IPSec VPN configuration steps:
1. Configure the IP address of each router interface and the basic PC settings according to the topology diagram
Complete this on your own from the topology diagram, then check the interface IP addresses of AR1, AR2 and AR3.
[AR1]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 202.108.10.1/30 up up
GigabitEthernet0/0/1 10.10.10.1/24 up up
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
[AR2]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 202.108.20.1/30 up up
GigabitEthernet0/0/1 10.10.20.1/24 up up
GigabitEthernet0/0/2 unassigned down down
NULL0
[AR3]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 202.108.10.2/30 up up
GigabitEthernet0/0/1 202.108.20.2/30 up up
GigabitEthernet0/0/2 unassigned down down
NULL0
2. On AR1 and AR2, specify the route toward the remote site with a static default route
[AR1]ip route-static 0.0.0.0 0 202.108.10.2
[AR2]ip route-static 0.0.0.0 0 202.108.20.2
Test connectivity between site 1 and site 2
[AR1]ping 202.108.20.1
PING 202.108.20.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 202.108.20.1: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 202.108.20.1: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 202.108.20.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 202.108.20.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 202.108.20.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 20/30/40 ms
The test result shows that AR1 and AR2 can reach each other.
PC>ping 10.10.20.20
Ping 10.10.20.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 10.10.20.20 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
However, the internal host PC1 at site 1 and the internal host at site 2 cannot reach each other.
3. Use an advanced IP ACL to define the traffic that must be protected by the IPSec tunnel
[AR1]acl 3010
[AR1-acl-adv-3010]rule permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[AR1-acl-adv-3010]rule deny ip
On AR1, only traffic with source IP 10.10.10.0/24 and destination IP 10.10.20.0/24 is permitted.
[AR2]acl 3020
[AR2-acl-adv-3020]rule permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[AR2-acl-adv-3020]rule deny ip
On AR2, only traffic with source IP 10.10.20.0/24 and destination IP 10.10.10.0/24 is permitted.
4. Create the IPSec proposal and specify the parameters IPSec will use
[AR1]ipsec proposal prop10
[AR1-ipsec-proposal-prop10]encapsulation-mode tunnel
[AR1-ipsec-proposal-prop10]transform esp
[AR1-ipsec-proposal-prop10]esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-prop10]esp encryption-algorithm aes-128
AR1 creates an IPSec proposal named prop10 that specifies the parameters used to build the connection: the encapsulation mode, the security protocol, and the authentication and encryption algorithms.
[AR2]ipsec proposal prop20
[AR2-ipsec-proposal-prop20]esp authentication-algorithm sha2-256
[AR2-ipsec-proposal-prop20]esp encryption-algorithm aes-128
AR2 creates an IPSec proposal named prop20. AR2 leaves the encapsulation mode and transform at their defaults (tunnel and ESP), so its proposal matches AR1's. AR1 and AR2 compare the IPSec proposals each side supports and negotiate the authentication and encryption algorithms IPSec will use.
View the IPSec proposal on AR1
[AR1]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: prop10
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
5. Create the IKE proposal and specify the parameters IKE will use
[AR1]ike proposal 10
[AR1-ike-proposal-10]authentication-method pre-share
[AR1-ike-proposal-10]authentication-algorithm sha1
[AR1-ike-proposal-10]encryption-algorithm aes-cbc-128
[AR2]ike proposal 20
[AR2-ike-proposal-20]authentication-algorithm sha1
[AR2-ike-proposal-20]encryption-algorithm aes-cbc-128
The IKE proposal number ranges from 1 to 99. The IKE proposal specifies the authentication method, and the authentication and encryption algorithms, that IKE uses for its key exchange and for protecting the keys. AR2 omits authentication-method, which defaults to pre-share, so the two IKE proposals match.
6. Create the IKE peer and reference the IKE proposal configured above
[AR1]ike peer ike10 v1
[AR1-ike-peer-ike10]ike-proposal 10
[AR1-ike-peer-ike10]pre-shared-key cipher huawei123
[AR1-ike-peer-ike10]remote-address 202.108.20.1
[AR2]ike peer ike20 v1
[AR2-ike-peer-ike20]ike-proposal 20
[AR2-ike-peer-ike20]pre-shared-key cipher huawei123
[AR2-ike-peer-ike20]remote-address 202.108.10.1
The system-view command ike peer ike20 v1 creates a peer. In the IKE peer view, the remote IP address is specified, the IKE proposal built earlier is applied, and the pre-shared key is defined.
View the IKE peer on AR1
[AR1]dis ike peer verbose
Number of IKE peers: 1
------------------------------------------
Peer name : ike10
Exchange mode : main on phase 1
Pre-shared-key cipher : "@J*U2S*(7F,YWX*NZ55OA!!
Proposal : 10
Local ID type : IP
DPD : Disable
DPD mode : Periodic
DPD idle time : 30
DPD retransmit interval: 15
DPD retry limit : 3
Host name :
Peer IP address : 202.108.20.1
VPN name :
Local IP address :
Local name :
Remote name :
NAT-traversal : Disable
Configured IKE version : Version one
PKI realm : NULL
Inband OCSP : Disable
---- More ----
The command output shows all the IKE-related parameters configured so far: the peer name (ike10), the IKE proposal number (10), the IKE peer IP address (202.108.20.1) and the IKE version (Version one).
7. Create the IPSec policy and apply the ACL, the IPSec proposal and the IKE peer in it
Configure the security policy
[AR1]ipsec policy po10 10 isakmp
[AR1-ipsec-policy-isakmp-po10-10]ike-peer ike10
[AR1-ipsec-policy-isakmp-po10-10]proposal prop10
[AR1-ipsec-policy-isakmp-po10-10]security acl 3010
[AR2]ipsec policy po20 20 isakmp
[AR2-ipsec-policy-isakmp-po20-20]ike-peer ike20
[AR2-ipsec-policy-isakmp-po20-20]proposal prop20
[AR2-ipsec-policy-isakmp-po20-20]security acl 3020
The objects created in the preceding steps (the ACL, the IPSec proposal, the IKE proposal and the IKE peer) are all applied in the IPSec policy.
View the IPSec policy on AR1
[AR1]dis ipsec policy
===========================================
IPSec policy group: "po10"
Using interface:
===========================================
Sequence number: 10
Security data flow: 3010
Peer name : ike10
Perfect forward secrecy: None
Proposal name: prop10
IPSec SA local duration(time based): 3600 seconds
IPSec SA local duration(traffic based): 1843200 kilobytes
Anti-replay window size: 32
SA trigger mode: Automatic
Route inject: None
Qos pre-classify: Disable
In the output you can find the IKE peer name (ike10), the IPSec proposal (prop10) and the ACL that defines the protected traffic (3010) that were just applied.
8. On both ends of the connection, apply the security policy to the Internet-facing interface.
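Before applying the policy it is worth checking that the two routers' objects from steps 3 to 7 are mirror images, since a single copied ACL or a mismatched algorithm is enough for the negotiation to fail. The following Python script is an added example, not part of the lab; it summarises the AR1/AR2 commands above in dicts and assumes the Huawei defaults (encapsulation-mode tunnel, transform esp, authentication-method pre-share) for the commands AR2 omits.

```python
# Added example (not part of the original lab): a pre-flight check that the two ends of the
# site-to-site tunnel are configured as mirror images, catching the usual copy-paste slips
# before IKE ever runs. The dicts summarise the AR1/AR2 commands above; settings the lab
# leaves at their defaults (encapsulation-mode tunnel, transform esp, authentication-method
# pre-share) are assumed to be those defaults.
IPSEC_DEFAULTS = {"mode": "tunnel", "transform": "esp"}
IKE_DEFAULTS = {"auth_method": "pre-share"}

AR1 = {
    "wan_ip": "202.108.10.1",
    "acl": {"src": "10.10.10.0/24", "dst": "10.10.20.0/24"},              # acl 3010
    "ipsec_proposal": {"mode": "tunnel", "transform": "esp",
                       "esp_auth": "sha2-256", "esp_enc": "aes-128"},       # prop10
    "ike_proposal": {"auth_method": "pre-share", "auth_alg": "sha1",
                     "enc_alg": "aes-cbc-128"},                             # ike proposal 10
    "ike_peer": {"remote": "202.108.20.1", "psk": "huawei123", "version": "v1"},
}
AR2 = {
    "wan_ip": "202.108.20.1",
    "acl": {"src": "10.10.20.0/24", "dst": "10.10.10.0/24"},              # acl 3020
    "ipsec_proposal": {"esp_auth": "sha2-256", "esp_enc": "aes-128"},      # prop20
    "ike_proposal": {"auth_alg": "sha1", "enc_alg": "aes-cbc-128"},        # ike proposal 20
    "ike_peer": {"remote": "202.108.10.1", "psk": "huawei123", "version": "v1"},
}

def diff_proposals(label, pa, pb, defaults):
    """Fill in defaults, then report every parameter on which the two proposals differ."""
    pa, pb = {**defaults, **pa}, {**defaults, **pb}
    return [f"{label} {k}: {pa.get(k)} vs {pb.get(k)}"
            for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)]

def check_peers(a, b):
    """Return the reasons negotiation would fail; an empty list means the two ends agree."""
    problems = []
    # The ACLs must be mirror images: one side's source is the other side's destination.
    if (a["acl"]["src"], a["acl"]["dst"]) != (b["acl"]["dst"], b["acl"]["src"]):
        problems.append("ACLs are not mirror images")
    problems += diff_proposals("ipsec", a["ipsec_proposal"], b["ipsec_proposal"], IPSEC_DEFAULTS)
    problems += diff_proposals("ike", a["ike_proposal"], b["ike_proposal"], IKE_DEFAULTS)
    # Each remote-address must be the other router's Internet-facing (G0/0/0) address.
    if a["ike_peer"]["remote"] != b["wan_ip"] or b["ike_peer"]["remote"] != a["wan_ip"]:
        problems.append("remote-address does not point at the other peer's WAN address")
    if a["ike_peer"]["psk"] != b["ike_peer"]["psk"]:
        problems.append("pre-shared keys differ")
    if a["ike_peer"]["version"] != b["ike_peer"]["version"]:
        problems.append("IKE versions differ")
    return problems
```

`check_peers(AR1, AR2)` returns an empty list for the lab configuration; pasting AR1's ACL onto AR2 or changing one ESP algorithm produces a one-line reason instead.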
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy po10
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ipsec policy po20
View the established IKE SAs on AR1 and AR2
[AR1]DIS IKE SA
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
3 202.108.20.1 0 RD|ST 2
2 202.108.20.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[AR2]dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
3 202.108.10.1 0 RD 2
2 202.108.10.1 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
AR1 shows an additional ST flag, indicating that AR1 is the initiator of the IKE SA negotiation. The RD flag present on both AR1 and AR2 indicates that the IKE SA has been established successfully.
View the established IPSec SAs on AR1 and AR2
[AR1]dis ipsec sa br
Number of SAs:2
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
202.108.10.1 202.108.20.1 1024164772 0 ESP E:AES-128 A:SHA2_256_
128
202.108.20.1 202.108.10.1 168286895 0 ESP E:AES-128 A:SHA2_256_
128
<AR2>dis ipsec sa brief
Number of SAs:2
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
202.108.10.1 202.108.20.1 1024164772 0 ESP E:AES-128 A:SHA2_256_
128
202.108.20.1 202.108.10.1 168286895 0 ESP E:AES-128 A:SHA2_256_
128
The SPI uniquely identifies an IPSec SA. When encapsulating IPSec traffic, the router looks up the SPI of the matching SA in the SADB and writes it into the ESP header.
PC1 pings PC2
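Checking the tunnel state by eye is error-prone once there are several peers, so here is an added Python example (not part of the lab) that parses the two displays above and reports whether both IKE phases are ready, which side initiated, and whether an inbound and an outbound ESP SA exist for the peer. The sample text is constructed from AR1's output; the column that the router wraps as "A:SHA2_256_" / "128" is joined on one line.

```python
import re

# Added example (not from the original lab): parse the 'dis ike sa' and 'dis ipsec sa brief'
# output above and decide, from AR1's side, whether the tunnel is fully up. Sample text is
# constructed from AR1's output; the wrapped "A:SHA2_256_ / 128" column is joined here.
IKE_SA_OUTPUT = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
3 202.108.20.1 0 RD|ST 2
2 202.108.20.1 0 RD|ST 1
"""
IPSEC_SA_OUTPUT = """\
Number of SAs:2
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
202.108.10.1 202.108.20.1 1024164772 0 ESP E:AES-128 A:SHA2_256_128
202.108.20.1 202.108.10.1 168286895 0 ESP E:AES-128 A:SHA2_256_128
"""
IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([12])$")
IPSEC_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(ESP|AH)\s+(.+)$")

def parse_ike_sa(text):
    """One dict per IKE SA row: connection id, peer, flag set and phase (1 or 2)."""
    rows = (IKE_ROW.match(l.strip()) for l in text.splitlines())
    return [{"conn": int(m[1]), "peer": m[2], "flags": set(m[4].split("|")),
             "phase": int(m[5])} for m in rows if m]

def parse_ipsec_sa(text):
    """One dict per IPSec SA row; the SPI is what uniquely identifies the SA in the SADB."""
    rows = (IPSEC_ROW.match(l.strip()) for l in text.splitlines())
    return [{"src": m[1], "dst": m[2], "spi": int(m[3]), "proto": m[5], "alg": m[6]}
            for m in rows if m]

def tunnel_status(ike_text, ipsec_text, local_ip, peer_ip):
    """Phase 1 and phase 2 must both carry RD (ready); ST marks this side as the
    initiator; a working tunnel has one outbound and one inbound ESP SA with the peer."""
    ike = [s for s in parse_ike_sa(ike_text) if s["peer"] == peer_ip]
    ready = {s["phase"] for s in ike if "RD" in s["flags"]}
    sas = parse_ipsec_sa(ipsec_text)
    out = [s["spi"] for s in sas if (s["src"], s["dst"]) == (local_ip, peer_ip)]
    inb = [s["spi"] for s in sas if (s["src"], s["dst"]) == (peer_ip, local_ip)]
    return {"phase1_ready": 1 in ready, "phase2_ready": 2 in ready,
            "initiator": any("ST" in s["flags"] for s in ike),
            "outbound_spi": out[0] if out else None,
            "inbound_spi": inb[0] if inb else None,
            "up": {1, 2} <= ready and bool(out) and bool(inb)}
```

A display that lists only a phase 1 SA (for example when the ACLs do not match and phase 2 never completes) yields `phase2_ready` False and no SPIs, which is the symptom to look for when the PCs still cannot ping.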
PC>ping 10.10.20.20
Ping 10.10.20.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.10.20.20: bytes=32 seq=2 ttl=127 time=31 ms
From 10.10.20.20: bytes=32 seq=3 ttl=127 time=31 ms
From 10.10.20.20: bytes=32 seq=4 ttl=127 time=16 ms
From 10.10.20.20: bytes=32 seq=5 ttl=127 time=15 ms
--- 10.10.20.20 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/23/31 ms