10-SECBLADE_VPN Configuration Example
The SecBlade VPN module supports a rich set of VPN services. Among them, the IPsec (IP Security) protocol suite provides high-quality, interoperable, cryptography-based protection for IP datagrams: between specific communicating parties it applies encryption and data-origin authentication at the IP layer, so that datagrams in transit keep their confidentiality, integrity and authenticity and cannot be replayed.
Related terms:
AH (Authentication Header) is the authentication header protocol. It provides data-origin authentication, data-integrity checking and anti-replay protection; however, AH does not encrypt the datagram it protects.
ESP (Encapsulating Security Payload) is the encapsulating security payload protocol. Besides the authentication, integrity and anti-replay services that AH provides, ESP can also encrypt the IP datagram.
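The anti-replay service named above is implemented in AH and ESP with a per-SA sliding window over the sequence number carried in each packet. The following Python model of that window is an added illustration, not SecBlade or H3C code; the 64-packet window size, the split into check (before ICV verification) and update (after it), and the sample sequence-number stream are assumptions made for the example, and the page does not state the board's actual window size.

```python
class ReplayWindow:
    """Anti-replay check for AH/ESP: a sliding window of `size` sequence
    numbers in the style of RFC 4303 Appendix A. Bit i of `seen` is set
    when sequence number `top - i` has already been accepted (bit 0 = top)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0    # highest sequence number accepted so far (0 = nothing yet)
        self.seen = 0   # bitmap of accepted numbers inside the window

    def check(self, seq):
        """True if `seq` may be accepted: not zero, not older than the window,
        not already seen. Run this before the (costly) ICV verification."""
        if seq == 0:                  # sequence numbers start at 1
            return False
        if seq > self.top:            # right of the window: always new
            return True
        diff = self.top - seq
        return diff < self.size and not (self.seen >> diff) & 1

    def update(self, seq):
        """Record `seq` as accepted; call only once the packet authenticated."""
        if seq > self.top:
            shift = seq - self.top
            # slide the window right; a jump of a full window clears it entirely
            self.seen = (self.seen << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.seen |= 1
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)

    def receive(self, seq):
        """Check + update for a packet whose ICV verified; True if accepted."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def simulate(seqs, size=64):
    """Feed a constructed sequence-number stream through one window and
    return the accept/reject decision for each packet."""
    w = ReplayWindow(size)
    return [w.receive(s) for s in seqs]


if __name__ == "__main__":
    # constructed stream: in-order packets, a replay of 3, a jump to 70 that
    # pushes 5 out of the window, a late-but-valid 7, its replay, and seq 0
    print(simulate([1, 2, 3, 4, 5, 3, 70, 5, 7, 7, 71, 7, 0]))
```

The split into check and update matters in practice: a receiver that marks a sequence number as seen before the ICV is verified lets an attacker blind the window with forged packets carrying high sequence numbers.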
Software version: S9500-CMW310-R1628 and later upgrade versions (not supported on R2126 and later)
Hardware version: LSB1IPSEC8DB0 board
None
As shown in Figure 4-1, the private-network traffic between VLAN 76 and VLAN 77 is encrypted by the IPsec boards attached to the S9505 switches, so the two sites communicate securely.
Figure 4-1 Typical IPsec network diagram
# Configure the VLANs, and add the port connecting to the PC and the port interconnecting the two S9505s to their respective VLANs.
<S9505_1> system-view
[S9505_1] vlan 50
[S9505_1-vlan50] port Ethernet 2/1/1
[S9505_1-vlan50] quit
[S9505_1] vlan 77
[S9505_1-vlan77] port Ethernet 2/1/2
[S9505_1-vlan77] quit
# Create the SecBlade module, configure VLAN 50 and VLAN 77 as its security VLANs, and bind the module to the slot holding the IPsec board.
[S9505_1] secblade module test
[S9505_1-secblade-test] security-vlan 50
[S9505_1-secblade-test] security-vlan 77
[S9505_1-secblade-test] map to slot 3
# Configure the IP addresses of the SecBlade VPN subinterfaces (one dot1q subinterface per security VLAN).
[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ip address 172.16.50.2 24
[SecBlade_VPN-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_VPN-GigabitEthernet0/0.50] quit
[SecBlade_VPN] interface GigabitEthernet 0/0.77
[SecBlade_VPN-GigabitEthernet0/0.77] ip address 10.13.77.2 24
[SecBlade_VPN-GigabitEthernet0/0.77] vlan-type dot1q vid 77
[SecBlade_VPN-GigabitEthernet0/0.77] quit
# Configure the ACL that selects the traffic to be protected (VLAN 77 subnet to VLAN 76 subnet).
[SecBlade_VPN] acl number 3000
[SecBlade_VPN-acl-adv-3000] rule permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
[SecBlade_VPN-acl-adv-3000] quit
# Configure the IKE peer. The pre-shared key vpn is an example value only; use a long, random key in a real deployment.
[SecBlade_VPN] ike peer peer
[SecBlade_VPN-ike-peer-peer] pre-shared-key vpn
[SecBlade_VPN-ike-peer-peer] remote-address 172.16.50.1
[SecBlade_VPN-ike-peer-peer] quit
# Configure the IPsec proposal (tunnel mode, AH+ESP, SHA-1 authentication, 3DES encryption). These are the algorithms this example uses; 3DES, SHA-1 and DH group 1 are regarded as weak today, so choose the strongest algorithms your software version supports.
[SecBlade_VPN] ipsec proposal h3c
[SecBlade_VPN-ipsec-proposal-h3c] encapsulation-mode tunnel
[SecBlade_VPN-ipsec-proposal-h3c] transform ah-esp
[SecBlade_VPN-ipsec-proposal-h3c] ah authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] esp encryption-algorithm 3des
[SecBlade_VPN-ipsec-proposal-h3c] esp authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] quit
# Configure the IPsec policy and bind the IKE peer, the proposal and the ACL to it.
[SecBlade_VPN] ipsec policy h3cpolicy 10 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] ike-peer peer
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] proposal h3c
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] security acl 3000
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] quit
# Apply the IPsec policy on the outside subinterface (VLAN 50).
[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ipsec policy h3cpolicy
[SecBlade_VPN-GigabitEthernet0/0.50] quit
# Configure a static route to the remote private subnet via the peer's outside address.
[SecBlade_VPN] ip route-static 10.13.76.0 255.255.255.0 172.16.50.1
The configuration procedure on the peer S9505 (the one attached to VLAN 76) is the same as on S9505_1.
The configuration procedure on the peer's SecBlade VPN module is the same as on the SecBlade of S9505_1, with the addresses, ACL and static route mirrored.
Key configuration of S9505_1 and its SecBlade VPN module (the VTY lines below use authentication-mode none; that is a lab setting and must not be left on a production device):
#
secblade module test
security-vlan 50 77
map to slot 3
#
#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.2 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.77
ip address 10.13.77.2 255.255.255.0
vlan-type dot1q vid 77
#
interface Encrypt1/0
#
interface NULL0
#
ip route-static 10.13.76.0 255.255.255.0 172.16.50.1 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
#
return
Key configuration of the peer S9505 (VLAN 76 side) and its SecBlade VPN module:
#
secblade module test
security-vlan 50 76
map to slot 1
#
#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.2
local-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.1 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.76
ip address 10.13.76.2 255.255.255.0
vlan-type dot1q vid 76
#
interface Encrypt1/0
shutdown
#
interface NULL0
#
ip route-static 10.13.77.0 255.255.255.0 172.16.50.2 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
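Most IPsec tunnels that fail to come up in this topology fail because the two sides are not mirror images of each other: the remote-address on one side does not match the other side's outside interface, the pre-shared keys differ, the PFS setting differs, the ACL is not reversed on the peer, or the static route to the remote subnet does not point at the peer. The following Python script is an added example that is not part of the H3C page or of the SecBlade software: it parses the two key configurations above (embedded verbatim, trimmed to the relevant blocks) and checks each of those pairings. It assumes the Comware-style block syntax shown on the page (a block keyword followed by its sub-commands, ended by `#` or a blank line); indentation is ignored, and the ACL wildcard masks are parsed by Python's ipaddress module, which accepts a hostmask such as 0.0.0.255 after the slash.

```python
import ipaddress

# IPsec-relevant lines of the two SecBlade running configs shown above, copied from
# the page (not constructed): SIDE_A is the S9505_1 module, SIDE_B its peer.
SIDE_A = """\
ike peer peer
 pre-shared-key vpn
 remote-address 172.16.50.1
ipsec policy h3cpolicy 10 isakmp
 security acl 3000
 pfs dh-group1
 ike-peer peer
 proposal h3c
acl number 3000
 rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
interface GigabitEthernet0/0.50
 ip address 172.16.50.2 255.255.255.0
 ipsec policy h3cpolicy
ip route-static 10.13.76.0 255.255.255.0 172.16.50.1 preference 60
"""
SIDE_B = """\
ike peer peer
 pre-shared-key vpn
 remote-address 172.16.50.2
 local-address 172.16.50.1
ipsec policy h3cpolicy 10 isakmp
 security acl 3000
 pfs dh-group1
 ike-peer peer
 proposal h3c
acl number 3000
 rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
interface GigabitEthernet0/0.50
 ip address 172.16.50.1 255.255.255.0
 ipsec policy h3cpolicy
ip route-static 10.13.77.0 255.255.255.0 172.16.50.2 preference 60
"""

def _net(addr, mask):
    # ipaddress accepts a netmask (255.255.255.0) or an ACL wildcard (0.0.0.255) after '/'
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Extract IKE peers, IPsec policies, ACL flows, interfaces and static routes."""
    f = {"ike": {}, "policies": {}, "acls": {}, "ifaces": {}, "routes": []}
    ctx = (None, None)  # (table, name) of the block being read; '#' or a blank line ends it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = (None, None); continue
        tok = line.split()
        if line.startswith("ike peer "):
            ctx, f["ike"][tok[2]] = ("ike", tok[2]), {}
        elif line.startswith("ipsec policy ") and "isakmp" in tok:  # definition, not interface apply
            ctx, f["policies"][tok[2]] = ("policies", tok[2]), {}
        elif line.startswith("acl number "):
            ctx, f["acls"][tok[2]] = ("acls", tok[2]), []
        elif line.startswith("interface "):
            ctx, f["ifaces"][tok[1]] = ("ifaces", tok[1]), {}
        elif line.startswith("ip route-static "):
            f["routes"].append((_net(tok[2], tok[3]), tok[4]))
        elif ctx[0] == "ike" and tok[0] in ("pre-shared-key", "remote-address", "local-address"):
            f["ike"][ctx[1]][tok[0]] = tok[1]
        elif ctx[0] == "policies" and tok[0] in ("security", "pfs", "ike-peer", "proposal"):
            f["policies"][ctx[1]][tok[0]] = tok[-1]  # "security acl 3000" is stored under "security"
        elif ctx[0] == "acls" and tok[0] == "rule" and "source" in tok and "destination" in tok:
            s, d = tok.index("source"), tok.index("destination")
            f["acls"][ctx[1]].append((_net(tok[s + 1], tok[s + 2]), _net(tok[d + 1], tok[d + 2])))
        elif ctx[0] == "ifaces" and tok[:2] in (["ip", "address"], ["ipsec", "policy"]):
            f["ifaces"][ctx[1]][tok[1]] = tok[2]  # stored under "address" / "policy"
    return f

def check_pair(a, b):
    """Return the mismatches between two peers' parsed configs; [] means consistent."""
    outside = lambda f: next((i for i in f["ifaces"].values() if "policy" in i), None)
    ia, ib = outside(a), outside(b)
    if ia is None or ib is None:
        return ["ipsec policy is not applied to any interface on one side"]
    problems, psks = [], []
    for side, me, mine, peer, theirs in (("A", a, ia, b, ib), ("B", b, ib, a, ia)):
        pol = me["policies"].get(mine["policy"], {})
        ike = me["ike"].get(pol.get("ike-peer"), {})
        psks.append(ike.get("pre-shared-key"))
        if ike.get("remote-address") != theirs["address"]:
            problems.append(f"{side}: remote-address {ike.get('remote-address')} != peer outside IP {theirs['address']}")
        peer_pol = peer["policies"].get(theirs["policy"], {})
        if pol.get("pfs") != peer_pol.get("pfs"):
            problems.append(f"{side}: pfs {pol.get('pfs')} != peer pfs {peer_pol.get('pfs')}")
        mirror = {(d, s) for s, d in peer["acls"].get(peer_pol.get("security"), [])}
        for src, dst in me["acls"].get(pol.get("security"), []):
            if (src, dst) not in mirror:  # each protected flow needs the reverse rule on the peer
                problems.append(f"{side}: flow {src} -> {dst} has no mirror rule on the peer")
            if not any(dst.subnet_of(r) and nh == theirs["address"] for r, nh in me["routes"]):
                problems.append(f"{side}: no static route for {dst} via {theirs['address']}")
    if len(set(psks)) != 1:
        problems.append("pre-shared-key differs between the two peers")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_config(SIDE_A), parse_config(SIDE_B)) or "peers are consistent")
```

Run against the two configurations on this page the check reports no problems; pasting the output of display current-configuration from each module into SIDE_A and SIDE_B turns it into a pre-flight check before bringing the tunnel up.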
Documentation for different models and specifications differs slightly; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the content of this documentation without notice.