Configuration steps:

I. Make R1 and R3 reachable across the public network

[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

 

II. IPsec configuration

R1 configuration:

1. Define the interesting traffic

[R1]acl  num 3000

[R1-acl-adv-3000]rule  permit  ip source  192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0

 

2. IKE proposal configuration

[R1]ike proposal 10                                   //create IKE proposal 10 and enter its view

[R1-ike-proposal-10]encryption-algorithm 3des-cbc     //encryption algorithm used by the IKE proposal

[R1-ike-proposal-10]authentication-method pre-share   //authentication method (pre-shared key)

[R1-ike-proposal-10]authentication-algorithm md5      //authentication (hash) algorithm used by the IKE proposal

[R1-ike-proposal-10]dh group2                         //DH group used for the IKE exchange

[R1-ike-proposal-10]sa duration 86400                 //ISAKMP SA lifetime in seconds

[R1-ike-proposal-10]

 

3. Configure the IKE peer and its pre-shared key

[R1]ike peer R3                                 //create IKE peer R3 and enter its view

[R1-ike-peer-r3]exchange-mode main              //IKE negotiation mode

[R1-ike-peer-r3]pre-shared-key h3c              //pre-shared key for this peer

[R1-ike-peer-r3]local-address 12.1.1.1          //local security gateway address

[R1-ike-peer-r3]remote-address 23.1.1.3         //remote security gateway address

[R1-ike-peer-r3]remote-name R3                  //remote security gateway name

[R1]ike local-name R1                           //local security gateway name

[R1]

 

 

4. IPsec proposal configuration

[R1]ipsec proposal r1                                     //create IPsec proposal r1

[R1-ipsec-proposal-r1]transform esp                       //security protocol

[R1-ipsec-proposal-r1]esp encryption-algorithm 3des       //encryption algorithm used by ESP

[R1-ipsec-proposal-r1]esp authentication-algorithm md5    //authentication algorithm used by ESP

[R1-ipsec-proposal-r1]encapsulation-mode tunnel           //ESP encapsulation mode

[R1-ipsec-proposal-r1]

 

5. Configure the IKE-negotiated IPsec policy

[R1]ipsec policy 1 10 isakmp                                //create policy entry 1, sequence 10, negotiated by IKE

[R1-ipsec-policy-isakmp-1-10]security acl 3000              //ACL referenced by the policy

[R1-ipsec-policy-isakmp-1-10]proposal r1                    //IPsec proposal referenced by the policy

[R1-ipsec-policy-isakmp-1-10]ike-peer r3                    //IKE peer referenced by the policy

[R1-ipsec-policy-isakmp-1-10]pfs dh-group5                  //DH group for perfect forward secrecy

[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400   //IPsec SA lifetime in seconds

[R1-ipsec-policy-isakmp-1-10]q

 

6. Apply the policy on the interface

[R1]int s0/2/0

[R1-Serial0/2/0]ipsec policy 1    //apply the policy group to the interface

[R1]

 

 

 

R3 configuration:

[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

[R3]acl number  3000

[R3-acl-adv-3000]rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0

[R3-acl-adv-3000]q

 

[R3]ike proposal  10

[R3-ike-proposal-10]encryption-algorithm  3des-cbc

[R3-ike-proposal-10]authentication-method pre-share

[R3-ike-proposal-10]authentication-algorithm md5

[R3-ike-proposal-10]dh group2

[R3-ike-proposal-10]sa duration 86400

[R3-ike-proposal-10]q

 

[R3]ike peer R1

[R3-ike-peer-r1]exchange-mode main

[R3-ike-peer-r1]pre-shared-key  h3c

[R3-ike-peer-r1]local-address 23.1.1.3

[R3-ike-peer-r1]remote-address 12.1.1.1

[R3-ike-peer-r1]remote-name R1

[R3-ike-peer-r1]q

 

[R3]ipsec proposal r3

[R3-ipsec-proposal-r3]transform esp

[R3-ipsec-proposal-r3]esp encryption-algorithm  3des

[R3-ipsec-proposal-r3]esp authentication-algorithm md5

[R3-ipsec-proposal-r3]encapsulation-mode tunnel

[R3-ipsec-proposal-r3]q

 

[R3]ipsec  policy 1 10 isakmp

[R3-ipsec-policy-isakmp-1-10]security  acl 3000

[R3-ipsec-policy-isakmp-1-10]proposal  r3

[R3-ipsec-policy-isakmp-1-10]ike-peer R1

[R3-ipsec-policy-isakmp-1-10]sa duration  time-based  86400

[R3-ipsec-policy-isakmp-1-10]q

 

[R3]int s0/2/0

[R3-Serial0/2/0]ipsec  policy  1

[R3-Serial0/2/0]q
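The R1 steps above and the mirrored R3 configuration only negotiate if the two ends agree: the ACLs must be mirror images of each other, the pre-shared keys identical, the IKE and IPsec proposals the same, and every object a policy names must exist. The script below is an added example, not part of this lab or of H3C's software. It parses captured CLI lines in the `[device-view]command` form used on this page and checks exactly those relations; it also reports the legacy algorithms this lab uses (3DES, MD5 and DH group 2, all deprecated for new deployments). Against the lab's own commands it reports one asymmetry that is visible on the page and worth checking: R1 sets `pfs dh-group5` in its policy while R3 sets no PFS. All function and variable names are the example's own; the sample omits the lines left at their Comware defaults (`transform esp`, `sa duration 86400`).

```python
"""Added example, not part of the lab page: parse captured Comware CLI lines of
the form [DEVICE-view]command and check that the two IKE/IPsec peers mirror each
other, that policy references resolve, and which legacy algorithms are in use."""
import re
from collections import defaultdict

# Constructed sample: the parameter lines of R1 and R3 from this lab (defaults omitted).
SAMPLE = """
[R1-acl-adv-3000]rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
[R1-ike-proposal-10]encryption-algorithm 3des-cbc     //trailing comments are ignored
[R1-ike-proposal-10]authentication-method pre-share
[R1-ike-proposal-10]authentication-algorithm md5
[R1-ike-proposal-10]dh group2
[R1-ike-peer-r3]pre-shared-key h3c
[R1-ike-peer-r3]local-address 12.1.1.1
[R1-ike-peer-r3]remote-address 23.1.1.3
[R1-ipsec-proposal-r1]esp encryption-algorithm 3des
[R1-ipsec-proposal-r1]esp authentication-algorithm md5
[R1-ipsec-proposal-r1]encapsulation-mode tunnel
[R1-ipsec-policy-isakmp-1-10]security acl 3000
[R1-ipsec-policy-isakmp-1-10]proposal r1
[R1-ipsec-policy-isakmp-1-10]ike-peer r3
[R1-ipsec-policy-isakmp-1-10]pfs dh-group5
[R3-acl-adv-3000]rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
[R3-ike-proposal-10]encryption-algorithm 3des-cbc
[R3-ike-proposal-10]authentication-method pre-share
[R3-ike-proposal-10]authentication-algorithm md5
[R3-ike-proposal-10]dh group2
[R3-ike-peer-r1]pre-shared-key h3c
[R3-ike-peer-r1]local-address 23.1.1.3
[R3-ike-peer-r1]remote-address 12.1.1.1
[R3-ipsec-proposal-r3]esp encryption-algorithm 3des
[R3-ipsec-proposal-r3]esp authentication-algorithm md5
[R3-ipsec-proposal-r3]encapsulation-mode tunnel
[R3-ipsec-policy-isakmp-1-10]security acl 3000
[R3-ipsec-policy-isakmp-1-10]proposal r3
[R3-ipsec-policy-isakmp-1-10]ike-peer R1
"""

PROMPT = re.compile(r"^\s*\[([^\]]+)\]\s*(.*?)\s*$")
TWO_WORD = {"esp", "sa", "security", "rule"}          # command keyword spans two tokens
LEGACY = {"des", "des-cbc", "3des", "3des-cbc", "md5", "group1", "group2"}


def parse_comware(text):
    """Return {device: {view: {command: argument}}}; views and arguments lowercased."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        m = PROMPT.match(raw.split("//", 1)[0])          # drop trailing // comments
        if not m or not m.group(2):
            continue
        device, _, view_name = m.group(1).partition("-")
        toks = m.group(2).split()
        n = 2 if toks[0] in TWO_WORD else 1
        cfg[device][view_name.lower() or "system"][" ".join(toks[:n])] = " ".join(toks[n:]).lower()
    return cfg


def view(dev, prefix):
    """First view of a device whose name starts with prefix, or {} if none."""
    return next((body for name, body in dev.items() if name.startswith(prefix)), {})


def check_pair(cfg, a, b):
    """Compare peers a and b; an empty list means the two ends are consistent."""
    out, da, db = [], cfg[a], cfg[b]
    # proposal parameters and PFS must be identical on both ends
    for pfx, keys in (("ike-proposal", ("encryption-algorithm", "authentication-method",
                                        "authentication-algorithm", "dh", "sa duration")),
                      ("ipsec-proposal", ("transform", "esp encryption-algorithm",
                                          "esp authentication-algorithm", "encapsulation-mode")),
                      ("ipsec-policy", ("pfs",))):
        va, vb = view(da, pfx), view(db, pfx)
        out += [f"{pfx} '{k}' differs: {a}={va.get(k)} {b}={vb.get(k)}"
                for k in keys if va.get(k) != vb.get(k)]
    # IKE peer: same pre-shared key, local/remote addresses swapped
    ka, kb = view(da, "ike-peer"), view(db, "ike-peer")
    if ka.get("pre-shared-key") != kb.get("pre-shared-key"):
        out.append("pre-shared keys differ")
    if (ka.get("local-address"), ka.get("remote-address")) != (kb.get("remote-address"), kb.get("local-address")):
        out.append("IKE peer addresses are not mirrored")
    # ACL: the interesting traffic on one end must be the mirror image of the other
    sel = re.compile(r"source (\S+ \S+) destination (\S+ \S+)")
    ma, mb = (sel.search(view(d, "acl").get("rule permit", "")) for d in (da, db))
    if not (ma and mb and ma.groups() == mb.groups()[::-1]):
        out.append("ACL source/destination are not mirrored")
    # every object the policy names must exist, and legacy algorithms are reported
    for name, dev in ((a, da), (b, db)):
        pol = view(dev, "ipsec-policy")
        for key, pfx in (("security acl", "acl-adv-"), ("proposal", "ipsec-proposal-"), ("ike-peer", "ike-peer-")):
            if pfx + pol.get(key, "?") not in dev:
                out.append(f"{name}: policy references missing {key} '{pol.get(key)}'")
        for vname, body in dev.items():
            out += [f"{name} {vname}: legacy algorithm '{w}' in '{k}'"
                    for k, v in body.items() for w in v.split() if w in LEGACY]
    return out


if __name__ == "__main__":
    print("\n".join(check_pair(parse_comware(SAMPLE), "R1", "R3")))
```

The parser keys only on the prompt, so a pasted session from `display current-configuration` would need the prompt form reconstructed first; the checks themselves are the same ones a reviewer runs by eye before the first `ping`.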

 

III. Test the result

[R1]ping -a 192.168.1.1 192.168.2.1

  PING 192.168.2.1: 56  data bytes, press CTRL_C to break

    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms

    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=20 ms

    Request time out

    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms

    Request time out

 

  --- 192.168.2.1 ping statistics ---

    5 packet(s) transmitted

    3 packet(s) received

    40.00% packet loss

    round-trip min/avg/max = 5/17/26 ms

 [R1]

The two internal networks can now communicate normally. Lab complete.

 

 

 

 

Debugging commands:

1. Display the IKE peer configuration

[R1]dis ike peer

 

---------------------------

 IKE Peer: r3

   exchange mode: main on phase 1

   pre-shared-key cipher nw1kqzgZJnA=

   peer id type: ip

   peer ip address: 23.1.1.3

   local ip address: 12.1.1.1

   peer name: R3

   nat traversal: disable

   dpd:

---------------------------

 

[R1]

 

2. Display the current ISAKMP SAs

[R1]dis ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

        3          23.1.1.3        RD|ST         2     IPSEC

        2          23.1.1.3        RD|ST         1     IPSEC

 

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

[R1]

 

 

 

3. Display the parameters of each IKE proposal

[R1]dis ike proposal

 priority  authentication  authentication  encryption  Diffie-Hellman  duration
           method          algorithm       algorithm   group           (seconds)
 -------------------------------------------------------------------------------
 10        PRE_SHARED      MD5             3DES_CBC    MODP_1024       86400
 default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

[R1]

 

4. Display the IPsec policy

[R1]dis ipsec  policy

 

===========================================

IPsec Policy Group: "1"

Using interface: {Serial0/2/0}

===========================================

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 10

  mode: isakmp

  -----------------------------

    security data flow : 3000

    selector mode: standard

    ike-peer name:  r3

    perfect forward secrecy: DH group 5

    proposal name:  r1

    IPsec sa local duration(time based): 86400 seconds

    IPsec sa local duration(traffic based): 1843200 kilobytes

[R1]

 

 

5. Display the IPsec proposal

[R1]dis ipsec  proposal

 

  IPsec proposal name: r1

    encapsulation mode: tunnel

    transform: esp-new

    ESP protocol: authentication md5-hmac-96, encryption 3des

[R1]

 

 

 

 

6. Display the IPsec SAs

[R1]dis ipsec  sa

===============================

Interface: Serial0/2/0

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "1"

  sequence number: 10

  mode: isakmp

  -----------------------------

    connection id: 3

    encapsulation mode: tunnel

    perfect forward secrecy: DH group 5

    tunnel:

        local  address: 12.1.1.1

        remote address: 23.1.1.3

    Flow :

        sour addr: 192.168.1.1/255.255.255.255  port: 0  protocol: IP

        dest addr: 192.168.2.1/255.255.255.255  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 2476921505 (0x93a2d2a1)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa remaining key duration (bytes/sec): 1887435624/84789

      max received sequence-number: 14

      udp encapsulation used for nat traversal: N

 

    [outbound ESP SAs]

      spi: 1974141924 (0x75ab03e4)

      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

      sa remaining key duration (bytes/sec): 1887435624/84789

      max sent sequence-number: 15

      udp encapsulation used for nat traversal: N

[R1]

 

7. Display IPsec packet statistics

[R1]dis ipsec  statistics

  the security packet statistics:

    input/output security packets: 14/14

    input/output security bytes: 1176/1176

    input/output dropped security packets: 0/1

    dropped security packet detail:

      not enough memory: 0

      can't find SA: 1

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

[R1]
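Sections 6 and 7 are what an operator keeps watching once the tunnel is up. The script below is an added example, not part of this lab or of H3C's software: it parses the `display ipsec sa` and `display ipsec statistics` output shown above, reports the time lifetime left on each SA, any legacy transform, and every non-zero drop reason, and it cross-checks the two commands. The traffic-based lifetime is the 1843200-kilobyte default shown in section 4, so 1843200 × 1024 − 1887435624 = 1176 bytes have been protected under each SA, which is exactly the byte count in the statistics. The single `can't find SA` drop is typically the packet that matched the policy before its SA existed; a monitoring rule should baseline that counter so that a sudden rise (or any `authentication has failed` or `replay packet` count) stands out. The samples are copied from the R1 output above; all function and variable names are the example's own.

```python
"""Added example, not from the lab page: parse 'display ipsec sa' and 'display
ipsec statistics' output from a Comware device and reconcile the two."""
import re

SA_SAMPLE = """
    [inbound ESP SAs]
      spi: 2476921505 (0x93a2d2a1)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435624/84789
      max received sequence-number: 14
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1974141924 (0x75ab03e4)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435624/84789
      max sent sequence-number: 15
      udp encapsulation used for nat traversal: N
"""

STATS_SAMPLE = """
  the security packet statistics:
    input/output security packets: 14/14
    input/output security bytes: 1176/1176
    input/output dropped security packets: 0/1
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 1
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
"""

# lifetimes from the lab: time-based as configured, traffic-based as the platform default
LIFETIME_SEC, LIFETIME_KB = 86400, 1843200
LEGACY = ("DES", "3DES", "MD5")


def parse_sa(text):
    """Return {'inbound': {...}, 'outbound': {...}} for the ESP SAs in the output."""
    sas, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"\[(inbound|outbound) ESP SAs\]", line):
            cur = sas.setdefault(m.group(1), {})
        elif cur is None:
            continue
        elif m := re.match(r"spi: (\d+)", line):
            cur["spi"] = int(m.group(1))
        elif m := re.match(r"proposal: (.+)", line):
            cur["proposal"] = m.group(1)
        elif m := re.match(r"sa remaining key duration \(bytes/sec\): (\d+)/(\d+)", line):
            cur["bytes_left"], cur["sec_left"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"max (?:received|sent) sequence-number: (\d+)", line):
            cur["max_seq"] = int(m.group(1))
    return sas


def parse_statistics(text):
    """Return {'packets': (in, out), 'bytes': (in, out), 'dropped': (in, out), 'reasons': {...}}."""
    st = {"reasons": {}}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"input/output (security packets|security bytes|dropped security packets): (\d+)/(\d+)", line):
            st[m.group(1).replace("security ", "").split()[0]] = (int(m.group(2)), int(m.group(3)))
        elif m := re.match(r"([A-Za-z' ]+): (\d+)$", line):          # per-reason drop counters
            st["reasons"][m.group(1)] = int(m.group(2))
    return st


def bytes_consumed(sa, lifetime_kb=LIFETIME_KB):
    """Bytes protected under this SA so far, derived from the traffic-based lifetime."""
    return lifetime_kb * 1024 - sa["bytes_left"]


def assess(sas, st):
    """Observations an operator acts on: lifetime left, legacy transforms, drops, counter mismatch."""
    notes = []
    for direction, sa in sas.items():
        notes.append(f"{direction} SPI 0x{sa['spi']:08x}: {100 * sa['sec_left'] / LIFETIME_SEC:.1f}% of time "
                     f"lifetime left, {bytes_consumed(sa)} bytes consumed, max seq {sa['max_seq']}")
        if any(alg in sa["proposal"] for alg in LEGACY):
            notes.append(f"{direction}: legacy transform {sa['proposal']}")
    notes += [f"{n} packet(s) dropped: {reason}" for reason, n in st["reasons"].items() if n]
    # the byte counters in the statistics should agree with the SAs' consumed lifetime
    if (bytes_consumed(sas["inbound"]), bytes_consumed(sas["outbound"])) != st["bytes"]:
        notes.append("SA byte counters and statistics disagree")
    return notes


if __name__ == "__main__":
    print("\n".join(assess(parse_sa(SA_SAMPLE), parse_statistics(STATS_SAMPLE))))
```

Run as-is it prints both SAs at about 98% of their time lifetime, flags the 3DES/MD5 transform, and lists the one `can't find SA` drop; the disagreement note only appears when a counter has been reset or an SA re-keyed between the two commands.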