IPSEC technology application
isakmp mode
F1 configuration:
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback
[f1-Ethernet0/0]inter eth0/1
[f1-Ethernet0/1]ip address 1.1.1.1 24
[f1-Ethernet0/1]quit
[f1]ip route 0.0.0.0 0 1.1.1.2   add the default route
Add zones:
[f1]fire zone trust
[f1-zone-trust]add inter eth0/0
[f1-zone-trust]quit
[f1]fire zone untrust
[f1-zone-untrust]add inter eth0/1
Create the access control list:
[f1]acl num 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
[f1-acl-adv-3000]quit
Create the security proposal:
[f1]ipsec proposal tran1   security proposal name
[f1-ipsec-proposal-tran1]?
Ipsec-proposal view commands:
  display             Display current system information
  encapsulation-mode  Specify the packet encapsulation mode
  esp                 Specify the ESP protocol(RFC2406) parameters
  nslookup            Query Internet name servers
  ping                Ping function
  quit                Exit from current command view
  return              Exit to User View
  save                Save current configuration
  tracert             Trace route function
  transform           Specify the security protocol(s) used to transform the packet
  undo                Cancel current setting
  vrbd                Show application version
[f1-ipsec-proposal-tran1]encap ?
  transport  Only the payload of IP packet is protected(transport mode)
  tunnel     The entire IP packet is protected(tunnel mode)
[f1-ipsec-proposal-tran1]encap tunnel   specify the packet encapsulation mode for the security protocol (tunnel)
[f1-ipsec-proposal-tran1]transform ?
  ah      AH protocol defined in RFC2402
  ah-esp  ESP protocol first, then AH protocol
  esp     ESP protocol defined in RFC2406
[f1-ipsec-proposal-tran1]transform esp   specify the security protocol used to transform packets (esp)
[f1-ipsec-proposal-tran1]esp encry des   encryption algorithm type
[f1-ipsec-proposal-tran1]esp auth md5   authentication algorithm type
[f1-ipsec-proposal-tran1]quit
Create the IKE peer:
[f1]ike peer f2
Shared key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Destination:
[f1-ike-peer-f2]remote-address 1.1.2.1
Create the security policy:
[f1]ipsec policy policy1 10 isakmp
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
Reference the IKE peer:
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
Apply to the interface:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip address 192.168.2.254 24
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2-Ethernet0/1]quit
[f2]ip route 0.0.0.0 0 1.1.2.2
[f2]fire pack defau permi
[f2]fire zone trust
[f2-zone-trust]add inter eth0/0
The interface has been added to trust security zone.
[f2-zone-trust]quit
[f2]fire zone untrust
[f2-zone-untrust]add inter eth0/1
[f2-zone-untrust]quit
[f2]acl num 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
[f2-acl-adv-3000]quit
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encap tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encry des
[f2-ipsec-proposal-tran1]esp auth md5
[f2-ipsec-proposal-tran1]quit
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]pre-share?
pre-shared-key
[f2-ike-peer-f1]pre-shared-key 123456
[f2-ike-peer-f1]remote-address 1.1.1.1
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
[f2-ipsec-policy-isakmp-policy1-10]quit
[f2]inter eth0/1
[f2-Ethernet0/1]
[f2-Ethernet0/1]ipsec policy polict1
No such policy exists.
[f2-Ethernet0/1]ipsec policy policy1
Configure the switch:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]ip address 1.1.1.2 255.255.255.0
^
% Unrecognized command found at '^' position.
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]
%Dec 14 10:30:20 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface10: turns into UP state
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway-Vlan-interface10]
%Dec 14 10:30:38 2012 Quidway IFNET/5/UPDOWN:Line protocol on the interface Vlan-interface10 turns into UP state
[Quidway-Vlan-interface10]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 10:30:45 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Test:
[f2]dis ip rout   display the routing table
Routing Table: public net
Destination/Mask    Protocol  Pre  Cost  Nexthop        Interface
0.0.0.0/0           STATIC    60   0     1.1.2.2        Ethernet0/1
1.1.2.0/24          DIRECT    0    0     1.1.2.1        Ethernet0/1
1.1.2.1/32          DIRECT    0    0     127.0.0.1      InLoopBack0
127.0.0.0/8         DIRECT    0    0     127.0.0.1      InLoopBack0
127.0.0.1/32        DIRECT    0    0     127.0.0.1      InLoopBack0
192.168.2.0/24      DIRECT    0    0     192.168.2.254  Ethernet0/0
192.168.2.254/32    DIRECT    0    0     127.0.0.1      InLoopBack0
[f2]ping -a 192.168.2.254 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
Aggressive mode
Aggressive mode: F1 obtains its address automatically
Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip addres 192.168.2.254 24
[f2-Ethernet0/0]loopback
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2]ip route 0.0.0.0 0 1.1.2.2
Add zones:
[f2]firewall packet-filter default permit
[f2]firewall zone trust
[f2-zone-trust]add inter eth0/0
[f2]firewall zone untrust
[f2-zone-untrust]add inter eth0/1
Create the access control list:
[f2]acl number 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
Create the security proposal:
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encapsulation-mode tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encryption-algorithm des
[f2-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]?
Ike-peer 系统视图命令:
  certificate     设置证书的参数
  display         显示当前系统信息
  dpd             配置peer的DPD
  exchange-mode   指定IKE阶段一使用的协商模式
  id-type         设置地址或名字作为ID
  local           设置隧道本端子网类型
  local-address   指定本端IP地址
  nat             使用udp封装进行nat透传
  nslookup        查询域名服务
  peer            设置隧道对端子网类型
  ping            检查网络连接或主机是否可达
  pre-shared-key  指定预共享密钥
  quit            退出当前的命令视图
  remote-address  指定对端IP地址
  remote-name     指定对端网关名
  return          退到用户视图
  save            保存当前有效配置
  tracert         跟踪到达目的地的路由
  undo            取消当前设置
  vrbd            显示VRP版本
[f2-ike-peer-f1]exchange-mode ?
  aggressive  野蛮模式
  main        主模式
[f2-ike-peer-f1]exchange-mode aggressive
[f2-ike-peer-f1]id-type name   use the name as the ID
[f2-ike-peer-f1]pre-shared-key simple 123456
[f2-ike-peer-f1]remote-name f1
[f2-ike-peer-f1]local-address 1.1.2.1
[f2]ike local-name f2
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
Apply:
[f2]inter eth0/1
[f2-Ethernet0/1]ipsec policy policy1
Create the access control list (on f1):
[f1]acl number 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
Security proposal:
[f1]ipsec proposal tran1
[f1-ipsec-proposal-tran1]encap
[f1-ipsec-proposal-tran1]encapsulation-mode tunnel
[f1-ipsec-proposal-tran1]transform esp
[f1-ipsec-proposal-tran1]esp encry
[f1-ipsec-proposal-tran1]esp encryption-algorithm des
[f1-ipsec-proposal-tran1]esp auth
[f1-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f1]ike peer f2
[f1-ike-peer-f2]exchange-mode aggressive
[f1-ike-peer-f2]id-type name
[f1-ike-peer-f2]remote-address 1.1.2.1
[f1-ike-peer-f2]remote-name f2
Key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Security policy:
[f1-ike-peer-f2]quit
[f1]ipsec policy policy1 10 isakmp
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
[f1-ipsec-policy-isakmp-policy1-10]quit
Apply:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Set the interface to obtain its address automatically:
[f1]inter eth0/1
[f1-Ethernet0/1]ip ?
  address          设置接口的IP地址
  fast-forwarding  快转开关信息
  policy           使能策略路由
  relay            中继
  urpf             单播反向路径查找功能
[f1-Ethernet0/1]ip address ?
  X.X.X.X      IP地址
  bootp-alloc  使用BOOTP协商分配IP地址
  dhcp-alloc   使用DHCP协商分配IP地址
[f1-Ethernet0/1]ip address dhcp-alloc
[f1-Ethernet0/1]
%2012/12/13 00:51:52:687 f1 IFNET/4/UPDOWN:链路协议在接口Ethernet0/1上状态变为UP
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback
[f1]ip route 0.0.0.0 0 1.1.1.2
Switch configuration:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway-vlan20]quit
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 12:10:27 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Configure the DHCP server:
[Quidway]dhcp server ip-pool f1
[Quidway-dhcp-f1]network 1.1.1.0 mask 255.255.255.0
[Quidway-dhcp-f1]gateway-list 1.1.1.2
Test:
[f1]ping -a 192.168.1.254 192.168.2.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.2.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.2.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
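Both the isakmp (main mode) and the aggressive mode sections above only work when the two firewall configurations mirror each other exactly, which is the usual source of failed negotiations in this lab. As an added example, not part of the original notes, the Python checker below parses condensed versions of the f1 and f2 aggressive-mode configurations and reports every mismatch that would break IKE phase 1 or IPsec phase 2 (exchange mode, proposal, pre-shared key, mirrored ACL, remote-address against the peer's local-address, remote-name against the peer's local-name), and separately lists the obsolete algorithms in the proposal. The input is constructed from this page's commands; `ike local-name f1` is an assumption, since the notes set a local-name only on f2.

```python
# Constructed input modelled on this page's aggressive-mode configs, one keyword per
# line (ike peer / ipsec proposal / acl container lines omitted). f1's untrust address
# comes from DHCP, so f2 identifies it by name; 'ike local-name f1' is an assumption.
F1_CFG = """ike local-name f1
exchange-mode aggressive
id-type name
remote-address 1.1.2.1
remote-name f2
pre-shared-key simple 123456
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm md5
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"""
# f2 mirrors f1: swapped names, a static local-address instead of remote-address, reversed ACL
F2_CFG = (F1_CFG.replace("local-name f1", "local-name f2").replace("remote-name f2", "remote-name f1")
          .replace("remote-address 1.1.2.1", "local-address 1.1.2.1")
          .replace("192.168.1.0 0.0.0.255 destination 192.168.2.0",
                   "192.168.2.0 0.0.0.255 destination 192.168.1.0"))

def parse(cfg):
    """Flatten a condensed config into {keyword: value}; 'acl' is (source net, destination net)."""
    d = {}
    for w in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if w[0] == "rule":
            d["acl"] = (w[5], w[8])
        elif w[:2] == ["ike", "local-name"]:
            d["local-name"] = w[2]
        elif w[0] == "pre-shared-key":      # the key is the last word, after simple/cipher
            d["psk"] = w[-1]
        elif w[0] == "esp":                 # encryption-algorithm / authentication-algorithm
            d[w[1]] = w[2]
        else:                               # exchange-mode, id-type, remote-*, local-address, ...
            d[w[0]] = w[1]
    return d

def check_pair(a, b):
    """Mismatches that would make IKE phase 1 or IPsec phase 2 fail between peers a and b."""
    issues = [f"{k} differs" for k in ("exchange-mode", "encapsulation-mode", "transform",
              "encryption-algorithm", "authentication-algorithm", "psk") if a.get(k) != b.get(k)]
    if a.get("acl") != tuple(reversed(b.get("acl", ()))):
        issues.append("ACL rules are not mirror images")
    for x, y in ((a, b), (b, a)):           # each side's view of the other
        if "remote-address" in x and "local-address" in y and x["remote-address"] != y["local-address"]:
            issues.append("remote-address does not match peer local-address")
        if x.get("id-type") == "name" and x.get("remote-name") != y.get("local-name"):
            issues.append("remote-name does not match peer local-name")
    return issues
def weak_algorithms(d):  # obsolete for new deployments: DES and MD5, both used on this page
    return [v for k, v in d.items() if k.endswith("-algorithm") and v in ("des", "md5")]
```

Running `check_pair(parse(F1_CFG), parse(F2_CFG))` on the matching pair returns an empty list, while `weak_algorithms` still flags the proposal's des and md5 choices.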