华为IPsec IKE自动协商配置
要点
1、大家使用ENSP模拟器AR2220进行配置 其他的路由设备貌似配置不能通,有兴趣 的可以使用别的设备测试下,完了告诉我一声,反正我是没干通可能是版本的原因;
2、配置的时候梳理好逻辑,有自己一套逻辑最好,我比较习惯先让设备能通讯,然后在配置协议;
3、验证的时候最好抓包看一下IPsec建立的过程、以及加密ESP报文;
4、理论就不过多的赘述了,有兴趣的可以去华为官网下载安全相关的教材,上面关于IPsec理论的解释比较全面;
图
PC1地址
PC2地址
AR1配置
acl number 3001
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.0.20.0 0.0.0.255
ipsec proposal tran
esp authentication-algorithm sha1
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
ike peer spub v1
pre-shared-key simple hanshu
ike-proposal 5
remote-address 2.2.2.2
ipsec policy mp 10 isakmp
security acl 3001
ike-peer spub
proposal tran
interface GigabitEthernet0/0/0
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ipsec policy mp
ip route-static 2.2.2.0 255.255.255.0 GigabitEthernet0/0/1 1.1.1.2
ip route-static 10.0.20.0 255.255.255.0 GigabitEthernet0/0/1 1.1.1.2
AR2
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 2.2.2.1 255.255.255.0
AR3
acl number 3001
rule 5 permit ip source 10.0.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ipsec proposal tran
esp authentication-algorithm sha1
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
ike peer spua v1
pre-shared-key simple hanshu
ike-proposal 5
remote-address 1.1.1.1
ipsec policy us 10 isakmp
security acl 3001
ike-peer spua
proposal tran
interface GigabitEthernet0/0/0
ip address 2.2.2.2 255.255.255.0
ipsec policy us
interface GigabitEthernet0/0/1
ip address 10.0.20.254 255.255.255.0
ip route-static 1.1.1.0 255.255.255.0 GigabitEthernet0/0/0 2.2.2.1
ip route-static 192.168.10.0 255.255.255.0 GigabitEthernet0/0/0 2.2.2.1
验证
AR1 dis ike sa
AR2
在公网上随意找个端口进行抓包,查看IKE 建立过程的报文
PC1 ping PC2 抓包查看ESP加密数据流
可以看到protocol 不是ICMP而是ESP ,说明数据已经被加密。
定位合肥 ,有工作或者兼职请联系我
联系方式QQ : 481715271