ipsec ip替换_两端内网IP地址段相同通过静态地址转换实现IPSEC互联互通

最新推荐文章于 2024-12-17 17:51:03 发布

原创最新推荐文章于 2024-12-17 17:51:03 发布 · 1.9k 阅读

4 ·

CC 4.0 BY-SA版权

文章标签：

#ipsec ip替换

博客详细介绍了两个分支路由器的配置步骤，包括网络互通配置、静态地址转换、IPSEC感兴趣流的ACL配置、IPSEC VPN配置等，还展示了测试信息，如ping信息、IPSEC信息和NAT信息，最终实现了两个分支间192.168.1.1主机的互访。

1.分支1路由器配置步骤：

#网络互通配置省略，loopback 0~n模拟内网主机

interface LoopBack1

ip address 192.168.1.1 255.255.255.255

interface LoopBack2

ip address 192.168.1.2 255.255.255.255

interface LoopBack3

ip address 192.168.1.3 255.255.255.255

#配置静态地址转换，先把内网地址转换成10.10.1.0/24网段

nat static outbound net-to-net 192.168.1.1 192.168.1.10 global 10.10.1.0 255.255.255.0

interface GigabitEthernet0/0

ip address 10.10.12.1 255.255.255.0

nat static enable

#配置IPSEC感兴趣流的ACL，匹配转换后的地址10.10.1.0/24访问对端转换后的地址10.10.2.0/24

acl advanced 3000

rule 0 permit ip source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255

#配置IPSEC VPN部分，详细说明略。

ike keychain 1

pre-shared-key address 10.10.23.1 255.255.255.255 key simple 123456

ike proposal 1

encryption-algorithm 3des-cbc

authentication-algorithm md5

ike profile 1

keychain 1

match remote identity address 10.10.23.1 255.255.255.255

proposal 1

ipsec transform-set 1

esp encryption-algorithm 3des-cbc

esp authentication-algorithm md5esp

ipsec policy map 1 isakmp

transform-set 1

security acl 3000

local-address 10.10.12.1

remote-address 10.10.23.1

ike-profile 1

#端口下发IPSEC策略

interface GigabitEthernet0/0

ipsec apply policy map

2.分支2路由器配置步骤：

#网络互通配置省略，loopback 0~n模拟内网主机

interface LoopBack1

ip address 192.168.1.1 255.255.255.255

interface LoopBack2

ip address 192.168.1.2 255.255.255.255

interface LoopBack3

ip address 192.168.1.3 255.255.255.255

#配置静态地址转换，先把内网地址转换成10.10.2.0/24网段

nat static outbound net-to-net 192.168.1.1 192.168.1.10 global 10.10.2.0 255.255.255.0

interface GigabitEthernet0/1

ip address 10.10.23.1 255.255.255.0

nat static enable

#配置IPSEC感兴趣流的ACL，匹配转换后的地址10.10.1.0/24访问对端转换后的地址10.10.2.0/24

acl advanced 3000

rule 0 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255

#配置IPSEC VPN部分，详细说明略。

ike keychain 1

pre-shared-key address 10.10.12.1 255.255.255.255 key simple 123456

ike proposal 1

encryption-algorithm 3des-cbc

authentication-algorithm md5

ike profile 1

keychain 1

match remote identity address 10.10.12.1 255.255.255.255

proposal 1

ipsec transform-set 1

esp encryption-algorithm 3des-cbc

esp authentication-algorithm md5esp

ipsec policy map 1 isakmp

transform-set 1

security acl 3000

local-address 10.10.23.1

remote-address 10.10.12.1

ike-profile 1

#端口下发IPSEC策略

interface GigabitEthernet0/1

ipsec apply policy map

3.测试：

#分支1的ping 信息如下：

ping -a 192.168.1.1 10.10.2.1

Ping 10.10.2.1 (10.10.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break

Request time out

56 bytes from 10.10.2.1: icmp_seq=1 ttl=255 time=5.049 ms

56 bytes from 10.10.2.1: icmp_seq=2 ttl=255 time=3.938 ms

56 bytes from 10.10.2.1: icmp_seq=3 ttl=255 time=2.831 ms

56 bytes from 10.10.2.1: icmp_seq=4 ttl=255 time=3.825 ms

#分支1的IPSEC信息如下(分支2略)：

dis ike sa

Connection-ID Remote Flag DOI

------------------------------------------------------------------

2 10.10.23.1 RD IPsec

Flags:

RD--READY RL--REPLACED FD-FADING

dis ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

-----------------------------

IPsec policy: map

Sequence number: 1

Mode: ISAKMP

-----------------------------

Tunnel id: 0

Encapsulation mode: tunnel

Perfect forward secrecy:

Path MTU: 1443

Tunnel:

local address: 10.10.12.1

remote address: 10.10.23.1

Flow:

sour addr: 10.10.1.0/255.255.255.0 port: 0 protocol: ip

dest addr: 10.10.2.0/255.255.255.0 port: 0 protocol: ip

[Inbound ESP SAs]

SPI: 4065022879 (0xf24b539f)

Connection ID: 12884901889

Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

SA duration (kilobytes/sec): 1843200/3600

SA remaining duration (kilobytes/sec): 1843199/3371

Max received sequence-number: 4

Anti-replay check enable: Y

Anti-replay window size: 64

UDP encapsulation used for NAT traversal: N

Status: Active

[Outbound ESP SAs]

SPI: 1506215480 (0x59c70638)

Connection ID: 12884901888

Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

SA duration (kilobytes/sec): 1843200/3600

SA remaining duration (kilobytes/sec): 1843199/3371

Max sent sequence-number: 4

UDP encapsulation used for NAT traversal: N

Status: Active

#分支1的NAT 信息如下：

*Oct 23 01:16:11:924 2015 H3C NAT/7/COMMON:

PACKET: (GigabitEthernet0/0-out) Protocol: ICMP

192.168.1.1: 0 - 10.10.2.1: 0(VPN: 0) ------>

10.10.1.1: 0 - 10.10.2.1: 0(VPN: 0)

*Oct 23 01:16:11:928 2015 H3C NAT/7/COMMON:

PACKET: (GigabitEthernet0/0-in) Protocol: ICMP

10.10.2.1: 0 - 10.10.1.1: 0(VPN: 0) ------>

10.10.2.1: 0 - 192.168.1.1: 0(VPN: 0)

#对应分支2的NAT信息如下：

*Oct 23 01:16:12:509 2015 H3C NAT/7/COMMON:

PACKET: (GigabitEthernet0/1-in) Protocol: ICMP

10.10.1.1: 0 - 10.10.2.1: 0(VPN: 0) ------>

10.10.1.1: 0 - 192.168.1.1: 0(VPN: 0)

*Oct 23 01:16:12:510 2015 H3C NAT/7/COMMON:

PACKET: (GigabitEthernet0/1-out) Protocol: ICMP

192.168.1.1: 0 - 10.10.1.1: 0(VPN: 0) ------>

10.10.2.1: 0 - 10.10.1.1: 0(VPN: 0)

从以上信息可以看出，通过静态地址转换实现了两个分支间192.168.1.1两个主机之间的互访。