R1#sh running-config
Building configuration...
Current configuration : 1431 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
crypto isakmp policy 110
authentication pre-share
crypto isakmp key cisco123 address ipv6 2001:1:1::2/64
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec
set transform-set vpn
!
!
!
!
!
!
interface Tunnel0
no ip address
ipv6 address 2001:DB:1::1/64
ipv6 mtu 1400
ipv6 rip rip enable
tunnel source FastEthernet0/0
tunnel destination 2001:1:1::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipsec
!
interface FastEthernet0/0
no ip address
duplex full
ipv6 address 2001:1:1::1/64
!
interface Ethernet1/0
no ip address
duplex half
ipv6 address 2001:10:1::1/64
ipv6 rip rip enable
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
ipv6 router rip rip
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R2#sh running-config
Building configuration...
Current configuration : 1431 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
!
crypto isakmp policy 110
authentication pre-share
crypto isakmp key cisco123 address ipv6 2001:1:1::1/64
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec
set transform-set vpn
!
!
!
!
!
!
interface Tunnel0
no ip address
ipv6 address 2001:DB:1::2/64
ipv6 mtu 1400
ipv6 rip rip enable
tunnel source FastEthernet0/0
tunnel destination 2001:1:1::1
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipsec
!
interface FastEthernet0/0
no ip address
duplex full
ipv6 address 2001:1:1::2/64
!
interface Ethernet1/0
no ip address
duplex half
ipv6 address 2001:20:1::1/64
ipv6 rip rip enable
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
ipv6 router rip rip
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R1#ping
Protocol [ip]: ipv6
Target IPv6 address: 2001:20:1::1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: 2001:10:1::1
UDP protocol? [no]:
Verbose? [no]:
Precedence [0]:
DSCP [0]:
Include hop by hop option? [no]:
Include destination option? [no]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:20:1::1, timeout is 2 seconds:
Packet sent with a source address of 2001:10:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/114/236 ms
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2001:1:1::1
protected vrf: (none)
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer 2001:1:1::2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2001:1:1::1,
remote crypto endpt.: 2001:1:1::2
path mtu 1514, ip mtu 1514
current outbound spi: 0x97CE38EC(2546874604)
inbound esp sas:
spi: 0x2419215A(605626714)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4476581/3496)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x97CE38EC(2546874604)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4476582/3495)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
dst: 2001:1:1::1
src: 2001:1:1::2
state: QM_IDLE conn-id: 1001 slot: 0 status: ACTIVE
R1#sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec 3DES+SHA 0 23 2001:1:1::1
2 Fa0/0 IPsec 3DES+SHA 23 0 2001:1:1::1
1001 Fa0/0 IKE SHA+DES 0 0 2001:1:1::1
R1#sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2001:1:1::2 port 500
IKE SA: local 2001:1:1::1/500
remote 2001:1:1::2/500 Active
IPSEC FLOW: permit ipv6 ::/0 ::/0
Active SAs: 2, origin: crypto map
R1#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:1:1::/64 [0/0]
via ::, FastEthernet0/0
L 2001:1:1::1/128 [0/0]
via ::, FastEthernet0/0
C 2001:10:1::/64 [0/0]
via ::, Ethernet1/0
L 2001:10:1::1/128 [0/0]
via ::, Ethernet1/0
R 2001:20:1::/64 [120/2]
via FE80::C800:34FF:FE70:0, Tunnel0
C 2001:DB:1::/64 [0/0]
via ::, Tunnel0
L 2001:DB:1::1/128 [0/0]
via ::, Tunnel0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
R1#sh ipv6 interface tunnel 0
Tunnel0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C800:14FF:FEA0:0
No Virtual link-local address(es):
Global unicast address(es):
2001:DB:1::1, subnet is 2001:DB:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::9
FF02::1:FF00:1
FF02::1:FFA0:0
MTU is 1400 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
R1#sh interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:1:1::1 (FastEthernet0/0), destination 2001:1:1::2
Tunnel protocol/transport IPSEC/IPV6
Tunnel TTL 255
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec")
Last input never, output 00:00:27, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
35 packets input, 2980 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
35 packets output, 2980 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
R1#sh running-config
Building configuration...
Current configuration : 1473 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
ipv6 unicast-routing
ipv6 cef
!
!
!
crypto isakmp policy 110
authentication pre-share
crypto isakmp key cisco123 address ipv6 2001:1:1::2/64
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec
set transform-set vpn
!
!
!
!
!
!
interface Tunnel0
no ip address
ipv6 address 2001:DB:1::1/64
ipv6 mtu 1400
ipv6 ospf 10 area 0
tunnel source FastEthernet0/0
tunnel destination 2001:1:1::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipsec
!
interface FastEthernet0/0
no ip address
duplex full
ipv6 address 2001:1:1::1/64
!
interface Ethernet1/0
no ip address
duplex half
ipv6 address 2001:10:1::1/64
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
ipv6 router ospf 10
router-id 1.1.1.1
log-adjacency-changes
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R2#sh running-config
Building configuration...
Current configuration : 1473 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
crypto isakmp policy 110
authentication pre-share
crypto isakmp key cisco123 address ipv6 2001:1:1::1/64
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec
set transform-set vpn
!
!
!
!
!
!
interface Tunnel0
no ip address
ipv6 address 2001:DB:1::2/64
ipv6 mtu 1400
ipv6 ospf 10 area 0
tunnel source FastEthernet0/0
tunnel destination 2001:1:1::1
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipsec
!
interface FastEthernet0/0
no ip address
duplex full
ipv6 address 2001:1:1::2/64
!
interface Ethernet1/0
no ip address
duplex half
ipv6 address 2001:20:1::1/64
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
ipv6 router ospf 10
router-id 2.2.2.2
log-adjacency-changes
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R2#ping ipv6 2001:10:1::1 source 2001:20:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:10:1::1, timeout is 2 seconds:
Packet sent with a source address of 2001:20:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/176 ms
R2#sh ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
1.1.1.1 1 FULL/ - 00:00:31 12 Tunnel0
R2#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:1:1::/64 [0/0]
via ::, FastEthernet0/0
L 2001:1:1::2/128 [0/0]
via ::, FastEthernet0/0
O 2001:10:1::/64 [110/11121]
via FE80::C800:14FF:FEA0:0, Tunnel0
C 2001:20:1::/64 [0/0]
via ::, Ethernet1/0
L 2001:20:1::1/128 [0/0]
via ::, Ethernet1/0
C 2001:DB:1::/64 [0/0]
via ::, Tunnel0
L 2001:DB:1::2/128 [0/0]
via ::, Tunnel0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
dst: 2001:1:1::1
src: 2001:1:1::2
state: QM_IDLE conn-id: 1001 slot: 0 status: ACTIVE