22-H3C VSR1000 Virtual Router IPsec Configuration Examples
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced, or distributed in any form by any entity or individual without the prior written consent of the company. The information in this document is subject to change without notice.
This document describes typical IPsec configuration examples.
This document does not strictly correspond to a specific software version. If you find differences between the document and the product during use, refer to the relevant product manual or follow the actual behavior of the device.
All configurations in this document were performed and verified in a lab environment, with every device parameter at its factory default before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples.
This document assumes that you are familiar with the IPsec feature.
As shown in Figure 1, the PPP user Host establishes an L2TP tunnel with Device, and Windows Server 2003 acts as the CA server. The requirements are:
· Access the Corporate network through the L2TP tunnel.
· Encrypt the data of the L2TP tunnel with IPsec.
· Establish the IPsec tunnel using RSA certificate authentication.
Figure 1 Network diagram for certificate-authenticated L2TP over IPsec
Because certificate authentication is used to establish the IPsec tunnel, local-identity must be set to dn in the IKE profile, so that the local identity is taken from the subject field of the local certificate.
This example was configured and verified on version E0301.
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<Device> system-view
[Device] interface gigabitethernet 1/0
[Device-GigabitEthernet1/0] ip address 192.168.100.50 24
[Device-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[Device] interface gigabitethernet 2/0
[Device-GigabitEthernet2/0] ip address 102.168.1.11 24
[Device-GigabitEthernet2/0] quit
# Configure the IP address of interface GigabitEthernet3/0.
[Device] interface gigabitethernet 3/0
[Device-GigabitEthernet3/0] ip address 192.168.1.1 24
[Device-GigabitEthernet3/0] quit
(2) Configure L2TP
# Create the local PPP user l2tpuser with the password hello.
[Device] local-user l2tpuser class network
[Device-luser-network-l2tpuser] password simple hello
[Device-luser-network-l2tpuser] service-type ppp
[Device-luser-network-l2tpuser] quit
# Configure ISP domain system to use local authentication for PPP users.
[Device] domain system
[Device-isp-system] authentication ppp local
[Device-isp-system] quit
# Enable the L2TP service.
[Device] l2tp enable
# Create interface Virtual-Template0 and assign it the IP address 172.16.0.1/24.
[Device] interface virtual-template 0
[Device-Virtual-Template0] ip address 172.16.0.1 255.255.255.0
# Set the PPP authentication mode to PAP.
[Device-Virtual-Template0] ppp authentication-mode pap
# Set the IP address assigned to the PPP user to 172.16.0.2.
[Device-Virtual-Template0] remote address 172.16.0.2
[Device-Virtual-Template0] quit
# Create L2TP group 1 in LNS mode.
[Device] l2tp-group 1 mode lns
# Set the local tunnel name on the LNS side to lns.
[Device-l2tp1] tunnel name lns
# Disable L2TP tunnel authentication.
[Device-l2tp1] undo tunnel authentication
# Specify VT0 as the virtual-template interface that accepts calls.
[Device-l2tp1] allow l2tp virtual-template 0
[Device-l2tp1] quit
(3) Configure the PKI certificate
# Configure the PKI entity security.
[Device] pki entity security
[Device-pki-entity-security] common-name device
[Device-pki-entity-security] quit
# Create a PKI domain.
[Device] pki domain headgate
[Device-pki-domain-headgate] ca identifier LYQ
[Device-pki-domain-headgate] certificate request url http://192.168.1.51/certsrv/mscep/mscep.dll
[Device-pki-domain-headgate] certificate request from ra
[Device-pki-domain-headgate] certificate request entity security
[Device-pki-domain-headgate] undo crl check enable
[Device-pki-domain-headgate] public-key rsa general name abc length 1024
[Device-pki-domain-headgate] quit
# Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.++++++
Create the key pair successfully.
# Retrieve the CA certificate and download it to the local device.
[Device] pki retrieve-certificate domain headgate ca
The trusted CA's finger print is:
MD5 fingerprint:8649 7A4B EAD5 42CF 5031 4C99 BFS3 2A99
SHA1 fingerprint:61A9 6034 181E 6502 12FA 5A5F BA12 0EA0 5187 031C
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Request a local certificate manually.
[Device] pki request-certificate domain headgate
Start to request general certificate ...
Certificate requested successfully.
(4) Configure the IPsec tunnel
# Create an IKE proposal.
[Device] ike proposal 1
[Device-ike-proposal-1] authentication-method rsa-signature
[Device-ike-proposal-1] encryption-algorithm 3des-cbc
[Device-ike-proposal-1] dh group2
[Device-ike-proposal-1] quit
# Configure an IPsec transform set.
[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[Device-ipsec-transform-set-tran1] quit
# Configure an IKE profile.
[Device] ike profile profile1
[Device-ike-profile-profile1] local-identity dn
[Device-ike-profile-profile1] certificate domain headgate
[Device-ike-profile-profile1] proposal 1
[Device-ike-profile-profile1] match remote certificate device
[Device-ike-profile-profile1] quit
# Specify that, when digital signature authentication is used, the local identity is always taken from the subject field of the local certificate.
[Device] ike signature-identity from-certificate
# Create an IPsec policy template named template1 with sequence number 1.
[Device] ipsec policy-template template1 1
[Device-ipsec-policy-template-template1-1] transform-set tran1
[Device-ipsec-policy-template-template1-1] ike-profile profile1
[Device-ipsec-policy-template-template1-1] quit
# Create an IPsec policy named policy1 with sequence number 1 that references the IPsec policy template.
[Device] ipsec policy policy1 1 isakmp template template1
# Apply the IPsec policy to the interface.
[Device] interface gigabitethernet 2/0
[Device-GigabitEthernet2/0] ipsec apply policy policy1
[Device-GigabitEthernet2/0] quit
(1) Request a client certificate from the certificate server
# Log in to the certificate server at http://192.168.1.51/certsrv and click "Request a certificate".
Figure 1 Entering the certificate request page
# Click "Advanced certificate request".
Figure 2 Advanced certificate request
# Select the first option: Create and submit a request to this CA.
Figure 3 Creating and submitting a request to the CA
# Fill in the relevant information.
· For the type of certificate needed, select "Client Authentication Certificate";
· Under key options, select the "Mark keys as exportable" check box.
# Click <Submit>. A prompt box appears; select "Yes" in the dialog box.
# Click Install this certificate.
Figure 4 Installing the certificate
(2) Configure the iNode client (the iNode version used is iNode PC 5.2(E0409))
# Open the L2TP VPN connection and click "Properties…(Y)".
Figure 5 Opening the L2TP connection
# Enter the address of the LNS server, enable the IPsec security protocol, and select certificate authentication as the authentication method.
Figure 6 Basic configuration
# Click the <Advanced(C)> button, open the "L2TP Settings" tab, and set the L2TP parameters as shown in the figure below.
Figure 7 L2TP settings
# Click the "IPsec Settings" tab and configure the IPsec parameters.
Figure 8 IPsec parameter settings
# Click the "IKE Settings" tab and configure the IKE parameters.
Figure 9 IKE parameter settings
# Click the "Route Settings" tab and add a route to the Corporate network.
Figure 10 Route settings
# After completing the above configuration, click the <OK> button to return to the L2TP connection page.
# In the L2TP connection dialog box, enter the username "l2tpuser" and the password "hello", and click the <Connect> button.
Figure 11 Connecting L2TP
# In the dialog box that appears, select the certificate you requested and click the <OK> button.
Figure 12 Certificate selection
# The following figures show that the L2TP connection succeeded.
Figure 13 Connection succeeded
Figure 14 Connection succeeded
# Use the display ike sa command on Device to verify that the phase-1 SA of the IPsec tunnel has been established.
<Device> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
10 102.168.1.1 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Use the display ipsec sa command on Device to view the IPsec SA establishment status.
<Device> display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 102.168.1.11
remote address: 102.168.1.1
Flow:
sour addr: 102.168.1.11/255.255.255.255 port: 1701 protocol: udp
dest addr: 102.168.1.1/255.255.255.255 port: 0 protocol: udp
[Inbound ESP SAs]
SPI: 2187699078 (0x8265a386)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/3294
Max received sequence-number: 51
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3433374591 (0xcca5237f)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843197/3294
Max sent sequence-number: 52
UDP encapsulation used for NAT traversal: N
Status: Active
#
interface Virtual-Template0
ppp authentication-mode pap
remote address 172.16.0.2
ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0
ip address 192.168.100.50 255.255.255.0
#
interface GigabitEthernet2/0
ip address 102.168.1.11 255.255.255.0
ipsec apply policy policy1
#
interface GigabitEthernet3/0
ip address 192.168.1.1 255.255.255.0
#
domain system
authentication ppp local
#
local-user l2tpuser class network
password cipher $c$3$nl46fURLtkCkcbdnB6irTXma+E6u0c+h
service-type ppp
authorization-attribute user-role network-operator
#
pki domain headgate
ca identifier LYQ
certificate request url http://192.168.1.51/certsrv/mscep/mscep.dll
certificate request from ra
certificate request entity security
public-key rsa general name abc
undo crl check enable
#
pki entity security
common-name host
#
ipsec transform-set tran1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec policy-template template1 1
transform-set tran1
ike-profile profile1
#
ipsec policy policy1 1 isakmp template template1
#
l2tp-group 1 mode lns
allow l2tp virtual-template 0
undo tunnel authentication
tunnel name lns
#
l2tp enable
#
ike signature-identity from-certificate
#
ike profile profile1
certificate domain headgate
local-identity dn
match remote certificate device
proposal 1
#
ike proposal 1
authentication-method rsa-signature
encryption-algorithm 3des-cbc
dh group2
#
As shown in Figure 15, the enterprise remote office network connects to the enterprise headquarters through an IPsec VPN. The requirement is to transmit the IPsec-encrypted data between the two networks over a GRE tunnel.
· To have the data processed by IPsec first and then encapsulated by GRE, the ACL must match the original (unencapsulated) traffic, and IPsec must be applied to the GRE tunnel interface.
· To have the data transmitted between the networks encapsulated by IPsec first and then by GRE, the remote IP address of the IPsec tunnel must be set to the GRE tunnel interface address.
This example was configured and verified on version E0301.
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0
[DeviceA-GigabitEthernet1/0] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0] tcp mss 1350
[DeviceA-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceA] interface gigabitethernet 2/0
[DeviceA-GigabitEthernet2/0] ip address 202.115.22.48 255.255.255.0
[DeviceA-GigabitEthernet2/0] quit
(2) Configure the GRE tunnel
# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre
# Assign Tunnel0 the IP address 10.1.1.1/24.
[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0
# Set the source address of Tunnel0 to 202.115.22.48/24 (the IP address of GigabitEthernet2/0 on Device A).
[DeviceA-Tunnel0] source 202.115.22.48
# Set the destination address of Tunnel0 to 202.115.24.50/24 (the IP address of GigabitEthernet2/0 on Device B).
[DeviceA-Tunnel0] destination 202.115.24.50
[DeviceA-Tunnel0] quit
# Configure a static route from Device A through Tunnel0 to the Remote office network.
[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0
(3) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 10.1.1.2 255.255.255.0 key simple 123
[DeviceA-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 10.1.1.2
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to the GRE tunnel interface.
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] ipsec apply policy policy1
[DeviceA-Tunnel0] quit
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0
[DeviceB-GigabitEthernet1/0] ip address 192.168.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0] tcp mss 1350
[DeviceB-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceB] interface gigabitethernet 2/0
[DeviceB-GigabitEthernet2/0] ip address 202.115.24.50 255.255.255.0
[DeviceB-GigabitEthernet2/0] quit
(2) Configure the GRE tunnel
# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre
# Assign Tunnel0 the IP address 10.1.1.2/24.
[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0
# Set the source address of Tunnel0 to 202.115.24.50/24 (the IP address of GigabitEthernet2/0 on Device B).
[DeviceB-Tunnel0] source 202.115.24.50
# Set the destination address of Tunnel0 to 202.115.22.48/24 (the IP address of GigabitEthernet2/0 on Device A).
[DeviceB-Tunnel0] destination 202.115.22.48
[DeviceB-Tunnel0] quit
# Configure a static route from Device B through Tunnel0 to the Corporate network.
[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0
(3) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 10.1.1.1 255.255.255.0 key simple 123
[DeviceB-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[DeviceB-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 10.1.1.1
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to the GRE tunnel interface.
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] ipsec apply policy policy1
[DeviceB-Tunnel0] quit
# Take communication initiated by host 192.168.1.2 on the Corporate network to host 192.168.2.2 on the Remote office network as an example. Pinging 192.168.2.2 from 192.168.1.2 triggers IPsec negotiation and establishes the IPsec tunnel; once the tunnel is established, the ping succeeds.
C:\Users\corporatenetwork> ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# Use the display ike sa command on Device A to verify that the phase-1 SA has been established.
<DeviceA> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 10.1.1.2 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Use the display ipsec sa command on Device A to view the IPsec SA establishment status.
<DeviceA> display ipsec sa
-------------------------------
Interface: Tunnel0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1419
Tunnel:
local address: 10.1.1.1
remote address: 10.1.1.2
Flow:
sour addr: 192.168.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 192.168.2.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3128557135 (0xba79fe4f)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3550
Max received sequence-number: 3
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2643166978 (0x9d8b8702)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3550
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
# Use the display interface tunnel 0 command on Device A to view the traffic transmitted over the GRE tunnel.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.1.1/24 Primary
Tunnel source 202.115.22.48, destination 202.115.24.50
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 40 packets, 3300 bytes, 0 drops
Output: 41 packets, 3464 bytes, 0 drops
# Verifying communication initiated from a host on the Remote office network to a host on the Corporate network follows the same method and is not repeated here.
· Device A:
#
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
tcp mss 1350
#
interface GigabitEthernet2/0
ip address 202.115.22.48 255.255.255.0
#
interface Tunnel0 mode gre
ip address 10.1.1.1 255.255.255.0
source 202.115.22.48
destination 202.115.24.50
ipsec apply policy policy1
#
ip route-static 192.168.2.0 24 Tunnel0
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 10.1.1.2
#
ike keychain keychain1
pre-shared-key address 10.1.1.2 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
· Device B:
#
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
tcp mss 1350
#
interface GigabitEthernet2/0
ip address 202.115.24.50 255.255.255.0
#
interface Tunnel0 mode gre
ip address 10.1.1.2 255.255.255.0
source 202.115.24.50
destination 202.115.22.48
ipsec apply policy policy1
#
ip route-static 192.168.1.1 24 Tunnel0
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 10.1.1.1
#
ike keychain keychain1
pre-shared-key address 10.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
As shown in Figure 16, the enterprise remote office network exchanges data with the enterprise headquarters over a GRE tunnel. The requirement is to encrypt the data passing through the GRE tunnel with IPsec.
· To encrypt the GRE-encapsulated data with IPsec, apply the IPsec policy to the physical interface, with the ACL source and destination addresses set to the physical interface addresses.
· For IPsec to protect the entire GRE tunnel, the interface to which the IPsec policy is applied must be the same interface that serves as the GRE tunnel source and destination.
This example was configured and verified on version E0301.
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0
[DeviceA-GigabitEthernet1/0] ip address 192.168.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceA] interface gigabitethernet 2/0
[DeviceA-GigabitEthernet2/0] ip address 202.115.22.48 255.255.255.0
[DeviceA-GigabitEthernet2/0] quit
(2) Configure the GRE tunnel
# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre
# Assign Tunnel0 the IP address 10.1.1.1/24.
[DeviceA-Tunnel0] ip address 10.1.1.1 255.255.255.0
# Set the source address of Tunnel0 to 202.115.22.48/24 (the IP address of GigabitEthernet2/0 on Device A).
[DeviceA-Tunnel0] source 202.115.22.48
# Set the destination address of Tunnel0 to 202.115.24.50/24 (the IP address of GigabitEthernet2/0 on Device B).
[DeviceA-Tunnel0] destination 202.115.24.50
[DeviceA-Tunnel0] quit
# Configure a static route from Device A through Tunnel0 to the Remote office network.
[DeviceA] ip route-static 192.168.2.1 255.255.255.0 tunnel 0
(3) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 202.115.24.50 255.255.255.0 key simple 123
[DeviceA-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit gre source 202.115.22.48 0 destination 202.115.24.50 0
[DeviceA-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 202.115.24.50
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to interface GigabitEthernet2/0.
[DeviceA] interface gigabitethernet 2/0
[DeviceA-GigabitEthernet2/0] ipsec apply policy policy1
[DeviceA-GigabitEthernet2/0] quit
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0
[DeviceB-GigabitEthernet1/0] ip address 192.168.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceB] interface gigabitethernet 2/0
[DeviceB-GigabitEthernet2/0] ip address 202.115.24.50 255.255.255.0
[DeviceB-GigabitEthernet2/0] quit
(2) Configure the GRE tunnel
# Create interface Tunnel0 and set the tunnel mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre
# Assign Tunnel0 the IP address 10.1.1.2/24.
[DeviceB-Tunnel0] ip address 10.1.1.2 255.255.255.0
# Set the source address of Tunnel0 to 202.115.24.50/24 (the IP address of GigabitEthernet2/0 on Device B).
[DeviceB-Tunnel0] source 202.115.24.50
# Set the destination address of Tunnel0 to 202.115.22.48/24 (the IP address of GigabitEthernet2/0 on Device A).
[DeviceB-Tunnel0] destination 202.115.22.48
[DeviceB-Tunnel0] quit
# Configure a static route from Device B through Tunnel0 to the Corporate network.
[DeviceB] ip route-static 192.168.1.1 255.255.255.0 tunnel 0
(3) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 202.115.22.48 255.255.255.0 key simple 123
[DeviceB-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit gre source 202.115.24.50 0 destination 202.115.22.48 0
[DeviceB-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 202.115.22.48
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to interface GigabitEthernet2/0.
[DeviceB] interface gigabitethernet 2/0
[DeviceB-GigabitEthernet2/0] ipsec apply policy policy1
[DeviceB-GigabitEthernet2/0] quit
# Take communication initiated by host 192.168.1.2 on the Corporate network to host 192.168.2.2 on the Remote office network as an example. Pinging 192.168.2.2 from 192.168.1.2 triggers IPsec negotiation and establishes the IPsec tunnel; once the tunnel is established, the ping succeeds.
C:\Users\corporatenetwork> ping 192.168.2.2
Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# Use the display ike sa command on Device A to verify that the phase-1 SA has been established.
<DeviceA> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
2 202.115.22.49 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Use the display ipsec sa command on Device A to view the IPsec SA establishment status.
<DeviceA> display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 202.115.22.48
remote address: 202.115.24.50
Flow:
sour addr: 202.115.22.48/255.255.255.255 port: 0 protocol: gre
dest addr: 202.115.24.50/255.255.255.255 port: 0 protocol: gre
[Inbound ESP SAs]
SPI: 2130348402 (0x7efa8972)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Max received sequence-number: 3
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2811839266 (0xa7994322)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
# Use the display interface tunnel 0 command on Device A to view the traffic transmitted over the GRE tunnel.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.1.1/24 Primary
Tunnel source 202.115.22.48, destination 202.115.24.50
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 43 packets, 3480 bytes, 0 drops
Output: 45 packets, 3740 bytes, 2 drops
# Verifying communication initiated from a host on the Remote office network to a host on the Corporate network follows the same method and is not repeated here.
· Device A:
#
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0
ip address 202.115.22.48 255.255.255.0
ipsec apply policy policy1
#
interface Tunnel0 mode gre
ip address 10.1.1.1 255.255.255.0
source 202.115.22.48
destination 202.115.24.50
#
ip route-static 192.168.2.0 24 Tunnel0
#
acl number 3000
rule 0 permit gre source 202.115.22.48 0 destination 202.115.24.50 0
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 202.115.24.50
#
ike keychain keychain1
pre-shared-key address 202.115.24.50 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
· Device B:
#
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0
ip address 202.115.24.50 255.255.255.0
ipsec apply policy policy1
#
interface Tunnel0 mode gre
ip address 10.1.1.2 255.255.255.0
source 202.115.24.50
destination 202.115.22.48
#
ip route-static 192.168.1.1 24 Tunnel0
#
acl number 3000
rule 0 permit gre source 202.115.24.50 0 destination 202.115.22.48 0
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 202.115.22.48
#
ike keychain keychain1
pre-shared-key address 202.115.22.48 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
In the network shown in Figure 17, the requirements are:
· Establish an IPsec tunnel between Device A and Device B to protect the data flow between the subnet of Host A (10.1.1.0/24) and the subnet of Host B (10.1.2.0/24).
· Device B connects to the Internet over two links; configure the same IPsec tunnel on both links so that they back each other up.
· Use IKE to negotiate SAs automatically, with ESP as the security protocol, DES as the encryption algorithm, and SHA1-HMAC-96 as the authentication algorithm.
· On Device B, configure a shared-source-interface IPsec policy so that data flows switch smoothly between interfaces.
Figure 17 Network diagram for IPsec dual tunnels protecting the same flow
This example was configured and verified on version E0301.
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0
[DeviceA-GigabitEthernet1/0] ip address 2.2.1.2 255.255.255.0
[DeviceA-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceA] interface gigabitethernet 2/0
[DeviceA-GigabitEthernet2/0] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet2/0] quit
# Configure static routes to network 10.1.2.0.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.3
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 4.4.4.5
# Configure static routes to interface Loopback0 on Device B.
[DeviceA] ip route-static 3.3.3.3 255.255.255.255 2.2.2.3
[DeviceA] ip route-static 3.3.3.3 255.255.255.255 4.4.4.5
(2) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 3.3.3.3 255.255.255.255 key simple 123
[DeviceA-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 3.3.3.3
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to interface GigabitEthernet1/0.
[DeviceA] interface gigabitethernet 1/0
[DeviceA-GigabitEthernet1/0] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0] quit
(1) Configure IP addresses for the interfaces
# Configure the IP address of interface GigabitEthernet1/0.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0
[DeviceB-GigabitEthernet1/0] ip address 2.2.2.3 255.255.255.0
[DeviceB-GigabitEthernet1/0] quit
# Configure the IP address of interface GigabitEthernet2/0.
[DeviceB] interface gigabitethernet 2/0
[DeviceB-GigabitEthernet2/0] ip address 4.4.4.5 255.255.255.0
[DeviceB-GigabitEthernet2/0] quit
# Configure the IP address of interface GigabitEthernet3/0.
[DeviceB] interface gigabitethernet 3/0
[DeviceB-GigabitEthernet3/0] ip address 10.1.2.1 255.255.255.0
[DeviceB-GigabitEthernet3/0] quit
# Configure the IP address of interface Loopback 0.
[DeviceB] interface loopback 0
[DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.0
[DeviceB-LoopBack0] quit
# Configure static routes to network 10.1.1.0.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 1/0 2.2.1.2
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 2/0 2.2.1.2
(2) Configure the IPsec VPN
# Configure an IKE keychain.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 2.2.1.2 255.255.255.0 key simple 123
[DeviceB-ike-keychain-keychain1] quit
# Create ACL 3000 to define the data flow to be protected by IPsec.
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-adv-3000] quit
# Configure an IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] remote-address 2.2.1.2
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy to interface GigabitEthernet1/0.
[DeviceB] interface gigabitethernet 1/0
[DeviceB-GigabitEthernet1/0] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0] quit
# Apply the IPsec policy to interface GigabitEthernet2/0.
[DeviceB] interface gigabitethernet 2/0
[DeviceB-GigabitEthernet2/0] ipsec apply policy policy1
[DeviceB-GigabitEthernet2/0] quit
# Configure IPsec policy policy1 as a shared-source-interface policy, with Loopback0 as the shared source interface.
[DeviceB] ipsec policy policy1 local-address loopback 0
# Pinging Host B from Host A triggers IPsec negotiation and establishes the IPsec tunnel; once the tunnel is established, the ping succeeds.
C:\Users\hosta> ping 10.1.2.2
Pinging 10.1.2.2 with 32 bytes of data:
Request timed out.
Reply from 10.1.2.2: bytes=32 time=3ms TTL=126
Reply from 10.1.2.2: bytes=32 time=1ms TTL=126
Reply from 10.1.2.2: bytes=32 time=5ms TTL=126
Ping statistics for 10.1.2.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 5ms, Average = 3ms
# Use the display ike sa command on Device A to verify that the phase-1 SA has been established.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
9 3.3.3.3 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Use the display ipsec sa command on Device A to view the IPsec SA establishment status.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 2.2.1.2
remote address: 3.3.3.3
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1851852454 (0x6e6106a6)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3035
Max received sequence-number: 3
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 718692851 (0x2ad661f3)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3035
Max sent sequence-number: 3
UDP encapsulation used for NAT traversal: N
Status: Active
# Verifying communication initiated from Host B to Host A follows the same method and is not repeated here.
· Device A:
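Every verification section in this guide reads the display ipsec sa output by eye. The script below is an added example (not part of the H3C guide) that parses that output layout, using a constructed sample modelled on the GRE-over-IPsec output, and reports what a reviewer checks: both ESP directions Active, anti-replay enabled, PFS negotiated, and no DES or 3DES transform set.

```python
"""Parse H3C 'display ipsec sa' output and audit the negotiated SAs.
Added example for this guide, not H3C code; field names are the labels the command prints."""
import re

# Constructed sample in the layout shown by the guide; not captured from a live device.
SAMPLE = """\
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: isakmp
-----------------------------
Encapsulation mode: tunnel
Perfect forward secrecy:
Tunnel:
local address: 202.115.22.48
remote address: 202.115.24.50
Flow:
sour addr: 202.115.22.48/255.255.255.255 port: 0 protocol: gre
dest addr: 202.115.24.50/255.255.255.255 port: 0 protocol: gre
[Inbound ESP SAs]
SPI: 2130348402 (0x7efa8972)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Anti-replay check enable: Y
Anti-replay window size: 64
Status: Active
[Outbound ESP SAs]
SPI: 2811839266 (0xa7994322)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3573
Status: Active
"""

# Prefixes of the transform-set names the device prints for ciphers a reviewer should flag.
WEAK_ENCRYPT = ("ESP-ENCRYPT-DES-", "ESP-ENCRYPT-3DES-")

FLOW_RE = re.compile(r"(\S+)/(\S+) port: (\d+) protocol: (\S+)")


def parse_flow(value):
    """Turn 'addr/mask port: N protocol: P' into a dict."""
    m = FLOW_RE.match(value)
    if not m:
        raise ValueError("unrecognised flow line: " + value)
    return {"addr": m.group(1), "mask": m.group(2),
            "port": int(m.group(3)), "proto": m.group(4)}


def parse_ipsec_sa(text):
    """Return policy metadata, tunnel endpoints, flow selectors and per-direction SAs."""
    info = {"flow": {}, "sas": {}}
    current = None  # None while in the header, otherwise 'inbound' or 'outbound'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # separator rules carry no data
        m = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if m:
            current = m.group(1).lower()
            info["sas"][current] = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("sour addr", "dest addr"):
            info["flow"]["src" if key == "sour addr" else "dst"] = parse_flow(value)
        elif current is None:
            info[key] = value
        else:
            info["sas"][current][key] = value
    return info


def audit_ipsec_sa(info):
    """Return the findings a reviewer would raise for this SA pair (empty list if clean)."""
    findings = []
    for direction in ("inbound", "outbound"):
        sa = info["sas"].get(direction)
        if sa is None:
            findings.append(f"no {direction} ESP SA")
            continue
        if sa.get("Status") != "Active":
            findings.append(f"{direction} SA status is {sa.get('Status')!r}")
        ts = sa.get("Transform set", "")
        if any(w in ts for w in WEAK_ENCRYPT):
            findings.append(f"{direction} SA uses a weak cipher: {ts}")
        if direction == "inbound" and sa.get("Anti-replay check enable") != "Y":
            findings.append("anti-replay check disabled on inbound SA")
    # The guide's output shows an empty value after 'Perfect forward secrecy:' when PFS is off.
    if not info.get("Perfect forward secrecy"):
        findings.append("PFS not negotiated")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec_sa(parse_ipsec_sa(SAMPLE)):
        print("FINDING:", finding)
```

Run against the guide's own outputs, the script flags the DES/3DES transform sets and the absent PFS in every example.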
#
interface GigabitEthernet1/0
ip address 2.2.1.2 255.255.255.0
ipsec apply policy policy1
#
interface GigabitEthernet2/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 3.3.3.3 32 2.2.2.3
ip route-static 3.3.3.3 32 4.4.4.5
ip route-static 10.1.2.0 24 2.2.2.3
ip route-static 10.1.2.0 24 4.4.4.5
#
acl number 3000
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 3.3.3.3
#
ike keychain keychain1
pre-shared-key address 3.3.3.3 255.255.255.255 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
· Device B:
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.0
#
interface GigabitEthernet1/0
ip address 2.2.2.3 255.255.255.0
ipsec apply policy policy1
#
interface GigabitEthernet2/0
ip address 4.4.4.5 255.255.255.0
ipsec apply policy policy1
#
interface GigabitEthernet3/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 24 GigabitEthernet1/0 2.2.1.2
ip route-static 10.1.1.0 24 GigabitEthernet2/0 2.2.1.2
#
acl number 3000
rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
transform-set tran1
security acl 3000
remote-address 2.2.1.2
#
ipsec policy policy1 local-address LoopBack0
#
ike keychain keychain1
pre-shared-key address 2.2.1.2 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==
#
· "Security Configuration Guide" in H3C VSR1000 Virtual Router Configuration Guides
· "Security Command Reference" in H3C VSR1000 Virtual Router Command References
· "Layer 3 - IP Services Configuration Guide" in H3C VSR1000 Virtual Router Configuration Guides
· "Layer 3 - IP Services Command Reference" in H3C VSR1000 Virtual Router Command References
· "Layer 2 - WAN Access Configuration Guide" in H3C VSR1000 Virtual Router Configuration Guides
· "Layer 2 - WAN Access Command Reference" in H3C VSR1000 Virtual Router Command References
Documentation for different models and specifications differs slightly; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of the documentation without notice.