<>本节介绍如何使用华为路由器,建立IPSec VPN,来保障俩个站点之间正常的通信
1.拓扑图

2.步骤

2.1 在r4和r5上配置静态路由,指定对端的路由
2.2 使用高级IP acl 指定进行保护的流量(指定流量的源地址和目的IP地址)
2.3 创建IPSec安全提议并指定IPSec使用的各项参数
2.4 创建IKE安全提议,并指定IKE使用的各项参数
2.5 创建IKE对等体。并在其中引用配置的安全提议
2.6 创建IPSec安全策略,并在其中引用ACL,IPSec安全提议和IKE对等体
2.7建立连接的俩端,在面向lnternet的接口上应用安全策略

3.配置
3.1配置所有的IP地址和静态路由

r4: interface GigabitEthernet0/0/0 ip address 10.10.10.254 255.255.255.0 #
interface GigabitEthernet0/0/1 ip address 45.1.1.1 255.255.255.0 静态路由: ip route-
static20.20.20.0 255.255.255.0 45.1.1.5 ip route-static 56.1.1.0 255.255.255.0
45.1.1.5 # r5: [r5]int g0/0/0 [r5-GigabitEthernet0/0/0]ip address 45.1.1.5 24 [
r5-GigabitEthernet0/0/0]int g0/0/1 [r5-GigabitEthernet0/0/1]ip address 56.1.1.1
24 r6: interface GigabitEthernet0/0/0 ip address 56.1.1.6 255.255.255.0
interface GigabitEthernet0/0/1 ip address 20.20.20.254 255.255.255.0 静态路由: ip
route-static 10.10.10.0 255.255.255.0 56.1.1.1 ip route-static 45.1.1.0 255.255
.255.0 56.1.1.1
3.2在r4和r6上使用高级IP acl定义需要过ipsec vpn的流量
[r4]acl 3010 [r4-acl-adv-3010] [r4-acl-adv-3010] rule permit ip source 10.10.10
.0 0.0.0.255 destination 20.20 .20.0 0.0.0.255 [r4-acl-adv-3010] rule 10 deny ip
[r6]acl 3020 [r6-acl-adv-3020] [r6-acl-adv-3020] rule permit ip source 20.20.20
.0 0.0.0.255 destination 10.10 .10.0 0.0.0.255 [r6-acl-adv-3020] rule deny ip
3.3在r4和r6上配置IPSec安全提议
r4: [r4]ipsec proposal huawei10(自定义名字) [r4-ipsec-proposal-huawei10]
encapsulation-mode tunnel [r4-ipsec-proposal-huawei10]transform
esp(指定IPSec所使用的安全协议)[r4-ipsec-proposal-huawei10]esp authentication-algorithm
sha2-256(算法) [r4-ipsec-proposal-huawei10]esp encryption-algorithm aes-128 r6: [
r6]ipsec proposal huawei20(自定义名字) [r6-ipsec-proposal-huawei10]encapsulation-mode
tunnel[r6-ipsec-proposal-huawei10]transform esp(指定IPSec所使用的安全协议) [r6-ipsec-
proposal-huawei10]esp authentication-algorithm sha2-256(算法) [r6-ipsec-proposal-
huawei10]esp encryption-algorithm aes-128
查看安全提议:
[r4]display ipsec proposal Number of proposals: 1 IPSec proposal name: huawei
Encapsulationmode: Tunnel Transform : esp-new ESP protocol : Authentication SHA2
-HMAC-256 Encryption AES-128 [r6]dis ipsec proposal Number of proposals: 1
IPSec proposal name: huawei2 Encapsulationmode: Tunnel Transform : esp-new ESP
protocol : Authentication SHA2-HMAC-256 Encryption AES-128
3.4在r4和r6上创建ike安全提议
[r4]ike proposal 10 [r4-ike-proposal-10]authentication-algorithm sha1
(认证算法也与设备的型号有关)[r4-ike-proposal-10]authentication-method pre-share
(默认的认证方式是预共享密钥)[r4-ike-proposal-10]encryption-algorithm aes-cbc-128(加密算法) [r4-
ike-proposal-10]q 同理 [r6-ike-proposal-10]authentication-algorithm sha1 [r6-ike-
proposal-10]authentication-algorithm [r6-ike-proposal-10]authentication-method
pre-share [r6-ike-proposal-10]encryption-algorithm aes-cbc-128 [r6-ike-proposal-
10]q
3.5在r4和r6上创建ike对等体
[r4]ike peer huawei10 v1 [r4-ike-peer-huawei10]ike [r4-ike-peer-huawei10]ike-
proposal10 [r4-ike-peer-huawei10]pre-shared-key cipher huawei [r4-ike-peer-
huawei10]remote-address 56.1.1.6(对端的g0/0/0ip地址) [r4-ike-peer-huawei10]q [r6]ike
peer huawei20 v1[r6-ike-peer-huawei20]ike-proposal 10 [r6-ike-peer-huawei20]pre-
shared-key cip huawei [r6-ike-peer-huawei20]remote-address 45.1.1.1 [r6-ike-peer
-huawei20]q [r6]
查看ike对等体
[r4]dis ike peer verbose Number of IKE peers: 1
------------------------------------------ Peer name : huawei10 Exchange mode :
mainon phase 1 Pre-shared-key cipher : N`C55QK<`=/Q=^Q`MAF4<1!! Proposal : 10
Local ID type : IP DPD : Disable DPD mode : Periodic DPD idle time : 30 DPD
retransmitinterval: 15 DPD retry limit : 3 Host name : Peer IP address : 56.1.1
.6 VPN name : Local IP address : Local name : Remote name : NAT-traversal :
Disable Configured IKE version : Version one PKI realm : NULL Inband OCSP :
Disable [r6]dis ike peer verbose Number of IKE peers: 1
------------------------------------------ Peer name : huawei20 Exchange mode :
mainon phase 1 Pre-shared-key cipher : N`C55QK<`=/Q=^Q`MAF4<1!! Proposal : 10
Local ID type : IP DPD : Disable DPD mode : Periodic DPD idle time : 30 DPD
retransmitinterval: 15 DPD retry limit : 3 Host name : Peer IP address : 45.1.1
.1 VPN name : Local IP address : Local name : Remote name : NAT-traversal :
Disable Configured IKE version : Version one PKI realm : NULL Inband OCSP :
Disable ------------------------------------------
3.6在r4和r6上配置ipsec策略
[r4]ipsec policy hw 10 isakmp [r4-ipsec-policy-isakmp-hw-10]ike-peer huawei10 [
r4-ipsec-policy-isakmp-hw-10]proposal huawei [r4-ipsec-policy-isakmp-hw-10]
security acl3010 [r4-ipsec-policy-isakmp-hw-10]q [r6]ipsec policy hw2 10 isakmp
[r6-ipsec-policy-isakmp-hw2-10]ike-peer huawei20 [r6-ipsec-policy-isakmp-hw2-10]
proposal huawei2[r6-ipsec-policy-isakmp-hw2-10]security acl 3020 [r6-ipsec-
policy-isakmp-hw2-10]q
查看ipsec安全策略
[r4]display ipsec policy =========================================== IPSec
policygroup: "hw" Using interface: ===========================================
Sequence number:10 Security data flow: 3010 Peer name : huawei10 Perfect
forward secrecy: None Proposal name: huawei IPSec SAlocal duration(time based):
3600 seconds IPSec SA local duration(traffic based): 1843200 kilobytes Anti-
replay window size:32 SA trigger mode: Automatic Route inject: None Qos pre-
classify:Disable [r6]dis ipsec policy ==========================================
= IPSec policy group: "hw2" Using interface: ===================================
======== Sequence number: 10 Security data flow: 3020 Peer name : huawei20
Perfect forward secrecy: None Proposal name: huawei2 IPSec SAlocal duration(time
based): 3600 seconds IPSec SA local duration(traffic based): 1843200 kilobytes
Anti-replay window size: 32 SA trigger mode: Automatic Route inject: None Qos
pre-classify: Disable
3.7在r4和r6上应用IPSec安全策略
[r4]int g0/0/1 [r4-GigabitEthernet0/0/1]ipsec po [r4-GigabitEthernet0/0/1]
ipsec policy hw[r6]int g0/0/0 [r6-GigabitEthernet0/0/0]ipsec [r6-
GigabitEthernet0/0/0]ipsec policy hw2 [r6-GigabitEthernet0/0/0]dis this [
V200R003C00] # interface GigabitEthernet0/0/0 ip address 56.1.1.6 255.255.255.0
ipsec policy hw2
查看以创建的ike sa
[r4]dis ike sa Conn-ID Peer VPN Flag(s) Phase
--------------------------------------------------------------- 7 56.1.1.6 0 RD
2 6 56.1.1.6 0 RD 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED
FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED
UP [r6]dis ike sa Conn-ID Peer VPN Flag(s) Phase
--------------------------------------------------------------- 9 45.1.1.1 0 RD|
ST2 8 45.1.1.1 0 RD|ST 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED
FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED
UP
3.8 pc1向pc2发起ping

抓包查看

由此可知lnternet中路由器无法知道这个数据包是哪种类型的信息,只有数据到达r6才能读到携带的真数据,并把数据进行下一步处理。

技术
今日推荐
下载桌面版
GitHub
百度网盘(提取码:draw)
Gitee
云服务器优惠
阿里云优惠券
腾讯云优惠券
华为云优惠券
站点信息
问题反馈
邮箱:[email protected]
QQ群:766591547
关注微信