H3C 建通道配置方法.docxVIP

IKE典型配置举例1.组网需求在Router A和Router B之间建立一个安全隧道，对Host A所在的子网（10.1.1.0/24）与Host B所在的子网（10.1.2.0/24）之间的数据流进行安全保护。在Router A上配置一条IKE提议，其提议号为10，使用的认证算法为MD5。Router B使用缺省的IKE提议。使用预共享密钥的认证方法。2.组网图图2-3IKE主模式及预共享密钥认证典型组网图3.配置步骤请保证Router A与Router B之间路由可达。(1)配置安全网关Router A#配置ACL 3101，定义由子网10.1.1.0/24去子网10.1.2.0/24的数据流。 system-viewRouterA acl number 3101RouterA-acl-adv-3101 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255RouterA-acl-adv-3101 quit#配置IPsec安全提议tran1。RouterA ipsec transform-set tran1#报文封装形式采用隧道模式。RouterA-ipsec-transform-set-tran1 encapsulation-mode tunnel#安全协议采用ESP协议。RouterA-ipsec-transform-set-tran1 transform esp#选择ESP协议采用的加密算法和认证算法。RouterA-ipsec-transform-set-tran1 esp encryption-algorithm desRouterA-ipsec-transform-set-tran1 esp authentication-algorithm sha1RouterA-ipsec-transform-set-tran1 quit#创建IKE对等体。RouterA ike peer peer#配置预共享密钥。RouterA-ike-peer-peer pre-shared-key abcde#配置对端安全网关的IP地址。RouterA-ike-peer-peer remote-address 2.2.2.2RouterA-ike-peer-peer quit#创建一条IKE提议10。RouterA ike proposal 10#指定IKE提议使用的认证算法为MD5。RouterA-ike-proposal-10 authentication-algorithm md5#使用预共享密钥认证方法。RouterA-ike-proposal-10 authentication-method pre-share#配置ISAKMP SA的存活时间为5000秒。RouterA-ike-proposal-10 sa duration 5000RouterA-ike-proposal-10 quit#创建一条IPsec安全策略，协商方式为isakmp。RouterA ipsec policy map1 10 isakmp#引用安全提议。RouterA-ipsec-policy-isakmp-map1-10 transform-set tran1#引用访问控制列表。RouterA-ipsec-policy-isakmp-map1-10 security acl 3101#引用IKE对等体。RouterA-ipsec-policy-isakmp-map1-10 ike-peer peerRouterA-ipsec-policy-isakmp-map1-10 quit#配置接口Ethernet1/2的IP地址。RouterA interface ethernet 1/2RouterA-Ethernet1/2 ip address 10.1.1.1 255.255.255.0RouterA-Ethernet1/2 quit#配置接口Ethernet1/1的IP地址。RouterA interface ethernet 1/1RouterA-Ethernet1/1 ip address 1.1.1.1 255.255.255.0#在接口Ethernet1/1上应用IPsec安全策略组。RouterA-Ethernet1/1 ipsec policy map1#配置到Host B所在子网的静态路由。RouterA ip route-static 10.1.2.0 255.255.255.0 2.2.2.2(2)配置安全网关Router B#配置ACL 3101，定义由子网10.1.2.0/24去子网10.1.1.0/24的数据流。 system-viewRouterB acl number 3101RouterB-acl-adv-3101 rule permit ip source 10.1.2.0 0.0.0.255 destination10.1.1.0 0.0.0.255RouterB-acl-adv-3101 quit#创建IPsec安全提议tran1。RouterB ipsec transform-set tran1#报文封装形式采用隧道模式。RouterB-ipsec-transform-set-tran1 encapsulation-mode tunnel#安全协议采用ESP协议。RouterB-ipsec-transform-set-tran1 transform esp#选择ESP协议采用的加密算法和认证算法。RouterB-ipsec-transform-set-tran1 esp encryption-algorithm desRouterB-ipsec-transform-set-tran1 esp authentication-algorithm sha1RouterB-ipsec-transform-set-tran1 quit#配置IKE对等体。RouterB ike peer peer#配置预共享密钥。RouterB-ike-peer-peer pre-shared-key abcde#配置对端安全网关的IP地址。RouterB-ike-peer-peer remote-address 1.1.1.1RouterB-ike-peer-peer quit#创建一条IPsec安全策略，协商方式为isakmp。RouterB ipsec policy use1 10 isakmp#引用访问控制列表。RouterB-ipsec-policy-isakmp-use1-10 security acl 3101#引用IPsec安全提议。RouterB-ipsec-policy-isakmp-use1-10 transform-set tran1#引用IKE对等体。RouterB-ipsec-policy-isakmp-use1-10 ike-peer peerRouterB-ipsec-policy-isakmp-use1-10 quit#配置接口Ethernet1/2的IP地址。RouterB interface ethernet 1/2RouterB-Ethernet1/2 ip address 10.1.2.1 255.255.255.0RouterB-Ethernet1/2 quit#配置接口Ethernet1/1的IP地址。RouterB interface ethernet 1/1RouterB-Ethernet1/1 ip address 2.2.2.2 255.255.255.0#在接口Ethernet1/1上应用IPsec安全策略组。RouterB-Ethernet1/1 ipsec policy use1#配置到Host A所在子网的静态路由。RouterB ip route-static 10.1.1.0 255.255.255.0 1.1.1.14.验证配置结果以上配置完成后，Router A和Router B之间如果有子网10.1.1.0/24与子网10.1.2.0/24之间的报文通过，将触发IKE协商。由于Router A上配置了提议10，其中使用的认证算法为md5，但Router B上使用的是缺省的IKE提议，默认的认证算法为sha。因此，在进行IKE提议匹配的时候，从优先级最高的提议开始匹配，因为Router B上没有和Router A上提议10相匹配的IKE提议，所以双方能够匹配的只有缺省的IKE提议。另外，在进行提议匹配的时候，存活时间是不用进行匹配的，它由IKE协商双方决定。RouterA display ike proposalpriority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds)- 10 PRE_SHARED MD5 DES_CBC MODP_768 5000 default PRE_SHARED SHA DES_CBC MODP_768 86400RouterB display ike proposalpriority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds)- default PRE_SHARED SHADES_CBC MODP_768 86400可通过如下显示信息查看到IKE协商成功后生成的两个阶段的SA。RouterA display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi - 1 2.2.2.2 RD|ST 1 IPSEC 2 2.2.2.2 RD|ST 2 IPSEC flag meaning RD-READY ST-STAYALIVE RL-REPLACED FD-FADING TOTIMEOUT RK-REKEYIKE第二阶段协商生成的IPsec SA用于保护子网10.1.1.0/24与子网10.1.2.0/24之间的数据流，可通过如下显示信息查看。RouterA display ipsec sa=Interface: Ethernet1/1path MTU: 1500= - IPsec policy name: map1sequence number: 10 acl version: ACL4 mode: isakmp - PFS: N, DH group: none tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP inbound ESP SAsspi: 0x3D6D3A62(1030568546) transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 1843200/3600sa remaining duration (kilobytes/sec): 1843199/3590 anti-replay detection: Enabled anti-replay window size(counter based): 32 udp encapsulation used for nat traversal: N outbound ESP SAs spi: 0x553FAAE(89389742)transform: ESP-ENCRYPT-D