Lab topology diagram:
Purpose: connect the Wuhan branch office and the Harbin headquarters with an IPsec VPN so that the two internal networks can reach each other.
This write-up records only the IPsec configuration. The simulated environment is set up in advance: the PCs in Wuhan and Harbin can already reach the public network, that is, the network shown in this area of the diagram.
Wuhan egress router routing configuration:
<wuhan-r>dis ip rout | in Sta
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 222.73.1.1 GigabitEthernet0/0/0
192.168.0.0/16 Static 60 0 RD 1.1.1.2 GigabitEthernet0/0/1
<wuhan-r>
Harbin egress router routing configuration:
<wuhan-r>dis ip rout | in Sta
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 222.73.1.1 GigabitEthernet0/0/0
192.168.0.0/16 Static 60 0 RD 1.1.1.2 GigabitEthernet0/0/1
<wuhan-r>
Wuhan NAT configuration:
<wuhan-r>dis acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 10 permit source 192.168.0.0 0.0.255.255
<wuhan-r>dis nat outbound
NAT Outbound Information:
-------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-------------------------------------------------------------------------
GigabitEthernet0/0/0 2000 222.73.1.2 easyip
-------------------------------------------------------------------------
Total : 1
<wuhan-r>
Harbin NAT configuration:
<haerb-r>dis acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 10 permit source 172.16.0.0 0.0.255.255
<haerb-r>dis nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0 2000 180.73.2.2 easyip
--------------------------------------------------------------------------
Total : 1
<haerb-r>
The Layer 2 configuration is not covered here. At this point the internal PCs in Wuhan and Harbin can reach the Internet, but the Wuhan and Harbin PCs cannot reach each other. We now configure an IPsec VPN so that the two internal networks can reach each other.
“Establishing the IPsec tunnel in manual mode”
1. Configure an ACL on wuhan-r and on haerb-r to define the data flow each side protects
Wuhan:
[wuhan-r]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 10 permit ip source 222.73.1.2 0.0.0.252 destination 172.16.0.0 0.0.255.255
Harbin:
[haerb-r]dis acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 10 permit ip source 180.73.2.2 0.0.0.252 destination 192.168.0.0 0.0.255.255
Note: I added a rule 10 on each side because the data flow I want to protect is also the address range that NAT translates, so the post-NAT address is added here as well.
2. Create an IPsec proposal on wuhan-r and on haerb-r
Wuhan:
[wuhan-r]display ipsec proposal name tran1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
Harbin:
[haerb-r]dis ipsec proposal name tran1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
3. Create a security policy on wuhan-r and on haerb-r
Wuhan:
[wuhan-r] ipsec policy whtohaerb 10 manual
[wuhan-r-ipsec-policy-manual-whtohaerb-10] security acl 3000
[wuhan-r-ipsec-policy-manual-whtohaerb-10] proposal tran1
[wuhan-r-ipsec-policy-manual-whtohaerb-10] tunnel remote 180.73.2.2
[wuhan-r-ipsec-policy-manual-whtohaerb-10] tunnel local 222.73.1.2
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa spi outbound esp 12345
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa spi inbound esp 54321
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa string-key outbound esp cipher antiy
[wuhan-r-ipsec-policy-manual-whtohaerb-10] sa string-key inbound esp cipher antiy
[wuhan-r-ipsec-policy-manual-whtohaerb-10] quit
Harbin:
[haerb-r] ipsec policy haerbtowh 10 manual
[haerb-r-ipsec-policy-manual-haerbtowh-10] security acl 3000
[haerb-r-ipsec-policy-manual-haerbtowh-10] proposal tran1
[haerb-r-ipsec-policy-manual-haerbtowh-10] tunnel remote 222.73.1.2
[haerb-r-ipsec-policy-manual-haerbtowh-10] tunnel local 180.73.2.2
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa spi outbound esp 54321
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa spi inbound esp 12345
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa string-key outbound esp cipher antiy
[haerb-r-ipsec-policy-manual-haerbtowh-10] sa string-key inbound esp cipher antiy
[haerb-r-ipsec-policy-manual-haerbtowh-10] quit
Now running display ipsec policy on wuhan-r and on haerb-r shows the configured information:
[wuhan-r]dis ipsec policy name whtohaerb
===========================================
IPSec policy group: "whtohaerb"
Using interface: GigabitEthernet0/0/0
===========================================
Sequence number: 10
Security data flow: 3000
Tunnel local address: 222.73.1.2
Tunnel remote address: 180.73.2.2
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
ESP encryption hex key:
ESP authentication hex key:
[haerb-r]display ipsec policy name haerbtowh
===========================================
IPSec policy group: "haerbtowh"
Using interface: GigabitEthernet0/0/0
===========================================
Sequence number: 10
Security data flow: 3000
Tunnel local address: 180.73.2.2
Tunnel remote address: 222.73.1.2
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: aUUOJ`$]T*KQ=^Q`MAF4<1!!
ESP encryption hex key:
ESP authentication hex key:
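Manual mode has no IKE negotiation, so nothing on the wire tells you when the two routers disagree; a wrong SPI, a different algorithm or an ACL that is not the mirror of the peer's simply shows up as dropped packets. The script below is an added example, not code from the original post or a Huawei tool: it parses the `display ipsec proposal`, `display acl` and `display ipsec policy` output captured from both routers and reports the classic manual-mode mismatches (tunnel endpoints not mirrored, outbound SPI not equal to the peer's inbound SPI, differing algorithms, protected flows without a mirror rule on the peer). The sample input is constructed from the lab's own output, trimmed to the subnet-to-subnet ACL rules (rule 5); the WUHAN/HAERB names and the `check_tunnel` function are my own.

```python
"""Consistency check for a manually keyed IPsec tunnel between two peers.

Added example, not the post's or Huawei's code. It parses display output
captured on both routers and lists every mismatch that would stop a
manual-mode SA from passing traffic.
"""
import re

# ---- constructed sample input, copied from the lab output (Wuhan side) ----
WUHAN_PROPOSAL = """\
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-128
"""
WUHAN_ACL = "rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255\n"
WUHAN_POLICY = """\
Tunnel local address: 222.73.1.2
Tunnel remote address: 180.73.2.2
Proposal name:tran1
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
"""
# ---- constructed sample input (Harbin side) ----
HAERB_PROPOSAL = WUHAN_PROPOSAL  # same algorithms configured on both ends
HAERB_ACL = "rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255\n"
HAERB_POLICY = """\
Tunnel local address: 180.73.2.2
Tunnel remote address: 222.73.1.2
Proposal name:tran1
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
"""

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def parse_proposal(text):
    """Return the algorithm settings of a `display ipsec proposal` listing."""
    algo = {}
    for line in text.splitlines():
        line = " ".join(line.split())  # collapse spacing differences between platforms
        if line.startswith("Encapsulation mode:"):
            algo["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Transform"):
            algo["transform"] = line.split(":", 1)[1].strip()
        elif "Authentication" in line:
            algo["auth"] = line.rsplit("Authentication", 1)[1].strip()
        elif line.startswith("Encryption"):
            algo["enc"] = line.split(None, 1)[1].strip()
    return algo


def parse_policy(text):
    """Return tunnel endpoints, proposal name and inbound/outbound ESP SPIs."""
    info = {"in_spi": None, "out_spi": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Tunnel local address:"):
            info["local"] = line.split(":", 1)[1].strip()
        elif line.startswith("Tunnel remote address:"):
            info["remote"] = line.split(":", 1)[1].strip()
        elif line.startswith("Proposal name:"):
            info["proposal"] = line.split(":", 1)[1].strip()
        elif line.startswith("Inbound ESP setting"):
            section = "in"
        elif line.startswith("Outbound ESP setting"):
            section = "out"
        elif line.startswith("ESP SPI:") and section:
            m = re.match(r"ESP SPI:\s*(\d+)", line)
            info[section + "_spi"] = int(m.group(1)) if m else None
    return info


def parse_acl(text):
    """Return (src, src_wildcard, dst, dst_wildcard) for each permit-ip rule."""
    return [m.groups() for m in RULE_RE.finditer(text)]


def check_tunnel(a, b):
    """a, b: dicts with 'proposal', 'acl' and 'policy' text. Returns mismatches."""
    pa, pb = parse_policy(a["policy"]), parse_policy(b["policy"])
    problems = []
    if (pa.get("local"), pa.get("remote")) != (pb.get("remote"), pb.get("local")):
        problems.append("tunnel local/remote addresses are not mirrored")
    # Manual keying: each side's outbound SPI must equal the peer's inbound SPI.
    for mine, theirs in (("out_spi", "in_spi"), ("in_spi", "out_spi")):
        if pa[mine] != pb[theirs]:
            problems.append(f"A {mine} {pa[mine]} != B {theirs} {pb[theirs]}")
    if parse_proposal(a["proposal"]) != parse_proposal(b["proposal"]):
        problems.append("proposal algorithms differ")
    # Every protected flow must appear on the peer with source/destination swapped.
    ra, rb = parse_acl(a["acl"]), parse_acl(b["acl"])
    mirror = lambda r: (r[2], r[3], r[0], r[1])
    problems += [f"A rule {r} has no mirror on B" for r in ra if mirror(r) not in rb]
    problems += [f"B rule {r} has no mirror on A" for r in rb if mirror(r) not in ra]
    return problems


WUHAN = {"proposal": WUHAN_PROPOSAL, "acl": WUHAN_ACL, "policy": WUHAN_POLICY}
HAERB = {"proposal": HAERB_PROPOSAL, "acl": HAERB_ACL, "policy": HAERB_POLICY}

if __name__ == "__main__":
    for line in check_tunnel(WUHAN, HAERB) or ["tunnel configuration is consistent"]:
        print(line)
```

Run it against fresh captures whenever a manual tunnel stops passing traffic. The string keys are deliberately left out of the comparison: the router only displays them in encrypted form, so the plaintext you configured on each side has to be compared out of band.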
4. Apply each router's security policy on its interface so that the interface protects traffic with IPsec
Wuhan:
[wuhan-r-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 222.73.1.2 255.255.255.252
ipsec policy whtohaerb
nat outbound 2000
#
return
Harbin:
[haerb-r-GigabitEthernet0/0/0]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 180.73.2.2 255.255.255.252
ipsec policy haerbtowh
nat outbound 2000
#
return
Verification: the Wuhan internal host 192.168.10.10 can ping the Harbin internal host 172.16.10.10.
Run display ipsec statistics esp to view the packet statistics:
[wuhan-r]display ipsec statistics esp
Inpacket count : 16
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 14
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
“Establishing the IPsec tunnel through IKE negotiation with the default configuration”
Reference: https://support.huawei.com/enterprise/zh/routers/ar2200-pid-6078842?category=configuration-commissioning