This article walks through configuring an IPsec tunnel negotiated by IKE main mode with pre-shared-key authentication on two H3C routers (RTA and RTB) that reach each other across a simulated public network (SWA). The configuration is shown step by step, followed by the display commands used to verify the negotiated SAs.
Objective
- Configure IPsec with pre-shared-key IKE main mode
Step 1. Configure the IP address of each interface
Step 2. Build the public network (OSPF between RTA, SWA and RTB)
[RTA]ospf 1
[RTA-ospf-1]area 0.0.0.0
[RTA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[RTA-ospf-1-area-0.0.0.0]quit
[RTA-ospf-1]quit
[SWA]ospf 1
[SWA-ospf-1]area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[SWA-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
[SWA-ospf-1-area-0.0.0.0]quit
[SWA-ospf-1]quit
[RTB]ospf 1
[RTB-ospf-1]area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
[RTB-ospf-1-area-0.0.0.0]quit
[RTB-ospf-1]quit
Note: do not advertise the router-to-PC interface addresses into OSPF. SWA should hold only public-network routes, exactly like an ISP device that knows nothing about the private subnets behind the routers.
On RTA and RTB, configure a static route to the peer's private network, pointing at the public next hop (SWA):
[RTA]ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
[RTB]ip route-static 192.168.1.0 255.255.255.0 2.2.2.2
Check connectivity between PCA and PCB:
<PCA>ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Oct 18 15:29:21:839 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
Note: the ping fails at this point because SWA has no route to the private networks. RTA forwards the packet for 192.168.2.2 to 1.1.1.2 according to its static route, and SWA drops it. Once IPsec is up, the private traffic is encapsulated in ESP between 1.1.1.1 and 2.2.2.1, which SWA can route.
Step 3. Configure the IKE proposal (main mode is the default exchange mode)
[RTA]ike proposal 1
// create the IKE proposal and enter proposal view
[RTA-ike-proposal-1]authentication-method pre-share
// authenticate the IKE peers with a pre-shared key
[RTA-ike-proposal-1]authentication-algorithm md5
// IKE hash algorithm (used for the PRF and integrity check)
[RTA-ike-proposal-1]encryption-algorithm 3des-cbc
// IKE encryption algorithm
// Lab values only: MD5 and 3DES-CBC are deprecated, and the proposal's DH group
// is left at the default group 1 (768-bit MODP), which is far too small today.
// For production choose sha256, aes-cbc-256 and dh group14 or higher.
[RTA-ike-proposal-1]quit
[RTB]ike proposal 1
[RTB-ike-proposal-1]authentication-method pre-share
[RTB-ike-proposal-1]authentication-algorithm md5
[RTB-ike-proposal-1]encryption-algorithm 3des-cbc
[RTB-ike-proposal-1]quit
Step 4. Configure the IKE keychain
[RTA]ike keychain keychain1
[RTA-ike-keychain-keychain1]pre-shared-key address 2.2.2.1 255.255.255.252 key simple h3c
// pre-shared key used with the peer; the mask 255.255.255.252 limits the match to the peer's /30
// "simple" enters the key in plaintext; a three-character key such as h3c is for the lab only,
// a production PSK should be long and random
[RTB]ike keychain keychain1
[RTB-ike-keychain-keychain1]pre-shared-key address 1.1.1.1 255.255.255.252 key simple h3c
// the same pre-shared key, configured for the peer at 1.1.1.1
Step 5. Configure the IKE profile
[RTA]ike profile profile1
[RTA-ike-profile-profile1]local-identity address 1.1.1.1
// identity this end presents to the peer
[RTA-ike-profile-profile1]match remote identity address 2.2.2.1 30
// accept a peer whose identity is an address in 2.2.2.0/30
[RTA-ike-profile-profile1]keychain keychain1
// keychain holding the pre-shared key for that peer
[RTA-ike-profile-profile1]proposal 1
// IKE proposal to negotiate with that peer
[RTA-ike-profile-profile1]quit
[RTB]ike profile profile1
[RTB-ike-profile-profile1]local-identity address 2.2.2.1
// identity this end presents to the peer
[RTB-ike-profile-profile1]match remote identity address 1.1.1.1 30
// accept a peer whose identity is an address in 1.1.1.0/30
[RTB-ike-profile-profile1]keychain keychain1
// keychain holding the pre-shared key for that peer
[RTB-ike-profile-profile1]proposal 1
// IKE proposal to negotiate with that peer
[RTB-ike-profile-profile1]quit
Step 6. Configure the ACL that selects the traffic to protect. The two ACLs must be mirror images of each other (source and destination swapped); if they are not, the peers disagree on the traffic selector and the IPsec SA cannot be negotiated.
[RTA]acl advanced 3000
[RTA-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RTA-acl-ipv4-adv-3000]quit
[RTB]acl advanced 3000
[RTB-acl-ipv4-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RTB-acl-ipv4-adv-3000]quit
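The mirror requirement above is easy to get wrong by hand when there are several rules. The following script is an added example (not part of the original lab) that parses H3C advanced-ACL rules from both routers, converts each address/wildcard pair to a prefix, and reports any rule without a swapped counterpart on the peer. The ACL texts are constructed from the lab's two rules, plus one deliberately mis-typed peer ACL.

```python
"""Check that two H3C advanced-ACL rule sets are mirror images of each other.

Added example, not from the original lab. The IPsec 'security acl' on each
peer must select the same flows with source and destination swapped, or the
two ends will disagree on the traffic selector during phase 2.
"""
import ipaddress
import re

# H3C advanced ACL rule: "rule [id] permit|deny <proto> source A WILDCARD destination B WILDCARD"
_RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+"
    r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an H3C address + wildcard (inverse mask) into a network.

    Wildcard bits set to 1 are "don't care", so the netmask is the complement.
    A non-contiguous wildcard has no prefix form; ipaddress raises ValueError.
    """
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_rule(line: str):
    """Return (action, protocol, src_net, dst_net) or None for non-rule lines."""
    m = _RULE_RE.search(line)
    if not m:
        return None
    action, proto, src, src_wc, dst, dst_wc = m.groups()
    return (action, proto, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))


def parse_acl(text: str):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def mirror_mismatches(local_acl: str, remote_acl: str) -> list:
    """Describe every local rule lacking a mirrored peer rule, and vice versa.

    An empty list means the two ACLs are exact mirrors of each other.
    """
    local = set(parse_acl(local_acl))
    # Re-express each peer rule in the local orientation (swap src and dst).
    mirrored_remote = {(a, p, d, s) for (a, p, s, d) in parse_acl(remote_acl)}
    problems = []
    for a, p, s, d in sorted(local - mirrored_remote, key=str):
        problems.append(f"local rule has no mirror on peer: {a} {p} {s} -> {d}")
    for a, p, s, d in sorted(mirrored_remote - local, key=str):
        # (s, d) are in local orientation, so the peer's own rule reads d -> s
        problems.append(f"peer rule has no mirror locally: {a} {p} {d} -> {s}")
    return problems


# Constructed samples: the lab's two ACLs, and a peer ACL with a typo'd subnet.
RTA_ACL_3000 = """
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
"""
RTB_ACL_3000 = """
acl advanced 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""
RTB_ACL_TYPO = """
acl advanced 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

if __name__ == "__main__":
    print("lab ACLs:", mirror_mismatches(RTA_ACL_3000, RTB_ACL_3000) or "mirror OK")
    for problem in mirror_mismatches(RTA_ACL_3000, RTB_ACL_TYPO):
        print("typo'd peer ACL:", problem)
```

Feed it the output of `display acl 3000` from each router (after stripping the prompt) and treat any reported line as a configuration error to fix before looking at IKE debugging.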
Step 7. Configure the IPsec transform set
[RTA]ipsec transform-set tran1
[RTA-ipsec-transform-set-tran1]esp authentication-algorithm sha1
// ESP integrity algorithm (HMAC-SHA1)
[RTA-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
// ESP encryption algorithm
[RTA-ipsec-transform-set-tran1]quit
[RTB]ipsec transform-set tran1
[RTB-ipsec-transform-set-tran1]esp authentication-algorithm sha1
// ESP integrity algorithm (HMAC-SHA1)
[RTB-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
// ESP encryption algorithm
[RTB-ipsec-transform-set-tran1]quit
Step 8. Configure the IPsec policy and apply it to the public interface
[RTA]ipsec policy policy1 1 isakmp
// policy entry 1 of policy1, with SAs negotiated by IKE (isakmp) rather than configured manually
[RTA-ipsec-policy-isakmp-policy1-1]remote-address 2.2.2.1
// public address of the IPsec tunnel peer
[RTA-ipsec-policy-isakmp-policy1-1]security acl 3000
// traffic to protect, as defined by ACL 3000
[RTA-ipsec-policy-isakmp-policy1-1]transform-set tran1
// IPsec transform set to use
[RTA-ipsec-policy-isakmp-policy1-1]ike-profile profile1
// IKE profile used to negotiate the IPsec SA
[RTA-ipsec-policy-isakmp-policy1-1]quit
[RTA]int GigabitEthernet 0/0
[RTA-GigabitEthernet0/0]ipsec apply policy policy1
// apply the policy on the interface facing the public network
[RTA-GigabitEthernet0/0]quit
[RTB]ipsec policy policy1 1 isakmp
[RTB-ipsec-policy-isakmp-policy1-1]remote-address 1.1.1.1
[RTB-ipsec-policy-isakmp-policy1-1]security acl 3000
[RTB-ipsec-policy-isakmp-policy1-1]transform-set tran1
[RTB-ipsec-policy-isakmp-policy1-1]ike-profile profile1
[RTB-ipsec-policy-isakmp-policy1-1]quit
[RTB]int GigabitEthernet 0/0
[RTB-GigabitEthernet0/0]ipsec apply policy policy1
[RTB-GigabitEthernet0/0]quit
Step 9. Verify the configuration
Check the configured parameters on RTA. Note that the proposal's Diffie-Hellman group is the default Group 1, which the lab never changed:
[RTA]display ike proposal
Priority  Authentication  Authentication  Encryption  Diffie-Hellman  Duration
          method          algorithm       algorithm   group           (seconds)
----------------------------------------------------------------------------
1         PRE-SHARED-KEY  MD5             3DES-CBC    Group 1         86400
default   PRE-SHARED-KEY  SHA1            DES-CBC     Group 1         86400
[RTA]display ipsec transform-set
IPsec transform set: tran1
State: complete
Encapsulation mode: tunnel
ESN: Disabled
PFS:
Transform: ESP
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
[RTA]display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet0/0
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Traffic Flow Confidentiality: Disabled
Security data flow: 3000
Selector mode: standard
Local address:
Remote address: 2.2.2.1
Remote address switchback mode: Disabled
Transform set: tran1
IKE profile: profile1
IKEv2 profile:
smart-link policy:
SA trigger mode: Traffic-based
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): --
SA soft-duration buffer(traffic based): --
SA idle time: --
SA df-bit:
[RTA]display ike sa
Connection-ID   Local            Remote           Flag         DOI
-------------------------------------------------------------------------
3               1.1.1.1          2.2.2.1          RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[RTA]display ike sa verbose
-----------------------------------------------
Connection ID: 3
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
Initiator cookie: 2efe58a340b427fa
Responder cookie: 7c9936703ae0cf8e
-----------------------------------------------
Local IP/port: 1.1.1.1/500
Local ID type: IPV4_ADDR
Local ID: 1.1.1.1
Remote IP/port: 2.2.2.1/500
Remote ID type: IPV4_ADDR
Remote ID: 2.2.2.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 86249
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
[RTA]display ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.1
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1127444029 (0x43336e3d)
Connection ID: 21474836481
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3495
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4064298561 (0xf2404641)
Connection ID: 21474836480
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3495
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
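The displays above confirm that the tunnel is up, but they also show exactly what was negotiated: MD5, 3DES-CBC, DH group 1, and no PFS. The following script is an added example (not part of the original lab) that turns the verification step into an automated check: it parses the "Key: value" lines of `display ike sa verbose` and `display ipsec sa` and reports weak settings. The sample outputs are constructed from the lab's displays; the "hardened" sample is a constructed target state (sha256, aes-cbc-256, group 14), not output captured from the lab.

```python
"""Audit H3C 'display ike sa verbose' / 'display ipsec sa' output for weak settings.

Added example, not from the original lab. Sample texts below are constructed
from the lab's displays (trimmed to the relevant lines).
"""
import re

WEAK_HASH = {"MD5"}
WEAK_ENC = {"DES-CBC", "3DES-CBC", "NULL"}
WEAK_DH = {"Group 1", "Group 2", "Group 5"}  # below 2048-bit MODP (group 14)

_KV_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9 /()\-]*?):\s*(.*?)\s*$")


def parse_fields(text: str) -> dict:
    """Collect 'Key: value' lines into a dict; the last occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def audit_ike_sa(text: str) -> list:
    """Return (severity, message) findings for one IKE SA (phase 1)."""
    f = parse_fields(text)
    findings = []
    if f.get("Authentication-algorithm") in WEAK_HASH:
        findings.append(("FAIL", f"IKE hash/PRF uses {f['Authentication-algorithm']}"))
    if f.get("Encryption-algorithm") in WEAK_ENC:
        findings.append(("FAIL", f"IKE encryption uses {f['Encryption-algorithm']}"))
    if f.get("Diffie-Hellman group") in WEAK_DH:
        findings.append(("FAIL", f"IKE DH {f['Diffie-Hellman group']} is below 2048-bit MODP"))
    if f.get("Authentication-method") == "PRE-SHARED-KEY" and f.get("Exchange-mode") == "Aggressive":
        findings.append(("FAIL", "PSK with aggressive mode exposes the identity hash to offline guessing"))
    return findings


def audit_ipsec_sa(text: str) -> list:
    """Return (severity, message) findings for one IPsec SA pair (phase 2)."""
    f = parse_fields(text)
    findings = []
    # e.g. "ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1" -> [("ENCRYPT", "AES-CBC-128"), ("AUTH", "SHA1")]
    for kind, alg in re.findall(r"ESP-(ENCRYPT|AUTH)-(\S+)", f.get("Transform set", "")):
        if kind == "ENCRYPT" and alg in WEAK_ENC:
            findings.append(("FAIL", f"ESP encryption uses {alg}"))
        if kind == "AUTH" and alg in WEAK_HASH:
            findings.append(("FAIL", f"ESP integrity uses {alg}"))
    if f.get("Anti-replay check enable") == "N":
        findings.append(("FAIL", "anti-replay disabled on inbound ESP SA"))
    if not f.get("Perfect Forward Secrecy"):
        findings.append(("WARN", "no PFS: IPsec keys derive from the IKE SA, so compromising it exposes every child SA"))
    return findings


# Constructed from the lab's display output.
LAB_IKE_SA_VERBOSE = """\
    Connection ID: 3
    Profile: profile1
    Local IP/port: 1.1.1.1/500
    Remote IP/port: 2.2.2.1/500
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: MD5
    Encryption-algorithm: 3DES-CBC
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected
"""
# Constructed target state (assumed values, not captured from the lab).
HARDENED_IKE_SA_VERBOSE = LAB_IKE_SA_VERBOSE.replace("MD5", "SHA256") \
    .replace("3DES-CBC", "AES-CBC-256").replace("Group 1", "Group 14")

LAB_IPSEC_SA = """\
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Transmitting entity: Initiator
    [Inbound ESP SAs]
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      Anti-replay check enable: Y
      Anti-replay window size: 64
      Status: Active
"""

if __name__ == "__main__":
    for sev, msg in audit_ike_sa(LAB_IKE_SA_VERBOSE) + audit_ipsec_sa(LAB_IPSEC_SA):
        print(f"{sev}: {msg}")
    print("hardened IKE SA findings:", audit_ike_sa(HARDENED_IKE_SA_VERBOSE))
```

Run it against the output of `display ike sa verbose` and `display ipsec sa` pasted from the router; on the lab configuration it reports three FAIL lines for the IKE SA (MD5, 3DES-CBC, Group 1) and one WARN for the missing PFS, while the hardened sample passes cleanly.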
Test connectivity between PCA and PCB again:
[H3C]ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 192.168.2.2: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.2.2: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 192.168.2.2: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 192.168.2.2: icmp_seq=4 ttl=253 time=6.000 ms
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms
[H3C]%Oct 19 10:03:33:629 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms.
All ICMP Echo Requests except the first receive an Echo Reply. The first packet matched ACL 3000 and triggered IKE negotiation (the policy's SA trigger mode is traffic-based), but until the IPsec SA exists there is no way to protect it, so it is dropped. The SA is established within a second or so, and every later packet is encapsulated in ESP and reaches the destination; `display ipsec sa` shows the corresponding inbound and outbound SPIs and a sequence-number count that increases with each packet.