IPSec实验

本节介绍如何使用华为路由器，建立IPSec VPN，来保障俩个站点之间正常的通信

1.拓扑图

2.步骤

2.1 在r4和r5上配置静态路由，指定对端的路由
2.2 使用高级IP acl 指定进行保护的流量（指定流量的源地址和目的IP地址）
2.3 创建IPSec安全提议并指定IPSec使用的各项参数
2.4 创建IKE安全提议，并指定IKE使用的各项参数
2.5 创建IKE对等体。并在其中引用配置的安全提议
2.6 创建IPSec安全策略，并在其中引用ACL，IPSec安全提议和IKE对等体
2.7建立连接的俩端，在面向lnternet的接口上应用安全策略

3.配置
3.1配置所有的IP地址和静态路由

r4：
interface GigabitEthernet0/0/0
 ip address 10.10.10.254 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 45.1.1.1 255.255.255.0 
静态路由：
ip route-static 20.20.20.0 255.255.255.0 45.1.1.5
ip route-static 56.1.1.0 255.255.255.0 45.1.1.5
#

r5：
[r5]int g0/0/0
[r5-GigabitEthernet0/0/0]ip address 45.1.1.5 24
[r5-GigabitEthernet0/0/0]int g0/0/1
[r5-GigabitEthernet0/0/1]ip address 56.1.1.1 24

r6：
interface GigabitEthernet0/0/0
 ip address 56.1.1.6 255.255.255.0 
 
interface GigabitEthernet0/0/1
 ip address 20.20.20.254 255.255.255.0 
静态路由：
ip route-static 10.10.10.0 255.255.255.0 56.1.1.1
ip route-static 45.1.1.0 255.255.255.0 56.1.1.1

3.2在r4和r6上使用高级IP acl定义需要过ipsec 的流量

[r4]acl  3010  
[r4-acl-adv-3010]
[r4-acl-adv-3010] rule  permit ip source 10.10.10.0 0.0.0.255 destination 20.20
.20.0 0.0.0.255 
[r4-acl-adv-3010] rule 10 deny ip 

[r6]acl 3020  
[r6-acl-adv-3020]
[r6-acl-adv-3020] rule  permit ip source 20.20.20.0 0.0.0.255 destination 10.10
.10.0 0.0.0.255 

[r6-acl-adv-3020] rule  deny ip

3.3在r4和r6上配置IPSec安全提议

r4：
[r4]ipsec proposal huawei10（自定义名字）
[r4-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r4-ipsec-proposal-huawei10]transform esp（指定IPSec所使用的安全协议）
[r4-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256（算法）	
[r4-ipsec-proposal-huawei10]esp encryption-algorithm aes-128

r6：
[r6]ipsec proposal huawei20（自定义名字）
[r6-ipsec-proposal-huawei10]encapsulation-mode  tunnel 
[r6-ipsec-proposal-huawei10]transform esp（指定IPSec所使用的安全协议）
[r6-ipsec-proposal-huawei10]esp authentication-algorithm sha2-256（算法）	
[r6-ipsec-proposal-huawei10]esp encryption-algorithm aes-128

查看安全提议：

[r4]display ipsec proposal

Number of proposals: 1

IPSec proposal name: huawei                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256                             
                     Encryption     AES-128

[r6]dis ipsec proposal

Number of proposals: 1

IPSec proposal name: huawei2                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA2-HMAC-256                             
                     Encryption     AES-128

3.4在r4和r6上创建ike安全提议

[r4]ike proposal 10	
[r4-ike-proposal-10]authentication-algorithm sha1 （认证算法也与设备的型号有关）	
[r4-ike-proposal-10]authentication-method pre-share （默认的认证方式是预共享密钥）	
[r4-ike-proposal-10]encryption-algorithm aes-cbc-128（加密算法）
[r4-ike-proposal-10]q
同理		
[r6-ike-proposal-10]authentication-algorithm sha1 
[r6-ike-proposal-10]authentication-algorithm	
[r6-ike-proposal-10]authentication-method pre-share 	
[r6-ike-proposal-10]encryption-algorithm aes-cbc-128
[r6-ike-proposal-10]q

3.5在r4和r6上创建ike对等体

[r4]ike peer huawei10 v1
[r4-ike-peer-huawei10]ike	
[r4-ike-peer-huawei10]ike-proposal 10
[r4-ike-peer-huawei10]pre-shared-key  cipher huawei
[r4-ike-peer-huawei10]remote-address 56.1.1.6（对端的g0/0/0ip地址）

[r4-ike-peer-huawei10]q
[r6]ike peer huawei20 v1 	
[r6-ike-peer-huawei20]ike-proposal 10	
[r6-ike-peer-huawei20]pre-shared-key cip huawei
[r6-ike-peer-huawei20]remote-address 45.1.1.1
[r6-ike-peer-huawei20]q
[r6]

查看ike对等体

[r4]dis ike peer verbose 

Number of IKE peers: 1

------------------------------------------
   Peer name              : huawei10
   Exchange mode          : main on phase 1
   Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!
   Proposal               : 10
   Local ID type          : IP
   DPD                    : Disable
   DPD mode               : Periodic
   DPD idle time          : 30
   DPD retransmit interval: 15
   DPD retry limit        : 3
   Host name              : 
   Peer IP address        : 56.1.1.6
   VPN name               : 
   Local IP address       : 
   Local name             : 
   Remote name            : 
   NAT-traversal          : Disable
   Configured IKE version : Version one
   PKI realm              : NULL
   Inband OCSP            : Disable

[r6]dis ike peer verbose 

Number of IKE peers: 1

------------------------------------------
   Peer name              : huawei20
   Exchange mode          : main on phase 1
   Pre-shared-key cipher  : N`C55QK<`=/Q=^Q`MAF4<1!!
   Proposal               : 10
   Local ID type          : IP
   DPD                    : Disable
   DPD mode               : Periodic
   DPD idle time          : 30
   DPD retransmit interval: 15
   DPD retry limit        : 3
   Host name              : 
   Peer IP address        : 45.1.1.1 
   VPN name               : 
   Local IP address       : 
   Local name             : 
   Remote name            : 
   NAT-traversal          : Disable
   Configured IKE version : Version one
   PKI realm              : NULL
   Inband OCSP            : Disable
------------------------------------------

3.6在r4和r6上配置ipsec策略

[r4]ipsec policy hw 10 isakmp 
[r4-ipsec-policy-isakmp-hw-10]ike-peer huawei10
[r4-ipsec-policy-isakmp-hw-10]proposal huawei	
[r4-ipsec-policy-isakmp-hw-10]security acl 3010
[r4-ipsec-policy-isakmp-hw-10]q

[r6]ipsec policy hw2 10 isakmp 
[r6-ipsec-policy-isakmp-hw2-10]ike-peer huawei20
[r6-ipsec-policy-isakmp-hw2-10]proposal huawei2
[r6-ipsec-policy-isakmp-hw2-10]security acl 3020
[r6-ipsec-policy-isakmp-hw2-10]q

查看ipsec安全策略

[r4]display ipsec policy

===========================================
IPSec policy group: "hw"
Using interface: 
===========================================

    Sequence number: 10
    Security data flow: 3010
    Peer name    :  huawei10
    Perfect forward secrecy: None
    Proposal name:  huawei
    IPSec SA local duration(time based): 3600 seconds
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 32
    SA trigger mode: Automatic
    Route inject: None
    Qos pre-classify: Disable

[r6]dis ipsec policy

===========================================
IPSec policy group: "hw2"
Using interface: 
===========================================

    Sequence number: 10
    Security data flow: 3020
    Peer name    :  huawei20
    Perfect forward secrecy: None
    Proposal name:  huawei2
    IPSec SA local duration(time based): 3600 seconds
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 32
    SA trigger mode: Automatic
    Route inject: None
    Qos pre-classify: Disable

3.7在r4和r6上应用IPSec安全策略

[r4]int g0/0/1
[r4-GigabitEthernet0/0/1]ipsec po	
[r4-GigabitEthernet0/0/1]ipsec policy hw

[r6]int g0/0/0
[r6-GigabitEthernet0/0/0]ipsec	
[r6-GigabitEthernet0/0/0]ipsec policy hw2
[r6-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 56.1.1.6 255.255.255.0 
 ipsec policy hw2

查看以创建的ike sa

[r4]dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
        7    56.1.1.6        0     RD                     2     
        6    56.1.1.6        0     RD                     1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

[r6]dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
        9    45.1.1.1        0     RD|ST                  2     
        8    45.1.1.1        0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

3.8 pc1向pc2发起ping


抓包查看

由此可知lnternet中路由器无法知道这个数据包是哪种类型的信息，只有数据到达r6才能读到携带的真数据，并把数据进行下一步处理。