一、【组网和实验环境】
按如上的接口ip先作配置
本文实验采用的交换机是H3C模拟器,下载地址如下:http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 有兴趣的朋 友可以在论坛上去下载。
二、【实验过程】
配置完成后,用
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=19 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=30 ms
的报文通过,将触发IKE协商。
由于R1上配置了提议tran1,其中使用的认证算法为md5,但R2上使用的是缺省的IKE提议,默认的认证算法为sha。因此,在进行IKE提议匹配的时候,从优先级最高的提议开始匹配
,因为R2上没有和R1上提议10相匹配的IKE提议,所以双方能够匹配的只有缺省的IKE提议。另外,在进行提议匹配的时候,存活时间是不用进行匹配的,它由IKE协商双方决定。
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
10 PRE_SHARED MD5 DES_CBC MODP_768 5000 没有用这条proposal
default PRE_SHARED SHA DES_CBC MODP_768 86400
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
default PRE_SHARED SHA DES_CBC MODP_768 86400
二、可通过如下显示信息查看到IKE协商成功后生成的两个阶段的SA。
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
14 2.2.2.2 RD 2 IPSEC
13 2.2.2.2 RD 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
IKE第二阶段协商生成的IPsec SA用于保护子网10网段之间的数据流,可通过如下显示信息查看。
===============================
Interface: Serial0/6/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 9
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow :
sour addr: 10.1.1.1/255.255.255.255 port: 0 protocol: IP
dest addr: 10.1.2.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 495682204 (0x1d8b829c)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/2030
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 21829635 (0x14d1803)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/2030
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
三【配置文本】
#
version 5.20, Alpha 1011
#
sysname R1
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 10
authentication-algorithm md5
sa duration 5000
#
ike peer peer
pre-shared-key cipher PMEfbsX04vk=
remote-address 2.2.2.2
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer peer
proposal tran1
#
acl number 3101
rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0
#
interface Serial0/6/0
link-protocol ppp
ip address 1.1.1.1 255.255.255.0
ipsec policy map1
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
%Feb 18 15:54:04:31 2013 R2 SHELL/4/LOGIN: Console login from con0
#
version 5.20, Alpha 1011
#
sysname R2
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer peer1
pre-shared-key cipher PMEfbsX04vk=
remote-address 1.1.1.1
#
ipsec proposal tran2
esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer peer1
proposal tran2
#
acl number 3101
rule 0 permit ip source 10.1.2.1 0 destination 10.1.1.1 0
#
interface Serial0/6/0
link-protocol ppp
ip address 2.2.2.2 255.255.255.0
ipsec policy use1
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.2.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return