1. Introduction to the IPsec protocol

IPsec (Internet Protocol Security) is the collective name for a suite of security protocols developed by the IETF. It provides the two communicating parties with access control, data integrity, origin authentication, anti-replay protection, data encryption and traffic-flow confidentiality. IPsec operates at layer 3, the network layer.

2. IPsec operating modes

Tunnel mode: the user's entire IP packet is used to compute the AH or ESP header; the AH or ESP header together with the ESP-encrypted user data is then encapsulated in a new IP packet. Tunnel mode is typically used for communication between two security gateways.

Transport mode: only the transport-layer data is used to compute the AH or ESP header; the AH or ESP header and the ESP-encrypted user data are placed directly after the original IP header. Transport mode is typically used for communication between two hosts, or between a host and a security gateway.

[image]

3. IPsec configuration

Create the encryption access control list
Define the security proposal
Select the encryption and authentication algorithms
Create the security policy
Apply the security policy group on the interface

The following case illustrates the procedure in detail:

Lab topology:

[image: lab topology]

The Internet segment is represented by a firewall (F4).

Configuration steps

On the firewall, only the IP addresses of the interfaces need to be configured.

[F4]int et0/1
[F4-Ethernet0/1]ip add 192.168.4.2 24 
[F4-Ethernet0/1]
%Aug  9 09:38:38:232 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/1 is UP 

[F4-Ethernet0/1]
[F4-Ethernet0/1]int et0/2          
[F4-Ethernet0/2]ip add 192.168.5.2 24
[F4-Ethernet0/2]int et0/3           
[F4-Ethernet0/3]ip add 192.168.6.2 24
[F4-Ethernet0/3]
%Aug  9 09:39:16:841 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/3 is UP 

R9

[R9]int e1
[R9-Ethernet1]ip add 192.168.1.1 24
[R9-Ethernet1]int e0
[R9-Ethernet0]ip add 192.168.4.1 24
[R9-Ethernet0]
%01:12:14: Line protocol ip on the interface Ethernet0 is UP
[R9-Ethernet0]quit
[R9]
[R9]
[R9]acl 3000
[R9-acl-3000]rule permit ip source ?
  X.X.X.X  IP address of source host
  any      Any source host
[R9-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.2.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R9-acl-3000]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules          ---------------- configure the access control list
[R9-acl-3000]quit
[R9]acl 3001
[R9-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.3.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R9-acl-3001]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules
[R9-acl-3001]quit
[R9]ipsec proposal tran1
[R9-ipsec-proposal-tran1]encaps?                  ---------------- define the security proposal
    encapsulation-mode

[R9-ipsec-proposal-tran1]encaps tunnel ?
  <cr>
[R9-ipsec-proposal-tran1]encaps tunnel            ---------------- define the data encapsulation mode
[R9-ipsec-proposal-tran1]transform esp
[R9-ipsec-proposal-tran1]esp encry ?
    3des                Specify using triple DES
    blowfish            Specify using blowfish
    cast                Specify using cast
    des                 Specify using DES
    skipjack            Specify using skipjack

[R9-ipsec-proposal-tran1]esp encry des            ---------------- data encryption algorithm
[R9-ipsec-proposal-tran1]esp authent ?
    md5-hmac-96   Specify using HMAC-MD5 algorithm
    sha1-hmac-96  Specify using HMAC-SHA1 algorithm

[R9-ipsec-proposal-tran1]esp authent sha          ---------------- data authentication algorithm
[R9-ipsec-proposal-tran1]quit
[R9]ipsec policy policy 10 isakmp
[R9-ipsec-policy-policy-10]proposal tran1
[R9-ipsec-policy-policy-10]security acl 3000
[R9-ipsec-policy-policy-10]tunnel remote 192.168.5.1 
[R9-ipsec-policy-policy-10]quit                   ---------------- reference the ACL in the security policy
[R9]ipsec policy policy1 20 isakmp
[R9-ipsec-policy-policy1-20]security acl 3001          
[R9-ipsec-policy-policy1-20]tunnel remote 192.168.6.1
[R9-ipsec-policy-policy1-20]quit
[R9]ip route 0.0.0.0 0 192.168.4.2
[R9]int e0
[R9-Ethernet0]ipsec policy policy1                ---------------- apply the policy to the interface
[R9-Ethernet0]quit
[R9]ike pre?
    pre-shared-key

[R9]ike pre abcde remote 192.168.5.1
[R9]ike pre abcdef remote 192.168.6.1

The following routers' configuration *** correspond to R9's.

R6

[R6]int e1
[R6-Ethernet1]ip add 192.168.2.1 24
[R6-Ethernet1]int e0
[R6-Ethernet0]ip add 192.168.5.1 24

[R6]acl 3000
[R6-acl-3000]rule permit ip sour 192.168.2.0 0.0.0.255 des 192.168.1.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R6-acl-3000]rule deny ip sour any des any
  Rule has been added to normal packet-filtering rules
[R6-acl-3000]quit
[R6]ipsec proposal tran1
[R6-ipsec-proposal-tran1]encap tunne
[R6-ipsec-proposal-tran1]tran esp
[R6-ipsec-proposal-tran1]esp enry des

[R6-ipsec-proposal-tran1]esp auth sha
[R6-ipsec-proposal-tran1]quit
[R6]ipsec policy policy1 10 isakmp
[R6-ipsec-policy-policy1-10]secur ?
    acl       specify the security traffic by access-list

[R6-ipsec-policy-policy1-10]secur acl 3000
[R6-ipsec-policy-policy1-10]proposal tran1

[R6-ipsec-policy-policy1-10]tunnel remote ?
  X.X.X.X    remote host ip address.
[R6-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[R6-ipsec-policy-policy1-10]quit

[R6]int e0
[R6-Ethernet0]ipsec policy policy1
[R6-Ethernet0]uit
  Incorrect command

[R6-Ethernet0]quit
[R6]ike pre abcde remote 192.168.4.1 -----------   the IKE negotiation parameters must match R9's

R16

[r16]int e0
[r16-Ethernet0]ip add 192.168.6.1 24
[r16-Ethernet0]
%01:23:30: Line protocol ip on the interface Ethernet0 is UP
[r16-Ethernet0]int e1
[r16-Ethernet1]ip add 192.168.3.1 24
[r16-Ethernet1]quit
[r16]ip route 0.0.0.0 0 192.168.6.2
[r16]acl 3000
[r16-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 des 192.168.1.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[r16-acl-3000]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules
[r16-acl-3000]quit
[r16]ipsec proposal tran1
[r16-ipsec-proposal-tran1]enca ?
    transport   Specify only the payload(data) of the IP packet is protected
    tunnel      Specify the entire IP packet is protected

[r16-ipsec-proposal-tran1]enca tunnel
[r16-ipsec-proposal-tran1]esp encry ?
    3des                Specify using triple DES
    blowfish            Specify using blowfish
    cast                Specify using cast
    des                 Specify using DES
    skipjack            Specify using skipjack

[r16-ipsec-proposal-tran1]esp encry des
[r16-ipsec-proposal-tran1]esp aut ?
    md5-hmac-96   Specify using HMAC-MD5 algorithm
    sha1-hmac-96  Specify using HMAC-SHA1 algorithm

[r16-ipsec-proposal-tran1]esp aut sha
[r16-ipsec-proposal-tran1]quit
[r16]ipsec policy ?
  STRING<1-15>  ipsec policy name.
[r16]ipsec policy policy1 10 ?
  <cr>      if this ipsec policy has been created
  isakmp    indicaties that IKE will be used to establish the IPSec SA
  manual    indicaties that IKE will NOT be used to establish the IPSec SA
[r16]ipsec policy policy1 10 isakmp
[r16-ipsec-policy-policy1-10]security 3000
  Incorrect command

[r16-ipsec-policy-policy1-10]secu?       
    security

[r16-ipsec-policy-policy1-10]security ?
    acl       specify the security traffic by access-list

[r16-ipsec-policy-policy1-10]security acl 3000 ?
  <cr>
[r16-ipsec-policy-policy1-10]security acl 3000
[r16-ipsec-policy-policy1-10]proposal tran1
[r16-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[r16-ipsec-policy-policy1-10]quit
[r16]int e0
[r16-Ethernet0]ipsec policy policy1
[r16-Ethernet0]quit
[r16]ike pre abcdef remote 192.168.4.1 ---------   the IKE settings must match R9's
[r16]
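As an added check that is not part of the original post, the following Python script cross-checks a pair of peers for the mismatches this lab keeps warning about: the tunnel remote must be the other side's address, the ACLs must be mirror images, the proposal and IKE pre-shared key must be identical, and the policy group holding the tunnel entry must be the one bound to the interface. The Peer structure is this script's own assumption; the values are transcribed from the R9 and R6 sessions above, where R9's entry for 192.168.5.1 sits in group "policy" while Ethernet0 binds policy1, which the check reports together with the legacy DES choice.

```python
from dataclasses import dataclass

# Legacy algorithms to flag; DES and HMAC-MD5 should not be used in new deployments.
WEAK = {"encryption": {"des"}, "auth": {"md5-hmac-96"}}

@dataclass
class Peer:
    name: str
    wan_ip: str          # address of the interface the policy group is bound to
    applied_policy: str  # policy group bound on that interface with 'ipsec policy'
    policy: str          # policy group whose entry holds this tunnel
    acl: tuple           # (source, destination) networks of the ACL permit rule
    proposal: dict       # encapsulation, transform, encryption and auth of the proposal
    tunnel_remote: str   # 'tunnel remote' address in the policy entry
    psk: str             # 'ike pre-shared-key' configured for that remote

def check_pair(a, b):
    """Return a list of findings for the tunnel between a and b; [] means consistent."""
    out = []
    for me, peer in ((a, b), (b, a)):
        if me.tunnel_remote != peer.wan_ip:
            out.append(f"{me.name}: tunnel remote {me.tunnel_remote} is not "
                       f"{peer.name}'s address {peer.wan_ip}")
        if me.policy != me.applied_policy:
            out.append(f"{me.name}: policy '{me.policy}' is not the group bound "
                       f"to the interface ('{me.applied_policy}')")
        for kind, bad in WEAK.items():
            if me.proposal.get(kind) in bad:
                out.append(f"{me.name}: legacy {kind} algorithm {me.proposal[kind]}")
    if a.acl != (b.acl[1], b.acl[0]):   # each side must protect the reverse flow
        out.append(f"ACLs are not mirror images: {a.acl} vs {b.acl}")
    if a.psk != b.psk:
        out.append("IKE pre-shared keys differ")
    if a.proposal != b.proposal:
        out.append(f"proposals differ: {a.proposal} vs {b.proposal}")
    return out

# Values transcribed from the R9 and R6 sessions above (proposal tran1 on both).
TRAN1 = {"encapsulation": "tunnel", "transform": "esp",
         "encryption": "des", "auth": "sha1-hmac-96"}
R9 = Peer("R9", "192.168.4.1", "policy1", "policy",
          ("192.168.1.0/24", "192.168.2.0/24"), TRAN1, "192.168.5.1", "abcde")
R6 = Peer("R6", "192.168.5.1", "policy1", "policy1",
          ("192.168.2.0/24", "192.168.1.0/24"), TRAN1, "192.168.4.1", "abcde")

if __name__ == "__main__":
    for finding in check_pair(R9, R6):
        print("-", finding)
```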

 

Lab verification results

[images: verification screenshots]