
1.1 Basic IPSec Configuration
1.1.1 Objectives
1.1.2 Lab Environment
1.1.3 Lab Topology
1.1.4 Lab Steps
1.1.5 Questions for Further Thought
Lab 1 Basic IPSec Configuration
1.1 Basic IPSec Configuration
1.1.1 Objectives
Master the procedure for configuring IPSec on Huawei routers.
Understand how IKE establishes security associations.
Understand the IPSec processing flow in detail.
1.1.2 Lab Environment
Two Quidway 2600 series routers, one Ethernet switch or hub, two PCs, and two pairs of V35 or V24 DTE/DCE cables;
VRP version requirement: VRP 1.74 or later.
1.1.3 Lab Topology
Figure 1-1 Lab topology
1.1.4 Lab Steps
1. Connect the devices according to the topology above. The configuration of each router is given below for reference:
Configuration of RT1:
[rt1] firewall enable
[rt1] interface ethernet 0
[rt1-Ethernet0] ip address 10.10.1.1 255.255.255.0
[rt1-Ethernet0] quit
[rt1] acl 101
[rt1-acl-101] rule permit ip source 10.10.1.0 0.0.0.255 destination 10.20.1.0 0.0.0.255
//Configure an access control list that defines the data flow from 10.10.1.0/24 to 10.20.1.0/24 to be protected
[rt1-acl-101] rule deny ip source any destination any
[rt1-acl-101] quit
[rt1] ipsec proposal tran1
//Create a transform (proposal) named tran1 and enter proposal configuration view
[rt1-ipsec-proposal-tran1] encapsulation-mode tunnel
//Set the encapsulation mode the security protocol applies to IP packets to tunnel mode
[rt1-ipsec-proposal-tran1] transform esp-new
//Set the security protocol used by the transform to ESP as specified in RFC 2406
[rt1-ipsec-proposal-tran1] esp-new encryption-algorithm des
//Set the ESP encryption algorithm to DES
[rt1-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
//Set the ESP authentication algorithm to HMAC-SHA-1-96
[rt1-ipsec-proposal-tran1] quit
[rt1] ipsec policy policy1 10 isakmp
//Create a security policy in system view, negotiated through ISAKMP (IKE), and enter security policy view
[rt1-ipsec-policy-policy1-10] security acl 101
//Set the access list referenced by the security policy
[rt1-ipsec-policy-policy1-10] tunnel remote 202.10.1.2
//Set the remote address of the security tunnel
[rt1-ipsec-policy-policy1-10] proposal tran1
//Set the transform referenced by the security policy
[rt1-ipsec-policy-policy1-10] quit
[rt1] interface serial 0
[rt1-Serial0] ip address 202.10.1.1 255.255.255.0
[rt1-Serial0] ipsec policy policy1
//Apply the security policy group on interface Serial0
[rt1-Serial0] quit
[rt1] ike pre-shared-key asd remote 202.10.1.2
//Configure the pre-shared key used to authenticate the peer 202.10.1.2
[rt1] ike proposal 10
//Create an IKE proposal (policy)
[rt1-ike-proposal-10] quit
[rt1] ip route-static 10.20.1.0 255.255.255.0 202.10.1.2
Configuration of RT2:
[rt2] firewall enable
[rt2] interface ethernet 0
[rt2-Ethernet0] ip address 10.20.1.1 255.255.255.0
[rt2-Ethernet0] quit
[rt2] acl 101
[rt2-acl-101] rule permit ip source 10.20.1.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
[rt2-acl-101] rule deny ip source any destination any
[rt2-acl-101] quit
[rt2] ipsec proposal tran1
[rt2-ipsec-proposal-tran1] encapsulation-mode tunnel
[rt2-ipsec-proposal-tran1] transform esp-new
[rt2-ipsec-proposal-tran1] esp-new encryption-algorithm des
[rt2-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
[rt2-ipsec-proposal-tran1] quit
[rt2] ipsec policy policy1 10 isakmp
[rt2-ipsec-policy-policy1-10] security acl 101
[rt2-ipsec-policy-policy1-10] tunnel remote 202.10.1.1
[rt2-ipsec-policy-policy1-10] proposal tran1
[rt2-ipsec-policy-policy1-10] quit
[rt2] interface serial 0
[rt2-Serial0] ip address 202.10.1.2 255.255.255.0
[rt2-Serial0] ipsec policy policy1
[rt2-Serial0] quit
[rt2] ike pre-shared-key asd remote 202.10.1.1
[rt2] ike proposal 10
[rt2-ike-proposal-10] quit
[rt2] ip route-static 10.10.1.0 255.255.255.0 202.10.1.1
2. The "display ipsec proposal" command shows information about the transform; the output is as follows:
[rt1] display ipsec proposal
transform set name: tran1
transform set mode: tunnel
transform: esp-new
ESP protocol: hash sha1-hmac-96, encrypt des
The "display ike proposal" command shows the IKE proposals (security policies) configured on the router; the output is as follows:
[rt1] display ike proposal
Protection policy suite with priority 10
encryption : DES_CBC
hash : SHA
authentication : PRE_SHARED
DH Group : MODP_768
duration(seconds): 800
Default protection policy suite
encryption : DES_CBC
hash : SHA
authentication : PRE_SHARED
DH Group : MODP_768
duration(seconds): 800
Here we use the default IKE proposal parameters; in a real deployment they can be configured according to actual requirements.
The "display ipsec policy name policy1 10" command shows the information of the specified security policy:
[rt1] display ipsec policy name policy1 10
ipsec policy name: policy1
ipsec policy sequence: 10
negotiation mode: isakmp
security acl: 101
remote address 0: 202.10.1.2
Proposal name: tran1
ipsec sa duration: 3600 seconds
ipsec sa duration: 1843200 kilobytes
OutBound SA has NOT been established.
InBound SA has NOT been established.
3. Now let us observe how IKE establishes the security associations. On RT2, enable all IKE debugging and IPSec packet debugging with the "debugging ike all" and "debugging ipsec packet" commands, then run "ping -n 2 10.20.1.2" on PC1. RT2 displays the following:
[rt2]
transport_add: adding 10D08A4
transport_reference: transport 10D08A4 now has 1 references
message_alloc: allocated 100D224
message_recv: message 100D224
ICOOKIE: 0xc57785535e7bba66
RCOOKIE: 0x0000000000000000
NEXT_PAYLOAD: SA
VERSION: 16
EXCH_TYPE: ID_PROT
FLAGS: [ ]
MESSAGE_ID: 0x00000000
LENGTH: 120
message_dump_raw: iovec 0:
c5778553 5e7bba66 00000000 00000000 01100200 00000000 00000078 0000005c
00000001 00000001 00000050 01010002 03000024 00010000 80010001 80020002
80030001 80040001 800b0001 000c0004 00015180 00000024 01010000 80010001
80020002 80030001 80040001 800b0001 000c0004 00015180
message_parse_payloads: offset 0x1c payload SA
message_validate_payloads: payload SA at 10D0950 of message 100D224
DOI: 1
timer_add_event: event exchange_error_free_aux(10F2234) added before cookie_reset_event(0)
transport_reference: transport 10D08A4 now has 2 references
sa_create: sa 10D0FF4 phase 1 added to exchange 10F2234
message_parse_payloads: offset 0x28 payload PROPOSAL
message_parse_payloads: offset 0x30 payload TRANSFORM
Transform 0's attributes
Attribute ENCRYPTION_ALGORITHM value 1
Attribute HASH_ALGORITHM value 2
Attribute AUTHENTICATION_METHOD value 1
Attribute GROUP_DESCRIPTION value 1
Attribute LIFE_TYPE value 1
Attribute LIFE_DURATION value 800
message_parse_payloads: offset 0x54 payload TRANSFORM
Transform 1's attributes
Attribute ENCRYPTION_ALGORITHM value 1
Attribute HASH_ALGORITHM value 2
Attribute AUTHENTICATION_METHOD value 1
Attribute GROUP_DESCRIPTION value 1
Attribute LIFE_TYPE value 1
Attribute LIFE_DURATION value 800
message_validate_payloads: payload PROPOSAL at 10D095C of message 100D224
NO: 1
PROTO: ISAKMP
SPI_SZ: 0
NTRANSFORMS: 2
message_validate_payloads: payload TRANSFORM at 10D09 of message 100D224
NO: 0
ID: 1
message_validate_payloads: payload TRANSFORM at 10D0988 of message 100D224
NO: 1
ID: 1
exchange_validate: checking for required SA
ipsec_responder: phase 1 exchange 2 step 0
message_negotiate_sa: transform 0 proto 1 proposal 1 compatible
sa_add_transform: proto 10F9E24 no 1 proto 1 chosen 10C6674 sa 10D0FF4 id 1
ike_main_mode_validate_prop: success
message_negotiate_sa: proposal 1 succeeded
ipsec_decode_transform: transform 0 chosen
group_get: returning 10FA054 of group 1
exchange_run: finished step 0, advancing...
transport_reference: transport 10D08A4 now has 3 references
message_alloc: allocated 10F1684
ipsec_responder: phase 1 exchange 2 step 1
exchange_validate: checking for required SA
message_send: message 10F1684
ICOOKIE: 0xc57785535e7bba66
RCOOKIE: 0x1c98cd7f231947
NEXT_PAYLOAD: SA
VERSION: 16
EXCH_TYPE: ID_PROT
FLAGS: [ ]
MESSAGE_ID: 0x00000000
LENGTH: 84
message_dump_raw: iovec 0:
c5778553 5e7bba66 1c98cd7f 231947 01100200 00000000 00000054
message_dump_raw: iovec 1:
00000038 00000001 00000001
message_dump_raw: iovec 2:
0000002c 01010001
message_dump_raw: iovec 3:
00000024 00010000 80010001 80020002 80030001 80040001 800b0001 000c0004
00015180
exchange_run: finished step 1, advancing...
transport_reference: transport 10D08A4 now has 4 references
transport_reference: transport 10D0034 now has 2 references
transport_release: transport 10D08A4 had 4 references
transport_release: transport 10D0034 had 2 references
transport_reference: transport 10D08A4 now has 4 references
transport_reference: transport 10D0034 now has 2 references
transport 10D08A4 sending message 10F1684 0 times.
transport_send_messages: message 10F1684 scheduled for retrans 1 in 7 secs
timer_add_event: event message_send(10F1684) added before exchange_error_free_aux(10F2234)
transport_release: transport 10D08A4 had 4 references
transport_release: transport 10D0034 had 2 references
transport_add: adding 10FAF94
transport_reference: transport 10FAF94 now has 1 references
message_alloc: allocated 100D004
message_recv: message 100D004
ICOOKIE: 0xc57785535e7bba66
RCOOKIE: 0x1c98cd7f231947
NEXT_PAYLOAD: KEY_EXCH
VERSION: 16
EXCH_TYPE: ID_PROT
FLAGS: [ ]
MESSAGE_ID: 0x00000000
LENGTH: 148
message_dump_raw: iovec 0:
transport_add: adding 10FB414
transport_add: adding 10D0934
transport_add: adding 10FAF94
Received IPSec(ESP) Packet!
SPI:1426831585(0x550bb8e1) from 202.10.1.1 to 202.10.1.2
New ESP(RFC 2406) Enc Alg:DES; Auth Alg:HMAC-SHA1-96;
Authentication Succeed!
Decryption Succeed!
Tunnel mode. Outer IP header chopping succeed!
New Src Addr:10.10.1.2 New Dst Addr:10.20.1.2
Now send it to IP input process...
Send IPSec Packet! From 10.20.1.2 to 10.10.1.2
Tunnel Mode. Adding outer IP header succeed!
SPI:4288804284(0xffa1f5bc) Src Addr:202.10.1.2 Dst Addr:202.10.1.1
New ESP(RFC 2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96
Authentication Finished! (New ESP: RFC2406)
Encryption Finished! (New ESP: RFC2406) Sequence Number:1
Now send it to IP output process....
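As an added example (not part of the lab text or the router software), the Python below decodes the raw hex of the first main-mode message printed by message_dump_raw above, recovering the ISAKMP header and the SA, proposal and transform attributes that the debug trace lists; attribute names follow RFC 2408 and the byte layout is taken literally from the dump.

```python
import struct

# Raw bytes of the first main-mode message, copied from the
# "message_dump_raw: iovec 0" lines of the trace above (whitespace is ignored).
RAW_DUMP = (
    "c5778553 5e7bba66 00000000 00000000 01100200 00000000 00000078 0000005c "
    "00000001 00000001 00000050 01010002 03000024 00010000 80010001 80020002 "
    "80030001 80040001 800b0001 000c0004 00015180 00000024 01010000 80010001 "
    "80020002 80030001 80040001 800b0001 000c0004 00015180"
)
EXCH = {1: "BASE", 2: "ID_PROT", 3: "AUTH_ONLY", 4: "AGGRESSIVE", 5: "INFORMATIONAL"}
ATTR = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
        4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION"}

def parse_attributes(buf):
    """Decode ISAKMP data attributes (RFC 2408 section 3.3): if the top bit of the
    type field is set the attribute is TV (2-byte value), otherwise TLV."""
    attrs, off = {}, 0
    while off < len(buf):
        af_type, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        if af_type & 0x8000:                      # TV form: lv is the value itself
            value = lv
        else:                                     # TLV form: lv is the value length
            value = int.from_bytes(buf[off:off + lv], "big")
            off += lv
        attrs[ATTR.get(af_type & 0x7FFF, af_type & 0x7FFF)] = value
    return attrs

def parse_main_mode_msg1(dump):
    """Parse the ISAKMP header, SA payload, proposal and transforms of message 1."""
    data = bytes.fromhex("".join(dump.split()))
    icookie, rcookie, _, ver, exch, _, mid, length = struct.unpack_from("!8s8sBBBBII", data, 0)
    if length != len(data):
        raise ValueError("ISAKMP length field disagrees with captured size")
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": ver >> 4,
           "exchange": EXCH.get(exch, exch), "message_id": mid, "length": length}
    # SA payload follows the 28-byte header: generic payload header, DOI, Situation
    _, _, _, doi, _ = struct.unpack_from("!BBHII", data, 28)
    off = 28 + 12
    _, _, _, p_no, proto, spi_sz, n_tr = struct.unpack_from("!BBHBBBB", data, off)
    off += 8 + spi_sz
    transforms = []
    for _ in range(n_tr):
        _, _, t_len, t_no, t_id, _ = struct.unpack_from("!BBHBBH", data, off)
        transforms.append({"no": t_no, "id": t_id,
                           "attrs": parse_attributes(data[off + 8:off + t_len])})
        off += t_len
    return hdr, {"doi": doi, "proposal": p_no, "proto": proto, "transforms": transforms}
```

Comparing the decoded fields with the trace is a useful check on your reading of the debug output: the LIFE_DURATION TLV in the dump carries 0x00015180, whereas the router's own decoder prints 800 for that attribute.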
4. On PC1 run "ping -n 1000 10.20.1.2", then use a packet-capture tool such as NetXray to capture the encrypted packets leaving the Ethernet interface and send them again. Observing the packets once more, you will find that they are discarded at the receiving end. Using what you have learned so far, think about why this happens.
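The receiver-side check that decides the fate of re-sent packets is the ESP anti-replay window. The following is an added example, not part of the lab or the router software, implementing the sliding window of RFC 2406 section 3.4.3 and running constructed ESP sequence numbers through it: the live ping traffic first, then the same sequence numbers a second time.

```python
class AntiReplayWindow:
    """ESP anti-replay sliding window (RFC 2406 section 3.4.3), default width 64."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) was already seen

    def accept(self, seq):
        """Return True if seq is new and inside or to the right of the window."""
        if seq == 0:
            return False                          # senders start at 1, so 0 is invalid
        if seq > self.top:                        # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                          # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                          # already received: a replay
        self.bitmap |= 1 << diff                  # new packet inside the window
        return True

def simulate_capture_replay(live_seqs, replayed_seqs):
    """Feed the live ESP sequence numbers, then the re-sent ones, through one
    inbound SA's window; returns (live accepted, replayed accepted)."""
    win = AntiReplayWindow()
    live_ok = sum(win.accept(s) for s in live_seqs)
    replay_ok = sum(win.accept(s) for s in replayed_seqs)
    return live_ok, replay_ok

if __name__ == "__main__":
    # Constructed input: ten pings (sequence numbers 1..10), then packets 3..5 resent.
    print(simulate_capture_replay(range(1, 11), [3, 4, 5]))
```

Out-of-order but unseen packets inside the window are still accepted, which is why the bitmap rather than a simple "last sequence number" is needed.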
1.1.5 Questions for Further Thought
After this lab you should have a fairly clear understanding of basic IPSec configuration and of how IKE establishes security associations. IPSec has some further parameters whose configuration is quite similar to that of GRE, so they are not described in detail here. They are left as an exercise: try configuring them yourself to become familiar with the relevant commands.
