Lab topology diagram (figure)
| Lab platform | ENSP510 |
|---|---|
| Lab devices | 3 × AR2220, 2 × PC |
Lab objective
Use an IPSec tunnel to protect the data traffic exchanged between the two private networks.
Configuration commands
// Configure static routes
[AR1]ip route-static 202.138.162.0 24 202.138.163.2
[AR1]ip route-static 10.1.2.0 24 202.138.162.1
[AR3]ip route-static 202.138.163.0 24 202.138.162.2
[AR3]ip route-static 10.1.1.0 24 202.138.163.1
// Configure the ACLs that define the traffic flows to be protected
[AR1]acl number 3101
[AR1-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[AR3]acl number 3101
[AR3-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
// Create the IPSec proposals
[AR1]ipsec proposal tran1
[AR1-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[AR1-ipsec-proposal-tran1]quit
[AR3]ipsec proposal tran1
[AR3-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[AR3-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[AR3-ipsec-proposal-tran1]quit
Display the configuration (screenshot)
// Create the security policies (manual mode: each peer's outbound SPI and key must equal the other peer's inbound SPI and key)
[AR1]ipsec policy map1 10 manual
[AR1-ipsec-policy-manual-map1-10]security acl 3101
[AR1-ipsec-policy-manual-map1-10]proposal tran1
[AR1-ipsec-policy-manual-map1-10]tunnel remote 202.138.162.1
[AR1-ipsec-policy-manual-map1-10]tunnel local 202.138.163.1
[AR1-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[AR1-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[AR1-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei
[AR1-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei
[AR1-ipsec-policy-manual-map1-10]quit
[AR3]ipsec policy use1 10 manual
[AR3-ipsec-policy-manual-use1-10]security acl 3101
[AR3-ipsec-policy-manual-use1-10]proposal tran1
[AR3-ipsec-policy-manual-use1-10]tunnel remote 202.138.163.1
[AR3-ipsec-policy-manual-use1-10]tunnel local 202.138.162.1
[AR3-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[AR3-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[AR3-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[AR3-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[AR3-ipsec-policy-manual-use1-10]quit
View the security policy configuration (screenshot)
// Apply the security policy on the interface
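The most common reason a manual IPSec tunnel like this one fails to pass traffic is a mismatch between the two peers: the SPIs, keys and tunnel addresses must mirror each other (AR1 outbound = AR3 inbound, and vice versa). The following Python check is an added example, not part of the lab; it parses the two policy views exactly as pasted above (the `[AR1-ipsec-policy-...]` prompts are stripped) and reports any value that does not mirror.

```python
import re

# Constructed sample input: the two manual-policy views copied from the lab above.
AR1_POLICY = """\
[AR1-ipsec-policy-manual-map1-10]security acl 3101
[AR1-ipsec-policy-manual-map1-10]proposal tran1
[AR1-ipsec-policy-manual-map1-10]tunnel remote 202.138.162.1
[AR1-ipsec-policy-manual-map1-10]tunnel local 202.138.163.1
[AR1-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[AR1-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[AR1-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei
[AR1-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei
"""
AR3_POLICY = """\
[AR3-ipsec-policy-manual-use1-10]security acl 3101
[AR3-ipsec-policy-manual-use1-10]proposal tran1
[AR3-ipsec-policy-manual-use1-10]tunnel remote 202.138.163.1
[AR3-ipsec-policy-manual-use1-10]tunnel local 202.138.162.1
[AR3-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[AR3-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[AR3-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[AR3-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
"""

PROMPT = re.compile(r"^\[[^\]]*\]")  # strips the "[AR1-ipsec-policy-...]" view prompt

def parse_manual_policy(text):
    """Extract tunnel endpoints, SPIs, keys and proposal from a manual IPSec policy view."""
    cfg = {}
    for raw in text.splitlines():
        parts = PROMPT.sub("", raw).split()
        if not parts:
            continue
        if parts[:2] == ["tunnel", "remote"]:
            cfg["remote"] = parts[2]
        elif parts[:2] == ["tunnel", "local"]:
            cfg["local"] = parts[2]
        elif parts[:2] == ["sa", "spi"]:          # sa spi <direction> esp <spi>
            cfg["spi_" + parts[2]] = int(parts[4])
        elif parts[:2] == ["sa", "string-key"]:   # sa string-key <direction> esp cipher <key>
            cfg["key_" + parts[2]] = parts[5]
        elif parts[0] == "proposal":
            cfg["proposal"] = parts[1]
    return cfg

def check_peers(a, b):
    """Return mismatch descriptions between peer A and peer B; [] means the SAs mirror correctly."""
    expected = [("local", "remote"), ("remote", "local"),
                ("spi_outbound", "spi_inbound"), ("spi_inbound", "spi_outbound"),
                ("key_outbound", "key_inbound"), ("key_inbound", "key_outbound"),
                ("proposal", "proposal")]
    return [f"{ka}={a.get(ka)} on A does not match {kb}={b.get(kb)} on B"
            for ka, kb in expected if a.get(ka) != b.get(kb)]

if __name__ == "__main__":
    print(check_peers(parse_manual_policy(AR1_POLICY), parse_manual_policy(AR3_POLICY)))  # []
```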
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ipsec policy map1
[AR1-GigabitEthernet0/0/1]quit
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]ipsec policy use1
[AR3-GigabitEthernet0/0/1]quit
View the configuration result (screenshot)
Test
Ping PC2 from PC1
Wireshark capture on AR1's G0/0/1 interface (screenshot)