H3C IPsec configuration example

Configuration steps:

I. Enable communication between R1 and R3 (across the public network)

[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

II. IPsec configuration

R1 configuration:

1. Define the interesting traffic (the data flow to be protected)

[R1]acl num 3000

[R1-acl-adv-3000]rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0

2. Configure the IKE proposal

[R1]ike proposal 10 // create an IKE proposal and enter IKE proposal view

[R1-ike-proposal-10]encryption-algorithm 3des-cbc // encryption algorithm used by the IKE proposal

[R1-ike-proposal-10]authentication-method pre-share // authentication method used by the IKE proposal (pre-shared key)

[R1-ike-proposal-10]authentication-algorithm md5 // authentication (hash) algorithm used by the IKE proposal

[R1-ike-proposal-10]dh group2 // DH group used by the IKE proposal

[R1-ike-proposal-10]sa duration 86400 // ISAKMP SA lifetime (seconds)

[R1-ike-proposal-10]

3. Configure the IKE peer and pre-shared key

[R1]ike peer R3 // create an IKE peer and enter IKE peer view

[R1-ike-peer-r3]exchange-mode main // negotiation mode for this IKE peer (main mode)

[R1-ike-peer-r3]pre-shared-key h3c // pre-shared key for this IKE peer

[R1-ike-peer-r3]local-address 12.1.1.1 // local security gateway address

[R1-ike-peer-r3]remote-address 23.1.1.3 // remote security gateway address

[R1-ike-peer-r3]remote-name R3 // remote security gateway name

[R1]ike local-name R1 // local security gateway name

[R1]

4. Configure the IPsec proposal

[R1]ipsec proposal r1 // create an IPsec proposal

[R1-ipsec-proposal-r1]transform esp // security protocol (ESP)

[R1-ipsec-proposal-r1]esp encryption-algorithm 3des // encryption algorithm used by ESP

[R1-ipsec-proposal-r1]esp authentication-algorithm md5 // authentication algorithm used by ESP

[R1-ipsec-proposal-r1]encapsulation-mode tunnel // ESP encapsulation mode (tunnel)

[R1-ipsec-proposal-r1]

5. Configure the IKE-negotiated IPsec policy

[R1]ipsec policy 1 10 isakmp // create an IPsec policy entry (group 1, sequence 10, negotiated by IKE)

[R1-ipsec-policy-isakmp-1-10]security acl 3000 // ACL referenced by the policy (the interesting traffic)

[R1-ipsec-policy-isakmp-1-10]proposal r1 // IPsec proposal referenced by the policy

[R1-ipsec-policy-isakmp-1-10]ike-peer r3 // IKE peer referenced by the policy

[R1-ipsec-policy-isakmp-1-10]pfs dh-group5 // DH group used for perfect forward secrecy

[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400 // IPsec SA lifetime (seconds)

[R1-ipsec-policy-isakmp-1-10]q

6. Apply the IPsec policy to the interface

[R1]int s0/2/0

[R1-Serial0/2/0]ipsec policy 1 // apply IPsec policy group 1 to the interface

[R1]

R3 configuration:

[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

[R3]acl number 3000

[R3-acl-adv-3000]rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0

[R3-acl-adv-3000]q

[R3]ike proposal 10

[R3-ike-proposal-10]encryption-algorithm 3des-cbc

[R3-ike-proposal-10]authentication-method pre-share

[R3-ike-proposal-10]authentication-algorithm md5

[R3-ike-proposal-10]dh group2

[R3-ike-proposal-10]sa duration 86400

[R3-ike-proposal-10]q

[R3]ike peer R1

[R3-ike-peer-r1]exchange-mode main

[R3-ike-peer-r1]pre-shared-key h3c

[R3-ike-peer-r1]local-address 23.1.1.3

[R3-ike-peer-r1]remote-address 12.1.1.1

[R3-ike-peer-r1]remote-name R1

[R3-ike-peer-r1]q

[R3]ipsec proposal r3

[R3-ipsec-proposal-r3]transform esp

[R3-ipsec-proposal-r3]esp encryption-algorithm 3des

[R3-ipsec-proposal-r3]esp authentication-algorithm md5

[R3-ipsec-proposal-r3]encapsulation-mode tunnel

[R3-ipsec-proposal-r3]q

[R3]ipsec policy 1 10 isakmp

[R3-ipsec-policy-isakmp-1-10]security acl 3000

[R3-ipsec-policy-isakmp-1-10]proposal r3

[R3-ipsec-policy-isakmp-1-10]ike-peer R1

[R3-ipsec-policy-isakmp-1-10]sa duration time-based 86400

[R3-ipsec-policy-isakmp-1-10]q

[R3]int s0/2/0

[R3-Serial0/2/0]ipsec policy 1

[R3-Serial0/2/0]q
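As an added cross-check (example code written for this page, not part of the lab or any H3C tool), the script below reduces the essential R1 and R3 lines to key/value pairs, verifies the settings that must mirror each other (ACL 3000, gateway addresses, pre-shared key, IKE and ESP algorithms) and flags the legacy choices (3DES, MD5, DH group 2, a three-character key) that are acceptable in a lab but not for a production tunnel. The 16-character key threshold and the legacy-algorithm set are assumptions of the example.

```python
import re

# Constructed input: the relevant R1 and R3 command lines from the lab above, prompts stripped.
R1_CFG = """rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
encryption-algorithm 3des-cbc
authentication-algorithm md5
dh group2
pre-shared-key h3c
local-address 12.1.1.1
remote-address 23.1.1.3
esp encryption-algorithm 3des
esp authentication-algorithm md5"""
R3_CFG = """rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
encryption-algorithm 3des-cbc
authentication-algorithm md5
dh group2
pre-shared-key h3c
local-address 23.1.1.3
remote-address 12.1.1.1
esp encryption-algorithm 3des
esp authentication-algorithm md5"""

ALGO_KEYS = ("encryption-algorithm", "authentication-algorithm", "dh",
             "esp encryption-algorithm", "esp authentication-algorithm")
KEYS = ALGO_KEYS + ("pre-shared-key", "local-address", "remote-address")
LEGACY = {"3des-cbc", "3des", "md5", "group2"}  # assumption: fine for a lab, not for production

def parse(cfg):
    """Reduce a config snippet to {keyword: value} plus the ACL's src/dst hosts."""
    d = dict(re.findall(r"(?m)^(%s) (.+)$" % "|".join(KEYS), cfg))
    d["src"], d["dst"] = re.search(r"source (\S+) \S+ destination (\S+)", cfg).groups()
    return d

def audit(a, b):
    """Compare peer a against peer b; return a list of findings (empty means clean)."""
    findings = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("ACL 3000 is not mirrored between the peers")
    if (a["local-address"], a["remote-address"]) != (b["remote-address"], b["local-address"]):
        findings.append("gateway addresses do not cross-match")
    if a["pre-shared-key"] != b["pre-shared-key"]:
        findings.append("pre-shared keys differ")
    elif len(a["pre-shared-key"]) < 16:
        findings.append("pre-shared key is shorter than 16 characters")
    for key in ALGO_KEYS:  # IKE and ESP algorithms must match, and should not be legacy
        if a.get(key) != b.get(key):
            findings.append(f"{key} mismatch: {a.get(key)} vs {b.get(key)}")
        elif a.get(key) in LEGACY:
            findings.append(f"{key} {a[key]} is a legacy algorithm")
    return findings
```

Run `audit(parse(R1_CFG), parse(R3_CFG))`: the lab configuration passes every consistency check and produces only the short-key and legacy-algorithm findings.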

III. Test the results

[R1]ping -a 192.168.1.1 192.168.2.1

PING 192.168.2.1: 56 data bytes, press CTRL_C to break

Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms

Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=20 ms

Request time out

Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms

Request time out

--- 192.168.2.1 ping statistics ---

5 packet(s) transmitted

3 packet(s) received

40.00% packet loss

round-trip min/avg/max = 5/17/26 ms

[R1]

The two internal networks can now communicate normally. Lab complete.

Verification commands:

1. Display the IKE peer configuration parameters

[R1]dis ike peer

---------------------------

IKE Peer: r3

exchange mode: main on phase 1

pre-shared-key cipher nw1kqzgZJnA=

peer id type: ip

peer ip address: 23.1.1.3

local ip address: 12.1.1.1

peer name: R3

nat traversal: disable

dpd:

---------------------------

[R1]

2. Display the current ISAKMP SA information

[R1]dis ike sa

total phase-1 SAs: 1

connection-id  peer      flag   phase  doi
----------------------------------------------------------
3              23.1.1.3  RD|ST  2      IPSEC
2              23.1.1.3  RD|ST  1      IPSEC

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

[R1]

3. Display the configuration parameters of each IKE proposal

[R1]dis ike proposal

priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
10        PRE_SHARED      MD5             3DES_CBC    MODP_1024       86400
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

[R1]

4. Display the IPsec policy information

[R1]dis ipsec policy

===========================================

IPsec Policy Group: "1"

Using interface: {Serial0/2/0}

===========================================

-----------------------------

IPsec policy name: "1"

sequence number: 10

mode: isakmp

-----------------------------

security data flow : 3000

selector mode: standard

ike-peer name: r3

perfect forward secrecy: DH group 5

proposal name: r1

IPsec sa local duration(time based): 86400 seconds

IPsec sa local duration(traffic based): 1843200 kilobytes

[R1]

5. Display the IPsec proposal information

[R1]dis ipsec proposal

IPsec proposal name: r1

encapsulation mode: tunnel

transform: esp-new

ESP protocol: authentication md5-hmac-96, encryption 3des

[R1]

6. Display the IPsec SA information

[R1]dis ipsec sa

===============================

Interface: Serial0/2/0

path MTU: 1500

===============================

-----------------------------

IPsec policy name: "1"

sequence number: 10

mode: isakmp

-----------------------------

connection id: 3

encapsulation mode: tunnel

perfect forward secrecy: DH group 5

tunnel:

local address: 12.1.1.1

remote address: 23.1.1.3

Flow :

sour addr: 192.168.1.1/255.255.255.255 port: 0 protocol: IP

dest addr: 192.168.2.1/255.255.255.255 port: 0 protocol: IP

[inbound ESP SAs]

spi: 2476921505 (0x93a2d2a1)

proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887435624/84789

max received sequence-number: 14

udp encapsulation used for nat traversal: N

[outbound ESP SAs]

spi: 1974141924 (0x75ab03e4)

proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887435624/84789

max sent sequence-number: 15

udp encapsulation used for nat traversal: N

[R1]

7. Display the IPsec packet processing statistics

[R1]dis ipsec statistics

the security packet statistics:

input/output security packets: 14/14

input/output security bytes: 1176/1176

input/output dropped security packets: 0/1

dropped security packet detail:

not enough memory: 0

can't find SA: 1

queue is full: 0

authentication has failed: 0

wrong length: 0

replay packet: 0

packet too long: 0

wrong SA: 0

[R1]
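As an added example (written for this page, not part of the original lab) of turning these display outputs into an automated health check: the script parses the `display ike sa` table and the `display ipsec statistics` drop counters, confirms a READY phase-1 and phase-2 SA with the peer, and alerts on counters that indicate tampering, a peer mismatch or replay. The list of alerting reasons and the "can't find SA" threshold are assumptions of the example.

```python
import re

# Constructed input: the "display ike sa" table and the "display ipsec statistics"
# counters shown above, copied as plain text.
IKE_SA = """total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
3 23.1.1.3 RD|ST 2 IPSEC
2 23.1.1.3 RD|ST 1 IPSEC"""
IPSEC_STATS = """input/output security packets: 14/14
input/output security bytes: 1176/1176
input/output dropped security packets: 0/1
dropped security packet detail:
not enough memory: 0
can't find SA: 1
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0"""

# Drop reasons that point at tampering, a peer mismatch or replay rather than a transient
# condition (assumption of this example; tune the list to the deployment).
ALERT_REASONS = ("authentication has failed", "replay packet", "wrong SA", "wrong length")

def ike_phases(text, peer):
    """Return the set of IKE phases (1 and/or 2) that have a READY SA with the peer."""
    ready = set()
    for m in re.finditer(r"(?m)^\d+\s+(\S+)\s+(\S+)\s+(\d)\s+IPSEC$", text):
        if m.group(1) == peer and "RD" in m.group(2).split("|"):
            ready.add(int(m.group(3)))
    return ready

def drop_detail(text):
    """Parse the per-reason drop counters into {reason: count}."""
    return {k: int(v) for k, v in re.findall(r"(?m)^([A-Za-z' ]+): (\d+)$", text)}

def assess(ike_ready, drops, expected=frozenset({1, 2})):
    """Return a list of alerts; an empty list means the tunnel looks healthy."""
    alerts = [f"phase {p} SA not READY" for p in sorted(expected - ike_ready)]
    for reason in ALERT_REASONS:
        if drops.get(reason, 0):
            alerts.append(f"{reason}: {drops[reason]}")
    # A lone "can't find SA" drop is the packet that triggered IKE before any SA existed;
    # a growing count means traffic keeps hitting the policy with no usable SA (threshold assumed).
    missing = drops.get("can't find SA", 0)
    if missing > 1:
        alerts.append(f"can't find SA: {missing}")
    return alerts
```

For the outputs captured in this lab, `assess(ike_phases(IKE_SA, "23.1.1.3"), drop_detail(IPSEC_STATS))` returns an empty list.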