IPsec tunnel configuration lab (IKE dynamic negotiation)

Lab objective:

Establish an IPsec tunnel using IKE dynamic negotiation

Network requirements:

R1 is the branch office egress router and R2 is the headquarters egress router; headquarters and the branch communicate over the public network.

The enterprise wants to protect the traffic exchanged between the headquarters subnet and the branch subnet. Because the two sites communicate over the public network, an IPsec tunnel can be established between the headquarters egress gateway and the branch egress gateway to provide that protection.

Configuration:

*****************R1 branch office********************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-office-Other
[R1-office-Other]int gi 0/0/0
[R1-office-Other-GigabitEthernet0/0/0]ip addr 1.1.1.1 24
[R1-office-Other-GigabitEthernet0/0/0]q
[R1-office-Other]int gi0/0/1
[R1-office-Other-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[R1-office-Other-GigabitEthernet0/0/1]q
[R1-office-Other]acl 3101                     //configure the ACL that selects the traffic to protect
[R1-office-Other-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-office-Other-acl-adv-3101]q
[R1-office-Other]ipsec proposal tran1          //configure the IPsec proposal
[R1-office-Other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-office-Other-ipsec-proposal-tran1]q
[R1-office-Other]ike proposal 1            //configure the IKE proposal
[R1-office-Other-ike-proposal-1]encryption-algorithm aes-cbc-128
[R1-office-Other-ike-proposal-1]dh group14
[R1-office-Other-ike-proposal-1]authentication-algorithm sha 2        //the SHA-2 hash algorithm does not seem to be supported for the IKE proposal here, so SHA-1 is used instead
                                                             ^
Error:Too many parameters found at '^' position.
[R1-office-Other-ike-proposal-1]authentication-algorithm sha1
[R1-office-Other-ike-proposal-1]q
[R1-office-Other]ike local-name huawei01
[R1-office-Other]ike peer spub v1                     //the IKE peer and protocol-version configuration differs between software versions: before V200R008 the command is ike peer peer-name [v1/v2]; in V200R008 and later it is ike peer peer-name followed by version [1/2]. By default both IKEv1 and IKEv2 are enabled: the device uses IKEv2 when it initiates negotiation and accepts both IKEv1 and IKEv2 when it responds. If the device must use IKEv1, run undo version 2
[R1-office-Other-ike-peer-spub]exchange-mode aggressive
[R1-office-Other-ike-peer-spub]pre-shared-key cipher huawei                           //configure pre-shared-key authentication
[R1-office-Other-ike-peer-spub]ike-proposal 1
[R1-office-Other-ike-peer-spub]local-id-type name            //configure the local ID type used in IKE negotiation. In V200R008 and later, the name parameter was renamed fqdn
[R1-office-Other-ike-peer-spub]remote-name huawei02   //configure the peer's IKE name. In V200R008 and later the device does not support the remote-name command; its function is equivalent to remote-id
[R1-office-Other-ike-peer-spub]local-address 1.1.1.1
[R1-office-Other-ike-peer-spub]remote-address 2.1.1.1
[R1-office-Other-ike-peer-spub]q
[R1-office-Other]ipsec policy map1 10 isakmp        //configure the IPsec policy
[R1-office-Other-ipsec-policy-isakmp-map1-10]security acl 3101
[R1-office-Other-ipsec-policy-isakmp-map1-10]ike-peer spub
[R1-office-Other-ipsec-policy-isakmp-map1-10]proposal tran1
[R1-office-Other-ipsec-policy-isakmp-map1-10]q
[R1-office-Other]ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
[R1-office-Other]ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
[R1-office-Other]q
[R1-office-Other]int gi 0/0/0
[R1-office-Other-GigabitEthernet0/0/0]ipsec policy map1
[R1-office-Other-GigabitEthernet0/0/0]

 

*************R2 headquarters***********

<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-office-head
[R2-office-head]
[R2-office-head]int gi 0/0/0
[R2-office-head-GigabitEthernet0/0/0]ip addr 2.1.1.1 24
[R2-office-head-GigabitEthernet0/0/0]int gi 0/0/1
[R2-office-head-GigabitEthernet0/0/1]ip addr 10.1.2.1 24
[R2-office-head-GigabitEthernet0/0/1]q
[R2-office-head]acl 3101
[R2-office-head-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-head-acl-adv-3101]q
[R2-office-head]ipsec proposal tran1
[R2-office-head-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-head-ipsec-proposal-tran1]q
[R2-office-head]ike proposal 1
[R2-office-head-ike-proposal-1]authentication-algorithm sha2-256
                                                        ^
Error: Unrecognized command found at '^' position.
[R2-office-head-ike-proposal-1]authentication-algorithm sha1
[R2-office-head-ike-proposal-1]encryption-algorithm aes-cbc-128
[R2-office-head-ike-proposal-1]dh group14
[R2-office-head-ike-proposal-1]q
[R2-office-head]ike local-name huawei02
[R2-office-head]ike peer spua v1
[R2-office-head-ike-peer-spua]exchange-mode aggressive
[R2-office-head-ike-peer-spua]pre-shared-key cipher huawei
[R2-office-head-ike-peer-spua]ike-proposal 1
[R2-office-head-ike-peer-spua]local-id-type name
[R2-office-head-ike-peer-spua]remote-name huawei01
[R2-office-head-ike-peer-spua]local-address 2.1.1.1
[R2-office-head-ike-peer-spua]remote-address 1.1.1.1
[R2-office-head-ike-peer-spua]q
[R2-office-head]ipsec policy use1 10 isakmp
[R2-office-head-ipsec-policy-isakmp-use1-10]security acl 3101
[R2-office-head-ipsec-policy-isakmp-use1-10]ike-peer spua
[R2-office-head-ipsec-policy-isakmp-use1-10]proposal tran1
[R2-office-head-ipsec-policy-isakmp-use1-10]q
[R2-office-head]ip route-static 10.1.1.0 24 2.1.1.2
[R2-office-head]ip route-static 1.1.1.0 24 2.1.1.2
[R2-office-head]int gi 0/0/0
[R2-office-head-GigabitEthernet0/0/0]ipsec policy use1
[R2-office-head-GigabitEthernet0/0/0]q
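An added consistency check (example code written for this page, not Huawei software or the lab author's own): it parses the commands each peer was given and reports anything that would stop IKE phase 1 or the IPsec SAs from negotiating, namely a proposal or pre-shared key that differs, addresses or IKE names that are not mirrored, or security ACLs that are not mirror images. The R1/R2 strings are constructed excerpts of the commands above with shortened prompts.

```python
import re
# Constructed excerpts of the lab's R1 and R2 commands (prompts shortened; not a device dump).
R1 = """[R1-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-ike-proposal-1]encryption-algorithm aes-cbc-128
[R1-ike-proposal-1]authentication-algorithm sha1
[R1]ike local-name huawei01
[R1-ike-peer-spub]pre-shared-key cipher huawei
[R1-ike-peer-spub]remote-name huawei02
[R1-ike-peer-spub]local-address 1.1.1.1
[R1-ike-peer-spub]remote-address 2.1.1.1"""
R2 = """[R2-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-ike-proposal-1]encryption-algorithm aes-cbc-128
[R2-ike-proposal-1]authentication-algorithm sha1
[R2]ike local-name huawei02
[R2-ike-peer-spua]pre-shared-key cipher huawei
[R2-ike-peer-spua]remote-name huawei01
[R2-ike-peer-spua]local-address 2.1.1.1
[R2-ike-peer-spua]remote-address 1.1.1.1"""

# Fields that must match (proposal, PSK) or mirror (addresses, names, ACL) between peers.
FIELDS = {
    "acl": r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)",
    "enc": r"encryption-algorithm (\S+)",
    "auth": r"authentication-algorithm (\S+)",
    "local_name": r"ike local-name (\S+)",
    "psk": r"pre-shared-key cipher (\S+)",
    "remote_name": r"remote-name (\S+)",
    "local_addr": r"local-address (\S+)",
    "remote_addr": r"remote-address (\S+)",
}

def parse(cfg):
    """Strip the [view] prompt from each line and collect the fields above."""
    out = {}
    for line in cfg.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]", "", line).strip()
        for name, pat in FIELDS.items():
            if m := re.fullmatch(pat, cmd):
                out[name] = m.groups() if name == "acl" else m.group(1)
    return out

def mismatches(a, b):
    """Return the reasons two peers' IKE/IPsec settings would fail to negotiate."""
    problems = [f"{k} differs" for k in ("enc", "auth", "psk") if a.get(k) != b.get(k)]
    for mine, theirs in (("local_addr", "remote_addr"), ("local_name", "remote_name")):
        if a.get(mine) != b.get(theirs) or b.get(mine) != a.get(theirs):
            problems.append(f"{mine}/{theirs} not mirrored")
    sa, sb = a.get("acl", ()), b.get("acl", ())
    if not (len(sa) == len(sb) == 4 and sa[:2] == sb[2:] and sa[2:] == sb[:2]):
        problems.append("security ACLs are not mirror images")
    return problems
```

`mismatches(parse(R1), parse(R2))` returns an empty list for the lab configuration; paste a real `display current-configuration` excerpt from each router in place of the constructed strings to check a live pair.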

 

Verification:

Key concepts:

1. IKE

IKE is a hybrid protocol made up of the Internet Security Association and Key Management Protocol (ISAKMP) and two key exchange protocols. It is used to establish the encryption keys used in a VPN.

2. Configuring an IKE VPN

IKE automatic negotiation is relatively simple: only the IKE negotiation security policy needs to be configured, and IKE then creates and maintains the security associations automatically. This method suits medium and large dynamic networks. SA establishment proceeds in two phases:

Phase 1 negotiates and authenticates a communication channel (the ISAKMP SA), which provides confidentiality and data-origin authentication for the parties' further IKE communication;

Phase 2 uses the established ISAKMP SA to set up the IPsec SAs.

3. Security Association (SA)

IPsec provides secure communication between two endpoints, which are called IPsec ISAKMP gateways. The SA is the foundation of IPsec and also its essence.

An SA is an agreement between communicating peers on certain elements, such as which protocol to use, the protocol's operating mode, the encryption algorithm (DES, 3DES, AES-128, AES-192, AES-256), the shared keys that protect data in a particular flow, and the SA lifetime.

SAs are unidirectional; bidirectional communication between two peers therefore needs at least two SAs, one protecting each direction of traffic.

SAs can be established in two ways: manually (Manual) or by IKE automatic negotiation (ISAKMP).

4. IPsec operating modes

(1) Tunnel mode: the user's entire IP packet is used to compute the AH or ESP header, and the AH/ESP header together with the ESP-encrypted user data is encapsulated in a new IP packet. Tunnel mode is normally used for communication between two gateway devices.

(2) Transport mode: only the transport-layer data is used to compute the AH or ESP header, and the AH/ESP header together with the ESP-encrypted user data is placed after the original IP header. Transport mode is normally used for communication between two hosts, or between a host and a gateway device.