本文主要是介绍IPsec+预共享密钥的lKE主模式,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
目标
- 配置IPsec+预共享密钥的lKE主模式
步骤一、配置各接口IP地址
步骤二、搭建公网环境
[RTA]ospf 1
[RTA-ospf-1] area 0.0.0.0
[RTA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[RTA-ospf-1-area-0.0.0.0]quit
[RTA-ospf-1] quit
[SWA]ospf 1
[SWA-ospf-1 ]area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[SWA-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
[SWA-ospf-1-area-0.0.0.0]quit
[SWA-ospf-1] quit
[RTB]ospf 1
[RTB-ospf-1]area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[RTB-ospf-1-area-0.0.0.0] quit
[RTB-ospf-1]quit
注意:请不要将路由器与PC互联的互联接口地址加入到OSPF中,使得SWA中只存在公网路由
在RTA、RTB中为私网配置静态路由
[RTA]ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
[RTB]ip route-static 192.168.1.0 255.255.255.0 2.2.2.2
查看PCA和PCB的互访情况
<PCA>ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>%Oct 18 15:29:21:839 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
注意:此时由于SWA中未存在私网路由,导致两端无法进行通信
步骤三、配置IKEproposal(默认为主模式)
[RTA]ike proposal 1
//创建安全提议,并进入提议试图
[RTA-ike-proposal-1]authentication-method pre-share
//配置IKE安全提议的认证方式
[RTA-ike-proposal-1]authentication-algorithm md5
//配置IKE的认证算法建议
[RTA-ike-proposal-1]encryption-algorithm 3des-cbc
//配置IKE安全提议的加密算法
[RTA-ike-proposal-1]quit
[RTB]ike proposal 1
[RTB-ike-proposal-1]authentication-method pre-share
[RTB-ike-proposal-1]authentication-algorithm md5
[RTB-ike-proposal-1]encryption-algorithm 3des-cbc
[RTB-ike-proposal-1]quit
步骤四、配置IKE keychain
[RTA]ike keychain keychain1
[RTA-ike-keychain-kechain1]pre-shared-key address 2.2.2.1 255.255.255.252 key simple h3c
//配置与对等体使用的预共享密钥
[RTB]ike keychain keychain1
[RTB-ike-keychain-kechain1]pre-shared-key address 1.1.1.1 255.255.255.252 key simple h3c
//配置与对等体使用的预共享密钥
步骤五、配置IKE profile
[RTA]ike profile profile1
[RTA-ike-profile-profile1]local-identity address 1.1.1.1
//指定本端标识
[RTA-ike-profile-profile1]match remote identity address 2.2.2.1 30
//匹配对端标识信息
[RTA-ike-profile-profile1]keychain keychain1
//指定要使用的密钥链
[RTA-ike-profile-profile1]proposal 1
//配置IKE安全策略的IKE安全提议
[RTA-ike-profile-profile1]quit
[RTB]ike profile profile1
[RTB-ike-profile-profile1]local-identity address 2.2.2.1
//指定本端标识
[RTB-ike-profile-profile1]match remote identity address 1.1.1.1 30
//匹配对端标识信息
[RTB-ike-profile-profile1]keychain keychain1
//指定要使用的密钥链
[RTB-ike-profile-profile1]proposal 1
//配置IKE安全策略的IKE安全提议
[RTB-ike-profile-profile1]quit
步骤六、配置安全ACL
[RTA]acl advanced 3000
[RTA-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RTA-acl-ipv4-adv-3000]quit
[RTB]acl advanced 3000
[RTB-acl-ipv4-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RTB-acl-ipv4-adv-3000]quit
步骤七、配置IPSec安全提议
[RTA]ipsec transform-set tran1
[RTA-ipsec-transform-set-tran1]esp authentication-algorithm sha1
//指定ESP认证算法为sha1
[RTA-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
//指定ESP加密算法
[RTA-ipsec-transform-set-tran1]quit
[RTB]ipsec transform-set tran1
[RTB-ipsec-transform-set-tran1]esp authentication-algorithm sha1
//指定ESP认证算法为sha1
[RTB-ipsec-transform-set-tran1]esp encryption-algorithm aes-cbc-128
//指定ESP加密算法
[RTB-ipsec-transform-set-tran1]quit
步骤八、配置并应用安全策略
[RTA]ipsec policy policy1 1 isakmp
[RTA-ipsec-policy-isakmp-policy1-1]remote-address 2.2.2.1
//指定IPsec隧道对端IP地址
[RTA-ipsec-policy-isakmp-policy1-1]security acl 3000
//配置流量保护参数
[RTA-ipsec-policy-isakmp-policy1-1]transform-set tran1
//指定IPsec转换集
[RTA-ipsec-policy-isakmp-policy1-1]ike-profile profile1
//配置IKE (Internet Key Exchange)安全策略
[RTA-ipsec-policy-isakmp-policy1-1]quit
[RTA]int GigabitEthernet 0/0
[RTA-GigabitEthernet0/0]ipsec apply policy policy1
//在接口上应用安全策略
[RTA-GigabitEthernet0/0]quit
[RTB]ipsec policy policy1 1 isakmp
[RTB-ipsec-policy-isakmp-policy1-1]remote-address 1.1.1.1
[RTB-ipsec-policy-isakmp-policy1-1]security acl 3000
[RTB-ipsec-policy-isakmp-policy1-1]transform-set tran1
[RTB-ipsec-policy-isakmp-policy1-1]ike-profile profile1
[RTB-ipsec-policy-isakmp-policy1-1]quit
[RTB]int GigabitEthernet 0/0
[RTB-GigabitEthernet0/0]ipsec apply policy policy1
[RTB-GigabitEthernet0/0]quit
步骤九、检验配置
在RTA上检查配置参数
[RTA]display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 PRE-SHARED-KEY MD5 3DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[RTA]display ipsec transform-set
IPsec transform set: tran1
State: complete
Encapsulation mode: tunnel
ESN: Disabled
PFS:
Transform: ESP
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
[RTA]display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet0/0
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Traffic Flow Confidentiality: Disabled
Security data flow: 3000
Selector mode: standard
Local address:
Remote address: 2.2.2.1
Remote address switchback mode: Disabled
Transform set: tran1
IKE profile: profile1
IKEv2 profile:
smart-link policy:
SA trigger mode: Traffic-based
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): --
SA soft-duration buffer(traffic based): --
SA idle time: --
SA df-bit:
[RTA]display ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
3 1.1.1.1 2.2.2.1 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[RTA]display ike sa verbose
-----------------------------------------------
Connection ID: 3
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
Initiator cookie: 2efe58a340b427fa
Responder cookie: 7c9936703ae0cf8e
-----------------------------------------------
Local IP/port: 1.1.1.1/500
Local ID type: IPV4_ADDR
Local ID: 1.1.1.1
Remote IP/port: 2.2.2.1/500
Remote ID type: IPV4_ADDR
Remote ID: 2.2.2.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 86249
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Vendor ID index:0xffffffff
Vendor ID sequence number:0x0
[RTA]display ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.1
Flow:
sour addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1127444029 (0x43336e3d)
Connection ID: 21474836481
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3495
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4064298561 (0xf2404641)
Connection ID: 21474836480
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3495
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
再次测试PCA与PCB的连通性
[H3C]ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 192.168.2.2: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.2.2: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 192.168.2.2: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 192.168.2.2: icmp_seq=4 ttl=253 time=6.000 ms
--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms
[H3C]%Oct 19 10:03:33:629 2022 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss, round-trip min/avg/max/std-dev = 2.000/3.250/6.000/1.639 ms.
可见除第一个ICMP Echo Request包被报告超时之外,其他的都成功收到Echo Reply包。这是因为第一个包触发了IKE协商,在IPsec SA成功建立之前,这个包无法获得IPsec服务,只能被丢弃。而IPsec SA很快就成功建立了,后续的包也就可以顺利到达目的。
这篇关于IPsec+预共享密钥的lKE主模式的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
