A simple IPsec configuration on eNSP

A simple IPsec configuration


Contents

  • A simple IPsec configuration
    • Lab environment
    • Approach
    • Steps
      • 1. Configure IP addresses
      • 2. Configure routing
      • 3. Define the interesting traffic
      • 4. IKE proposal
      • 5. IKE peer
      • 6. IPsec proposal
      • 7. IPsec policy
      • 8. Apply the IPsec policy to the interface
      • 9. Test
    • Personal summary


Lab environment

[Figure 1: lab topology (image not included)]

The topology, as read from the configuration below: PC1 (192.168.1.1/24) - AR2 (g0/0/0 192.168.1.254, g0/0/1 200.1.1.2) - AR3 (g0/0/0 200.1.1.3, g0/0/1 200.1.2.3) - AR4 (g0/0/0 200.1.2.4, g0/0/1 192.168.2.254) - PC2 (192.168.2.2/24). AR3 plays the role of the public network; the IPsec tunnel runs between AR2 and AR4 and protects traffic between the two private subnets.


Approach

  • Configure IP addresses
  • Configure routing
  • Define the interesting traffic (ACL)
  • Configure IKE (proposal and peer)
  • Configure IPsec (proposal and policy)
  • Apply the IPsec policy to the public-facing interface

Steps

1. Configure IP addresses

PC1:

IP address: 192.168.1.1
Subnet mask: 255.255.255.0
Gateway: 192.168.1.254

PC2:

IP address: 192.168.2.2
Subnet mask: 255.255.255.0
Gateway: 192.168.2.254

AR2:

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 200.1.1.2 24

AR3:

[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 200.1.1.3 24
[R3-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 200.1.2.3 24

AR4:

[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ip address 200.1.2.4 24
[R4-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R4-GigabitEthernet0/0/1]ip address 192.168.2.254 24

2. Configure routing

AR2:

[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ospf enable area 0
[R2]ip route-static 192.168.2.0 24 200.1.1.3

AR3:

[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ospf enable area 0
[R3-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ospf enable area 0

AR4:

[R4]ospf
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ospf enable area 0
[R4]ip route-static 192.168.1.0 24 200.1.2.3

Only the public links (200.1.1.0/24 and 200.1.2.0/24) are advertised in OSPF; the two private subnets are deliberately left out, so AR3 never learns them. The static routes on AR2 and AR4 are still required: without a route to the remote private subnet the router would drop a packet from PC1 to PC2 before the IPsec policy on the outgoing interface could match it. Once the packet is encapsulated in tunnel mode its outer header carries the public addresses 200.1.1.2 and 200.1.2.4, which AR3 can forward.

3. Define the interesting traffic

AR2:

[R2]acl 3000
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

AR4:

[R4]acl 3000
[R4-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

The advanced ACL (numbers 3000 to 3999) selects the traffic to be protected, and the first packet that matches it is what triggers IKE negotiation. The two rules must be mirror images of each other (source and destination swapped); if they are not, the traffic selectors proposed in phase 2 do not match and the IPsec SA is never established. Note that VRP ACLs use wildcard masks: 0.0.0.255 means "ignore the last octet", not a subnet mask.

4. IKE proposal

AR2:

[R2]ike proposal 1
[R2-ike-proposal-1]encryption-algorithm 3des-cbc
[R2-ike-proposal-1]dh group2
[R2-ike-proposal-1]authentication-algorithm md5

AR4:

[R4]ike proposal 1
[R4-ike-proposal-1]encryption-algorithm 3des-cbc
[R4-ike-proposal-1]dh group2
[R4-ike-proposal-1]authentication-algorithm md5

The IKE proposal defines how phase 1 (the IKE SA) is protected: encryption algorithm, hash algorithm, Diffie-Hellman group and authentication method (pre-shared key is the default and is used here). Both peers need a proposal with identical parameters. 3DES, MD5 and DH group 2 (1024-bit MODP) are fine for an eNSP lab, but all three are considered weak today; for a real deployment use AES-CBC-256, SHA2-256 and DH group 14 or higher.

5. IKE peer

AR2:

[R2]ike peer r4 v1
[R2-ike-peer-r4]pre-shared-key simple huawei  // cipher stores the key encrypted in the configuration, simple stores it in plaintext
[R2-ike-peer-r4]ike-proposal 1
[R2-ike-peer-r4]remote-address 200.1.2.4

AR4:

[R4]ike peer r2 v1
[R4-ike-peer-r2]pre-shared-key simple huawei
[R4-ike-peer-r2]ike-proposal 1
[R4-ike-peer-r2]remote-address 200.1.1.2

`v1` selects IKEv1. The pre-shared key must be identical on both peers. With `simple` the key is visible in plaintext in display current-configuration, so outside a lab use `cipher`. The remote-address is the address on which the peer terminates the tunnel, i.e. its public interface (200.1.2.4 on AR4, 200.1.1.2 on AR2).

6. IPsec proposal

AR2:

[R2]ipsec proposal 1
[R2-ipsec-proposal-1]encapsulation-mode tunnel
[R2-ipsec-proposal-1]esp authentication-algorithm sha2-256
[R2-ipsec-proposal-1]esp encryption-algorithm 3des

AR4:

[R4]ipsec proposal 1
[R4-ipsec-proposal-1]encapsulation-mode tunnel
[R4-ipsec-proposal-1]esp authentication-algorithm sha2-256
[R4-ipsec-proposal-1]esp encryption-algorithm 3des

The IPsec proposal defines how the data (phase 2, the IPsec SAs) is protected. Tunnel mode is required here because the inner addresses are private: it wraps the whole original packet in a new IP header with the public addresses. ESP with both an encryption and an authentication algorithm gives confidentiality and integrity; as in step 4, 3des is weak and aes-256 should be preferred outside a lab.

7. IPsec policy

AR2:

[R2]ipsec policy zzy 1 isakmp  // isakmp: the SAs are negotiated by IKE (the alternative is manual)
[R2-ipsec-policy-isakmp-zzy-1]security acl 3000
[R2-ipsec-policy-isakmp-zzy-1]ike-peer r4
[R2-ipsec-policy-isakmp-zzy-1]proposal 1

AR4:

[R4]ipsec policy zzy 1 isakmp
[R4-ipsec-policy-isakmp-zzy-1]security acl 3000
[R4-ipsec-policy-isakmp-zzy-1]ike-peer r2
[R4-ipsec-policy-isakmp-zzy-1]proposal 1

The policy ties the three pieces together: which traffic (the ACL from step 3), with whom (the IKE peer from step 5) and how (the IPsec proposal from step 6). The `isakmp` keyword means the keys and SPIs are negotiated through IKE rather than typed in by hand with a `manual` policy; it has nothing to do with IKE aggressive mode, which is selected with `exchange-mode aggressive` under the IKE peer.

8. Apply the IPsec policy to the interface

AR2:

[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ipsec policy zzy

AR4:

[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ipsec policy zzy

The policy goes on the public-facing interface of each router, the one the static route from step 2 sends the private traffic out of. The name zzy refers to the whole policy group, so every sequence number defined under it becomes active on that interface.

9. Test

[Figure 2 (image not included)]
[Figure 3 (image not included)]

Ping PC2 from PC1. The first one or two packets are normally lost while IKE negotiates; after that the ping succeeds and IPsec is applied successfully.
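As an added example that is not part of the original post, here is the same tunnel on AR2 with the weak IKE/IPsec algorithms replaced by current ones, the pre-shared key stored as cipher text, and the display commands used to confirm that both IKE phases came up. AR4 mirrors it with the addresses swapped. The proposal number 10, the key value and the `//` annotations are choices made for this example; whether aes-cbc-256, sha2-256, dh group14 and pfs are accepted depends on the VRP version of the router image, so check them with `?` before relying on them.

```text
# AR2 - hardened version of steps 3 to 8 (added example; AR4 is the mirror image)
[R2]acl 3000
[R2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R2-acl-adv-3000]quit
[R2]ike proposal 10
[R2-ike-proposal-10]encryption-algorithm aes-cbc-256       // instead of 3des-cbc
[R2-ike-proposal-10]authentication-algorithm sha2-256      // instead of md5
[R2-ike-proposal-10]dh group14                             // 2048-bit MODP instead of group2 (1024-bit)
[R2-ike-proposal-10]quit
[R2]ike peer r4 v1
[R2-ike-peer-r4]pre-shared-key cipher Huawei@2024lab       // cipher: stored encrypted in the config; key is an example value
[R2-ike-peer-r4]ike-proposal 10
[R2-ike-peer-r4]remote-address 200.1.2.4
[R2-ike-peer-r4]quit
[R2]ipsec proposal 10
[R2-ipsec-proposal-10]encapsulation-mode tunnel
[R2-ipsec-proposal-10]esp encryption-algorithm aes-256     // instead of 3des
[R2-ipsec-proposal-10]esp authentication-algorithm sha2-256
[R2-ipsec-proposal-10]quit
[R2]ipsec policy zzy 1 isakmp
[R2-ipsec-policy-isakmp-zzy-1]security acl 3000
[R2-ipsec-policy-isakmp-zzy-1]ike-peer r4
[R2-ipsec-policy-isakmp-zzy-1]proposal 10
[R2-ipsec-policy-isakmp-zzy-1]pfs dh-group14               // fresh DH exchange per IPsec SA (assumed available on your image)
[R2-ipsec-policy-isakmp-zzy-1]quit
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ipsec policy zzy
[R2-GigabitEthernet0/0/1]quit

# Verification, after PC1 has pinged PC2 (the first packets trigger IKE and may be lost)
<R2>display ike sa                  // expect a phase-1 and a phase-2 entry for peer 200.1.2.4 with Flag RD (ready)
<R2>display ipsec sa                // expect inbound and outbound ESP SPIs, tunnel local 200.1.1.2 / remote 200.1.2.4, ACL 3000
<R2>display ipsec statistics esp    // encrypted/decrypted packet counters must grow with each ping
<R2>reset ipsec sa                  // tear the SAs down, then ping again to watch the negotiation repeat
```

If `display ike sa` shows no entry at all, the interesting traffic is not reaching the interface with the policy (check the static route and the ACL); if it shows a phase-1 entry but no phase-2 entry, the IPsec proposals or the ACLs on the two sides do not match.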


Personal summary

IPsec has two encapsulation modes, transport and tunnel. Transport mode only inserts an ESP/AH header between the original IP header and the payload; tunnel mode wraps the whole original packet and adds a new IP header. When a VPN carries data over the public network, tunnel mode is the one to use: on entering the public network the new outer header carries a public address, whereas in transport mode the original private source and destination addresses would remain and the public routers could not forward the packet. IPsec adds security to the TCP/IP suite: ESP encrypts the payload (and, in tunnel mode, the original IP header as well), and ESP/AH carry an integrity check value, a keyed hash that acts as a fingerprint so that any tampering is detected, which greatly increases the confidentiality and integrity of the traffic.
