IPsec+预共享密钥的IKE野蛮模式 |
您所在的位置:网站首页 › ipsec协商模式 › IPsec+预共享密钥的IKE野蛮模式 |
IPsec+预共享密钥的IKE野蛮模式
|
目标 配置 IPsec+预共享密钥的IKE 野蛮模式步骤一、配置各接口IP地址 步骤二、配置默认路由 [RTB]ip route-static 0.0.0.0 0 2.2.2.2 步骤三:配置公网连接 在 SWA 上配置 DHCP Server。设置 RTA 从 SWA 动态获得 IP 地址和默认路由。 [SWA]dhcp enable [SWA]dhcp server ip-pool 1 [SWA-dhcp-pool-1]network 1.1.1.0 mask 255.255.255.0 [SWA-dhcp-pool-1]gateway-list 1.1.1.2 [SWA-dhcp-pool-1]quit [RTA]interface GigabitEthernet0/0 [RTA-GigabitEthernet0/1] ip address dhcp-alloc 步骤四:配置 IKE proposal [RTA]ike proposal 1 //配置IKE安全提议 [RTA-ike-proposal-1]authentication-method pre-share //配置IKE安全提议的认证方式 [RTA-ike-proposal-1]authentication-algorithm md5 //配置IKE的认证算法建议 [RTA-ike-proposal-1]encryption-algorithm 3des-cbc //配置IKE安全提议的加密算法 [RTA-ike-proposal-1]quit [RTB]ike proposal 1 //配置IKE安全提议 [RTB-ike-proposal-1]authentication-method pre-share //配置IKE安全提议的认证方式 [RTB-ike-proposal-1]authentication-algorithm md5 //配置IKE的认证算法建议 [RTB-ike-proposal-1]encryption-algorithm 3des-cbc //配置IKE安全提议的加密算法 [RTB-ike-proposal-1]quit 步骤五:配置 IKE 身份信息 [RTA]ike identity fqdn rta //使用FQDN作为标识 [RTB]ike identity fqdn rtb //使用FQDN作为标识 步骤六:配置 IKE keychain [RTA]ike keychain keychain1 [RTA-ike-keychain-keychain1]pre-shared-key address 2.2.2.1 255.255.255.0 keysimple h3c //配置与对等体使用的预共享密钥 [RTA-ike-keychain-keychain1]quit [RTB]ike keychain keychain1 [RTB-ike-keychain-keychain1]pre-shared-key hostname rta 255.255.255.0 key simple h3c //通过主机名指定对等体 [RTB-ike-keychain-keychain1]quit 步骤七:配置 IKE profile 配置 IKE profile,并设置 IKE 第一阶段协商模式为野蛮模式: [RTA]ike profile profile1 //创建安全提议,并进入提议试图 [RTA-ike-profile-profile1]exchange-mode aggressive //修改协商模式为野蛮模式 [RTA-ike-profile-profile1]match remote identity fqdn rtb //配置对等体的策略匹配信息 [RTA-ike-profile-profile1]keychain keychain1 //指定要使用的密钥链 [RTA-ike-profile-profile1]proposal 1 //配置IKE安全策略的IKE安全提议 [RTA-ike-profile-profile1]quit [RTB]ike profile profile1 [RTB-ike-profile-profile1]exchange-mode aggressive //修改协商模式为野蛮模式 [RTB-ike-profile-profile1]match remote identity fqdn rta //匹配对端标识信息 [RTB-ike-profile-profile1]keychain keychain1 //指定要使用的密钥链 [RTB-ike-profile-profile1]proposal 1 //配置IKE安全策略的IKE安全提议 [RTB-ike-profile-profile1]quit 步骤八:配置安全 ACL 安全 ACL 应匹配 192.168.1.0/24 网段与 192.168.2.0/24 网段之间的数据流。 [RTA]acl advanced 3000 [RTA-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 [RTA-acl-ipv4-adv-3001]quit [RTB]acl advanced 3000 [RTB-acl-ipv4-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 [RTB-acl-ipv4-adv-3000]quit 步骤九:配置 IPsec 安全提议 [RTA]ipsec transform-set tran1 [RTA-ipsec-proposal-prop1]esp authentication-algorithm sha1 //指定ESP认证算法为sha1 [RTA-ipsec-proposal-prop1]esp encryption-algorithm aes-cbc-128 //指定ESP加密算法 [RTA-ipsec-transform-set-tran1]quit [RTB]ipsec transform-set tran1 [RTB-ipsec-transform-set-tran1]esp authentication-algorithm sha1 //指定ESP认证算法为sha1 [RTB-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128 //指定ESP加密算法 [RTB-ipsec-transform-set-tran1]quit 步骤十:配置并应用 IPsec 安全策略 配置 IPsec 安全策略,并将其应用于通往对方的物理接口上: [RTA]ipsec policy policy1 1 isakmp //指定IPsec隧道对端IP地址 [RTA-ipsec-policy-isakmp-policy1-1]remote-address 2.2.2.1 //指定IPsec隧道对端IP地址 [RTA-ipsec-policy-isakmp-policy1-1]security acl 3000 //配置流量保护参数 [RTA-ipsec-policy-isakmp-policy1-1]transform-set tran1 //指定IPsec转换集 [RTA-ipsec-policy-isakmp-policy1-1]ike-profile profile1 //配置IKE (Internet Key Exchange)安全策略 [RTA-ipsec-policy-isakmp-policy1-1]quit [RTA]interface GigabitEthernet 0/0 [RTA-GigabitEthernet0/0]ipsec apply policy policy1 //在接口上应用安全策略 [RTA-GigabitEthernet0/0]quit RTB 作为响应方,无法获取对端的 IP 地址,需要配置成模板形式。 [RTB]ipsec policy-template templete1 1 [RTB-ipsec-policy-template-templete1-1]security acl 3000 [RTB-ipsec-policy-template-templete1-1]transform-set tran1 [RTB-ipsec-policy-template-templete1-1]ike-profile proflie1 [RTB]ipsec policy policy1 1 isakmp template templete1 [RTB]interface GigabitEthernet 0/0 [RTB-GigabitEthernet0/0]ipsec apply policy policy1 [RTB-GigabitEthernet0/0]quit 步骤十一:检验配置 在 RTA 和 RTB 上用 display 命令检查配置参数: [RTA]display ike proposal Priority Authentication Authentication Encryption Diffie-Hellman Duration method algorithm algorithm group (seconds) ---------------------------------------------------------------------------- 1 PRE-SHARED-KEY MD5 3DES-CBC Group 1 86400 default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400 [RTA]display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: GigabitEthernet0/0 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: ISAKMP ----------------------------- Traffic Flow Confidentiality: Disabled Security data flow: 3000 Selector mode: standard Local address: Remote address: 2.2.2.1 Remote address switchback mode: Disabled Transform set: tran1 IKE profile: profile1 IKEv2 profile: smart-link policy: SA trigger mode: Traffic-based SA duration(time based): 3600 seconds SA duration(traffic based): 1843200 kilobytes SA soft-duration buffer(time based): -- SA soft-duration buffer(traffic based): -- SA idle time: -- SA df-bit: [RTB]display ipsec policy-template ------------------------------------------- IPsec Policy Template: templete1 ------------------------------------------- ----------------------------- Sequence number: 1 ----------------------------- Traffic Flow Confidentiality: Disabled Security data flow : 3000 Selector mode: standard Local address: IKE profile: profile1 IKEv2 profile: Remote address: Transform set: tran1 IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes SA idle time: -- SA df-bit: 在 RTA 与 RTB 上查看 IPsec/IKE 相关信息: [RTA]display ike sa verbose ----------------------------------------------- Connection ID: 4 Outside VPN: Inside VPN: Profile: profile1 Transmitting entity: Initiator Initiator cookie: b3bcaddf7a4212a5 Responder cookie: b3c52817b752a0fb ----------------------------------------------- Local IP/port: 1.1.1.1/500 Local ID type: FQDN Local ID: rta Remote IP/port: 2.2.2.1/500 Remote ID type: FQDN Remote ID: rtb Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 83201 Exchange-mode: Aggressive Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Disabled Assigned IP address: Vendor ID index:0xffffffff Vendor ID sequence number:0x0 看到 IKE 的协商模式是野蛮模式(Aggressive) [RTB]display ike sa verbose ----------------------------------------------- Connection ID: 4 Outside VPN: Inside VPN: Profile: profile1 Transmitting entity: Responder Initiator cookie: b3bcaddf7a4212a5 Responder cookie: b3c52817b752a0fb ----------------------------------------------- Local IP/port: 2.2.2.1/500 Local ID type: FQDN Local ID: rtb Remote IP/port: 1.1.1.1/500 Remote ID type: FQDN Remote ID: rta Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 83178 Exchange-mode: Aggressive Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Disabled Assigned IP address: Vendor ID index:0xffffffff Vendor ID sequence number:0x0 步骤十二:检验隧道工作状况 从 PCA 检测与 PCB 的连通性: ping 192.168.2.2 Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break Request time out 56 bytes from 192.168.2.2: icmp_seq=1 ttl=253 time=3.000 ms 56 bytes from 192.168.2.2: icmp_seq=2 ttl=253 time=1.000 ms 56 bytes from 192.168.2.2: icmp_seq=3 ttl=253 time=2.000 ms 56 bytes from 192.168.2.2: icmp_seq=4 ttl=253 time=1.000 ms --- Ping statistics for 192.168.2.2 --- 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss round-trip min/avg/max/std-dev = 1.000/1.750/3.000/0.829 ms %Oct 19 14:35:39:639 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.750/3.000/0.829 ms. 可见除第一个 ICMP Echo Request 包被报告超时之外,其他的都成功收到 Echo Reply 包。 这是因为第一个包触发了 IKE 协商,在 IPsec SA 成功建立之前,这个包无法得到 IPsec 服务, 只能被丢弃。而 IPsec SA 很快就成功建立了,后续的包也就可以顺利到达目的 |
【本文地址】
今日新闻 |
推荐新闻 |