esp string-key abcdef
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
ipsec policy policy1
!
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
!
quit
ip route-static 192.168.1.0 255.255.255.0 172.16.2.2 preference 60
!
return
R5配置信息:
[Router]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
firewall enable
aaa-enable
aaa accounting-scheme optional
!
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
acl 3001 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal wangjian
esp-new authentication-algorithm sha1-hmac-96
!
ipsec proposal donghao
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy policy1 10 manual
security acl 3000
proposal wangjian
tunnel local 172.16.1.1
tunnel remote 172.16.2.1
sa inbound esp spi 12345
sa inbound esp string-key abcdef
sa outbound esp spi 54321
sa outbound esp string-key fedcba
!
ipsec policy policy1 11 manual
security acl 3001
proposal wangjian
tunnel local 172.16.1.1
tunnel remote 172.16.3.1
sa inbound esp spi 12345
sa inbound esp string-key abcdef
sa outbound esp spi 54321
sa outbound esp string-key fedcba
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ipsec policy policy1
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
!
interface Async0
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async1
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async2
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async3
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async4
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async5
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async6
physical-mode async
async mode protocol
link-protocol ppp
!
interface Async7
physical-mode async
async mode protocol
link-protocol ppp
!
voice-setup
!
subscriber-line 0
!
subscriber-line 1
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2 preference 60
!
return
[Router]
[Router]dis ipsec policy all
ipsec policy name: policy1
ipsec policy sequence: 10
negotiation mode: manual
security acl: 3000
local address: 172.16.1.1
remote address: 172.16.2.1
proposal name: wangjian
ah(inbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(inbound) setting:
esp spi: 12345 (0x3039)
esp string-key: abcdef
esp encryption-hex:
esp authen-hex:
ah(outbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(outbound) setting:
esp spi: 54321 (0xd431)
esp string-key: fedcba
esp encryption-hex:
esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
ipsec policy name: policy1
ipsec policy sequence: 11
negotiation mode: manual
security acl: 3001
local address: 172.16.1.1
remote address: 172.16.3.1
proposal name: wangjian
ah(inbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(inbound) setting:
esp spi: 12345 (0x3039)
esp string-key: abcdef
esp encryption-hex:
esp authen-hex:
ah(outbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(outbound) setting:
esp spi: 54321 (0xd431)
esp string-key: fedcba
esp encryption-hex:
esp authen-hex:
OutBound SA has been established.
InBound SA has NOT been established.
[Router]
[Router]dis ipsec sa all
interface name: Ethernet0
path MTU: 1500
ipsec policy name: policy1
ipsec policy sequence: 10
negotiation mode: manual
in use settings = {tunnel}
local address: 172.16.1.1
remote address: 172.16.2.1
esp SAs(inbound):
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
esp SAs(outbound):
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
interface name: Ethernet0
path MTU: 1500
ipsec policy name: policy1
ipsec policy sequence: 11
negotiation mode: manual
in use settings = {tunnel}
local address: 172.16.1.1
remote address: 172.16.3.1
esp SAs(outbound):
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[Router]
[Router]dis ipsec pr
proposal set name: donghao
proposal set mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption-algorithm des
proposal set name: wangjian
proposal set mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption-algorithm des
[Router]
[Router]dis ipsec statis
the security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authen is failed: 0
invalid length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
[Router]
R12配置步骤:
[R12]interface e 0
[R12-Ethernet0]ip add 172.16.3.1 255.255.255.0
[R12]interface loopback 1
[R12-LoopBack1]ip add 192.168.3.1 255.255.255.0
[R12]acl 3000
[R12-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[R12-acl-3000]rule deny ip source any dest any
[R12]ipsec proposal huawei
[R12-ipsec-proposal-huawei]encapsulation-mode tunnel
[R12-ipsec-proposal-huawei]esp-new authentication-algorithm sha1-hmac-96
[R12-ipsec-proposal-huawei]esp-new encryption-algorithm des
[R12-ipsec-proposal-huawei]transform esp-new
[R12-ipsec-proposal-huawei]qu
[R12]ipsec policy cisco 10 manual
[R12-ipsec-policy-cisco-10]proposal huawei
[R12-ipsec-policy-cisco-10] security acl 3000
[R12-ipsec-policy-cisco-10]tunnel local 172.16.3.1
[R12-ipsec-policy-cisco-10]tunnel remote 172.16.1.1
[R12]interface e 0
[R12-Ethernet0]ipsec policy cisco
[R12-ipsec-policy-cisco-10]sa inbound esp spi 54321
[R12-ipsec-policy-cisco-10]sa inbound esp string-key fedcba
[R12-ipsec-policy-cisco-10]sa outbound esp spi 12345
[R12-ipsec-policy-cisco-10]sa outbound esp string-key abcdef
[R12]ip route-static 172.16.1.0 255.255.255.0 172.16.3.2
R12配置信息:
[R12]
[R12]dis cu
Now create configuration...
Current configuration
!
version 1.74
local-user user1 service-type administrator password simple 123
sysname R12
firewall enable
aaa-enable
aaa accounting-scheme optional
!
acl 3000 match-order auto
rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal huawei
esp-new authentication-algorithm sha1-hmac-96
!
ipsec policy cisco 11 manual
security acl 3000
proposal huawei
tunnel local 172.16.3.1
tunnel remote 172.16.1.1
sa inbound esp spi 54321
sa inbound esp string-key fedcba
sa outbound esp spi 12345
sa outbound esp string-key abcdef
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 172.16.3.1 255.255.255.0
ipsec policy cisco
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
!
interface LoopBack1
ip address 192.168.3.1 255.255.255.0
!
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.3.2 preference 60
!
return
[R12]
转载于:https://blog.51cto.com/418182153/959498