IPsec in the Enterprise Network

How IPsec works:
Internet Protocol Security (IPSec) is an open-standard framework that uses cryptographic security services to provide private, secure communication over Internet Protocol (IP) networks.
IPSec is the long-term direction for secure networking. It provides proactive protection against attacks from private networks and from the Internet by securing traffic end to end. In a communication, the sender and the receiver are the only computers that need to be aware of IPSec protection. In the Windows 2000, Windows XP and Windows Server 2003 families, IPSec provides the ability to protect communication between workgroups, LAN computers, domain clients and servers, branch offices (physically remote sites), extranets and roaming clients.
IPsec features:
1. Security characteristics
2. Public-key authentication based on digital certificates
3. Pre-shared key authentication
4. Public-key encryption
5. Hash functions and data integrity
6. Encryption and data reliability
7. Key management

Case topology diagram:

In this case a company headquarters and its branch offices need a dedicated link; because of budget constraints, a virtual link is implemented on the routers instead. R1 represents the headquarters, R2 and R3 represent the branch offices, and the Layer 3 switch represents the Internet.


Main configuration:


R1 configuration
[R1-Ethernet1]ip add 1.1.1.2 30
[R1-Ethernet1]undo shut
[R1-Ethernet1]qu
[R1]ip route 0.0.0.0 0 1.1.1.1
[R1]acl 3000
[R1-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[R1-acl-3000]rule deny ip source any dest any   //ACL 3000 selects the traffic to protect (HQ LAN to the LAN behind R2)
[R1]ipsec proposal tran1
[R1-ipsec-proposal-tran1]qu
[R1]ipsec policy policy1 10 isakmp         //create security policy policy1, entry 10, with the SA parameters negotiated automatically by IKE
[R1-ipsec-policy-policy1-10]security acl 3000   //apply ACL 3000 to this policy entry
[R1-ipsec-policy-policy1-10]proposal  tran1
[R1-ipsec-policy-policy1-10]tunnel remote 1.1.2.2   //R2 is the remote tunnel endpoint
[R1-ipsec-policy-policy1-10]qu
[R1]ike pre-shared-key 123456 remote 1.1.2.2   //pre-shared key for IKE authentication with R2
[R1]int et1
[R1-Ethernet1]ipsec policy policy1   //apply the policy group to the WAN interface
[R1]acl 3001
[R1-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 dest 192.168.3.0 0.0.0.255
 Rule has been added to normal packet-filtering rules
[R1-acl-3001]rule deny ip source any dest any     //ACL 3001 selects the traffic to protect (HQ LAN to the LAN behind R3)
 Rule has been added to normal packet-filtering rules
[R1-acl-3001]qu
[R1]ipsec proposal tran2   //second proposal, referenced by entry 11 (present in the running config below)
[R1-ipsec-proposal-tran2]qu
[R1]ipsec policy policy1 11 isakmp  //second entry (11) of security policy policy1, also negotiated automatically by IKE
[R1-ipsec-policy-policy1-11]security acl 3001  //apply ACL 3001 to this policy entry
[R1-ipsec-policy-policy1-11]proposa tran2
[R1-ipsec-policy-policy1-11]tunnel remote 1.1.3.2   //R3 is the remote tunnel endpoint (present in the running config below)
[R1-ipsec-policy-policy1-11]qu
[R1]ike pre-shared-key 123456 re 1.1.3.2    //pre-shared key for IKE authentication with R3
[R1]int e1
[R1-Ethernet1]ipsec po policy2
 The ipsec policy name entered doesn't exist.   //policy2 was never created on R1; entry 11 belongs to policy1, which is already applied to Ethernet1
[R1]dis cu
 !
 ike pre-shared-key 123456 remote 1.1.3.2
 ike pre-shared-key 123456 remote 1.1.2.2
 !
 acl 3000 match-order auto
    rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule normal deny ip source any destination any
 !
 acl 3001 match-order auto
    rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    rule normal deny ip source any destination any
 !
 ipsec proposal tran2
 !                                       
 ipsec proposal tran1
 !
 ipsec policy policy1 10 isakmp
    security acl 3000
    proposal tran1
    tunnel remote 1.1.2.2
 !
 ipsec policy policy1 11 isakmp
    security acl 3001
    proposal tran2
    tunnel remote 1.1.3.2
 !
 interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
 !
 interface Ethernet1
    ip address 1.1.1.2 255.255.255.252
    ipsec policy policy1
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 preference 60
 !
 return
R2 configuration
[R2]dis cu
  ike pre-shared-key 123456 remote 1.1.1.2
 !
 acl 3000 match-order auto
    rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule normal deny ip source any destination any
 !
 ipsec proposal tran2
 !
 ipsec policy policy2 10 isakmp
    security acl 3000
    proposal tran2
    tunnel remote 1.1.1.2
 !
 interface Ethernet0
    ip address 192.168.2.1 255.255.255.0
 !
 interface Ethernet1
    ip address 1.1.2.2 255.255.255.252
    ipsec policy policy2
 ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 preference 60
 !
 return
R3 configuration
[Router]dis cu
 ike pre-shared-key 123456 remote 1.1.1.2
 !
 acl 3001 match-order auto
    rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule normal deny ip source any destination any
 !
 ipsec proposal tran3
 !
 ipsec policy policy3 11 isakmp
    security acl 3001
    proposal tran3
    tunnel remote 1.1.1.2
 !
 interface Ethernet0
    ip address 192.168.3.1 255.255.255.0
 !
 interface Ethernet1
    ip address 1.1.3.2 255.255.255.252
    ipsec policy policy3
 !
 ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 preference 60
 !
 return
Core network (switch) configuration:
[s11]dis cu
#
 sysname s11
 domain default enable system
#
 local-server nas-ip 127.0.0.1 key huawei
 
local-user user1
 password simple 123
 service-type telnet level 3
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
 ip address 192.168.101.21 255.255.255.0
#
interface Vlan-interface10
 ip address 1.1.1.1 255.255.255.252
#
interface Vlan-interface20
 ip address 1.1.2.1 255.255.255.252
#
interface Vlan-interface30
 ip address 1.1.3.1 255.255.255.252
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
 port access vlan 10
#
interface Ethernet0/3
 port access vlan 20
#
interface Ethernet0/4
 port access vlan 30
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

This lab was configured on Huawei equipment (Quidway 2600 routers and a Quidway S3526E switch).
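To check whether the three router configurations above actually agree with each other, here is an added example in Python; it is not part of the original post and is not Huawei code. It parses the `dis cu` subset used on this page (pre-shared keys, ACLs, proposals, ISAKMP policy entries and interface bindings) and audits the site: every policy entry must have a pre-shared key for its tunnel endpoint and belong to a policy group that is applied to an interface (the slip shown above, where `ipsec po policy2` was rejected, would be reported if policy1 were not bound to Ethernet1); each end's permit rule must be the mirror image of the peer's; the keys on both ends must match; and pre-shared keys that are short or purely numeric, like the `123456` used throughout, are flagged. The addresses, ACL numbers and policy/proposal names are those of R1, R2 and R3 on the page, re-rendered by a small template; the function names (`parse_config`, `check_local`, `check_pair`, `audit`, `router_config`), the 16-character key threshold and the message texts are this example's own choices.

```python
import re

def parse_config(text):
    """Parse the 'dis cu' subset used on the page: keys, ACLs, proposals, policies, interfaces."""
    cfg = {"psk": {}, "acl": {}, "proposals": set(), "policies": {}, "interfaces": {}}
    section = None  # ("acl", num) | ("policy", (name, seq)) | ("iface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"ike pre-shared-key (\S+) remote (\S+)$", line)):
            cfg["psk"][m.group(2)] = m.group(1)  # key indexed by peer address
        elif (m := re.match(r"ipsec policy (\S+) (\d+) isakmp$", line)):
            section = ("policy", (m.group(1), int(m.group(2))))
            cfg["policies"][section[1]] = {}
        elif (m := re.match(r"ipsec proposal (\S+)$", line)):
            cfg["proposals"].add(m.group(1))
        elif (m := re.match(r"acl (\d+)", line)):
            section = ("acl", m.group(1))
            cfg["acl"].setdefault(section[1], [])
        elif (m := re.match(r"interface (\S+)$", line)):
            section = ("iface", m.group(1))
            cfg["interfaces"][section[1]] = {}
        elif section and section[0] == "acl":
            m = re.match(r"rule (?:normal )?(permit|deny) ip source (any|\S+ \S+) dest\w* (any|\S+ \S+)$", line)
            if m:
                cfg["acl"][section[1]].append(m.groups())  # (action, src, dst)
        elif section and section[0] == "policy":
            for key, pat in (("acl", r"security acl (\d+)"), ("proposal", r"proposal (\S+)"), ("remote", r"tunnel remote (\S+)")):
                if (m := re.match(pat, line)):
                    cfg["policies"][section[1]][key] = m.group(1)
        elif section and section[0] == "iface":
            if (m := re.match(r"ip address (\S+) ", line)):
                cfg["interfaces"][section[1]]["ip"] = m.group(1)
            elif (m := re.match(r"ipsec policy (\S+)$", line)):
                cfg["interfaces"][section[1]]["policy"] = m.group(1)
    return cfg

def bound_ip(cfg, policy_name):
    """Address of the interface that applies the policy group, or None if it is unbound."""
    return next((i.get("ip") for i in cfg["interfaces"].values() if i.get("policy") == policy_name), None)

def check_local(name, cfg, min_psk_len=16):
    """Per-device checks; the 16-character key threshold is this example's own choice."""
    out = []
    for (pname, seq), pol in cfg["policies"].items():
        tag = f"{name} {pname}:{seq}"
        if pol.get("remote") not in cfg["psk"]:
            out.append(f"{tag}: no pre-shared key for peer {pol.get('remote')}")
        if bound_ip(cfg, pname) is None:
            out.append(f"{tag}: policy group {pname} not applied to any interface")
    for peer, key in cfg["psk"].items():
        if len(key) < min_psk_len or key.isdigit():
            out.append(f"{name}: weak pre-shared key for peer {peer} ({len(key)} chars)")
    return out

def check_pair(lname, lcfg, rname, rcfg):
    """For every tunnel from lcfg that ends on rcfg, verify rcfg defines the mirror image."""
    out, rips = [], {i["ip"] for i in rcfg["interfaces"].values() if "ip" in i}
    for (pname, seq), pol in lcfg["policies"].items():
        if pol.get("remote") not in rips:
            continue  # this entry's endpoint is on some other device
        lip, tag = bound_ip(lcfg, pname), f"{lname} {pname}:{seq} -> {rname}"
        if lcfg["psk"].get(pol["remote"]) != rcfg["psk"].get(lip):
            out.append(f"{tag}: pre-shared keys differ")
        mirror = [p for p in rcfg["policies"].values() if p.get("remote") == lip]
        if not mirror:
            out.append(f"{tag}: no policy entry on {rname} points back to {lip}")
            continue
        lrules = {(s, d) for a, s, d in lcfg["acl"].get(pol.get("acl"), []) if a == "permit"}
        rrules = {(d, s) for p in mirror  # peer's source and destination swapped
                  for a, s, d in rcfg["acl"].get(p.get("acl"), []) if a == "permit"}
        if lrules != rrules:
            out.append(f"{tag}: protected traffic not mirrored ({sorted(lrules)} vs {sorted(rrules)})")
    return out

def audit(devices):
    """devices: {name: config text}; returns every finding for the whole site."""
    cfgs = {n: parse_config(t) for n, t in devices.items()}
    out = [f for n, c in cfgs.items() for f in check_local(n, c)]
    out += [f for ln, lc in cfgs.items() for rn, rc in cfgs.items() if ln != rn
            for f in check_pair(ln, lc, rn, rc)]
    return out

def router_config(wan_ip, lan, policy, tunnels):
    """Render a config in the page's 'dis cu' layout; tunnels = [(seq, acl, proposal, peer_ip, peer_lan)]."""
    out = [f" ike pre-shared-key 123456 remote {peer}" for _, _, _, peer, _ in tunnels]
    for seq, acl, prop, peer, peer_lan in tunnels:
        out += [f" acl {acl} match-order auto",
                f"    rule normal permit ip source {lan} 0.0.0.255 destination {peer_lan} 0.0.0.255",
                f" ipsec proposal {prop}", f" ipsec policy {policy} {seq} isakmp",
                f"    security acl {acl}", f"    proposal {prop}", f"    tunnel remote {peer}"]
    out += [" interface Ethernet1", f"    ip address {wan_ip} 255.255.255.252", f"    ipsec policy {policy}"]
    return "\n".join(out)

# Addresses, ACL numbers, proposal and policy names are those of R1, R2 and R3 on this page.
SITE = {
    "R1": router_config("1.1.1.2", "192.168.1.0", "policy1", [(10, 3000, "tran1", "1.1.2.2", "192.168.2.0"),
                                                               (11, 3001, "tran2", "1.1.3.2", "192.168.3.0")]),
    "R2": router_config("1.1.2.2", "192.168.2.0", "policy2", [(10, 3000, "tran2", "1.1.1.2", "192.168.1.0")]),
    "R3": router_config("1.1.3.2", "192.168.3.0", "policy3", [(11, 3001, "tran3", "1.1.1.2", "192.168.1.0")]),
}
FINDINGS = audit(SITE)  # for the page's site: four weak-key findings and nothing else
```

For the page's three routers the ACLs, tunnel endpoints and keys are all consistent, so the only findings are the four weak pre-shared keys (R1 has one key per branch, each branch has one key for R1). To audit real devices, pass their `dis cu` text in the same `{name: text}` shape to `audit`. The switch's `password simple 123` and `key huawei` lines are outside this parser's scope but deserve the same scrutiny: both store secrets in the clear.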

Screenshot of successful communication after configuration:

