Lab 1: IPSec VPN Lab and Configuration
Topology and scenario:
In the network shown in the figure, the company's headquarters and its branch are both connected to the carrier network; the red box in the middle is the ISP network. The task is to configure the network so that the headquarters and the branch can reach each other. For this kind of network the natural choice is a VPN, and among VPN types IPSec VPN is one of the more secure; many enterprises today connect headquarters to branches, and branches to one another, over IPSec VPN. In this lab we configure IPSec VPN so that the headquarters and the branch can communicate. The lab requires two configurations: manual keying and IKE negotiation:
The configuration walkthrough follows, starting with the basic configuration:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR1
[AR1]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.1.254 24
[AR1-GigabitEthernet0/0/1]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]ip add 12.1.1.1 24
[AR1]ip route-static 0.0.0.0 0 12.1.1.2
<Huawei>sys
[Huawei]sys AR2
[AR2]int gi 0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR2-GigabitEthernet0/0/0]int gi 0/0/1
[AR2-GigabitEthernet0/0/1]ip add 23.1.1.2 24
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR3
[AR3]int gi 0/0/0
[AR3-GigabitEthernet0/0/0]ip add 23.1.1.3 24
[AR3-GigabitEthernet0/0/0]int gi 0/0/1
[AR3-GigabitEthernet0/0/1]ip add 192.168.2.254 24
Next, configure IPSec VPN:
[AR1]ipsec proposal hcie
[AR1]acl 3000
[AR1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR1]ipsec policy hcnp 10 manual
[AR1-ipsec-policy-manual-hcnp-10]security acl 3000
[AR1-ipsec-policy-manual-hcnp-10]proposal hcie
[AR1-ipsec-policy-manual-hcnp-10]tunnel local 12.1.1.1
[AR1-ipsec-policy-manual-hcnp-10]tunnel remote 23.1.1.3
[AR1-ipsec-policy-manual-hcnp-10]sa spi inbound esp 12345
[AR1-ipsec-policy-manual-hcnp-10]sa spi outbound esp 54321
[AR1-ipsec-policy-manual-hcnp-10]sa string-key inbound esp cipher huawei@123
[AR1-ipsec-policy-manual-hcnp-10]sa string-key outbound esp cipher huawei@123
[AR1]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy hcnp
[AR3]ipsec proposal hcie
[AR3]acl 3000
[AR3-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[AR3]ipsec policy hcnp 10 manual
[AR3-ipsec-policy-manual-hcnp-10]security acl 3000
[AR3-ipsec-policy-manual-hcnp-10]proposal hcie
[AR3-ipsec-policy-manual-hcnp-10]tunnel local 23.1.1.3
[AR3-ipsec-policy-manual-hcnp-10]tunnel remote 12.1.1.1
[AR3-ipsec-policy-manual-hcnp-10]sa spi inbound esp 54321
[AR3-ipsec-policy-manual-hcnp-10]sa spi outbound esp 12345
[AR3-ipsec-policy-manual-hcnp-10]sa string-key inbound esp cipher huawei@123
[AR3-ipsec-policy-manual-hcnp-10]sa string-key outbound esp cipher huawei@123
[AR3]int gi 0/0/0
[AR3-GigabitEthernet0/0/0]ipsec policy hcnp
Configuration is complete; next, verify it:
Below is a packet capture taken while pinging; the payload is visibly encrypted:
(2) Next, instead of configuring IPSec VPN with static manual keying, we configure it with dynamic IKE negotiation. The configuration walkthrough follows:
First, remove the IPSec policies from AR1 and AR3:
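As an added example (not part of the original lab), here is a small Python check that the manually keyed policies on AR1 and AR3 mirror each other: each end's inbound SPI and key must equal the other end's outbound SPI and key, and the tunnel endpoints must be swapped. The two configuration snippets are copied from the transcript above; AR3_WRONG is a constructed mistake used to show what a mismatch report looks like.

```python
"""Added example, not part of the original lab: a consistency check for the
two manually keyed IPSec policies typed on AR1 and AR3 above. A manual SA
only works when the two ends mirror each other: A's inbound SPI and key
must equal B's outbound SPI and key, and the tunnel endpoints must swap.
The two configuration snippets are copied from the lab transcript."""
import re
AR1_CFG = """
[AR1-ipsec-policy-manual-hcnp-10]tunnel local 12.1.1.1
[AR1-ipsec-policy-manual-hcnp-10]tunnel remote 23.1.1.3
[AR1-ipsec-policy-manual-hcnp-10]sa spi inbound esp 12345
[AR1-ipsec-policy-manual-hcnp-10]sa spi outbound esp 54321
[AR1-ipsec-policy-manual-hcnp-10]sa string-key inbound esp cipher huawei@123
[AR1-ipsec-policy-manual-hcnp-10]sa string-key outbound esp cipher huawei@123
"""
AR3_CFG = """
[AR3-ipsec-policy-manual-hcnp-10]tunnel local 23.1.1.3
[AR3-ipsec-policy-manual-hcnp-10]tunnel remote 12.1.1.1
[AR3-ipsec-policy-manual-hcnp-10]sa spi inbound esp 54321
[AR3-ipsec-policy-manual-hcnp-10]sa spi outbound esp 12345
[AR3-ipsec-policy-manual-hcnp-10]sa string-key inbound esp cipher huawei@123
[AR3-ipsec-policy-manual-hcnp-10]sa string-key outbound esp cipher huawei@123
"""
# Constructed mistake: AR3 typed with the same SPIs as AR1 instead of swapped.
AR3_WRONG = (AR3_CFG.replace("inbound esp 54321", "inbound esp 12345")
                    .replace("outbound esp 12345", "outbound esp 54321"))

def parse_manual_policy(text):
    """Extract endpoints, SPIs and keys from pasted VRP policy-view lines."""
    cfg = {}
    for raw in text.splitlines():
        tok = re.sub(r"^\s*\[[^\]]*\]", "", raw).split()  # drop the [prompt]
        if tok[:1] == ["tunnel"]:
            cfg[tok[1]] = tok[2]                   # local / remote address
        elif tok[:2] == ["sa", "spi"]:
            cfg["spi_" + tok[2]] = tok[4]          # inbound / outbound SPI
        elif tok[:2] == ["sa", "string-key"]:
            cfg["key_" + tok[2]] = tok[5]          # inbound / outbound key
    return cfg

def check_pair(a, b):
    """Return mismatch descriptions; an empty list means the ends mirror."""
    want = [("local", "remote"), ("remote", "local"),
            ("spi_inbound", "spi_outbound"), ("spi_outbound", "spi_inbound"),
            ("key_inbound", "key_outbound"), ("key_outbound", "key_inbound")]
    return [f"A {x} ({a.get(x)}) != B {y} ({b.get(y)})"
            for x, y in want if a.get(x) != b.get(y)]

if __name__ == "__main__":
    print(check_pair(parse_manual_policy(AR1_CFG), parse_manual_policy(AR3_CFG)))
    print(check_pair(parse_manual_policy(AR1_CFG), parse_manual_policy(AR3_WRONG)))
```

The first call returns an empty list for the lab's configuration; the second reports the two SPI mismatches, which is exactly the error that leaves a manual tunnel silently dropping traffic.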
[AR1]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]undo ipsec policy
[AR3]int gi 0/0/0
[AR3-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 23.1.1.3 255.255.255.0
ipsec policy hcnp
#
return
[AR3-GigabitEthernet0/0/0]undo ipsec policy
[AR1]ike proposal 10
[AR1-ike-proposal-10]dis ike proposal number 10
-------------------------------------------
IKE Proposal: 10
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
[AR1]ike peer to_ar3 v1
[AR1-ike-peer-to_ar3]remote-address 23.1.1.3
[AR1-ike-peer-to_ar3]ike-proposal 10
[AR1-ike-peer-to_ar3]pre-shared-key cipher huawei@123
[AR1-ike-peer-to_ar3]q
[AR1]ipsec proposal test
[AR1-ipsec-proposal-test]q
[AR1]ipsec policy hcie 10 isakmp
[AR1-ipsec-policy-isakmp-hcie-10]security acl 3000
[AR1-ipsec-policy-isakmp-hcie-10]ike-peer to_ar3
[AR1-ipsec-policy-isakmp-hcie-10]proposal test
[AR1-ipsec-policy-isakmp-hcie-10]q
[AR1]int gi 0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy hcie
[AR3]ike proposal 10
[AR3]ike peer to_ar1 v1
[AR3-ike-peer-to_ar1]remote-address 12.1.1.1
[AR3-ike-peer-to_ar1]ike-proposal 10
[AR3-ike-peer-to_ar1]pre-shared-key cipher huawei@123
[AR3]ipsec proposal test
[AR3-ipsec-proposal-test]q
[AR3]ipsec policy hcie 10 isakmp
[AR3-ipsec-policy-isakmp-hcie-10]security acl 3000
[AR3-ipsec-policy-isakmp-hcie-10]ike-peer to_ar1
[AR3-ipsec-policy-isakmp-hcie-10]proposal hcie
[AR3]int gi 0/0/0
[AR3-GigabitEthernet0/0/0]ipsec policy hcie
OK, configuration complete; now verify again:
OK, this concludes the IPSec VPN lab.