目标
- 配置 IPsec+预共享密钥的IKE 野蛮模式
步骤一、配置各接口IP地址
步骤二、配置默认路由
[RTB]ip route-static 0.0.0.0 0 2.2.2.2
步骤三:配置公网连接
在 SWA 上配置 DHCP Server。设置 RTA 从 SWA 动态获得 IP 地址和默认路由。
[SWA]dhcp enable
[SWA]dhcp server ip-pool 1
[SWA-dhcp-pool-1]network 1.1.1.0 mask 255.255.255.0
[SWA-dhcp-pool-1]gateway-list 1.1.1.2
[SWA-dhcp-pool-1]quit
[RTA]interface GigabitEthernet0/0
[RTA-GigabitEthernet0/1] ip address dhcp-alloc
步骤四:配置 IKE proposal
[RTA]ike proposal 1
//配置IKE安全提议
[RTA-ike-proposal-1]authentication-method pre-share
//配置IKE安全提议的认证方式
[RTA-ike-proposal-1]authentication-algorithm md5
//配置IKE的认证算法建议
[RTA-ike-proposal-1]encryption-algorithm 3des-cbc
//配置IKE安全提议的加密算法
[RTA-ike-proposal-1]quit
[RTB]ike proposal 1
//配置IKE安全提议
[RTB-ike-proposal-1]authentication-method pre-share
//配置IKE安全提议的认证方式
[RTB-ike-proposal-1]authentication-algorithm md5
//配置IKE的认证算法建议
[RTB-ike-proposal-1]encryption-algorithm 3des-cbc
//配置IKE安全提议的加密算法
[RTB-ike-proposal-1]quit
步骤五:配置 IKE 身份信息
[RTA]ike identity fqdn rta
//使用FQDN作为标识
[RTB]ike identity fqdn rtb
//使用FQDN作为标识
步骤六:配置 IKE keychain
[RTA]ike keychain keychain1
[RTA-ike-keychain-keychain1]pre-shared-key address 2.2.2.1 255.255.255.0 keysimple h3c
//配置与对等体使用的预共享密钥
[RTA-ike-keychain-keychain1]quit
[RTB]ike keychain keychain1
[RTB-ike-keychain-keychain1]pre-shared-key hostname rta 255.255.255.0 key simple h3c
//通过主机名指定对等体
[RTB-ike-keychain-keychain1]quit
步骤七:配置 IKE profile
配置 IKE profile,并设置 IKE 第一阶段协商模式为野蛮模式:
[RTA]ike profile profile1
//创建安全提议,并进入提议试图
[RTA-ike-profile-profile1]exchange-mode aggressive
//修改协商模式为野蛮模式
[RTA-ike-profile-profile1]match remote identity fqdn rtb
//配置对等体的策略匹配信息
[RTA-ike-profile-profile1]keychain keychain1
//指定要使用的密钥链
[RTA-ike-profile-profile1]proposal 1
//配置IKE安全策略的IKE安全提议
[RTA-ike-profile-profile1]quit
[RTB]ike profile profile1
[RTB-ike-profile-profile1]exchange-mode aggressive
//修改协商模式为野蛮模式
[RTB-ike-profile-profile1]match remote identity fqdn rta
//匹配对端标识信息
[RTB-ike-profile-profile1]keychain keychain1
//指定要使用的密钥链
[RTB-ike-profile-profile1]proposal 1
//配置IKE安全策略的IKE安全提议
[RTB-ike-profile-profile1]quit
步骤八:配置安全 ACL
安全 ACL 应匹配 192.168.1.0/24 网段与 192.168.2.0/24 网段之间的数据流。
[RTA]acl advanced 3000
[RTA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination
192.168.2.0 0.0.0.255
[RTA-acl-ipv4-adv-3001]quit
[RTB]acl advanced 3000
[RTB-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination
192.168.1.0 0.0.0.255
[RTB-acl-ipv4-adv-3000]quit
步骤九:配置 IPsec 安全提议
[RTA]ipsec transform-set tran1
[RTA-ipsec-proposal-prop1]esp authentication-algorithm sha1
//指定ESP认证算法为sha1
[RTA-ipsec-proposal-prop1]esp encryption-algorithm aes-cbc-128
//指定ESP加密算法
[RTA-ipsec-transform-set-tran1]quit
[RTB]ipsec transform-set tran1
[RTB-ipsec-transform-set-tran1]esp authentication-algorithm sha1
//指定ESP认证算法为sha1
[RTB-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
//指定ESP加密算法
[RTB-ipsec-transform-set-tran1]quit
步骤十:配置并应用 IPsec 安全策略
配置 IPsec 安全策略,并将其应用于通往对方的物理接口上:
[RTA]ipsec policy policy1 1 isakmp
//指定IPsec隧道对端IP地址
[RTA-ipsec-policy-isakmp-policy1-1]remote-address 2.2.2.1
//指定IPsec隧道对端IP地址
[RTA-ipsec-policy-isakmp-policy1-1]security acl 3000
//配置流量保护参数
[RTA-ipsec-policy-isakmp-policy1-1]transform-set tran1
//指定IPsec转换集
[RTA-ipsec-policy-isakmp-policy1-1]ike-profile profile1
//配置IKE (Internet Key Exchange)安全策略
[RTA-ipsec-policy-isakmp-policy1-1]quit
[RTA]interface GigabitEthernet 0/0
[RTA-GigabitEthernet0/0]ipsec apply policy policy1
//在接口上应用安全策略
[RTA-GigabitEthernet0/0]quit
RTB 作为响应方,无法获取对端的 IP 地址,需要配置成模板形式。
[RTB]ipsec policy-template templete1 1
[RTB-ipsec-policy-template-templete1-1]security acl 3000
[RTB-ipsec-policy-template-templete1-1]transform-set tran1
[RTB-ipsec-policy-template-templete1-1]ike-profile proflie1
[RTB]ipsec policy policy1 1 isakmp template templete1
[RTB]interface GigabitEthernet 0/0
[RTB-GigabitEthernet0/0]ipsec apply policy policy1
[RTB-GigabitEthernet0/0]quit
步骤十一:检验配置
在 RTA 和 RTB 上用 display 命令检查配置参数:
[RTA]display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 PRE-SHARED-KEY MD5 3DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[RTA]display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet0/0
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Traffic Flow Confidentiality: Disabled
Security data flow: 3000
Selector mode: standard
Local address:
Remote address: 2.2.2.1
Remote address switchback mode: Disabled
Transform set: tran1
IKE profile: profile1
IKEv2 profile:
smart-link policy:
SA trigger mode: Traffic-based
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): --
SA soft-duration buffer(traffic based): --
SA idle time: --
SA df-bit:
[RTB]display ipsec policy-template
-------------------------------------------
IPsec Policy Template: templete1
-------------------------------------------
-----------------------------
Sequence number: 1
-----------------------------
Traffic Flow Confidentiality: Disabled
Security data flow : 3000
Selector mode: standard
Local address:
IKE profile: profile1
IKEv2 profile:
Remote address:
Transform set: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA idle time: --
SA df-bit:
在 RTA 与 RTB 上查看 IPsec/IKE 相关信息:
[RTA]display ike sa verbose
-----------------------------------------------
Connection ID: 4
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
Initiator cookie: b3bcaddf7a4212a5
Responder cookie: b3c52817b752a0fb
-----------------------------------------------
Local IP/port: 1.1.1.1/500
Local ID type: FQDN
Local ID: rta
Remote IP/port: 2.2.2.1/500
Remote ID type: FQDN
Remote ID: rtb
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 83201
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
看到 IKE 的协商模式是野蛮模式(Aggressive)
[RTB]display ike sa verbose
-----------------------------------------------
Connection ID: 4
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Responder
Initiator cookie: b3bcaddf7a4212a5
Responder cookie: b3c52817b752a0fb
-----------------------------------------------
Local IP/port: 2.2.2.1/500
Local ID type: FQDN
Local ID: rtb
Remote IP/port: 1.1.1.1/500
Remote ID type: FQDN
Remote ID: rta
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 83178
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
步骤十二:检验隧道工作状况
从 PCA 检测与 PCB 的连通性:
<H3C>ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 192.168.2.2: icmp_seq=1 ttl=253 time=3.000 ms
56 bytes from 192.168.2.2: icmp_seq=2 ttl=253 time=1.000 ms
56 bytes from 192.168.2.2: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 192.168.2.2: icmp_seq=4 ttl=253 time=1.000 ms
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.750/3.000/0.829 ms
<H3C>%Oct 19 14:35:39:639 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.750/3.000/0.829 ms.
可见除第一个 ICMP Echo Request 包被报告超时之外,其他的都成功收到 Echo Reply 包。
这是因为第一个包触发了 IKE 协商,在 IPsec SA 成功建立之前,这个包无法得到 IPsec 服务,
只能被丢弃。而 IPsec SA 很快就成功建立了,后续的包也就可以顺利到达目的
扫一扫
4335
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
