Huawei Router IPsec VPN Configuration Guide
I. Lab topology and description
Site 1 and Site 2 are a company's Chengdu and Beijing sites (the topology diagram is not reproduced here). The addressing, taken from the configurations below: R1 (Chengdu) G0/0/0 100.1.1.1/30 connects to ISP G0/0/0 100.1.1.2/30; R2 (Beijing) G0/0/0 200.1.1.1/30 connects to ISP G0/0/1 200.1.1.2/30; R1 G0/0/1 192.168.10.254/24 is the gateway of the Chengdu LAN (PC1); R2 G0/0/1 192.168.20.254/24 is the gateway of the Beijing LAN (PC2, 192.168.20.1); ISP LoopBack0 2.2.2.2/32 stands in for an Internet host.
II. Implementation steps and configuration
Overall steps
- Configure IP addresses; the ISP router's lo0 simulates the Internet
- Configure NAT and a default route toward the ISP router on the Chengdu and Beijing edge routers
- Configure IPsec VPN so that the two sites' internal networks can reach each other with the traffic encrypted. The static (manual-key) IPsec configuration itself has four steps (interesting traffic, IPsec proposal, IPsec policy, applying the policy on the interface); the IKE-negotiated variant is covered at the end.
1. Configure IP addresses; the ISP router's lo0 simulates the Internet
R1 configuration:
<huawei>system-view
[huawei]sysname R1
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 100.1.1.1 30
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.10.254 24
[R1-GigabitEthernet0/0/1]quit
ISP configuration:
<huawei>system-view
[huawei]sysname ISP
[ISP]interface GigabitEthernet0/0/0
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 30
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface GigabitEthernet0/0/1
[ISP-GigabitEthernet0/0/1]ip address 200.1.1.2 30
[ISP-GigabitEthernet0/0/1]quit
[ISP]interface LoopBack0
[ISP-LoopBack0]ip address 2.2.2.2 32
R2 configuration:
<huawei>system-view
[huawei]sysname R2
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]ip address 200.1.1.1 30
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.20.254 24
[R2-GigabitEthernet0/0/1]quit
PC1 and PC2 configuration (set in the simulator's PC properties; screenshot not reproduced): PC1 gets an address in 192.168.10.0/24 with gateway 192.168.10.254; PC2 is 192.168.20.1/24 with gateway 192.168.20.254.
2. Configure NAT and a default route toward the ISP router on the Chengdu and Beijing edge routers
R1 configuration. ACL 3001 is the NAT match list: rule 10 exempts the site-to-site traffic from translation, rule 20 translates everything else. The deny rule matters because Huawei applies nat outbound before IPsec on the same interface: without it the inter-site packets would be rewritten to source 100.1.1.1, would no longer match the IPsec ACL configured in step 3, and would leave the router in the clear.
[R1]acl 3001
[R1-acl-adv-3001]rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[R1-acl-adv-3001]rule 20 permit ip
[R1-acl-adv-3001]quit
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 3001
[R1-GigabitEthernet0/0/0]quit
[R1]ip route-static 0.0.0.0 0 100.1.1.2
R2 configuration (mirror image of R1)
[R2]acl 3001
[R2-acl-adv-3001]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[R2-acl-adv-3001]rule 20 permit ip
[R2-acl-adv-3001]quit
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]nat outbound 3001
[R2-GigabitEthernet0/0/0]quit
[R2]ip route-static 0.0.0.0 0 200.1.1.2
PC1 and PC2 can each ping 2.2.2.2: the default route and NAT outbound work.
PC1 cannot ping PC2: the inter-site traffic is exempt from NAT, so it leaves R1 with a private source and a private destination that the ISP has no route for. Only the IPsec tunnel configured next makes the remote LAN reachable.
3. Configure IPsec VPN so that the two sites' internal networks can reach each other with the traffic encrypted
Step 1: define the interesting traffic (the flows the policy will protect). Each side's ACL is the mirror of the other's, with its own LAN as source and the remote LAN as destination; ACL 3000 is referenced later by security acl.
#R1 configuration
[R1]acl 3000
[R1-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#R2 configuration
[R2]acl 3000
[R2-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
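As an added example (not part of the original page), the following Python script models how R1's egress interface treats a packet under the two ACLs: ACL 3001 from step 2 drives nat outbound and ACL 3000 drives the IPsec policy. It assumes Huawei's documented order on a shared interface (NAT outbound first, then the IPsec security ACL evaluated against the translated packet). The ACL text is a constructed copy of the rules on this page, and the variant without the deny rule is constructed to show the failure mode.

```python
import ipaddress
import re

# Constructed copy of R1's two ACLs from this page.  Huawei advanced ACL
# rules use a wildcard mask (0 bit = must match, 1 bit = don't care).
ACL_TEXT = """
acl 3001
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 20 permit ip
acl 3000
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""

# Constructed variant: the NAT ACL without the deny rule.
ACL_TEXT_NO_DENY = """
acl 3001
 rule 20 permit ip
acl 3000
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""

R1_WAN = "100.1.1.1"  # R1 G0/0/0, the address nat outbound translates to (from the page)

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<smask>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dmask>\S+))?"
)


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, (src, wildcard) or None, (dst, wildcard) or None)]}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"acl\s+(\d+)$", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            src = (m["src"], m["smask"]) if m["src"] else None
            dst = (m["dst"], m["dmask"]) if m["dst"] else None
            acls[current].append((int(m["id"]), m["action"], src, dst))
    return acls


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return a & ~w == b & ~w


def acl_action(acls, number, src, dst):
    """First match in ascending rule order; None if no rule matches.
    An omitted source/destination matches any address."""
    for _, action, s, d in sorted(acls[number], key=lambda r: r[0]):
        if s and not wildcard_match(src, *s):
            continue
        if d and not wildcard_match(dst, *d):
            continue
        return action
    return None


def egress(acls, src, dst, nat_acl=3001, ipsec_acl=3000):
    """Model of R1's G0/0/0 egress path: nat outbound runs first and rewrites
    the source of every packet its ACL permits to the interface address; the
    IPsec security ACL is then checked against the packet as translated.
    Traffic that neither ACL permits leaves unchanged and in the clear."""
    translated = acl_action(acls, nat_acl, src, dst) == "permit"
    src_on_wire = R1_WAN if translated else src
    protected = acl_action(acls, ipsec_acl, src_on_wire, dst) == "permit"
    return {"nat": translated, "ipsec": protected, "src_on_wire": src_on_wire}


if __name__ == "__main__":
    for label, text in (("page ACLs", ACL_TEXT), ("no deny rule", ACL_TEXT_NO_DENY)):
        acls = parse_acls(text)
        print(label, "site-to-site:", egress(acls, "192.168.10.1", "192.168.20.1"))
        print(label, "to Internet: ", egress(acls, "192.168.10.1", "2.2.2.2"))
```

With the page's ACLs the site-to-site flow is left untranslated and protected, while the flow to 2.2.2.2 is translated and sent in the clear; with the deny rule removed the site-to-site flow is translated first and then silently misses the IPsec ACL.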
Step 2: configure the IPsec proposal (the transform set). ESP and tunnel-mode encapsulation are the defaults on this platform, so only the algorithms need to be set.
#R1 configuration
[R1]ipsec proposal cd //IPsec proposal named cd
[R1-ipsec-proposal-cd]esp authentication-algorithm sha2-256 //integrity algorithm SHA2-256
[R1-ipsec-proposal-cd]esp encryption-algorithm aes-128 //encryption algorithm AES-128
[R1-ipsec-proposal-cd]quit
#R2 configuration
[R2]ipsec proposal cd
[R2-ipsec-proposal-cd]esp authentication-algorithm sha2-256
[R2-ipsec-proposal-cd]esp encryption-algorithm aes-128
[R2-ipsec-proposal-cd]quit
Step 3: configure the manual-key IPsec policy. Everything here is static: the SPIs and keys never change unless an administrator changes them, so manual mode is suited to labs and interoperability testing, not production (use the IKE variant at the end of this page there). The two ends must mirror each other exactly: R1's inbound SPI and key are R2's outbound SPI and key and vice versa, and tunnel local/remote are swapped.
#R1 configuration
[R1]ipsec policy chengdu 10 manual //IPsec policy chengdu, sequence 10, manual keying
[R1-ipsec-policy-manual-chengdu-10]security acl 3000 //protect the traffic matched by ACL 3000
[R1-ipsec-policy-manual-chengdu-10]proposal cd //use IPsec proposal cd
[R1-ipsec-policy-manual-chengdu-10]tunnel local 100.1.1.1 //local tunnel endpoint 100.1.1.1
[R1-ipsec-policy-manual-chengdu-10]tunnel remote 200.1.1.1 //remote tunnel endpoint 200.1.1.1
[R1-ipsec-policy-manual-chengdu-10]sa spi inbound esp 54321 //SPI of the inbound ESP SA: 54321
[R1-ipsec-policy-manual-chengdu-10]sa string-key inbound esp cipher summer //key string of the inbound SA; the device derives the authentication and encryption keys from it
[R1-ipsec-policy-manual-chengdu-10]sa spi outbound esp 12345 //SPI of the outbound ESP SA: 12345
[R1-ipsec-policy-manual-chengdu-10]sa string-key outbound esp cipher summer //key string of the outbound SA
[R1-ipsec-policy-manual-chengdu-10]quit
#R2 configuration (SPIs and keys mirrored: R2's inbound is R1's outbound)
[R2]ipsec policy beijing 10 manual
[R2-ipsec-policy-manual-beijing-10]security acl 3000
[R2-ipsec-policy-manual-beijing-10]proposal cd
[R2-ipsec-policy-manual-beijing-10]tunnel local 200.1.1.1
[R2-ipsec-policy-manual-beijing-10]tunnel remote 100.1.1.1
[R2-ipsec-policy-manual-beijing-10]sa spi inbound esp 12345
[R2-ipsec-policy-manual-beijing-10]sa string-key inbound esp cipher summer
[R2-ipsec-policy-manual-beijing-10]sa spi outbound esp 54321
[R2-ipsec-policy-manual-beijing-10]sa string-key outbound esp cipher summer
[R2-ipsec-policy-manual-beijing-10]quit
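As an added example (not part of the original page), this Python checker parses both manual policies as pasted above and verifies the mirror relationship the text requires: tunnel local/remote swapped, each side's inbound SPI and key string equal to the other side's outbound, and no SPI in the range RFC 4303 reserves. The policy text is a constructed copy of the page's configuration; the parser only recognises the commands used here.

```python
import re

# Constructed copies of the two manual policies exactly as typed on this page.
R1_POLICY = """
[R1]ipsec policy chengdu 10 manual
[R1-ipsec-policy-manual-chengdu-10]security acl 3000
[R1-ipsec-policy-manual-chengdu-10]proposal cd
[R1-ipsec-policy-manual-chengdu-10]tunnel local 100.1.1.1
[R1-ipsec-policy-manual-chengdu-10]tunnel remote 200.1.1.1
[R1-ipsec-policy-manual-chengdu-10]sa spi inbound esp 54321
[R1-ipsec-policy-manual-chengdu-10]sa string-key inbound esp cipher summer
[R1-ipsec-policy-manual-chengdu-10]sa spi outbound esp 12345
[R1-ipsec-policy-manual-chengdu-10]sa string-key outbound esp cipher summer
"""

R2_POLICY = """
[R2]ipsec policy beijing 10 manual
[R2-ipsec-policy-manual-beijing-10]security acl 3000
[R2-ipsec-policy-manual-beijing-10]proposal cd
[R2-ipsec-policy-manual-beijing-10]tunnel local 200.1.1.1
[R2-ipsec-policy-manual-beijing-10]tunnel remote 100.1.1.1
[R2-ipsec-policy-manual-beijing-10]sa spi inbound esp 12345
[R2-ipsec-policy-manual-beijing-10]sa string-key inbound esp cipher summer
[R2-ipsec-policy-manual-beijing-10]sa spi outbound esp 54321
[R2-ipsec-policy-manual-beijing-10]sa string-key outbound esp cipher summer
"""

PROMPT_RE = re.compile(r"^\[[^\]]*\]")  # strips "[R1-ipsec-policy-manual-chengdu-10]"


def parse_manual_policy(text):
    """Pull the policy name, tunnel endpoints and per-direction (protocol, SPI)
    and (protocol, key string) out of a pasted manual policy."""
    pol = {"name": None, "local": None, "remote": None, "spi": {}, "key": {}}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if m := re.match(r"ipsec policy (\S+) (\d+) manual$", line):
            pol["name"] = m[1]
        elif m := re.match(r"tunnel (local|remote) (\S+)$", line):
            pol[m[1]] = m[2]
        elif m := re.match(r"sa spi (inbound|outbound) (ah|esp) (\d+)$", line):
            pol["spi"][m[1]] = (m[2], int(m[3]))
        elif m := re.match(r"sa string-key (inbound|outbound) (ah|esp) cipher (\S+)$", line):
            pol["key"][m[1]] = (m[2], m[3])
    return pol


def check_pair(a, b):
    """Return the mismatches between the two ends of a manual tunnel;
    an empty list means the SAs will line up."""
    problems = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel local/remote addresses are not mirrored")
    # a's inbound SA is b's outbound SA and vice versa: same protocol, SPI and key.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a["spi"].get(mine) != b["spi"].get(theirs):
            problems.append(f"{a['name']} {mine} SPI {a['spi'].get(mine)} != "
                            f"{b['name']} {theirs} SPI {b['spi'].get(theirs)}")
        if a["key"].get(mine) != b["key"].get(theirs):
            problems.append(f"{a['name']} {mine} key != {b['name']} {theirs} key")
    for pol in (a, b):
        for direction, (_, spi) in pol["spi"].items():
            if spi < 256:  # RFC 4303 section 2.1: SPI values 0-255 are reserved
                problems.append(f"{pol['name']} {direction} SPI {spi} is in the reserved range 0-255")
    return problems


if __name__ == "__main__":
    r1, r2 = parse_manual_policy(R1_POLICY), parse_manual_policy(R2_POLICY)
    print("page configuration:", check_pair(r1, r2) or "consistent")
    # Typical mistake: copying R1's inbound SPI into R2's inbound SPI.
    wrong = parse_manual_policy(R2_POLICY.replace("sa spi inbound esp 12345",
                                                  "sa spi inbound esp 54321"))
    print("swapped SPI:", check_pair(r1, wrong))
```

Run it before applying the policies; a mismatched SPI or key produces no error on the CLI, only silently dropped packets on the receiving side.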
Step 4: apply the IPsec policy on the interface. In the display output that follows, E:AES-128 A:SHA2_256_128 means ESP with AES-128 encryption and HMAC-SHA-256 integrity with a 128-bit truncated ICV.
#R1 configuration
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy chengdu //apply the IPsec policy on the interface (it goes on the WAN-facing egress interface whose address is the tunnel local address)
[R1-GigabitEthernet0/0/0]quit
[R1]dis ipsec sa brief //with manual keying the SAs exist as soon as the policy is applied; nothing is negotiated
Number of SAs:2
Src address      Dst address      SPI         VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
200.1.1.1        100.1.1.1        54321       0    ESP       E:AES-128 A:SHA2_256_128
100.1.1.1        200.1.1.1        12345       0    ESP       E:AES-128 A:SHA2_256_128
#R2 configuration
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy beijing
[R2-GigabitEthernet0/0/0]quit
[R2]dis ipsec sa brief
Number of SAs:2
Src address      Dst address      SPI         VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
200.1.1.1        100.1.1.1        54321       0    ESP       E:AES-128 A:SHA2_256_128
100.1.1.1        200.1.1.1        12345       0    ESP       E:AES-128 A:SHA2_256_128
Test
PC1 can now ping PC2, and still reaches 2.2.2.2 through NAT:
PC1>ping 192.168.20.1
Ping 192.168.20.1: 32 data bytes, Press Ctrl_C to break
From 192.168.20.1: bytes=32 seq=1 ttl=127 time=16 ms
From 192.168.20.1: bytes=32 seq=2 ttl=127 time=31 ms
From 192.168.20.1: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.20.1: bytes=32 seq=4 ttl=127 time=31 ms
From 192.168.20.1: bytes=32 seq=5 ttl=127 time=31 ms
--- 192.168.20.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/28/32 ms
PC1>ping 2.2.2.2
Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=2 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=3 ttl=254 time=15 ms
From 2.2.2.2: bytes=32 seq=4 ttl=254 time=16 ms
From 2.2.2.2: bytes=32 seq=5 ttl=254 time=16 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/15/16 ms
A capture on R1's interface G0/0/0 (screenshot not reproduced) shows the site-to-site traffic encapsulated in ESP: the outer IP header carries 100.1.1.1 -> 200.1.1.1 with IP protocol 50 (ESP) and SPI 12345 (0x3039), and the inner IP header and ICMP payload are encrypted and not visible. The ping to 2.2.2.2, by contrast, is still plain ICMP from 100.1.1.1. The experiment succeeds.
The above builds the IPsec tunnel with manual (static) keying.
IKE-negotiated IPsec VPN tunnel
The overall steps are as follows. Compared with the static configuration there are two extra steps (the IKE proposal and the IKE peer); the rest is the same, except that the policy is created in isakmp mode and no SPIs or keys are typed by hand: IKE authenticates the peer with the pre-shared key, runs a Diffie-Hellman exchange to derive fresh SA keys, and rekeys when the SA lifetime expires.
To keep things simple, the existing configuration is modified in place.
R1: delete the old policy and configure the new one
[R1]undo ipsec policy chengdu
Info:All IPSec configurations with this policy are deleted.
#Step 1: configure the IKE proposal (the page uses sha1 for IKE integrity; it is being phased out, so on real deployments prefer sha2-256, which this platform already accepts for the IPsec proposal)
[R1]ike proposal 10
[R1-ike-proposal-10]authentication-algorithm sha1
[R1-ike-proposal-10]encryption-algorithm aes-cbc-128
[R1-ike-proposal-10]dh group14
#Step 2: configure the IKE peer
[R1]ike peer bj v1
[R1-ike-peer-bj]pre-shared-key cipher summer
[R1-ike-peer-bj]ike-proposal 10
[R1-ike-peer-bj]local-address 100.1.1.1
[R1-ike-peer-bj]remote-address 200.1.1.1
[R1-ike-peer-bj]quit
#Step 3: configure the IPsec proposal (unchanged from the static setup; the undo above removed only the policy, so re-entering it is harmless)
[R1]ipsec proposal cd
[R1-ipsec-proposal-cd]esp authentication-algorithm sha2-256
[R1-ipsec-proposal-cd]esp encryption-algorithm aes-128
[R1-ipsec-proposal-cd]quit
#Step 4: configure the IPsec policy (isakmp mode: SPIs and keys come from IKE negotiation)
[R1]ipsec policy chengdu 10 isakmp
[R1-ipsec-policy-isakmp-chengdu-10]security acl 3000
[R1-ipsec-policy-isakmp-chengdu-10]ike-peer bj
[R1-ipsec-policy-isakmp-chengdu-10]proposal cd
[R1-ipsec-policy-isakmp-chengdu-10]quit
#Step 5: apply the policy on the interface
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy chengdu
[R1-GigabitEthernet0/0/0]quit
#Step 6: check the IPsec SAs; the SPIs are now negotiated. Unlike manual mode, these SAs appear only after the peer is configured and interesting traffic (for example PC1 pinging PC2) has triggered the negotiation; display ike sa shows the IKE SA itself.
[R1]dis ipsec sa brief
Number of SAs:2
Src address      Dst address      SPI         VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
200.1.1.1        100.1.1.1        844603885   0    ESP       E:AES-128 A:SHA2_256_128
100.1.1.1        200.1.1.1        2851191353  0    ESP       E:AES-128 A:SHA2_256_128
R2: delete the old policy and configure the new one
[R2]undo ipsec policy beijing //delete IPsec policy beijing
Info:All IPSec configurations with this policy are deleted.
#Step 1: configure the IKE proposal
[R2]ike proposal 10 //IKE proposal number 10
[R2-ike-proposal-10]authentication-algorithm sha1 //integrity algorithm SHA-1 (must match R1; prefer sha2-256 in production)
[R2-ike-proposal-10]encryption-algorithm aes-cbc-128 //encryption algorithm aes-cbc-128 (AES in CBC mode with a 128-bit key)
[R2-ike-proposal-10]dh group14 //Diffie-Hellman group 14 (2048-bit MODP group)
#Step 2: configure the IKE peer
[R2]ike peer bj v1 //IKE peer named bj, negotiated with IKEv1 (the name is only a local label; on R2 it describes the Chengdu peer)
[R2-ike-peer-bj]pre-shared-key cipher summer //pre-shared key summer (must match R1; a lab value, use a long random secret in production)
[R2-ike-peer-bj]ike-proposal 10 //use IKE proposal 10
[R2-ike-peer-bj]local-address 200.1.1.1 //local address 200.1.1.1
[R2-ike-peer-bj]remote-address 100.1.1.1 //remote address 100.1.1.1
[R2-ike-peer-bj]quit
#Step 3: configure the IPsec proposal
[R2]ipsec proposal cd //IPsec proposal named cd
[R2-ipsec-proposal-cd]esp authentication-algorithm sha2-256 //integrity algorithm SHA2-256
[R2-ipsec-proposal-cd]esp encryption-algorithm aes-128 //encryption algorithm AES-128
[R2-ipsec-proposal-cd]quit
#Step 4: configure the IPsec policy
[R2]ipsec policy beijing 10 isakmp //IPsec policy beijing, sequence 10; isakmp means the SAs are negotiated by IKE
[R2-ipsec-policy-isakmp-beijing-10]security acl 3000 //protect the traffic matched by ACL 3000
[R2-ipsec-policy-isakmp-beijing-10]ike-peer bj //use IKE peer bj
[R2-ipsec-policy-isakmp-beijing-10]proposal cd //use IPsec proposal cd
[R2-ipsec-policy-isakmp-beijing-10]quit
#Step 5: apply the policy on the interface
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipsec policy beijing //apply IPsec policy beijing
[R2-GigabitEthernet0/0/0]quit
#Step 6: check the IPsec SAs; the SPIs were negotiated automatically and match those shown on R1
[R2]dis ipsec sa brief
Number of SAs:2
Src address      Dst address      SPI         VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
200.1.1.1        100.1.1.1        844603885   0    ESP       E:AES-128 A:SHA2_256_128
100.1.1.1        200.1.1.1        2851191353  0    ESP       E:AES-128 A:SHA2_256_128
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.