1. IPSec overview

IPSec is the collective name for a family of network-security protocols developed by the IETF (Internet Engineering Task Force) that give two communicating parties access control, connectionless integrity, data-origin authentication, anti-replay protection, encryption, and the ability to classify traffic into flows and protect each flow differently. It consists of the security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), and the key-exchange protocol IKE (Internet Key Exchange). IKE is a hybrid protocol: it runs inside the ISAKMP (Internet Security Association and Key Management Protocol) framework and combines part of the Oakley key-exchange protocol with SKEME (a key-exchange technique).


2. IPSec VPN application scenarios

1. Site-to-Site (gateway to gateway): for example, an organization (the original post uses 弯曲评论 as its example) with three offices at three different points on the Internet, each fronted by a 商务领航 gateway; the gateways build IPSec VPN tunnels to one another, and traffic between the internal networks (a number of PCs at each office) travels securely through those tunnels.

2. End-to-End (PC to PC): communication between two PCs is protected by an IPSec session between the two PCs themselves, not by gateways.

3. End-to-Site (PC to gateway): communication between a remote PC and the hosts behind a gateway is protected by an IPSec session between that PC and the gateway.

  VPN is only one way of applying IPSec. IPSec is short for IP Security; its purpose is to give IP strong security properties, and a VPN is the solution that results from using those properties. IPSec is a framework built from two classes of protocols:

1. AH (Authentication Header, rarely used): provides data integrity, data-origin authentication and anti-replay protection. AH computes its integrity check value with a keyed one-way hash (HMAC), conventionally HMAC-MD5 or HMAC-SHA1.

2. ESP (Encapsulating Security Payload, widely used): provides data integrity, encryption and anti-replay protection. ESP conventionally uses DES, 3DES or AES for encryption and HMAC-MD5 or HMAC-SHA1 for integrity. The lab configuration later in this article uses DES and MD5; both are cryptographically obsolete, and a production deployment should use AES with SHA-2 (or an AEAD mode such as AES-GCM) wherever the platform supports it.

Why is AH rarely used? First, AH provides no encryption, so all data is sent in cleartext, whereas ESP encrypts. Second, AH's integrity check covers the IP header itself (that is how it authenticates the data origin), so when a NAT device rewrites the source address the AH check fails; AH therefore cannot traverse NAT. ESP's integrity check covers only the ESP header and payload, not the outer IP header, so ESP survives address rewriting (when ports are also translated it additionally needs NAT traversal, which wraps ESP in UDP). In principle IPSec can apply AH and ESP together for the most complete set of services, but that combination is very rarely deployed.
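Both AH and ESP carry a sequence number, and the receiver enforces the anti-replay service listed above with a sliding window. The Python block below is an added illustration of that receiver-side window, modelled on RFC 4303 Appendix A; it is not code from the original article or from any H3C product, and the window size, the `process` helper and the sequence numbers fed to it are constructed for the example.

```python
"""Receiver-side anti-replay window for an IPsec SA (after RFC 4303, Appendix A).

Added example; not code from the original article or from any H3C product.
Each SA keeps the highest sequence number accepted so far ('top') and a bitmap
recording which of the last WINDOW sequence numbers have already been seen.
"""

WINDOW = 64   # RFC 4303 requires at least 32; 64 is a common default


class AntiReplayWindow:
    def __init__(self, size: int = WINDOW) -> None:
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  ->  sequence number (top - i) already accepted

    def check(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it), False if the packet must be dropped.

        Drop conditions: seq 0 (the sender's counter starts at 1), seq older than the
        window's left edge, or seq already marked in the bitmap (a replay).
        """
        if seq == 0:
            return False
        if seq > self.top:
            # Slide the window right; bits shifted beyond 'size' are forgotten.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False              # too old: left of the window
        if self.bitmap & (1 << offset):
            return False              # duplicate: replayed packet
        self.bitmap |= 1 << offset    # late but unseen: accept and mark
        return True


def process(seqs: list[int], size: int = WINDOW) -> list[tuple[int, bool]]:
    """Feed sequence numbers through one SA's window; return (seq, accepted) per packet."""
    window = AntiReplayWindow(size)
    return [(s, window.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: in-order packets, a replay of 2, reordering (5 before 4),
    # a replay of 1, a jump to 100 that slides the window, then packets at both
    # edges of the new window (37 is still inside, 36 has fallen out).
    for seq, ok in process([1, 2, 3, 2, 5, 4, 1, 100, 3, 37, 36]):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
```

The window tolerates reordering inside its width but rejects anything that was already accepted or that has fallen behind the left edge, which is why a replayed capture of old ESP packets is discarded even though its ICV is valid.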

3. IPSec encapsulation modes

  Having covered the IPSec VPN scenarios and the protocols that make up IPSec, we now look at the two encapsulation modes IPSec offers: transport mode and tunnel mode.

[Figure: transport-mode encapsulation]


The figure above shows the transport-mode encapsulation; compare it with tunnel mode:

[Figure: tunnel-mode encapsulation]


The difference between transport mode and tunnel mode:

1. In transport mode the original IP header is kept in place before and after AH/ESP processing; the AH/ESP header is inserted between the IP header and the payload. It is mainly used in End-to-End scenarios.

2. In tunnel mode the whole original IP packet is protected and a new outer IP header is added after AH/ESP processing. It is mainly used in Site-to-Site scenarios.

The figures also confirm the AH/ESP differences described in the previous section. The original post next shows a figure (missing from this copy) comparing which scenarios transport mode and tunnel mode suit.


That comparison shows:

1. Tunnel mode can be used in any scenario.

2. Transport mode only fits the PC-to-PC case, where the IPSec endpoints are also the endpoints of the traffic being protected.

Tunnel mode works everywhere, but it costs an extra IP header (normally 20 bytes for IPv4) on every packet, so for PC-to-PC traffic transport mode is the better choice.
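To make the header-coverage difference concrete, the Python block below (an added example, not code from the original article or from any H3C product) builds a transport-mode AH packet and a tunnel-mode ESP packet with HMAC-SHA1-96 integrity, passes each through an ordinary router hop (TTL decrement) and through a source NAT (address rewrite), and verifies the ICV afterwards. ESP encryption is deliberately left out because the point is what the ICV covers, not confidentiality. The key, addresses and payload bytes are constructed, and `tunnel_overhead_bytes` reports the extra bytes tunnel mode adds (outer IP header plus ESP header and ICV).

```python
"""What the integrity check covers in AH versus ESP, and why only ESP survives NAT.

Added example; not code from the original article or from any H3C product.
Builds a transport-mode AH packet and a tunnel-mode ESP packet with HMAC-SHA1-96,
then verifies the ICV after a routing hop (TTL-1) and after a source NAT.
ESP encryption is omitted on purpose: the point is ICV coverage, not confidentiality.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO, AH_PROTO, UDP_PROTO = 50, 51, 17
IPV4_FMT = "!BBHHHBBH4s4s"        # minimal 20-byte IPv4 header, no options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Checksum is left 0; a real stack fills it in and AH zeroes it again before hashing.
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may legitimately change (TOS, flags/fragment offset, TTL,
    checksum), as RFC 4302 prescribes before the AH ICV is computed. Addresses stay covered."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)


def icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1-96: the 96-bit truncation IPsec uses for the 'sha1' integrity algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_transport_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x3039) -> bytes:
    """Transport mode AH: IP | AH | payload. The ICV covers the IP header's immutable fields."""
    ah_len = 12 + 12                                   # fixed AH header + 96-bit ICV
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    ah_hdr = struct.pack("!BBHII", UDP_PROTO, ah_len // 4 - 2, 0, spi, 1)
    mac = icv(key, ah_immutable_view(ip) + ah_hdr + b"\x00" * 12 + payload)
    return ip + ah_hdr + mac + payload


def ah_verify(key: bytes, pkt: bytes) -> bool:
    ip, ah_hdr, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = icv(key, ah_immutable_view(ip) + ah_hdr + b"\x00" * 12 + payload)
    return hmac.compare_digest(expected, mac)


def esp_tunnel_packet(key: bytes, src: str, dst: str, inner_pkt: bytes, spi: int = 0x3039) -> bytes:
    """Tunnel mode ESP: outer IP | ESP(SPI, seq) | inner IP packet | ICV.
    The ICV covers the ESP header and everything after it, never the outer IP header."""
    esp_hdr = struct.pack("!II", spi, 1)
    body = esp_hdr + inner_pkt
    body += icv(key, body)
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body


def esp_verify(key: bytes, pkt: bytes) -> bool:
    body = pkt[20:]
    return hmac.compare_digest(icv(key, body[:-12]), body[-12:])


def router_hop(pkt: bytes) -> bytes:
    """An ordinary forwarding hop: decrement TTL (a mutable field, so AH tolerates it)."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def source_nat(pkt: bytes, new_src: str) -> bytes:
    """What a NAT gateway does: rewrite the source address (covered by AH, not by ESP)."""
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]


def demo() -> dict:
    key = b"lab-key-not-for-production"                      # constructed
    payload = b"\x00\x35\x00\x35\x00\x10\x00\x00payload!"    # constructed UDP-shaped bytes
    inner = ipv4_header("192.168.4.10", "192.168.2.10", UDP_PROTO, len(payload)) + payload
    ah = ah_transport_packet(key, "192.168.4.10", "192.168.2.10", payload)
    esp = esp_tunnel_packet(key, "1.1.1.1", "2.2.2.1", inner)
    return {
        "ah_after_router_hop": ah_verify(key, router_hop(ah)),
        "ah_after_source_nat": ah_verify(key, source_nat(ah, "203.0.113.7")),
        "esp_after_source_nat": esp_verify(key, source_nat(esp, "203.0.113.7")),
        "tunnel_overhead_bytes": len(esp) - len(inner),   # outer IP 20 + ESP hdr 8 + ICV 12
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The AH packet still verifies after the TTL decrement because TTL is one of the mutable fields zeroed before hashing, but fails as soon as the source address changes; the ESP packet verifies after the same NAT because its ICV never covered the outer header. The 40-byte tunnel overhead reported here is the 20-byte outer header the text mentions plus the ESP header and ICV.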

5. IPsec basic concepts (H3C terminology)
   1. Data flow: in IPSec, a set of packets sharing the same source address/mask/port, destination address/mask/port and upper-layer protocol is a data flow. A data flow is normally defined by an access control list (ACL); all packets permitted by the ACL are logically treated as one data flow.
   2. Security policy: configured manually by the administrator, it specifies which security measures apply to which data flow. The data flow is described by the rules in an ACL, and the policy references that ACL to select the traffic to protect. A security policy is uniquely identified by its name together with its sequence number.
   3. Security policy group: the set of all security policies that share the same name. A policy group is applied to (or removed from) an interface as a unit, so that all of its policies take effect on that interface and different data flows receive different protection. Within a group, the policy with the smaller sequence number has the higher priority.
   4. Security Association (SA): IPSec delivers its security services through SAs. An SA carries the protocol, algorithms and keys, and determines exactly how IP packets are processed. An SA is a one-way logical connection between two IPSec systems, so inbound and outbound traffic are handled by separate inbound and outbound SAs. An SA is uniquely identified by the triple (Security Parameter Index (SPI), destination IP address, security protocol (AH or ESP)). SAs can be established either by manual configuration or by automatic negotiation. With manual configuration the administrator sets every SA parameter on both ends and then applies the security policy on an interface; the drawbacks are complex configuration and no support for advanced features such as periodic rekeying, so it suits small deployments.

   Automatic negotiation is performed and maintained by IKE: the two peers match and negotiate against their security policy databases and establish the SA without administrator involvement. It is simpler to configure and suits large deployments. IKE phase 1 negotiation comes in two forms, main mode and aggressive mode; the main difference is that aggressive mode does not protect the peers' identities. Where identity protection matters little, aggressive mode's smaller number of messages speeds up negotiation; where identity protection matters, main mode should be used. With pre-shared-key authentication there is a second reason to prefer main mode: in aggressive mode the responder's authentication hash is sent before any encryption is in place, so a passive eavesdropper can run an offline dictionary attack against the pre-shared key.

6. IPsec configuration example

Equipment

  3 PCs

  3 H3C firewalls

  1 Huawei Quidway S2600 series switch

Two tunnels

     Beijing HQ <---> Shanghai HQ

     Beijing HQ <---> Guangzhou HQ

Topology

[Figure: lab topology. FW-1 (Beijing) 1.1.1.1, LAN 192.168.4.0/24; FW-2 (Shanghai) 2.2.2.1, LAN 192.168.2.0/24; FW-3 (Guangzhou) 3.3.3.1, LAN 192.168.3.0/24; the three firewalls meet at the Quidway switch (1.1.1.2 / 2.2.2.2 / 3.3.3.3)]

The configuration is shown two ways: manually configured SAs and IKE-negotiated SAs.

Method 1: manual configuration

Quidway configuration

<Quidway>system-view

Enter system view, return to user view with Ctrl+Z.

[Quidway]vlan 10                     // create VLAN 10

[Quidway-vlan10]port e0/10

[Quidway-vlan10]int vlan10

[Quidway-Vlan-interface10]ip add 1.1.1.2 255.255.255.0

[Quidway-Vlan-interface10]vlan 20    // create VLAN 20

[Quidway-vlan20]port e0/20

[Quidway-vlan20]int vlan20

[Quidway-Vlan-interface20]ip add 2.2.2.2 255.255.255.0

[Quidway-Vlan-interface20]vlan 30     // create VLAN 30

[Quidway-vlan30]port e0/24

[Quidway-vlan30]int vlan30

[Quidway-Vlan-interface30]ip add 3.3.3.3 255.255.255.0


FW-1 configuration

<H3C>system-view     // basic configuration

[H3C]sysname FW-1

[FW-1]int eth0/0

[FW-1-Ethernet0/0]ip add 192.168.4.1 24

[FW-1-Ethernet0/0]int eth0/4

[FW-1-Ethernet0/4]ip add 1.1.1.1 24    

%Dec 29 01:32:02:319 2013 FW-1 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/4 is UP  

[FW-1-Ethernet0/4]quit

[FW-1]firewall zone untrust

[FW-1-zone-untrust]add int eth0/4

[FW-1-zone-untrust]firewall zone trust  

[FW-1-zone-trust]add int eth0/0  

The interface has been added to trust security zone.    

[FW-1-zone-trust]quit

[FW-1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

Tunnel 1: Beijing <<--->> Shanghai

[FW-1]acl number 3000 match-order auto   // ACL that defines the data flow to protect

[FW-1-acl-adv-3000]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[FW-1-acl-adv-3000]rule 20 deny ip source any destination any   // "deny" in an IPsec ACL means "do not protect", not "drop"

[FW-1-acl-adv-3000]quit

[FW-1]dis acl all     // check the ACL

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-1]ipsec proposal tran1                                   // IPsec proposal (transform set) named tran1

[FW-1-ipsec-proposal-tran1]encapsulation-mode tunnel         // tunnel mode

[FW-1-ipsec-proposal-tran1]transform esp                     // ESP as the security protocol

[FW-1-ipsec-proposal-tran1]esp authentication-algorithm md5  // integrity algorithm MD5 (lab only; obsolete, use SHA-2 in production where supported)

[FW-1-ipsec-proposal-tran1]esp encryption-algorithm des      // encryption algorithm DES (lab only; obsolete, use AES in production where supported)

[FW-1-ipsec-proposal-tran1]quit


[FW-1]ipsec policy policy1 10 manual                // policy group policy1, sequence number 10, manual keying (tedious)

[FW-1-ipsec-policy-manual-policy1-10]security acl 3000        // reference the ACL

[FW-1-ipsec-policy-manual-policy1-10]proposal tran1           // reference proposal tran1

[FW-1-ipsec-policy-manual-policy1-10]tunnel local 1.1.1.1     // local tunnel endpoint

[FW-1-ipsec-policy-manual-policy1-10]tunnel remote 2.2.2.1    // remote tunnel endpoint

[FW-1-ipsec-policy-manual-policy1-10]sa spi outbound esp 12345 // SPI of the outbound SA

[FW-1-ipsec-policy-manual-policy1-10]sa string-key outbound esp abcde // key of the outbound SA (string form)

[FW-1-ipsec-policy-manual-policy1-10]sa spi inbound esp 54321        // SPI of the inbound SA

[FW-1-ipsec-policy-manual-policy1-10]sa string-key inbound esp qazwsx   // key of the inbound SA (string form)

[FW-1-ipsec-policy-manual-policy1-10]quit

[FW-1]int eth0/4        // apply the policy group to the interface

[FW-1-Ethernet0/4]ipsec policy policy1

Resulting configuration:

ipsec policy policy1 10 manual

security acl 3000

proposal tran1                          

tunnel local 1.1.1.1                    

tunnel remote 2.2.2.1                    

sa spi inbound esp 54321                

sa string-key inbound esp qazwsx        

sa spi outbound esp 12345                

sa string-key outbound esp abcde


Tunnel 2: Beijing <<--->> Guangzhou

[FW-1]acl number 3001 match-order auto

[FW-1-acl-adv-3001]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[FW-1-acl-adv-3001]rule 20 deny ip source any destination any

[FW-1-acl-adv-3001]quit


[FW-1]ipsec proposal tran2

[FW-1-ipsec-proposal-tran2]encapsulation-mode tunnel

[FW-1-ipsec-proposal-tran2]transform esp

[FW-1-ipsec-proposal-tran2]esp authentication-algorithm md5

[FW-1-ipsec-proposal-tran2]esp encryption-algorithm des

[FW-1-ipsec-proposal-tran2]quit


[FW-1]ipsec policy policy1 20 manual

[FW-1-ipsec-policy-manual-policy1-20]security acl 3001

[FW-1-ipsec-policy-manual-policy1-20]proposal tran2

[FW-1-ipsec-policy-manual-policy1-20]tunnel local 1.1.1.1

[FW-1-ipsec-policy-manual-policy1-20]tunnel remote 3.3.3.1

[FW-1-ipsec-policy-manual-policy1-20]sa spi outbound esp 123456

[FW-1-ipsec-policy-manual-policy1-20]sa string-key outbound esp abcdef

[FW-1-ipsec-policy-manual-policy1-20]sa spi inbound esp 654321

[FW-1-ipsec-policy-manual-policy1-20]sa string-key inbound esp qazwsx1

[FW-1-ipsec-policy-manual-policy1-20]quit

Resulting configuration:

ipsec policy policy1 20 manual

security acl 3001

proposal tran2                          

tunnel local 1.1.1.1                    

tunnel remote 3.3.3.1                  

sa spi inbound esp 654321                

sa string-key inbound esp qazwsx1        

sa spi outbound esp 123456                

sa string-key outbound esp abcdef


FW-2 configuration

<H3C>system-view

[H3C]sysname FW-2

[FW-2]int eth0/0

[FW-2-Ethernet0/0]ip add 192.168.2.1 24

[FW-2-Ethernet0/0]int eth0/4

[FW-2-Ethernet0/4]ip add  2.2.2.1 24    

%Dec 29 01:42:02:319 2013 FW-2 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/4 is UP  

[FW-2-Ethernet0/4]quit

[FW-2]firewall zone untrust

[FW-2-zone-untrust]add int eth0/4

[FW-2-zone-untrust]firewall zone trust  

[FW-2-zone-trust]add int eth0/0  

The interface has been added to trust security zone.    

[FW-2-zone-trust]quit

[FW-2]ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

Tunnel 1: Shanghai <<--->> Beijing

[FW-2]acl number 3000 match-order auto

[FW-2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

[FW-2-acl-adv-3000]rule 20 deny ip source any destination any

[FW-2-acl-adv-3000]quit

[FW-2]dis acl all

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-2]ipsec proposal tran1

[FW-2-ipsec-proposal-tran1]encapsulation-mode tunnel

[FW-2-ipsec-proposal-tran1]transform esp

[FW-2-ipsec-proposal-tran1]esp authentication-algorithm md5

[FW-2-ipsec-proposal-tran1]esp encryption-algorithm des

[FW-2-ipsec-proposal-tran1]quit


[FW-2]ipsec policy policy1 10 manual

[FW-2-ipsec-policy-manual-policy1-10]security acl 3000

[FW-2-ipsec-policy-manual-policy1-10]proposal tran1

[FW-2-ipsec-policy-manual-policy1-10]tunnel local 2.2.2.1

[FW-2-ipsec-policy-manual-policy1-10]tunnel remote 1.1.1.1

[FW-2-ipsec-policy-manual-policy1-10]sa spi outbound esp 54321  // outbound SA parameters must match the peer's inbound SA

[FW-2-ipsec-policy-manual-policy1-10]sa string-key outbound esp qazwsx

[FW-2-ipsec-policy-manual-policy1-10]sa spi inbound esp 12345   // inbound SA parameters must match the peer's outbound SA

[FW-2-ipsec-policy-manual-policy1-10]sa string-key inbound esp abcde

[FW-2-ipsec-policy-manual-policy1-10]quit

[FW-2]int eth0/4

[FW-2-Ethernet0/4]ipsec policy policy1

Resulting configuration:

ipsec policy policy1 10 manual

security acl 3000

proposal tran1

tunnel local 2.2.2.1

tunnel remote 1.1.1.1

sa spi inbound esp 12345

sa string-key inbound esp abcde

sa spi outbound esp 54321                

sa string-key outbound esp qazwsx  


FW-3 configuration

<H3C>system-view

[H3C]sysname FW-3

[FW-3]int eth0/0

[FW-3-Ethernet0/0]ip add 192.168.3.1 24

[FW-3-Ethernet0/0]int eth0/4

[FW-3-Ethernet0/4]ip add  3.3.3.1 24    

%Dec 29 01:52:02:319 2013 FW-3 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/4 is UP  

[FW-3-Ethernet0/4]quit

[FW-3]firewall zone untrust

[FW-3-zone-untrust]add int eth0/4

[FW-3-zone-untrust]firewall zone trust  

[FW-3-zone-trust]add int eth0/0  

The interface has been added to trust security zone.    

[FW-3-zone-trust]quit

[FW-3]ip route-static 0.0.0.0 0.0.0.0  3.3.3.2

Tunnel 2: Guangzhou <<--->> Beijing

[FW-3]acl number 3000 match-order auto

[FW-3-acl-adv-3000]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

[FW-3-acl-adv-3000]rule 20 deny ip source any destination any

[FW-3-acl-adv-3000]quit

[FW-3]dis acl all

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-3]ipsec proposal tran2

[FW-3-ipsec-proposal-tran2]encapsulation-mode tunnel

[FW-3-ipsec-proposal-tran2]transform esp

[FW-3-ipsec-proposal-tran2]esp authentication-algorithm md5

[FW-3-ipsec-proposal-tran2]esp encryption-algorithm des

[FW-3-ipsec-proposal-tran2]quit


[FW-3]ipsec policy policy1 20 manual

[FW-3-ipsec-policy-manual-policy1-20]security acl 3000

[FW-3-ipsec-policy-manual-policy1-20]proposal tran2

[FW-3-ipsec-policy-manual-policy1-20]tunnel local 3.3.3.1

[FW-3-ipsec-policy-manual-policy1-20]tunnel remote  1.1.1.1

[FW-3-ipsec-policy-manual-policy1-20]sa spi outbound esp 654321    // must equal FW-1's inbound SPI for this tunnel

[FW-3-ipsec-policy-manual-policy1-20]sa string-key outbound esp qazwsx1

[FW-3-ipsec-policy-manual-policy1-20]sa spi inbound esp 123456     // must equal FW-1's outbound SPI for this tunnel

[FW-3-ipsec-policy-manual-policy1-20]sa string-key inbound esp abcdef

[FW-3-ipsec-policy-manual-policy1-20]quit

[FW-3]int eth0/4

[FW-3-Ethernet0/4]ipsec policy policy1

Resulting configuration:

ipsec policy policy1 20 manual

security acl 3000

proposal tran2                          

tunnel local  3.3.3.1                    

tunnel remote  1.1.1.1                    

sa spi inbound esp 123456                

sa string-key inbound esp abcdef        

sa spi outbound esp 654321                

sa string-key outbound esp qazwsx1

Test result: tunnel 1 (Beijing <<--->> Shanghai) passes traffic and tunnel 2 (Beijing <<--->> Guangzhou) passes traffic; there is no tunnel between Shanghai and Guangzhou, so those two sites cannot reach each other.
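The one hard rule of manual keying, that each side's inbound SA must be the mirror image of the peer's outbound SA, is easy to break by copy-and-paste: the FW-3 command listing in the original post carried FW-1's SPIs and keys unmirrored, which its own display output contradicts. The Python block below is an added example, not code from the article or an H3C tool. It parses the manual policy and ACL blocks of two configuration dumps and reports every mismatch, using the SA triple (SPI, destination IP, protocol) from section 5 as the identity of each SA. The configuration text is constructed from the article's listings, and `parse_config`, `check_pair` and `audit` are names chosen for the example.

```python
"""Cross-check the two ends of a manually keyed IPsec tunnel (added example, not code
from the original article or an H3C tool). It parses the 'ipsec policy ... manual' and
'acl number' blocks of two H3C-style configuration dumps and checks what the article
states: tunnel endpoints mirrored, each inbound SA equal to the peer's outbound SA
(same SPI, key and protocol, so the SA triple (SPI, destination IP, protocol) agrees),
and security ACLs that are mirror images. All configuration text is constructed."""


def parse_config(cfg: str):
    """Return ({(policy_name, seq): policy}, {acl_number: [(src_net, dst_net), ...]})."""
    policies, acls, cur, acl = {}, {}, None, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ipsec", "policy"] and t[-1] == "manual":
            cur = policies[(t[2], int(t[3]))] = {"sa": {}}
            acl = None
        elif t[:2] == ["acl", "number"]:
            acl = acls[t[2]] = []
            cur = None
        elif acl is not None and t[0] == "rule" and t[2] == "permit":
            acl.append((t[5], t[8]))                 # (source net, destination net)
        elif cur is not None:
            if t[0] == "security":
                cur["acl"] = t[2]
            elif t[0] == "proposal":
                cur["proposal"] = t[1]
            elif t[0] == "tunnel":
                cur[t[1]] = t[2]                     # 'local' / 'remote' endpoint
            elif t[:2] == ["sa", "spi"]:
                cur["sa"].setdefault(t[2], {}).update(proto=t[3], spi=int(t[4]))
            elif t[:2] == ["sa", "string-key"]:
                cur["sa"].setdefault(t[2], {})["key"] = t[4]
    return policies, acls


def sa_triple(sa: dict, dst: str) -> tuple:
    """The identity IPsec looks an SA up by: (SPI, destination IP, security protocol)."""
    return (sa.get("spi"), dst, sa.get("proto"))


def check_pair(a: dict, b: dict, acls_a: dict, acls_b: dict) -> list[str]:
    """List every way policy a (one end) and policy b (the other end) fail to match."""
    issues = []
    if (a.get("local"), a.get("remote")) != (b.get("remote"), b.get("local")):
        issues.append("tunnel local/remote addresses are not mirrored")
    # a's outbound SA is b's inbound SA (destination = a.remote = b.local), and vice versa.
    for dir_a, dst_a, dir_b, dst_b in (("outbound", a.get("remote"), "inbound", b.get("local")),
                                       ("inbound", a.get("local"), "outbound", b.get("remote"))):
        sa_a, sa_b = a["sa"].get(dir_a, {}), b["sa"].get(dir_b, {})
        if sa_triple(sa_a, dst_a) != sa_triple(sa_b, dst_b):
            issues.append(f"{dir_a} SA {sa_triple(sa_a, dst_a)} != peer {dir_b} SA {sa_triple(sa_b, dst_b)}")
        if sa_a.get("key") != sa_b.get("key"):
            issues.append(f"{dir_a} SA key differs from peer {dir_b} SA key")
    flows_a = set(acls_a.get(a.get("acl"), []))
    flows_b = {(dst, src) for src, dst in acls_b.get(b.get("acl"), [])}
    if flows_a != flows_b:
        issues.append("security ACLs are not mirror images")
    return issues


def audit(cfg_a: str, cfg_b: str, policy_a: tuple, policy_b: tuple) -> list[str]:
    pa, acls_a = parse_config(cfg_a)
    pb, acls_b = parse_config(cfg_b)
    return check_pair(pa[policy_a], pb[policy_b], acls_a, acls_b)


# Constructed from the article's FW-1 tunnel-2 listing.
FW1 = """
acl number 3001 match-order auto
rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec policy policy1 20 manual
security acl 3001
proposal tran2
tunnel local 1.1.1.1
tunnel remote 3.3.3.1
sa spi inbound esp 654321
sa string-key inbound esp qazwsx1
sa spi outbound esp 123456
sa string-key outbound esp abcdef
"""
FW3_HEAD = """
acl number 3000 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
ipsec policy policy1 20 manual
security acl 3000
proposal tran2
tunnel local 3.3.3.1
tunnel remote 1.1.1.1
"""
# FW-3 as the original post's command listing typed it: FW-1's SPIs/keys copied, not mirrored.
FW3_AS_TYPED = FW3_HEAD + "sa spi outbound esp 123456\nsa string-key outbound esp abcdef\n" \
                          "sa spi inbound esp 654321\nsa string-key inbound esp qazwsx1\n"
# FW-3 as its own display output shows it, which is what the tunnel needs.
FW3_MIRRORED = FW3_HEAD + "sa spi inbound esp 123456\nsa string-key inbound esp abcdef\n" \
                          "sa spi outbound esp 654321\nsa string-key outbound esp qazwsx1\n"

if __name__ == "__main__":
    for label, cfg in (("as typed", FW3_AS_TYPED), ("mirrored", FW3_MIRRORED)):
        print(label + ":", audit(FW1, cfg, ("policy1", 20), ("policy1", 20)) or "consistent")
```

Run against the mirrored FW-3 the audit returns no findings; against the listing as typed it reports both SAs as mismatched on SPI and on key, which is exactly the case where the tunnel comes up on neither side. The same check can be pointed at any pair of manual policies pulled from `display current-configuration` before the interface is brought up.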


Method 2: IKE negotiation

Quidway configuration: the same as in Method 1 (VLAN 10/20/30 with interface addresses 1.1.1.2, 2.2.2.2 and 3.3.3.3).


FW-1 configuration: interface addresses, security zones and the default route are the same as in Method 1; only the IPsec part differs and is shown below.


Tunnel 1: Beijing <<--->> Shanghai

[FW-1]acl number 3000 match-order auto

[FW-1-acl-adv-3000]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[FW-1-acl-adv-3000]rule 20 deny ip source any destination any

[FW-1-acl-adv-3000]quit

[FW-1]dis acl all

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-1]ipsec proposal tran1

[FW-1-ipsec-proposal-tran1]encapsulation-mode tunnel

[FW-1-ipsec-proposal-tran1]transform esp

[FW-1-ipsec-proposal-tran1]esp authentication-algorithm md5

[FW-1-ipsec-proposal-tran1]esp encryption-algorithm des

[FW-1-ipsec-proposal-tran1]quit


[FW-1]ike peer FW-2   // IKE peer

[FW-1-ike-peer-fw-2]local-address 1.1.1.1

[FW-1-ike-peer-fw-2]remote-address 2.2.2.1

[FW-1-ike-peer-fw-2]pre-shared-key 123456  // pre-shared key for negotiation (lab value; use a long random secret in production, and note that "dis ike peer" below prints it in cleartext)

[FW-1-ike-peer-fw-2]quit

[FW-1]dis ike peer

--------------------------

IKE Peer: fw-2

  exchange mode: main on phase 1

  pre-shared-key: 123456

  peer id type: ip

  peer ip address: 2.2.2.1

  local ip address: 1.1.1.1

  peer name:  

  nat traversal: disable

  dpd:

---------------------------

[FW-1]ipsec policy policy1 10 isakmp         // SAs negotiated automatically by IKE

[FW-1-ipsec-policy-isakmp-policy1-10]security acl 3000

[FW-1-ipsec-policy-isakmp-policy1-10]proposal tran1

[FW-1-ipsec-policy-isakmp-policy1-10]ike-peer fw-2

[FW-1-ipsec-policy-isakmp-policy1-10]quit

[FW-1]dis ipsec proposal

 IPsec proposal name: tran1

   encapsulation mode: tunnel

   transform: esp-new

   ESP protocol: authentication md5-hmac-96, encryption des

[FW-1]dis ipsec policy  

===========================================

IPsec Policy Group: "policy1"

Using interface: {}

===========================================

 -----------------------------

 IPsec policy name: "policy1"

 sequence number: 10

 mode: isakmp

 -----------------------------

   security data flow : 3000

   selector mode: standard

   ike-peer name:  fw-2

   perfect forward secrecy: None

   proposal name:  tran1

   IPsec sa local duration(time based): 3600 seconds

   IPsec sa local duration(traffic based): 1843200 kilobytes

[FW-1]int eth0/4

[FW-1-Ethernet0/4]ipsec policy policy1

Tunnel 2: Beijing <<--->> Guangzhou

[FW-1]acl number 3001 match-order auto

[FW-1-acl-adv-3001]rule 10 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[FW-1-acl-adv-3001]rule 20 deny ip source any destination any

[FW-1-acl-adv-3001]quit


[FW-1]ipsec proposal tran2

[FW-1-ipsec-proposal-tran2]encapsulation-mode tunnel

[FW-1-ipsec-proposal-tran2]transform esp

[FW-1-ipsec-proposal-tran2]esp authentication-algorithm md5

[FW-1-ipsec-proposal-tran2]esp encryption-algorithm des

[FW-1-ipsec-proposal-tran2]quit


[FW-1]ike peer FW-3

[FW-1-ike-peer-fw-3]local-address 1.1.1.1

[FW-1-ike-peer-fw-3]remote-address 3.3.3.1

[FW-1-ike-peer-fw-3]pre-shared-key 123456

[FW-1-ike-peer-fw-3]quit


[FW-1]ipsec policy policy1 20 isakmp

[FW-1-ipsec-policy-isakmp-policy1-20]security acl 3001

[FW-1-ipsec-policy-isakmp-policy1-20]proposal tran2    // the proposal defined for this tunnel (tran1 and tran2 are identical in this lab, so either would negotiate)

[FW-1-ipsec-policy-isakmp-policy1-20]ike-peer fw-3

[FW-1-ipsec-policy-isakmp-policy1-20]quit


FW-2 configuration: interface addresses, security zones and the default route are the same as in Method 1.


[FW-2]acl number 3000 match-order auto

[FW-2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

[FW-2-acl-adv-3000]rule 20 deny ip source any destination any

[FW-2-acl-adv-3000]quit

[FW-2]dis acl all

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-2]ipsec proposal tran1

[FW-2-ipsec-proposal-tran1]encapsulation-mode tunnel

[FW-2-ipsec-proposal-tran1]transform esp

[FW-2-ipsec-proposal-tran1]esp authentication-algorithm md5

[FW-2-ipsec-proposal-tran1]esp encryption-algorithm des

[FW-2-ipsec-proposal-tran1]quit


[FW-2]ike peer FW-1

[FW-2-ike-peer-fw-1]local-address 2.2.2.1

[FW-2-ike-peer-fw-1]remote-address 1.1.1.1

[FW-2-ike-peer-fw-1]pre-shared-key 123456

[FW-2-ike-peer-fw-1]quit

[FW-2]dis ike peer

---------------------------

IKE Peer: fw-1

  exchange mode: main on phase 1

  pre-shared-key: 123456

  peer id type: ip

  peer ip address: 1.1.1.1

  local ip address: 2.2.2.1

  peer name:  

  nat traversal: disable

  dpd:

---------------------------

[FW-2]ipsec policy policy1 10 isakmp

[FW-2-ipsec-policy-isakmp-policy1-10]security acl 3000

[FW-2-ipsec-policy-isakmp-policy1-10]proposal tran1

[FW-2-ipsec-policy-isakmp-policy1-10]ike-peer fw-1

[FW-2-ipsec-policy-isakmp-policy1-10]quit

[FW-2]dis ipsec policy

===========================================

IPsec Policy Group: "policy1"

Using interface: {}

===========================================

 -----------------------------

 IPsec policy name: "policy1"

 sequence number: 10

 mode: isakmp

 -----------------------------

   security data flow : 3000

   selector mode: standard

   ike-peer name:  fw-1

   perfect forward secrecy: None

   proposal name:  tran1

   IPsec sa local duration(time based): 3600 seconds

   IPsec sa local duration(traffic based): 1843200 kilobytes

[FW-2]int eth0/4

[FW-2-Ethernet0/4]ipsec policy policy1


FW-3 configuration: interface addresses, security zones and the default route are the same as in Method 1.

Tunnel 2: Guangzhou <<--->> Beijing

[FW-3]acl number 3000 match-order auto

[FW-3-acl-adv-3000]rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

[FW-3-acl-adv-3000]rule 20 deny ip source any destination any

[FW-3-acl-adv-3000]quit

[FW-3]dis acl all

Total ACL Number: 1

Advanced ACL  3000, 2 rules, match-order is auto

Acl's step is 1

rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 (0 times matched)

rule 20 deny ip (0 times matched)


[FW-3]ipsec proposal tran2

[FW-3-ipsec-proposal-tran2]encapsulation-mode tunnel

[FW-3-ipsec-proposal-tran2]transform esp

[FW-3-ipsec-proposal-tran2]esp authentication-algorithm md5

[FW-3-ipsec-proposal-tran2]esp encryption-algorithm des

[FW-3-ipsec-proposal-tran2]quit


[FW-3]ike peer FW-1

[FW-3-ike-peer-fw-1]local-address 3.3.3.1

[FW-3-ike-peer-fw-1]remote-address 1.1.1.1

[FW-3-ike-peer-fw-1]pre-shared-key 123456

[FW-3-ike-peer-fw-1]quit

[FW-3]ipsec policy policy1 20 isakmp

[FW-3-ipsec-policy-isakmp-policy1-20]security acl 3000

[FW-3-ipsec-policy-isakmp-policy1-20]proposal tran2

[FW-3-ipsec-policy-isakmp-policy1-20]ike-peer fw-1

[FW-3-ipsec-policy-isakmp-policy1-20]quit


[FW-3]int eth0/4

[FW-3-Ethernet0/4]ipsec policy policy1

Test result: tunnel 1 (Beijing <<--->> Shanghai) passes traffic and tunnel 2 (Beijing <<--->> Guangzhou) passes traffic; there is no tunnel between Shanghai and Guangzhou, so those two sites cannot reach each other.