For an introduction to IPsec and *** and the related background, see the author's blog post "ipsec下***的配置".

 

Topology:

[topology diagram]

Requirements analysis:

Establish IPsec tunnels so that the internal networks of the Beijing headquarters, the Shanghai branch and the Zhengzhou branch can reach one another, and encrypt the data in transit to keep the communication confidential.

 

Lab steps

1: Beijing headquarters configuration

F1

[F1]dis cu

ike local-name f1

#

firewall packet-filter enable    (enable packet filtering)

firewall packet-filter default permit    (default action is permit)

#

ike peer peer1    (define the IKE peer)

exchange-mode aggressive    (use IKE aggressive mode)

pre-shared-key 123456    (configure the pre-shared key)

id-type name    (identify the peer by name rather than by IP address)

remote-name f2

#

ike peer peer2    (define the IKE peer)

exchange-mode aggressive    (use IKE aggressive mode)

pre-shared-key 654321    (configure the pre-shared key)

id-type name    (identify the peer by name rather than by IP address)

remote-name f3

#

ipsec proposal tran1    (security proposal tran1)

#

ipsec proposal tran2    (security proposal tran2)

#

ipsec policy policy1 10 isakmp    (security policy, entry 10, negotiated with ISAKMP)

security acl 3000    (reference the ACL that selects the traffic to protect)

ike-peer peer1    (reference the IKE peer)

proposal tran1    (reference the proposal)

#

ipsec policy policy1 20 isakmp    (security policy, entry 20, negotiated with ISAKMP)

security acl 3001    (reference the ACL that selects the traffic to protect)

ike-peer peer2    (reference the IKE peer)

proposal tran2    (reference the proposal)

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 1 deny ip

acl number 3001

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 1 deny ip

#

interface Ethernet0/0

ip address 192.168.1.254 255.255.255.0

#

interface Ethernet0/3

ip address 202.196.10.100 255.255.255.0

ipsec policy policy1    (apply the policy group on the interface)

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/3

add interface Ethernet0/4

set priority 85

ip route-static 0.0.0.0 0.0.0.0 202.196.10.1 preference 60    (default route)

[F1]dis ipsec proposal    (view the security proposals)

IPsec proposal name: tran2

encapsulation mode: tunnel

transform: esp-new

ESP protocol: authentication md5-hmac-96, encryption des

IPsec proposal name: tran1

encapsulation mode: tunnel

transform: esp-new

ESP protocol: authentication md5-hmac-96, encryption des

[F1]dis ipsec tunnel    (view the tunnel information)

------------------------------------------------

Connection ID : 3

Perfect forward secrecy: None

SA's SPI :

Inbound : 855708328 (0x330112a8) [ESP]

Outbound : 3269242184 (0xc2dcad48) [ESP]

Tunnel :

Local Address: 202.196.10.100 Remote Address : 202.196.20.2

Flow : (26 times matched)

Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP

Dest Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP

------------------------------------------------

Connection ID : 4

Perfect forward secrecy: None

SA's SPI :

Inbound : 796132552 (0x2f7404c8) [ESP]

Outbound : 2229133607 (0x84dde127) [ESP]

Tunnel :

Local Address: 202.196.10.100 Remote Address : 202.196.30.2

Flow : (22 times matched)

Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP

Dest Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
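Before moving on to the branches, a quick review of what the headquarters configuration and the two displays above actually negotiate. The branches obtain their WAN addresses by DHCP (section four), so F1 cannot name a remote address and instead identifies peers by name in aggressive mode; the proposals take the platform defaults shown by `dis ipsec proposal` (`md5-hmac-96` and `des`). The following Python script is an added example, not part of the original post or of the vendor's tooling: it parses the `ike peer` blocks and the `dis ipsec proposal` output, both re-typed from the page as constructed input, and reports the settings a reviewer would ask to change for a production deployment. The thresholds (`MIN_PSK_LEN`, the weak-algorithm sets) are assumptions of this example, not vendor defaults.

```python
import re

# Constructed for this example: the F1 "ike peer" blocks and the
# "dis ipsec proposal" output from the post, re-typed so the check runs offline.
F1_CONFIG = """\
ike local-name f1
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key 123456
 id-type name
 remote-name f2
#
ike peer peer2
 exchange-mode aggressive
 pre-shared-key 654321
 id-type name
 remote-name f3
#
"""

F1_PROPOSALS = """\
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
"""

# Assumed review policy for this example, not a vendor default.
WEAK_ENCRYPTION = {"des"}
WEAK_AUTH = {"md5-hmac-96"}
MIN_PSK_LEN = 16


def parse_ike_peers(config):
    """Return {peer_name: {keyword: value}} from the 'ike peer' blocks."""
    peers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ike peer (\S+)$", line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif line == "#":
            current = None
        elif current is not None and line:
            keyword, _, value = line.partition(" ")
            current[keyword] = value
    return peers


def parse_proposals(output):
    """Return {proposal_name: {'auth': ..., 'enc': ...}} from 'dis ipsec proposal'."""
    proposals, current = {}, None
    for line in output.splitlines():
        m = re.match(r"IPsec proposal name: (\S+)", line)
        if m:
            current = proposals.setdefault(m.group(1), {})
            continue
        m = re.match(r"ESP protocol: authentication (\S+), encryption (\S+)", line)
        if m and current is not None:
            current["auth"], current["enc"] = m.groups()
    return proposals


def audit(config, proposal_output):
    """List the settings a reviewer would ask to change before production use."""
    findings = []
    for name, peer in parse_ike_peers(config).items():
        if peer.get("exchange-mode") == "aggressive":
            findings.append(f"ike peer {name}: aggressive mode sends the identity in clear "
                            "text and exposes the PSK-derived hash to offline guessing; "
                            "prefer main mode wherever the peer address is fixed")
        psk = peer.get("pre-shared-key", "")
        if len(psk) < MIN_PSK_LEN or psk.isdigit():
            findings.append(f"ike peer {name}: pre-shared key is short or all digits")
    for name, prop in parse_proposals(proposal_output).items():
        if prop.get("enc") in WEAK_ENCRYPTION:
            findings.append(f"proposal {name}: {prop['enc']} has a 56-bit key; use AES")
        if prop.get("auth") in WEAK_AUTH:
            findings.append(f"proposal {name}: {prop['auth']} is MD5-based; use an SHA-based HMAC")
    return findings


if __name__ == "__main__":
    for finding in audit(F1_CONFIG, F1_PROPOSALS):
        print("-", finding)
```

Run against the page's configuration the script reports eight findings: two per IKE peer (aggressive mode, six-digit key) and two per proposal (DES, MD5). The lab keys are obviously placeholders; the point of the check is that the defaults this platform picks when a proposal is created empty are not what you want on a real WAN link, and the proposal view is where they get overridden.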

##################################

 

2: Shanghai branch configuration

F2

[F2]dis cu

#

sysname F2

#

ike local-name f2

#

firewall packet-filter enable

firewall packet-filter default permit

#

domain system

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 123456

id-type name

remote-name f1

remote-address 202.196.10.100    (the remote IP address must be specified on the branch side)

#

ipsec proposal tran1

#

ipsec policy policy1 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

acl number 3000

rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Ethernet0/0

ip address 192.168.2.254 255.255.255.0

#

interface Ethernet0/3

ip address dhcp-alloc

ipsec policy policy1

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/3

add interface Ethernet0/4

set priority 85

ip route-static 0.0.0.0 0.0.0.0 202.196.20.1 preference 60

[F2] dis ip

[F2] dis ipsec proposal

IPsec安全提议名称: tran1

封装模式: 隧道模式

转换方式: esp-new

ESP协议: 验证 md5-hmac-96, des算法加密

[F2] dis ipsec policy

===========================================

安全策略组: "policy1"

接口: {Ethernet0/3}

===========================================

-----------------------------

安全策略库: "policy1"

序列号: 10

模式: isakmp

-----------------------------

保护的数据流: 3000

数据流保护方式: 标准

IKE网关: peer1

完善的前向安全性(PFS) : None

安全提议名称: tran1

安全联盟的生存周期: 3600 秒

安全联盟的生存周期: 1843200 千字节

[F2] dis ipsec tunnel

------------------------------------------------

Ipsec 隧道的连接号 : 3

前向安全特性: None

SA的SPI :

入方向 : 3269242184 (0xc2dcad48) [ESP]

出方向 : 855708328 (0x330112a8) [ESP]

隧道 :

本地地址: 202.196.20.2 对端地址 : 202.196.10.100

传输流 : (匹配了22次)

源端地址: 192.168.2.0/255.255.255.0 源端端口号: 0 协议: IP

目的地址: 192.168.1.0/255.255.255.0 目的端口号: 0 协议: IP

[F2]

 

3: Zhengzhou branch configuration

F3

[F3]dis cu

#

sysname F3

#

ike local-name f3

#

firewall packet-filter enable

firewall packet-filter default permit

#

ike peer peer2

exchange-mode aggressive

pre-shared-key 654321

id-type name

remote-name f1

remote-address 202.196.10.100    (the remote IP address must be specified on the branch side)

#

ipsec proposal tran2

#

ipsec policy policy1 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3001

rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

interface Ethernet0/0

ip address 192.168.3.254 255.255.255.0

#

interface Ethernet0/3

ip address dhcp-alloc

ipsec policy policy1

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/3

add interface Ethernet0/4

set priority 85

#

ip route-static 0.0.0.0 0.0.0.0 202.196.30.1 preference 60

#
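With all three configurations in view, the relationship between the ACLs becomes the thing to verify: every `permit` rule on a branch must be the exact reverse of the headquarters rule the matching policy entry references, because phase 2 only establishes SAs for flows both ends select identically. The Python script below is an added example, not part of the original post: it parses the `acl number` sections of F1, F2 and F3 (re-typed from the page as constructed input), converts the Comware wildcard masks to networks, and reports any flow that is permitted on one side but not mirrored on the other. The site-to-ACL mapping in `verify_mesh` follows the `security acl` references in the policy entries above.

```python
import ipaddress
import re

# Constructed for this example: the ACL sections of F1, F2 and F3 from the post.
F1_ACLS = """\
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip
acl number 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 1 deny ip
"""
F2_ACLS = """\
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
"""
F3_ACLS = """\
acl number 3001
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny ip
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")
RULE_RE = re.compile(
    r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+) destination (\S+) (\S+))?$"
)


def wildcard_to_network(address, wildcard):
    """Comware ACLs use wildcard masks (0.0.0.255 means /24); invert to a netmask."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, source_net, destination_net), ...]}."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = acls.setdefault(int(m.group(1)), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            action, src, src_wc, dst, dst_wc = m.groups()
            if src is None:  # bare "permit ip" / "deny ip" catch-all rule
                current.append((action, ANY, ANY))
            else:
                current.append((action,
                                wildcard_to_network(src, src_wc),
                                wildcard_to_network(dst, dst_wc)))
    return acls


def permitted_flows(rules):
    """The (source, destination) pairs an ACL selects for IPsec protection."""
    return {(src, dst) for action, src, dst in rules if action == "permit"}


def check_mirror(hq_rules, branch_rules):
    """The branch ACL must be the exact reverse of the headquarters ACL.
    Returns the flows missing on the branch and the extra ones it adds."""
    hq = permitted_flows(hq_rules)
    branch_reversed = {(dst, src) for src, dst in permitted_flows(branch_rules)}
    return {"missing_on_branch": hq - branch_reversed,
            "extra_on_branch": branch_reversed - hq}


def verify_mesh():
    """Check each headquarters policy entry against the branch that terminates it."""
    hq = parse_acls(F1_ACLS)
    return {"shanghai": check_mirror(hq[3000], parse_acls(F2_ACLS)[3000]),
            "zhengzhou": check_mirror(hq[3001], parse_acls(F3_ACLS)[3001])}


if __name__ == "__main__":
    for site, result in verify_mesh().items():
        print(site, "OK" if not any(result.values()) else result)
```

For the configuration on this page both sites come back clean. The typical failure the check catches is a branch that narrows or widens one selector (a /25 on one side, a /24 on the other): IKE then reports a proposal or selector mismatch in phase 2 while phase 1 looks fine, which is confusing to debug from the console alone.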

[F3]dis ipsec policy

===========================================

IPsec Policy Group: "policy1"

Using interface: {Ethernet0/3}

===========================================

-----------------------------

IPsec policy name: "policy1"

sequence number: 20

mode: isakmp

-----------------------------

security data flow : 3001

selector mode: standard

ike-peer name: peer2

perfect forward secrecy: None

proposal name: tran2

IPsec sa local duration(time based): 3600 seconds

IPsec sa local duration(traffic based): 1843200 kilobytes

[F3]dis ipsec proposal

IPsec proposal name: tran2

encapsulation mode: tunnel

transform: esp-new

ESP protocol: authentication md5-hmac-96, encryption des

[F3]dis ipsec tunnel

------------------------------------------------

Connection ID : 3

Perfect forward secrecy: None

SA's SPI :

Inbound : 2229133607 (0x84dde127) [ESP]

Outbound : 796132552 (0x2f7404c8) [ESP]

Tunnel :

Local Address: 202.196.30.2 Remote Address : 202.196.10.100

Flow : (14 times matched)

Sour Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP

Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP

[F3]
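The `dis ipsec tunnel` output is the place to confirm that the two ends agree on the same security associations: each ESP SA is unidirectional, so the inbound SPI shown on F1 for connection ID 4 must be the outbound SPI on F3 and vice versa, the endpoint addresses must be swapped, and the protected flow must be the mirror image. The following Python script is an added example, not part of the original post: it parses the F1 entry (from section one) and the F3 entry above, both re-typed from the page as constructed input, and compares them field by field. It also flags the `Perfect forward secrecy: None` line, since without PFS all IPsec keys are derived from the single IKE SA secret; the `pfs` policy command for this platform is not shown on the page, so the check only reports the condition.

```python
import re

# Constructed for this example: the F1 "dis ipsec tunnel" entry for connection
# ID 4 (section one) and the F3 entry (section three), re-typed from the post.
F1_TUNNEL_TO_F3 = """\
Connection ID : 4
Perfect forward secrecy: None
SA's SPI :
Inbound : 796132552 (0x2f7404c8) [ESP]
Outbound : 2229133607 (0x84dde127) [ESP]
Tunnel :
Local Address: 202.196.10.100 Remote Address : 202.196.30.2
Flow : (22 times matched)
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
"""

F3_TUNNEL = """\
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 2229133607 (0x84dde127) [ESP]
Outbound : 796132552 (0x2f7404c8) [ESP]
Tunnel :
Local Address: 202.196.30.2 Remote Address : 202.196.10.100
Flow : (14 times matched)
Sour Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
"""

# Field name -> regex that captures it from one tunnel entry.
FIELDS = {
    "spi_in": r"Inbound : (\d+)",
    "spi_out": r"Outbound : (\d+)",
    "local": r"Local Address: (\S+)",
    "remote": r"Remote Address : (\S+)",
    "src": r"Sour Addr : (\S+)",
    "dst": r"Dest Addr : (\S+)",
    "pfs": r"Perfect forward secrecy: (\S+)",
}


def parse_tunnel(output):
    """Pull the fields of one 'dis ipsec tunnel' entry into a dict; SPIs as ints."""
    entry = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, output)
        if m is None:
            raise ValueError(f"field {key} not found in tunnel output")
        entry[key] = int(m.group(1)) if key.startswith("spi") else m.group(1)
    return entry


def check_pair(side_a, side_b):
    """Return the problems found when both ends' views of one tunnel are compared."""
    problems = []
    # Each SA is unidirectional: A's inbound SPI is B's outbound SPI and vice versa.
    if side_a["spi_in"] != side_b["spi_out"] or side_a["spi_out"] != side_b["spi_in"]:
        problems.append("SPIs do not pair: the two ends are not describing the same SAs")
    if side_a["local"] != side_b["remote"] or side_a["remote"] != side_b["local"]:
        problems.append("tunnel endpoint addresses do not match")
    if side_a["src"] != side_b["dst"] or side_a["dst"] != side_b["src"]:
        problems.append("protected flows are not mirror images")
    if side_a["pfs"] == "None" or side_b["pfs"] == "None":
        problems.append("PFS is disabled: IPsec keys are derived from the IKE SA secret alone")
    return problems


if __name__ == "__main__":
    for problem in check_pair(parse_tunnel(F1_TUNNEL_TO_F3), parse_tunnel(F3_TUNNEL)):
        print("-", problem)
```

For the two entries on this page the SPIs, endpoints and flows all line up and the only item reported is the missing PFS. The differing match counters (22 on F1, 14 on F3) are expected: they count packets each end classified into the tunnel, not a shared state.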

 

4: Configuration of the Layer 3 switch in the network

[SW13]dis cu

sysname SW13

dhcp server ip-pool shanghai

network 202.196.20.0 mask 255.255.255.0

#

dhcp server ip-pool zhengzhou

network 202.196.30.0 mask 255.255.255.0

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.100.33 255.255.255.0

#

interface Vlan-interface10

ip address 202.196.10.1 255.255.255.0

#

interface Vlan-interface20

ip address 202.196.20.1 255.255.255.0

#

interface Vlan-interface30

ip address 202.196.30.1 255.255.255.0

interface Ethernet0/6

port access vlan 10

interface Ethernet0/12

port access vlan 20

#

interface Ethernet0/18

port access vlan 30

#

#

dhcp server forbidden-ip 202.196.20.1

dhcp server forbidden-ip 202.196.30.1

#

[SW13]dis dhcp server ip-in-use all    (check the DHCP server's lease state)

Global pool:

IP address Hardware address Lease expiration Type

202.196.20.2 3ce5-a67f-374b Mar 29 2012 18:31:43 PM Auto:COMMITTED

202.196.30.2 3ce5-a6ce-1895 Mar 29 2012 19:52:32 PM Auto:COMMITTED

5: Testing

Beijing to the Shanghai branch: [screenshot of the test result]

Beijing to the Zhengzhou branch: [screenshot of the test result]