IPSec实验

本节介绍如何使用华为路由器,建立IPSec VPN,来保障俩个站点之间正常的通信 1.拓扑图 2.步骤 2.1 在r4和r5上配置静态路由,指定对端的路由
本节介绍如何使用华为路由器,建立IPSec VPN,来保障俩个站点之间正常的通信

1.拓扑图
在这里插入图片描述
2.步骤

2.1 在r4和r5上配置静态路由,指定对端的路由
2.2 使用高级IP acl 指定进行保护的流量(指定流量的源地址和目的IP地址)
2.3 创建IPSec安全提议并指定IPSec使用的各项参数
2.4 创建IKE安全提议,并指定IKE使用的各项参数
2.5 创建IKE对等体。并在其中引用配置的安全提议
2.6 创建IPSec安全策略,并在其中引用ACL,IPSec安全提议和IKE对等体
2.7建立连接的俩端,在面向lnternet的接口上应用安全策略

3.配置
3.1配置所有的IP地址和静态路由
在这里插入图片描述
在这里插入图片描述

r4:
interface GigabitEthernet0/0/0ip address 10.10.10.254 255.255.255.0 
#
interface GigabitEthernet0/0/1ip address 45.1.1.1 255.255.255.0 
静态路由:
ip route-static 20.20.20.0 255.255.255.0 45.1.1.5
ip route-static 56.1.1.0 255.255.255.0 45.1.1.5
#
r5:
[r5]int g0/0/0
[r5-GigabitEthernet0/0/0]ip address 45.1.1.5 24
[r5-GigabitEthernet0/0/0]int g0/0/1
[r5-GigabitEthernet0/0/1]ip address 56.1.1.1 24
r6:
interface GigabitEthernet0/0/0ip address 56.1.1.6 255.255.255.0 interface GigabitEthernet0/0/1ip address 20.20.20.254 255.255.255.0 
静态路由:
ip route-static 10.10.10.0 255.255.255.0 56.1.1.1
ip route-static 45.1.1.0 255.255.255.0 56.1.1.1

3.2在r4和r6上使用高级IP acl定义需要过ipsec vpn的流量

[r4]acl  3010  
[r4-acl-adv-3010]
[r4-acl-adv-3010] rule  permit ip source 10.10.10.0 0.0.0.255 destination 20.20
.20.0 0.0.0.255 
[r4-acl-adv-3010] rule 10 deny ip 
[r6]acl 3020  
[r6-acl-adv-3020]
[r6-acl-adv-3020] rule  permit ip source 20.20.20.0 0.0.0.255 destination 10.10
.10.0 0.0.0.255 [r6-acl-adv-3020] rule  deny ip

3.3在r4和r6上配置IPSec安全提议

r4:
[r4]ipsec proposal huawei10(自定义名字)
[r4-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r4-ipsec-proposal-huawei10]transform esp(指定IPSec所使用的安全协议)
[r4-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256(算法)	
[r4-ipsec-proposal-huawei10]esp encryption-algorithm aes-128
r6:
[r6]ipsec proposal huawei20(自定义名字)
[r6-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r6-ipsec-proposal-huawei10]transform esp(指定IPSec所使用的安全协议)
[r6-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256(算法)	
[r6-ipsec-proposal-huawei10]esp encryption-algorithm aes-128

查看安全提议:

[r4]display ipsec proposalNumber of proposals: 1IPSec proposal name: huawei                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication SHA2-HMAC-256                             Encryption     AES-128[r6]dis ipsec proposalNumber of proposals: 1IPSec proposal name: huawei2                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication SHA2-HMAC-256                             Encryption     AES-128

3.4在r4和r6上创建ike安全提议

[r4]ike proposal 10	
[r4-ike-proposal-10]authentication-algorithm sha1 (认证算法也与设备的型号有关)	
[r4-ike-proposal-10]authentication-method pre-share (默认的认证方式是预共享密钥)	
[r4-ike-proposal-10]encryption-algorithm aes-cbc-128(加密算法)
[r4-ike-proposal-10]q
同理		
[r6-ike-proposal-10]authentication-algorithm sha1 
[r6-ike-proposal-10]authentication-algorithm	
[r6-ike-proposal-10]authentication-method pre-share 	
[r6-ike-proposal-10]encryption-algorithm aes-cbc-128
[r6-ike-proposal-10]q

3.5在r4和r6上创建ike对等体

[r4]ike peer huawei10 v1
[r4-ike-peer-huawei10]ike	
[r4-ike-peer-huawei10]ike-proposal 10
[r4-ike-peer-huawei10]pre-shared-key  cipher huawei
[r4-ike-peer-huawei10]remote-address 56.1.1.6(对端的g0/0/0ip地址)[r4-ike-peer-huawei10]q
[r6]ike peer huawei20 v1 	
[r6-ike-peer-huawei20]ike-proposal 10	
[r6-ike-peer-huawei20]pre-shared-key cip huawei
[r6-ike-peer-huawei20]remote-address 45.1.1.1
[r6-ike-peer-huawei20]q
[r6]

查看ike对等体

[r4]dis ike peer verbose Number of IKE peers: 1------------------------------------------Peer name              : huawei10Exchange mode          : main on phase 1Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!Proposal               : 10Local ID type          : IPDPD                    : DisableDPD mode               : PeriodicDPD idle time          : 30DPD retransmit interval: 15DPD retry limit        : 3Host name              : Peer IP address        : 56.1.1.6VPN name               : Local IP address       : Local name             : Remote name            : NAT-traversal          : DisableConfigured IKE version : Version onePKI realm              : NULLInband OCSP            : Disable[r6]dis ike peer verbose Number of IKE peers: 1------------------------------------------Peer name              : huawei20Exchange mode          : main on phase 1Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!Proposal               : 10Local ID type          : IPDPD                    : DisableDPD mode               : PeriodicDPD idle time          : 30DPD retransmit interval: 15DPD retry limit        : 3Host name              : Peer IP address        : 45.1.1.1 VPN name               : Local IP address       : Local name             : Remote name            : NAT-traversal          : DisableConfigured IKE version : Version onePKI realm              : NULLInband OCSP            : Disable
------------------------------------------

3.6在r4和r6上配置ipsec策略

[r4]ipsec policy hw 10 isakmp 
[r4-ipsec-policy-isakmp-hw-10]ike-peer huawei10
[r4-ipsec-policy-isakmp-hw-10]proposal huawei	
[r4-ipsec-policy-isakmp-hw-10]security acl 3010
[r4-ipsec-policy-isakmp-hw-10]q[r6]ipsec policy hw2 10 isakmp 
[r6-ipsec-policy-isakmp-hw2-10]ike-peer huawei20
[r6-ipsec-policy-isakmp-hw2-10]proposal huawei2
[r6-ipsec-policy-isakmp-hw2-10]security acl 3020
[r6-ipsec-policy-isakmp-hw2-10]q

查看ipsec安全策略

[r4]display ipsec policy===========================================
IPSec policy group: "hw"
Using interface: 
===========================================Sequence number: 10Security data flow: 3010Peer name    :  huawei10Perfect forward secrecy: NoneProposal name:  huaweiIPSec SA local duration(time based): 3600 secondsIPSec SA local duration(traffic based): 1843200 kilobytesAnti-replay window size: 32SA trigger mode: AutomaticRoute inject: NoneQos pre-classify: Disable[r6]dis ipsec policy===========================================
IPSec policy group: "hw2"
Using interface: 
===========================================Sequence number: 10Security data flow: 3020Peer name    :  huawei20Perfect forward secrecy: NoneProposal name:  huawei2IPSec SA local duration(time based): 3600 secondsIPSec SA local duration(traffic based): 1843200 kilobytesAnti-replay window size: 32SA trigger mode: AutomaticRoute inject: NoneQos pre-classify: Disable

3.7在r4和r6上应用IPSec安全策略

[r4]int g0/0/1
[r4-GigabitEthernet0/0/1]ipsec po	
[r4-GigabitEthernet0/0/1]ipsec policy hw[r6]int g0/0/0
[r6-GigabitEthernet0/0/0]ipsec	
[r6-GigabitEthernet0/0/0]ipsec policy hw2
[r6-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0ip address 56.1.1.6 255.255.255.0 ipsec policy hw2

查看以创建的ike sa

[r4]dis ike saConn-ID  Peer            VPN   Flag(s)                Phase  ---------------------------------------------------------------7    56.1.1.6        0     RD                     2     6    56.1.1.6        0     RD                     1     Flag Description:RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP[r6]dis ike saConn-ID  Peer            VPN   Flag(s)                Phase  ---------------------------------------------------------------9    45.1.1.1        0     RD|ST                  2     8    45.1.1.1        0     RD|ST                  1     Flag Description:RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

3.8 pc1向pc2发起ping
在这里插入图片描述
在这里插入图片描述
抓包查看
在这里插入图片描述
由此可知lnternet中路由器无法知道这个数据包是哪种类型的信息,只有数据到达r6才能读到携带的真数据,并把数据进行下一步处理。