What is special about aggressive mode:

1. Aggressive mode works across NAT, main mode does not (this holds for pre-shared-key authentication; see point 2 of the comparison below);

2. Aggressive mode can identify the peer by Name, main mode can only identify the peer by IP address.

 
 
When both ends of the VPN have dynamic IP addresses, for example ADSL connections, main mode is stuck: it can only identify the peer by IP address, and that address is not fixed. Aggressive mode can identify the peer by Name instead, which does not depend on the unpredictable IP address, so the tunnel can still be built.
 
 
 
The differences between IPsec main mode and aggressive mode are the following:
1. Messages exchanged: main mode uses 6, aggressive mode uses 3.
2. NAT support: with pre-shared-key authentication, main mode does not work across NAT while aggressive mode does. With certificate authentication both modes work.
3. Peer identification: main mode can only identify the peer by IP address, while aggressive mode can use either IP address or Name. The reason is that in main mode, after messages 3 and 4 have been exchanged, the pre-shared key is needed to compute SKEYID. When a device has several peers it must find the pre-shared key belonging to this particular peer, but the peer's ID is only sent in messages 5 and 6, so at that point a main-mode device can only use the source IP address of messages 3 and 4 to find the matching pre-shared key. If main mode used Name identification, the Name would only arrive in messages 5 and 6, yet the device has to find the peer's pre-shared key before messages 5 and 6; this is a contradiction, so Name identification cannot work in main mode.
In aggressive mode the ID is already sent in messages 1 and 2, so the device can look up the matching pre-shared key by ID and compute SKEYID. But because the three aggressive-mode messages are not encrypted, the ID travels in cleartext, which is a security weakness. It is worse than merely exposing the identity: HASH_R in message 2 is computed from SKEYID and values that are all sent in the clear (nonces, DH public values, cookies, SA payload, IDs), so anyone who captures an aggressive-mode exchange that uses pre-shared-key authentication can guess the PSK offline with a dictionary attack. If aggressive mode is unavoidable, use a long random PSK or certificate authentication.
4. Number of proposal transform sets: in aggressive mode the first message already carries the DH (KE) payload, and that payload fixes which DH group is used, so the transform sets in the proposal must use that group. If message 1 carries several transform sets, they must all use the same DH group (the one implied by the KE payload); transform sets with a different DH group cannot be carried in message 1.
5. Negotiation flexibility: because aggressive mode has fewer exchanges, its negotiation capability is lower than that of main mode.
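As an added example covering points 3 and 4 above (this is illustration code, not part of the original post or any vendor implementation): the script builds an IKEv1 aggressive-mode message 1 with the payload layout of RFC 2408/2409, parses it back, and shows a responder selecting the pre-shared key by the FQDN that is already on the wire, against a main-mode message 1 where only the source IP is available. It also refuses transform sets whose DH group differs from the KE payload's group, and computes SKEYID from the PSK and nonces. The peer names and PSKs (fw2/12345, fw3/abcde) mirror the FW1 configuration later on this page; the hub lookup tables, nonces and the random KE filler are constructed for the demo and are not real Diffie-Hellman values.

```python
"""Added example (not from the original post): build an IKEv1 aggressive-mode
message 1, parse it back and show why a responder can pick the pre-shared key
by peer *name* in aggressive mode but only by source IP in main mode.  Packet
layout follows RFC 2408/2409.  Peer names, PSKs and nonces are constructed for
the demo and the KE payload is random filler, not a real Diffie-Hellman value."""
import hashlib
import hmac
import os
import struct

# ISAKMP payload types (RFC 2408 section 3.1) and exchange types
SA, TRANSFORM, KE, ID, NONCE = 1, 3, 4, 5, 10
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
ID_FQDN = 2                          # IPsec DOI identification type for a host name
ATTR_GROUP_DESC = 4                  # IKE transform attribute "Group Description"
KE_LEN = {1: 96, 2: 128, 5: 192}     # public-value size in bytes for MODP groups 1/2/5

def payload(next_type, body):
    """Generic payload header (next payload, reserved, length) followed by the body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def transform(number, next_type, dh_group):
    """One KEY_IKE transform: DES(1) / MD5(1) / pre-shared key(1) / dh_group, as TV attributes."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 1), (2, 1), (3, 1), (ATTR_GROUP_DESC, dh_group)))
    return payload(next_type, struct.pack("!BBH", number, 1, 0) + attrs)

def sa_payload(next_type, dh_groups):
    """SA (DOI=IPsec, situation=identity only) -> one proposal -> one transform per DH group."""
    last = len(dh_groups)
    transforms = b"".join(transform(i, TRANSFORM if i < last else 0, g)
                          for i, g in enumerate(dh_groups, 1))
    proposal = payload(0, struct.pack("!BBBB", 1, 1, 0, last) + transforms)   # protocol 1 = ISAKMP, no SPI
    return payload(next_type, struct.pack("!II", 1, 1) + proposal)

def mismatched_groups(dh_groups, ke_group):
    """Point 4 of the comparison: transforms whose DH group differs from the KE payload's group."""
    return [g for g in dh_groups if g != ke_group]

def build_message1(exchange, fqdn, dh_groups, ke_group, nonce):
    """Main mode message 1 carries only SA; aggressive mode also carries KE, Ni and IDii."""
    if exchange != EXCH_AGGRESSIVE:
        body = sa_payload(0, dh_groups)
    else:
        bad = mismatched_groups(dh_groups, ke_group)
        if bad:
            raise ValueError(f"transforms with DH group {bad} cannot be sent with a group-{ke_group} KE")
        body = (sa_payload(KE, dh_groups)
                + payload(NONCE, os.urandom(KE_LEN[ke_group]))     # KE: placeholder, not a real g^xi
                + payload(ID, nonce)                                # Ni
                + payload(0, struct.pack("!BBH", ID_FQDN, 0, 0) + fqdn.encode()))   # IDii, in the clear
    header = struct.pack("!8s8sBBBBII", os.urandom(8), bytes(8), SA, 0x10, exchange, 0, 0, 28 + len(body))
    return header + body

def parse_message(msg):
    """Walk the payload chain from the header; return (exchange type, {payload type: body})."""
    _, _, next_type, _, exchange, _, _, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("length field does not match message size")
    payloads, offset = {}, 28
    while next_type:
        following = msg[offset]
        plen = struct.unpack("!H", msg[offset + 2:offset + 4])[0]
        payloads[next_type] = msg[offset + 4:offset + plen]
        next_type, offset = following, offset + plen
    return exchange, payloads

def cleartext_identity(msg):
    """What a passive observer or an IDS can read: the FQDN from an aggressive-mode message 1, else None."""
    exchange, payloads = parse_message(msg)
    if exchange == EXCH_AGGRESSIVE and ID in payloads and payloads[ID][0] == ID_FQDN:
        return payloads[ID][4:].decode()
    return None

def select_psk(msg, src_ip, psk_by_name, psk_by_ip):
    """Responder-side key selection before SKEYID exists: by name when the ID is already on the
    wire (aggressive), otherwise by the packet's source address (main mode, messages 3/4)."""
    name = cleartext_identity(msg)
    if name is not None:
        return f"name:{name}", psk_by_name[name]
    return f"ip:{src_ip}", psk_by_ip[src_ip]

def skeyid_psk(psk, ni, nr):
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-MD5 for hash MD5."""
    return hmac.new(psk, ni + nr, hashlib.md5).digest()

if __name__ == "__main__":
    # Constructed hub tables mirroring FW1 in the post: peers fw2/fw3 with PSKs 12345/abcde
    by_name, by_ip = {"fw2": b"12345", "fw3": b"abcde"}, {"193.168.20.1": b"12345"}
    ni = os.urandom(16)
    aggr = build_message1(EXCH_AGGRESSIVE, "fw2", [2], 2, ni)
    print("aggressive: ID on the wire:", cleartext_identity(aggr),
          "| key chosen by", select_psk(aggr, "198.51.100.7", by_name, by_ip)[0])   # source IP irrelevant
    main = build_message1(EXCH_MAIN, "fw2", [2], 2, ni)
    print("main: ID on the wire:", cleartext_identity(main),
          "| key chosen by", select_psk(main, "193.168.20.1", by_name, by_ip)[0])
    print("SKEYID for fw2:", skeyid_psk(by_name["fw2"], ni, os.urandom(16)).hex())
```

Run it and compare the two "key chosen by" lines: with the aggressive message the hub never looks at the source address, which is exactly what makes dynamic-IP branches work, and exactly what lets a sniffer read the branch's name. `cleartext_identity` is the kind of check an IDS rule for "aggressive mode with PSK" reduces to: exchange type 4 plus an ID payload in message 1.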
 
Configuration tasks
 
 
For a fuller introduction to IPsec see the attachment
 
 
 
Now the actual configuration. Devices: three H3C SecPath F100-C firewalls and one HUAWEI Quidway Layer-3 switch.
Topology (as used by the configurations below): each firewall's Ethernet0/1 connects to the switch on 193.168.10.0/24, 193.168.20.0/24 and 193.168.30.0/24 respectively, and each firewall's Ethernet0/2 faces its own LAN on 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24. FW1 is the hub; FW2 and FW3 are the branches.

Layer-3 switch configuration
Configure IP addresses
[S13]vlan 5
[S13-vlan5]port Ethernet 0/5
[S13-vlan5]vlan 10
[S13-vlan10]port ethernet 0/10
[S13-vlan10]vlan 15
[S13-vlan15]port ethernet 0/15
[S13-vlan15]inter vlan 5

[S13-Vlan-interface5]ip ad 193.168.10.2 255.255.255.0

[S13-Vlan-interface5]inter vlan 10

[S13-Vlan-interface10]ip ad 193.168.20.2 255.255.255.0

[S13-Vlan-interface10]inter vlan 15

[S13-Vlan-interface15]ip ad 193.168.30.2 255.255.255.0

Configure DHCP (intended to hand FW2 and FW3 dynamic WAN addresses; note that the firewall configurations below give those interfaces static addresses, so the pools are not actually exercised in this walkthrough)
[S13]dhcp enable
[S13]dhcp server ip-pool fw2
[S13-dhcp-fw2]network 193.168.20.0
[S13-dhcp-fw2]dhcp server ip-pool fw3
[S13-dhcp-fw3]network 193.168.30.0
[S13]dhcp server forbidden-ip 193.168.20.2
[S13]dhcp server forbidden-ip 193.168.30.2
 
 
FW1 configuration
For simplicity, add all the interfaces involved to the trust zone
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/1
[FW1-zone-trust]add interface Ethernet 0/2
Configure IP addresses
[FW1]interface Ethernet0/1

[FW1-Ethernet0/1]ip address 193.168.10.1 255.255.255.0

[FW1-Ethernet0/1]interface ethernet 0/2

[FW1-Ethernet0/2]ip address 192.168.10.1 255.255.255.0

Configure the default route
[FW1]ip route-static  0.0.0.0 0 193.168.10.2
 
To avoid frustrating, avoidable errors later, confirm the link between FW1 and the switch first:
[FW1]ping 193.168.10.2
 
Configure the ACLs (one per branch; the permit rule selects the traffic to be protected)
[FW1]acl number 3000

[FW1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[FW1-acl-adv-3000]rule deny ip source any destination any

 
[FW1]acl number 3001

[FW1-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255

[FW1-acl-adv-3001]rule deny ip source any destination any

Configure IKE. FW1 knows each branch only by name (no remote-address), so it can only act as responder; FW2 and FW3, which know FW1's fixed address, must initiate the negotiation.
[FW1]ike local-name fw1
[FW1]ike peer peer1

[FW1-ike-peer-peer1]exchange-mode aggressive

[FW1-ike-peer-peer1]id-type name
[FW1-ike-peer-peer1]pre-shared-key 12345
[FW1-ike-peer-peer1]remote-name fw2

[FW1-ike-peer-peer1]local-address 193.168.10.1

 
[FW1]ike peer peer2

[FW1-ike-peer-peer2]exchange-mode aggressive

[FW1-ike-peer-peer2]id-type name

[FW1-ike-peer-peer2]local-address 193.168.10.1

[FW1-ike-peer-peer2]pre-shared-key abcde
[FW1-ike-peer-peer2]remote-name fw3
 
Configure the IPsec proposal (this lab uses DES and MD5, which are both obsolete; on a real link use the AES and SHA options the platform supports)
[FW1]ipsec proposal proposal1

[FW1-ipsec-proposal-proposal1]encapsulation-mode tunnel

[FW1-ipsec-proposal-proposal1]esp authentication-algorithm md5

[FW1-ipsec-proposal-proposal1]esp encryption-algorithm des

[FW1-ipsec-proposal-proposal1]transform esp
Configure the IPsec policy (one entry per branch in the same policy group "policy")
[FW1]ipsec policy policy 1 isakmp

[FW1-ipsec-policy-isakmp-policy-1]ike-peer peer1

[FW1-ipsec-policy-isakmp-policy-1]proposal proposal1

[FW1-ipsec-policy-isakmp-policy-1]security acl 3000

 
[FW1]ipsec policy policy 2 isakmp

[FW1-ipsec-policy-isakmp-policy-2]ike-peer peer2

[FW1-ipsec-policy-isakmp-policy-2]proposal proposal1

[FW1-ipsec-policy-isakmp-policy-2]security acl 3001 

Apply the IPsec policy group to the WAN interface
[FW1]inter Ethernet 0/1
[FW1-Ethernet0/1]ipsec policy policy
 
 
 
FW2 configuration
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/1
[FW2-zone-trust]add interface Ethernet 0/2
 
Configure IP addresses
[FW2]interface Ethernet 0/1

[FW2-Ethernet0/1]ip address 193.168.20.1 255.255.255.0

[FW2-Ethernet0/1]interface ethernet 0/2

[FW2-Ethernet0/2]ip address 192.168.20.1 255.255.255.0

Configure the default route
[FW2]ip route-static  0.0.0.0 0 193.168.20.2
Configure the ACL (the mirror image of FW1's ACL 3000)
[FW2]acl number 3000

[FW2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[FW2-acl-adv-3000]rule deny ip source any destination any

Configure IKE
[FW2]ike local-name fw2
[FW2]ike peer peer1

[FW2-ike-peer-peer1]exchange-mode aggressive

[FW2-ike-peer-peer1]id-type name
[FW2-ike-peer-peer1]pre-shared-key 12345
[FW2-ike-peer-peer1]remote-name fw1       //required with exchange-mode aggressive and id-type name; must equal FW1's ike local-name

[FW2-ike-peer-peer1]remote-address 193.168.10.1  //FW1's fixed address, so that FW2 can initiate the negotiation

Configure the IPsec proposal (must match FW1's)
[FW2]ipsec proposal proposal

[FW2-ipsec-proposal-proposal]encapsulation-mode tunnel

[FW2-ipsec-proposal-proposal]esp authentication-algorithm md5

[FW2-ipsec-proposal-proposal]esp encryption-algorithm des

[FW2-ipsec-proposal-proposal]transform  esp
Configure the IPsec policy
[FW2]ipsec policy policy 1 isakmp

[FW2-ipsec-policy-isakmp-policy-1]ike-peer peer1

[FW2-ipsec-policy-isakmp-policy-1]proposal proposal

[FW2-ipsec-policy-isakmp-policy-1]security acl 3000

Apply the IPsec policy group to the WAN interface
[FW2]inter Ethernet 0/1
[FW2-Ethernet0/1]ipsec policy policy
 
 
FW3 configuration
[FW3]firewall zone trust
[FW3-zone-trust]add interface Ethernet 0/1
[FW3-zone-trust]add interface Ethernet 0/2
 
Configure IP addresses
[FW3]interface Ethernet 0/1

[FW3-Ethernet0/1]ip address 193.168.30.1 255.255.255.0

[FW3-Ethernet0/1]interface ethernet 0/2

[FW3-Ethernet0/2]ip address 192.168.30.1 255.255.255.0

Configure the default route
[FW3]ip route-static  0.0.0.0 0 193.168.30.2
Configure the ACL (the mirror image of FW1's ACL 3001)
[FW3]acl number 3000

[FW3-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[FW3-acl-adv-3000]rule deny ip source any destination any

Configure IKE
[FW3]ike local-name fw3
[FW3]ike peer peer1

[FW3-ike-peer-peer1]exchange-mode aggressive

[FW3-ike-peer-peer1]id-type name
[FW3-ike-peer-peer1]pre-shared-key abcde
[FW3-ike-peer-peer1]remote-name fw1       //required with exchange-mode aggressive and id-type name; must equal FW1's ike local-name

[FW3-ike-peer-peer1]remote-address 193.168.10.1  //FW1's fixed address, so that FW3 can initiate the negotiation

Configure the IPsec proposal (must match FW1's)
[FW3]ipsec proposal proposal

[FW3-ipsec-proposal-proposal]encapsulation-mode tunnel

[FW3-ipsec-proposal-proposal]esp authentication-algorithm md5

[FW3-ipsec-proposal-proposal]esp encryption-algorithm des

[FW3-ipsec-proposal-proposal]transform  esp
Configure the IPsec policy
[FW3]ipsec policy policy 1 isakmp

[FW3-ipsec-policy-isakmp-policy-1]ike-peer peer1

[FW3-ipsec-policy-isakmp-policy-1]proposal proposal

[FW3-ipsec-policy-isakmp-policy-1]security acl 3000

Apply the IPsec policy group to the WAN interface
[FW3]inter Ethernet 0/1
[FW3-Ethernet0/1]ipsec policy policy

With all three devices configured, trigger the tunnels from the branch side (for example ping 192.168.10.1 from a host in 192.168.20.0/24 or 192.168.30.0/24; FW1 cannot initiate because its peers carry no remote-address), then confirm on both ends with display ike sa and display ipsec sa.
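As an added example (illustration code, not part of the original post and not an H3C tool): a small consistency check for the hub-and-spoke configuration above. It reads the few Comware lines that decide whether the aggressive-mode negotiation can succeed (ike local-name, the ike peer blocks, the security ACL permit rules, the policy bindings) out of plain-text snippets and reports the mismatches that most often leave `display ike sa` empty: a pre-shared key that differs between the two peers, a remote-name that matches no peer's local-name, and a security ACL that is not the mirror image of the other side's. The snippets are constructed from the FW1 and FW2 commands above, trimmed to the lines the checker reads and with the prompts removed; FW3 is checked the same way.

```python
"""Added example (not from the original post): a consistency check for the
hub-and-spoke configuration above.  It parses the Comware lines that matter
for aggressive-mode negotiation out of plain-text snippets and reports the
usual reasons a tunnel never comes up.  The snippets below are constructed
from the post's FW1/FW2 commands, trimmed to the lines the checker reads."""
import re

FW1 = """
ike local-name fw1
ike peer peer1
 pre-shared-key 12345
 remote-name fw2
ike peer peer2
 pre-shared-key abcde
 remote-name fw3
acl number 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
ipsec policy policy 1 isakmp
 ike-peer peer1
 security acl 3000
ipsec policy policy 2 isakmp
 ike-peer peer2
 security acl 3001
"""

FW2 = """
ike local-name fw2
ike peer peer1
 pre-shared-key 12345
 remote-name fw1
 remote-address 193.168.10.1
acl number 3000
 rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ipsec policy policy 1 isakmp
 ike-peer peer1
 security acl 3000
"""

def parse_config(text):
    """Collect local-name, ike peer blocks, ACL permit rules and policy bindings; other lines are ignored."""
    cfg = {"local_name": None, "peers": {}, "acls": {}, "policies": []}
    section = None                       # the peer dict, ACL rule list or policy dict being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ike local-name (\S+)$", line):
            cfg["local_name"] = m.group(1)
        elif m := re.match(r"ike peer (\S+)$", line):
            section = cfg["peers"].setdefault(m.group(1), {})
        elif m := re.match(r"acl number (\d+)$", line):
            section = cfg["acls"].setdefault(m.group(1), [])
        elif re.match(r"ipsec policy \S+ \d+ isakmp$", line):
            section = {}
            cfg["policies"].append(section)
        elif m := re.match(r"pre-shared-key (\S+)$", line):
            section["psk"] = m.group(1)
        elif m := re.match(r"remote-name (\S+)$", line):
            section["remote_name"] = m.group(1)
        elif m := re.match(r"rule permit ip source (\S+ \S+) destination (\S+ \S+)$", line):
            section.append((m.group(1), m.group(2)))
        elif m := re.match(r"ike-peer (\S+)$", line):
            section["peer"] = m.group(1)
        elif m := re.match(r"security acl (\d+)$", line):
            section["acl"] = m.group(1)
    return cfg

def tunnels(cfg):
    """One (remote peer name, psk, permit rules) tuple per ipsec policy entry."""
    return [(cfg["peers"][p["peer"]].get("remote_name"), cfg["peers"][p["peer"]].get("psk"),
             cfg["acls"][p["acl"]]) for p in cfg["policies"]]

def check_pair(a, b):
    """Findings for the tunnel between configs a and b; an empty list means the two sides agree."""
    tag = f"{a['local_name']}<->{b['local_name']}"
    a_side = [t for t in tunnels(a) if t[0] == b["local_name"]]
    b_side = [t for t in tunnels(b) if t[0] == a["local_name"]]
    if not a_side or not b_side:
        return [f"{tag}: remote-name on one side matches no ike local-name on the other"]
    findings = []
    for (_, psk_a, rules_a), (_, psk_b, rules_b) in zip(a_side, b_side):
        if psk_a != psk_b:
            findings.append(f"{tag}: pre-shared-key differs")
        # the branch ACL must permit exactly the reverse of what the hub ACL permits
        if sorted(rules_a) != sorted((dst, src) for src, dst in rules_b):
            findings.append(f"{tag}: security ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    print(check_pair(parse_config(FW1), parse_config(FW2)) or "fw1<->fw2: consistent")
    # A one-character typo in the branch key, the classic cause of a silent IKE failure
    print(check_pair(parse_config(FW1), parse_config(FW2.replace("12345", "12346"))))
```

The checker only sees what is in the text, so a mismatch in `ipsec proposal` or `exchange-mode` is not caught; extending `parse_config` with those lines is straightforward. For the hub, FW1's second policy entry (peer2/ACL 3001) is ignored when pairing with FW2 because its remote-name is fw3, which is exactly how FW1 itself keys the pre-shared key: by name, not by address.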