I. [Topology and lab environment]
 
 

Figure: establishing an IPsec tunnel using IKE (IKE negotiation)

 
Configure the interface IP addresses as shown above first, then add the IPsec configuration; the full configuration text is at the end of the article.
The switch used in this lab is the H3C simulator, which can be downloaded from: http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 Interested readers can get it from the forum.
 
 
II. [IPsec SA establishment analysis]
1. After the configuration is complete, check the SAs and perform the following debugging analysis
[R1]dis ipsec sa
===============================
Interface: Serial0/6/0
    path MTU: 1500
===============================
 
  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 2.2.2.1
        remote address: 2.2.3.1
    Flow :
        sour addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
        dest addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
 
    [inbound ESP SAs] 
      spi: 3180831459 (0xbd97a2e3)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3582  remaining lifetime of the security association
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
 
    [outbound ESP SAs] 
      spi: 3790725279 (0xe1f1e09f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3582
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
 
[R1] dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        2          2.2.3.1         RD            2     IPSEC 
        1          2.2.3.1         RD            1     IPSEC 
 
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
 
 
 
[R2]dis ipsec sa
===============================
Interface: Serial0/6/0
    path MTU: 1500
===============================
 
  -----------------------------
  IPsec policy name: "use1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 2.2.3.1
        remote address: 2.2.2.1
    Flow :
        sour addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
        dest addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
 
    [inbound ESP SAs] 
      spi: 3790725279 (0xe1f1e09f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3506
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
 
    [outbound ESP SAs] 
      spi: 3180831459 (0xbd97a2e3)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3506
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
[R2]
 
 
[R2]dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        3          2.2.2.1         RD|ST         2     IPSEC 
        2          2.2.2.1         RD|ST         1     IPSEC 
 
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
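As an added check (not part of the original article), the following Python script parses the `dis ipsec sa` output from both routers, confirms that R1's inbound SPI is R2's outbound SPI and vice versa (each ESP SA is one-way, so the SPIs must cross over), and flags the DES encryption that the default proposal negotiated. The sample text is copied from the outputs above; `WEAK_ALGS` is an assumed policy list, not an H3C setting.

```python
import re

# Constructed excerpts of this page's `dis ipsec sa` output (R1, then R2), trimmed to the needed lines.
R1_SA = """\
    [inbound ESP SAs]
      spi: 3180831459 (0xbd97a2e3)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 3790725279 (0xe1f1e09f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""
R2_SA = """\
    [inbound ESP SAs]
      spi: 3790725279 (0xe1f1e09f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 3180831459 (0xbd97a2e3)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""
WEAK_ALGS = {"ESP-ENCRYPT-DES", "ESP-AUTH-MD5"}  # assumed review policy: not acceptable in production

def parse_esp_sas(text):
    """Return {'inbound': {'spi': int, 'proposal': [...]}, 'outbound': {...}} from dis ipsec sa text."""
    sas, side = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            side = m.group(1)
            sas[side] = {}
        elif side and (m := re.match(r"spi: (\d+)", line)):
            sas[side]["spi"] = int(m.group(1))
        elif side and (m := re.match(r"proposal: (.+)", line)):
            sas[side]["proposal"] = m.group(1).split()
    return sas

def check_tunnel(local_text, remote_text, local="R1"):
    """Cross-check both ends of one tunnel; returns a list of findings (empty means clean)."""
    a, b = parse_esp_sas(local_text), parse_esp_sas(remote_text)
    findings = []
    # Each ESP SA is one-way: our inbound SPI must be the peer's outbound SPI and vice versa.
    if a["inbound"]["spi"] != b["outbound"]["spi"] or a["outbound"]["spi"] != b["inbound"]["spi"]:
        findings.append("SPI mismatch: the two outputs do not describe the same SA pair")
    if a["inbound"]["proposal"] != b["outbound"]["proposal"]:
        findings.append("proposal mismatch between peers")
    for side, sa in a.items():
        for alg in sa["proposal"]:
            if alg in WEAK_ALGS:
                findings.append(f"{local} {side}: weak algorithm {alg}")
    return findings
```

Run against the two outputs above it reports no SPI or proposal mismatch, only that both directions negotiated DES.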
 
 
2. Use debugging ipsec packet to observe how packets are received and sent
 
<R2>ping -a 10.1.2.1 10.1.1.1
  PING 10.1.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=20 ms
 
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 4/15/26 ms
<R1>
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---  packet received
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)  outer source and destination identified
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96  security protocol and algorithms
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:1  anti-replay check enabled, sequence number 1
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:ESP new input: Authentication succeed!   authentication passed
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:IPSEC Task: Decryption succeed!  decryption succeeded
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Tunnel mode. Org Src:10.1.2.1 Org Dst:10.1.1.1  source and destination of the inner (encrypted) packet
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Now send it to IP input process... 
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:--- Send IPSec packet ---  sending the reply
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!  outer IP encapsulation added
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.2.1 Dst:2.2.3.1 SPI:848486168(0x3292df18)  source and destination
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96  security protocol and algorithms
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1   encryption finished
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Now send it to IP output process...
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:2                      
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:ESP new input: Authentication succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Tunnel mode. Org Src:10.1.2.1 Org Dst:10.1.1.1
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Now send it to IP input process...
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:--- Send IPSec packet ---
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Src:2.2.2.1 Dst:2.2.3.1 SPI:848486168(0x3292df18)
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:2
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Now send it to IP output process...
 
3. No IKE proposal was configured, but a default IKE proposal exists
<R1> dis ike proposal 
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400 
 
[R2]dis ike pro
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400
 
III. [Configuration text]
 
<R1>dis cu 
#
 version 5.20, Alpha 1011
#
 sysname R1
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer peer   
 pre-shared-key cipher PMEfbsX04vk=
 remote-address 2.2.3.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer peer
 proposal tran1
#
acl number 3101
 rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0
#
interface Serial0/6/0
 link-protocol ppp
 ip address 2.2.2.1 255.255.255.0
 ipsec policy map1
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
 ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
 
 
 
 
<R2>dis cu
#
 version 5.20, Alpha 1011
#
 sysname R2
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer peer   
 pre-shared-key cipher PMEfbsX04vk=
 remote-address 2.2.2.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer peer
 proposal tran1
#
acl number 3101
 rule 0 permit ip source 10.1.2.1 0 destination 10.1.1.1 0
#
interface Serial0/6/0
 link-protocol ppp
 ip address 2.2.3.1 255.255.255.0
 ipsec policy use1
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.2.1 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
 ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return