ipsec+ike野蛮模式配置实验

 

 
 
 一、【组网和实验环境】
 
 

 
 
 
按如上的接口ip先作配置
 本文实验采用的交换机是H3C模拟器,下载地址如下:http://forum.h3c.com/forum.php?
 
mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 有兴趣的朋 友可以在论坛上去下载。
 
二、【实验过程】
 
先查看R2通过PPP协商后是否被分配了IP地址
<R2>dis int s
<R2>dis int Serial 0/6/0
Serial0/6/0 current state: UP  
Line protocol current state: UP
Description: Serial0/6/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec) 
Internet Address is negotiated, 20.1.12.2/32
Link layer protocol is PPP 
LCP opened, IPCP opened
Output queue : (Urgent queuing : Size/Length/Discards)  0/50/0
Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0 
Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0
Interface is V35
    41 packets input,  518 bytes
    41 packets output,  514 bytes
 
 
用R2ping对端的Loopback地址,可以通
2>  ping -a 192.168.2.1 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=26 ms
 
 
查看ike 和ipsec的sa是否已经建立
<R2>
<R2>
<R2>dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        6          20.1.12.1       RD|ST         1     IPSEC 
        7          20.1.12.1       RD|ST         2     IPSEC 
 
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<R2>
<R2>
<R2>
<R2>dis ipsec sa
===============================
Interface: Serial0/6/0
    path MTU: 1500
===============================
 
  -----------------------------
  IPsec policy name: "policy2"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 20.1.12.2
        remote address: 20.1.12.1
    Flow :
        sour addr: 192.168.2.1/255.255.255.255  port: 0  protocol: IP
        dest addr: 192.168.1.1/255.255.255.255  port: 0  protocol: IP
 
    [inbound ESP SAs] 
      spi: 256854815 (0xf4f4b1f)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3341
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
 
    [outbound ESP SAs] 
      spi: 52604977 (0x322b031)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3341
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
 
 
已经建立,实验成功。
 
 
三【配置文本】
 
 
 version 5.20, Alpha 1011
#
 sysname R1
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ike local-name rta
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 ip pool 1 20.1.12.2 20.1.12.254
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active   
 idle-cut disable
 self-service-url disable
#
ike peer rtb
 exchange-mode aggressive
 pre-shared-key cipher J5fBBpuCrvQ=
 id-type name
 remote-name rtb
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer rtb
 proposal tran1
#
acl number 3000
 rule 0 permit ip source 192.168.1.1 0 destination 192.168.2.1 0
 rule 1 deny ip
#
interface Serial0/6/0
 link-protocol ppp
 remote address pool 1
 ip address 20.1.12.1 255.255.255.0
 ipsec policy policy1
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
 ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
 
 
 
<R2>DIS CU
#
 version 5.20, Alpha 1011
#
 sysname R2
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ike local-name rtb
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer rta
 exchange-mode aggressive
 pre-shared-key cipher J5fBBpuCrvQ=
 id-type name
 remote-name rta
 remote-address 20.1.12.1
#
ipsec proposal tran2
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy policy2 10 isakmp
 security acl 3000
 ike-peer rta
 proposal tran2
#
acl number 3000
 rule 0 permit ip source 192.168.2.1 0 destination 192.168.1.1 0
 rule 1 deny ip
#
interface Serial0/6/0
 link-protocol ppp
 ip address ppp-negotiate
 ipsec policy policy2
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#               
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
 ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
 
 

你可能感兴趣的:(IPSec,IKE野蛮模式)