ipsec在企业网中的应用
实验环境说明:
本实验采用华为2600系列路由器三台,3526系列交换机(三层)一台。实现1.0网段的主机可以和2.0,3.0网段的主机通过vpn互访。但是2.0和3.0之间不建立vpn。
拓扑图:
配置:
Router 14 的配置:
配置ip和默认路由:
[R14]int e0
[R14-Ethernet0]ip add 192.168.1.1 24
[R14-Ethernet0]int e1
[R14-Ethernet1]ip add 192.168.10.200 24
[R14-Ethernet1]quit
[R14]ip route 0.0.0.0 0 192.168.10.1
[R14]int e0
[R14-Ethernet0]ip add 192.168.1.1 24
[R14-Ethernet0]int e1
[R14-Ethernet1]ip add 192.168.10.200 24
[R14-Ethernet1]quit
[R14]ip route 0.0.0.0 0 192.168.10.1
配置两个访问控制列表:
[R14]acl 3000
[R14-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R14-acl-3000]rule deny ip source any destination any
[R14-acl-3000]quit
[R14]acl 3001
[R14-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[R14-acl-3001]rule deny ip source any destination any
[R14-acl-3001]quit
[R14]acl 3000
[R14-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R14-acl-3000]rule deny ip source any destination any
[R14-acl-3000]quit
[R14]acl 3001
[R14-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[R14-acl-3001]rule deny ip source any destination any
[R14-acl-3001]quit
配置安全提议:
[R14]ipsec proposal tran1 //创建名为tran1的安全协议
[R14-ipsec-proposal-tran1]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R14-ipsec-proposal-tran1]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R14-ipsec-proposal-tran1]esp-new encryption-algorithm des
[R14-ipsec-proposal-tran1]esp-new authentication-algorithm md5
[R14-ipsec-proposal-tran1]quit
[R14]ipsec proposal tran1 //创建名为tran1的安全协议
[R14-ipsec-proposal-tran1]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R14-ipsec-proposal-tran1]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R14-ipsec-proposal-tran1]esp-new encryption-algorithm des
[R14-ipsec-proposal-tran1]esp-new authentication-algorithm md5
[R14-ipsec-proposal-tran1]quit
[R14]ipsec proposal tran2 //创建名为tran2的安全协议
[R14-ipsec-proposal-tran2]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R14-ipsec-proposal-tran2]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法
[R14-ipsec-proposal-tran2]esp-new encryption-algorithm des
[R14-ipsec-proposal-tran2]esp-new authentication-algorithm md5
[R14-ipsec-proposal-tran2]quit
[R14-ipsec-proposal-tran2]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R14-ipsec-proposal-tran2]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法
[R14-ipsec-proposal-tran2]esp-new encryption-algorithm des
[R14-ipsec-proposal-tran2]esp-new authentication-algorithm md5
[R14-ipsec-proposal-tran2]quit
创建一条安全策略,协商方式为动态方式
[R14]ipsec poli policy1 10 isakmp
[R14-ipsec-policy-policy1-10]tunnel remote 192.168.20.100
[R14-ipsec-policy-policy1-10]proposal tran1 //引用安全提议
[R14-ipsec-policy-policy1-10]security acl 3000 //引用访问列表
[R14-ipsec-policy-policy1-10]quit
[R14]ike pre-shared-key 123456 remote 192.168.20.200 //共享密钥
[R14]ipsec poli policy1 10 isakmp
[R14-ipsec-policy-policy1-10]tunnel remote 192.168.20.100
[R14-ipsec-policy-policy1-10]proposal tran1 //引用安全提议
[R14-ipsec-policy-policy1-10]security acl 3000 //引用访问列表
[R14-ipsec-policy-policy1-10]quit
[R14]ike pre-shared-key 123456 remote 192.168.20.200 //共享密钥
创建安全策略,协商方式为动态方式
[R14]ipsec poli policy1 20 isakmp
[R14-ipsec-policy-policy1-20]tunnel remote 192.168.30.100
[R14-ipsec-policy-policy1-20]proposal tran2 //引用安全提议
[R14-ipsec-policy-policy1-20]security acl 3001 //引用访问列表
[R14-ipsec-policy-policy1-20]quit
[R14]ike pre-shared-key abcd remote 192.168.30.200 //共享密钥
[R14]ipsec poli policy1 20 isakmp
[R14-ipsec-policy-policy1-20]tunnel remote 192.168.30.100
[R14-ipsec-policy-policy1-20]proposal tran2 //引用安全提议
[R14-ipsec-policy-policy1-20]security acl 3001 //引用访问列表
[R14-ipsec-policy-policy1-20]quit
[R14]ike pre-shared-key abcd remote 192.168.30.200 //共享密钥
在接口上应用安全策略组:
[R14]int e1
[R14-Ethernet1]ipsec policy policy1
[R14]int e1
[R14-Ethernet1]ipsec policy policy1
###################################
Router 5 的配置:
配置ip和路由:
[R5]int e0
[R5-Ethernet0]ip add 192.168.2.1 24
[R5-Ethernet0]int e1
[R5-Ethernet1]ip add 192.168.20.200 24
[R5-Ethernet1]quit
[R5]ip route 0.0.0.0 0 192.168.20.1
配置一个访问控制列表:
[R5]acl 3000
[R5-acl-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R5-acl-3000]rule deny ip source any destination any
规则已经被加入到普通的访问列表中
配置安全提议:
[R5]ipsec proposal tran1 //创建名为tran1的安全协议
[R5-ipsec-proposal-tran1]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R5-ipsec-proposal-tran1]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R5-ipsec-proposal-tran1]esp-new encryption-algorithm des
[R5-ipsec-proposal-tran1]esp-new authentication-algorithm md5
[R5-ipsec-proposal-tran1]quit
[R5]int e0
[R5-Ethernet0]ip add 192.168.2.1 24
[R5-Ethernet0]int e1
[R5-Ethernet1]ip add 192.168.20.200 24
[R5-Ethernet1]quit
[R5]ip route 0.0.0.0 0 192.168.20.1
配置一个访问控制列表:
[R5]acl 3000
[R5-acl-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R5-acl-3000]rule deny ip source any destination any
规则已经被加入到普通的访问列表中
配置安全提议:
[R5]ipsec proposal tran1 //创建名为tran1的安全协议
[R5-ipsec-proposal-tran1]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R5-ipsec-proposal-tran1]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R5-ipsec-proposal-tran1]esp-new encryption-algorithm des
[R5-ipsec-proposal-tran1]esp-new authentication-algorithm md5
[R5-ipsec-proposal-tran1]quit
创建一条安全策略,协商方式为动态方式
[R5]ipsec poli policy1 10 isakmp
[R5-ipsec-policy-policy1-10]tunnel remote 192.168.10.100
[R5-ipsec-policy-policy1-10]proposal tran1 //引用安全提议
[R5-ipsec-policy-policy1-10]security acl 3000 //引用访问列表
[R5-ipsec-policy-policy1-10]quit
[R5]ike pre-shared-key 123456 remote 192.168.10.200 //共享密钥
[R5]ipsec poli policy1 10 isakmp
[R5-ipsec-policy-policy1-10]tunnel remote 192.168.10.100
[R5-ipsec-policy-policy1-10]proposal tran1 //引用安全提议
[R5-ipsec-policy-policy1-10]security acl 3000 //引用访问列表
[R5-ipsec-policy-policy1-10]quit
[R5]ike pre-shared-key 123456 remote 192.168.10.200 //共享密钥
在接口上应用安全策略组
[R5]int e1
[R5-Ethernet1]ipsec policy policy1
[R5]int e1
[R5-Ethernet1]ipsec policy policy1
#################################
Router 9 的配置:
配置ip和路由:
[R9]int e0
[R9-Ethernet0]ip add 192.168.3.1 24
[R9-Ethernet0]int e1
[R9-Ethernet1]ip add 192.168.30.200 24
[R9-Ethernet1]quit
[R9]ip route 0.0.0.0 0 192.168.30.1
配置一个访问控制列表:
[R9]acl 3000
[R9-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R9-acl-3000]rule deny ip source any destination any
规则已经被加入到普通的访问列表中
配置安全协议:
[R9]ipsec proposal tran2 //创建名为tran2的安全协议
[R9-ipsec-proposal-tran2]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R9-ipsec-proposal-tran2]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R9-ipsec-proposal-tran2]esp-new encryption-algorithm des
[R9-ipsec-proposal-tran2]esp-new authentication-algorithm md5
[R9-ipsec-proposal-tran2]quit
[R9]int e0
[R9-Ethernet0]ip add 192.168.3.1 24
[R9-Ethernet0]int e1
[R9-Ethernet1]ip add 192.168.30.200 24
[R9-Ethernet1]quit
[R9]ip route 0.0.0.0 0 192.168.30.1
配置一个访问控制列表:
[R9]acl 3000
[R9-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R9-acl-3000]rule deny ip source any destination any
规则已经被加入到普通的访问列表中
配置安全协议:
[R9]ipsec proposal tran2 //创建名为tran2的安全协议
[R9-ipsec-proposal-tran2]encapsulation-mode tunnel //报文封装形式采用隧道模式
[R9-ipsec-proposal-tran2]transform esp-new //安全协议采用esp协议
选择加密算法和认证算法:
[R9-ipsec-proposal-tran2]esp-new encryption-algorithm des
[R9-ipsec-proposal-tran2]esp-new authentication-algorithm md5
[R9-ipsec-proposal-tran2]quit
创建一条安全策略,协商方式为动态方式
[R9]ipsec poli policy1 20 isakmp
[R9-ipsec-policy-policy1-20]tunnel remote 192.168.10.100
[R9-ipsec-policy-policy1-20]proposal tran2 //引用安全提议
[R9-ipsec-policy-policy1-20]security acl 3000 //引用访问列表
[R9-ipsec-policy-policy1-20]quit
[R9]ike pre-shared-key adcd remote 192.168.10.200 //共享密钥
[R9]ipsec poli policy1 20 isakmp
[R9-ipsec-policy-policy1-20]tunnel remote 192.168.10.100
[R9-ipsec-policy-policy1-20]proposal tran2 //引用安全提议
[R9-ipsec-policy-policy1-20]security acl 3000 //引用访问列表
[R9-ipsec-policy-policy1-20]quit
[R9]ike pre-shared-key adcd remote 192.168.10.200 //共享密钥
在接口上应用安全策略组
[R9]int e1
[R9-Ethernet1]ipsec policy policy1
[R9]int e1
[R9-Ethernet1]ipsec policy policy1
########################
Switch10 的配置:
划分三个vlan,并加入接口:
# vlan 10
# port e1/0/1
# vlan 20
# port e1/0/2
# vlan 30
# port e1/0/3
# vlan 10
# port e1/0/1
# vlan 20
# port e1/0/2
# vlan 30
# port e1/0/3
分别为vlan 10、20、30配置地址:
# interface vlan-interface 10
# ip add 192.168.10.1 255.255.255.0
# interface vlan-interface 10
# ip add 192.168.10.1 255.255.255.0
# interface vlan-interface 20
# ip add 192.168.20.1 255.255.255.0
# ip add 192.168.20.1 255.255.255.0
# interface vlan-interface 30
# ip add 192.168.30.1 255.255.255.0
# ip add 192.168.30.1 255.255.255.0
测试:
1.10访问2.45:
1.10访问3.100:
2.45访问1.10:
3.100访问1.10:
