IPSec Tunnel Configuration Lab (Manual Mode)

Lab objective:

Establish an IPSec tunnel using manual (statically keyed) configuration.

Network requirements:

R1 is the egress router of the enterprise headquarters and R2 is the egress router of the enterprise branch; headquarters and branch communicate with each other over the public network.

The enterprise wants to protect the traffic exchanged between the headquarters subnet and the branch subnet. Because the two sites communicate over the public network, an IPSec tunnel between the headquarters egress gateway and the branch egress gateway can provide that protection.

Configuration steps:

******************R1 Enterprise headquarters************

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R1-head-office
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ip addr 1.1.1.1 24
[R1-head-office-GigabitEthernet0/0/0]int gi 0/0/1
[R1-head-office-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[R1-head-office-GigabitEthernet0/0/1]
[R1-head-office-GigabitEthernet0/0/1]q
[R1-head-office]ospf 1 router-id 1.1.1.1
[R1-head-office-ospf-1]area 0                                      // configure OSPF so the simulated public network is reachable; not needed in practice, where a static route is enough
[R1-head-office-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R1-head-office-ospf-1-area-0.0.0.0]q
[R1-head-office-ospf-1]q

[R1-head-office]acl 3101                       // configure ACL 3101 to match traffic from the headquarters subnet to the branch subnet
[R1-head-office-acl-adv-3101]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[R1-head-office-acl-adv-3101]ipsec proposal tran1     // configure the IPSec proposal
[R1-head-office-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R1-head-office-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R1-head-office-ipsec-proposal-tran1]q
[R1-head-office]ipsec policy map1 10 manual                        // configure a manual-mode IPSec policy
[R1-head-office-ipsec-policy-manual-map1-10]security acl 3101
[R1-head-office-ipsec-policy-manual-map1-10]proposal tran1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel local 1.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]tunnel remote 2.1.1.1
[R1-head-office-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key inbound esp cipher huawei         // configure the authentication key for the inbound SA
[R1-head-office-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
[R1-head-office-ipsec-policy-manual-map1-10]sa string-key outbound esp cipher huawei       // configure the authentication key for the outbound SA
[R1-head-office-ipsec-policy-manual-map1-10]q
[R1-head-office]int gi 0/0/0
[R1-head-office-GigabitEthernet0/0/0]ipsec policy map1                                    // apply the IPSec policy to the public-facing outbound interface
[R1-head-office-GigabitEthernet0/0/0]


******************R2 Enterprise branch************


<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname R2-office-other
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ip addr 2.1.1.1 24
[R2-office-other-GigabitEthernet0/0/0]int gi 0/0/1
[R2-office-other-GigabitEthernet0/0/1]ip addr 10.1.2.1 24
[R2-office-other-GigabitEthernet0/0/1]
[R2-office-other-GigabitEthernet0/0/1]q
[R2-office-other]ospf 1 router-id 2.2.2.2
[R2-office-other-ospf-1]area 0
[R2-office-other-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-office-other-ospf-1-area-0.0.0.0]q
[R2-office-other-ospf-1]q
[R2-office-other]
[R2-office-other]acl 3101
[R2-office-other-acl-adv-3101]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[R2-office-other-acl-adv-3101]q
[R2-office-other]ipsec proposal tran1
[R2-office-other-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[R2-office-other-ipsec-proposal-tran1]esp encryption-algorithm aes-128
[R2-office-other-ipsec-proposal-tran1]q

[R2-office-other]ipsec policy use1 10 manual
[R2-office-other-ipsec-policy-manual-use1-10]security acl 3101
[R2-office-other-ipsec-policy-manual-use1-10]proposal tran1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel local 2.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]tunnel remote 1.1.1.1
[R2-office-other-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key inbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
[R2-office-other-ipsec-policy-manual-use1-10]sa string-key outbound esp cipher huawei
[R2-office-other-ipsec-policy-manual-use1-10]q
[R2-office-other]int gi 0/0/0
[R2-office-other-GigabitEthernet0/0/0]ipsec policy use1
[R2-office-other-GigabitEthernet0/0/0]dis ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "use1"
  Sequence number  : 10
  Acl Group        : 3101
  Acl rule         : 0
  Mode             : Manual
  -----------------------------
    Encapsulation mode: Tunnel
    Tunnel local      : 2.1.1.1
    Tunnel remote     : 1.1.1.1
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 54321 (0xd431)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      No duration limit for this SA

    [Inbound ESP SAs]
      SPI: 12345 (0x3039)
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
      No duration limit for this SA
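Manual SAs are never negotiated and, as the output above shows, never expire, so a mismatched SPI, key, proposal or ACL between R1 and R2 fails silently and stays that way. The following check is an added example (not part of the original lab or of Huawei's tooling) that cross-checks the two peer policies the way a reviewer would: each side's inbound SA must equal the other side's outbound SA, and endpoints and ACL subnets must be mirrored. The ManualIpsecPolicy structure and its field names are assumptions made for this example.

```python
# Added example: consistency check for a pair of manually keyed IPSec policies,
# populated with the values configured on R1 (map1) and R2 (use1) above.
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualIpsecPolicy:          # hypothetical structure, one per peer
    local: str                    # tunnel local
    remote: str                   # tunnel remote
    acl_src: str                  # ACL source subnet (CIDR)
    acl_dst: str                  # ACL destination subnet (CIDR)
    proposal: tuple               # (encryption algorithm, authentication algorithm)
    spi_in: int                   # sa spi inbound esp
    spi_out: int                  # sa spi outbound esp
    key_in: str                   # sa string-key inbound esp
    key_out: str                  # sa string-key outbound esp


def check_peer_policies(a: ManualIpsecPolicy, b: ManualIpsecPolicy) -> list:
    """Return the list of mismatches between peers a and b; [] means consistent."""
    problems = []
    if (a.local, a.remote) != (b.remote, b.local):
        problems.append("tunnel endpoints are not mirrored")
    if (a.acl_src, a.acl_dst) != (b.acl_dst, b.acl_src):
        problems.append("ACL source/destination subnets are not mirrored")
    if a.proposal != b.proposal:
        problems.append("proposals differ")
    # Traffic a receives is traffic b sends: a's inbound SA must be b's outbound SA.
    if a.spi_in != b.spi_out or a.key_in != b.key_out:
        problems.append("inbound SA on A does not match outbound SA on B")
    if a.spi_out != b.spi_in or a.key_out != b.key_in:
        problems.append("outbound SA on A does not match inbound SA on B")
    return problems


# Values transcribed from the R1 and R2 configurations above.
R1 = ManualIpsecPolicy("1.1.1.1", "2.1.1.1", "10.1.1.0/24", "10.1.2.0/24",
                       ("aes-128", "sha2-256"), 54321, 12345, "huawei", "huawei")
R2 = ManualIpsecPolicy("2.1.1.1", "1.1.1.1", "10.1.2.0/24", "10.1.1.0/24",
                       ("aes-128", "sha2-256"), 12345, 54321, "huawei", "huawei")

if __name__ == "__main__":
    print(check_peer_policies(R1, R2))   # [] for the lab configuration
```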