IKE Main Mode for IPsec with Pre-Shared Keys


Objective

  • Configure IPsec with pre-shared-key IKE main mode

Step 1: Configure the IP address of each interface

Step 2: Build the public-network environment

[RTA]ospf 1

[RTA-ospf-1]area 0.0.0.0

[RTA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255

[RTA-ospf-1-area-0.0.0.0]quit

[RTA-ospf-1]quit

[SWA]ospf 1

[SWA-ospf-1]area 0.0.0.0

[SWA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255

[SWA-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255

[SWA-ospf-1-area-0.0.0.0]quit

[SWA-ospf-1]quit

[RTB]ospf 1

[RTB-ospf-1]area 0.0.0.0

[RTB-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255

[RTB-ospf-1-area-0.0.0.0]quit

[RTB-ospf-1]quit

Note: do not add the addresses of the router-to-PC interconnect interfaces to OSPF, so that SWA holds only public-network routes.

Configure static routes for the private networks on RTA and RTB

[RTA]ip route-static 192.168.2.0 255.255.255.0 1.1.1.2

[RTB]ip route-static 192.168.1.0 255.255.255.0 2.2.2.2

Check whether PCA and PCB can reach each other

<PCA>ping 192.168.2.2

Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break

Request time out

Request time out

Request time out

Request time out

Request time out

--- Ping statistics for 192.168.2.2 ---

5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

<H3C>%Oct 18 15:29:21:839 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

Note: at this point SWA has no private-network routes, so the two ends cannot communicate.

Step 3: Configure the IKE proposal (main mode is the default)

[RTA]ike proposal 1

// Create the IKE proposal and enter proposal view

[RTA-ike-proposal-1]authentication-method pre-share

// Configure the authentication method of the IKE proposal

[RTA-ike-proposal-1]authentication-algorithm md5

// Configure the authentication algorithm of the IKE proposal

[RTA-ike-proposal-1]encryption-algorithm 3des-cbc

// Configure the encryption algorithm of the IKE proposal

[RTA-ike-proposal-1]quit

[RTB]ike proposal 1

[RTB-ike-proposal-1]authentication-method pre-share

[RTB-ike-proposal-1]authentication-algorithm md5

[RTB-ike-proposal-1]encryption-algorithm 3des-cbc

[RTB-ike-proposal-1]quit

Step 4: Configure the IKE keychain

[RTA]ike keychain keychain1

[RTA-ike-keychain-keychain1]pre-shared-key address 2.2.2.1 255.255.255.252 key simple h3c

// Configure the pre-shared key used with the peer

[RTB]ike keychain keychain1

[RTB-ike-keychain-keychain1]pre-shared-key address 1.1.1.1 255.255.255.252 key simple h3c

// Configure the pre-shared key used with the peer

Step 5: Configure the IKE profile

[RTA]ike profile profile1

[RTA-ike-profile-profile1]local-identity address 1.1.1.1

// Specify the local identity

[RTA-ike-profile-profile1]match remote identity address 2.2.2.1 30

// Match the remote identity

[RTA-ike-profile-profile1]keychain keychain1

// Specify the keychain to use

[RTA-ike-profile-profile1]proposal 1

// Specify the IKE proposal used by this IKE profile

[RTA-ike-profile-profile1]quit

[RTB]ike profile profile1

[RTB-ike-profile-profile1]local-identity address 2.2.2.1

// Specify the local identity

[RTB-ike-profile-profile1]match remote identity address 1.1.1.1 30

// Match the remote identity

[RTB-ike-profile-profile1]keychain keychain1

// Specify the keychain to use

[RTB-ike-profile-profile1]proposal 1

// Specify the IKE proposal used by this IKE profile

[RTB-ike-profile-profile1]quit

Step 6: Configure the security ACL

[RTA]acl advanced 3000

[RTA-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[RTA-acl-ipv4-adv-3000]quit

[RTB]acl advanced 3000

[RTB-acl-ipv4-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[RTB-acl-ipv4-adv-3000]quit

Step 7: Configure the IPsec security proposal (transform set)

[RTA]ipsec transform-set tran1

[RTA-ipsec-transform-set-tran1]esp authentication-algorithm sha1

// Set the ESP authentication algorithm to SHA1

[RTA-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128

// Set the ESP encryption algorithm

[RTA-ipsec-transform-set-tran1]quit

[RTB]ipsec transform-set tran1

[RTB-ipsec-transform-set-tran1]esp authentication-algorithm sha1

// Set the ESP authentication algorithm to SHA1

[RTB-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128

// Set the ESP encryption algorithm

[RTB-ipsec-transform-set-tran1]quit

Step 8: Configure and apply the IPsec policy

[RTA]ipsec policy policy1 1 isakmp

[RTA-ipsec-policy-isakmp-policy1-1]remote-address 2.2.2.1

// Specify the IP address of the remote end of the IPsec tunnel

[RTA-ipsec-policy-isakmp-policy1-1]security acl 3000

// Specify the traffic to be protected (by ACL)

[RTA-ipsec-policy-isakmp-policy1-1]transform-set tran1

// Specify the IPsec transform set

[RTA-ipsec-policy-isakmp-policy1-1]ike-profile profile1

// Specify the IKE (Internet Key Exchange) security policy, i.e. the IKE profile

[RTA-ipsec-policy-isakmp-policy1-1]quit

[RTA]int GigabitEthernet 0/0

[RTA-GigabitEthernet0/0]ipsec apply policy policy1

// Apply the IPsec policy on the interface

[RTA-GigabitEthernet0/0]quit

[RTB]ipsec policy policy1 1 isakmp

[RTB-ipsec-policy-isakmp-policy1-1]remote-address 1.1.1.1

[RTB-ipsec-policy-isakmp-policy1-1]security acl 3000

[RTB-ipsec-policy-isakmp-policy1-1]transform-set tran1

[RTB-ipsec-policy-isakmp-policy1-1]ike-profile profile1

[RTB-ipsec-policy-isakmp-policy1-1]quit

[RTB]int GigabitEthernet 0/0

[RTB-GigabitEthernet0/0]ipsec apply policy policy1

[RTB-GigabitEthernet0/0]quit

Step 9: Verify the configuration

Check the configuration parameters on RTA

[RTA]display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

 1        PRE-SHARED-KEY     MD5        3DES-CBC    Group 1        86400

 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400

[RTA]display ipsec transform-set

IPsec transform set: tran1

  State: complete

  Encapsulation mode: tunnel

  ESN: Disabled

  PFS:

  Transform: ESP

  ESP protocol:

    Integrity: SHA1

    Encryption: AES-CBC-128

[RTA]display ipsec policy

-------------------------------------------

IPsec Policy: policy1

Interface: GigabitEthernet0/0

-------------------------------------------

  -----------------------------

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

  Traffic Flow Confidentiality: Disabled

  Security data flow: 3000

  Selector mode: standard

  Local address:

  Remote address: 2.2.2.1

  Remote address switchback mode: Disabled

  Transform set:  tran1

  IKE profile: profile1

  IKEv2 profile:

  smart-link policy:

  SA trigger mode: Traffic-based

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): --

  SA soft-duration buffer(traffic based): --

  SA idle time: --

  SA df-bit:

[RTA]display ike sa

    Connection-ID   Local               Remote              Flag      DOI

-------------------------------------------------------------------------

    3               1.1.1.1             2.2.2.1             RD        IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

[RTA]display ike sa verbose

   -----------------------------------------------

   Connection ID: 3

   Outside VPN:

   Inside VPN:

   Profile: profile1

   Transmitting entity: Initiator

   Initiator cookie: 2efe58a340b427fa

   Responder cookie: 7c9936703ae0cf8e

   -----------------------------------------------

   Local IP/port: 1.1.1.1/500

   Local ID type: IPV4_ADDR

   Local ID: 1.1.1.1

   Remote IP/port: 2.2.2.1/500

   Remote ID type: IPV4_ADDR

   Remote ID: 2.2.2.1

   Authentication-method: PRE-SHARED-KEY

   Authentication-algorithm: MD5

   Encryption-algorithm: 3DES-CBC

   Life duration(sec): 86400

   Remaining key duration(sec): 86249

   Exchange-mode: Main

   Diffie-Hellman group: Group 1

   NAT traversal: Not detected

   Extend authentication: Disabled

   Assigned IP address:

   Vendor ID index:0xffffffff

   Vendor ID sequence number:0x0
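The verbose output above shows which phase-1 parameters the peers actually agreed on, and the ones this lab uses (MD5 integrity, 3DES-CBC encryption, DH group 1) are below what a current baseline would accept. As an added example that is not part of the original post, here is a small Python checker that parses that `display ike sa verbose` text and reports such findings; the sample text is constructed from the output above, and the baseline thresholds are an assumption to adjust to your own policy.

```python
import re

# Constructed sample modelled on the "display ike sa verbose" output above;
# it is not a capture from the lab devices.
SAMPLE = """\
   Connection ID: 3
   Profile: profile1
   Local IP/port: 1.1.1.1/500
   Remote IP/port: 2.2.2.1/500
   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: MD5
   Encryption-algorithm: 3DES-CBC
   Life duration(sec): 86400
   Exchange-mode: Main
   Diffie-Hellman group: Group 1
"""

# Assumed baseline for IKEv1 phase 1; tighten or loosen to match your own policy.
WEAK_AUTH = {"MD5"}
WEAK_ENC = {"DES-CBC", "3DES-CBC"}
MIN_DH_GROUP = 14  # 2048-bit MODP; Group 1 (768-bit) and Group 2 (1024-bit) fall below it


def parse_ike_sa_verbose(text):
    """Turn the 'Key: value' lines of the verbose output into a dict."""
    sa = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            sa[m.group(1).strip()] = m.group(2).strip()
    return sa


def audit_ike_sa(sa):
    """Return a list of findings; an empty list means the SA meets the baseline."""
    findings = []
    auth = sa.get("Authentication-algorithm", "").upper()
    enc = sa.get("Encryption-algorithm", "").upper()
    if auth in WEAK_AUTH:
        findings.append("weak integrity algorithm: " + auth)
    if enc in WEAK_ENC:
        findings.append("weak encryption algorithm: " + enc)
    m = re.search(r"(\d+)", sa.get("Diffie-Hellman group", ""))
    if not m or int(m.group(1)) < MIN_DH_GROUP:
        findings.append("DH group below %d: %s" % (MIN_DH_GROUP, sa.get("Diffie-Hellman group", "?")))
    # With a pre-shared key, main mode protects the identities; aggressive mode does not.
    if sa.get("Authentication-method") == "PRE-SHARED-KEY" and sa.get("Exchange-mode", "").lower() != "main":
        findings.append("pre-shared key without main mode: " + sa.get("Exchange-mode", "?"))
    return findings
```

Run `audit_ike_sa(parse_ike_sa_verbose(SAMPLE))` against the sample to get three findings (MD5, 3DES-CBC, Group 1); the same parser works on the real output because the field names are identical.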

[RTA]display ipsec sa

-------------------------------

Interface: GigabitEthernet0/0

-------------------------------

  -----------------------------

  IPsec policy: policy1

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1428

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.1

    Flow:

        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 1127444029 (0x43336e3d)

      Connection ID: 21474836481

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3495

      Max received sequence-number: 4

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 4064298561 (0xf2404641)

      Connection ID: 21474836480

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3495

      Max sent sequence-number: 4

      UDP encapsulation used for NAT traversal: N

      Status: Active

Test connectivity between PCA and PCB again

[H3C]ping 192.168.2.2

Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break

Request time out

56 bytes from 192.168.2.2: icmp_seq=1 ttl=253 time=2.000 ms

56 bytes from 192.168.2.2: icmp_seq=2 ttl=253 time=3.000 ms

56 bytes from 192.168.2.2: icmp_seq=3 ttl=253 time=2.000 ms

56 bytes from 192.168.2.2: icmp_seq=4 ttl=253 time=6.000 ms

--- Ping statistics for 192.168.2.2 ---

5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss

round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms

[H3C]%Oct 19 10:03:33:629 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms.

As can be seen, every ICMP Echo Request except the first received an Echo Reply. The first packet triggered the IKE negotiation; until the IPsec SA is established that packet cannot be given IPsec protection and is dropped. The IPsec SA comes up quickly, so the subsequent packets reach their destination normally.
