IPsec in an enterprise network (VPN)

Posted by 科技小能手 on 2017-11-12

I. Basic principles and related background

[figures not reproduced: slides on IPsec fundamentals]

Related knowledge:

[figures not reproduced]

II. Case study (dynamic negotiation with IKE)

1. Task requirements:

Provide communication across the Internet between the head office and its branch offices, using IPsec VPN tunnels established between the head office and each branch.

2. Topology:

[topology diagram not reproduced]

IP address assignment:

R7  Loopback 1    192.168.1.1/24
    Ethernet 1    200.100.1.1/24

S1  Ethernet 0/1  200.100.1.2/24  (the switch in the middle)
    Ethernet 0/2  200.100.2.1/24
    Ethernet 0/3  200.100.3.1/24

F1  Ethernet 0/1  200.100.2.2/24
    Ethernet 0/2  192.168.2.1/24

F2  Ethernet 0/1  200.100.3.2/24
    Ethernet 0/2  192.168.3.1/24

3. Devices:

Router: H3C Quidway R2621

Switch: H3C Quidway S3526E

Firewall: H3C SecPath F100-C

4. Configuration:

Router configuration:

  • Configure IP addresses

[Router]sysname r7

[r7]int loopback 1

[r7-LoopBack1]ip add 192.168.1.1 255.255.255.0

[r7-LoopBack1]int e1

[r7-Ethernet1]ip add 200.100.1.1 255.255.255.0

  • Configure the default route:

[r7]ip route 0.0.0.0 0.0.0.0 200.100.1.2

  • Configure the access control lists (one per branch; each selects only the traffic to be protected):

[r7]acl 3000

[r7-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[r7-acl-3000]rule deny ip source any dest any

[r7]acl 3001

[r7-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[r7-acl-3001]rule deny ip source any dest any

  • Configure the security proposal:

[r7]ipsec proposal gjp1   // the name is arbitrary

[r7-ipsec-proposal-gjp1]encapsulation tunnel

[r7-ipsec-proposal-gjp1]transform esp-new

[r7-ipsec-proposal-gjp1]esp encryp des

[r7-ipsec-proposal-gjp1]esp auth md5

[r7-ipsec-proposal-gjp1]dis ipsec propo  // display the configured proposal

proposal set name: gjp1

proposal set mode: tunnel

transform: esp-new

ESP protocol: authentication md5-hmac-96, encryption-algorithm des

[r7]ipsec policy py1 10 isakmp  // dynamic (IKE) negotiation

[r7-ipsec-policy-py1-10]security acl 3000

[r7-ipsec-policy-py1-10]proposal gjp1  // the security protocol is ESP

[r7-ipsec-policy-py1-10]tunnel remote 200.100.2.2  // IP address of the remote end of the tunnel

[r7-ipsec-policy-py1-10]ike pre-shared-key abc remote 200.100.2.2

[r7-ipsec-policy-py1-10]quit

[r7]int e1

[r7-Ethernet1]ipsec policy py1

[r7]dis ipsec policy all

ipsec policy name: py1

ipsec policy sequence: 10

negotiation mode: isakmp

security acl: 3000

remote address 0: 200.100.2.2

Proposal name: gjp1

ipsec sa duration: 3600 seconds

ipsec sa duration: 1843200 kilobytes

OutBound SA has NOT been established.

InBound SA has NOT been established.

[r7]ipsec policy py1 11 isakmp

[r7-ipsec-policy-py1-11]sec acl 3001

[r7-ipsec-policy-py1-11]proposal gjp1

[r7-ipsec-policy-py1-11]tunnel remote 200.100.3.2

[r7]ike pre-shared-key abc remote 200.100.3.2  // the key must be identical on both sides

Switch configuration:

<Quidway>sys

[Quidway]vlan 10   // create the VLAN

[Quidway-vlan10]port e0/1   // add the port

[Quidway-vlan10]vlan 20

[Quidway-vlan20]port e0/2

[Quidway-vlan20]vlan 30

[Quidway-vlan30]port e0/3

[Quidway-vlan30]quit

[Quidway]int vlan 10   // enter the VLAN interface

[Quidway-Vlan-interface10]ip add 200.100.1.2 255.255.255.0  // configure the IP address

[Quidway-Vlan-interface10]int vlan 20

[Quidway-Vlan-interface20]ip add 200.100.2.1 255.255.255.0

[Quidway-Vlan-interface20]int vlan 30

[Quidway-Vlan-interface30]ip add 200.100.3.1 255.255.255.0

 

Firewall 1 (F1) configuration:

  • Configure IP addresses:

[H3C]int eth0/1

[H3C-Ethernet0/1]ip add 200.100.2.2 255.255.255.0

[H3C-Ethernet0/1]int et0/2

[H3C-Ethernet0/2]ip add 192.168.2.1 255.255.255.0

  • Add the interfaces to security zones:

[H3C]firewall zone untrust

[H3C-zone-untrust]add interface eth0/1

[H3C-zone-untrust]quit

[H3C]firewall zone trust

[H3C-zone-trust]add interface eth0/2

  • ACL (the mirror image of ACL 3000 on R7):

[H3C]acl number 3000

[H3C-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[H3C-acl-adv-3000]rule deny ip source any dest any

[H3C-acl-adv-3000]QUIT

  • Default route:

[H3C]ip route-static 0.0.0.0 0.0.0.0 200.100.2.1

Create a security proposal named gjp2:

[H3C]ipsec proposal gjp2

[H3C-ipsec-proposal-gjp2]encapsulation-mode tunnel  // packets are encapsulated in tunnel mode

[H3C-ipsec-proposal-gjp2]transform esp  // the security protocol is ESP

[H3C-ipsec-proposal-gjp2]esp encryption-algorithm des  // choose the encryption algorithm

[H3C-ipsec-proposal-gjp2]esp authentication-algorithm md5  // choose the authentication algorithm

  • Configure the IKE peer

[H3C]ike peer r1  // the name is arbitrary

[H3C-ike-peer-r1]pre-shared-key abc  // must be identical on both sides

[H3C-ike-peer-r1]remote-address 200.100.1.1  // IP address of the remote end of the tunnel

  • Create a security policy whose negotiation mode is isakmp

[H3C]ipsec policy py2 10 isakmp

[H3C-ipsec-policy-isakmp-py2-10]security acl 3000  // reference the access control list

[H3C-ipsec-policy-isakmp-py2-10]proposal gjp2  // reference the security proposal

[H3C-ipsec-policy-isakmp-py2-10]ike-peer r1  // reference the IKE peer

[H3C]int et0/1

[H3C-Ethernet0/1]ipsec policy py2  // apply the security policy to the outside interface

Test: from a PC on the branch LAN (the first request times out while IKE negotiates the SAs on demand):

C:\Users\Administrator>ping 192.168.1.1  // IP address at the head office

正在 Ping 192.168.1.1 具有 32 位元組的資料:

請求超時。

來自 192.168.1.1 的回覆: 位元組=32 時間=8ms TTL=254

來自 192.168.1.1 的回覆: 位元組=32 時間=8ms TTL=254

Firewall 2 (F2) configuration:

[H3C]int eth0/1

[H3C-Ethernet0/1]ip add 200.100.3.2 24

[H3C-Ethernet0/1]int eth0/2

[H3C-Ethernet0/2]ip add 192.168.3.1 24

[H3C-Ethernet0/2]qu

[H3C]firewall zone trust

[H3C-zone-trust]add interface eth0/2

[H3C-zone-trust]qu

[H3C]firewall zone untrust

[H3C-zone-untrust]add interface eth0/1

[H3C-zone-untrust]qu

[H3C]acl number 3000

[H3C-acl-adv-3000]rule permit ip source 192.168.3.0 0.0.0.255 dest 192.168.1.0 0.0.0.255

[H3C-acl-adv-3000]rule deny ip source any dest any

[H3C-acl-adv-3000]qu

[H3C]ip route-static 0.0.0.0 0.0.0.0 200.100.3.1

(For the rest, refer to the configuration of the first firewall.)

Test: from a PC on the branch LAN:
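The router and the two firewalls above only bring up their tunnels when every setting is consistent between the two ends: the tunnel endpoints must point at each other, the pre-shared key and the proposal must match, and the security ACL on one side must be the mirror image of the ACL on the other. The following script is an added example (not code from the original post, nor anything from H3C): it transcribes the page's addresses, ACLs, proposals and keys as plain data and audits each hub/spoke pair for those mismatches, and it also flags DES and MD5, which still negotiate but are no longer considered adequate. The device labels, function names and `PolicyEntry` structure are this example's own.

```python
"""Configuration-consistency audit for the hub-and-spoke IKE/IPsec lab above.

Added example, not code from the original post or from H3C. It encodes the
addresses, security ACLs, proposals and pre-shared keys from the walkthrough
as data and checks what most often breaks IKE negotiation (endpoints that do
not point at each other, differing pre-shared keys, differing proposals,
un-mirrored security ACLs).  It also flags weak algorithms (DES, MD5).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network

# Algorithms that still negotiate fine but offer inadequate protection today.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5"}


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn a Comware 'address wildcard' pair (e.g. 192.168.1.0 0.0.0.255)
    into an IPv4Network.  Only contiguous wildcards are handled, which is
    all the ACLs on this page use."""
    ones = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{32 - ones}", strict=False)


@dataclass(frozen=True)
class AclRule:
    src: IPv4Network
    dst: IPv4Network


@dataclass
class PolicyEntry:
    """One 'ipsec policy <name> <seq> isakmp' entry on one device (hypothetical model)."""
    device: str
    local_addr: str          # address of the interface the policy is applied to
    remote_addr: str         # 'tunnel remote' / ike peer 'remote-address'
    psk: str                 # IKE pre-shared key
    encryption: str
    auth: str
    mode: str                # encapsulation mode
    rules: list[AclRule] = field(default_factory=list)  # permit rules of the security ACL


def rule(src: str, src_wc: str, dst: str, dst_wc: str) -> AclRule:
    return AclRule(wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))


def audit_pair(a: PolicyEntry, b: PolicyEntry) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors stop the tunnel from coming up,
    warnings are weak-algorithm findings that do not affect negotiation."""
    errors, warnings = [], []
    pair = f"{a.device}<->{b.device}"
    if a.remote_addr != b.local_addr or b.remote_addr != a.local_addr:
        errors.append(f"{pair}: tunnel endpoints do not reference each other")
    if a.psk != b.psk:
        errors.append(f"{pair}: pre-shared keys differ (IKE phase 1 fails)")
    if (a.encryption, a.auth, a.mode) != (b.encryption, b.auth, b.mode):
        errors.append(f"{pair}: IPsec proposals differ (IKE phase 2 fails)")
    # Each permit rule must be mirrored (src/dst swapped) on the other side,
    # otherwise the traffic selectors offered in phase 2 will not match.
    for x, y in ((a, b), (b, a)):
        for r in x.rules:
            if not any(r.src == s.dst and r.dst == s.src for s in y.rules):
                errors.append(f"{x.device}: rule {r.src}->{r.dst} has no mirror on {y.device}")
    for p in (a, b):
        if p.encryption in WEAK_ENCRYPTION:
            warnings.append(f"{p.device}: weak encryption algorithm {p.encryption}")
        if p.auth in WEAK_AUTH:
            warnings.append(f"{p.device}: weak authentication algorithm {p.auth}")
    return errors, warnings


def lab_entries() -> dict[str, PolicyEntry]:
    """The configuration from the page, transcribed as data (constructed input)."""
    return {
        "r7-py1-10": PolicyEntry("R7", "200.100.1.1", "200.100.2.2", "abc", "des", "md5", "tunnel",
                                 [rule("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]),
        "r7-py1-11": PolicyEntry("R7", "200.100.1.1", "200.100.3.2", "abc", "des", "md5", "tunnel",
                                 [rule("192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")]),
        "f1-py2-10": PolicyEntry("F1", "200.100.2.2", "200.100.1.1", "abc", "des", "md5", "tunnel",
                                 [rule("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]),
        "f2-py2-10": PolicyEntry("F2", "200.100.3.2", "200.100.1.1", "abc", "des", "md5", "tunnel",
                                 [rule("192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]),
    }


def audit_lab() -> dict[str, tuple[list[str], list[str]]]:
    """Audit both hub/spoke pairs of the lab: R7<->F1 and R7<->F2."""
    e = lab_entries()
    return {"R7-F1": audit_pair(e["r7-py1-10"], e["f1-py2-10"]),
            "R7-F2": audit_pair(e["r7-py1-11"], e["f2-py2-10"])}


if __name__ == "__main__":
    for name, (errors, warnings) in audit_lab().items():
        print(name, "errors:", errors or "none")
        print(name, "warnings:", warnings or "none")
```

Run as-is, both pairs report no negotiation errors but four weak-algorithm warnings each (DES and MD5 on both ends), which is exactly what an auditor would want surfaced before this design goes into production. Pairing R7's policy entry 10 with F2 instead of F1 reproduces the classic symptom of a copy-and-paste mistake: the endpoint check and both un-mirrored ACL rules are reported, while the PSK and proposal checks stay quiet.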


C:\Users\Administrator>ping 192.168.1.1

正在 Ping 192.168.1.1 具有 32 位元組的資料:

請求超時。

來自 192.168.1.1 的回覆: 位元組=32 時間=9ms TTL=254

來自 192.168.1.1 的回覆: 位元組=32 時間=7ms TTL=254

來自 192.168.1.1 的回覆: 位元組=32 時間=9ms TTL=254

This article is reproduced from gjp0731's 51CTO blog; original link: http://blog.51cto.com/guojiping/959583
