45-IPsec Configuration Examples
This chapter presents IPsec configuration examples in which an ACL-based IPsec tunnel is established either manually or through IKE negotiation to protect packets whose source or destination address is the device itself.
At present, when the device uses an ACL to identify the traffic protected by an IPsec tunnel, the protected traffic can only be packets sourced from or destined to the device itself. ACL rules that match forwarded traffic do not take effect; that is, IPsec does not protect any data or voice flows that the device forwards.
Table 1 Applicable products and software versions
Product | Software version
S5830V2 & S5820V2 series Ethernet switches | Release 2208P01, Release 2210
As shown in Figure 1, an ACL-based IPsec tunnel is established between Switch A and Switch B to protect the traffic between them, so that Switch B can transfer its log file to Switch A securely. The requirements are as follows:
· Switch A enables the FTP server and creates a local user of the FTP type (with a username, a password, and the authorized user role network-admin).
· Switch B, as the FTP client, uploads the log file logfile.log from its logfile directory to the root directory of Switch A and saves it as remotelog.log.
· The IPsec tunnel between Switch A and Switch B uses a manually created IPsec policy, tunnel-mode encapsulation, ESP as the security protocol, AES-CBC-192 as the encryption algorithm, and HMAC-SHA1 as the authentication algorithm.
Figure 1 Network diagram for manually establishing an ACL-based IPsec tunnel
Establishing an IPsec tunnel based on an ACL means that the ACL specifies the range of traffic to be protected. In this example the traffic to protect is the flow between Switch A and Switch B, so Switch A needs an ACL rule permitting packets from Switch A (2.2.2.1) to Switch B (2.2.3.1), and Switch B needs an ACL rule permitting packets from Switch B (2.2.3.1) to Switch A (2.2.2.1). An IPsec policy is then configured on each switch and applied to interface Vlan-interface 1 to complete the IPsec configuration.
The ACL referenced in an IPsec policy filters both the inbound and the outbound traffic of the interface.
Make sure Switch A and Switch B are reachable to each other.
(1) Configure Switch A
# Assign an IP address to interface Vlan-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# On Switch A, create a local user of the FTP type with the password QQwwee12345^&*(), authorize it the user role network-admin, and set its working directory to the root directory of the device.
[SwitchA] local-user ftp class manage
New local user added.
[SwitchA-luser-manage-ftp] password simple QQwwee12345^&*()
[SwitchA-luser-manage-ftp] authorization-attribute user-role network-admin
[SwitchA-luser-manage-ftp] authorization-attribute work-directory flash:/
[SwitchA-luser-manage-ftp] service-type ftp
[SwitchA-luser-manage-ftp] quit
# Enable the FTP server on Switch A.
[SwitchA] ftp server enable
# Configure an ACL that defines the traffic from Switch A to Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Set the encapsulation mode for IP packets to tunnel mode.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Set the security protocol to ESP.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Set the ESP encryption algorithm to AES-CBC-192 and the ESP authentication algorithm to HMAC-SHA1.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy named map1 with sequence number 10.
[SwitchA] ipsec policy map1 10 manual
# Reference ACL 3101.
[SwitchA-ipsec-policy-manual-map1-10] security acl 3101
# Reference IPsec transform set tran1.
[SwitchA-ipsec-policy-manual-map1-10] transform-set tran1
# Specify 2.2.3.1 as the remote IP address of the IPsec tunnel.
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
# Set the outbound ESP SPI to 12345 and the inbound ESP SPI to 54321.
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Set the key of the outbound ESP SA to the plaintext string abcdefg and the key of the inbound ESP SA to the plaintext string gfedcba.
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[SwitchA-ipsec-policy-manual-map1-10] quit
# Apply the IPsec policy to interface Vlan-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
(2) Configure Switch B
# Assign an IP address to interface Vlan-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure an ACL that defines the traffic from Switch B to Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the encapsulation mode for IP packets to tunnel mode.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Set the security protocol to ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Set the ESP encryption algorithm to AES-CBC-192 and the ESP authentication algorithm to HMAC-SHA1.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy named use1 with sequence number 10.
[SwitchB] ipsec policy use1 10 manual
# Reference ACL 3101.
[SwitchB-ipsec-policy-manual-use1-10] security acl 3101
# Reference IPsec transform set tran1.
[SwitchB-ipsec-policy-manual-use1-10] transform-set tran1
# Specify 2.2.2.1 as the remote IP address of the IPsec tunnel.
[SwitchB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
# Set the outbound ESP SPI to 54321 and the inbound ESP SPI to 12345.
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Set the key of the outbound ESP SA to the plaintext string gfedcba and the key of the inbound ESP SA to the plaintext string abcdefg.
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-policy-manual-use1-10] quit
# Apply the IPsec policy to interface Vlan-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
[SwitchB-Vlan-interface1] quit
[SwitchB] quit
# Change the working directory to the logfile subdirectory of the current working directory.
<SwitchB> cd logfile
# The logfile subdirectory contains the system log file logfile.log.
<SwitchB> dir
Directory of flash:/logfile
0 -rw- 8104793 Jan 01 2013 02:50:25 logfile.log
524288 KB total (200384 KB free)
# Log in to Switch A with the username ftp and the password QQwwee12345^&*().
<SwitchB> ftp 2.2.2.1
Connected to 2.2.2.1 (2.2.2.1).
220 FTP service ready.
User (2.2.2.1:(none)): ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
# Set the FTP file transfer mode to ASCII.
ftp> ascii
200 TYPE is now ASCII
# Upload logfile.log and save it as remotelog.log.
ftp> put logfile.log remotelog.log
227 Entering Passive Mode (2,2,2,1,97,0)
150 Accepted data connection
226 File successfully transferred
8209754 bytes sent in 15.7 seconds (511.3 kbyte/s)
# Terminate the connection to the FTP server Switch A and return to user view.
ftp> bye
221-Goodbye. You uploaded 7813 and downloaded 0 kbytes.
221 Logout.
<SwitchB>
After the configuration is complete, the dir command on Switch A shows the file remotelog.log in the root directory of the device, which indicates that Switch B has transferred its log file to Switch A.
The traffic between Switch A and Switch B is now protected by the IPsec SAs that were created. Use the following command to display the manually created IPsec SAs on Switch A.
[SwitchA] display ipsec sa
-------------------------------
Interface: Vlan-interface 1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: manual
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Path MTU: 1427
Tunnel:
local address: 2.2.2.1
remote address: 2.2.3.1
Flow:
as defined in ACL 3101
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
Switch B also creates the corresponding IPsec SAs to protect IPv4 packets. They are displayed in the same way as on Switch A and are omitted here.
· Switch A
#
vlan 1
#
interface Vlan-interface1
ip address 2.2.2.1 255.255.255.0
ipsec apply policy map1
#
acl number 3101
rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
#
local-user ftp class manage
password hash $h$6$amh8I6+/j6x03x7t$lrP/4F6Xrg6zIZXoXPAxthwntD4fNjRMkoQBsL2PBnN/E0epHve0jNI5Od1v8a/wJqezOpmLN1+hf5KH5SX41w==
service-type ftp
authorization-attribute work-directory flash:/
authorization-attribute user-role network-operator
authorization-attribute user-role network-admin
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
transform-set tran1
security acl 3101
remote-address 2.2.3.1
sa spi inbound esp 54321
sa string-key inbound esp cipher $c$3$rXNId7KfWdMTuvtKJz4d/L1cfU3EHjyyg/M=
sa spi outbound esp 12345
sa string-key outbound esp cipher $c$3$itXmPlqD73B03dhD6AMAUkrM5iWwjIMoWwo=
#
· Switch B
#
vlan 1
#
interface Vlan-interface1
ip address 2.2.3.1 255.255.255.0
ipsec apply policy use1
#
acl number 3101
rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
transform-set tran1
security acl 3101
remote-address 2.2.2.1
sa spi inbound esp 12345
sa string-key inbound esp cipher $c$3$itXmPlqD73B03dhD6AMAUkrM5iWwjIMoWwo=
sa spi outbound esp 54321
sa string-key outbound esp cipher $c$3$rXNId7KfWdMTuvtKJz4d/L1cfU3EHjyyg/M=
#
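The two manual-SA configuration files above only work if they mirror each other: each side's outbound SPI and key must equal the peer's inbound SPI and key, remote-address must be the peer's interface address, and the applied policy name must actually be defined. The following Python check is added here as an example and is not part of the H3C document; it runs over constructed config excerpts that reuse the page's addresses, SPIs, policy names and plaintext keys (keys stored in cipher form cannot be compared textually, so the plaintext form stands in).

```python
import re

# Constructed running-config excerpts modelled on the page's manual-SA example
# (page's addresses, SPIs and policy names; plaintext keys stand in for cipher form).
SWITCH_A = """interface Vlan-interface1
 ip address 2.2.2.1 255.255.255.0
 ipsec apply policy map1
#
ipsec policy map1 10 manual
 remote-address 2.2.3.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp simple abcdefg
"""
SWITCH_B = """interface Vlan-interface1
 ip address 2.2.3.1 255.255.255.0
 ipsec apply policy use1
#
ipsec policy use1 10 manual
 remote-address 2.2.2.1
 sa spi inbound esp 12345
 sa string-key inbound esp simple abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp simple gfedcba
"""

def parse_peer(cfg):
    """Extract the fields a manual-SA peer check needs from one switch's config."""
    def first(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    peer = {
        "ip": first(r"^\s*ip address (\S+)"),
        "applied": first(r"^\s*ipsec apply policy (\S+)"),
        "defined": set(re.findall(r"^ipsec policy (\S+) \d+ manual", cfg, re.M)),
        "remote": first(r"^\s*remote-address (\S+)"),
    }
    for d in ("inbound", "outbound"):
        peer["spi_" + d] = first(rf"^\s*sa spi {d} esp (\d+)")
        peer["key_" + d] = first(rf"^\s*sa string-key {d} esp simple (\S+)")
    return peer

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between the two ends; empty means they mirror."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    findings = []
    for name, side in (("A", a), ("B", b)):
        if side["applied"] not in side["defined"]:
            findings.append(f"{name}: applied policy {side['applied']} is not defined")
    if a["remote"] != b["ip"] or b["remote"] != a["ip"]:
        findings.append("remote-address does not match the peer's interface address")
    if a["spi_outbound"] != b["spi_inbound"] or b["spi_outbound"] != a["spi_inbound"]:
        findings.append("outbound/inbound SPIs are not mirrored between the peers")
    if a["key_outbound"] != b["key_inbound"] or b["key_outbound"] != a["key_inbound"]:
        findings.append("outbound/inbound ESP keys are not mirrored between the peers")
    return findings
```

Feeding the check a Switch B file whose policy is defined as map1 but applied as use1 reproduces the kind of slip that leaves an interface with no working SA.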
Table 2 Applicable products and software versions
Product | Software version
S5830V2 & S5820V2 series Ethernet switches | Release 2208P01, Release 2210
As shown in Figure 2, an ACL-based IPsec tunnel is established between Switch A and Switch B to protect the traffic between them, so that Switch B can transfer its configuration file to Switch A securely. The requirements are as follows:
· Switch A enables the FTP server and creates a local user of the FTP type (with a username, a password, and the authorized user role network-admin).
· Switch B, as the FTP client, uploads the configuration file basic.cfg from its root directory to the root directory of Switch A and saves it as remotebasic.cfg.
· The IPsec tunnel between Switch A and Switch B uses an IPsec policy established through IKE, the default IKE proposal, and the pre-shared key authentication method.
Figure 2 Network diagram for establishing an ACL-based IPsec tunnel through IKE
Establishing an IPsec tunnel based on an ACL means that the ACL specifies the range of traffic to be protected. In this example the traffic to protect is the flow between Switch A and Switch B, so Switch A needs an ACL rule permitting packets from Switch A (2.2.2.1) to Switch B (2.2.3.1), and Switch B needs an ACL rule permitting packets from Switch B (2.2.3.1) to Switch A (2.2.2.1). An IPsec policy is then configured on each switch and applied to interface Vlan-interface 1 to complete the IPsec configuration.
The ACL referenced in an IPsec policy filters both the inbound and the outbound traffic of the interface.
Make sure Switch A and Switch B are reachable to each other.
(1) Configure Switch A
# Assign an IP address to Vlan-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# On Switch A, create a local user of the FTP type with the password QQwwee12345^&*(), authorize it the user role network-admin, and set its working directory to the root directory of the device.
[SwitchA] local-user ftp class manage
New local user added.
[SwitchA-luser-manage-ftp] password simple QQwwee12345^&*()
[SwitchA-luser-manage-ftp] authorization-attribute user-role network-admin
[SwitchA-luser-manage-ftp] authorization-attribute work-directory flash:/
[SwitchA-luser-manage-ftp] service-type ftp
[SwitchA-luser-manage-ftp] quit
# Enable the FTP server on Switch A.
[SwitchA] ftp server enable
# Configure ACL 3101 to define the traffic from Switch A to Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit
# Configure transform set tran1.
[SwitchA] ipsec transform-set tran1
# Set the encapsulation mode for IP packets to tunnel mode.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Set the security protocol to ESP.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Set the ESP encryption algorithm to AES-CBC-192 and the ESP authentication algorithm to HMAC-SHA1.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Configure the pre-shared key used with the peer at 2.2.3.1 as the plaintext string 12345zxcvb!@#$%ZXCVB.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[SwitchA] ike profile profile1
# Reference IKE keychain keychain1.
[SwitchA-ike-profile-profile1] keychain keychain1
# Configure the peer identity matching rule to match IP address 2.2.3.1/24.
[SwitchA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IKE-negotiated IPsec policy named map1 with sequence number 10.
[SwitchA] ipsec policy map1 10 isakmp
# Specify 2.2.3.1 as the remote IP address of the IPsec tunnel.
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
# Reference ACL 3101.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference transform set tran1.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Reference IKE profile profile1.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy to Vlan-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
(2) Configure Switch B
# Assign an IP address to Vlan-interface 1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure ACL 3101 to define the traffic from Switch B to Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the encapsulation mode for IP packets to tunnel mode.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Set the security protocol to ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Set the ESP encryption algorithm to AES-CBC-192 and the ESP authentication algorithm to HMAC-SHA1.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchB] ike keychain keychain1
# Configure the pre-shared key used with the peer at 2.2.2.1 as the plaintext string 12345zxcvb!@#$%ZXCVB.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[SwitchB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[SwitchB] ike profile profile1
# Reference IKE keychain keychain1.
[SwitchB-ike-profile-profile1] keychain keychain1
# Configure the peer identity matching rule to match IP address 2.2.2.1/24.
[SwitchB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IKE-negotiated IPsec policy named use1 with sequence number 10.
[SwitchB] ipsec policy use1 10 isakmp
# Specify 2.2.2.1 as the remote IP address of the IPsec tunnel.
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
# Reference ACL 3101.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Reference transform set tran1.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Reference IKE profile profile1.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy to Vlan-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
[SwitchB-Vlan-interface1] quit
[SwitchB] quit
# Log in to Switch A with the username ftp and the password QQwwee12345^&*().
<SwitchB> ftp 2.2.2.1
Connected to 2.2.2.1 (2.2.2.1).
220 FTP service ready.
User (2.2.2.1:(none)): ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
# Set the FTP file transfer mode to ASCII.
ftp> ascii
200 TYPE is now ASCII
# Upload basic.cfg and save it as remotebasic.cfg.
ftp> put basic.cfg remotebasic.cfg
227 Entering Passive Mode (2,2,2,1,97,0)
150 Accepted data connection
226 File successfully transferred
4209754 bytes sent in 7.7 seconds (510.3 kbyte/s)
# Terminate the connection to the FTP server Switch A and return to user view.
ftp> bye
221-Goodbye. You uploaded 7813 and downloaded 0 kbytes.
221 Logout.
<SwitchB>
After the configuration is complete, the dir command on Switch A shows the file remotebasic.cfg in the root directory of the device, which indicates that Switch B has transferred its configuration file to Switch A.
# Display the IKE proposals on Switch A and Switch B. Because no IKE proposal has been configured, only the default IKE proposal is displayed.
[SwitchA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[SwitchB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
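The default proposal shown above negotiates phase 1 with DES-CBC and Diffie-Hellman group 1, primitives that current guidance treats as retired, so a defender reviewing this output would want that flagged before the tunnel carries production traffic. The following Python check is added here as an example and is not part of the H3C document; it parses a constructed copy of the display ike proposal output and reports weak primitives (the baseline sets are an assumption to be aligned with local policy).

```python
import re

# Constructed copy of the `display ike proposal` output shown in the document:
# no proposal was configured, so only the default one is listed.
IKE_PROPOSAL_OUTPUT = """\
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
"""

# One data row: priority, auth method, hash, cipher, DH group ("Group N"), lifetime.
# The two header lines and the separator do not fit this shape and are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(Group \d+)\s+(\d+)\s*$")

# Baseline used by this check (assumption: adjust to the organisation's policy).
# DES has a 56-bit key, 3DES a 64-bit block, and DH groups 1/2 are 768/1024-bit
# MODP; all of them are retired by current IKE guidance.
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}
WEAK_DH_GROUPS = {"Group 1", "Group 2"}
WEAK_HASH = {"MD5"}

def parse_proposals(text):
    """Turn the data rows of `display ike proposal` output into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prio, auth, hsh, enc, group, secs = m.groups()
            rows.append({"priority": prio, "auth": auth, "hash": hsh,
                         "encryption": enc, "dh_group": group, "duration": int(secs)})
    return rows

def audit_proposals(text):
    """Return one finding per weak primitive; an empty list means nothing flagged."""
    findings = []
    for p in parse_proposals(text):
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"{p['priority']}: encryption {p['encryption']} is weak")
        if p["dh_group"] in WEAK_DH_GROUPS:
            findings.append(f"{p['priority']}: {p['dh_group']} is too small")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{p['priority']}: hash {p['hash']} is weak")
    return findings
```

On the page's default proposal the audit reports both the DES-CBC cipher and DH group 1; a proposal using AES-CBC-256 with group 14 passes clean.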
# Display the IKE SA created on Switch A after IKE phase 1 negotiation succeeds.
[SwitchA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.3.1 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Display the IPsec SAs created on Switch A by IKE phase 2 negotiation.
[SwitchA] display ipsec sa
-------------------------------
Interface: Vlan-interface1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1427
Tunnel:
local address: 2.2.2.1
remote address: 2.2.3.1
Flow:
sour addr: 2.2.2.1/255.255.255.255 port: 0 protocol: 0
dest addr: 2.2.3.1/255.255.255.255 port: 0 protocol: 0
[Inbound ESP SAs]
SPI: 3491473451 (0xd01ba82b)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3484
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for nat traversal: N
Status: active
[Outbound ESP SAs]
SPI: 399193207 (0x17cb3477)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843198/3484
Max sent sequence-number: 11
UDP encapsulation used for nat traversal: N
Status: active
# Display the IKE SA created on Switch B after IKE phase 1 negotiation succeeds.
[SwitchB] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.1 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Display the IPsec SAs created on Switch B by IKE phase 2 negotiation.
[SwitchB] display ipsec sa
-------------------------------
Interface: Vlan-interface1
-------------------------------
-----------------------------
IPsec policy: use1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1427
Tunnel:
local address: 2.2.3.1
remote address: 2.2.2.1
Flow:
sour addr: 2.2.3.1/255.255.255.255 port: 0 protocol: 0
dest addr: 2.2.2.1/255.255.255.255 port: 0 protocol: 0
[Inbound ESP SAs]
SPI: 399193207 (0x17cb3477)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843198/3135
Max received sequence-number: 11
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for nat traversal: N
Status: active
[Outbound ESP SAs]
SPI: 3491473451 (0xd01ba82b)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3135
Max sent sequence-number: 4
UDP encapsulation used for nat traversal: N
Status: active
· Switch A
#
vlan 1
#
interface Vlan-interface1
ip address 2.2.2.1 255.255.255.0
ipsec apply policy map1
#
acl number 3101
rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
#
local-user ftp class manage
password hash $h$6$amh8I6+/j6x03x7t$lrP/4F6Xrg6zIZXoXPAxthwntD4fNjRMkoQBsL2PBnN/E0epHve0jNI5Od1v8a/wJqezOpmLN1+hf5KH5SX41w==
service-type ftp
authorization-attribute work-directory flash:/
authorization-attribute user-role network-operator
authorization-attribute user-role network-admin
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3101
remote-address 2.2.3.1
ike-profile profile1
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.3.1 255.255.255.0
#
ike keychain keychain1
pre-shared-key address 2.2.3.1 255.255.255.0 key cipher $c$3$p6g9j9AdHRhonMmm2DPiD+h072CimdWt/DFy5AFFDMXjd3LNuh6n
#
· Switch B
#
vlan 1
#
interface Vlan-interface1
ip address 2.2.3.1 255.255.255.0
ipsec apply policy use1
#
acl number 3101
rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
#
ipsec transform-set tran1
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
transform-set tran1
security acl 3101
remote-address 2.2.2.1
ike-profile profile1
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.2.1 255.255.255.0
#
ike keychain keychain1
pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $c$3$swMEtAyl3cCez0qj3V2ML1NWrx3fMy0YxI0FfXXTNXPbcGxtQJHK
#
Documentation for different models and specifications may differ slightly; for details, contact your sales representative or the 400 service hotline. H3C reserves the right to modify the contents of this documentation without any notice.