华为 Router配置采用手工方式建立IPSec隧道

一、组网需求

1、如图所示,RouterA为企业分支网关,RouterB为企业总部网关,分支与总部通过公网建立通信。分支子网为10.1.1.0/24,总部子网为10.1.2.0/24。
企业希望对分支子网与总部子网之间相互访问的流量进行安全保护。分支与总部通过公网建立通信,可以在分支网关与总部网关之间建立一个IPSec隧道来实施安全保护。由于维护网关较少,可以考虑采用手工方式建立IPSec隧道。

2、网络拓扑

华为 Router配置采用手工方式建立IPSec隧道_第1张图片

3、采用如下思路配置采用手工方式建立IPSec隧道:

配置接口的IP地址和到对端的静态路由,保证两端路由可达。
配置ACL,以定义需要IPSec保护的数据流。
配置IPSec安全提议,定义IPSec的保护方法。
配置安全策略,并引用ACL和IPSec安全提议,确定对何种数据流采取何种保护方法。
在接口上应用安全策略组,使接口具有IPSec的保护功能。

二、操作步骤

1、配置接口IP地址

system-view
[Huawei]sysname RouterA
[RouterA]interface  GigabitEthernet  0/0/2
[RouterA-GigabitEthernet0/0/2]ip address  10.1.1.1 24
[RouterA-GigabitEthernet0/0/2]q
[RouterA]interface  GigabitEthernet  0/0/1
[RouterA-GigabitEthernet0/0/1]ip address  202.138.163.1 24
[RouterA-GigabitEthernet0/0/1]q

system-view
[Huawei]sysname RouterB
[RouterB]interface  GigabitEthernet  0/0/1
[RouterB-GigabitEthernet0/0/1]ip address  202.138.162.1 24
[RouterB-GigabitEthernet0/0/1]q
[RouterB]interface  GigabitEthernet 0/0/2
[RouterB-GigabitEthernet0/0/2]ip address  10.1.2.1 24
[RouterB-GigabitEthernet0/0/2]q

system-view 
[Huawei]sysname Internet
[Internet]interface  GigabitEthernet  0/0/1
[Internet-GigabitEthernet0/0/1]ip address  202.138.163.2 24
[Internet-GigabitEthernet0/0/1]q
[Internet]interface  GigabitEthernet  0/0/0
[Internet-GigabitEthernet0/0/0]ip address  202.138.162.2 24
[Internet-GigabitEthernet0/0/0]q

2、配置静态路由

[RouterA]ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
[RouterA]ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

[RouterB]ip route-static 202.138.163.0 255.255.255.0 202.138.162.2
[RouterB]ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

[Internet]ip route-static 10.1.2.0 255.255.255.0 202.138.162.1
[Internet]ip route-static 10.1.1.0 255.255.255.0 202.138.163.1

3、在Router上配置ACL,定义各自要保护的数据流

[RouterA]acl number 3001
[RouterA-acl-adv-3001]rule  permit  ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3001]q

[RouterB]acl number 3001
[RouterB-acl-adv-3001]rule  permit  ip source 10.1.2.0 0.0.0.255 destination  10.1.1.0 0.0.0.255
[RouterB-acl-adv-3001]q

4、在Router上创建IPSec安全提议

[RouterA]ipsec proposal  tran1
[RouterA-ipsec-proposal-tran1]esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1]quit

[RouterB]ipsec proposal tran1
[RouterB-ipsec-proposal-tan1]esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tan1]quit

查看

[RouterA]display  ipsec proposal name tran1

IPSec proposal name: tran1                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA1-HMAC-96                             
                     Encryption     DES

5、在Router上配置手工方式安全策略

[RouterA]ipsec policy map1 10 manual
[RouterA-ipsec-policy-manual-map1-10]security acl 3001
[RouterA-ipsec-policy-manual-map1-10]proposal tran1
[RouterA-ipsec-policy-manual-map1-10]tunnel remote 202.138.162.1
[RouterA-ipsec-policy-manual-map1-10]tunnel local 202.138.163.1
[RouterA-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[RouterA-ipsec-policy-manual-map1-10]sa string-key outbound esp simple abc
[RouterA-ipsec-policy-manual-map1-10]sa string-key inbound esp simple cba
[RouterA-ipsec-policy-manual-map1-10]quit

[RouterB]ipsec policy use1 10 manual 
[RouterB-ipsec-policy-manual-use1-10]security acl 3001
[RouterB-ipsec-policy-manual-use1-10]proposal tran1 
[RouterB-ipsec-policy-manual-use1-10]tunnel remote 202.138.163.1
[RouterB-ipsec-policy-manual-use1-10]tunnel local 202.138.162.1
[RouterB-ipsec-policy-manual-use1-10]sa spi  outbound esp 54321
[RouterB-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[RouterB-ipsec-policy-manual-use1-10]sa string-key outbound esp simple cba
[RouterB-ipsec-policy-manual-use1-10]sa string-key inbound esp simple abc
[RouterB-ipsec-policy-manual-use1-10]quit

查看

[RouterA]display  ipsec policy name map1 

===========================================
IPSec policy group: "map1"
Using interface: 
===========================================

    Sequence number: 10
    Security data flow: 3001
    Tunnel local  address: 202.138.163.1
    Tunnel remote address: 202.138.162.1
    Qos pre-classify: Disable
    Proposal name:tran1
    Inbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Inbound ESP setting: 
      ESP SPI: 54321 (0xd431)
      ESP string-key: cba
      ESP encryption hex key: 
      ESP authentication hex key: 
    Outbound AH setting: 
      AH SPI: 
      AH string-key: 
      AH authentication hex key: 
    Outbound ESP setting: 
      ESP SPI: 12345 (0x3039)
      ESP string-key: abc
      ESP encryption hex key: 
      ESP authentication hex key: 

6、在Router接口上引用安全策略组

[RouterA]interface  GigabitEthernet  0/0/1
[RouterA-GigabitEthernet0/0/1]ipsec  policy  map1
[RouterA-GigabitEthernet0/0/1]quit

[RouterB]interface GigabitEthernet 0/0/1
[RouterB-GigabitEthernet0/0/1]ipsec policy use1
[RouterB-GigabitEthernet0/0/1]quit

7、验证结果

配置成功后,在主机PC10.1.1.2上执行ping操作仍然可以ping通主机PC 10.1.2.2,执行命令display ipsec statistics esp可以查看数据包的统计信息

[RouterA]display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
 Path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "map1"
  Sequence number  : 10
  Acl Group        : 3001
  Acl rule         : 0
  Mode             : Manual
  -----------------------------
    Encapsulation mode: Tunnel
    Tunnel local      : 202.138.163.1
    Tunnel remote     : 202.138.162.1
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 12345 (0x3039)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      No duration limit for this SA

    [Inbound ESP SAs] 
      SPI: 54321 (0xd431)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      No duration limit for this SA

 

 

你可能感兴趣的:(网络)