在华为设备上实战站点到站点的虚拟私有网络

掌握华为设备上IKE方案实施站点到站点的虚拟私有网络(HCNP独家新增课程)
IPSec在IP层通过加密与数据来源认证等方式，来保证数据包在网络上传输时的私有性、真实性、完整性和抗重放。
IPSec加密和验证算法所使用的密钥可以手工配置，也可以通过因特网密钥交换IKE（Internet Key Exchange）协议动态协商。IKE协议建立在Internet安全联盟和密钥管理协议ISAKMP（Internet Security Association and Key Management Protocol）框架之上，采用DH（Diffie-Hellman）算法在不安全的网络上安全地分发密钥、验证身份，以保证数据传输的安全性。IKE协议可提升密钥的安全性，并降低IPSec管理复杂度。

目的
在Internet的传输中，绝大部分数据的内容都是明文传输的，这样就会存在很多潜在的危险，比如：密码、银行帐户的信息被窃取、篡改，用户的身份被冒充，遭受网络恶意×××等。网络中部署IPSec后，可对传输的数据进行保护处理，降低信息泄漏的风险。

受益
IPSec通过加密与验证等方式，从以下几个方面保障了用户业务数据在Internet中的安全传输：
数据来源验证：接收方验证发送方身份是否合法。
数据加密：发送方对数据进行加密，以密文的形式在Internet上传送，接收方对接收的加密数据进行解密后处理或直接转发。
数据完整性：接收方对接收的数据进行验证，以判定报文是否被篡改。
抗重放：接收方拒绝旧的或重复的数据包，防止恶意用户通过重复发送捕获到的数据包所进行的×××。

2.实施拓扑图

3.实验步骤 3.1 路由问题

ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 //该路由可以解决到达对端通信点以及对端加解密点的通信问题

3.2 实施ACL匹配感兴趣流

这些流量将被×××做安全处理
acl number 3000
rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255

3.3 配置IPSEC提案

ipsec proposal 10
esp authentication-algorithm sha2-384
esp encryption-algorithm aes-128

3.4 配置IKE提案

ike proposal 10
encryption-algorithm aes-cbc-128
dh group2

3.5配置IKE对等体组，协商对等体

ike peer R2 v1
pre-shared-key simple qytang
ike-proposal 10
remote-address 12.1.1.2

3.6配置策略汇总

ipsec policy P1 10 isakmp
security acl 3000
ike-peer R2
proposal 10

4.将策略调用在接口

interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0
ipsec policy P1
AR2的配置几乎和AR1相同，大部分内容比如acl将流量的源目对调即可，请参考如下配置

acl number 3000 rule 5 permit ip source 10.1.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255 # ipsec proposal 10 esp authentication-algorithm sha2-384 esp encryption-algorithm aes-128 # ike proposal 10 encryption-algorithm aes-cbc-128 dh group2 # ike peer R1 v1 pre-shared-key simple qytang ike-proposal 10 remote-address 12.1.1.1 # ipsec policy P1 10 isakmp security acl 3000 ike-peer R1 proposal 10 # interface GigabitEthernet0/0/0 ip address 12.1.1.2 255.255.255.0 ipsec policy P1 # interface GigabitEthernet0/0/2 ip address 10.1.20.254 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 12.1.1.1 5.验证IPSEC的各种状态以便排错

在华为设备上实战站点到站点的虚拟私有网络

验证：

[Gateway1]display ike sa Conn-ID Peer ××× Flag(s) Phase --------------------------------------------------------------- 2 12.1.1.2 0 RD|ST 2 1 12.1.1.2 0 RD|ST 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP [Gateway1]dis ike peer Number of IKE peers: 1 Peer name Exchange Remote NAT mode name traversal ------------------------------------------------------- R2 Main Disable [Gateway1]dis ike statistics v1 ---------------------------------------------------------- IKE V1 statistics information Number of total peers : 18 Number of policy peers : 1 Number of profile peers : 17 Number of proposals : 2 Number of established V1 phase 1 SAs : 1 Number of established V1 phase 2 SAs : 1 Number of total V1 phase 1 SAs : 1 Number of total V1 phase 2 SAs : 1 Number of total SAs : 2 Keep alive time : 0 Keep alive interval : 0 keepalive spi list : Disable ---------------------------------------------------------- [Gateway1]dis ipsec sa // 查看IPSEC SA，它用于确定网络的两侧，同时进行数据加解密 =============================== Interface: GigabitEthernet0/0/0 Path MTU: 1500 =============================== ----------------------------- IPSec policy name: "P1" Sequence number : 10 Acl Group : 3000 Acl rule : 5 Mode : ISAKMP ----------------------------- Connection ID : 2 Encapsulation mode: Tunnel Tunnel local : 12.1.1.1 Tunnel remote : 12.1.1.2 Flow source : 10.1.10.0/255.255.255.0 0/0 Flow destination : 10.1.20.0/255.255.255.0 0/0 Qos pre-classify : Disable [Outbound ESP SAs] SPI: 1214314935 (0x4860f9b7) Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192 SA remaining key duration (bytes/sec): 1887283200/3079 Max sent sequence-number: 10 UDP encapsulation used for NAT traversal: N [Inbound ESP SAs] SPI: 2003986867 (0x777269b3) Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192 SA remaining key duration (bytes/sec): 1887436260/3079 Max received sequence-number: 9 Anti-replay window size: 32 UDP encapsulation used for NAT traversal: N [Gateway1]dis ipsec policy =========================================== IPSec policy group: "P1" Using interface: GigabitEthernet0/0/0 =========================================== Sequence number: 10 Security data flow: 3000 Peer name : R2 Perfect forward secrecy: None Proposal name: 10 IPSec SA local duration(time based): 3600 seconds IPSec SA local duration(traffic based): 1843200 kilobytes Anti-replay window size: 32 SA trigger mode: Automatic Route inject: None Qos pre-classify: Disable [Gateway1]dis ipsec statistics esp Inpacket count : 9 Inpacket auth count : 0 Inpacket decap count : 0 Outpacket count : 10 Outpacket auth count : 0 Outpacket encap count : 0 Inpacket drop count : 0 Outpacket drop count : 0 BadAuthLen count : 0 AuthFail count : 0 InSAAclCheckFail count : 0 PktDuplicateDrop count : 0 PktSeqNoTooSmallDrop count: 0 PktInSAMissDrop count : 0

需要注意的是ensp的acl并不一定匹配，如下所示
<Gateway1>dis acl all
Total quantity of nonempty ACL number is 1

Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255

6.查看安全处理的报文

郑重声明：本文版权归原作者所有，转载文章仅为传播更多信息之目的，如作者信息标记有误，请第一时间联系我们修改或删除，多谢。