1.实验目的

掌握华为设备上IKE方案实施站点到站点的虚拟私有网络(HCNP独家新增课程)
IPSec在IP层通过加密与数据来源认证等方式,来保证数据包在网络上传输时的私有性、真实性、完整性和抗重放。
IPSec加密和验证算法所使用的密钥可以手工配置,也可以通过因特网密钥交换IKE(Internet Key Exchange)协议动态协商。IKE协议建立在Internet安全联盟和密钥管理协议ISAKMP(Internet Security Association and Key Management Protocol)框架之上,采用DH(Diffie-Hellman)算法在不安全的网络上安全地分发密钥、验证身份,以保证数据传输的安全性。IKE协议可提升密钥的安全性,并降低IPSec管理复杂度。

目的
在Internet的传输中,绝大部分数据的内容都是明文传输的,这样就会存在很多潜在的危险,比如:密码、银行帐户的信息被窃取、篡改,用户的身份被冒充,遭受网络恶意×××等。网络中部署IPSec后,可对传输的数据进行保护处理,降低信息泄漏的风险。

受益
IPSec通过加密与验证等方式,从以下几个方面保障了用户业务数据在Internet中的安全传输:
数据来源验证:接收方验证发送方身份是否合法。
数据加密:发送方对数据进行加密,以密文的形式在Internet上传送,接收方对接收的加密数据进行解密后处理或直接转发。
数据完整性:接收方对接收的数据进行验证,以判定报文是否被篡改。
抗重放:接收方拒绝旧的或重复的数据包,防止恶意用户通过重复发送捕获到的数据包所进行的×××。

2.实施拓扑图

在华为设备上实战站点到站点的虚拟私有网络_第1张图片

3.实验步骤

3.1 路由问题

ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 //该路由可以解决到达对端通信点以及对端加解密点的通信问题

3.2 实施ACL匹配感兴趣流

这些流量将被×××做安全处理
acl number 3000
rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255

3.3 配置IPSEC提案

ipsec proposal 10
esp authentication-algorithm sha2-384
esp encryption-algorithm aes-128

3.4 配置IKE提案

ike proposal 10
encryption-algorithm aes-cbc-128
dh group2

3.5配置IKE对等体组,协商对等体

ike peer R2 v1
pre-shared-key simple qytang
ike-proposal 10
remote-address 12.1.1.2

3.6配置策略汇总

ipsec policy P1 10 isakmp
security acl 3000
ike-peer R2
proposal 10

4.将策略调用在接口

interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0
ipsec policy P1
AR2的配置几乎和AR1相同,大部分内容比如acl将流量的源目对调即可,请参考如下配置

acl number 3000  
 rule 5 permit ip source 10.1.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255 
#
ipsec proposal 10
 esp authentication-algorithm sha2-384
 esp encryption-algorithm aes-128
#
ike proposal 10
 encryption-algorithm aes-cbc-128
 dh group2                                
#
ike peer R1 v1
 pre-shared-key simple qytang
 ike-proposal 10
 remote-address 12.1.1.1
#
ipsec policy P1 10 isakmp
 security acl 3000
 ike-peer R1
 proposal 10
#

interface GigabitEthernet0/0/0            
 ip address 12.1.1.2 255.255.255.0 
 ipsec policy P1
#

interface GigabitEthernet0/0/2
 ip address 10.1.20.254 255.255.255.0 

#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1

5.验证IPSEC的各种状态以便排错

在华为设备上实战站点到站点的虚拟私有网络_第2张图片
验证:

[Gateway1]display ike sa 
    Conn-ID  Peer            ×××   Flag(s)                Phase  
  ---------------------------------------------------------------
        2    12.1.1.2        0     RD|ST                  2     
        1    12.1.1.2        0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[Gateway1]dis ike peer 

Number of IKE peers: 1

  Peer name       Exchange    Remote         NAT     
                  mode        name           traversal
-------------------------------------------------------
  R2              Main                       Disable 
[Gateway1]dis ike statistics v1

----------------------------------------------------------

 IKE V1 statistics information
 Number of total peers                        : 18
 Number of policy peers                       : 1
 Number of profile peers                      : 17
 Number of proposals                          : 2
 Number of established V1 phase 1 SAs         : 1
 Number of established V1 phase 2 SAs         : 1
 Number of total V1 phase 1 SAs               : 1
 Number of total V1 phase 2 SAs               : 1
 Number of total SAs                          : 2
 Keep alive time                              : 0
 Keep alive interval                          : 0
 keepalive spi list                           : Disable
----------------------------------------------------------
[Gateway1]dis ipsec sa // 查看IPSEC SA,它用于确定网络的两侧,同时进行数据加解密

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "P1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Tunnel local      : 12.1.1.1
    Tunnel remote     : 12.1.1.2
    Flow source       : 10.1.10.0/255.255.255.0 0/0
    Flow destination  : 10.1.20.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 1214314935 (0x4860f9b7)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192
      SA remaining key duration (bytes/sec): 1887283200/3079
      Max sent sequence-number: 10
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 2003986867 (0x777269b3)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192
      SA remaining key duration (bytes/sec): 1887436260/3079
      Max received sequence-number: 9
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
[Gateway1]dis ipsec policy 

===========================================
IPSec policy group: "P1"
Using interface: GigabitEthernet0/0/0
===========================================

    Sequence number: 10
    Security data flow: 3000
    Peer name    :  R2
    Perfect forward secrecy: None
    Proposal name:  10
    IPSec SA local duration(time based): 3600 seconds
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 32
    SA trigger mode: Automatic
    Route inject: None
    Qos pre-classify: Disable
[Gateway1]dis ipsec statistics esp 
 Inpacket count            : 9
 Inpacket auth count       : 0
 Inpacket decap count      : 0
 Outpacket count           : 10
 Outpacket auth count      : 0
 Outpacket encap count     : 0
 Inpacket drop count       : 0
 Outpacket drop count      : 0
 BadAuthLen count          : 0
 AuthFail count            : 0
 InSAAclCheckFail count    : 0
 PktDuplicateDrop count    : 0
 PktSeqNoTooSmallDrop count: 0
 PktInSAMissDrop count     : 0

需要注意的是ensp的acl并不一定匹配,如下所示
dis acl all
Total quantity of nonempty ACL number is 1

Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255

6.查看安全处理的报文

下图帮您认识ESP报文,您不能在看到icmp报文,因为数据被加密处理
在华为设备上实战站点到站点的虚拟私有网络_第3张图片