IPSec
This post is mainly about configuration. I feel that writing up IPSec properly would take quite a while, and since I'm in a hurry to find a job I'll review the configuration first. I hope to have the chance later to write a post that fully explains the specifics of IPSec: security associations, IKE authentication and so on.
IPSec configuration breaks down into a few main steps.
OK, since this is about configuration, I set up a very simple topology: just two routers on the same subnet.
Configuration steps
1. Routing (directly connected here, so omitted)
2. Create an ACL that defines the interesting traffic
```
[R6]acl 3000
[R6-acl-adv-3000]rule 5 permit ip source 67.1.1.0 0.0.0.255 destination 67.1.1.0 0.0.0.255
```
3. Configure the IKE proposal and peer
```
[R6]ike proposal 1 //create an IKE proposal
[R6-ike-proposal-1]authentication-method pre-share //IKE authentication method: pre-shared key
[R6-ike-proposal-1]authentication-algorithm sha1 //IKE authentication algorithm: sha1
[R6-ike-proposal-1]encryption-algorithm aes-cbc-128 //IKE encryption algorithm: aes-cbc-128
[R6-ike-proposal-1]dh group2 //DH group for the IKE key exchange
[R6-ike-proposal-1]q
[R6]ike peer R7 v2 //create an IKE peer named R7
[R6-ike-peer-R7]pre-shared-key cipher huawei //pre-shared key
[R6-ike-peer-R7]remote-address 67.1.1.7 //peer IP address
[R6-ike-peer-R7]ike-proposal 1 //bind the IKE proposal
[R6-ike-peer-R7]q
```
4. Configure the IPSec proposal
```
[R6]ipsec proposal test //create an IPSec proposal
[R6-ipsec-proposal-test]encapsulation-mode tunnel //encapsulation mode
[R6-ipsec-proposal-test]esp encryption-algorithm aes-128 //ESP encryption algorithm
[R6-ipsec-proposal-test]esp authentication-algorithm sha1 //ESP authentication algorithm
```
5. Create the security policy, named map
```
[R6]ipsec policy map 1 isakmp
[R6-ipsec-policy-isakmp-map-1]ike-peer R7 //bind the IKE peer
[R6-ipsec-policy-isakmp-map-1]proposal test //bind the IPSec proposal
[R6-ipsec-policy-isakmp-map-1]security acl 3000 //bind the interesting-traffic ACL
[R6-ipsec-policy-isakmp-map-1]q
```
6. Apply the security policy to the interface
```
[R6]int g 0/0/0
[R6-GigabitEthernet0/0/0]ipsec policy map
```
Result:
The transmitted data is encrypted.
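The most common reason a tunnel like this never comes up is a parameter mismatch between the two ends, so here is an added Python check (not code from the original post) that parses both running configs and verifies that the IKE and IPSec proposals are identical, that each `remote-address` is the other router's interface address, and that `ipsec policy map` is bound on both sides. The config excerpts are constructed from the R6/R7 configs in this post; `vrp_excerpt`, `parse_sections`, `section`, `field` and `check_pair` are names chosen for this example.

```python
import re

# Constructed VRP excerpts modelled on the R6/R7 running configs in this post;
# only the sections the consistency check reads are included.
def vrp_excerpt(local_ip, peer, peer_ip, dh="group2"):
    return (f"ipsec proposal test\n esp authentication-algorithm sha1\n"
            f" esp encryption-algorithm aes-128\n#\n"
            f"ike proposal 1\n encryption-algorithm aes-cbc-128\n dh {dh}\n#\n"
            f"ike peer {peer} v2\n ike-proposal 1\n remote-address {peer_ip}\n#\n"
            f"interface GigabitEthernet0/0/0\n ip address {local_ip} 255.255.255.0\n"
            f" ipsec policy map\n")

R6 = vrp_excerpt("67.1.1.6", "R7", "67.1.1.7")
R7 = vrp_excerpt("67.1.1.7", "R6", "67.1.1.6")

def parse_sections(cfg):
    """Split a VRP config into {header: [indented lines]}; a '#' line ends a block."""
    sections, header = {}, None
    for line in cfg.splitlines():
        if line == "#" or not line.strip():
            header = None
        elif line.startswith(" ") and header is not None:
            sections[header].append(line.strip())
        else:
            header = line.strip()
            sections[header] = []
    return sections

def section(sections, prefix):  # first block whose header starts with prefix
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def field(sections, prefix, key):  # value following key inside that block
    m = re.search(key + r" (\S+)", " ".join(section(sections, prefix)))
    return m.group(1) if m else None

def check_pair(cfg_a, cfg_b):
    """Return findings for two peer configs; an empty list means they are consistent."""
    a, b, findings = parse_sections(cfg_a), parse_sections(cfg_b), []
    # Phase 1 (IKE) and phase 2 (IPSec) proposals must be identical on both ends.
    for prefix in ("ike proposal", "ipsec proposal"):
        if sorted(section(a, prefix)) != sorted(section(b, prefix)):
            findings.append(f"{prefix} differs between peers")
    # Each side's remote-address must be the other side's interface address.
    for x, y in ((a, b), (b, a)):
        if field(x, "ike peer", "remote-address") != field(y, "interface", "ip address"):
            findings.append("remote-address does not match the peer's interface")
    # The policy only takes effect once it is bound to the interface on both ends.
    for s in (a, b):
        if "ipsec policy map" not in section(s, "interface"):
            findings.append("ipsec policy map is not applied on the interface")
    return findings
```

`check_pair(R6, R7)` returns an empty list for the matching excerpts, while a copy of R7 built with `dh="group14"` reports the proposal mismatch. The same parser is a natural place to also flag legacy choices such as `dh group2` (1024-bit MODP) and `sha1`.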
Configuration:
R6:
```bash
[V200R003C00]
#
sysname R6
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 67.1.1.0 0.0.0.255 destination 67.1.1.0 0.0.0.255
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
#
ike peer R7 v2
pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
ike-proposal 1
remote-address 67.1.1.7
#
ipsec policy map 1 isakmp
security acl 3000
ike-peer R7
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 67.1.1.6 255.255.255.0
ipsec policy map
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```
R7:
```bash
[V200R003C00]
#
sysname R7
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 67.1.1.0 0.0.0.255 destination 67.1.1.0 0.0.0.255
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
#
ike peer R6 v2
pre-shared-key cipher %$%$}H"z!S,^u*;l(AQmOU4+,.2n%$%$
ike-proposal 1
remote-address 67.1.1.6
#
ipsec policy map 1 isakmp
security acl 3000
ike-peer R6
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 67.1.1.7 255.255.255.0
ipsec policy map
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```