一、组网需求
1、如图所示,RouterA为企业分支网关,RouterB为企业总部网关,分支与总部通过公网建立通信。分支子网为10.1.1.0/24,总部子网为10.1.2.0/24。
企业希望对分支子网与总部子网之间相互访问的流量进行安全保护。分支与总部通过公网建立通信,可以在分支网关与总部网关之间建立一个IPSec隧道来实施安全保护。由于维护网关较少,可以考虑采用手工方式建立IPSec隧道。
2、网络拓扑
3、采用如下思路配置采用手工方式建立IPSec隧道:
配置接口的IP地址和到对端的静态路由,保证两端路由可达。
配置ACL,以定义需要IPSec保护的数据流。
配置IPSec安全提议,定义IPSec的保护方法。
配置安全策略,并引用ACL和IPSec安全提议,确定对何种数据流采取何种保护方法。
在接口上应用安全策略组,使接口具有IPSec的保护功能。
二、操作步骤
1、配置接口IP地址
- <Huawei>system-view
- [Huawei]sysname RouterA
- [RouterA]interface GigabitEthernet 0/0/2
- [RouterA-GigabitEthernet0/0/2]ip address 10.1.1.1 24
- [RouterA-GigabitEthernet0/0/2]q
- [RouterA]interface GigabitEthernet 0/0/1
- [RouterA-GigabitEthernet0/0/1]ip address 202.138.163.1 24
- [RouterA-GigabitEthernet0/0/1]q
- <Huawei>system-view
- [Huawei]sysname RouterB
- [RouterB]interface GigabitEthernet 0/0/1
- [RouterB-GigabitEthernet0/0/1]ip address 202.138.162.1 24
- [RouterB-GigabitEthernet0/0/1]q
- [RouterB]interface GigabitEthernet 0/0/2
- [RouterB-GigabitEthernet0/0/2]ip address 10.1.2.1 24
- [RouterB-GigabitEthernet0/0/2]q
- <Huawei>system-view
- [Huawei]sysname Internet
- [Internet]interface GigabitEthernet 0/0/1
- [Internet-GigabitEthernet0/0/1]ip address 202.138.163.2 24
- [Internet-GigabitEthernet0/0/1]q
- [Internet]interface GigabitEthernet 0/0/0
- [Internet-GigabitEthernet0/0/0]ip address 202.138.162.2 24
- [Internet-GigabitEthernet0/0/0]q
2、配置静态路由
- [RouterA]ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
- [RouterA]ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
- [RouterB]ip route-static 202.138.163.0 255.255.255.0 202.138.162.2
- [RouterB]ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
- [Internet]ip route-static 10.1.2.0 255.255.255.0 202.138.162.1
- [Internet]ip route-static 10.1.1.0 255.255.255.0 202.138.163.1
3、在Router上配置ACL,定义各自要保护的数据流
- [RouterA]acl number 3001
- [RouterA-acl-adv-3001]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
- [RouterA-acl-adv-3001]q
- [RouterB]acl number 3001
- [RouterB-acl-adv-3001]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
- [RouterB-acl-adv-3001]q
4、在Router上创建IPSec安全提议
- [RouterA]ipsec proposal tran1
- [RouterA-ipsec-proposal-tran1]esp authentication-algorithm sha1
- [RouterA-ipsec-proposal-tran1]quit
- [RouterB]ipsec proposal tran1
- [RouterB-ipsec-proposal-tan1]esp authentication-algorithm sha1
- [RouterB-ipsec-proposal-tan1]quit
查看
- [RouterA]display ipsec proposal name tran1
- IPSec proposal name: tran1
- Encapsulation mode: Tunnel
- Transform : esp-new
- ESP protocol : Authentication SHA1-HMAC-96
- Encryption DES
5、在Router上配置手工方式安全策略
- [RouterA]ipsec policy map1 10 manual
- [RouterA-ipsec-policy-manual-map1-10]security acl 3001
- [RouterA-ipsec-policy-manual-map1-10]proposal tran1
- [RouterA-ipsec-policy-manual-map1-10]tunnel remote 202.138.162.1
- [RouterA-ipsec-policy-manual-map1-10]tunnel local 202.138.163.1
- [RouterA-ipsec-policy-manual-map1-10]sa spi outbound esp 12345
- [RouterA-ipsec-policy-manual-map1-10]sa spi inbound esp 54321
- [RouterA-ipsec-policy-manual-map1-10]sa string-key outbound esp simple abc
- [RouterA-ipsec-policy-manual-map1-10]sa string-key inbound esp simple cba
- [RouterA-ipsec-policy-manual-map1-10]quit
- [RouterB]ipsec policy use1 10 manual
- [RouterB-ipsec-policy-manual-use1-10]security acl 3001
- [RouterB-ipsec-policy-manual-use1-10]proposal tran1
- [RouterB-ipsec-policy-manual-use1-10]tunnel remote 202.138.163.1
- [RouterB-ipsec-policy-manual-use1-10]tunnel local 202.138.162.1
- [RouterB-ipsec-policy-manual-use1-10]sa spi outbound esp 54321
- [RouterB-ipsec-policy-manual-use1-10]sa spi inbound esp 12345
- [RouterB-ipsec-policy-manual-use1-10]sa string-key outbound esp simple cba
- [RouterB-ipsec-policy-manual-use1-10]sa string-key inbound esp simple abc
- [RouterB-ipsec-policy-manual-use1-10]quit
查看
- [RouterA]display ipsec policy name map1
- ===========================================
- IPSec policy group: 'map1'
- Using interface:
- ===========================================
- Sequence number: 10
- Security data flow: 3001
- Tunnel local address: 202.138.163.1
- Tunnel remote address: 202.138.162.1
- Qos pre-classify: Disable
- Proposal name:tran1
- Inbound AH setting:
- AH SPI:
- AH string-key:
- AH authentication hex key:
- Inbound ESP setting:
- ESP SPI: 54321 (0xd431)
- ESP string-key: cba
- ESP encryption hex key:
- ESP authentication hex key:
- Outbound AH setting:
- AH SPI:
- AH string-key:
- AH authentication hex key:
- Outbound ESP setting:
- ESP SPI: 12345 (0x3039)
- ESP string-key: abc
- ESP encryption hex key:
- ESP authentication hex key:
6、在Router接口上引用安全策略组
- [RouterA]interface GigabitEthernet 0/0/1
- [RouterA-GigabitEthernet0/0/1]ipsec policy map1
- [RouterA-GigabitEthernet0/0/1]quit
- [RouterB]interface GigabitEthernet 0/0/1
- [RouterB-GigabitEthernet0/0/1]ipsec policy use1
- [RouterB-GigabitEthernet0/0/1]quit
7、验证结果
配置成功后,在主机PC10.1.1.2上执行ping操作仍然可以ping通主机PC 10.1.2.2,执行命令display ipsec statistics esp可以查看数据包的统计信息
- [RouterA]display ipsec sa
- ===============================
- Interface: GigabitEthernet0/0/1
- Path MTU: 1500
- ===============================
- -----------------------------
- IPSec policy name: 'map1'
- Sequence number : 10
- Acl Group : 3001
- Acl rule : 0
- Mode : Manual
- -----------------------------
- Encapsulation mode: Tunnel
- Tunnel local : 202.138.163.1
- Tunnel remote : 202.138.162.1
- Qos pre-classify : Disable
- [Outbound ESP SAs]
- SPI: 12345 (0x3039)
- Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
- No duration limit for this SA
- [Inbound ESP SAs]
- SPI: 54321 (0xd431)
- Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
- No duration limit for this SA
联系客服