- 产品与解决方案
- 行业解决方案
- 服务
- 支持
- 合作伙伴
- 关于我们
05-IPsec配置
本章节下载: 05-IPsec配置 (3.07 MB)
目 录
1.8.4 设置IPsec隧道模式下封装后外层IP头的DF位
1.11.1 网关与网关之间采用手工方式建立保护IPv4报文的IPsec隧道配置举例
1.11.2 网关与网关之间采用IKE方式建立保护IPv4报文的IPsec隧道配置举例(预共享密钥认证方式)
1.11.3 网关与网关之间采用IKE方式建立保护IPv4报文的IPsec隧道配置举例(RSA数字签名认证方式)
1.11.4 网关与网关之间采用IKE方式建立保护IPv4报文的IPsec隧道配置举例(SM2-DE数字信封认证方式)
1.11.5 网关与网关之间采用IKEv2方式建立保护IPv4报文的IPsec隧道配置举例(预共享密钥认证方式)
1.11.6 网关与网关之间采用IKEv2方式建立保护IPv4报文的IPsec隧道配置举例(RSA数字签名认证方式)
1.11.7 网关与网关之间存在NAT设备时采用IKE方式建立保护IPv4报文的IPsec隧道配置举例
1.11.8 网关与网关之间存在NAT设备时采用IKEv2方式建立保护IPv4报文的IPsec隧道配置举例
1.11.9 主机与网关之间采用IKE方式建立保护IPv4报文的IPsec隧道配置举例(远程扩展认证方式)
1.11.10 主机与网关之间采用IKE方式建立保护IPv4报文的IPsec隧道配置举例(本地扩展认证及地址授权方式)
1.11.11 网关与网关之间采用IKE方式建立保护IPv6报文的IPsec隧道配置举例
1.11.12 总部采用IPsec策略模板方式与分支建立保护IPv4报文的IPsec隧道配置举例
1.11.17 基于路由模式的总部采用双链路与分支建立IPsec隧道配置举例(基于NQA探测结果切换链路)
1.11.18 基于IPsec隧道接口建立保护IPv4报文的IPsec隧道配置举例
IPsec(IP Security,IP安全)是IETF制定的三层隧道加密协议,它为互联网上传输的数据提供了高质量的、基于密码学的安全保证,是一种传统的实现三层VPN(Virtual Private Network,虚拟专用网络)的安全技术。IPsec通过在特定通信方之间(例如两个安全网关之间)建立“通道”,来保护通信方之间传输的用户数据,该通道通常称为IPsec隧道。
根据组网方式不同,可以将IPsec分为点到点IPsec和点到多点IPsec,具体介绍如下:
· 点到点IPsec
点到点IPsec通过在两台设备之间建立一条专用的IPsec隧道,实现两个局域网(如总部与分支机构)之间的安全通信,确保数据在传输过程中经过加密和完整性保护。
图1-1 点到点IPsec示意图
· 点到多点IPsec
点到多点IPsec允许一个中心设备(如总部网关)同时与多个远端设备(如多个分支机构)建立独立的IPsec隧道,实现中心局域网与多个分支局域网之间的安全通信,确保数据在传输过程中经过加密和完整性保护。
图1-2 点到多点IPsec示意图
IPsec提供了两大安全机制:认证和加密。认证机制使IP通信的数据接收方能够确认数据发送方的真实身份以及数据在传输过程中是否遭篡改。加密机制通过对数据进行加密运算来保证数据的机密性,以防数据在传输过程中被窃听。
IPsec为IP层的数据报文提供的安全服务具体包括以下几种:
· 数据机密性(Confidentiality):发送方通过网络传输用户报文前,IPsec对报文进行加密。
· 数据完整性(Data Integrity):接收方对发送方发送来的IPsec报文进行认证,以确保数据在传输过程中没有被篡改。
· 数据来源认证(Data Origin Authentication):接收方认证发送IPsec报文的发送端是否合法。
· 抗重放(Anti-Replay):接收方可检测并拒绝接收过时或重复的IPsec报文。
IPsec可为IP层上的数据提供安全保护,其优点包括如下几个方面:
· 支持IKE(Internet Key Exchange,互联网密钥交换),可实现密钥的自动协商功能,减少了密钥协商的开销。可以通过IKE建立和维护SA(Security Association,安全联盟),简化了IPsec的使用和管理。
· 所有使用IP协议进行数据传输的应用系统和服务都可以使用IPsec,而不必对这些应用系统和服务本身做任何修改。
· 对数据的加密是以数据包为单位的,而不是以整个数据流为单位,这不仅灵活而且有助于进一步提高IP数据包的安全性,可以有效防范网络攻击。
SA(Security Association,安全联盟)是IPsec的基础,也是IPsec的本质。IPsec在两个端点之间提供安全通信,这类端点被称为IPsec对等体。SA是IPsec对等体间对某些要素的约定,例如,使用的安全协议(AH、ESP或两者结合使用)、协议报文的封装模式(传输模式或隧道模式)、认证算法(HMAC-MD5、HMAC-SHA1或SM3)、加密算法(DES、3DES、AES或SM)、特定流中保护数据的共享密钥以及密钥的生存时间等。
SA是单向的,在两个对等体之间的双向通信,最少需要两个SA来分别对两个方向的数据流进行安全保护。同时,如果两个对等体希望同时使用AH和ESP来进行安全通信,则每个对等体都会针对每一种协议来构建一个独立的SA。
SA由一个三元组来唯一标识,这个三元组包括SPI(Security Parameter Index,安全参数索引)、目的IP地址和安全协议号。其中,SPI是用于标识SA的一个32比特的数值,它在AH和ESP头中传输。
SA有手工配置和IKE自动协商两种生成方式:
· 手工方式:通过命令行配置SA的所有信息。该方式的配置比较复杂,而且不支持一些高级特性(例如定时更新密钥),优点是可以不依赖IKE而单独实现IPsec功能。该方式主要用于需要安全通信的对等体数量较少,或小型静态的组网环境中。
· IKE自动协商方式:对等体之间通过IKE协议自动协商生成SA,并由IKE协议维护该SA。该方式的配置相对比较简单,扩展能力强。在中、大型的动态网络环境中,推荐使用IKE自动协商建立SA。
手工方式建立的SA永不老化。通过IKE协商建立的SA具有生存时间,当生存时间到达时,旧的SA会被删除。
IKE协商建立的SA在生存时间到达前会提前协商一个新的SA来替换旧的SA。从SA建立到启动新SA协商的这段时间是软超时时间。缺省情况下,系统会基于SA的生存时间使用默认算法计算一个软超时时间。系统允许配置一个软超时缓冲来控制软超时时间,计算公式为:软超时时间=生存时间-软超时缓冲。
IKE协商建立的SA有两种形式的生存时间:
· 基于时间的生存时间,定义了一个SA从建立到删除的时间;
· 基于流量的生存时间,定义了一个SA允许处理的最大流量。
可同时存在基于时间和基于流量两种方式的SA生存时间,只要其中一种到达,就会删除旧的SA
IPsec协议不是一个单独的协议,它为IP层上的网络数据安全提供了一整套安全体系结构,包括安全协议AH(Authentication Header,认证头)和ESP(Encapsulating Security Payload,封装安全载荷)、IKE(Internet Key Exchange,互联网密钥交换)以及用于网络认证及加密的一些算法等。其中,AH协议和ESP协议用于提供安全服务,IKE协议用于密钥交换。关于IKE的详细介绍请参见“安全配置指导”中的“IKE”,本节不做介绍。
IPsec策略和IPsec安全框架用于在两个对等体之间建立IPsec隧道,保护两个对等体之间需要被安全防护的报文。
一个IPsec策略是若干具有相同名字、不同顺序号的IPsec策略表项的集合,IPsec策略被应用在接口上,用于控制对等体之间建立IPsec隧道,由ACL定义要保护的数据范围。IPsec策略主要定义了以下内容:
· 要保护的数据流的范围:由ACL定义。
· 对数据流实施何种保护:由IPsec安全提议定义。
· IPsec SA的生成方式:手工方式、IKE协商方式。
· 保护路径的起点或终点:即对等体的IP地址。
在同一个IPsec策略中,顺序号越小的IPsec策略表项优先级越高。当从一个接口发送数据时,接口将按照顺序号从小到大的顺序逐一匹配引用的IPsec策略中的每一条安全策略表项。如果数据匹配上了某一条安全策略表项引用的ACL,则停止匹配,并对其使用当前这条安全策略表项进行处理,即根据已经建立的IPsec SA或者触发IKE协商生成的IPsec SA对报文进行封装处理;如果数据与所有安全策略表项引用的ACL都不匹配,则直接被正常转发,IPsec不对数据加以保护。
应用了IPsec策略的接口收到数据报文时,对于目的地址是本机的IPsec报文,根据报文头里携带的SPI查找本地的IPsec SA,并根据匹配的IPsec SA对报文进行解封装处理;解封装后的IP报文若能与ACL的permit规则匹配上则采取后续处理,否则被丢弃。
IPsec策略除了可以应用到以太网接口等实际物理接口上之外,还能够应用到Tunnel、Virtual Template等虚接口上,对GRE、L2TP等流量进行保护。
IPsec安全框架(IPsec Profile)与IPsec策略类似,但不需要使用ACL指定要保护的数据流的范围。一个IPsec安全框架由名字唯一确定。IPsec安全框架包括如下两种:
· 手工方式的IPsec安全框架:定义了对数据流进行IPsec保护所使用的安全提议,以及SA参数,应用于IPv6路由协议中。
· IKE协商方式的IPsec安全框架:定义了对数据流进行IPsec保护所使用的安全提议,IKE profile和SA参数,应用于隧道接口上。
GRE over IPsec是一种结合了通用路由封装(GRE)与IP安全协议(IPsec)优势的混合型隧道技术,主要用于在IPsec加密隧道中传输原本无法直接承载的通信类型,如组播、广播及非IP数据包。该方案通过两层封装机制,在保持数据机密性与完整性的同时,扩展了加密隧道的适用范围。
在实际应用中,GRE over IPsec常用于企业跨站点互联、远程分支机构接入以及需要安全传输组播业务(如IPTV等)的场景,为复杂网络环境提供了灵活且可靠的安全隧道解决方案。
图1-3 GRE over IPsec隧道示意图
GRE over IPsec的运行机制主要分为两个阶段:GRE封装与IPsec封装。
(1) 首先,原始数据(如组播、广播或非IP报文)进入隧道时,会先由GRE协议进行封装,为其添加一个新的IP头部,从而将原始数据转换为一个标准的单播IP数据包。这个新增的IP头部的源地址和目的地址分别对应 GRE 隧道两端的接口地址。
(2) 随后,该经过GRE封装的IP数据包会被提交给IPsec协议进行处理。IPsec会依据其安全策略,对GRE报文进行加密和完整性认证,并添加相应的IPsec头部。在此过程中,可以选择两种封装模式:隧道模式会为报文再添加一个全新的外层IP头部;而传输模式则仅在原有GRE-IP头部之后插入IPsec头部,不新增额外的IP层。
(3) 最终,这个依次经过GRE和IPsec处理的报文,其受IPsec保护的数据流范围,正是从GRE隧道的源端地址到目的端地址之间的整个通信过程,从而确保了端到端传输的私密性与可靠性。
图1-4 GRE over IPsec报文封装示意图
由于GRE封装已经引入了一个额外的IP头,若再使用IPsec隧道模式,会因添加第二个外层IP头而导致报文总长度增加。这更容易触发网络路径上的分片操作,可能影响传输性能。因此,在GRE over IPsec应用场景中,通常推荐采用IPsec传输模式,以避免不必要的开销和潜在的分片问题。
在GRE over IPsec的运行机制中,IPsec所保护的对象是经过GRE封装后的完整IP数据包。因此在通过ACL所定义需要保护的数据流非原始的用户数据流,而是以GRE隧道两端点地址为标识的数据流。具体而言,ACL中指定的源和目的网段,应分别设置为GRE隧道起点和终点所对应接口的IP地址。这两个地址即是建立IPsec安全联盟的两端网关的接口地址。
IPsec over GRE是一种将加密与隧道技术相结合的网络通信方案,其核心特点在于先加密后封装的处理流程。与GRE over IPsec不同,该技术首先通过IPsec对原始数据(如单播IP报文)进行加密和认证,随后再由GRE协议对已加密的IPsec报文进行外层封装,使其能够在预先建立的GRE隧道中传输。
IPsec over GRE的一个典型应用场景是在不改变现有网络拓扑的情况下增强通信安全。例如,若两个站点之间已通过GRE隧道实现互联,后期希望提升数据保密性,则可在维持原有GRE隧道配置的基础上,叠加IPsec加密功能,形成IPsec over GRE的部署模式。这种做法的优点在于无需调整已有路由与隧道架构,实施相对简便。
IPsec over GRE也存在一定局限性,例如通常不支持穿越网络地址转换(NAT)设备,且在加密后额外增加的GRE封装头部可能略微增加带宽开销。同时,由于IPsec本身不支持对组播或广播等流量的直接处理,因此IPsec over GRE隧道同样无法承载组播数据(如视频会议流或某些路由协议报文)。因此,该方案更适用于组播需求不高、且网络路径中无NAT干扰的点对点安全互联环境。
图1-5 IPsec over GRE隧道示意图
L2TP over IPsec是一种集成了二层隧道协议与IP安全协议优势的虚拟专用网络技术,其工作流程遵循“先隧道封装、后加密保护”的顺序。该方案首先利用L2TP对用户数据进行封装,建立从客户端到服务端的逻辑隧道,并在此过程中完成用户身份认证与私有地址分配;随后,再通过IPsec协议对已封装的L2TP报文实施加密和完整性校验,从而确保传输过程的机密性与防篡改能力。
在封装结构上,L2TP会添加一个以隧道起点与终点地址为源目的IP的外层IP头部;IPsec则在此基础上施加安全封装,其保护范围覆盖整个L2TP隧道所承载的数据流。为提高传输效率并避免因封装层数过多导致报文分片,实践中通常建议采用IPsec的传输模式而非隧道模式,以减少额外的IP头部开销。
L2TP over IPsec主要应用于企业远程接入场景,例如分支机构或移动用户安全访问总部内部网络。通过结合L2TP在用户管理与地址分配方面的灵活性,以及IPsec在数据加密方面的可靠性,L2TP over IPsec能够在公共互联网上构建兼具身份管控与通信安全的企业级远程访问通道。
图1-6 L2TP over IPsec隧道示意图
与IPsec相关的协议规范有:
· RFC 2401:Security Architecture for the Internet Protocol
· RFC 2402:IP Authentication Header
· RFC 2406:IP Encapsulating Security Payload
· RFC 4552:Authentication/Confidentiality for OSPFv3
安装了业务板NSQM1FWEFGA0的M9006、M9010、M9014和M9016-V款型,不支持本特性。
非缺省vSystem不支持本特性的部分功能,具体包括:
· 配置量子加密方式的IPsec策略
· 配置解封装后IPsec报文的ACL检查功能
· 配置IPsec智能选路功能
· 配置IPsec掩码过滤功能
· 配置IPsec流量重叠检测功能
· 配置IPsec分片功能
· 配置本端允许建立IPsec隧道的最大数
· 配置IPsec报文日志信息记录功能
· 配置IPsec协商事件日志功能
· 配置IPsec告警功能
· 开启IPsec P2MP隧道表项事件日志功能
非缺省vSystem对具体命令的支持情况,请见本特性的命令参考。有关vSystem的详细介绍请参见“虚拟化技术配置指导”中的“vSystem”。
通常情况下,由于IKE协议采用UDP的500端口进行通信,IPsec的AH和ESP协议分别使用51或50号协议来工作,因此为保障IKE和IPsec的正常运行,需要确保应用了IKE和IPsec配置的接口上没有禁止掉属于以上端口和协议的流量。
通过IPsec策略方式建立的IPsec隧道不支持保护组播流量,若需要保护组播流量,请配置基于IPsec隧道接口方式建立IPsec隧道。
IPsec的配置过程遵循一套逻辑清晰、分步实施的配置框架,其核心步骤可归纳为四个关键环节:
(1) 定义需保护的数据流:首先明确需要加密传输的通信对象,可以通过配置ACL或基于路由的方式来实现。该步骤确定IPsec隧道将对哪些源/目的地址、协议或端口范围的流量实施安全保护。
(2) 设定安全保护方法:通过IPsec安全提议和IKE profile方式定义保护数据流的方法。
(3) 关联保护对象与保护方法:通过创建IPsec策略或IPsec安全框架,将第一步定义的待保护数据流与第二步设定的安全方法进行绑定,形成一个完整的安全策略条目。
(4) 使IPsec保护生效:将配置好的IPsec策略或安全框架应用到具体的物理接口、逻辑接口或IPv6路由协议中,对符合要求的指定流量按预定规则进行加密传输。
图1-7 IPsec配置流程图
IPsec安全提议是IPsec策略的一个组成部分,它用于定义IPsec需要使用的安全协议、加密/认证算法以及封装模式,为IPsec协商SA提供各种安全参数。
IPsec包括AH和ESP两种安全协议,它们定义了对IP报文的封装格式以及可提供的安全服务。
· AH协议(IP协议号为51)定义了AH头在IP报文中的封装格式,如图1-8所示。AH可提供数据来源认证、数据完整性校验和抗重放功能,它能保护报文免受篡改,但不能防止报文被窃听,适合用于传输非机密数据。AH使用的认证算法有HMAC-MD5和HMAC-SHA1等。AH协议不支持NAT穿越功能。
· ESP协议(IP协议号为50)定义了ESP头和ESP尾在IP报文中的封装格式,如图1-8所示。ESP可提供数据加密、数据来源认证、数据完整性校验和抗重放功能。与AH不同的是,ESP将需要保护的用户数据进行加密后再封装到IP包中,以保证数据的机密性。ESP使用的加密算法有DES、3DES、AES等。同时,作为可选项,ESP还可以提供认证服务,使用的认证算法有HMAC-MD5和HMAC-SHA1等。虽然AH和ESP都可以提供认证服务,但是AH提供的认证服务要强于ESP。
在实际使用过程中,可以根据具体的安全需求同时使用这两种协议或仅使用其中的一种。设备支持的AH和ESP联合使用的方式为:先对报文进行ESP封装,再对报文进行AH封装。
IPsec支持两种封装模式:传输模式和隧道模式。
该模式下的安全协议主要用于保护上层协议报文,仅传输层数据被用来计算安全协议头,生成的安全协议头以及加密的用户数据(仅针对ESP封装)被放置在原IP头后面。若要求端到端的安全保障,即数据包进行安全传输的起点和终点为数据包的实际起点和终点时,才能使用传输模式。如图1-9所示,通常传输模式用于保护两台主机之间的数据。
该模式下的安全协议用于保护整个IP数据包,用户的整个IP数据包都被用来计算安全协议头,生成的安全协议头以及加密的用户数据(仅针对ESP封装)被封装在一个新的IP数据包中。这种模式下,封装后的IP数据包有内外两个IP头,其中的内部IP头为原有的IP头,外部IP头由提供安全服务的设备添加。在安全保护由设备提供的情况下,数据包进行安全传输的起点或终点不为数据包的实际起点和终点时(例如安全网关后的主机),则必须使用隧道模式。如图1-10所示,通常隧道模式用于保护两个安全网关之间的数据。
不同的安全协议及组合在隧道和传输模式下的数据封装形式如图1-11所示。
IPsec使用的认证算法主要是通过杂凑函数实现的。杂凑函数是一种能够接受任意长度的消息输入,并产生固定长度输出的算法,该算法的输出称为消息摘要。IPsec对等体双方都会计算一个摘要,接收方将发送方的摘要与本地的摘要进行比较,如果二者相同,则表示收到的IPsec报文是完整未经篡改的,以及发送方身份合法。目前,IPsec使用基于HMAC(Hash-based Message Authentication Code,基于散列的消息鉴别码)的认证算法和SM3认证算法。HMAC认证算法包括HMAC-MD5和HMAC-SHA。其中,HMAC-MD5算法的计算速度快,而HMAC-SHA算法的安全强度高。
IPsec使用的加密算法属于对称密钥系统,这类算法使用相同的密钥对数据进行加密和解密。目前设备的IPsec使用的加密算法包括:
· DES:使用56比特的密钥对一个64比特的明文块进行加密。
· 3DES:使用三个56比特(共168比特)的密钥对明文块进行加密。
· AES:使用128比特、192比特或256比特的密钥对明文块进行加密。
· SM:使用128比特的密钥对明文块进行加密。
这些加密算法的安全性由高到低依次是:AES/SM、3DES、DES,安全性高的加密算法实现机制复杂,运算速度慢。
IPsec的认证和加/解密处理在设备上既可以通过软件实现,也可以通过硬件加密引擎实现。通过软件实现的IPsec,由于复杂的加密/解密、认证算法会占用大量的CPU资源,将会影响设备整体处理效率;通过硬件加密引擎实现的IPsec,由于复杂的算法处理由硬件完成,因此可以提高设备的处理效率。
若设备支持通过硬件加密引擎进行认证和加/解密处理,则设备会首先将需要处理的数据发送给硬件加密引擎,由硬件加密引擎对数据进行处理之后再发送回设备,最后由设备进行转发。
关于加密引擎的详细介绍请参见“安全配置指导”中的“加密引擎”。
· 可对IPsec安全提议进行修改,但对已协商成功的IPsec SA,新修改的安全提议并不起作用,即仍然使用原来的安全提议,只有新协商的SA使用新的安全提议。若要使修改对已协商成功的IPsec SA生效,则需要执行reset ipsec sa命令。
· 传输模式必须应用于数据流的源地址和目的地址与IPsec隧道两端地址相同的情况下。如果要配置应用于IPv6路由协议的手工方式的安全框架,则该安全框架引用的安全提议仅支持传输模式的封装。
· 隧道模式通常应用于数据流的源地址和目的地址与IPsec隧道两端地址不相同的情况下。如果要配置应用于隧道接口上的安全框架所引用的安全提议,则该安全提议仅支持隧道模式的封装。
· IKEv1协商时发起方的PFS强度必须大于或等于响应方的PFS强度,否则协商会失败。IKEv2不受该限制。不配置PFS特性的一端,按照对端的PFS特性要求进行IKE协商。
· 可以使用命令为一个安全协议指定多个认证或者加密算法,算法优先级以配置顺序为准。
· 以下这些算法只适用于IKEv2协商:
表1-1 IKEv2协商适用的算法
|
参数 |
取值 |
|
加密算法 |
aes-ctr-128/aes-ctr-192/aes-ctr-256 camellia-cbc-128/camellia-cbc-192/camellia-cbc-256 gmac-128/gmac-192/gmac-256/ gcm-128/gcm-192/gcm-256 |
|
认证算法 |
aes-xcbc-mac |
(1) 进入系统视图。
system-view
(2) 创建IPsec安全提议,并进入IPsec安全提议视图。
ipsec transform-set transform-set-name
(3) 配置IPsec安全提议采用的安全协议。
protocol { ah | ah-esp | esp }
缺省情况下,采用ESP安全协议。
(4) 配置协议(esp或ah-esp)采用的加密算法。
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm4-cbc } *
缺省情况下,ESP协议没有采用任何加密算法。
非ESP协议,请忽略本步骤。
(5) 配置协议(esp或ah-esp)采用的认证算法。
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
缺省情况下,ESP协议没有采用任何认证算法。
非ESP协议,请忽略本步骤。
aes-xcbc-mac认证算法仅适用于IKEv2协商。
(6) 配置协议(ah或ah-esp)采用的认证算法。
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
缺省情况下,AH协议没有采用任何认证算法。
采用ESP协议时,请忽略本步骤。
aes-xcbc-mac认证算法仅适用于IKEv2协商。
(7) 配置安全协议对IP报文的封装模式。
encapsulation-mode { transport | tunnel }
缺省情况下,安全协议采用隧道模式对IP报文进行封装。
(8) (可选)配置使用IPsec安全策略发起协商时使用PFS特性。
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group18 | dh-group19 | dh-group20 | dh-group21 | dh-group23 | dh-group24 }
缺省情况下,使用IPsec安全策略发起协商时不使用PFS特性。
有关PFS(Perfect Forward Secrecy,完善的前向安全性)功能的详细介绍请参见“安全配置指导”中的“IKE”。
(9) (可选)开启ESN功能。
esn enable [ both ]
缺省情况下,ESN功能处于关闭状态。
本功能仅适用于IKEv2协商的IPsec SA。
在传输模式下,设备通过ACL来识别由IPsec隧道保护的流量时,受保护的流量只能是源地址或目的地址为本机的报文。例如:可配置IPsec隧道对设备发送给日志服务器的日志信息进行保护。ACL中定义的匹配转发流量的规则不生效,IPsec不会对设备转发的任何数据流和语音流进行保护。
将引用了ACL的IPsec策略应用到接口上后,该接口上匹配ACL的报文将会受到IPsec保护。这里的接口包括以太网接口等实际物理接口,以及Tunnel、Virtual Template等虚接口。
具体的保护机制如下:
· 只要接口发送的报文与该接口上应用的IPsec策略中的ACL的permit规则匹配,就会受到出方向IPsec SA的保护并进行封装处理。
· 接口接收到目的地址是本机的IPsec报文时,首先根据报文头里携带的SPI查找本地的入方向IPsec SA,由对应的入方向IPsec SA进行解封装处理。解封装后的IP报文若能与ACL的permit规则匹配上则采取后续处理,否则被丢弃。
目前,设备支持的数据流的保护方式包括以下三种:
· 标准方式:一条IPsec隧道保护一条数据流。ACL中的每一个规则对应的数据流分别由一条单独创建的IPsec隧道来保护。缺省采用该方式。
· 聚合方式:一条IPsec隧道保护ACL中定义的所有数据流。ACL中的所有规则对应的数据流只会由一条创建的IPsec隧道来保护。该方式仅用于和老版本的设备互通。
· 主机方式:一条IPsec隧道保护一条主机到主机的数据流。ACL中的每一个规则对应的不同主机之间的数据流分别由一条单独创建的IPsec隧道来保护。这种方式下,受保护的网段之间存在多条数据流的情况下,将会消耗更多的系统资源。
IPsec隧道保护匹配ACL的报文配置任务如下:
(1) 配置ACL
(2) 配置IPsec安全提议
(3) 配置IPsec安全策略
请选择以下一项任务进行配置:
(4) 在接口上应用IPsec策略
(5) (可选)配置IPsec隧道保护匹配ACL的报文的辅助功能
(6) (可选)配置IPsec日志和告警功能
IPsec通过配置ACL来定义需要保护的数据流。在IPsec应用中,ACL规则中的permit关键字表示与之匹配的流量需要被IPsec保护,而deny关键字则表示与之匹配的流量不需要保护。一个ACL中可以配置多条规则,首个与数据流匹配上的规则决定了对该数据流的处理方式。
在IPsec策略中定义的ACL既可用于过滤接口入方向数据流,也可用于过滤接口出方向数据流。
· 设备出入方向的数据流都使用IPsec策略中定义的ACL规则来做匹配依据。具体是,出方向的数据流正向匹配ACL规则,入方向的数据流反向匹配ACL规则。例如,对于应用于IPsec策略中的某ACL规则:rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255,设备使用其正向过滤出方向上从1.1.1.0/24网段发往2.2.2.0/24网段的数据流,反向过滤入方向上从2.2.2.0/24网段发往1.1.1.0/24网段的数据流。
· 在出方向上,与ACL的permit规则匹配的报文将被IPsec保护,未匹配上任何规则或与deny规则匹配上的报文将不被IPsec保护。
· 在入方向上,与ACL的permit规则匹配上的未被IPsec保护的报文将被丢弃;目的地址为本机的被IPsec保护的报文将被进行解封装处理。缺省情况下解封装后的IP报文若能与ACL的permit规则匹配上则采取后续处理,否则被丢弃。若解封装后IPsec报文的ACL检查功能处于关闭状态,则解封装后的IP报文不与ACL匹配,直接进行后续处理。
需要注意的是:
· 仅对确实需要IPsec保护的数据流配置permit规则,避免盲目地使用关键字any。这是因为,在一个permit规则中使用any关键字就代表所有指定范围上出方向的流量都需要被IPsec保护,所有对应入方向上被IPsec保护的报文将被接收并处理,入方向上未被IPsec保护的报文都将被丢弃。这种情况下,一旦入方向收到的某流量是未被IPsec保护的,那么该流量就会被丢弃,这会造成一些本不需要IPsec处理的流量丢失,影响正常的业务传输。
· 当一个安全策略下有多条优先级不同的安全策略表项时,合理使用deny规则。避免本应该与优先级较低的安全策略表项的ACL permit规则匹配而被IPsec保护的出方向报文,因为先与优先级较高的安全策略表项的ACL deny规则匹配上,而没有被IPsec保护,继而在接收端被丢弃。
下面是一个deny规则的错误配置示例。Device A和Device B上分别配置如下所示的IPsec策略,当Device A连接的1.1.2.0/24网段用户访问Device B连接的3.3.3.0/24网段时,报文在Device A的应用了IPsec策略testa的出接口上优先与顺序号为1的安全策略表项匹配,并匹配上了IPv4 ACL 3000的rule 1,因此Device A认为它不需要IPsec保护,而未进行IPsec封装。该报文到达Device B后,在应用了IPsec策略testb的入接口上与IPv4 ACL 3001的rule 0匹配,并被判断为应该受IPsec保护但未被保护的报文而丢弃。
Device A上的关键配置如下:
acl advanced 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl advanced 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testa 1 isakmp <---优先级高的安全策略表项
security acl 3000
ike-profile aa
transform-set 1
#
ipsec policy testa 2 isakmp <---优先级低的安全策略表项
security acl 3001
ike-profile bb
transform-set 1
Device B上的关键配置如下:
acl advanced 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testb 1 isakmp
security acl 3001
ike-profile aa
transform-set 1
为保证Device A连接的1.1.2.0/24网段用户访问Device B连接的3.3.3.0/24网段的报文可被正确处理,建议将Device A上的IPv4 ACL 3000中的deny规则删除。
为保证IPsec对等体上能够成功建立SA,建议两端设备上用于IPsec的ACL配置为镜像对称,即保证两端定义的要保护的数据流范围的源和目的尽量对称。例如,图1-12中Device A和Device B上的ACL配置都是完全镜像对称的,因此用于保护主机Host A与主机Host C之间、子网Network 1与子网Network 2之间流量的SA均可成功建立。
若IPsec对等体上的ACL配置非镜像,那么只有在一端的ACL规则定义的范围是另外一端的子集时,SA协商可以成功。如图1-13所示,Device A上的ACL规则允许的范围(Host A->Host C)是Device B上ACL规则允许的范围(Network 2->Network 1)的子集。
需要注意的是,在这种ACL配置下,并不是任何一端发起的SA协商都可以成功,仅当保护范围小(细粒度)的一端向保护范围大(粗粒度)的一端发起的协商才能成功,反之则SA协商失败。这是因为,协商响应方要求协商发起方发送过来的数据必须在响应方可以接受的范围之内。其结果就是,从细粒度一端向粗粒度一端发送报文时,细粒度侧设备发起的SA协商可以成功,例如Host A->Host C;从粗粒度一方向细粒度一方发送报文时,粗粒度侧设备发起的SA协商不能成功,例如Host C->Host A、Host C->Host B、Host D->Host A等。
为满足VPN实例中的用户流量能够通过IPsec隧道来保护,需要保证连接VPN用户流量的设备上定义的要保护的数据流范围中明确指定了数据流所属的VPN实例。
图1-14 VPN实例组网
以上组网环境中,Device A设备上的ACL配置如下:
#
acl advanced 3400
rule 0 permit ip vpn-instance vpn1 source 1.1.1.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
#
同时,还必须在IKE profile视图中配置内部VPN实例为vpn1。
#
ike profile vpn1
keychain vpn1
match remote identity address 8.8.8.1 255.255.255.255
inside-vpn vpn-instance vpn1
#
IKE协商方式的IPsec策略有以下两种配置方式:
· 直接配置IPsec策略:在安全策略视图中定义需要协商的各参数;
· 引用IPsec策略模板配置IPsec策略:首先在IPsec策略模板中定义需要协商的各参数,然后通过引用IPsec策略模板创建一条IPsec策略。应用了该类IPsec策略的接口不能发起协商,仅可以响应远端设备的协商请求。由于IPsec策略模板中未定义的可选参数由发起方来决定,而响应方会接受发起方的建议,因此这种方式适用于通信对端(例如对端的IP地址)未知的情况下,允许这些对端设备向本端设备主动发起协商。
IPsec策略模板与直接配置的IKE协商方式的IPsec策略中可配置的参数类似,但是配置较为简单,除了IPsec安全提议和IKE profile之外的其它参数均为可选。应用了引用IPsec策略模板配置的IPsec策略的接口不能发起协商,仅可以响应远端设备的协商请求。IPsec策略模板中未定义的可选参数由发起方来决定,而响应方会接受发起方的建议,例如IPsec策略模板下的用于定义保护对象范围的ACL是可选的,该参数在未配置的情况下,相当于支持最大范围的保护,即完全接受协商发起端的ACL设置。
IPsec隧道两端的配置必须符合以下要求:
· IPsec策略引用的IPsec安全提议中应包含相同的安全协议、认证/加密算法和报文封装模式。
· IPsec策略引用的IKE profile参数相匹配。
· 一条IKE协商方式的IPsec策略中最多可以引用六个IPsec安全提议。IKE协商过程中,IKE将会在隧道两端配置的IPsec策略中查找能够完全匹配的IPsec安全提议。如果IKE在两端找不到完全匹配的IPsec安全提议,则SA不能协商成功,需要被保护的报文将被丢弃。
· IKE协商的发起方必须配置IPsec隧道的对端地址,响应方可选配,且当前端点的对端地址与对端的本端地址应保持一致。
对于IKE协商建立的IPsec SA,遵循以下原则:
· 采用隧道两端设置的IPsec SA生存时间中较小者。
· 可同时存在基于时间和基于流量两种方式的IPsec SA生存时间,只要到达指定的时间或指定的流量,IPsec SA就会老化。
· 一条IPsec策略只能引用一个IKEv1 profile或者一个IKEv2 profile。同时引用时IKEv2 profile的优先级高于IKEv1 profile的优先级。
IKEv1 profile的相关配置请参见“安全配置指导”中的“IKE”。
IKEv2 profile的相关配置请参见“安全配置指导”中的“IKEv2”。
(1) 进入系统视图。
system-view
(2) 创建一条IKE协商方式的IPsec策略,并进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number isakmp
(3) (可选)配置IPsec策略的描述信息。
description text
缺省情况下,无描述信息。
(4) (可选)配置触发建立IPsec SA的模式。
sa trigger-mode { auto | traffic-based }
缺省情况下,触发建立IPSec SA的模式为流量触发。
若IPsec策略/IPsec策略模板引用的ACL被指定为聚合方式或主机方式,则该IPsec策略/IPsec策略模板无法通过自动触发模式建立IPsec SA。
(5) 指定IPsec策略引用的ACL。
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
缺省情况下,IPsec策略没有指定ACL。
一条IPsec策略只能引用一个ACL。
(6) 指定IPsec策略引用的IPsec安全提议。
transform-set transform-set-name&<1-6>
缺省情况下,IPsec策略没有引用IPsec安全提议。
(7) 指定IPsec策略引用的IKE profile或者IKEv2 profile。
¡ 指定IPsec策略引用的IKE profile。
ike-profile profile-name
缺省情况下,IPsec策略没有引用IKE profile。
¡ 指定IPsec策略引用的IKEv2 profile。
ikev2-profile profile-name
缺省情况下,IPsec策略没有引用IKEv2 profile。
(8) 指定IPsec隧道的本端IP地址。
local-address { ipv4-address | ipv6 ipv6-address }
缺省情况下,IPsec隧道的本端IPv4地址为应用IPsec策略的接口的主IPv4地址,本端IPv6地址为应用IPsec策略的接口的第一个IPv6地址。
此处指定的IPsec隧道本端IP地址必须与IKE使用的标识本端身份的IP地址一致。在VRRP组网环境中,IPsec隧道本端IP地址为应用IPsec策略接口所在备份组的虚拟IP地址。
IPsec隧道的本端IP地址不得为应用IPsec策略的接口的从IP地址。
(9) 指定IPsec隧道的对端IP地址。
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } [ primary ] [ track track-id ]
缺省情况下,未指定IPsec隧道的对端IP地址。
为实现IPsec对端地址回切功能,需要至少指定两条IPsec隧道的对端IP地址,包括一条首选地址。IPsec隧道的对端地址都需要与Track项关联。
(10) (可选)开启IPsec对端地址回切功能。
remote-address switch-back enable
缺省情况下,IPsec对端地址回切功能处于关闭状态。
为实现本功能需要配置IPsec反向路由注入和IKE的DPD探测功能,并配置NQA和Track相关功能。关于NQA和Track的相关配置,请分别参见“网络管理和监控配置指导”中的“NQA”和“可靠性配置指导”中的“Track”。
(11) (可选)配置IPsec SA的生存时间或空闲超时时间。
¡ 配置IPsec SA的生存时间。
sa duration { time-based seconds | traffic-based kilobytes }
缺省情况下,IPsec策略下的IPsec SA生存时间为当前全局的IPsec SA生存时间。
¡ 配置IPsec SA的软超时缓冲参数。
sa soft-duration buffer { time-based seconds | traffic-based kilobytes }
缺省情况下,未配置软超时缓冲参数。
¡ 配置IPsec SA的空闲超时时间。
sa idle-time seconds
缺省情况下,IPsec策略下的IPsec SA空闲超时时间为当前全局的IPsec SA空闲超时时间。
(12) (可选)开启TFC(Traffic Flow Confidentiality)填充功能。
tfc enable
缺省情况下,TFC填充功能处于关闭状态。
本功能仅适用于IKEv2协商的IPsec SA。
(13) (可选)启用IPsec策略表项。
policy enable
缺省情况下,IPsec策略表项处于启用状态。
(14) (可选)配置IPsec策略表项的别名。
policy alias alias-name
缺省情况下,IPsec策略表项的别名为IPsec策略名-IPsec策略表项序号。
(1) 进入系统视图。
system-view
(2) 创建一个IPsec策略模板,并进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
(3) (可选)配置IPsec策略模板的描述信息。
description text
缺省情况下,无描述信息。
(4) (可选)指定IPsec策略模板引用的ACL。
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
缺省情况下,IPsec策略模板没有指定ACL。
一条IPsec策略模板只能引用一个ACL。
(5) 指定IPsec策略模板引用的安全提议。
transform-set transform-set-name&<1-6>
缺省情况下IPsec策略模板没有引用IPsec安全提议。
(6) 指定IPsec策略模板引用的IKE profile或者IKEv2 profile。
¡ 指定IPsec策略模板引用的IKE profile。
ike-profile profile-name
缺省情况下,IPsec策略模板没有引用IKE profile。
不能引用已经被其它IPsec策略或IPsec策略模板引用的IKE profile。
¡ 指定IPsec策略模板引用的IKEv2 profile。
ikev2-profile profile-name
缺省情况下,IPsec策略模板没有引用IKEv2 profile。
(7) 指定IPsec隧道的本端IP地址和对端IP地址。
¡ 指定IPsec隧道的本端IP地址。
local-address { ipv4-address | ipv6 ipv6-address }
缺省情况下,IPsec隧道的本端IPv4地址为应用IPsec策略的接口的主IPv4地址,本端IPv6地址为应用IPsec策略的接口的第一个IPv6地址。
IPsec隧道本端IP地址必须与IKE对等体使用的标识本端身份的IP地址一致。VRRP组网环境中, IPsec隧道本端IP地址为应用IPsec策略的接口所在备份组的虚拟IP地址。
IPsec隧道的本端IP地址不得为应用IPsec策略的接口的从IP地址。
¡ 指定IPsec隧道的对端IP地址。
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
缺省情况下,未指定IPsec隧道的对端IP地址。
(8) (可选)配置IPsec SA的生存时间或者空闲超时时间。
¡ 配置IPsec SA的生存时间。
sa duration { time-based seconds | traffic-based kilobytes }
缺省情况下,IPsec策略模板下的IPsec SA生存时间为当前全局的IPsec SA生存时间。
¡ 配置IPsec SA的空闲超时时间。
sa idle-time seconds
缺省情况下,IPsec策略模板下的IPsec SA空闲超时时间为当前全局的IPsec SA空闲超时时间。
(9) (可选)开启TFC(Traffic Flow Confidentiality)填充功能。
tfc enable
缺省情况下,TFC填充功能处于关闭状态。
(10) (可选)启用IPsec策略模板表项。
policy enable
缺省情况下,IPsec策略模板表项处于启用状态。
(11) (可选)配置IPsec策略模板表项的别名。
policy alias alias-name
缺省情况下,IPsec策略模板表项的别名为template-IPsec策略模板名-IPsec策略模板表项序号。
(12) 退回系统视图。
quit
(13) 引用安全策略模板创建一条IKE协商方式的安全策略。
ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
为保证SA能够成功生成,IPsec隧道两端的配置必须符合以下要求:
· IPsec策略引用的IPsec安全提议应采用相同的安全协议、加密/认证算法和报文封装模式。
· 当前端点的IPv4对端地址应与对端应用IPsec策略的接口的主IPv4地址保持一致;当前端点的IPv6对端地址应与对端应用IPsec策略的接口的第一个IPv6地址保持一致。
· 应分别设置inbound和outbound两个方向的IPsec SA参数,且保证每一个方向上的IPsec SA的唯一性:对于出方向IPsec SA,必须保证三元组(对端IP地址、安全协议、SPI)唯一;对于入方向IPsec SA,必须保证SPI唯一。
· 本端和对端IPsec SA的SPI及密钥必须是完全匹配的。即,本端的入方向IPsec SA的SPI及密钥必须和对端的出方向IPsec SA的SPI及密钥相同;本端的出方向IPsec SA的SPI及密钥必须和对端的入方向IPsec SA的SPI及密钥相同。
· 两端IPsec SA使用的密钥应当以相同的方式输入,即如果一端以字符串方式输入密钥,另一端必须也以字符串方式输入密钥。如果先后以不同的方式输入了密钥,则最后设定的密钥有效。
· 对于ESP协议,以字符串方式输入密钥时,系统会自动地同时生成认证算法的密钥和加密算法的密钥。
(1) 进入系统视图。
system-view
(2) 创建一条手工方式的IPsec策略,并进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number manual
(3) (可选)配置IPsec策略的描述信息。
description text
缺省情况下,无描述信息。
(4) 指定IPsec策略引用的ACL。
security acl [ ipv6 ] { acl-number | name acl-name }
缺省情况下,IPsec策略没有引用ACL。
一条安全策略只能引用一个ACL。
(5) 指定IPsec策略所引用的安全提议。
transform-set transform-set-name
缺省情况下,IPsec策略没有引用IPsec安全提议。
一条手工方式的IPsec策略只能引用一个安全提议。
(6) 指定IPsec隧道的对端IP地址。
remote-address { ipv4-address | ipv6 ipv6-address }
缺省情况下,未指定IPsec隧道的对端地址。
(7) 配置IPsec SA的入方向SPI。
sa spi inbound { ah | esp } spi-number
缺省情况下,不存在IPsec SA的入方向SPI。
(8) 配置IPsec SA的出方向SPI。
sa spi outbound { ah | esp } spi-number
缺省情况下,不存在IPsec SA的出方向SPI。
(9) 配置IPsec SA使用的密钥。
¡ 配置AH协议的认证密钥(以十六进制方式输入)。
sa hex-key authentication { inbound | outbound } ah { cipher | simple } string
¡ 配置AH协议的认证密钥(以字符串方式输入)。
sa string-key { inbound | outbound } ah { cipher | simple } string
¡ 配置ESP协议的认证密钥和加密密钥(以字符串方式输入)。
sa string-key { inbound | outbound } esp { cipher | simple } string
¡ 配置ESP协议的认证密钥(以十六进制方式输入)。
sa hex-key authentication { inbound | outbound } esp { cipher | simple } string
¡ 配置ESP协议的加密密钥(以十六进制方式输入)。
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
缺省情况下,未配置IPsec SA使用的密钥。
根据本安全策略引用的安全提议中指定的安全协议,配置AH协议或ESP协议的密钥,或者两者都配置。
(10) (可选)配置IPsec策略表项的别名。
policy alias alias-name
缺省情况下,IPsec策略表项的别名为IPsec策略名-IPsec策略表项序号。
为使定义的IPsec SA生效,应在每个要加密的数据流和要解密的数据流所在接口上应用一个IPsec策略,以对数据进行保护。当取消IPsec策略在接口上的应用后,此接口便不再具有IPsec的安全保护功能。
在将IKE方式的IPsec策略应用到多个接口上时,请使用共享源接口的IPsec策略;手工方式的IPsec策略只能应用到一个接口上。
在接口上应用IPsec策略后,用户无需配置放通该接口IPsec和IKE报文的安全策略,该接口将自动放通IKE报文和IPsec报文,其中IKE报文用于建立IPsec隧道,IPsec报文为IPsec隧道传输的报文。但是需要IPsec保护的流量依然需要配置相应的安全策略,只有符合安全策略规则的报文才能通过。有关安全策略的详细信息,请参见“安全配置指导”中的“安全策略”。
(1) 进入系统视图。
system-view
(2) 进入接口视图。
interface interface-type interface-number
(3) 应用IPsec策略。
ipsec apply { ipv6-policy | policy } policy-name
缺省情况下,接口上没有应用IPsec策略。
一个接口下最多只能应用一个IPv4/IPv6类型的IPsec策略,但可以同时应用一个IPv4类型的IPsec策略和一个IPv6类型的IPsec策略。
将IPsec安全框架应用到某一IPv6路由协议(目前支持保护OSPFv3、IPv6 BGP、RIPng路由协议)后,设备产生的需要IPsec保护的某一IPv6路由协议的所有报文都要进行封装处理,而设备接收到的不受IPsec保护的以及解封装失败的业务协议报文都要被丢弃。
由于IPsec的密钥交换机制仅适用于两点之间的通信保护,在广播网络一对多的情形下,IPsec无法实现自动交换密钥,同样,由于广播网络一对多的特性,要求各设备对于接收、发送的报文均使用相同的SA参数(相同的SPI及密钥),因此该方式下必须手工配置用来保护IPv6路由协议报文的IPsec SA。手工方式的IPsec安全框架定义了对数据流进行IPsec保护所使用的安全提议,以及SA的SPI、SA使用的密钥。
IPsec隧道两端的配置必须符合以下要求:
· IPsec安全框架引用的IPsec安全提议应采用相同的安全协议、加密/认证算法和报文封装模式。
· 本端出方向IPsec SA的SPI和密钥必须和本端入方向IPsec SA的SPI和密钥保持一致。
· 同一个范围内的、所有设备上的IPsec SA的SPI和密钥均要保持一致。该范围与协议相关:对于OSPFv3,是OSPFv3邻居之间或邻居所在的区域;对于RIPng,是RIPng直连邻居之间或邻居所在的进程;对于BGP,是BGP邻居之间或邻居所在的一个组。
· 两端IPsec SA使用的密钥应当以相同的方式输入,即如果一端以字符串方式输入密钥,另一端必须也以字符串方式输入密钥。如果先后以不同的方式输入了密钥,则最后设定的密钥有效。
· 对于ESP协议,以字符串方式输入密钥时,系统会自动地同时生成认证算法的密钥和加密算法的密钥。
(1) 进入系统视图。
system-view
(2) 创建一个手工方式的IPsec安全框架,并进入IPsec安全框架视图。
ipsec profile profile-name manual
进入已创建的IPsec安全框架时,可以不指定协商方式manual。
(3) (可选)配置IPsec安全框架的描述信息。
description text
缺省情况下,无描述信息。
(4) 指定IPsec安全框架引用的IPsec安全提议。
transform-set transform-set-name
缺省情况下,IPsec安全框架没有引用IPsec安全提议。
要引用的IPsec安全提议所采用的封装模式必须为传输模式。
(5) 配置IPsec SA的SPI。
sa spi { inbound | outbound } { ah | esp } spi-number
缺省情况下,未配置IPsec SA的SPI。
(6) 配置IPsec SA使用的密钥。
¡ 配置AH协议的认证密钥(以十六进制方式输入)。
sa hex-key authentication { inbound | outbound } ah { cipher | simple } string
¡ 配置AH协议的认证密钥(以字符串方式输入)。
sa string-key { inbound | outbound } ah { cipher | simple } string
¡ 配置ESP协议的认证密钥和加密密钥(以字符串方式输入)。
sa string-key { inbound | outbound } esp { cipher | simple } string
¡ 配置ESP协议的认证密钥(以十六进制方式输入)。
sa hex-key authentication { inbound | outbound } esp { cipher | simple } string
¡ 配置ESP协议的加密密钥(以十六进制方式输入)。
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
缺省情况下,未配置IPsec SA使用的密钥。
根据本安全框架引用的安全提议中指定的安全协议,配置AH协议或ESP协议的密钥,或者两者都配置。
(7) (可选)配置IPsec安全框架的别名。
profile alias alias-name
缺省情况下,IPsec安全框架的别名为profile-安全框架名称。
(8) 在IPv6路由协议上应用IPsec安全框架
有关在IPv6路由协议上应用IPsec安全框架的相关配置,请分别参见“三层技术-IP路由配置指导”中的“IPv6 BGP”、“OSPFv3”和“RIPng”。
在隧道接口上应用IPsec安全框架后,路由到该隧道接口的报文都会受到IPsec的保护,除非用户指定该报文不需要被IPsec保护。此方式建立的IPsec的封装模式必须为隧道模式。该类应用通常也被称为在VTI(Virtual Tunnel Interface)上应用IPsec。
相比于保护匹配ACL的报文,保护隧道接口上报文的IPsec有以下优势:
· 支持保护组播报文。
· 支持动态路由协议在IPsec隧道两端的传播。
· 简化配置。不需要通过ACL规则对流量进行筛选,路由表会将流量引导到隧道口上。
隧道接口对报文的封装/解封装发生在隧道接口上。进入设备的报文被路由到应用了IPsec安全框架的隧道接口后,此隧道接口会对这些报文进行封装/解封装处理。如图1-15所示,隧道接口对报文进行封装的过程如下:
(1) Device将从入接口接收到的IP明文送到转发模块进行路由处理;
(2) 转发模块依据路由查询结果,将IP明文发送到隧道接口进行封装:原始IP报文加密后被封装在一个新的IP报文中,新IP头中的源地址和目的地址分别为隧道接口的源端地址和目的端地址。
(3) 隧道接口完成对IP明文的封装处理后,将IP密文再次送到转发模块进行路由处理;
(4) 转发模块根据新IP头中的目的IP地址进行第二次路由查询后,将IP密文通过隧道接口的实际物理出接口转发出去。
如图1-16所示,隧道接口对报文进行解封装的过程如下:
(1) Device将从入接口接收到的IP密文送到转发模块进行路由处理;
(2) 转发模块识别到此IP密文的目的IP地址为本设备隧道接口源端地址且IP协议号为AH或ESP时,会将IP密文送到相应的隧道接口进行解封装:将IP密文的外层IP头去掉,对内层IP报文进行解密处理。
(3) 隧道接口完成对IP密文的解封装处理之后,将IP明文重新送回转发模块进行路由处理;
(4) 转发模块根据IP明文的目的IP地址进行第二次路由查询后,将IP明文从隧道的实际物理出接口转发出去。
IPsec隧道两端的配置必须符合以下要求:
· IPsec安全框架引用的IPsec安全提议中应包含具有相同的安全协议、认证/加密算法和报文封装模式的IPsec安全提议。
· IPsec安全框架引用的IKE profile参数相匹配。
· 一条IKE协商方式的IPsec安全框架中最多可以引用六个IPsec安全提议。IKE协商过程中,IKE将会在隧道两端配置的IPsec安全框架中查找能够完全匹配的IPsec安全提议。如果IKE在两端找不到完全匹配的IPsec安全提议,则SA不能协商成功,需要被保护的报文将被丢弃。
对于IKE协商建立的IPsec SA,遵循以下原则:
· 采用隧道两端设置的IPsec SA生存时间中较小者。
· 可同时存在基于时间和基于流量两种方式的IPsec SA生存时间,只要到达指定的时间或指定的流量,IPsec SA就会老化。
IKE协商方式的IPsec安全框架定义了对数据流进行IPsec保护所使用的安全提议,以及IKE profile
(1) 进入系统视图。
system-view
(2) 创建一个IKE协商方式的IPsec安全框架,并进入IPsec安全框架视图。
ipsec profile profile-name isakmp
进入已创建的IPsec安全框架时,可以不指定协商方式isakmp。
(3) (可选)配置IPsec安全框架的描述信息。
description text
缺省情况下,无描述信息。
(4) 指定IPsec安全框架引用的IPsec安全提议。
transform-set transform-set-name&<1-6>
缺省情况下,IPsec安全框架没有引用IPsec安全提议。
要引用的IPsec安全提议所采用的封装模式必须为隧道模式。
(5) 指定IPsec安全框架引用的IKE profile。
ike-profile profile-name
缺省情况下,IPsec安全框架没有引用IKE profile。若系统视图下配置了IKE profile,则使用系统视图下配置的IKE profile进行性协商,否则使用全局的IKE参数进行协商。
只能引用一个IKE profile,IKE profile的相关配置请参见“安全配置指导”中的“IKE”。
(6) (可选)指定IPsec安全框架引用的IKEv2 profile。
ikev2-profile profile-name
缺省情况下,IPsec安全框架没有引用IKEv2 profile。若同时引用IKE profile和IKEv2 profile,优先使用IKEv2 profile进行协商。
只能引用一个IKEv2 profile,IKEv2 profile的相关配置请参见“安全配置指导”中的“IKEv2”。
(7) (可选)配置IPsec SA的生存时间。
sa duration { time-based seconds | traffic-based kilobytes }
缺省情况下,IPsec安全框架下的IPsec SA生存时间为当前全局的IPsec SA生存时间。
(8) (可选)配置IPsec SA的软超时缓冲参数。
sa soft-duration buffer { time-based seconds | traffic-based kilobytes }
缺省情况下,未配置软超时缓冲参数。
(9) (可选)配置IPsec SA的空闲超时时间。
sa idle-time seconds
缺省情况下,IPsec安全框架下的IPsec SA空闲超时时间为当前全局的IPsec SA空闲超时时间。
(10) (可选)配置IPsec安全框架的别名。
profile alias alias-name
缺省情况下,IPsec安全框架的别名为profile-安全框架名称。
(11) 进入系统视图。
system-view
(12) 创建一个Tunnel接口,指定隧道模式,并进入该Tunnel接口视图。
interface tunnel number mode gre
(13) 在隧道接口上应用IPsec安全框架。
tunnel protection ipsec profile profile-name [ acl [ ipv6 ] { acl-number | name acl-name } ]
缺省情况下,隧道接口下未应用IPsec安全框架。
IPsec通信双方的IPsec安全框架所引用的IPsec安全提议中的安全协议、认证/加密算法可以不一致。
SDWAN方式的IPsec安全框架,用于在SDWAN设备上生成IPsec SA。该类型的IPsec安全框架不限制对端IP地址,不需要进行ACL配置,即所有路由到SDWAN隧道接口的流量都会被IPsec保护,配置简单,易于维护。
(1) 进入系统视图。
system-view
(2) 创建一个SDWAN方式的IPsec安全框架,并进入IPsec安全框架视图。
ipsec profile profile-name sdwan
进入已创建的IPsec安全框架时,可以不指定协商方式sdwan。
(3) (可选)配置IPsec安全框架的描述信息。
description text
缺省情况下,无描述信息。
(4) 指定IPsec安全框架引用的IPsec安全提议。
transform-set transform-set-name&
缺省情况下,IPsec安全框架没有引用IPsec安全提议。
引用的IPsec安全提议所采用的封装模式必须为传输模式。
(5) (可选)配置IPsec SA的生存时间。
sa duration time-based seconds
缺省情况下,IPsec安全框架下的IPsec SA生存时间为当前全局的IPsec SA生存时间。
在SDWAN隧道接口上应用SDWAN方式的IPsec安全框架后,SDWAN设备将创建IPsec SA,用于对路由到SDWAN隧道接口的流量进行IPsec保护。
(6) 进入系统视图。
system-view
(7) 创建一个Tunnel接口,指定隧道模式为SDWAN类型,并进入该Tunnel接口视图。
interface tunnel number mode sdwan udp
(8) 在隧道接口上应用IPsec安全框架。
tunnel protection ipsec profile profile-name
缺省情况下,隧道接口下未应用IPsec安全框架。
(9) 配置在指定slot上处理当前接口的流量。
(独立运行模式)
service slot slot-number
(IRF模式)
service chassis chassis-number slot slot-number
缺省情况下,未指定处理当前接口流量的slot,业务处理在接收报文的slot上进行。
不同方式的IPsec策略或安全框架对IPsec安全性功能的支持情况不同,具体支持情况请参见表1-2中的详细信息。
表1-2 IPsec安全性功能支持情况描述表
|
功能名称 |
IPsec策略(用于非隧道接口) |
手工方式IPsec安全框架(用于IPv6路由协议) |
IKE方式IPsec安全框架(用于隧道接口) |
SDWAN方式IPsec安全框架(用于SDWAN隧道接口) |
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
支持 |
支持 |
支持 |
|
|
支持 |
支持 |
支持 |
支持 |
|
|
支持 |
不支持 |
支持 |
不支持 |
|
|
支持 |
不支持 |
支持 |
支持 |
在隧道模式下,接口入方向上解封装的IPsec报文的内部IP头有可能不在当前IPsec策略引用的ACL的保护范围内,如网络中一些恶意伪造的攻击报文就可能有此问题,所以设备需要重新检查解封装后的报文的IP头是否在ACL保护范围内。开启该功能后可以保证ACL检查不通过的报文被丢弃,从而提高网络安全性。
(1) 进入系统视图。
system-view
(2) 开启解封装后IPsec报文的ACL检查功能。
ipsec decrypt-check enable
缺省情况下,解封装后IPsec报文的ACL检查功能处于开启状态。
重放报文,通常是指设备再次接收到的已经被IPsec处理过的报文。IPsec通过滑动窗口(抗重放窗口)机制检测重放报文。AH和ESP协议报文中带有序列号,如果收到的报文的序列号与已经解封装过的报文序列号相同,或收到的报文的序列号出现得较早,即已经超过了抗重放窗口的范围,则认为该报文为重放报文。
对重放报文的解封装无意义,并且解封装过程涉及密码学运算,会消耗设备大量的资源,导致业务可用性下降,造成了拒绝服务攻击。通过开启IPsec抗重放检测功能,将检测到的重放报文在解封装处理之前丢弃,可以降低设备资源的消耗。
在某些特定环境下,业务数据报文的接收顺序可能与正常的顺序差别较大,虽然并非有意的重放攻击,但会被抗重放检测认为是重放报文,导致业务数据报文被丢弃,影响业务的正常运行。因此,这种情况下就可以通过关闭IPsec抗重放检测功能来避免业务数据报文的错误丢弃,也可以通过适当地增大抗重放窗口的宽度,来适应业务正常运行的需要。
· 只有IKE协商的IPsec SA才能够支持抗重放检测,手工方式生成的IPsec SA不支持抗重放检测。因此该功能开启与否对手工方式生成的IPsec SA没有影响。
· 使用较大的抗重放窗口宽度会引起系统开销增大,导致系统性能下降,与抗重放检测用于降低系统在接收重放报文时的开销的初衷不符,因此建议在能够满足业务运行需要的情况下,使用较小的抗重放窗口宽度。
· IPsec抗重放检测功能缺省是开启的,是否关闭该功能请根据实际需求慎重使用。
(1) 进入系统视图。
system-view
(2) 开启IPsec抗重放检测功能。
ipsec anti-replay check
缺省情况下,IPsec抗重放检测功能处于开启状态。
(3) 配置IPsec抗重放窗口宽度。
ipsec anti-replay window width
缺省情况下,IPsec抗重放窗口宽度为64。
IPsec抗重放窗口和序号的同步功能是指,以指定的报文间隔将接口上IPsec入方向抗重放窗口的左侧值和出方向IPsec报文的抗重放序号进行备份。当配置了防重放窗口和序号的同步间隔的IPsec策略/IPsec安全框架被应用到接口/IPv6路由协议上时,若IPsec冗余备份功能处于开启状态,则可以保证主备切换时IPsec流量不间断和抗重放保护不间断。
(1) 进入系统视图。
system-view
(2) 开启IPsec冗余备份功能。
ipsec redundancy enable
缺省情况下,IPsec冗余备份功能处于关闭状态。
(3) 进入IPsec策略视图/IPsec策略模板视图/IPsec安全框架视图。
¡ 进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ]
¡ 进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
¡ 进入IPsec安全框架视图。
ipsec profile profile-name [ isakmp | manual ]
(4) 配置防重放窗口和序号的同步间隔。
redundancy replay-interval inbound inbound-interval outbound outbound-interval
缺省情况下,同步入方向防重放窗口的报文间隔为1000个报文,同步出方向IPsec SA防重放序号的报文间隔为100000个报文。
此功能用来配置对本端IPsec隧道数目的限制。本端允许建立IPsec隧道的最大数与内存资源有关。内存充足时可以设置较大的数值,提高IPsec的并发性能;内存不足时可以设置较小的数值,降低IPsec占用内存的资源。
(1) 进入系统视图。
system-view
(2) 配置本端允许建立IPsec隧道的最大数。
ipsec limit max-tunnel tunnel-limit
缺省情况下,不限制本端允许建立IPsec隧道的最大数。
缺省情况下,如果IPsec对等体两端均采用IKE协商方式的IPsec安全框架建立IPsec SA,则两端均会主动发起协商,对等体之间将存在两个协商IPsec SA的过程,但对等体之间最终只会建立一个IPsec SA,该协商过程将会造成设备CPU资源的浪费。此时可以配置本功能,指定本端只能作为建立IPsec SA的响应方,不主动发起协商,可以有效解决此问题,同时也有助于IPsec故障的诊断和定位。
建议在中心-分支组网环境中的中心侧配置本功能。
(1) 进入系统视图。
system-view
(2) 进入IPsec策略视图/IPsec策略模板视图/IPsec安全框架视图。
¡ 进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number isakmp
¡ 进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
¡ 进入IPsec安全框架视图。
ipsec profile profile-name isakmp
(3) 开启本端仅作为协商IPsec SA的响应方功能。
responder-only enable
缺省情况下,本端仅作为协商IPsec SA的响应方功能处于关闭状态。
此功能用来配置IPsec SA生存时间和空闲超时功能。对于IKE协商建立的IPsec SA,遵循以下原则:
· 采用隧道两端设置的IPsec SA生存时间中较小者。
· 可同时存在基于时间和基于流量两种方式的IPsec SA生存时间,只要到达指定的时间或指定的流量,IPsec SA就会老化。
(1) 进入系统视图。
system-view
(2) 配置IPsec SA生存时间或者IPsec SA空闲超时时间。
¡ 配置IPsec SA生存时间。
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
缺省情况下,IPsec SA基于时间的生存时间为3600秒,基于流量的生存时间为1843200千字节。
¡ 配置IPsec SA的全局软超时缓冲参数。
ipsec sa global-soft-duration buffer { time-based seconds | traffic-based kilobytes }
缺省情况下,未配置全局软超时缓冲参数。
¡ 开启IPsec SA空闲超时功能,并配置IPsec SA空闲超时时间。
ipsec sa idle-time seconds
缺省情况下, IPsec SA空闲超时功能处于关闭状态。
不同方式的IPsec策略或安全框架对IPsec可靠性功能的支持情况不同,具体支持情况请参见表1-3中的详细信息。
表1-3 IPsec可靠性功能支持情况描述表
|
功能名称 |
IPsec策略(用于非隧道接口) |
手工方式IPsec安全框架(用于IPv6路由协议) |
IKE方式IPsec安全框架(用于隧道接口) |
SDWAN方式IPsec安全框架(用于SDWAN隧道接口) |
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
支持 |
支持 |
不支持 |
|
|
支持 |
不支持 |
支持 |
不支持 |
|
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
不支持 |
不支持 |
不支持 |
RRI(Reverse Route Injection,反向路由注入)功能是一种自动添加到达IPsec VPN私网静态路由的机制,可以实现为受IPsec保护的流量自动添加静态路由的功能。在大规模组网中,这种自动添加静态路由的机制可以简化用户配置,减少在企业总部网关设备上配置静态路由的工作量,并且可以根据IPsec SA的创建和删除进行静态路由的动态增加和删除,增强了IPsec VPN的可扩展性。
某企业在企业分支与企业总部之间的所有流量通过IPsec进行保护,企业总部网关上需要配置静态路由,将总部发往分支的数据引到应用IPsec策略的接口上来。如果未配置RRI,当企业分支众多或者内部网络规划发生变化时,就需要同时增加或调整总部网关上的静态路由配置,该项工作量大且容易出现配置错误。
企业总部侧网关设备GW上配置RRI功能后,每一个IPsec隧道建立之后,GW都会自动为其添加一条相应的静态路由。通过RRI创建的路由表项可以在路由表中查询到,其目的地址为受保护的对端网络,下一跳地址为IPsec隧道的对端地址或指定的地址,它使得发往对端的流量被强制通过IPsec保护并转发。
RRI创建的静态路由和手工配置的静态路由一样,可以向内网设备进行广播,允许内网设备选择合适的路由对IPsec VPN流量进行转发。也可以为RRI创建的静态路由配置优先级,从而更灵活地应用路由管理策略。例如:当设备上还有其他方式配置到达相同目的地的路由时,如果为它们指定相同的优先级,则可实现负载分担,如果指定不同的优先级,则可实现路由备份。同时,还可以通过修改静态路由的Tag值,使得设备能够在路由策略中根据Tag值对这些RRI生成的静态路由进行灵活的控制。
图1-17 IPsec VPN总部-分支组网图
开启RRI功能时,会删除相应IPsec策略协商出的所有IPsec SA。当有新的流量触发生成IPsec SA时,根据新协商的IPsec生成路由信息。
关闭RRI功能时,会删除相应IPsec策略协商出的所有IPsec SA。
RRI生成的静态路由随IPsec SA的创建而创建,随IPsec SA的删除而删除。
RRI功能在隧道模式和传输模式下都支持。
若修改了RRI生成的静态路由的优先级或Tag属性,则会删除由相应IPsec策略建立的IPsec SA和已添加的静态路由,修改后的属性值在下次生成IPsec SA且添加静态路由时生效。
在RRI功能开启的情况下,对于与未指定目的IP地址的ACL规则相匹配的报文流触发协商出的IPsec SA,设备并不会为其自动生成一条静态路由。因此,如果IPsec策略/IPsec策略模板引用了此类型的ACL规则,则需要通过手工配置一条到达对端受保护网络的静态路由。
(1) 进入系统视图。
system-view
(2) 进入IPsec策略视图或者IPsec策略模板视图。
¡ 进入IPsec策略视图。
ipsec { policy | ipv6-policy } policy-name seq-number isakmp
¡ 进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
(3) 开启IPsec反向路由注入功能。
reverse-route [ next-hop [ ipv6 ] ip-address ] dynamic
缺省情况下,IPsec反向路由注入功能处于关闭状态。
(4) (可选)配置IPsec反向路由功能生成的静态路由的优先级。
reverse-route preference number
缺省情况下,IPsec反向路由注入功能生成的静态路由的优先级为60。
(5) (可选)配置IPsec反向路由功能生成的静态路由的Tag值。
reverse-route tag tag-value
缺省情况下,IPsec反向路由注入功能生成的静态路由的tag值为0。
通过配置IPsec分片功能,可以选择在报文进行IPsec封装之前是否进行分片:
· IPsec封装前分片功能处于开启状态时,设备会先判断报文在经过IPsec封装之后大小是否会超过发送接口的MTU值,如果封装后的大小超过发送接口的MTU值,那么会先对其分片再封装。
· IPsec封装后分片功能处于开启状态时,无论报文封装后大小是否超过发送接口的MTU值,设备会直接对其先进行IPsec封装处理,再由后续业务对其进行分片。
该功能仅对需要进行IPsec封装的IPv4报文有效。
(1) 进入系统视图。
system-view
(2) 配置IPsec分片功能。
ipsec fragmentation { after-encryption | before-encryption }
缺省情况下,IPsec封装前分片功能处于开启状态。
IP报文头中的DF(Don’t Fragment,不分片)位用于控制报文是否允许被分片。在隧道模式下,IPsec会在原始报文外封装一个新的IP头,称为外层IP头。IPsec的DF位设置功能允许用户设置IPsec封装后的报文外层IP头的DF位,并支持以下三种设置方式:
· clear:表示清除外层IP头的DF位,IPsec封装后的报文可被分片。
· set:表示设置外层IP头的DF位,IPsec封装后的报文不能被分片。
· copy:表示外层IP头的DF位从原始报文IP头中拷贝。
封装后外层IP头的DF位可以在IPsec策略视图/IPsec策略模板视图/IPsec安全框架视图、接口视图和系统视图下分别配置,IPsec策略/IPsec策略模板/IPsec安全框架下的配置优先级最高。如果IPsec策略/IPsec策略模板/IPsec安全框架下未配置IPsec DF位,将使用接口下配置的IPsec DF位;如果接口下也未配置IPsec DF位,将使用系统视图下配置的全局IPsec DF位。
· 该功能仅在IPsec的封装模式为隧道模式时有效,仅用于设置IPsec隧道模式封装后的外层IP头的DF位,原始报文IP头的DF位不会被修改。
· 只有IKE协商方式的IPsec才能够支持本功能。
· 如果有多个接口应用了共享源接口安全策略,则这些接口上必须使用相同的DF位设置。
· 转发报文时对报文进行分片、重组,可能会导致报文的转发延时较大。若设置了封装后IPsec报文的DF位,则不允许对IPsec报文进行分片,可以避免引入分片延时。这种情况下,要求IPsec报文转发路径上各个接口的MTU大于IPsec报文长度,否则,会导致IPsec报文被丢弃。如果无法保证转发路径上各个接口的MTU大于IPsec报文长度,则建议清除DF位。
(1) 进入系统视图。
system-view
(2) 进入IPsec策略视图/IPsec策略模板视图/IPsec安全框架视图。
¡ 进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number isakmp
¡ 进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
¡ 进入IPsec安全框架视图。
ipsec profile profile-name isakmp
(3) 为IPsec策略/IPsec策略模板/IPsec安全框架设置IPsec封装后外层IP头的DF位。
sa df-bit { clear | copy | set }
缺省情况下,未设置IPsec封装后外层IP头的DF位,采用接口或全局设置的DF位。
(1) 进入系统视图。
system-view
(2) 进入接口视图。
interface interface-type interface-number
(3) 为当前接口设置IPsec封装后外层IP头的DF位。
ipsec df-bit { clear | copy | set }
缺省情况下,接口下未设置IPsec封装后外层IP头的DF位,采用全局设置的DF位。
(1) 进入系统视图。
system-view
(2) 为全局设置IPsec封装后外层IP头的DF位。
ipsec global-df-bit { clear | copy | set }
缺省情况下,IPsec封装后外层IP头的DF位从原始报文IP头中拷贝。
在中心-分支组网环境中,当有新的分支加入组网时,如果新分支侧配置的保护数据流范围过大,可能会导致其他分支的流量被引入到该分支,导致报文转发错误。配置本功能后,当中心侧设备与分支侧设备进行IPsec SA协商时,如果中心侧需要保护数据流的源、目的IP地址的掩码长度大于或等于本功能配置的值,则允许继续协商;否则,IPsec SA协商失败,设备将生成掩码过滤失败的告警信息,提示用户当前需要保护数据流的掩码设置过小。当IPsec SA协商失败时,管理员需要针对当前组网环境,重新规划分支侧的ACL配置。
仅IPv4网络支持本功能。
本功能仅在设备采用IPsec策略模板方式协商IPsec SA时生效。
建议在中心-分支组网环境中的中心侧配置本功能。
(1) 进入系统视图。
system-view
(2) 配置IPsec掩码过滤功能。
ipsec netmask-filter { destination-mask mask-length | source-mask mask-length } *
缺省情况下,未配置IPsec掩码过滤功能。
在中心-分支组网环境中,通常中心侧采用IPsec策略模板方式协商IPsec SA。当分支侧分支众多时,需保护的数据流范围可能会重叠。此时通过开启本功能,在协商IPsec SA时,设备会检测新建隧道与已有隧道的需保护数据流是否存在重叠。若重叠,则IPsec SA协商失败,设备将生成IPsec流量重叠检测失败的告警信息,提示用户当前需要保护的数据流存在流量重叠。当IPsec SA协商失败时,管理员需要针对当前组网环境,重新规划分支侧的ACL配置。
中心侧设备判断是否存在IPsec流量重叠的方法为:检测待保护数据流的目的IP地址范围是否与已有隧道保护的数据流的目的IP地址范围重叠。若重叠,则认为待保护的数据流与已有隧道保护的数据流发生了重叠。
本功能具有如下使用限制:
· 建议在中心-分支组网环境中的中心侧配置本功能。
· 仅在设备采用IPsec策略模板方式协商IPsec SA时生效。
· 仅支持对新建的IPsec SA进行流量重叠检测,不支持对已有的IPsec SA进行流量重叠检测。
· 仅支持在同一接口、同一VPN实例下进行流量重叠检测。
· 不支持对IPsec重协商后生成的IPsec SA进行流量重叠检测。
· 流量重叠检测时不会判断源IP地址范围是否与已有隧道保护的数据流的源IP地址范围重叠。
· 流量重叠检测对设备性能有一定的影响,建议仅在进行网络升级扩容等操作时开启,并在操作完成后及时关闭。
(1) 进入系统视图。
system-view
(2) 开启IPsec流量重叠检测功能。
ipsec flow-overlap check enable
缺省情况下,IPsec流量重叠检测功能处于关闭状态。
为了提高网络的可靠性,通常核心设备到ISP(Internet Service Provider,互联网服务提供商)都会有两条出口链路,它们互为备份或者为负载分担的关系。由于在不同的接口上应用安全策略时,各个接口将分别协商生成IPsec SA。因此,则在主备链路切换时,接口状态的变化会触发重新进行IKE协商,从而导致数据流的暂时中断。这种情况下,两个接口上的IPsec SA就需要能够平滑切换。
通过将一个IPsec策略与一个源接口绑定,使之成为共享源接口IPsec策略,可以实现主备链路切换时受IPsec保护的业务流量不中断。具体机制为:应用相同IPsec策略的多个物理接口共同使用一个指定的源接口(称为共享源接口)协商IPsec SA,当这些物理接口对应的链路切换时,如果该源接口的状态不变化,就不会删除该接口协商出的IPsec SA,也不需要重新触发IKE协商,各物理接口继续使用已有的IPsec SA保护业务流量。
· 只有IKE协商方式的IPsec策略才能配置为IPsec共享源接口安全策略。
· 一个IPsec策略只能与一个源接口绑定。
· 一个源接口可以同时与多个IPsec策略绑定。
· 删除与共享源接口IPsec策略绑定的共享源接口时,将使得该共享源接口IPsec策略恢复为普通IPsec策略。
· 若一个IPsec策略为共享源接口IPsec策略,但该IPsec策略中未指定隧道本端地址,则IKE将使用共享源接口地址作为IPsec隧道的本端地址进行IKE协商;如果共享源接口IPsec策略中指定了隧道本端地址,则将使用指定的隧道本端地址进行IKE协商。
(1) 进入系统视图。
system-view
(2) 配置IPsec策略为IPsec共享源接口安全策略。
ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
缺省情况下,IPsec策略不是共享源接口IPsec策略,即未将IPsec策略与任何源接口绑定。
不同方式的IPsec策略或安全框架对IPsec高级功能的支持情况不同,具体支持情况请参见表1-4中的详细信息。
表1-4 IPsec高级功能支持情况描述表
|
功能名称 |
IPsec策略(用于非隧道接口) |
手工方式IPsec安全框架(用于IPv6路由协议) |
IKE方式IPsec安全框架(用于隧道接口) |
SDWAN方式IPsec安全框架(用于SDWAN隧道接口) |
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
不支持 |
不支持 |
不支持 |
|
|
支持 |
支持 |
支持 |
支持 |
|
|
支持 |
支持 |
支持 |
支持 |
|
|
支持 |
支持 |
支持 |
不支持 |
|
|
不支持 |
不支持 |
支持 |
不支持 |
为了提高网络的稳定性和可靠性,企业通常会在网络出口配置多条链路。不同链路之间存在通信质量差异,实时状态也不尽相同,选择一条高质量的链路对于企业通信来说尤为重要。IPsec智能选路功能(IPsec Smart Link)在有多条可使用的链路能够到达目的网络的情况下,实时地自动探测链路的时延、丢包率,动态切换到满足通信质量要求的链路上建立IPsec隧道。用户也可以根据自己的实际需求手工指定使用的链路。
IPsec智能选路可以很好地解决以下问题:
· 网络出口多链路进行流量负载分担时,可能会出现一部分链路拥塞、另一部分链路闲置的情况;
· 用户无法基于链路传输质量或者服务费用自己选择链路;
· 当网络出口设备与目的设备之间的链路出现故障时,如果流量被转发到该故障链路上,会造成访问失败。
IPsec智能选路功能配置在企业分支网关设备上,实现在不同的链路之间选择一条符合质量要求的链路与总部建立IPsec隧道。
要实现IPsec智能选路功能,需要配置IPsec智能选路策略,通过该策略定义添加待选链路及选择链路的丢包率和时延阈值,并将IPsec智能选路策略应用在某个IPsec策略中。完成IPsec智能选路功能的配置后,设备根据IPsec策略识别出需要保护的报文时,会选择一条符合质量要求的链路建立一个相应的IPsec隧道实现总部和分支的通信。设备会将此IPsec策略自动应用到此链路所指定的本端接口上,无需用户手动配置。
IPsec智能选路的过程如下:
(1) 设备根据配置的IPsec智能选路策略探测周期定时发送探测报文获取当前使用链路的丢包率和时延。
(2) 当探测结果超过管理员设置的阈值时,设备会根据IPsec智能选路链路的优先级顺序从高到低循环切换,从中选择第一条符合质量要求的链路进行数据传输。如果链路都不符合质量要求,且循环次数达到配置的上限值后:
¡ 丢包率和延迟存在差异的情况下选择相对最优的链路。
¡ 如果丢包率和延迟都一样,则选择优先级最低的链路,等待10分钟后再重新探测。
· 配置企业分支网关设备时,需要注意的是:
¡ 一个IPsec智能选路策略只能被一个IPsec策略引用,一个IPsec策略也只能引用一个IPsec智能选路策略。
¡ 引用了IPsec智能选路策略的IPsec策略不要配置local-address和remote-address。
¡ 使用IPsec智能选路策略时,手动添加的静态路由不能与智能选路自动生成的静态路由目的地址相同,如果存在相同的情况,请删除手动添加的静态路由。
· 配置总部网关设备时,需要注意的是:
¡ 总部接口引用的安全策略必须是模板方式;
¡ 总部配置IKE时对端地址必须指定为任意地址0.0.0.0 0或者指定为在分支上的所有具体对端地址。
· IPsec智能选路功能仅支持IPv4。
(1) 进入系统视图。
system-view
(2) 配置IPsec智能选路策略。
¡ 创建一条IPsec智能选路策略,并进入IPsec智能选路策略视图。
ipsec smart-link policy policy-name
缺省情况下,不存在IPsec智能选路策略。
IPsec智能选路策略只能被IKE方式的IPsec策略引用,不能被模板方式和手工方式的IPsec策略引用。
¡ 配置IPsec智能选路的链路。
link link-id interface interface-type interface-number [ local local-address nexthop nexthop-address ] remote remote-address
缺省情况下,不存在IPsec智能选路链路。
¡ 开启IPsec智能选路功能。
smart-link enable
缺省情况下,IPsec智能选路功能处于关闭状态。
只有在IPsec智能选路功能处于开启状态的情况下,链路质量探测功能和链路切换功能才会生效。
¡ (可选)手动激活指定的IPsec智能选路的链路。
activate link link-id
手动激活链路后,会直接切换到该链路上建立IPsec隧道。
在智能选路功能开启的情况下,手动激活链路后,如果该链路的丢包率或时延高于设定的阈值,设备同样会进行链路的循环切换。循环切换的起始链路是手动激活的这条链路,循环切换的终止链路仍然是优先级最低的链路。
在智能选路功能关闭的情况下不会进行链路自动切换。
¡ (可选)调整IPsec智能选路的链路优先级。
move link link-id1 before link-id2
缺省情况下,IPsec按照配置的先后顺序选择链路,先配置的链路优先级高,后配置的链路优先级低。
也可使用move link命令移动链路的先后顺序来调整链路的优先级。当链路进行切换时,会按照链路的优先级从高到低顺序切换。
¡ (可选)配置IPsec智能选路链路循环切换的最大次数。
link-switch cycles number
缺省情况下,IPsec智能选路链路循环切换的最大次数为3。
循环切换的最大次数取值为0时,表示不限制链路循环切换的次数。
¡ 配置IPsec智能选路链路探测报文的发送时间间隔和每个探测周期内发送探测报文的总数。
link-probe { interval interval | count number }
缺省情况下,IPsec智能选路链路探测报文的发送时间间隔为1秒,每个探测周期内发送探测报文的总数为10个。
¡ 配置IPsec智能选路链路探测报文的源IP地址和目的IP地址。
link-probe source source-address destination destination-address
缺省情况下,使用IPsec智能选路链路中配置的本端IP地址和对端IP地址作为探测报文的源IP地址和目的IP地址。
¡ 配置IPsec智能选路链路切换的阈值。
link-switch threshold { loss loss-ratio | delay delay }
缺省情况下,IPsec智能选路策略下丢包率阈值为30%,时延阈值为500毫秒。
(3) 退回系统视图。
quit
(4) 进入接口视图。
interface interface-type { interface-number | interface-number.subnumber }
(5) 配置接口的网关地址。
gateway gateway-address [ no-route ]
缺省情况下,接口上未配置网关地址。
当IPsec智能选路链路中没有指定下一跳且不能自动获取时,必须在此接口上配置网关地址。
当本端接口通过DHCP或PPPoE方式获取IP地址时,配置的gateway不生效,获取的网关地址为Server端下发的下一跳。
(6) 退回系统视图。
quit
(7) 进入IPsec策略视图。
ipsec policy policy-name seq-number isakmp
(8) 配置IPsec策略引用的IPsec智能选路策略。
smart-link policy policy-name
缺省情况下,IPsec策略未引用IPsec智能选路策略。
当在接口上同时应用了IPsec策略与QoS策略时,缺省情况下,QoS使用封装后报文的外层IP头信息来对报文进行分类。但如果希望QoS基于被封装报文的原始IP头信息对报文进行分类,则需要配置QoS预分类功能来实现。
· 若在接口上同时配置IPsec和QoS,同一个IPsec SA保护的数据流如果被QoS分类进入不同队列,会导致部分报文发送乱序。由于IPsec具有抗重放功能,IPsec入方向上对于抗重放窗口之外的报文会进行丢弃,从而导致丢包现象。因此当IPsec与QoS配合使用时,必须保证IPsec分类与QoS分类规则配置保持一致。
· IPsec的分类规则完全由引用的ACL规则确定,QoS策略及QoS分类的相关介绍请参见“ACL和QoS配置指导”中的“QoS”。
(1) 进入系统视图。
system-view
(2) 进入IPsec策略视图或者IPsec策略模板视图。
¡ 进入IPsec策略视图。
ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ]
¡ 进入IPsec策略模板视图。
ipsec { ipv6-policy-template | policy-template } template-name seq-number
(3) 开启QoS预分类功能。
qos pre-classify
开启IPsec报文日志记录功能后,设备会在丢弃IPsec报文的情况下,例如入方向找不到对应的IPsec SA、AH/ESP认证失败、ESP加密失败等时,输出相应的日志信息,该日志信息内容主要包括报文的源和目的IP地址、报文的SPI值、报文的序列号信息,以及设备丢包的原因。
(1) 进入系统视图。
system-view
(2) 开启IPsec报文日志记录功能。
ipsec logging packet enable
缺省情况下,IPsec报文日志记录功能处于关闭状态。
开启IPsec协商事件日志记录功能后,设备会输出IPsec协商过程中的相关日志。
(1) 进入系统视图。
system-view
(2) 开启IPsec协商事件日志功能。
ipsec logging negotiation enable
缺省情况下,IPsec协商事件日志功能处于关闭状态。
开启IPsec的Trap功能后,IPsec会生成告警信息,用于向网管软件报告该模块的重要事件。生成的告警信息将被发送到设备的SNMP模块,通过设置SNMP中告警信息的发送参数,来决定告警信息输出的相关属性。有关告警信息的详细介绍,请参见“网络管理和监控配置指导”中的“SNMP”。
如果希望生成并输出某种类型的IPsec告警信息,则需要保证IPsec的全局告警功能以及相应类型的告警功能均处于开启状态。
(1) 进入系统视图。
system-view
(2) 开启IPsec的全局告警功能。
snmp-agent trap enable ipsec global
缺省情况下,IPsec的全局告警功能处于关闭状态。
(3) 开启IPsec的指定告警功能。
snmp-agent trap enable ipsec [ auth-failure | connection-start | connection-stop | decrypt-failure | encrypt-failure | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
缺省情况下,IPsec的所有告警功能均处于关闭状态。
开启IPsec P2MP隧道表项日志记录功能后,当IPsec P2MP隧道学习表项和删除表项时,设备会输出相关日志信息。有关日志信息的详细介绍,请参见“网络管理和监控配置指导”中的“信息中心”。
(1) 进入系统视图。
system-view
(2) 开启IPsec P2MP隧道表项日志功能。
ipsec logging ipsec-p2mp enable
缺省情况下,IPsec的P2MP隧道表项日志记录功能处于关闭状态。
在完成上述配置后,在任意视图下执行display命令可以显示配置后IPsec的运行情况,通过查看显示信息认证配置的效果。
在用户视图下执行reset命令可以清除IPsec统计信息。
非缺省vSystem不支持部分显示和维护命令,具体情况请见本特性的命令参考。
表1-5 IPsec显示和维护
|
操作 |
命令 |
|
显示IPsec的全局配置信息 |
display ipsec global-info |
|
显示IPsec安全策略的信息 |
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ] |
|
显示IPsec安全策略模板的信息 |
display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ] |
|
显示IPsec P2MP隧道表项的信息 |
(独立运行模式) display ipsec p2mp tunnel-table interface tunnel tunnel-number [ ipv4 | ipv6 ] [ slot slot-number ] (IRF模式) display ipsec p2mp tunnel-table interface tunnel tunnel-number [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ] |
|
显示IPsec安全框架的信息 |
display ipsec profile [ profile-name ] |
|
显示IPsec引流规则 |
(独立运行模式) display ipsec record rule slot slot-number (IRF模式) display ipsec record rule chassis chassis-number slot slot-number |
|
显示IPsec SA的相关信息 |
(独立运行模式) display ipsec record sa { inbound | outbound } slot slot-number (IRF模式) display ipsec record sa { inbound | outbound } chassis chassis-number slot slot-number |
|
显示IPsec SA的相关信息 |
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ] |
|
显示本端SDWAN模式的IPsec SA的相关信息 |
display ipsec sdwan-sa local [ brief | count | interface tunnel tunnel-number | spi spi-number ] |
|
显示对端SDWAN模式的IPsec SA的相关信息 |
display ipsec sdwan-sa remote [ brief | count ] |
|
显示SDWAN模式的IPsec隧道的报文统计信息 |
display ipsec sdwan-statistics [ tunnel-id tunnel-id ] |
|
显示SDWAN模式的IPsec隧道信息 |
display ipsec sdwan-tunnel [ brief | count | remote-site site-id device-id interface-id | tunnel-id tunnel-id ] |
|
显示IPsec智能选路策略的配置信息 |
display ipsec smart-link policy [ brief | name policy-name ] |
|
显示IPsec处理报文的统计信息 |
display ipsec statistics [ tunnel-id tunnel-id ] |
|
显示IPsec安全提议的信息 |
display ipsec transform-set [ transform-set-name ] |
|
显示IPsec隧道的信息 |
display ipsec tunnel [ count | tunnel-id tunnel-id ] |
|
清除已经建立的IPsec SA |
reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ] |
|
清除SDWAN模式的IPsec SA |
reset ipsec sdwan-sa [ local [ interface tunnel tunnel-number ] | remote ] |
|
清除SDWAN模式的IPsec隧道的报文统计信息 |
reset ipsec sdwan-statistics [ tunnel-id tunnel-id ] |
|
清除SDWAN模式的IPsec隧道信息 |
reset ipsec sdwan-tunnel [ tunnel-id tunnel-id ] |
|
清除IPsec的报文统计信息 |
reset ipsec statistics [ tunnel-id tunnel-id ] |
在Device A和Device B之间建立一条IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。具体要求如下:
· 封装形式为隧道模式。
· 安全协议采用ESP协议。
· 加密算法采用128比特的AES,认证算法采用HMAC-SHA1。
· 手工方式建立IPsec SA。
图1-18 保护IPv4报文的IPsec配置组网图
表1-6 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 2.2.2.2
[DeviceA] ip route-static 2.2.3.1 24 2.2.2.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.3.1
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.3.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 manual
[DeviceA-ipsec-policy-manual-map1-10] security acl 3101
[DeviceA-ipsec-policy-manual-map1-10] transform-set tran1
[DeviceA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
[DeviceA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[DeviceA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[DeviceA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[DeviceA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[DeviceA-ipsec-policy-manual-map1-10] quit
(8) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/2] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.3.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.3.2
[DeviceB] ip route-static 2.2.2.1 24 2.2.3.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceB] ipsec policy use1 10 manual
[DeviceB-ipsec-policy-manual-use1-10] security acl 3101
[DeviceB-ipsec-policy-manual-use1-10] transform-set tran1
[DeviceB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
[DeviceB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[DeviceB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[DeviceB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[DeviceB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[DeviceB-ipsec-policy-manual-use1-10] quit
(8) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/2] quit
# 以上配置完成后,Device A和Device B之间的IPsec隧道就建立好了,子网10.1.1.0/24与子网10.1.2.0/24之间数据流的传输将受到生成的IPsec SA的保护。可通过以下显示查看Device A上手工创建的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Alisa: map1-10
Mode: Manual
-----------------------------
Tunnel id: 549
Encapsulation mode: tunnel
Path MTU: 1443
Tunnel:
local address/port: 2.2.2.1/0
remote address/port: 2.2.3.1/0
Flow:
as defined in ACL 3101
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Connection ID: 1
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Connection ID: 2
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
# Device B上也会产生相应的IPsec SA来保护IPv4报文,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 24 2.2.2.2
ip route-static 2.2.3.1 24 2.2.2.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
security acl 3101
transform-set tran1
remote-address 2.2.3.1
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp simple abcdefg
sa string-key inbound esp simple gfedcba
#
interface gigabitethernet 1/0/2
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 24 2.2.3.2
ip route-static 2.2.2.1 24 2.2.3.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
security acl 3101
transform-set tran1
remote-address 2.2.2.1
sa spi outbound esp 54321
sa spi inbound esp 12345
sa string-key outbound esp simple gfedcba
sa string-key inbound esp simple abcdefg
#
interface gigabitethernet 1/0/2
ipsec apply policy use1
#
在Device A和Device B之间建立一条IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。具体要求如下:
· 封装形式为隧道模式。
· 安全协议采用ESP协议。
· 加密算法采用128比特的AES,认证算法采用HMAC-SHA1。
· IKE协商方式建立IPsec SA。
图1-19 保护IPv4报文的IPsec配置组网图
表1-7 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 2.2.2.2
[DeviceA] ip route-static 2.2.3.1 24 2.2.2.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.3.1
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.3.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[DeviceA-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用安全策略,具体配置步骤如下。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/2] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.3.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.3.2
[DeviceB] ip route-static 2.2.2.1 24 2.2.3.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义数据流需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的安全策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceB] ipsec policy use1 10 isakmp
[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-use1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/2] quit
# 以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKE进行IPsec SA的协商。IKE成功协商出IPsec SA后,子网10.1.1.0/24与子网10.1.2.0/24之间数据流的传输将受到IPsec SA的保护。可通过以下显示查看到协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Alisa: map1-10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1443
Tunnel:
local address/port: 2.2.3.1/500
remote address/port: 2.2.2.1/500
Flow:
sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: ip
dest addr: 2.2.2.1/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IPsec SA来保护IPv4报文,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 24 2.2.2.2
ip route-static 2.2.3.1 24 2.2.2.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.3.1 255.255.255.0
#
ipsec policy map1 10 isakmp
security acl 3101
transform-set tran1
local-address 2.2.2.1
remote-address 2.2.3.1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply policy map1
#
#
sysname DeviceB
##
interface gigabitethernet 1/0/1
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 24 2.2.3.2
ip route-static 2.2.2.1 24 2.2.3.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.2.1 255.255.255.0
#
ipsec policy use1 10 isakmp
security acl 3101
transform-set tran1
local-address 2.2.3.1
remote-address 2.2.2.1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply policy use1
#
在Device A和Device B之间建立一个IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。
· Device A和Device B之间采用IKE协商方式建立IPsec SA。
· Device A和DeviceB均使用RSA数字签名的认证方法。
· IKE第一阶段的协商模式为野蛮模式。
· Device A侧子网的IP地址为动态分配,并作为发起方。
图1-20 IKE野蛮模式及RSA数字签名认证配置组网图
表1-8 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
在开始下面的配置之前,假设已完成如下配置:
· DeviceA已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置IPv4高级ACL 3101,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceA] pki entity entity1
[DeviceA-pki-entity-entity1] common-name devicea
[DeviceA-pki-entity-entity1] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceA] pki domain domain1
[DeviceA-pki-domain-domain1] public-key rsa general name rsa1
[DeviceA-pki-domain-domain1] undo crl check enable
[DeviceA-pki-domain-domain1] quit
[DeviceA] pki import domain domain1 der ca filename ca.cer
[DeviceA] pki import domain domain1 p12 local filename server.pfx
(9) 配置证书访问策略,对用户访问权限进行进一步的控制
[DeviceA] pki certificate access-control-policy policy1
[DeviceA-pki-cert-acp-policy1] rule 1 permit group1
[DeviceA] pki certificate attribute-group group1
[DeviceA-pki-cert-attribute-group-group1] attribute 1 subject-name dn ctn 1
对端证书subject-name DN中需包含(ctn)规则中定义的字符串才被认为是有效的证书。本例使用的证书subject-name DN中包含字符“1”,因此在这里使用参数ctn 1。
(10) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] certificate domain domain1
[DeviceA-ike-profile-profile1] exchange-mode aggressive
[DeviceA-ike-profile-profile1] local-identity dn
[DeviceA-ike-profile-profile1] match remote certificate policy1
[DeviceA-ike-profile-profile1] quit
(11) 配置IKE提议,定义双方进行IKE协商所需的安全参数
[DeviceA] ike proposal 10
[DeviceA-ike-proposal-10] authentication-algorithm md5
[DeviceA-ike-proposal-10] authentication-method rsa-signature
[DeviceA-ike-proposal-10] quit
(12) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(13) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
在开始下面的配置之前,假设已完成如下配置:
· DeviceB已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置IPv4高级ACL 3101,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceB] pki entity entity2
[DeviceB-pki-entity-entity2] common-name deviceb
[DeviceB-pki-entity-entity2] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceB] pki domain domain2
[DeviceB-pki-domain-domain2] public-key rsa general name rsa1
[DeviceB-pki-domain-domain2] undo crl check enable
[DeviceB-pki-domain-domain2] quit
[DeviceB] pki import domain domain2 der ca filename ca.cer
[DeviceB] pki import domain domain2 p12 local filename server.pfx
(9) 配置证书访问策略,对用户访问权限进行进一步的控制
# 配置证书访问策略policy1。
[DeviceB] pki certificate access-control-policy policy1
[DeviceB-pki-cert-acp-policy1] rule 1 permit group1
[DeviceB] pki certificate attribute-group group1
[DeviceB-pki-cert-attribute-group-group1] attribute 1 subject-name dn ctn 1
对端证书subject-name DN中需包含(ctn)规则中定义的字符串才被认为是有效的证书。本例使用的证书subject-name DN中包含字符“1”,因此在这里使用参数ctn 1。
(10) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile2
[DeviceB-ike-profile-profile2] certificate domain domain2
[DeviceB-ike-profile-profile2] exchange-mode aggressive
[DeviceB-ike-profile-profile2] local-identity dn
[DeviceB-ike-profile-profile2] match remote certificate policy1
[DeviceB-ike-profile-profile2] quit
(11) 配置IKE提议,定义双方进行IKE协商所需的安全参数
[DeviceB] ike proposal 10
[DeviceB-ike-proposal-10] authentication-algorithm md5
[DeviceB-ike-proposal-10] authentication-method rsa-signature
[DeviceB-ike-proposal-10] quit
(12) 配置IPsec策略模板,用于创建IPsec策略
# 创建一条IPsec策略模板,名称为template1,顺序号为1。
[DeviceB] ipsec policy-template template1 1
[DeviceB-ipsec-policy-template-template1-1] transform-set tran1
[DeviceB-ipsec-policy-template-template1-1] ike-profile profile2
[DeviceB-ipsec-policy-template-template1-1] quit
(13) 创建IPsec策略,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ipsec policy use1 1 isakmp template template1
(14) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/1] quit
以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKE协商。
# 可通过如下显示信息查看到Device A和Device B上的IKE提议。
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 RSA-SIG MD5 DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 RSA-SIG MD5 DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
# 可通过如下显示信息查看到Device A上IKE第一阶段协商成功后生成的IKE SA。
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# 可通过如下显示信息查看到Device A上自动触发获取到的CA证书。
[DeviceA] display pki certificate domain domain1 ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 6 01:53:58 2012 GMT
Not After : Sep 8 01:50:58 2015 GMT
Subject: C=cn, O=rnd, OU=sec, CN=8088
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:
00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:
c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:
70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:
d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:
4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:
ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:
2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:
1b:31:03:78:4f:77:a0:db:af
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:
08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:
7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:
f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:
55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:
8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:
57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:
82:16
# 可通过如下显示信息查看到Device A上自动触发申请到的本地证书。
[DeviceA] display pki certificate domain domain1 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 26 02:06:43 2012 GMT
Not After : Sep 26 02:06:43 2013 GMT
Subject: CN=devicea
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:
84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:
17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:
25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:
d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:
2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:
ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:
79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:
f0:e5:62:e7:d0:81:5d:de:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:https://xx.rsa.com:447/8088.crl
Signature Algorithm: sha1WithRSAEncryption
73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:
9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:
cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:
30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:
f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:
21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:
65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:
7e:cd
# 可通过如下显示信息查看到Device A上IKE第二阶段协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1456
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IKE SA和IPsec SA,并自动获取CA证书,自动申请本地证书,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
pki entity entity1
common-name devicea
#
pki domain domain1
public-key rsa general name rsa1
undo crl check enable
#
pki import domain domain1 der ca filename ca.cer
pki import domain domain1 p12 local filename server.pfx
pki certificate access-control-policy policy1
rule 1 permit group1
pki certificate attribute-group group1
attribute 1 subject-name dn ctn 1
ike profile profile1
certificate domain domain1
exchange-mode aggressive
local-identity dn
match remote certificate policy1
#
ike proposal 10
authentication-algorithm md5
authentication-method rsa-signature
quit
ipsec policy map1 10 isakmp
remote-address 2.2.2.2
transform-set tran1
security acl 3101
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
quit
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
quit
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
pki entity entity2
common-name deviceb
#
pki domain domain2
public-key rsa general name rsa1
undo crl check enable
#
pki import domain domain2 der ca filename ca.cer
pki import domain domain2 p12 local filename server.pfx
pki certificate access-control-policy policy1
rule 1 permit group1
pki certificate attribute-group group1
attribute 1 subject-name dn ctn 1
ike profile profile2
certificate domain domain2
exchange-mode aggressive
local-identity dn
match remote certificate policy1
#
ike proposal 10
authentication-algorithm md5
authentication-method rsa-signature
#
ipsec policy-template template1 1
transform-set tran1
ike-profile profile2
#
ipsec policy use1 1 isakmp template template1
interface gigabitethernet 1/0/1
ipsec apply policy use1
#
在Device A和Device B之间建立一个IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。
· Device A和Device B之间采用IKE协商方式建立IPsec SA。
· Device A和DeviceB均使用SM2-DE数字信封的认证方法。
· IKE第一阶段的协商模式为国密主模式。
图1-21 IKE国密主模式及SM2-DE数字信封认证配置组网图
表1-9 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
在开始下面的配置之前,假设已完成如下配置:
· DeviceA已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置IPv4高级ACL 3101,定义要保护由子网10.1.1.0/24去子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm sm1-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sm3
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceA] pki entity entity1
[DeviceA-pki-entity-entity1] common-name devicea
[DeviceA-pki-entity-entity1] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceA] pki domain domain1
[DeviceA-pki-domain-domain1] public-key sm2 general name sm2-1
[DeviceA-pki-domain-domain1] undo crl check enable
[DeviceA-pki-domain-domain1] quit
[DeviceA] pki import domain domain1 der ca filename ca.cer
[DeviceA] pki import domain domain1 p12 local filename server.pfx
(9) 配置IKE提议,定义双方进行IKE协商所需的安全参数
[DeviceA] ike proposal 10
[DeviceA-ike-proposal-10] authentication-method sm2-de
[DeviceA-ike-proposal-10] authentication-algorithm sm3
[DeviceA-ike-proposal-10] encryption-algorithm sm1-cbc-128
[DeviceA-ike-proposal-10] quit
(10) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] exchange-mode gm-main
[DeviceA-ike-profile-profile1] certificate domain domain1
[DeviceA-ike-profile-profile1] proposal 10
[DeviceA-ike-profile-profile1] local-identity address 1.1.1.1
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ike-profile-profile1] quit
(11) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(12) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
在开始下面的配置之前,假设已完成如下配置:
· DeviceB已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置IPv4高级ACL 3101,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm sm1-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sm3
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceB] pki entity entity2
[DeviceB-pki-entity-entity2] common-name deviceb
[DeviceB-pki-entity-entity2] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceB] pki domain domain2
[DeviceB-pki-domain-domain2] public-key sm2 general name sm2-1
[DeviceB-pki-domain-domain2] undo crl check enable
[DeviceB-pki-domain-domain2] quit
[DeviceB] pki import domain domain2 der ca filename ca.cer
[DeviceB] pki import domain domain2 p12 local filename server.pfx
(9) 配置IKE提议,定义双方进行IKE协商所需的安全参数
[DeviceB] ike proposal 10
[DeviceB-ike-proposal-10] authentication-method sm2-de
[DeviceB-ike-proposal-10] authentication-algorithm sm3
[DeviceB-ike-proposal-10] encryption-algorithm sm1-cbc-128
[DeviceB-ike-proposal-10] quit
(10) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] exchange-mode gm-main
[DeviceB-ike-profile-profile1] certificate domain domain2
[DeviceB-ike-profile-profile1] proposal 10
[DeviceB-ike-profile-profile1] local-identity address 2.2.2.2
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
[DeviceB-ike-profile-profile1] quit
(11) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceB] ipsec policy use1 10 isakmp
[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-use1-10] quit
(12) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/1] quit
以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKE协商。
# 可通过如下显示信息查看到Device A和Device B上的IKE提议。
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 SM2-DE SM3 SM1-CBC-128 Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 SM2-DE SM3 SM1-CBC-128 Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
# 可通过如下显示信息查看到Device A上IKE第一阶段协商成功后生成的IKE SA。
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# 可通过如下显示信息查看到IKE第二阶段协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1456
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1451246811 (0x568044db)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-SM1-CBC-128 ESP-AUTH-SM3
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2692887942 (0xa0823586)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-SM1-CBC-128 ESP-AUTH-SM3
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IKE SA和IPsec SA,查看方式与Device A同,此处略。
#
sysname DeviceA
##
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm sm1-cbc-128
esp authentication-algorithm sm3
#
pki entity entity1
common-name devicea
#
pki domain domain1
public-key sm2 general name sm2-1
undo crl check enable
#
pki import domain domain1 der ca filename ca.cer
pki import domain domain1 p12 local filename server.pfx
ike proposal 10
authentication-method sm2-de
authentication-algorithm sm3
encryption-algorithm sm1-cbc-128
#
ike profile profile1
exchange-mode gm-main
certificate domain domain1
proposal 10
local-identity address 1.1.1.1
match remote identity address 2.2.2.2 255.255.0.0
#
ipsec policy map1 10 isakmp
remote-address 2.2.2.2
security acl 3101
transform-set tran1
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm sm1-cbc-128
esp authentication-algorithm sm3
#
pki entity entity2
common-name deviceb
#
pki domain domain2
public-key sm2 general name sm2-1
undo crl check enable
#
pki import domain domain2 der ca filename ca.cer
pki import domain domain2 p12 local filename server.pfx
ike proposal 10
authentication-method sm2-de
authentication-algorithm sm3
encryption-algorithm sm1-cbc-128
#
ike profile profile1
exchange-mode gm-main
certificate domain domain2
proposal 10
local-identity address 2.2.2.2
match remote identity address 1.1.1.1 255.255.0.0
#
ipsec policy use1 10 isakmp
remote-address 1.1.1.1
security acl 3101
transform-set tran1
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy use1
#
在Device A和Device B之间建立IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。
· Device A和Device B之间采用IKEv2协商方式建立IPsec SA。
· 使用用户自定义的IKEv2提议。
· 使用用户自定义的IKEv2安全策略。
图1-22 IKEv2预共享密钥认证配置组网图
表1-10 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.1.0/24去子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IKEv2 keychain,约定通信双方使用的密钥信息
[DeviceA] ikev2 keychain keychain1
[DeviceA-ikev2-keychain-keychain1] peer peer1
[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16
[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde
[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit
[DeviceA-ikev2-keychain-keychain1] quit
(8) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceA] ikev2 profile profile1
[DeviceA-ikev2-profile-profile1] authentication-method local pre-share
[DeviceA-ikev2-profile-profile1] authentication-method remote pre-share
[DeviceA-ikev2-profile-profile1] keychain keychain1
[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ikev2-profile-profile1] quit
(9) 配置IKEv2 proposal,约定建立IKE SA所需的协商参数,包括加密算法、完整性校验算法、PRF算法和DH组。
[DeviceA] ikev2 proposal proposal1
[DeviceA-ikev2-proposal-proposal1] encryption aes-cbc-128
[DeviceA-ikev2-proposal-proposal1] integrity sha1
[DeviceA-ikev2-proposal-proposal1] dh group5
[DeviceA-ikev2-proposal-proposal1] prf sha1
[DeviceA-ikev2-proposal-proposal1] quit
(10) 配置IKEv2 policy,设备将根据IKEv2安全策略中的安全提议进行协商。
[DeviceA] ikev2 policy policy1
[DeviceA-ikev2-policy-policy1] proposal proposal1
[DeviceA-ikev2-policy-policy1] match local address 1.1.1.1
[DeviceA-ikev2-policy-policy1] quit
(11) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(12) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKEv2 keychain,约定通信双方使用的密钥信息
[DeviceB] ikev2 keychain keychain1
[DeviceB-ikev2-keychain-keychain1] peer peer1
[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16
[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1
[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde
[DeviceB-ikev2-keychain-keychain1-peer-peer1] quit
[DeviceB-ikev2-keychain-keychain1] quit
(8) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceB] ikev2 profile profile1
[DeviceB-ikev2-profile-profile1] authentication-method local pre-share
[DeviceB-ikev2-profile-profile1] authentication-method remote pre-share
[DeviceB-ikev2-profile-profile1] keychain keychain1
[DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
[DeviceA-ikev2-profile-profile1] quit
(9) 配置IKEv2 proposal,约定建立IKE SA所需的协商参数,包括加密算法、完整性校验算法、PRF算法和DH组。
[DeviceB] ikev2 proposal proposal1
[DeviceB-ikev2-proposal-proposal1] encryption aes-cbc-128
[DeviceB-ikev2-proposal-proposal1] integrity sha1
[DeviceB-ikev2-proposal-proposal1] dh group5
[DeviceB-ikev2-proposal-proposal1] prf sha1
[DeviceB-ikev2-proposal-proposal1] quit
(10) 配置IKEv2 policy,设备将根据IKEv2安全策略中的安全提议与对端进行协商。
[DeviceB] ikev2 policy policy1
[DeviceB-ikev2-policy-policy1] proposal proposal1
[DeviceB-ikev2-policy-policy1] match local address 2.2.2.2
[DeviceB-ikev2-policy-policy1] quit
(11) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceB] ipsec policy use1 10 isakmp
[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1
[DeviceB-ipsec-policy-isakmp-use1-10] quit
(12) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/1] quit
以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKEv2协商。
# 可通过如下显示信息查看到Device A上的IKEv2提议和IKEv2安全策略。
[DeviceA] display ikev2 proposal
IKEv2 proposal : proposal1
Encryption: AES-CBC-128
Integrity: SHA1
PRF: SHA1
DH Group: MODP1536/Group5
IKEv2 proposal : default
Encryption: AES-CBC-128 3DES-CBC
Integrity: SHA1 MD5
PRF: SHA1 MD5
DH Group: MODP1536/Group5 MODP1024/Group2
[DeviceA] display ikev2 policy
IKEv2 policy: policy1
Priority: 100
Match local address: 1.1.1.1
Match VRF: public
Proposal: proposal1
IKEv2 policy : default
Match VRF : any
Proposal: default
Device B上IKEv2 提议和IKEv2安全策略的查看方式与Device A同,此处略。
# 可通过如下显示信息查看到Device A上IKEv2协商成功后生成的IKEv2 SA。
[DeviceA] display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
1 1.1.1.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
# 可通过如下显示信息查看到IKEv2协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1456
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 141733920771
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IKEv2 SA和IPsec SA,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ikev2 keychain keychain1
peer peer1
address 2.2.2.2 16
identity address 2.2.2.2
pre-shared-key plaintext abcde
#
ikev2 profile profile1
authentication-method local pre-share
authentication-method remote pre-share
keychain keychain1
match remote identity address 2.2.2.2 255.255.0.0
#
ikev2 proposal proposal1
encryption aes-cbc-128
integrity sha1
dh group5
prf sha1
#
ikev2 policy policy1
proposal proposal1
match local address 1.1.1.1
#
ipsec policy map1 10 isakmp
remote-address 2.2.2.2
security acl 3101
transform-set tran1
ikev2-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ikev2 keychain keychain1
peer peer1
address 1.1.1.1 16
identity address 1.1.1.1
pre-shared-key plaintext abcde
#
ikev2 profile profile1
authentication-method local pre-share
authentication-method remote pre-share
keychain keychain1
match remote identity address 1.1.1.1 255.255.0.0
#
ikev2 proposal proposal1
encryption aes-cbc-128
integrity sha1
dh group5
prf sha1
#
ikev2 policy policy1
proposal proposal1
match local address 2.2.2.2
#
ipsec policy use1 10 isakmp
remote-address 1.1.1.1
security acl 3101
transform-set tran1
ikev2-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy use1
#
在Device A和Device B之间建立IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。
· Device A和Device B之间采用IKEv2协商方式建立IPsec SA。
· Device A和DeviceB均使用RSA数字签名的认证方法。
· Device A侧子网的IP地址为动态分配,并作为发起方。
图1-23 IKEv2 RSA数字签名认证配置组网图
表1-11 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
在开始下面的配置之前,假设已完成如下配置:
· DeviceA已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceA] pki entity entity1
[DeviceA-pki-entity-entity1] common-name devicea
[DeviceA-pki-entity-entity1] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceA] pki domain domain1
[DeviceA-pki-domain-domain1] public-key rsa general name rsa1
[DeviceA-pki-domain-domain1] undo crl check enable
[DeviceA-pki-domain-domain1] quit
[DeviceA] pki import domain domain1 der ca filename ca.cer
[DeviceA] pki import domain domain1 p12 local filename server.pfx
(9) 配置证书访问策略,对用户访问权限进行进一步的控制
[DeviceA] pki certificate access-control-policy policy1
[DeviceA-pki-cert-acp-policy1] rule 1 permit group1
[DeviceA] pki certificate attribute-group group1
[DeviceA-pki-cert-attribute-group-group1] attribute 1 subject-name dn ctn 1
对端证书subject-name DN中需包含(ctn)规则中定义的字符串才被认为是有效的证书。本例使用的证书subject-name DN中包含字符“1”,因此在这里使用参数ctn 1。
(10) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceA] ikev2 profile profile1
[DeviceA-ikev2-profile-profile1] authentication-method local rsa-signature
[DeviceA-ikev2-profile-profile1] authentication-method remote rsa-signature
[DeviceA-ikev2-profile-profile1] certificate domain domain1
[DeviceA-ikev2-profile-profile1] identity local dn
[DeviceA-ikev2-profile-profile1] match remote certificate policy1
[DeviceA-ikev2-profile-profile1] quit
(11) 配置IKEv2 proposal,约定建立IKE SA所需的协商参数,包括加密算法、完整性校验算法、PRF算法和DH组。
[DeviceA] ikev2 proposal proposal1
[DeviceA-ikev2-proposal-proposal1] encryption aes-cbc-128
[DeviceA-ikev2-proposal-proposal1] integrity sha1
[DeviceA-ikev2-proposal-proposal1] dh group5
[DeviceA-ikev2-proposal-proposal1] prf sha1
[DeviceA-ikev2-proposal-proposal1] quit
(12) 配置IKEv2 policy,设备将根据IKEv2安全策略中的安全提议进行协商。
[DeviceA] ikev2 policy policy1
[DeviceA-ikev2-policy-policy1] proposal proposal1
[DeviceA-ikev2-policy-policy1] match local address 1.1.1.1
[DeviceA-ikev2-policy-policy1] quit
(13) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(14) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
在开始下面的配置之前,假设已完成如下配置:
· DeviceB已获取到CA证书ca.cer和服务器证书server.pfx。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.2.0/24去子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置PKI实体,设置PKI实体的身份信息
[DeviceB] pki entity entity2
[DeviceB-pki-entity-entity2] common-name deviceb
[DeviceB-pki-entity-entity2] quit
(8) 配置PKI域,约定PKI证书申请的相关信息
[DeviceB] pki domain domain2
[DeviceB-pki-domain-domain2] public-key rsa general name rsa1
[DeviceB-pki-domain-domain2] undo crl check enable
[DeviceB-pki-domain-domain2] quit
[DeviceB] pki import domain domain2 der ca filename ca.cer
[DeviceB] pki import domain domain2 p12 local filename server.pfx
(9) 配置证书访问策略,对用户访问权限进行进一步的控制
[DeviceB] pki certificate access-control-policy policy1
[DeviceB-pki-cert-acp-policy1] rule 1 permit group1
[DeviceB] pki certificate attribute-group group1
[DeviceB-pki-cert-attribute-group-group1] attribute 1 subject-name dn ctn 1
对端证书subject-name DN中需包含(ctn)规则中定义的字符串才被认为是有效的证书。本例使用的证书subject-name DN中包含字符“1”,因此在这里使用参数ctn 1。
(10) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceB] ikev2 profile profile2
[DeviceB-ikev2-profile-profile2] authentication-method local rsa-signature
[DeviceB-ikev2-profile-profile2] authentication-method remote rsa-signature
[DeviceB-ikev2-profile-profile2] certificate domain domain2
[DeviceB-ikev2-profile-profile2] identity local dn
[DeviceB-ikev2-profile-profile2] match remote certificate policy1
[DeviceB-ikev2-profile-profile2] quit
(11) 配置IKEv2 proposal,约定建立IKE SA所需的协商参数,包括加密算法、完整性校验算法、PRF算法和DH组。
[DeviceB] ikev2 proposal proposal1
[DeviceB-ikev2-proposal-proposal1] encryption aes-cbc-128
[DeviceB-ikev2-proposal-proposal1] integrity sha1
[DeviceB-ikev2-proposal-proposal1] dh group5
[DeviceB-ikev2-proposal-proposal1] prf sha1
[DeviceB-ikev2-proposal-10] quit
(12) 配置IKEv2 policy,设备将根据IKEv2安全策略中的安全提议与对端进行协商。
[DeviceB] ikev2 policy policy1
[DeviceB-ikev2-policy-policy1] proposal proposal1
[DeviceB-ikev2-policy-policy1] match local address 2.2.2.2
[DeviceB-ikev2-policy-policy1] quit
(13) 配置IPsec策略模板,用于创建IPsec策略
[DeviceB] ipsec policy-template template1 1
[DeviceB-ipsec-policy-template-template1-1] remote-address 1.1.1.1
[DeviceB-ipsec-policy-template-template1-1] security acl 3101
[DeviceB-ipsec-policy-template-template1-1] transform-set tran1
[DeviceB-ipsec-policy-template-template1-1] ikev2-profile profile2
[DeviceB-ipsec-policy-template-template1-1] quit
(14) 创建IPsec策略,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ipsec policy use1 1 isakmp template template1
(15) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/1] quit
以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKEv2协商。
# 可通过如下显示信息查看到Device A上的IKEv2提议和IKEv2安全策略。
[DeviceA] display ikev2 proposal
IKEv2 proposal : proposal1
Encryption: AES-CBC-128
Integrity: SHA1
PRF: SHA1
DH Group: MODP1536/Group5
IKEv2 proposal : default
Encryption: AES-CBC-128 3DES-CBC
Integrity: SHA1 MD5
PRF: SHA1 MD5
DH Group: MODP1536/Group5 MODP1024/Group2
[DeviceA] display ikev2 policy
IKEv2 policy: policy1
Priority: 100
Match local address: 1.1.1.1
Match VRF: public
Proposal: proposal1
IKEv2 policy : default
Match VRF : any
Proposal: default
Device B上IKEv2 提议和IKEv2安全策略的查看方式与Device A同,此处略。
# 可通过如下显示信息查看到Device A和Device B上的IKEv2安全策略。
[DeviceA] display ikev2 policy 1
IKEv2 policy : 1
Priority: 100
Match Local : any
Match VRF : public
Proposal : 10
[DeviceB] display ikev2 policy 1
IKEv2 policy : 1
Priority: 100
Match Local : any
Match VRF : public
Proposal : 10
# 可通过如下显示信息查看到Device A上IKEv2协商成功后生成的IKEv2 SA。
[DeviceA] display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
1 1.1.1.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
# 可通过如下显示信息查看到Device A上自动触发获取到的CA证书。
[DeviceA] display pki certificate domain domain1 ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 6 01:53:58 2012 GMT
Not After : Sep 8 01:50:58 2015 GMT
Subject: C=cn, O=rnd, OU=sec, CN=8088
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:
00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:
c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:
70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:
d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:
4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:
ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:
2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:
1b:31:03:78:4f:77:a0:db:af
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:
08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:
7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:
f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:
55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:
8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:
57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:
82:16
# 可通过如下显示信息查看到Device A上自动触发申请到的本地证书。
[DeviceA]display pki certificate domain domain1 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 26 02:06:43 2012 GMT
Not After : Sep 26 02:06:43 2013 GMT
Subject: CN=devicea
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:
84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:
17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:
25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:
d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:
2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:
ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:
79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:
f0:e5:62:e7:d0:81:5d:de:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:https://xx.rsa.com:447/8088.crl
Signature Algorithm: sha1WithRSAEncryption
73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:
9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:
cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:
30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:
f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:
21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:
65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:
7e:cd
# 可通过如下显示信息查看到Device A上IKEv2协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1456
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 141733920771
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 141733920770
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IKEv2 SA和IPsec SA,并自动获取CA证书,自动申请本地证书,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
pki entity entity1
common-name devicea
#
pki domain domain1
public-key rsa general name rsa1
undo crl check enable
#
pki import domain domain1 der ca filename ca.cer
pki import domain domain1 p12 local filename server.pfx
pki certificate access-control-policy policy1
rule 1 permit group1
pki certificate attribute-group group1
attribute 1 subject-name dn ctn 1
ikev2 profile profile1
authentication-method local rsa-signature
authentication-method remote rsa-signature
certificate domain domain1
identity local dn
match remote certificate policy1
#
ikev2 proposal proposal1
encryption aes-cbc-128
integrity sha1
dh group5
prf sha1
#
ikev2 policy policy1
proposal proposal1
match local address 1.1.1.1
#
ipsec policy map1 10 isakmp
remote-address 2.2.2.2
transform-set tran1
security acl 3101
ikev2-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
pki entity entity2
common-name deviceb
#
pki domain domain2
public-key rsa general name rsa1
undo crl check enable
#
pki import domain domain2 der ca filename ca.cer
pki import domain domain2 p12 local filename server.pfx
pki certificate access-control-policy policy1
rule 1 permit group1
pki certificate attribute-group group1
attribute 1 subject-name dn ctn 1
ikev2 profile profile2
authentication-method local rsa-signature
authentication-method remote rsa-signature
certificate domain domain2
identity local dn
match remote certificate policy1
#
ikev2 proposal proposal1
encryption aes-cbc-128
integrity sha1
dh group5
prf sha1
#
ikev2 policy policy1
proposal proposal1
match local address 2.2.2.2
#
ipsec policy-template template1 1
remote-address 1.1.1.1
security acl 3101
transform-set tran1
ikev2-profile profile2
#
ipsec policy use1 1 isakmp template template1
interface gigabitethernet 1/0/1
ipsec apply policy use1
#
Device A在NAT安全网关内网侧,所连接的内网侧用户使用NAT地址3.3.3.1访问外网。要求在Device A和Device B之间建立一个IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。具体需要求如下:
· 协商双方使用缺省的IKE提议。
· 协商模式为野蛮模式协商。
· 第一阶段协商的认证方法为预共享密钥认证。
图1-24 IKE野蛮模式及NAT穿越配置组网图
表1-12 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置IPv4高级ACL 3000,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3000
[DeviceA-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[DeviceA] ipsec transform-set transform1
[DeviceA-ipsec-transform-set-transform1] protocol esp
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-transform1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
[DeviceA-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] exchange-mode aggressive
[DeviceA-ike-profile-profile1] local-identity fqdn devicea.example.com
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set transform1
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[DeviceB] ipsec transform-set transform1
[DeviceB-ipsec-transform-set-transform1] protocol esp
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
(6) 配置IKE keychain,约定通信双方使用的密钥信息
# 配置与IP地址为1.1.1.1的对端使用的预共享密钥为明文12345zxcvb!@#$%ZXCVB。在本例中,来自1.1.1.1的报文经NAT转换后,源IP地址被转换为3.3.3.1,因此指定预共享密钥时对端IP地址为3.3.3.1。
[DeviceB]ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 3.3.3.1 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
[DeviceB-ike-keychain-keychain1] quit
(7) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] exchange-mode aggressive
[DeviceB-ike-profile-profile1] match remote identity fqdn devicea.example.com
[DeviceB-ike-profile-profile1] quit
(8) 配置IPsec策略模板,用于创建IPsec策略
[DeviceB] ipsec policy-template template1 1
[DeviceB-ipsec-policy-template-template1-1] transform-set transform1
[DeviceB-ipsec-policy-template-template1-1] local-address 2.2.2.2
[DeviceB-ipsec-policy-template-template1-1] ike-profile profile1
[DeviceB-ipsec-policy-template-template1-1] quit
(9) 创建IPsec策略,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ipsec policy policy1 1 isakmp template template1
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0/1] quit
(11) 配置NAT
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Sysname> system-view
[Sysname] sysname NAT
[NAT] interface gigabitethernet 1/0/1
[NAT-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.0.0
[NAT-GigabitEthernet1/0/1] quit
[NAT] interface gigabitethernet 1/0/2
[NAT-GigabitEthernet1/0/2] ip address 3.3.3.1 255.255.0.0
[NAT-GigabitEthernet1/0/2] quit
# 配置静态地址转换功能。
[NAT] nat static outbound 1.1.1.1 3.3.3.10
[NAT] interface gigabitethernet 1/0/2
[NAT-GigabitEthernet1/0/2] nat static enable
以上配置完成后,子网10.1.1.0/24若向子网10.1.2.0/24发送报文,将触发IKE协商。
# 可通过如下显示信息查看到Device A上IKE第一阶段协商成功后生成的IKE SA。
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
13 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[DeviceA] display ike sa verbose
-----------------------------------------------
Connection ID: 13
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
Output interface index: 2
-----------------------------------------------
Local IP/port: 1.1.1.1/500
Local ID type: FQDN
Local ID: devicea.example.com
Remote IP/port: 2.2.2.2/500
Remote ID type: IPV4_ADDR
Remote ID: 2.2.2.2
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84565
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Detected
Extend authentication: Disabled
Assigned IP address:
# 可通过如下显示信息查看到IKE第二阶段协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1435
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 830667426 (0x3182faa2)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 3516214669 (0xd1952d8d)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max sent sequence-number:
UDP encapsulation used for NAT traversal: Y
Status: Active
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3000
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set transform1
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ike keychain keychain1
pre-shared-key address 2.2.2.2 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
#
ike profile profile1
keychain keychain1
exchange-mode aggressive
local-identity fqdn devicea.example.com
match remote identity address 2.2.2.2 255.255.0.0
#
ipsec policy policy1 1 isakmp
remote-address 2.2.2.2
transform-set transform1
security acl 3000
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 3.3.3.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
ipsec transform-set transform1
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ike keychain keychain1
pre-shared-key address 3.3.3.1 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
#
ike profile profile1
keychain keychain1
exchange-mode aggressive
match remote identity fqdn devicea.example.com
#
ipsec policy-template template1 1
transform-set transform1
local-address 2.2.2.2
ike-profile profile1
#
ipsec policy policy1 1 isakmp template template1
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
#
sysname NAT
#
interface gigabitethernet 1/0/1
ip address 1.1.1.2 255.255.0.0
#
interface gigabitethernet 1/0/2
ip address 3.3.3.1 255.255.0.0
#
ipsec transform-set transform1
nat static outbound 1.1.1.1 3.3.3.10
interface gigabitethernet 1/0/2
nat static enable
#
Device A在NAT安全网关内网侧。要求在Device A和Device B之间建立一个IPsec隧道,对Host A所在的子网(10.1.1.2/24)与Host B所在的子网(10.1.2.2/24)之间的数据流进行安全保护。具体需要求如下:
· 协商双方使用缺省的IKEv2安全提议和IKEv2安全策略。
· 第一阶段协商的认证方法为预共享密钥认证。
图1-25 IKEv2 NAT穿越配置组网图
表1-13 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2
[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set transform1
[DeviceA-ipsec-transform-set-transform1] protocol esp
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-transform1] quit
(7) 配置IKEv2 keychain,约定通信双方使用的密钥信息
[DeviceA] ikev2 keychain keychain1
[DeviceA-ikev2-keychain-keychain1] peer peer1
[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16
[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123
[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit
[DeviceA-ikev2-keychain-keychain1] quit
(8) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceA] ikev2 profile profile1
[DeviceA-ikev2-profile-profile1] keychain keychain1
[DeviceA-ikev2-profile-profile1] identity local fqdn devicea.example.com
[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ikev2-profile-profile1] authentication-method local pre-share
[DeviceA-ikev2-profile-profile1] authentication-method remote pre-share
[DeviceA-ikev2-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条手工方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定对端的IP地址,具体配置步骤如下。
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 2.2.2.2
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set transform1
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3101
[DeviceA-ipsec-policy-isakmp-policy1-1] ikev2-profile profile1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceA-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.1,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1
[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置ACL 3101,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set transform1
[DeviceB-ipsec-transform-set-transform1] protocol esp
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
(7) 配置IKEv2 keychain,约定通信双方使用的密钥信息
[DeviceB]ikev2 keychain keychain1
[DeviceB-ikev2-keychain-keychain1] peer peer1
[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 3.3.3.1 16
[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 3.3.3.1
[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123
[DeviceB-ikev2-keychain-keychain1-peer-peer1] quit
[DeviceB-ikev2-keychain-keychain1] quit
(8) 配置IKEv2 profile,约定建立IKE SA所需的安全参数
[DeviceB] ikev2 profile profile1
[DeviceB-ikev2-profile-profile1] keychain keychain1
[DeviceB-ikev2-profile-profile1] match remote identity fqdn devicea.example.com
[DeviceB-ikev2-profile-profile1] authentication-method local pre-share
[DeviceB-ikev2-profile-profile1] authentication-method remote pre-share
[DeviceB-ikev2-profile-profile1] quit
(9) 配置IPsec策略模板,用于创建IPsec策略
[DeviceB] ipsec policy-template template1 1
[DeviceB-ipsec-policy-template-template1-1] remote-address 3.3.3.1
[DeviceB-ipsec-policy-template-template1-1] security acl 3101
[DeviceB-ipsec-policy-template-template1-1] transform-set transform1
[DeviceB-ipsec-policy-template-template1-1] ikev2-profile profile1
[DeviceB-ipsec-policy-template-template1-1] quit
(10) 创建IPsec策略,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ipsec policy policy1 1 isakmp template template1
(11) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0/1] quit
(12) 配置NAT
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Sysname> system-view
[Sysname] sysname NAT
[NAT] interface gigabitethernet 1/0/1
[NAT-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.0.0
[NAT-GigabitEthernet1/0/1] quit
[NAT] interface gigabitethernet 1/0/2
[NAT-GigabitEthernet1/0/2] ip address 3.3.3.1 255.255.0.0
[NAT-GigabitEthernet1/0/2] quit
# 配置静态地址转换功能。
[NAT] nat static outbound 1.1.1.1 3.3.3.10
[NAT] interface gigabitethernet 1/0/2
[NAT-GigabitEthernet1/0/2] nat static enable
以上配置完成后,子网10.1.1.0/24若向子网10.1.2.0/24发送报文,将触发IKEv2协商。
# 可通过如下显示信息查看到Device A上IKEv2协商成功后生成的IKEv2 SA。
[DeviceA] display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
1 1.1.1.1/4500 2.2.2.2/4500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
[DeviceA] display ikev2 sa verbose
Tunnel ID: 45
Local IP/Port: 1.1.1.1/4500
Remote IP/Port: 2.2.2.2/4500
Outside VRF: -
Inside VRF: -
Local SPI: 372228d699a33c63
Remote SPI: 75c537621b4a7190
Local ID type: ID_FQDN
Local ID: devicea.example.com
Remote ID type: ID_IPV4_ADDR
Remote ID: 2.2.2.2
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: SHA1
PRF algorithm: SHA1
Encryption algorithm: AES-CBC-128
Life duration: 86400 secs
Remaining key duration: 86177 secs
Diffie-Hellman group: MODP1536/Group5
NAT traversal: Detected
DPD: Interval 0 secs, retry interval 0 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 0
Local next message ID: 2
Remote next message ID: 0
# 可通过如下显示信息查看到IKEv2协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1435
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.2.1.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 830667426 (0x3182faa2)
Connection ID: 605590388736
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 3516214669 (0xd1952d8d)
Connection ID: 227633266689
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max sent sequence-number:
UDP encapsulation used for NAT traversal: Y
Status: Active
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.0.0
#
ip route-static 10.1.2.0 24 1.1.1.2
ip route-static 2.2.2.2 16 1.1.1.2
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
acl advanced 3101
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set transform1
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ikev2 keychain keychain1
peer peer1
address 2.2.2.2 16
identity address 2.2.2.2
pre-shared-key plaintext 123
#
ikev2 profile profile1
keychain keychain1
identity local fqdn devicea.example.com
match remote identity address 2.2.2.2 255.255.0.0
authentication-method local pre-share
authentication-method remote pre-share
#
ipsec policy policy1 1 isakmp
remote-address 2.2.2.2
transform-set transform1
security acl 3101
ikev2-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.0.0
#
ip route-static 10.1.1.0 24 2.2.2.1
ip route-static 1.1.1.1 16 2.2.2.1
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 3.3.3.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3101
rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set transform1
protocol esp
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ikev2 keychain keychain1
peer peer1
address 3.3.3.1 16
identity address 3.3.3.1
pre-shared-key plaintext 123
#
ikev2 profile profile1
keychain keychain1
match remote identity fqdn devicea.example.com
authentication-method local pre-share
authentication-method remote pre-share
#
ipsec policy-template template1 1
remote-address 3.3.3.1
security acl 3101
transform-set transform1
ikev2-profile profile1
#
ipsec policy policy1 1 isakmp template template1
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
#
sysname NAT
#
interface gigabitethernet 1/0/1
ip address 1.1.1.2 255.255.0.0
#
interface gigabitethernet 1/0/2
ip address 3.3.3.1 255.255.0.0
#
ipsec transform-set transform1
nat static outbound 1.1.1.1 3.3.3.10
interface gigabitethernet 1/0/2
nat static enable
#
用户主机Host和Device之间建立一个IPsec隧道,对用户主机和Device之间的数据流进行安全保护。
· Host和Device之间采用IKE协商方式建立IPsec SA。
· IKE第一阶段协商的认证方法为预共享密钥认证。
· Device对Host进行IKE扩展认证,认证方式采用远程RADIUS认证。
图1-26 IKE支持远程扩展认证配置组网图
表1-14 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
· 请保证Host与Device之间路由可达。
· 完成RADIUS服务器上的配置,保证Host使用指定的用户名和密码(本例中,用户名为test,密码为123456TESTplat&!)可以完成身份认证。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
[Device] interface GigabitEthernet1/0/2
[Device-GigabitEthernet1/0/2] ip address 3.3.3.3 255.255.255.0
[Device-GigabitEthernet1/0/2] quit
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达Host所在网络的下一跳IP地址为2.2.2.3实际使用中请以具体组网情况为准,具体配置步骤如下。
[Device] ip route-static 1.1.1.1 24 2.2.2.3
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] quit
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/2
[Device-security-zone-Trust] quit
(4) 配置安全策略放行Untrust与Local安全域之间的流量,用于Host访问设备。
# 配置名称为ipseclocalout1的安全策略规则,使Device可以向Host发送报文,具体配置步骤如下。
[Device] security-policy ip
[Device-security-policy-ip] rule name ipseclocalout1
[Device-security-policy-ip-1-ipseclocalout1] source-zone local
[Device-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[Device-security-policy-ip-1-ipseclocalout1] source-ip-host 2.2.2.2
[Device-security-policy-ip-1-ipseclocalout1] destination-ip-host 1.1.1.1
[Device-security-policy-ip-1-ipseclocalout1] action pass
[Device-security-policy-ip-1-ipseclocalout1] quit
# 配置名称为ipseclocalin1的安全策略规则,使Host可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalin1
[Device-security-policy-ip-2-ipseclocalin1] source-zone untrust
[Device-security-policy-ip-2-ipseclocalin1] destination-zone local
[Device-security-policy-ip-2-ipseclocalin1] source-ip-host 1.1.1.1
[Device-security-policy-ip-2-ipseclocalin1] destination-ip-host 2.2.2.2
[Device-security-policy-ip-2-ipseclocalin1] action pass
[Device-security-policy-ip-2-ipseclocalin1] quit
# 配置名称为ipseclocalout2的安全策略规则,使Device可以向RADIUS server发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalout2
[Device-security-policy-ip-3-ipseclocalout2] source-zone local
[Device-security-policy-ip-3-ipseclocalout2] destination-zone trust
[Device-security-policy-ip-3-ipseclocalout2] source-ip-host 3.3.3.3
[Device-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.48
[Device-security-policy-ip-3-ipseclocalout2] action pass
[Device-security-policy-ip-3-ipseclocalout2] quit
# 配置名称为ipseclocalin2的安全策略规则,使RADIUS server可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalin2
[Device-security-policy-ip-4-ipseclocalin2] source-zone trust
[Device-security-policy-ip-4-ipseclocalin2] destination-zone local
[Device-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.48
[Device-security-policy-ip-4-ipseclocalin2] destination-ip-host 3.3.3.3
[Device-security-policy-ip-4-ipseclocalin2] action pass
[Device-security-policy-ip-4-ipseclocalin2] quit
[Device-security-policy-ip] quit
(5) 配置RADIUS方案
# 创建RADIUS方案ike-scheme。
[Device] radius scheme ike-scheme
# 配置主RADIUS认证服务器IP地址为3.3.3.48,端口为1645。
[Device-radius-ike-scheme] primary authentication 3.3.3.48 1645
# 配置与认证服务器交互报文时的共享密钥为明文abc。
[Device-radius-ike-scheme] key authentication simple abc
# 配置向RADIUS服务器发送的用户名不携带域名。(此配置可根据服务器对用户名的要求调整)
[Device-radius-ike-scheme] user-name-format without-domain
[Device-radius-ike-scheme] quit
(6) 配置ISP域
# 配置ISP域ike,指定IKE用户的认证方法。
[Device] domain ike
[Device-isp-ike] authentication ike radius-scheme ike-scheme
[Device-isp-ike] quit
(7) 定义数据流
# 配置IPv4高级ACL 3101,定义要保护由2.2.2.2到1.1.1.1的数据流。
[Device] acl advanced 3101
[Device-acl-ipv4-adv-3101] rule permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0.0.0.0
[Device-acl-ipv4-adv-3101] quit
(8) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议tran1,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] encapsulation-mode transport
[Device-ipsec-transform-set-tran1] protocol esp
[Device-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] quit
(9) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建IKE keychain,名称为keychain1,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[Device] ike keychain keychain1
[Device-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
[Device-ike-keychain-keychain1] quit
(10) 配置IKE profile,约定建立IKE SA所需的安全参数
[Device] ike profile profile1
[Device-ike-profile-profile1] keychain keychain1
[Device-ike-profile-profile1] local-identity address 2.2.2.2
[Device-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.255
[Device-ike-profile-profile1] client-authentication xauth
[Device-ike-profile-profile1] quit
(11) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的IPsec策略,名称为map1,顺序号为10。
[Device] ipsec policy map1 10 isakmp
[Device-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[Device-ipsec-policy-isakmp-map1-10] security acl 3101
[Device-ipsec-policy-isakmp-map1-10] transform-set tran1
[Device-ipsec-policy-isakmp-map1-10] ike-profile profile1
[Device-ipsec-policy-isakmp-map1-10] quit
(12) 在接口上应用IPsec策略
# 在接口GigabitEthernet1/0/1上应用IPsec策略map1。
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipsec apply policy map1
[Device-GigabitEthernet1/0/1] quit
Host上需要完成IPsec VPN客户端的如下主要配置,并保证与Device端的相关配置相匹配:
· IPsec隧道对端的安全网关IP地址
· IKE第一阶段认证采用的预共享密钥
· 扩展认证采用的用户名和密码
· IPsec安全协议,以及采用的加密算法、认证算法
· IKE协商参数
· 本地及远端的ID类型与取值
以上配置完成后,Host和Device之间如果有1.1.1.1与2.2.2.2之间的报文通过,将触发IKE协商。
# 可通过如下显示信息查看到Device上IKE第一阶段协商成功后生成的IKE SA的详细信息,并可查看到对客户端的扩展认证处于开启状态。
[Device] display ike sa verbose remote-address 1.1.1.1
-----------------------------------------------
Connection ID: 18
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
Output interface index: 2
-----------------------------------------------
Local IP/port: 2.2.2.2/500
Local ID type: IPV4_ADDR
Local ID: 2.2.2.2
Remote IP/port: 1.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 1.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84565
Exchange-mode: Aggressive
Diffie-Hellman group: Group 1
NAT traversal: Detected
Extend authentication: Enabled
Assigned IP address:
若Host端提供了正确的用户名和密码,将能够与Device之间成功建立IPsec隧道。在Device上可以通过display ipsec sa命令查看到生成的IPsec SA信息。
#
sysname Device
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 3.3.3.3 255.255.255.0
#
ip route-static 1.1.1.1 24 2.2.2.3
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout1
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin1
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
quit
rule name ipseclocalout2
source-zone local
destination-zone trust
source-ip-host 3.3.3.3
destination-ip-host 3.3.3.48
action pass
#
rule name ipseclocalin2
source-zone trust
destination-zone local
source-ip-host 3.3.3.48
destination-ip-host 3.3.3.3
action pass
#
radius scheme ike-scheme
primary authentication 3.3.3.48 1645
key authentication simple abc
user-name-format without-domain
#
domain ike
authentication ike radius-scheme ike-scheme
#
acl advanced 3101
rule permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0.0.0.0
#
ipsec transform-set tran1
encapsulation-mode transport
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
quit
ike profile profile1
keychain keychain1
local-identity address 2.2.2.2
match remote identity address 1.1.1.1 255.255.255.255
client-authentication xauth
#
ipsec policy map1 10 isakmp
remote-address 1.1.1.1
security acl 3101
transform-set tran1
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
用户主机Host和Device建立一个IPsec隧道,对用户主机和Server之间的数据流进行安全保护。
· Host和Device之间采用IKE协商方式建立IPsec SA。
· IKE第一阶段协商的认证方法为预共享密钥认证。
· Device对Host进行IKE本地扩展认证,认证方式采用本地AAA认证,Device为Host分配IPv4地址。
图1-27 IKE支持本地扩展认证及授权配置组网图
表1-15 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
· 请保证Host与Device、Host与Server之间路由可达。
· 保证Host使用指定的用户名和密码(本例中,用户名为test,密码为123456TESTplat&!)可以完成身份认证。
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
[Device] interface GigabitEthernet1/0/2
[Device-GigabitEthernet1/0/2] ip address 3.3.3.3 255.255.255.0
[Device-GigabitEthernet1/0/2] quit
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达Host所在网络的下一跳IP地址为2.2.2.3实际使用中请以具体组网情况为准,具体配置步骤如下。
[Device] ip route-static 1.1.1.1 24 2.2.2.3
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] quit
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/2
[Device-security-zone-Trust] quit
(4) 配置安全策略放行Untrust与Local安全域之间的流量,用于Host访问设备。
# 配置名称为ipseclocalout1的安全策略规则,使Device可以向Host发送报文,具体配置步骤如下。
[Device] security-policy ip
[Device-security-policy-ip] rule name ipseclocalout1
[Device-security-policy-ip-1-ipseclocalout1] source-zone local
[Device-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[Device-security-policy-ip-1-ipseclocalout1] source-ip-host 2.2.2.2
[Device-security-policy-ip-1-ipseclocalout1] destination-ip-host 1.1.1.1
[Device-security-policy-ip-1-ipseclocalout1] action pass
[Device-security-policy-ip-1-ipseclocalout1] quit
# 配置名称为ipseclocalin1的安全策略规则,使Host可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalin1
[Device-security-policy-ip-2-ipseclocalin1] source-zone untrust
[Device-security-policy-ip-2-ipseclocalin1] destination-zone local
[Device-security-policy-ip-2-ipseclocalin1] source-ip-host 1.1.1.1
[Device-security-policy-ip-2-ipseclocalin1] destination-ip-host 2.2.2.2
[Device-security-policy-ip-2-ipseclocalin1] action pass
[Device-security-policy-ip-2-ipseclocalin1] quit
# 配置名称为ipseclocalout2的安全策略规则,使Device可以向RADIUS server发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalout2
[Device-security-policy-ip-3-ipseclocalout2] source-zone local
[Device-security-policy-ip-3-ipseclocalout2] destination-zone trust
[Device-security-policy-ip-3-ipseclocalout2] source-ip-host 3.3.3.3
[Device-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.48
[Device-security-policy-ip-3-ipseclocalout2] action pass
[Device-security-policy-ip-3-ipseclocalout2] quit
# 配置名称为ipseclocalin2的安全策略规则,使RADIUS server可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name ipseclocalin2
[Device-security-policy-ip-4-ipseclocalin2] source-zone trust
[Device-security-policy-ip-4-ipseclocalin2] destination-zone local
[Device-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.48
[Device-security-policy-ip-4-ipseclocalin2] destination-ip-host 3.3.3.3
[Device-security-policy-ip-4-ipseclocalin2] action pass
[Device-security-policy-ip-4-ipseclocalin2] quit
[Device-security-policy-ip] quit
(5) 配置ISP域
# 创建ISP域dm并进入其视图,指定IKE用户的认证方法。
[Device] domain dm
[Device-isp-dm] authentication ike local
[Device-isp-dm] authorization ike local
[Device-isp-dm] quit
(6) 创建IKE本地地址池
# 创建IKE本地地址池pool,地址范围为20.1.1.1~20.1.1.20。
[Device] ike address-group pool 20.1.1.1 20.1.1.20
(7) 配置本地用户
# 创建本地用户ike,用户类型为网络接入类。
[Device] local-user ike class network
# 配置本地用户ike的服务类型为ike,授权地址池的名称为pool。
[Device-luser-network-ike] service-type ike
[Device-luser-network-ike] authorization-attribute ip-pool pool
[Device-luser-network-ike] quit
# 创建本地用户test,用户类型为网络接入类,用于扩展认证Host。
[Device] local-user test class network
# 配置本地用户test的服务类型为ike,密码为abc。
[Device-luser-network-test] service-type ike
[Device-luser-network-test] password simple abc
[Device-luser-network-test] quit
(8) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建IKE keychain,名称为keychain1,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[Device] ike keychain keychain1
[Device-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
[Device-ike-keychain-keychain1] quit
(9) 配置IKE profile,约定建立IKE SA所需的安全参数
[Device] ike profile profile1
[Device-ike-profile-profile1] keychain keychain1
[Device-ike-profile-profile1] local-identity address 2.2.2.2
[Device-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.255
[Device-ike-profile-profile1] client-authentication xauth
[Device-ike-profile-profile1] aaa authorization domain dm username ike
[Device-ike-profile-profile1] quit
(10) 配置IPsec安全提议,协商封装报文使用的各种安全协议
[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] encapsulation-mode transport
[Device-ipsec-transform-set-tran1] protocol esp
[Device-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] quit
(11) 配置IPsec策略模板,建立IPsec隧道,保护需要防护的数据流
# 创建一个IPsec策略模板pt,并进入IPsec策略模板pt的视图。
[Device] ipsec policy-template pt 1
[Device-ipsec-policy-template-pt-1] transform-set tran1
[Device-ipsec-policy-template-pt-1] ike-profile profile1
[Device-ipsec-policy-template-pt-1] reverse-route dynamic
[Device-ipsec-policy-template-pt-1] quit
(12) 创建安全策略
# 引用安全策略模板pt创建一条IKE协商方式的安全策略map1。
[Device] ipsec policy map1 1 isakmp template pt
(13) 在接口上应用IPsec策略
# 在接口GigabitEthernet1/0/1上应用IPsec策略map1。
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipsec apply policy map1
[Device-GigabitEthernet1/0/1] quit
Host上需要完成IPsec VPN客户端的如下主要配置,并保证与Device端的相关配置相匹配:
· IPsec隧道对端的安全网关IP地址;
· IKE第一阶段认证采用的预共享密钥;
· 扩展认证采用的用户名和密码(本例为用户test);
· IPsec安全协议,以及采用的加密算法、认证算法;
· IKE协商参数;
· 本地及远端的ID类型与取值。
以上配置完成后,Host如果有报文发送到3.3.3.48,将触发IKE协商。
# 可通过如下显示信息查看到Device上IKE第一阶段协商成功后生成的IKE SA的详细信息,并可查看到对客户端的扩展认证处于开启状态。
[Device] display ike sa verbose remote-address 1.1.1.1
-----------------------------------------------
Connection ID: 18
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Responder
Output interface index: 2
-----------------------------------------------
Local IP/port: 2.2.2.2/500
Local ID type: IPV4_ADDR
Local ID: 2.2.2.2
Remote IP/port: 1.1.1.1/500
Remote ID type: IPV4_ADDR
Remote ID: 1.1.1.1
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 84565
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Detected
Extend authentication: Enabled
Assigned IP address: 20.1.1.2
若Host端提供了正确的用户名和密码,将能够与Device之间成功建立IPsec隧道。在Device上可以通过display ipsec sa命令查看到生成的IPsec SA信息。
<Device> display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 2
Encapsulation mode: transport
Perfect Forward Secrecy:
Transmitting entity: Initiator
Path MTU: 1427
Tunnel:
local address/port: 2.2.2.2/500
remote address/port: 1.1.1.1/500
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 20.1.1.2/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2374047012 (0x8d811524)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843198/3259
Max received sequence-number: 24
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 146589619 (0x08bcc7b3)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3259
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1839568/3164
Max sent sequence-number: 2793
UDP encapsulation used for NAT traversal: N
Status: Active
#
sysname Device
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 3.3.3.3 255.255.255.0
#
ip route-static 1.1.1.1 24 2.2.2.3
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout1
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin1
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalout2
source-zone local
destination-zone trust
source-ip-host 3.3.3.3
destination-ip-host 3.3.3.48
action pass
#
rule name ipseclocalin2
source-zone trust
destination-zone local
source-ip-host 3.3.3.48
destination-ip-host 3.3.3.3
action pass
#
domain dm
authentication ike local
authorization ike local
#
ike address-group pool 20.1.1.1 20.1.1.20
local-user ike class network
service-type ike
authorization-attribute ip-pool pool
#
local-user test class network
service-type ike
password simple abc
#
ike keychain keychain1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
local-identity address 2.2.2.2
match remote identity address 1.1.1.1 255.255.255.255
client-authentication xauth
aaa authorization domain dm username ike
#
ipsec transform-set tran1
encapsulation-mode transport
protocol esp
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec policy-template pt 1
transform-set tran1
ike-profile profile1
reverse-route dynamic
#
ipsec policy map1 1 isakmp template pt
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
在Device A和Device B之间建立一条IPsec隧道,对Host A所在的子网(333::/64)与Host B所在的子网(555::/64)之间的数据流进行安全保护。具体要求如下:
· 封装形式为隧道模式。
· 安全协议采用ESP协议。
· 加密算法采用128比特的AES,认证算法采用HMAC-SHA1。
· IKE协商方式建立IPsec SA。
图1-28 保护IPv6报文的IPsec配置组网图
表1-16 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipv6 address 333::1/64
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为111::2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ipv6 route-static 555::0 64 111::2
[DeviceA] ipv6 route-static 222::0 64 111::2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ipv6
[DeviceA-security-policy-ipv6] rule name ipseclocalout
[DeviceA-security-policy-ipv6-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ipv6-1-ipseclocalout] source-ip-host 111::1
[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-ip-host 222::1
[DeviceA-security-policy-ipv6-1-ipseclocalout] action pass
[DeviceA-security-policy-ipv6-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ipv6] rule name ipseclocalin
[DeviceA-security-policy-ipv6-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ipv6-2-ipseclocalin] source-ip-host 222::1
[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-ip-host 111::1
[DeviceA-security-policy-ipv6-2-ipseclocalin] action pass
[DeviceA-security-policy-ipv6-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ipv6] rule name trust-untrust
[DeviceA-security-policy-ipv6-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ipv6-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ipv6-3-trust-untrust] source-ip-subnet 333::1 64
[DeviceA-security-policy-ipv6-3-trust-untrust] destination-ip-subnet 555::1 64
[DeviceA-security-policy-ipv6-3-trust-untrust] action pass
[DeviceA-security-policy-ipv6-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ipv6] rule name untrust-trust
[DeviceA-security-policy-ipv6-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ipv6-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ipv6-4-untrust-trust] source-ip-subnet 555::1 64
[DeviceA-security-policy-ipv6-4-untrust-trust] destination-ip-subnet 333::1 64
[DeviceA-security-policy-ipv6-4-untrust-trust] action pass
[DeviceA-security-policy-ipv6-4-untrust-trust] quit
[DeviceA-security-policy-ipv6] quit
(5) 定义需要保护的数据流
# 配置一个IPv6高级ACL,定义要保护由子网333::/64去往子网555::/64的数据流。
[DeviceA] acl ipv6 advanced 3101
[DeviceA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[DeviceA-acl-ipv6-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] match remote identity address ipv6 222::1 64
[DeviceA-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceA] ipsec ipv6-policy map1 10 isakmp
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply ipv6-policy map1
[DeviceA-GigabitEthernet1/0/2] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipv6 address 555::1/64
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为222::2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ipv6 route-static 333::0 64 222::2
[DeviceB] ipv6 route-static 111::0 64 222::2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ipv6
[DeviceB-security-policy-ipv6] rule name ipseclocalout
[DeviceB-security-policy-ipv6-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ipv6-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ipv6-1-ipseclocalout] source-ip-host 222::1
[DeviceB-security-policy-ipv6-1-ipseclocalout] destination-ip-host 111::1
[DeviceB-security-policy-ipv6-1-ipseclocalout] action pass
[DeviceB-security-policy-ipv6-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ipv6] rule name ipseclocalin
[DeviceB-security-policy-ipv6-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ipv6-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ipv6-2-ipseclocalin] source-ip-host 111::1
[DeviceB-security-policy-ipv6-2-ipseclocalin] destination-ip-host 222::1
[DeviceB-security-policy-ipv6-2-ipseclocalin] action pass
[DeviceA-security-policy-ipv6-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ipv6] rule name trust-untrust
[DeviceB-security-policy-ipv6-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ipv6-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ipv6-3-trust-untrust] source-ip-subnet 333::1 64
[DeviceB-security-policy-ipv6-3-trust-untrust] destination-ip-subnet 555::1 64
[DeviceB-security-policy-ipv6-3-trust-untrust] action pass
[DeviceB-security-policy-ipv6-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ipv6] rule name untrust-trust
[DeviceB-security-policy-ipv6-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ipv6-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ipv6-4-untrust-trust] source-ip-subnet 555::1 64
[DeviceB-security-policy-ipv6-4-untrust-trust] destination-ip-subnet 333::1 64
[DeviceB-security-policy-ipv6-4-untrust-trust] action pass
[DeviceB-security-policy-ipv6-4-untrust-trust] quit
[DeviceB-security-policy-ipv6] quit
(5) 定义需要保护的数据流
# 配置一个IPv6高级ACL,定义要保护由子网555::/64去往子网333::/64的数据流。
[DeviceB] acl ipv6 advanced 3101
[DeviceB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64
[DeviceB-acl-ipv6-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] match remote identity address ipv6 111::1 64
[DeviceB-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceB] ipsec ipv6-policy use1 10 isakmp
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1
[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply ipv6-policy use1
[DeviceB-GigabitEthernet1/0/2] quit
# 以上配置完成后,当Device A和Device B之间有子网333::/64与子网555::/64之间的报文通过时,将触发IKE进行IPsec SA的协商。IKE成功协商出IPsec SA后,子网333::/64与子网555::/64之间数据流的传输将受到IPsec SA的保护。可通过以下显示查看到协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Alisa: map1-10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1423
Tunnel:
local address/port: 111::1/500
remote address/port: 222::1/500
Flow:
sour addr: 111::1/0 port: 0 protocol: ipv6
dest addr: 222::1/0 port: 0 protocol: ipv6
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
Connection ID: 1
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Connection ID: 2
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IPsec SA来保护IPv6报文,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ipv6 address 333::1/64
#
ipv6 route-static 555::0 64 111::2
ipv6 route-static 222::0 64 111::2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ipv6
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 111::1
destination-ip-host 222::1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 222::1
destination-ip-host 111::1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 333::1 64
destination-ip-subnet 555::1 64
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 555::1 64
destination-ip-subnet 333::1 64
action pass
#
acl ipv6 advanced 3101
rule permit ipv6 source 333::0 64 destination 555::0 64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address ipv6 222::1 64
#
ipsec ipv6-policy map1 10 isakmp
security acl ipv6 3101
transform-set tran1
local-address ipv6 111::1
remote-address ipv6 222::1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply ipv6-policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ipv6 address 555::1/64
#
ipv6 route-static 333::0 64 222::2
ipv6 route-static 111::0 64 222::2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ipv6
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 222::1
destination-ip-host 111::1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 111::1
destination-ip-host 222::1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 333::1 64
destination-ip-subnet 555::1 64
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 555::1 64
destination-ip-subnet 333::1 64
action pass
#
acl ipv6 advanced 3101
rule permit ipv6 source 555::/64 destination 333::/64
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address ipv6 111::1 64
#
ipsec ipv6-policy use1 10 isakmp
security acl ipv6 3101
transform-set tran1
local-address ipv6 222::1
remote-address ipv6 111::1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply ipv6-policy use1
#
企业分支通过IPsec VPN接入企业总部,有如下具体需求:
· 总部网关Device A和各分支网关Device B、Device C之间建立IPsec隧道,对总部网络4.4.4.0/24分别与分支网络5.5.5.0/24和6.6.6.0/24之间的数据进行安全保护。
· 使用IKE协商方式建立IPsec SA,采用ESP安全协议,DES加密算法,HMAC-SHA-1-96认证算法。
· IKE协商采用预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
· 总部网关Device A采用IKE安全策略模板方式,分支网关Device B和DeviceC采用IKE安全策略方式。
图1-29 IPsec策略模板方式配置组网图
表1-17 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和分支网络的下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2
[DeviceA] ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
[DeviceA] ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout1的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout1
[DeviceA-security-policy-ip-1-ipseclocalout1] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout1] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout1] action pass
[DeviceA-security-policy-ip-1-ipseclocalout1] quit
# 配置名称为ipseclocalin1的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin1
[DeviceA-security-policy-ip-2-ipseclocalin1] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin1] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin1] action pass
[DeviceA-security-policy-ip-2-ipseclocalin1] quit
# 配置名称为ipseclocalout2的安全策略规则,使Device A可以向Device C发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalout2
[DeviceA-security-policy-ip-3-ipseclocalout2] source-zone local
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-zone untrust
[DeviceA-security-policy-ip-3-ipseclocalout2] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-3-ipseclocalout2] action pass
[DeviceA-security-policy-ip-3-ipseclocalout2] quit
# 配置名称为ipseclocalin2的安全策略规则,使Device A可以接收和处理来自Device C的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin2
[DeviceA-security-policy-ip-4-ipseclocalin2] source-zone untrust
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-zone local
[DeviceA-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-4-ipseclocalin2] action pass
[DeviceA-security-policy-ip-4-ipseclocalin2] quit
b. 配置安全策略放行Host A与Host B、Host C之间的流量
# 配置名称为trust-untrust1的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust1
[DeviceA-security-policy-ip-5-trust-untrust1] source-zone trust
[DeviceA-security-policy-ip-5-trust-untrust1] destination-zone untrust
[DeviceA-security-policy-ip-5-trust-untrust1] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-5-trust-untrust1] destination-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-5-trust-untrust1] action pass
[DeviceA-security-policy-ip-5-trust-untrust1] quit
# 配置名称为untrust-trust1的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust1
[DeviceA-security-policy-ip-6-untrust-trust1] source-zone untrust
[DeviceA-security-policy-ip-6-untrust-trust1] destination-zone trust
[DeviceA-security-policy-ip-6-untrust-trust1] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-6-untrust-trust1] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-6-untrust-trust1] action pass
[DeviceA-security-policy-ip-6-untrust-trust1] quit
# 配置名称为trust-untrust2的安全策略规则,使Host A访问Host C的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust2
[DeviceA-security-policy-ip-7-trust-untrust2] source-zone trust
[DeviceA-security-policy-ip-7-trust-untrust2] destination-zone untrust
[DeviceA-security-policy-ip-7-trust-untrust2] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] destination-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-7-trust-untrust2] action pass
[DeviceA-security-policy-ip-7-trust-untrust2] quit
# 配置名称为untrust-trust2的安全策略规则,使Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust2
[DeviceA-security-policy-ip-8-untrust-trust2] source-zone untrust
[DeviceA-security-policy-ip-8-untrust-trust2] destination-zone trust
[DeviceA-security-policy-ip-8-untrust-trust2] source-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-8-untrust-trust2] action pass
[DeviceA-security-policy-ip-8-untrust-trust2] quit
[DeviceA-security-policy-ip] quit
(5) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(6) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为2.2.2.2的对端使用的预共享密钥为明文123。
[DeviceA] ike keychain key1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key1] quit
# 创建并配置名为key2的IKE keychain,指定与地址为3.3.3.3的对端使用的预共享密钥为明文456。
[DeviceA] ike keychain key2
[DeviceA-ike-keychain-key2] pre-shared-key address 3.3.3.3 key simple 456
[DeviceA-ike-keychain-key2] quit
(7) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain key1
[DeviceA-ike-profile-profile1] keychain key2
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 255.255.255.0
[DeviceA-ike-profile-profile1] quit
(8) 配置IPsec策略模板,用于创建IPsec策略
# 创建并配置名为temp1的IPsec策略模板,引用安全提议tran1
[DeviceA] ipsec policy-template temp1 1
[DeviceA-ipsec-policy-template-temp1-1] transform-set tran1
[DeviceA-ipsec-policy-template-temp1-1] ike-profile profile1
(9) 引用安全策略模板temp1创建一条IKE协商方式的安全策略policy1,建立IPsec隧道,保护需要防护的数据流
[DeviceA] ipsec policy map1 10 isakmp template temp1
(10) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定使用预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit
(11) 在接口下引用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和总部网络的下一跳IP地址为2.2.2.3,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 配置ACL,定义需要保护的数据流
# 配置IPv4高级ACL 3000,定义要保护由子网5.5.5.0/24去往子网4.4.4.0/24的数据流。
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为1.1.1.1的对端使用的预共享密钥为明文123。
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ike-keychain-key1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
(9) 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为1.1.1.1。
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
(10) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] quit
(11) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达对端网关设备和总部网络的下一跳IP地址为3.3.3.4,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceC] ip route-static 4.4.4.0 24 3.3.3.4
[DeviceC] ip route-static 1.1.1.1 24 3.3.3.4
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device C可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device C可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host C与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host C的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
(5) 配置ACL,定义需要保护的数据流
# 配置IPv4高级ACL 3000,定义要保护由子网6.6.6.0/24去往子网4.4.4.0/24的数据流。
[DeviceC] acl advanced 3000
[DeviceC-acl-ipv4-adv-3000] rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceC-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为1.1.1.1的对端使用的预共享密钥为明文456。
[DeviceC] ike keychain key1
[DeviceC-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 456
[DeviceC-ike-keychain-key1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceC] ike profile profile1
[DeviceC-ike-profile-profile1] keychain key1
[DeviceC-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceC-ike-profile-profile1] quit
(9) 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为1.1.1.1。
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[DeviceC-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceC-ipsec-policy-isakmp-map1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceC-GigabitEthernet1/0/1] quit
# 以上配置完成后,当分支子网5.5.5.0/24向总部网络4.4.4.0/24发起数据连接时,将触发Device B和Device A之间进行IKE协商。IKE成功协商出IPsec SA后,企业总部与分支子网之间的数据流传输将受到IPsec SA的保护。
# 可通过如下显示信息查看到Device A上IKE第一阶段协商成功后生成的IKE SA。
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# 可通过如下显示信息查看到Device A上协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1463
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1014286405 (0x3c74c845)
Connection ID: 1
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4011716027 (0xef1dedbb)
Connection ID: 2
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.2 24 1.1.1.2
ip route-static 3.3.3.3 24 1.1.1.2
ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout1
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin1
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalout2
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 3.3.3.3
action pass
#
rule name ipseclocalin2
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust1
source-zone trust
destination-zone untrust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 5.5.5.0 24
action pass
#
rule name untrust-trust1
source-zone untrust
destination-zone trust
source-ip-subnet 5.5.5.0 24
destination-ip-subnet 4.4.4.0 24
action pass
#
rule name trust-untrust2
source-zone trust
destination-zone untrust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 6.6.6.0 24
action pass
#
rule name untrust-trust2
source-zone untrust
destination-zone trust
source-ip-subnet 6.6.6.0 24
destination-ip-subnet 4.4.4.0 24
action pass
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ike keychain key1
pre-shared-key address 2.2.2.2 key simple 123
quit
ike keychain key2
pre-shared-key address 3.3.3.3 key simple 456
#
ike profile profile1
keychain key1
keychain key2
match remote identity address 2.2.2.2 255.255.255.0
match remote identity address 3.3.3.3 255.255.255.0
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile profile1
ipsec policy map1 10 isakmp template temp1
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.255.0
#
ip route-static 4.4.4.0 24 2.2.2.3
ip route-static 1.1.1.1 24 2.2.2.3
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 5.5.5.0 24
destination-ip-subnet 4.4.4.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 5.5.5.0 24
action pass
#
acl advanced 3000
rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ike keychain key1
pre-shared-key address 1.1.1.1 key simple 123
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 2.2.2.2
remote-address 1.1.1.1
ike-profile profile1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
#
sysname DeviceC
#
interface gigabitethernet 1/0/1
ip address 3.3.3.3 255.255.255.0
#
ip route-static 4.4.4.0 24 3.3.3.4
ip route-static 1.1.1.1 24 3.3.3.4
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 3.3.3.3
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 6.6.6.0 24
destination-ip-subnet 4.4.4.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 6.6.6.0 24
action pass
#
acl advanced 3000
rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des
esp authentication-algorithm sha1
#
ike keychain key1
pre-shared-key address 1.1.1.1 key simple 456
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 3.3.3.3
remote-address 1.1.1.1
ike-profile profile1
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
如下图所示,Device A、Device B和Device C相连,并通过RIPng来学习网络中的IPv6路由信息。在各设备之间建立IPsec隧道,对它们收发的RIPng报文进行安全保护。具体要求如下:
· 安全协议采用ESP协议;
· 加密算法采用128比特的AES;
· 认证算法采用HMAC-SHA1。
图1-30 配置IPsec保护RIPng报文配置组网图
表1-18 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置RIPng的基本功能
RIPng配置的详细介绍请参见“三层技术-IP路由配置指导”中的“RIPng”。
(2) 配置IPsec安全框架
需要注意的是:
¡ 各设备上本端出方向SA的SPI及密钥必须和本端入方向SA的SPI及密钥保持一致。
¡ Device A、Device B和Device C上的安全策略所引用的安全提议采用的安全协议、认证/加密算法和报文封装模式要相同,而且所有设备上的SA的SPI及密钥均要保持一致。
(3) 在RIPng进程下或接口上应用IPsec安全框架
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipv6 address 1::1/64
[DeviceA-GigabitEthernet1/0/1] quit
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例下一跳IP地址为1::2,具体配置步骤如下。
[DeviceA] ipv6 route-static 3::2 64 1::2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ipv6
[DeviceA-security-policy-ipv6] rule name ipseclocalout
[DeviceA-security-policy-ipv6-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ipv6-1-ipseclocalout] source-ip-host 1::1
[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-ip-host 1::2
[DeviceA-security-policy-ipv6-1-ipseclocalout] action pass
[DeviceA-security-policy-ipv6-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ipv6] rule name ipseclocalin
[DeviceA-security-policy-ipv6-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ipv6-2-ipseclocalin] source-ip-host 1::2
[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-ip-host 1::1
[DeviceA-security-policy-ipv6-2-ipseclocalin] action pass
[DeviceA-security-policy-ipv6-2-ipseclocalin] quit
(5) 配置RIPng的基本功能
[DeviceA] ripng 1
[DeviceA-ripng-1] quit
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ripng 1 enable
[DeviceA-GigabitEthernet1/0/1] quit
(6) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为tran1的IPsec安全提议(报文封装模式采用传输模式,安全协议采用ESP协议,加密算法采用128比特的AES,认证算法采用HMAC-SHA1)。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode transport
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# 创建并配置名为profile001的IPsec安全框架(协商方式为手工方式,出入方向SA的SPI均为123456,出入方向SA的密钥均为明文abcdefg)。
[DeviceA] ipsec profile profile001 manual
[DeviceA-ipsec-profile-manual-profile001] transform-set tran1
[DeviceA-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[DeviceA-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[DeviceA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[DeviceA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[DeviceA-ipsec-profile-manual-profile001] quit
(7) 在RIPng进程上应用IPsec安全框架,利用IPsec保护RIPng报文
[DeviceA] ripng 1
[DeviceA-ripng-1] enable ipsec-profile profile001
[DeviceA-ripng-1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipv6 address 1::2/64
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置RIPng的基本功能
[DeviceB] ripng 1
[DeviceB-ripng-1] quit
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ripng 1 enable
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ripng 1 enable
[DeviceB-GigabitEthernet1/0/2] quit
(3) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为tran1的IPsec安全提议(报文封装模式采用传输模式,安全协议采用ESP协议,加密算法采用128比特的AES,认证算法采用HMAC-SHA1)。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode transport
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# 创建并配置名为profile001的IPsec安全框架(协商方式为手工方式,出入方向SA的SPI均为123456,出入方向SA的密钥均为明文abcdefg)。
[DeviceB] ipsec profile profile001 manual
[DeviceB-ipsec-profile-manual-profile001] transform-set tran1
[DeviceB-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[DeviceB-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[DeviceB-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[DeviceB-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[DeviceB-ipsec-profile-manual-profile001] quit
(4) 在RIPng进程上应用IPsec安全框架,利用IPsec保护RIPng报文
[DeviceB] ripng 1
[DeviceB-ripng-1] enable ipsec-profile profile001
[DeviceB-ripng-1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipv6 address 3::2/64
[DeviceC-GigabitEthernet1/0/1] quit
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例下一跳IP地址为3::1,具体配置步骤如下。
[DeviceC] ipv6 route-static 1::1 64 3::1
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
(4) 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device C可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceC] security-policy ipv6
[DeviceC-security-policy-ipv6] rule name ipseclocalout
[DeviceC-security-policy-ipv6-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ipv6-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ipv6-1-ipseclocalout] source-ip-host 3::2
[DeviceC-security-policy-ipv6-1-ipseclocalout] destination-ip-host 3::1
[DeviceC-security-policy-ipv6-1-ipseclocalout] action pass
[DeviceC-security-policy-ipv6-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device C可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceC-security-policy-ipv6] rule name ipseclocalin
[DeviceC-security-policy-ipv6-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ipv6-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ipv6-2-ipseclocalin] source-ip-host 3::1
[DeviceC-security-policy-ipv6-2-ipseclocalin] destination-ip-host 3::2
[DeviceC-security-policy-ipv6-2-ipseclocalin] action pass
[DeviceC-security-policy-ipv6-2-ipseclocalin] quit
(5) 配置RIPng的基本功能
[DeviceC] ripng 1
[DeviceC-ripng-1] quit
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ripng 1 enable
[DeviceC-GigabitEthernet1/0/1] quit
(6) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为tran1的IPsec安全提议(报文封装模式采用传输模式,安全协议采用ESP协议,加密算法采用128比特的AES,认证算法采用HMAC-SHA1)。
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode transport
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-tran1] quit
# 创建并配置名为profile001的IPsec安全框架(协商方式为手工方式,出入方向SA的SPI均为123456,出入方向SA的密钥均为明文abcdefg)。
[DeviceC] ipsec profile profile001 manual
[DeviceC-ipsec-profile-manual-profile001] transform-set tran1
[DeviceC-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[DeviceC-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[DeviceC-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[DeviceC-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[DeviceC-ipsec-profile-manual-profile001] quit
(7) 在RIPng进程上应用IPsec安全框架,利用IPsec保护RIPng报文
[DeviceC] ripng 1
[DeviceC-ripng-1] enable ipsec-profile profile001
[DeviceC-ripng-1] quit
以上配置完成后,Device A、Device B和Device C将通过RIPng协议学习到网络中的IPv6路由信息,且分别产生用于保护RIPng报文的IPsec SA。
# 可以通过如下display命令查看Device A上RIPng的配置信息。如下显示信息表示RIPng进程1上已成功应用了IPsec安全框架。
[DeviceA] display ripng 1
RIPng process : 1
Preference : 100
Checkzero : Enabled
Default Cost : 0
Maximum number of load balanced routes : 8
Update time : 30 secs Timeout time : 180 secs
Suppress time : 120 secs Garbage-Collect time : 120 secs
Update output delay: 20(ms) Output count: 3
Graceful-restart interval: 60 secs
Triggered Interval : 5 50 200
Number of periodic updates sent : 186
Number of triggered updates sent : 1
IPsec profile name: profile001
# 可以通过如下命令查看Device A上生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Global IPsec SA
-------------------------------
-----------------------------
IPsec profile: profile001
Alisa: profile-profile001
Mode: Manual
-----------------------------
Encapsulation mode: transport
[Inbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 1
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 2
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
# Device B和Device C上也会生成相应的IPsec SA来保护RIPng报文,查看方式与Device A同,此处略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ipv6 address 1::1/64
#
ipv6 route-static 3::2 64 1::2
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ipv6
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1::1
destination-ip-host 1::2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1::2
destination-ip-host 1::1
action pass
#
ripng 1
#
interface gigabitethernet 1/0/1
ripng 1 enable
#
ipsec transform-set tran1
encapsulation-mode transport
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile profile001 manual
transform-set tran1
sa spi outbound esp 123456
sa spi inbound esp 123456
sa string-key outbound esp simple abcdefg
sa string-key inbound esp simple abcdefg
#
ripng 1
enable ipsec-profile profile001
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ipv6 address 1::2/64
#
ripng 1
#
interface gigabitethernet 1/0/1
ripng 1 enable
#
interface gigabitethernet 1/0/2
ripng 1 enable
#
ipsec transform-set tran1
encapsulation-mode transport
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile profile001 manual
transform-set tran1
sa spi outbound esp 123456
sa spi inbound esp 123456
sa string-key outbound esp simple abcdefg
sa string-key inbound esp simple abcdefg
#
ripng 1
enable ipsec-profile profile001
#
#
sysname DeviceC
#
interface gigabitethernet 1/0/1
ipv6 address 3::2/64
#
ipv6 route-static 1::1 64 3::1
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ipv6
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 3::2
destination-ip-host 3::1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 3::1
destination-ip-host 3::2
action pass
#
ripng 1
#
interface gigabitethernet 1/0/1
ripng 1 enable
#
ipsec transform-set tran1
encapsulation-mode transport
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile profile001 manual
transform-set tran1
sa spi outbound esp 123456
sa spi inbound esp 123456
sa string-key outbound esp simple abcdefg
sa string-key inbound esp simple abcdefg
#
ripng 1
enable ipsec-profile profile001
#
企业分支通过IPsec VPN接入企业总部,有如下具体需求:
· 总部网关Device A和各分支网关Device B、DeviceC、Device D之间建立IPsec隧道,对总部网络4.4.4.0/24与分支网络5.5.5.0/24之间的数据进行安全保护。
· 使用IKE协商方式建立IPsec SA,采用ESP安全协议,DES加密算法,HMAC-SHA-1-96认证算法。
· IKE协商采用预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
· 在Device A上开启IPsec反向路由注入功能,实现总部到分支的静态路由随IPsec SA的建立而动态生成。
图1-31 配置IPsec反向路由注入功能配置组网图
表1-19 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为1.1.1.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(6) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为2.2.2.2的对端使用的预共享密钥为明文123。
[DeviceA] ike keychain key1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key1] quit
(7) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain key1
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] quit
(8) 配置IPsec策略模板,用于创建IPsec策略
# 创建并配置名为temp1的IPsec策略模板,引用安全提议tran1
[DeviceA] ipsec policy-template temp1 1
[DeviceA-ipsec-policy-template-temp1-1] transform-set tran1
[DeviceA-ipsec-policy-template-temp1-1] ike-profile profile1
(9) 配置RRI参数,用于实现反向路由注入功能
# 开启RRI功能,指定生成的静态路由的优先级为100、Tag值为1000。
[DeviceA-ipsec-policy-template-temp1-1] reverse-route dynamic
[DeviceA-ipsec-policy-template-temp1-1] reverse-route preference 100
[DeviceA-ipsec-policy-template-temp1-1] reverse-route tag 1000
[DeviceA-ipsec-policy-template-temp1-1] quit
(10) 引用安全策略模板temp1创建一条IKE协商方式的安全策略policy1,建立IPsec隧道,保护需要防护的数据流
[DeviceA] ipsec policy map1 10 isakmp template temp1
(11) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定使用预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit
(12) 在接口下引用IPsec策略,对接口上的流量进行保护
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.3,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 配置ACL,定义需要保护的数据流,同时反向路由注入功能会根据此ACL生成路由
# 配置IPv4高级ACL 3000,定义要保护由子网5.5.5.0/24去往子网4.4.4.0/24的数据流。
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置名为key1的IKE keychain,指定与地址为1.1.1.1的对端使用的预共享密钥为明文123。
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ike-keychain-key1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
(9) 配置ISAKMP方式的安全策略,建立IPsec隧道,保护需要防护的数据流
# 创建并配置名为map1的IPsec策略,引用安全提议tran1,引用ACL 3000,并指定IPsec隧道的对端地址为1.1.1.1。
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
(10) 配置IKE提议,定义双方进行IKE协商所需的安全参数
# 创建并配置IKE提议1,指定预共享密钥认证方式、3DES加密算法、HMAC-SHA1认证算法。
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] quit
(11) 在接口上应用IPsec策略,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
配置步骤与Device B类似,请参考Device B的配置。
# 以上配置完成后,当分支子网5.5.5.0/24向总部网络4.4.4.0/24发起数据连接时,将触发Device B和Device A之间进行IKE协商。IKE成功协商出IPsec SA后,企业总部与分支子网之间的数据流传输将受到IPsec SA的保护。在Device A上可通过以下显示查看到协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Alias: map1-10
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1463
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1014286405 (0x3c74c845)
Connection ID: 1
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4011716027 (0xef1dedbb)
Connection ID: 2
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
# IPsec SA成功建立后,在Device A上可以通过display ip routing-table verbose命令查看到IPsec反向路由注入生成的静态路由,目的地址为分支子网地址5.5.5.0/24,下一跳为IPsec隧道对端地址2.2.2.2,优先级为100,Tag值为1000。Device A和Device C、Device D之间的IPsec隧道建立成功后,Device A上也会产生到达各分支子网的相应静态路由,此处显示略。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
quit
ip route-static 2.2.2.2 24 1.1.1.2
security-zone name untrust
import interface gigabitethernet 1/0/1
quit
security-zone name trust
import interface gigabitethernet 1/0/2
quit
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
quit
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
quit
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 5.5.5.0 24
action pass
quit
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 5.5.5.0 24
destination-ip-subnet 4.4.4.0 24
action pass
quit
quit
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit
ike keychain key1
pre-shared-key address 2.2.2.2 key simple 123
quit
ike profile profile1
keychain key1
match remote identity address 2.2.2.2 255.255.255.0
quit
ipsec policy-template temp1 1
transform-set tran1
ike-profile profile1
reverse-route dynamic
reverse-route preference 100
reverse-route tag 1000
quit
ipsec policy map1 10 isakmp template temp1
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
quit
interface gigabitethernet 1/0/1
ipsec apply policy map1
quit
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 2.2.2.2 255.255.255.0
#
ip route-static 4.4.4.0 24 2.2.2.3
ip route-static 1.1.1.1 24 2.2.2.3
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 5.5.5.0 24
destination-ip-subnet 4.4.4.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 24
destination-ip-subnet 5.5.5.0 24
action pass
#
acl advanced 3000
rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des
esp authentication-algorithm sha1
#
ike keychain key1
pre-shared-key address 1.1.1.1 key simple 123
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
remote-address 1.1.1.1
ike-profile profile1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm sha
authentication-method pre-share
#
interface gigabitethernet 1/0/1
ipsec apply policy map1
#
如下图所示,企业分支使用IPsec VPN接入企业总部,通过在分支Device A上配置IPsec智能选路功能,实现IPsec隧道在Link 1和Link 2两条链路上动态切换,具体需求如下:
· Device A首先使用Link1与总部建立IPSec隧道。
· 当基于Link1建立的IPSec隧道丢包严重或时延过高时,能自动切换到Link2建立新的IPSec隧道。
图1-32 配置IPsec智能选路功能组网图
表1-20 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址和网关地址,1.1.1.3和2.2.2.3为本例中的直连下一跳地址,实际使用中请以具体组网情况为准。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[DeviceA-GigabitEthernet1/0/1] gateway 1.1.1.3
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 2.2.2.2 24
[DeviceA-GigabitEthernet1/0/2] gateway 2.2.2.3
[DeviceA-GigabitEthernet1/0/2] quit
(2) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
(3) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(4) 配置IPsec智能选路策略,实现在不同的链路之间选择一条符合质量要求的链路与总部建立IPsec隧道。
[DeviceA] ipsec smart-link policy policy1
[DeviceA-ipsec-smart-link-policy-policy1] link 1 interface gigabitethernet 1/0/1 remote 3.3.3.3
[DeviceA-ipsec-smart-link-policy-policy1] link 2 interface gigabitethernet 1/0/2 remote 3.3.3.3
[DeviceA-ipsec-smart-link-policy-policy1] link-switch cycles 4
[DeviceA-ipsec-smart-link-policy-policy1] smart-link enable
[DeviceA-ipsec-smart-link-policy-policy1] quit
(5) 定义需要保护的数据流
[DeviceA] acl advanced 3000
[DeviceA-acl-ipv4-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3000] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 3.3.3.3 24 key simple 123456
[DeviceA-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
[DeviceA] ipsec policy policy1 10 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-10] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-policy1-10] smart-link policy policy1
[DeviceA-ipsec-policy-isakmp-policy1-10] quit
(1) 配置接口IP地址和网关地址,3.3.3.4为本例中的直连下一跳地址,实际使用中请以具体组网情况为准。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 24
[DeviceB-GigabitEthernet1/0/1] gateway 3.3.3.4
[DeviceB-GigabitEthernet1/0/1] quit
(2) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
(3) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(4) 定义需要保护的数据流
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 3.3.3.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
(5) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(6) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 0.0.0.0 0 key simple 123456
[DeviceB-ike-keychain-keychain1] quit
(7) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] match remote identity address 0.0.0.0 0
[DeviceB-ike-profile-profile1] quit
(8) 配置IPsec策略模板,用于创建IPsec策略
[DeviceB] ipsec policy-template template1 10
[DeviceB-ipsec-policy-template-template1-10] security acl 3000
[DeviceB-ipsec-policy-template-template1-10] transform-set tran1
[DeviceB-ipsec-policy-template-template1-10] local-address 3.3.3.3
[DeviceB-ipsec-policy-template-template1-10] ike-profile profile1
[DeviceB-ipsec-policy-template-template1-10] quit
(9) 引用安全策略模板template1创建一条IKE协商方式的安全策略policy1,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ipsec policy policy1 10 isakmp template template1
(10) 在接口GigabitEthernet1/0/1上应用安全策略policy1,对接口上的流量进行保护
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy policy1
[DeviceB-GigabitEthernet1/0/1] quit
以上配置完成后,总部Device A和分支Device B之间的IPsec智能选路功能配置完成。
# 可以通过以下显示命令查看Device A上创建的IPsec智能选路策略。
[DeviceA] display ipsec smart-link policy
--------------------------------------------------------------------------
Policy name : policy1
State :Enabled
Probe count :10
Probe interval :1 sec
Probe source IP address :1.1.1.1
Probe destination IP address :3.3.3.3
Max link switch cycles :4
IPsec policy name :policy1
Interface :GigabitEthernet1/0/1
IPsec policy sequence number :10
Link ID Local address Remote address Loss(%) Delay(ms) State
1 1.1.1.1 3.3.3.3 0.0 1.0 Active
2 2.2.2.2 3.3.3.3 25.0 1.0 Inactive(Available)
--------------------------------------------------------------------------
# 通过以下显示命令查看IPsec策略引用IPsec智能选路策略。
[DeviceA] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet1/0/1
-------------------------------------------
-----------------------------
Sequence number: 10
Mode: ISAKMP
-----------------------------
Traffic Flow Confidentiality: Disabled
Security data flow: 3000
Selector mode: standard
Local address: 1.1.1.1
Remote address: 3.3.3.3
Transform set: tran1
IKE profile: profile1
IKEv2 profile:
smart-link policy: policy1
SA trigger mode: Auto
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA idle time: 100 seconds
SA df-bit:
Responder only: Disabled
# 通过以下显示命令查看动态生成的ACL规则。
[DeviceA] display acl 3000
Advanced IPv4 ACL 3000, 3 rules,
ACL's step is 5
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 3.3.3.3 0 (Dynamic) (10 times matched)
# 通过以下显示查看协商生成的IPsec SA。
[DeviceA]display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: policy1
Sequence number: 10
Alias: policy1-10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 3.3.3.3/500
Flow:
sour addr: 1.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2443816215 (0x91a9ad17)
Connection ID: 38654705665
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843194/3368
Max received sequence-number: 64
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4220315517 (0xfb8ce77d)
Connection ID: 38654705664
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843194/3368
Max sent sequence-number: 64
UDP encapsulation used for NAT traversal: N
Status: Active
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 24
gateway 1.1.1.3
#
interface gigabitethernet 1/0/2
ip address 2.2.2.2 24
gateway 2.2.2.3
#
security-zone name trust
import interface gigabitethernet 1/0/3
#
security-zone name untrust
import interface gigabitethernet 1/0/1
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
ipsec smart-link policy policy1
link 1 interface gigabitethernet 1/0/1 remote 3.3.3.3
link 2 interface gigabitethernet 1/0/2 remote 3.3.3.3
link-switch cycles 4
smart-link enable
#
acl advanced 3000
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address 3.3.3.3 24 key simple 123456
#
ike profile profile1
keychain keychain1
match remote identity address 3.3.3.3 24
#
ipsec policy policy1 10 isakmp
security acl 3000
transform-set tran1
ike-profile profile1
smart-link policy policy1
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 3.3.3.3 24
gateway 3.3.3.4
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
acl advanced 3000
rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
rule permit ip source 3.3.3.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1
pre-shared-key address 0.0.0.0 0 key simple 123456
#
ike profile profile1
keychain keychain1
match remote identity address 0.0.0.0 0
#
ipsec policy-template template1 10
security acl 3000
transform-set tran1
local-address 3.3.3.3
ike-profile profile1
#
ipsec policy policy1 10 isakmp template template1
interface gigabitethernet 1/0/1
ipsec apply policy policy1
#
在Device A和Device B之间建立一条IPsec隧道,对Host A所在的子网(10.1.1.0/24)与Host B所在的子网(10.1.2.0/24)之间的数据流进行安全保护。具体要求如下:
· 封装形式为隧道模式。
· 安全协议采用ESP协议。
· 加密算法采用128比特的AES,认证算法采用HMAC-SHA1。
· IKE协商方式建立IPsec SA。
· Device A和Device B的内网口和外网口属于不同的VPN实例。
图1-33 保护IPv4报文的IPsec配置组网图
表1-21 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] ip vpn-instance vpn1
[DeviceA-vpn-instance-vpn1] route-distinguisher 100:1
[DeviceA-vpn-instance-vpn1] quit
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] ip vpn-instance vpn2
[DeviceA-vpn-instance-vpn2] route-distinguisher 100:2
[DeviceA-vpn-instance-vpn2] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip binding vpn-instance vpn2
[DeviceA-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit
(2) 配置路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static vpn-instance vpn1 10.1.2.0 24 vpn-instance vpn2 2.2.2.2
[DeviceA] ip route-static vpn-instance vpn2 2.2.3.1 24 2.2.2.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.3.1
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] vrf vpn2
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.3.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalout] vrf vpn2
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-ipseclocalout] vrf vpn1
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-ipseclocalout] vrf vpn1
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 定义需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.1.0/24去往子网10.1.2.0/24的数据流。
[DeviceA] acl advanced 3101
[DeviceA-acl-ipv4-adv-3101] rule permit ip vpn-instance vpn1 source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceA] ike keychain keychain1 vpn-instance vpn2
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0 vpn-instance vpn2
[DeviceA-ike-profile-profile1] inside-vpn vpn-instance vpn1
[DeviceA-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的IPsec策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用安全策略,具体配置步骤如下。
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/2] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] ip vpn-instance vpn1
[DeviceB-vpn-instance-vpn1] route-distinguisher 200:1
[DeviceB-vpn-instance-vpn1] quit
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[DeviceB-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] ip vpn-instance vpn2
[DeviceB-vpn-instance-vpn2] route-distinguisher 200:2
[DeviceB-vpn-instance-vpn2] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip binding vpn-instance vpn2
[DeviceB-GigabitEthernet1/0/2] ip address 2.2.3.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/2] quit
(2) 配置路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.3.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static vpn-instance vpn1 10.1.1.0 24 vpn-instance vpn2 2.2.3.2
[DeviceB] ip route-static vpn-instance vpn2 2.2.2.1 24 2.2.3.2
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] vrf vpn2
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalout] vrf vpn2
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-ipseclocalout] vrf vpn1
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-ipseclocalout] vrf vpn1
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 定义数据流需要保护的数据流
# 配置一个IPv4高级ACL,定义要保护由子网10.1.2.0/24去往子网10.1.1.0/24的数据流。
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip vpn-instance vpn1 source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
(6) 配置IPsec安全提议,协商封装报文使用的各种安全协议
# 创建IPsec安全提议,两端配置的安全提议参数需要完全相同,具体配置步骤如下。
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
(7) 配置IKE keychain,约定通信双方使用的密钥信息
# 创建并配置IKE keychain,协商双方配置的预共享密钥必须完全相同,具体配置步骤如下。
[DeviceB] ike keychain keychain1 vpn-instance vpn2
[DeviceB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
(8) 配置IKE profile,约定建立IKE SA所需的安全参数
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0 vpn-instance vpn2
[DeviceB-ike-profile-profile1] inside-vpn vpn-instance vpn1
[DeviceB-ike-profile-profile1] quit
(9) 配置IPsec策略,建立IPsec隧道,保护需要防护的数据流
# 创建一条IKE协商方式的安全策略,引用需要保护数据流的ACL和所需的IPsec安全提议,指定本端和对端的IP地址,引用IKE profile,具体配置步骤如下。
[DeviceB] ipsec policy use1 10 isakmp
[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101
[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-use1-10] quit
(10) 在接口上应用IPsec策略,对接口上的流量进行保护
# 在接口GigabitEthernet1/0/2上应用IPsec策略,具体配置步骤如下。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ipsec apply policy use1
[DeviceB-GigabitEthernet1/0/2] quit
# 以上配置完成后,Device A和Device B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过,将触发IKE进行IPsec SA的协商。IKE成功协商出IPsec SA后,子网10.1.1.0/24与子网10.1.2.0/24之间数据流的传输将受到IPsec SA的保护。可通过以下显示查看到协商生成的IPsec SA。
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Alisa: map1-10
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN: vpn1
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1443
Tunnel:
local address/port: 2.2.3.1/500
remote address/port: 2.2.2.1/500
Flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
Status: Active
# Device B上也会产生相应的IPsec SA来保护IPv4报文,查看方式与Device A同,此处略。
#
sysname DeviceA
#
ip vpn-instance vpn1
route-distinguisher 100:1
#
interface gigabitethernet 1/0/1
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
#
ip vpn-instance vpn2
route-distinguisher 100:2
#
interface gigabitethernet 1/0/2
ip binding vpn-instance vpn2
ip address 2.2.2.1 255.255.255.0
#
ip route-static vpn-instance vpn1 10.1.2.0 24 vpn-instance vpn2 2.2.2.2
ip route-static vpn-instance vpn2 2.2.3.1 24 2.2.2.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
vrf vpn2
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
vrf vpn2
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
vrf vpn1
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
vrf vpn1
#
acl advanced 3101
rule permit ip vpn-instance vpn1 source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1 vpn-instance vpn2
pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.3.1 255.255.255.0 vpn-instance vpn2
inside-vpn vpn-instance vpn1
#
ipsec policy map1 10 isakmp
security acl 3101
transform-set tran1
local-address 2.2.2.1
remote-address 2.2.3.1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply policy map1
#
#
sysname DeviceB
#
ip vpn-instance vpn1
route-distinguisher 200:1
#
interface gigabitethernet 1/0/1
ip binding vpn-instance vpn1
ip address 10.1.2.1 255.255.255.0
#
ip vpn-instance vpn2
route-distinguisher 200:2
#
interface gigabitethernet 1/0/2
ip binding vpn-instance vpn2
ip address 2.2.3.1 255.255.255.0
#
ip route-static vpn-instance vpn1 10.1.1.0 24 vpn-instance vpn2 2.2.3.2
ip route-static vpn-instance vpn2 2.2.2.1 24 2.2.3.2
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
vrf vpn2
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
vrf vpn2
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
vrf vpn1
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
vrf vpn1
#
acl advanced 3101
rule permit ip vpn-instance vpn1 source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ike keychain keychain1 vpn-instance vpn2
pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile profile1
keychain keychain1
match remote identity address 2.2.2.1 255.255.255.0 vpn-instance vpn2
inside-vpn vpn-instance vpn1
#
ipsec policy use1 10 isakmp
security acl 3101
transform-set tran1
local-address 2.2.3.1
remote-address 2.2.2.1
ike-profile profile1
#
interface gigabitethernet 1/0/2
ipsec apply policy use1
#
某企业总部Device A有两条出口链路接入Internet,分支Device B和Device C各有一条出口链路接入Internet,要求实现如下需求:
· 企业总部与各企业分支之间使用基于路由的IPsec隧道接口方式建立IPsec隧道;
· 企业总部和各分支之间根据NQA探测结果,选择高质量、低延迟的链路动态建立IPsec隧道。
图1-34 基于路由模式的总部采用双链路与分支建立IPsec隧道配置组网图
表1-22 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
|
Interface3 |
GigabitEthernet1/0/3 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 创建IPsec隧道接口
# 创建IPsec隧道接口Tunnel0,具体配置步骤如下。
[DeviceA] interface tunnel 0 mode ipsec
[DeviceA-Tunnel0] ip address 10.0.0.1 255.255.255.0
[DeviceA-Tunnel0] source 1.1.1.1
[DeviceA-Tunnel0] destination 3.3.3.3
[DeviceA-Tunnel0] quit
# 创建IPsec隧道接口Tunnel1,具体配置步骤如下。
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] ip address 20.0.0.1 255.255.255.0
[DeviceA-Tunnel1] source 2.2.2.2
[DeviceA-Tunnel1] destination 3.3.3.3
[DeviceA-Tunnel1] quit
# 创建IPsec隧道接口Tunnel2,具体配置步骤如下。
[DeviceA] interface tunnel 2 mode ipsec
[DeviceA-Tunnel2] ip address 30.0.0.1 255.255.255.0
[DeviceA-Tunnel2] source 1.1.1.1
[DeviceA-Tunnel2] destination 4.4.4.4
[DeviceA-Tunnel2] quit
# 创建IPsec隧道接口Tunnel3,具体配置步骤如下。
[DeviceA] interface tunnel 3 mode ipsec
[DeviceA-Tunnel3] ip address 40.0.0.1 255.255.255.0
[DeviceA-Tunnel3] source 2.2.2.2
[DeviceA-Tunnel3] destination 4.4.4.4
[DeviceA-Tunnel3] quit
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] import interface tunnel 0
[DeviceA-security-zone-Untrust] import interface tunnel 1
[DeviceA-security-zone-Untrust] import interface tunnel 2
[DeviceA-security-zone-Untrust] import interface tunnel 3
[DeviceA-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B和Device C发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 4.4.4.4
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B和Device C的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 4.4.4.4
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B、Host C之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B、Host C的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B、Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.12.0 24
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.13.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.11.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(5) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 配置IPsec安全框架t0,建立IPsec隧道,具体配置步骤如下。
[DeviceA] ike keychain t0
[DeviceA-ike-keychain-t0] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t0] quit
[DeviceA] ike profile t0
[DeviceA-ike-profile-t0] keychain t0
[DeviceA-ike-profile-t0] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t0] exchange-mode aggressive
[DeviceA-ike-profile-t0] dpd interval 30 periodic
[DeviceA-ike-profile-t0] quit
[DeviceA] ipsec transform-set t0
[DeviceA-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t0] quit
[DeviceA] ipsec profile t0 isakmp
[DeviceA-ipsec-profile-isakmp-t0] transform-set t0
[DeviceA-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceA-ipsec-profile-isakmp-t0] quit
# 配置IPsec安全框架t1,建立IPsec隧道,具体配置步骤如下。
[DeviceA] ike keychain t1
[DeviceA-ike-keychain-t1] pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t1] quit
[DeviceA] ike profile t1
[DeviceA-ike-profile-t1] keychain t1
[DeviceA-ike-profile-t1] match local address Tunnel1
[DeviceA-ike-profile-t1] match remote identity address 3.3.3.3 24
[DeviceA-ike-profile-t1] exchange-mode aggressive
[DeviceA-ike-profile-t1] dpd interval 30 periodic
[DeviceA-ike-profile-t1] quit
[DeviceA] ipsec transform-set t1
[DeviceA-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t1] quit
[DeviceA] ipsec profile t1 isakmp
[DeviceA-ipsec-profile-isakmp-t1] transform-set t1
[DeviceA-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceA-ipsec-profile-isakmp-t1] quit
# 配置IPsec安全框架t2,建立IPsec隧道,具体配置步骤如下。
[DeviceA] ike keychain t2
[DeviceA-ike-keychain-t2] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t2] quit
[DeviceA] ike profile t2
[DeviceA-ike-profile-t2] keychain t2
[DeviceA-ike-profile-t2] match local address Tunnel2
[DeviceA-ike-profile-t2] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t2] exchange-mode aggressive
[DeviceA-ike-profile-t2] dpd interval 30 periodic
[DeviceA-ike-profile-t2] quit
[DeviceA] ipsec transform-set t2
[DeviceA-ipsec-transform-set-t2] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t2] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t2] quit
[DeviceA] ipsec profile t2 isakmp
[DeviceA-ipsec-profile-isakmp-t2] transform-set t2
[DeviceA-ipsec-profile-isakmp-t2] ike-profile t2
[DeviceA-ipsec-profile-isakmp-t2] quit
# 配置IPsec安全框架t3,建立IPsec隧道,具体配置步骤如下。
[DeviceA] ike keychain t3
[DeviceA-ike-keychain-t3] pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-t3] quit
[DeviceA] ike profile t3
[DeviceA-ike-profile-t3] keychain t3
[DeviceA-ike-profile-t3] match local address Tunnel3
[DeviceA-ike-profile-t3] match remote identity address 4.4.4.4 24
[DeviceA-ike-profile-t3] exchange-mode aggressive
[DeviceA-ike-profile-t3] dpd interval 30 periodic
[DeviceA-ike-profile-t3] quit
[DeviceA] ipsec transform-set t3
[DeviceA-ipsec-transform-set-t3] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-t3] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-t3] quit
[DeviceA] ipsec profile t3 isakmp
[DeviceA-ipsec-profile-isakmp-t3] transform-set t3
[DeviceA-ipsec-profile-isakmp-t3] ike-profile t3
[DeviceA-ipsec-profile-isakmp-t3] quit
(6) 配置IPsec隧道接口,用于对需要保护的流量进行IPsec封装。
# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0,建立IPsec隧道。
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] tunnel protection ipsec profile t0
[DeviceA-Tunnel0] quit
# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1,建立IPsec隧道。
[DeviceA] interface tunnel 1
[DeviceA-Tunnel1] tunnel protection ipsec profile t1
[DeviceA-Tunnel1] quit
# 在IPsec隧道接口Tunnel2中引用IPsec安全框架t2,建立IPsec隧道。
[DeviceA] interface tunnel 2
[DeviceA-Tunnel2] tunnel protection ipsec profile t2
[DeviceA-Tunnel2] quit
# 在IPsec隧道接口Tunnel3中引用IPsec安全框架t3,建立IPsec隧道。
[DeviceA] interface tunnel 3
[DeviceA-Tunnel3] tunnel protection ipsec profile t3
[DeviceA-Tunnel3] quit
(7) 配置NQA测试组与Track项联动,用于探测链路状态。
# 配置NQA测试组(管理员为admin,操作标签为test1),具体配置步骤如下。
[DeviceA] nqa entry admin test1
[DeviceA-nqa-admin-test1] type icmp-echo
[DeviceA-nqa-admin-test1-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test1-icmp-echo] history-record enable
[DeviceA-nqa-admin-test1-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test1-icmp-echo] probe count 5
[DeviceA-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test1-icmp-echo] quit
[DeviceA] nqa schedule admin test1 start-time now lifetime forever
# 配置Track项110,关联NQA测试组(管理员为admin,操作标签为test1)的联动项1,配置步骤如下。
[DeviceA] track 110 nqa entry admin test1 reaction 1
[DeviceA-track-110] quit
# 配置NQA测试组(管理员为admin,操作标签为test2),具体配置步骤如下。
[DeviceA] nqa entry admin test2
[DeviceA-nqa-admin-test2] type icmp-echo
[DeviceA-nqa-admin-test2-icmp-echo] destination ip 3.3.3.3
[DeviceA-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test2-icmp-echo] history-record enable
[DeviceA-nqa-admin-test2-icmp-echo] probe count 5
[DeviceA-nqa-admin-test2-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test2-icmp-echo] quit
[DeviceA] nqa schedule admin test2 start-time now lifetime forever
# 配置Track项120,关联NQA测试组(管理员为admin,操作标签为test2)的联动项1,配置步骤如下。
[DeviceA] track 120 nqa entry admin test2 reaction 1
[DeviceA-track-120] quit
# 配置NQA测试组(管理员为admin,操作标签为test3),具体配置步骤如下。
[DeviceA] nqa entry admin test3
[DeviceA-nqa-admin-test3] type icmp-echo
[DeviceA-nqa-admin-test3-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test3-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test3-icmp-echo] history-record enable
[DeviceA-nqa-admin-test3-icmp-echo] probe count 5
[DeviceA-nqa-admin-test3-icmp-echo] next-hop ip 1.1.1.2
[DeviceA-nqa-admin-test3-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test3-icmp-echo] quit
[DeviceA] nqa schedule admin test3 start-time now lifetime forever
# 配置Track项130,关联NQA测试组(管理员为admin,操作标签为test3)的联动项1,配置步骤如下。
[DeviceA] track 130 nqa entry admin test3 reaction 1
[DeviceA-track-130] quit
# 配置NQA测试组(管理员为admin,操作标签为test4),具体配置步骤如下。
[DeviceA] nqa entry admin test4
[DeviceA-nqa-admin-test4] type icmp-echo
[DeviceA-nqa-admin-test4-icmp-echo] destination ip 4.4.4.4
[DeviceA-nqa-admin-test4-icmp-echo] frequency 3000
[DeviceA-nqa-admin-test4-icmp-echo] history-record enable
[DeviceA-nqa-admin-test4-icmp-echo] probe count 5
[DeviceA-nqa-admin-test4-icmp-echo] next-hop ip 2.2.2.3
[DeviceA-nqa-admin-test4-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceA-nqa-admin-test4-icmp-echo] quit
[DeviceA] nqa schedule admin test4 start-time now lifetime forever
# 配置Track项140,关联NQA测试组(管理员为admin,操作标签为test4)的联动项1,配置步骤如下。
[DeviceA] track 140 nqa entry admin test4 reaction 1
[DeviceA-track-140] quit
(8) 配置路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例的下一跳IP地址仅为示例,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100
[DeviceA] ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110
[DeviceA] ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100
[DeviceA] ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100
[DeviceA] ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110
[DeviceA] ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100
[DeviceA] ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 创建IPsec隧道接口
# 创建IPsec隧道接口Tunnel0,具体配置步骤如下。
[DeviceB] interface tunnel 0 mode ipsec
[DeviceB-Tunnel0] ip address 50.0.0.1 255.255.255.0
[DeviceB-Tunnel0] source 3.3.3.3
[DeviceB-Tunnel0] destination 1.1.1.1
[DeviceB-Tunnel0] quit
# 创建IPsec隧道接口Tunnel1,具体配置步骤如下。
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] ip address 60.0.0.1 255.255.255.0
[DeviceB-Tunnel1] source 3.3.3.3
[DeviceB-Tunnel1] destination 2.2.2.2
[DeviceB-Tunnel1] quit
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] import interface tunnel 0
[DeviceB-security-zone-Untrust] import interface tunnel 1
[DeviceB-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.12.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(5) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 配置IPsec安全框架t0,建立IPsec隧道,具体配置步骤如下。
[DeviceB] ike keychain t0
[DeviceB-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t0] quit
[DeviceB] ike profile t0
[DeviceB-ike-profile-t0] keychain t0
[DeviceB-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceB-ike-profile-t0] exchange-mode aggressive
[DeviceB-ike-profile-t0] dpd interval 30 periodic
[DeviceB-ike-profile-t0] quit
[DeviceB] ipsec transform-set t0
[DeviceB-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t0] quit
[DeviceB] ipsec profile t0 isakmp
[DeviceB-ipsec-profile-isakmp-t0] transform-set t0
[DeviceB-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceB-ipsec-profile-isakmp-t0] quit
# 配置IPsec安全框架t1,建立IPsec隧道,具体配置步骤如下。
[DeviceB] ike keychain t1
[DeviceB-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-t1] quit
[DeviceB] ike profile t1
[DeviceB-ike-profile-t1] keychain t1
[DeviceB-ike-profile-t1] match local address Tunnel1
[DeviceB-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceB-ike-profile-t1] exchange-mode aggressive
[DeviceB-ike-profile-t1] dpd interval 30 periodic
[DeviceB-ike-profile-t1] quit
[DeviceB] ipsec transform-set t1
[DeviceB-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-t1] quit
[DeviceB] ipsec profile t1 isakmp
[DeviceB-ipsec-profile-isakmp-t1] transform-set t1
[DeviceB-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceB-ipsec-profile-isakmp-t1] quit
(6) 配置IPsec隧道接口,用于对需要保护的流量进行IPsec封装。
# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0,建立IPsec隧道。
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] tunnel protection ipsec profile t0
[DeviceB-Tunnel0] quit
# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1,建立IPsec隧道。
[DeviceB] interface tunnel 1
[DeviceB-Tunnel1] tunnel protection ipsec profile t1
[DeviceB-Tunnel1] quit
(7) 配置NQA测试组与Track项联动,用于探测链路状态。
# 配置NQA测试组(管理员为admin,操作标签为test1),具体配置步骤如下。
[DeviceB] nqa entry admin test1
[DeviceB-nqa-admin-test1] type icmp-echo
[DeviceB-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceB-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test1-icmp-echo] history-record enable
[DeviceB-nqa-admin-test1-icmp-echo] probe count 5
[DeviceB-nqa-admin-test1-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test1-icmp-echo] quit
[DeviceB] nqa schedule admin test1 start-time now lifetime forever
# 配置Track项110,关联NQA测试组(管理员为admin,操作标签为test1)的联动项1,配置步骤如下。
[DeviceB] track 110 nqa entry admin test1 reaction 1
[DeviceB-track-110] quit
# 配置NQA测试组(管理员为admin,操作标签为test2),具体配置步骤如下。
[DeviceB] nqa entry admin test2
[DeviceB-nqa-admin-test2] type icmp-echo
[DeviceB-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceB-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceB-nqa-admin-test2-icmp-echo] history-record enable
[DeviceB-nqa-admin-test2-icmp-echo] probe count 5
[DeviceB-nqa-admin-test2-icmp-echo] next-hop ip 3.3.3.4
[DeviceB-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceB-nqa-admin-test2-icmp-echo] quit
[DeviceB] nqa schedule admin test2 start-time now lifetime forever
# 配置Track项120,关联NQA测试组(管理员为admin,操作标签为test2)的联动项1,配置步骤如下。
[DeviceB] track 120 nqa entry admin test2 reaction 1
[DeviceB-track-120] quit
(8) 配置路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例的下一跳IP地址仅为示例,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceB] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceB] ip route-static 1.1.1.1 24 3.3.3.4
[DeviceB] ip route-static 2.2.2.2 24 3.3.3.4
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 4.4.4.4 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 创建IPsec隧道接口
# 创建IPsec隧道接口Tunnel0,具体配置步骤如下。
[DeviceC] interface tunnel 0 mode ipsec
[DeviceC-Tunnel0] ip address 70.0.0.1 255.255.255.0
[DeviceC-Tunnel0] source 4.4.4.4
[DeviceC-Tunnel0] destination 1.1.1.1
[DeviceC-Tunnel0] quit
# 创建IPsec隧道接口Tunnel1,具体配置步骤如下。
[DeviceC] interface tunnel 1 mode ipsec
[DeviceC-Tunnel1] ip address 80.0.0.1 255.255.255.0
[DeviceC-Tunnel1] source 4.4.4.4
[DeviceC-Tunnel1] destination 2.2.2.2
[DeviceC-Tunnel1] quit
(3) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] import interface tunnel 0
[DeviceC-security-zone-Untrust] import interface tunnel 1
[DeviceC-security-zone-Untrust] quit
(4) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device C可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 4.4.4.4
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device C可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 4.4.4.4
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host C与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host C访问Host A的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host C的报文可通,具体配置步骤如下。
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 192.168.11.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 192.168.13.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
(5) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
# 配置IPsec安全框架t0,建立IPsec隧道,具体配置步骤如下。
[DeviceC] ike keychain t0
[DeviceC-ike-keychain-t0] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t0] quit
[DeviceC] ike profile t0
[DeviceC-ike-profile-t0] keychain t0
[DeviceC-ike-profile-t0] match remote identity address 1.1.1.1 24
[DeviceC-ike-profile-t0] exchange-mode aggressive
[DeviceC-ike-profile-t0] dpd interval 30 periodic
[DeviceC-ike-profile-t0] quit
[DeviceC] ipsec transform-set t0
[DeviceC-ipsec-transform-set-t0] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t0] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t0] quit
[DeviceC] ipsec profile t0 isakmp
[DeviceC-ipsec-profile-isakmp-t0] transform-set t0
[DeviceC-ipsec-profile-isakmp-t0] ike-profile t0
[DeviceC-ipsec-profile-isakmp-t0] quit
# 配置IPsec安全框架t1,建立IPsec隧道,具体配置步骤如下。
[DeviceC] ike keychain t1
[DeviceC-ike-keychain-t1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceC-ike-keychain-t1] quit
[DeviceC] ike profile t1
[DeviceC-ike-profile-t1] keychain t1
[DeviceC-ike-profile-t1] match local address Tunnel1
[DeviceC-ike-profile-t1] match remote identity address 2.2.2.2 24
[DeviceC-ike-profile-t1] exchange-mode aggressive
[DeviceC-ike-profile-t1] dpd interval 30 periodic
[DeviceC-ike-profile-t1] quit
[DeviceC] ipsec transform-set t1
[DeviceC-ipsec-transform-set-t1] esp encryption-algorithm aes-cbc-128
[DeviceC-ipsec-transform-set-t1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-t1] quit
[DeviceC] ipsec profile t1 isakmp
[DeviceC-ipsec-profile-isakmp-t1] transform-set t1
[DeviceC-ipsec-profile-isakmp-t1] ike-profile t1
[DeviceC-ipsec-profile-isakmp-t1] quit
(6) 配置IPsec隧道接口,用于对需要保护的流量进行IPsec封装
# 在IPsec隧道接口Tunnel0中引用IPsec安全框架t0,建立IPsec隧道。
[DeviceC] interface tunnel 0
[DeviceC-Tunnel0] tunnel protection ipsec profile t0
[DeviceC-Tunnel0] quit
# 在IPsec隧道接口Tunnel1中引用IPsec安全框架t1,建立IPsec隧道。
[DeviceC] interface tunnel 1
[DeviceC-Tunnel1] tunnel protection ipsec profile t1
[DeviceC-Tunnel1] quit
(7) 配置NQA测试组与Track项联动,用于探测链路状态
# 配置NQA测试组(管理员为admin,操作标签为test1),具体配置步骤如下。
[DeviceC] nqa entry admin test1
[DeviceC-nqa-admin-test1] type icmp-echo
[DeviceC-nqa-admin-test1-icmp-echo] destination ip 1.1.1.1
[DeviceC-nqa-admin-test1-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test1-icmp-echo] history-record enable
[DeviceC-nqa-admin-test1-icmp-echo] probe count 5
[DeviceC-nqa-admin-test1-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test1-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test1-icmp-echo] quit
[DeviceC] nqa schedule admin test1 start-time now lifetime forever
# 配置Track项110,关联NQA测试组(管理员为admin,操作标签为test1)的联动项1,配置步骤如下。
[DeviceC] track 110 nqa entry admin test1 reaction 1
[DeviceC-track-110] quit
# 配置NQA测试组(管理员为admin,操作标签为test2),具体配置步骤如下。
[DeviceC] nqa entry admin test2
[DeviceC-nqa-admin-test2] type icmp-echo
[DeviceC-nqa-admin-test2-icmp-echo] destination ip 2.2.2.2
[DeviceC-nqa-admin-test2-icmp-echo] frequency 3000
[DeviceC-nqa-admin-test2-icmp-echo] history-record enable
[DeviceC-nqa-admin-test2-icmp-echo] probe count 5
[DeviceC-nqa-admin-test2-icmp-echo] next-hop ip 4.4.4.5
[DeviceC-nqa-admin-test2-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[DeviceC-nqa-admin-test2-icmp-echo] quit
[DeviceC] nqa schedule admin test2 start-time now lifetime forever
# 配置Track项120,关联NQA测试组(管理员为admin,操作标签为test2)的联动项1,配置步骤如下。
[DeviceC] track 120 nqa entry admin test2 reaction 1
[DeviceC-track-120] quit
(8) 配置路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例的下一跳IP地址仅为示例,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceC] ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
[DeviceC] ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
[DeviceC] ip route-static 1.1.1.1 24 4.4.4.5
[DeviceC] ip route-static 2.2.2.2 24 4.4.4.5
以上配置完成后,Device A会自动与Device B、Device C进行IKE协商。当IKE协商完成后,Device A、Device B和Device C上的IPsec 虚拟隧道接口都将up,即可对总部和分支的数据流进行安全保护。
# 通过display ip interface brief命令可查看Device A的接口状态如下。
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 up up 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 up up 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 up up 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# 通过display ip routing-table命令可查看Device A的路由状态如下。
<DeviceA> display ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.0/24 Direct 0 0 1.1.1.1 GE1/0/1
1.1.1.255/32 Direct 0 0 1.1.1.1 GE1/0/1
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 100 0 1.1.1.2 GE1/0/1
4.4.4.0/24 Static 100 0 1.1.1.2 GE1/0/1
10.0.0.0/24 Direct 0 0 10.0.0.1 Tun0
10.0.0.255/32 Direct 0 0 10.0.0.1 Tun0
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 100 0 0.0.0.0 Tun0
192.168.13.0/24 Static 100 0 0.0.0.0 Tun2
# Host A可以Ping通Host B,此时IPsec流量在Tunnel0所在链路传输。
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字节的数据:
来自 192.168.12.2 的回复: 字节=32 时间=1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
192.168.12.2 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
# 当Device A的GigabitEthernet1/0/1接口所在链路发生故障时,Host A仍然可以Ping通Host B,此时IPsec流量在Tunnel1所在链路传输。
C:\Users\hosta> ping 192.168.12.2
正在 Ping 192.168.12.2 具有 32 字节的数据:
来自 192.168.12.2 的回复: 字节=32 时间=1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
来自 192.168.12.2 的回复: 字节=32 时间<1ms TTL=254
192.168.12.2 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
# 通过display ip interface brief命令可查看Device A的接口状态如下。
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 down down 1.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.2/24 -- --
GE1/0/3 up up 192.168.11.1/24 -- --
Tun0 down down 10.0.0.1/24 -- --
Tun1 up up 20.0.0.1/24 -- --
Tun2 down down 30.0.0.1/24 -- --
Tun3 up up 40.0.0.1/24 -- --
# 通过display ip routing-table命令可查看Device A的路由状态如下。
<DeviceA> display ip routing-table
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
2.2.2.0/24 Direct 0 0 2.2.2.2 GE1/0/2
2.2.2.255/32 Direct 0 0 2.2.2.2 GE1/0/2
3.3.3.0/24 Static 110 0 2.2.2.3 GE1/0/2
4.4.4.0/24 Static 110 0 2.2.2.3 GE1/0/2
20.0.0.0/24 Direct 0 0 20.0.0.1 Tun1
20.0.0.255/32 Direct 0 0 20.0.0.1 Tun1
192.168.11.0/24 Direct 0 0 192.168.11.1 GE1/0/3
192.168.11.255/32 Direct 0 0 192.168.11.1 GE1/0/3
192.168.12.0/24 Static 110 0 0.0.0.0 Tun1
192.168.13.0/24 Static 110 0 0.0.0.0 Tun3
# 当Device A的GigabitEthernet1/0/1接口所在链路故障恢复时,IPsec流量将切换到Tunnel0所在链路传输。
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface tunnel 0 mode ipsec
ip address 10.0.0.1 255.255.255.0
source 1.1.1.1
destination 3.3.3.3
#
interface tunnel 1 mode ipsec
ip address 20.0.0.1 255.255.255.0
source 2.2.2.2
destination 3.3.3.3
#
interface tunnel 2 mode ipsec
ip address 30.0.0.1 255.255.255.0
source 1.1.1.1
destination 4.4.4.4
#
interface tunnel 3 mode ipsec
ip address 40.0.0.1 255.255.255.0
source 2.2.2.2
destination 4.4.4.4
#
security-zone name trust
import interface gigabitethernet 1/0/3
#
security-zone name untrust
import interface gigabitethernet 1/0/1
import interface gigabitethernet 1/0/2
import interface tunnel 0
import interface tunnel 1
import interface tunnel 2
import interface tunnel 3
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
destination-ip-host 4.4.4.4
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.11.0 24
destination-ip-subnet 192.168.12.0 24
destination-ip-subnet 192.168.13.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.12.0 24
source-ip-subnet 192.168.13.0 24
destination-ip-subnet 192.168.11.0 24
action pass
#
ike keychain t0
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t0
keychain t0
match remote identity address 3.3.3.3 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t0
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ike keychain t1
pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t1
keychain t1
match local address Tunnel1
match remote identity address 3.3.3.3 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
ike keychain t2
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t2
keychain t2
match local address Tunnel2
match remote identity address 4.4.4.4 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t2
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t2 isakmp
transform-set t2
ike-profile t2
#
ike keychain t3
pre-shared-key address 4.4.4.4 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t3
keychain t3
match local address Tunnel3
match remote identity address 4.4.4.4 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t3
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t3 isakmp
transform-set t3
ike-profile t3
#
interface tunnel 0
tunnel protection ipsec profile t0
#
interface tunnel 1
tunnel protection ipsec profile t1
#
interface tunnel 2
tunnel protection ipsec profile t2
#
interface tunnel 3
tunnel protection ipsec profile t3
#
nqa entry admin test1
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
next-hop ip 1.1.1.2
probe count 5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
track 110 nqa entry admin test1 reaction 1
#
nqa entry admin test2
type icmp-echo
destination ip 3.3.3.3
frequency 3000
history-record enable
probe count 5
next-hop ip 2.2.2.3
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test2 start-time now lifetime forever
track 120 nqa entry admin test2 reaction 1
#
nqa entry admin test3
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
probe count 5
next-hop ip 1.1.1.2
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test3 start-time now lifetime forever
track 130 nqa entry admin test3 reaction 1
#
nqa entry admin test4
type icmp-echo
destination ip 4.4.4.4
frequency 3000
history-record enable
probe count 5
next-hop ip 2.2.2.3
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test4 start-time now lifetime forever
track 140 nqa entry admin test4 reaction 1
#
ip route-static 192.168.12.0 24 tunnel 0 track 110 preference 100
ip route-static 192.168.12.0 24 tunnel 1 track 120 preference 110
ip route-static 192.168.13.0 24 tunnel 2 track 130 preference 100
ip route-static 192.168.13.0 24 tunnel 3 track 140 preference 110
ip route-static 3.3.3.3 24 1.1.1.2 track 110 preference 100
ip route-static 3.3.3.3 24 2.2.2.3 track 120 preference 110
ip route-static 4.4.4.4 24 1.1.1.2 track 130 preference 100
ip route-static 4.4.4.4 24 2.2.2.3 track 140 preference 110
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 3.3.3.3 255.255.255.0
#
interface tunnel 0 mode ipsec
ip address 50.0.0.1 255.255.255.0
source 3.3.3.3
destination 1.1.1.1
#
interface tunnel 1 mode ipsec
ip address 60.0.0.1 255.255.255.0
source 3.3.3.3
destination 2.2.2.2
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
import interface tunnel 0
import interface tunnel 1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 3.3.3.3
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.12.0 24
destination-ip-subnet 192.168.11.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 24
destination-ip-subnet 192.168.12.0 24
action pass
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t0
keychain t0
match remote identity address 1.1.1.1 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t0
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t1
keychain t1
match local address Tunnel1
match remote identity address 2.2.2.2 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
interface tunnel 0
tunnel protection ipsec profile t0
#
interface tunnel 1
tunnel protection ipsec profile t1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
probe count 5
next-hop ip 3.3.3.4
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
track 110 nqa entry admin test1 reaction 1
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
probe count 5
next-hop ip 3.3.3.4
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test2 start-time now lifetime forever
track 120 nqa entry admin test2 reaction 1
#
ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
ip route-static 1.1.1.1 24 3.3.3.4
ip route-static 2.2.2.2 24 3.3.3.4
#
#
sysname DeviceC
#
interface gigabitethernet 1/0/1
ip address 4.4.4.4 255.255.255.0
#
interface tunnel 0 mode ipsec
ip address 70.0.0.1 255.255.255.0
source 4.4.4.4
destination 1.1.1.1
#
interface tunnel 1 mode ipsec
ip address 80.0.0.1 255.255.255.0
source 4.4.4.4
destination 2.2.2.2
#
security-zone name trust
import interface gigabitethernet 1/0/2
#
security-zone name untrust
import interface gigabitethernet 1/0/1
import interface tunnel 0
import interface tunnel 1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 4.4.4.4
destination-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
source-ip-host 2.2.2.2
destination-ip-host 4.4.4.4
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 192.168.13.0 24
destination-ip-subnet 192.168.11.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 192.168.11.0 24
destination-ip-subnet 192.168.13.0 24
action pass
#
ike keychain t0
pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t0
keychain t0
match remote identity address 1.1.1.1 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t0
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t0 isakmp
transform-set t0
ike-profile t0
#
ike keychain t1
pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
#
ike profile t1
keychain t1
match local address Tunnel1
match remote identity address 2.2.2.2 24
exchange-mode aggressive
dpd interval 30 periodic
#
ipsec transform-set t1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile t1 isakmp
transform-set t1
ike-profile t1
#
interface tunnel 0
tunnel protection ipsec profile t0
#
interface tunnel 1
tunnel protection ipsec profile t1
#
nqa entry admin test1
type icmp-echo
destination ip 1.1.1.1
frequency 3000
history-record enable
probe count 5
next-hop ip 4.4.4.5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever
track 110 nqa entry admin test1 reaction 1
#
nqa entry admin test2
type icmp-echo
destination ip 2.2.2.2
frequency 3000
history-record enable
probe count 5
next-hop ip 4.4.4.5
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin test2 start-time now lifetime forever
track 120 nqa entry admin test2 reaction 1
#
ip route-static 192.168.11.0 24 tunnel 0 track 110 preference 100
ip route-static 192.168.11.0 24 tunnel 1 track 120 preference 110
ip route-static 1.1.1.1 24 4.4.4.5
ip route-static 2.2.2.2 24 4.4.4.5
#
如下图所示,某企业分支和总部均使用固定的IP地址接入Internet。现有如下组网要求:
· 企业分支与企业总部之间的所有流量通过IPsec安全隧道进行传送;
· 当企业分支的私网IP地址段调整时,不需要改变企业总部网关的IPsec配置。
为实现如上组网需求,可采用如下配置思路实现:
· 在Device A和Device B之间使用IPsec隧道接口建立IPsec连接,将发送给对端私网的数据流路由到IPsec虚拟隧道接口上,由IPsec虚拟隧道接口上动态协商建立的IPsec安全隧道对分支子网(10.1.1.0/24)与总部子网(10.1.2.0/24)之间的所有数据流进行安全保护。
图1-35 基于IPsec隧道建立保护IPv4报文的IPsec隧道配置组网图
表1-23 组网图示例接口与设备实际接口对应关系
|
组网图示例接口 |
设备实际接口 |
|
Interface1 |
GigabitEthernet1/0/1 |
|
Interface2 |
GigabitEthernet1/0/2 |
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 创建IPsec隧道接口
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] ip address 3.3.3.1 255.255.255.0
[DeviceA-Tunnel1] source 2.2.2.1
[DeviceA-Tunnel1] destination 2.2.3.1
[DeviceA-Tunnel1] quit
(3) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.2.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceA] ip route-static 2.2.3.1 24 2.2.2.2
# 请根据组网图中规划的信息,配置静态路由,将需要保护的流量引入IPsec隧道接口,本举例的IPsec隧道接口为Tunnel1,具体配置步骤如下。
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 tunnel 1
(4) 配置接口加入安全域
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] import interface tunnel 1
[DeviceA-security-zone-Untrust] quit
(5) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device A可以向Device B发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.3.1
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device A可以接收和处理来自Device B的IPsec隧道协商报文,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.3.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host A与Host B之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
(6) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
[DeviceA] ike keychain abc
[DeviceA-ike-keychain-abc] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-abc] quit
[DeviceA] ike profile abc
[DeviceA-ike-profile-abc] keychain abc
[DeviceA-ike-profile-abc] local-identity address 2.2.2.1
[DeviceA-ike-profile-abc] match remote identity address 2.2.3.1 24
[DeviceA-ike-profile-abc] exchange-mode aggressive
[DeviceA-ike-profile-abc] quit
[DeviceA] ipsec transform-set abc
[DeviceA-ipsec-transform-set-abc] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-abc] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-abc] quit
[DeviceA] ipsec profile abc isakmp
[DeviceA-ipsec-profile-isakmp-abc] transform-set abc
[DeviceA-ipsec-profile-isakmp-abc] ike-profile abc
[DeviceA-ipsec-profile-isakmp-abc] quit
(7) 配置IPsec隧道接口,用于对需要保护的流量进行IPsec封装
[DeviceA] interface tunnel 1
[DeviceA-Tunnel1] tunnel protection ipsec profile abc
[DeviceA-Tunnel1] quit
(1) 配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
(2) 创建IPsec隧道接口
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] ip address 3.3.3.2 255.255.255.0
[DeviceB-Tunnel1] source 2.2.3.1
[DeviceB-Tunnel1] destination 2.2.2.1
[DeviceB-Tunnel1] quit
(3) 配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设下一跳IP地址为2.2.3.2,实际使用中请以具体组网情况为准,具体配置步骤如下。
[DeviceB] ip route-static 2.2.2.1 24 2.2.3.2
# 请根据组网图中规划的信息,配置静态路由,将需要保护的流量引入IPsec隧道接口,本举例的IPsec隧道接口为Tunnel1,具体配置步骤如下。
[DeviceA] ip route-static 10.1.1.0 255.255.255.0 tunnel 1
(4) 配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] import interface tunnel 1
[DeviceB-security-zone-Untrust] quit
(5) 配置安全策略
a. 配置安全策略放行Untrust与Local安全域之间的流量,用于设备之间可以建立IPsec隧道。
# 配置名称为ipseclocalout的安全策略规则,使Device B可以向Device A发送IPsec隧道协商报文,具体配置步骤如下。
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# 配置名称为ipseclocalin的安全策略规则,使Device B可以接收和处理来自Device A的IPsec隧道协商报文,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. 配置安全策略放行Host B与Host A之间的流量
# 配置名称为trust-untrust的安全策略规则,使Host B访问Host A的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# 配置名称为untrust-trust的安全策略规则,使Host A访问Host B的报文可通,具体配置步骤如下。
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
(6) 配置IPsec安全框架,建立IPsec隧道,保护需要防护的数据流
[DeviceB] ike keychain abc
[DeviceB-ike-keychain-abc] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-abc] quit
[DeviceB] ike profile abc
[DeviceB-ike-profile-abc] keychain abc
[DeviceB-ike-profile-abc] local-identity address 2.2.3.1
[DeviceB-ike-profile-abc] match remote identity address 2.2.2.1 24
[DeviceB-ike-profile-abc] exchange-mode aggressive
[DeviceB-ike-profile-abc] quit
[DeviceB] ipsec transform-set abc
[DeviceB-ipsec-transform-set-abc] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-abc] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-abc] quit
[DeviceB] ipsec profile abc isakmp
[DeviceB-ipsec-profile-isakmp-abc] transform-set abc
[DeviceB-ipsec-profile-isakmp-abc] ike-profile abc
[DeviceB-ipsec-profile-isakmp-abc] quit
(7) 配置IPsec隧道接口,用于对需要保护的流量进行IPsec封装
[DeviceB] interface tunnel 1
[DeviceB-Tunnel1] tunnel protection ipsec profile abc
[DeviceB-Tunnel1] quit
以上配置完成后,Device A会自动与Device B进行IKE协商。当IKE协商完成后,Device A和Device B上的IPsec 虚拟隧道接口都将up,即可以满足上述组网需求,对总部和分支的数据流进行安全保护。
# 通过display ip interface brief命令可查看接口状态如下:
<DeviceA> display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE1/0/1 up up 10.1.1.1/24 -- --
GE1/0/2 up up 2.2.2.1/24 -- --
Tun1 up up 3.3.3.1/24 -- --
# 通过display interface tunnel命令可查看隧道状态如下:
<DeviceA> display interface Tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1444
Internet address: 3.3.3.1/24 (primary)
Tunnel source 2.2.2.1, destination 2.2.3.1
Tunnel TTL 255
Tunnel protocol/transport IPsec/IP
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# 通过display ipsec sa命令查看协商生成的IPsec SA:
<DeviceA> display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: abc
Alias: profile-abc
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Transmitting entity: Initiator
Path MTU: 1388
Tunnel:
local address/port: 2.2.2.1/500
remote address/port: 2.2.3.1/500
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2701952073 (0xa10c8449)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3180
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3607077598 (0xd6ffa2de)
Connection ID: 12884901889
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3180
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
Status: Active
# 在Device A上用私网地址可以Ping通Device B连接的私网地址:
<DeviceA> ping -a 10.1.1.1 10.1.2.1
Ping 10.1.2.1 (10.1.2.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.1.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms
#
sysname DeviceA
#
interface gigabitethernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface tunnel 1 mode ipsec
ip address 3.3.3.1 255.255.255.0
source 2.2.2.1
destination 2.2.3.1
#
ip route-static 2.2.3.1 24 2.2.2.2
ip route-static 10.1.2.0 255.255.255.0 tunnel 1
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
import interface tunnel 1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
ike keychain abc
pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile abc
keychain abc
local-identity address 2.2.2.1
match remote identity address 2.2.3.1 24
exchange-mode aggressive
#
ipsec transform-set abc
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
interface tunnel 1
tunnel protection ipsec profile abc
#
#
sysname DeviceB
#
interface gigabitethernet 1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface tunnel 1 mode ipsec
ip address 3.3.3.2 255.255.255.0
source 2.2.3.1
destination 2.2.2.1
#
ip route-static 2.2.2.1 24 2.2.3.2
ip route-static 10.1.1.0 255.255.255.0 tunnel 1
security-zone name trust
import interface gigabitethernet 1/0/1
#
security-zone name untrust
import interface gigabitethernet 1/0/2
import interface tunnel 1
#
security-policy ip
rule name ipseclocalout
source-zone local
destination-zone untrust
source-ip-host 2.2.3.1
destination-ip-host 2.2.2.1
action pass
#
rule name ipseclocalin
source-zone untrust
destination-zone local
source-ip-host 2.2.2.1
destination-ip-host 2.2.3.1
action pass
#
rule name trust-untrust
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.2.0 24
destination-ip-subnet 10.1.1.0 24
action pass
#
rule name untrust-trust
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 24
destination-ip-subnet 10.1.2.0 24
action pass
#
ike keychain abc
pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
#
ike profile abc
keychain abc
local-identity address 2.2.3.1
match remote identity address 2.2.2.1 24
exchange-mode aggressive
#
ipsec transform-set abc
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
interface tunnel 1
tunnel protection ipsec profile abc
#
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!
支持
