IPsec Lab Based on eNSP

Published: 2023-02-03 ⋅ Reads: 478 ⋅ Likes: 0

Contents

1. Lab topology (figure)

2. Requirements

3. Requirements analysis

4. IPsec configuration order

5. IPsec configuration


1. Lab topology as shown in the figure

(The figure is not reproduced in this copy of the page. From the configuration in section 5: R1 is the headquarters gateway, with LAN 192.168.1.0/24 on g0/0/0 and public address 1.1.1.1/24 on g0/0/1; R2 is the intermediate router standing in for the public network, with 1.1.1.2/24 and 1.1.2.2/24; R3 is the branch gateway, with public address 1.1.2.3/24 on g0/0/0 and LAN 192.168.2.0/24 on g0/0/1.)

2. Requirements

The headquarters and the branch are connected through an IPsec VPN.

Both the headquarters and the branch can reach the Internet.

3. Requirements analysis

This lab has to provide both the VPN connection and Internet access, so two ACLs are needed: one to define the IPsec interesting traffic, and one to match the traffic that is NATed to the Internet. The hard part of the lab is the IPsec VPN configuration: it has many parameters, and if the two ends of the VPN do not agree on them, the VPN cannot be established.
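The interplay between the two ACLs is easiest to see by running sample flows through them. The Python script below is an added example, not code from the original post: it models VRP wildcard-mask matching for the rule forms used on R1 in section 5 (ACL 3000 for NAT, ACL 3001 for IPsec interesting traffic), applies NAT before the IPsec policy as VRP does when both sit on one interface, and includes a constructed ACL_3000_NO_DENY variant to show why the deny rule in ACL 3000 is required. The address 1.1.1.1 is R1's public address from the configuration; PUBLIC_IP, Rule, classify and the sample flows are this example's own names.

```python
"""Wildcard-mask ACL evaluation for the two ACLs on R1 in this lab.

Added example, not part of the original post. It models VRP advanced ACL
matching only as far as this page uses it: rules of the form
'rule N permit|deny ip source A WILDCARD destination B WILDCARD', tried in
ascending rule number, first match wins. The sample flows and the
'no deny rule' variant below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PUBLIC_IP = "1.1.1.1"   # R1's g0/0/1 address, the source used by nat outbound


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # network address, None means any
    src_wild: Optional[str] = None   # wildcard: 0 bits must match, 1 bits are ignored
    dst: Optional[str] = None
    dst_wild: Optional[str] = None


def wildcard_match(addr: str, net: Optional[str], wild: Optional[str]) -> bool:
    """True if addr falls inside net/wildcard (VRP inverse-mask semantics)."""
    if net is None:
        return True
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Action of the first matching rule, or 'no-match' if nothing matches."""
    for r in sorted(rules, key=lambda r: r.number):
        if wildcard_match(src, r.src, r.src_wild) and wildcard_match(dst, r.dst, r.dst_wild):
            return r.action
    return "no-match"


# R1's ACLs as configured on the page: 3000 for NAT, 3001 for IPsec interesting traffic.
ACL_3000 = [
    Rule(0, "deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Rule(5, "permit"),
]
ACL_3001 = [Rule(5, "permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
# Constructed misconfiguration: the same NAT ACL without the deny rule.
ACL_3000_NO_DENY = [Rule(5, "permit")]


def classify(src: str, dst: str, nat_acl: List[Rule] = ACL_3000,
             ipsec_acl: List[Rule] = ACL_3001) -> str:
    """What R1 does with a packet leaving g0/0/1.

    On VRP, nat outbound is processed before the ipsec policy on the same
    interface: a packet the NAT ACL permits is translated first and is then
    checked against the interesting-traffic ACL with its new source address.
    That ordering is why ACL 3000 must deny the headquarters-to-branch traffic.
    """
    translated = evaluate(nat_acl, src, dst) == "permit"
    if translated:
        src = PUBLIC_IP                 # the private source address is gone
    if evaluate(ipsec_acl, src, dst) == "permit":
        return "ipsec"                  # enters the tunnel, private addresses preserved
    return "nat" if translated else "plain"
```

With the page's ACLs, a packet from 192.168.1.10 to 192.168.2.20 is classified as "ipsec" and one to 8.8.8.8 as "nat"; with ACL_3000_NO_DENY the branch-bound packet is translated to 1.1.1.1 first, no longer matches ACL 3001, and leaves unencrypted as "nat", which is the symptom of the missing deny rule.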

4. IPsec configuration order

Configure an ACL for the interesting traffic, matching traffic destined for the branch private network.

Create an IKE proposal.

In IKE proposal view you can configure the authentication method, authentication algorithm, encryption algorithm, DH group and other parameters. (DH is a public-key algorithm: the two parties exchange some data and each computes the shared key without the key itself ever being transmitted. The Diffie-Hellman group set at the two ends of the IPsec tunnel must be the same, otherwise IKE negotiation fails.) All of these parameters have default values, as shown in the figure.

Create an IKE peer.

Configure the negotiation mode as main mode or aggressive mode (main mode is the default), reference the IKE proposal, set the pre-shared key, and, in main mode, configure the local and remote public addresses.

Create an IPsec proposal.

Configure the security protocol (ESP by default).

Configure the encapsulation mode (tunnel mode by default).

Configure the authentication algorithm.

Configure the encryption algorithm.

Note: all of the above parameters have default values, as shown in the figure.

Create an IPsec policy.

Reference the ACL.

Specify the IKE peer.

Reference the IPsec proposal.

Apply the security policy.

Apply the IPsec policy on the public-network interface.

5. IPsec configuration

R1 configuration

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 1.1.1.1 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0 1.1.1.2
//Create ACL 3000 (the NAT ACL): deny the IPsec VPN traffic, permit all other traffic
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3000]rule 5 permit ip
[Huawei-acl-adv-3000]quit
//Create ACL 3001 (the interesting traffic): match traffic destined for the branch private network
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001]quit
//Create the IKE proposal
[Huawei]ike proposal 1
[Huawei-ike-proposal-1]authentication-method pre-share
[Huawei-ike-proposal-1]authentication-algorithm sha1
[Huawei-ike-proposal-1]encryption-algorithm des-cbc
[Huawei-ike-proposal-1]dh group14
[Huawei-ike-proposal-1]quit
//Create the IKE peer
[Huawei]ike peer to_fen v2
[Huawei-ike-peer-to_fen]ike-proposal 1
[Huawei-ike-peer-to_fen]pre-shared-key cipher 123
[Huawei-ike-peer-to_fen]local-address 1.1.1.1
[Huawei-ike-peer-to_fen]remote-address 1.1.2.3
[Huawei-ike-peer-to_fen]quit
//Create the IPsec proposal
[Huawei]ipsec proposal 1
[Huawei-ipsec-proposal-1]transform esp
[Huawei-ipsec-proposal-1]esp authentication-algorithm sha2-256
[Huawei-ipsec-proposal-1]esp encryption-algorithm 3des
[Huawei-ipsec-proposal-1]quit
//Create the IPsec policy
[Huawei]ipsec policy to_fen 1 isakmp
[Huawei-ipsec-policy-isakmp-to_fen-1]security acl 3001
[Huawei-ipsec-policy-isakmp-to_fen-1]ike-peer to_fen
[Huawei-ipsec-policy-isakmp-to_fen-1]proposal 1
//Apply the IPsec policy and NAT on the public-network interface
[Huawei-ipsec-policy-isakmp-to_fen-1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy to_fen
[Huawei-GigabitEthernet0/0/1]nat outbound 3000

R2 configuration (R2 only needs its IP addresses configured)

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 1.1.2.2 24

R3 configuration

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 1.1.2.3 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.2.2 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]ip route-static 0.0.0.0 0 1.1.2.2
//ACL 3000 (the NAT ACL): deny the IPsec VPN traffic, permit all other traffic
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 0 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3000]rule 5 permit ip
[Huawei-acl-adv-3000]quit
//ACL 3001 (the interesting traffic): match traffic destined for the headquarters private network
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3001]quit
//IKE proposal, matching R1's parameters
[Huawei]ike proposal 1
[Huawei-ike-proposal-1]authentication-method pre-share
[Huawei-ike-proposal-1]authentication-algorithm sha1
[Huawei-ike-proposal-1]encryption-algorithm des-cbc
[Huawei-ike-proposal-1]dh group14
[Huawei-ike-proposal-1]quit
//IKE peer, with local and remote addresses swapped relative to R1
[Huawei]ike peer to_zong v2
[Huawei-ike-peer-to_zong]ike-proposal 1
[Huawei-ike-peer-to_zong]pre-shared-key cipher 123
[Huawei-ike-peer-to_zong]local-address 1.1.2.3
[Huawei-ike-peer-to_zong]remote-address 1.1.1.1
[Huawei-ike-peer-to_zong]quit
//IPsec proposal, matching R1's parameters
[Huawei]ipsec proposal 1
[Huawei-ipsec-proposal-1]transform esp
[Huawei-ipsec-proposal-1]esp authentication-algorithm sha2-256
[Huawei-ipsec-proposal-1]esp encryption-algorithm 3des
[Huawei-ipsec-proposal-1]quit
//IPsec policy
[Huawei]ipsec policy to_zong 1 isakmp
[Huawei-ipsec-policy-isakmp-to_zong-1]security acl 3001
[Huawei-ipsec-policy-isakmp-to_zong-1]ike-peer to_zong
[Huawei-ipsec-policy-isakmp-to_zong-1]proposal 1
[Huawei-ipsec-policy-isakmp-to_zong-1]quit
//Apply the IPsec policy and NAT on the public-network interface
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipsec policy to_zong
[Huawei-GigabitEthernet0/0/0]nat outbound 3000
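The configuration order in section 4 and the R1/R3 configurations above together list the parameters that must agree on both sides, and the analysis in section 3 warns that any disagreement stops the VPN from coming up. A quick way to catch such mismatches before troubleshooting on the devices is to cross-check the two configurations mechanically. The Python script below is an added example, not part of the original post or of any Huawei tool: its parser understands only the command forms used on this page, site_config() rebuilds each side's CLI from the page's own values (and strips [Huawei-...] prompts if a raw transcript is pasted instead), and the group2 variant is constructed to show a detected mismatch. It verifies that the two sides agree, not that the choices are strong: des-cbc, 3des, sha1 and the pre-shared key 123 are this lab's values, not ones to carry into production.

```python
"""Cross-check two VRP IPsec peers for the parameters that must agree.
Added example, not part of the original post: only the command forms used on this
page are parsed, site_config() rebuilds each side from the page's values, and the
group2 variant is constructed to show a detected mismatch."""
import re
from typing import Dict, List

PROMPT = re.compile(r"^\[[^\]]*\]")    # strips a pasted prompt such as [Huawei-ike-peer-to_fen]
RULE = re.compile(r"(permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")
SECTIONS = {"ike proposal": "ike_proposal", "ike peer": "ike_peer",
            "ipsec proposal": "ipsec_proposal", "ipsec policy": "ipsec_policy"}

def parse(cli: str) -> Dict[str, dict]:
    """Return {kind: {name: {param: value}}}; ACL rules are kept as tuples."""
    cfg: Dict[str, dict] = {k: {} for k in list(SECTIONS.values()) + ["acl"]}
    section = None                                 # (kind, name) of the current view
    for raw in cli.splitlines():
        tok = PROMPT.sub("", raw).strip().split()
        if not tok or tok[0].startswith("//"):
            continue
        head = " ".join(tok[:2])
        if head in SECTIONS:                       # e.g. "ike peer to_fen v2"
            section = (SECTIONS[head], tok[2])
            entry = cfg[section[0]].setdefault(tok[2], {})
            if section[0] == "ike_peer" and len(tok) > 3:
                entry["version"] = tok[3]          # IKE version keyword on the peer line
        elif tok[0] == "acl":
            section = ("acl", tok[1])
            cfg["acl"].setdefault(tok[1], [])
        elif tok[0] in ("quit", "interface", "int"):
            section = None                         # left the sub-view
        elif section and section[0] == "acl":
            m = RULE.search(" ".join(tok))
            if m:                                  # (action, src, src_wild, dst, dst_wild)
                cfg["acl"][section[1]].append(m.groups())
        elif section and len(tok) >= 2:            # "keyword ... value": last write wins
            cfg[section[0]][section[1]][" ".join(tok[:-1])] = tok[-1]
    return cfg

def check_peering(a: Dict[str, dict], b: Dict[str, dict]) -> List[str]:
    """Describe every parameter the two sides disagree on; empty means consistent."""
    problems: List[str] = []
    def same(label: str, x: dict, y: dict, keys: List[str]) -> None:
        for k in keys:
            if x.get(k) != y.get(k):
                problems.append(f"{label} '{k}': {x.get(k)} vs {y.get(k)}")
    pol_a, pol_b = (next(iter(c["ipsec_policy"].values())) for c in (a, b))
    peer_a, peer_b = a["ike_peer"][pol_a["ike-peer"]], b["ike_peer"][pol_b["ike-peer"]]
    # B's peer as A must see it: local and remote addresses swapped.
    mirrored = {**peer_b, "local-address": peer_b.get("remote-address"),
                "remote-address": peer_b.get("local-address")}
    same("ike peer", peer_a, mirrored,
         ["version", "pre-shared-key cipher", "local-address", "remote-address"])
    same("ike proposal", a["ike_proposal"][peer_a["ike-proposal"]],
         b["ike_proposal"][peer_b["ike-proposal"]],
         ["authentication-method", "authentication-algorithm", "encryption-algorithm", "dh"])
    same("ipsec proposal", a["ipsec_proposal"][pol_a["proposal"]],
         b["ipsec_proposal"][pol_b["proposal"]],
         ["transform", "esp authentication-algorithm", "esp encryption-algorithm"])
    # Interesting traffic must mirror: A's (src, dst) pairs equal B's (dst, src) pairs.
    flows_a = {(r[1], r[3]) for r in a["acl"][pol_a["security acl"]] if r[0] == "permit"}
    flows_b = {(r[3], r[1]) for r in b["acl"][pol_b["security acl"]] if r[0] == "permit"}
    if flows_a != flows_b:
        problems.append(f"security ACLs are not mirrored: {sorted(flows_a)} vs {sorted(flows_b)}")
    return problems

def site_config(peer: str, local: str, remote: str, lan: str, remote_lan: str,
                dh: str = "group14") -> str:
    """One side's CLI following the page's R1/R3 pattern (all values are the lab's)."""
    return f"""acl 3001
rule permit ip source {lan} 0.0.0.255 destination {remote_lan} 0.0.0.255
quit
ike proposal 1
authentication-method pre-share
authentication-algorithm sha1
encryption-algorithm des-cbc
dh {dh}
quit
ike peer {peer} v2
ike-proposal 1
pre-shared-key cipher 123
local-address {local}
remote-address {remote}
quit
ipsec proposal 1
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
quit
ipsec policy {peer} 1 isakmp
security acl 3001
ike-peer {peer}
proposal 1
quit"""

R1 = site_config("to_fen", "1.1.1.1", "1.1.2.3", "192.168.1.0", "192.168.2.0")
R3 = site_config("to_zong", "1.1.2.3", "1.1.1.1", "192.168.2.0", "192.168.1.0")
R3_WRONG_DH = site_config("to_zong", "1.1.2.3", "1.1.1.1", "192.168.2.0", "192.168.1.0", "group2")
```

check_peering(parse(R1), parse(R3)) returns an empty list for the page's configuration, while check_peering(parse(R1), parse(R3_WRONG_DH)) reports the single DH group disagreement, which is exactly the IKE negotiation failure the DH note in section 4 describes. Applying NAT on the same interface is not covered here; the ACL example in section 3 handles that side.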
