本文共 5939 字,大约阅读时间需要 19 分钟。
掌握华为设备上IKE方案实施站点到站点的虚拟私有网络(HCNP独家新增课程)
IPSec在IP层通过加密与数据来源认证等方式,来保证数据包在网络上传输时的私有性、真实性、完整性和抗重放。IPSec加密和验证算法所使用的密钥可以手工配置,也可以通过因特网密钥交换IKE(Internet Key Exchange)协议动态协商。IKE协议建立在Internet安全联盟和密钥管理协议ISAKMP(Internet Security Association and Key Management Protocol)框架之上,采用DH(Diffie-Hellman)算法在不安全的网络上安全地分发密钥、验证身份,以保证数据传输的安全性。IKE协议可提升密钥的安全性,并降低IPSec管理复杂度。目的
在Internet的传输中,绝大部分数据的内容都是明文传输的,这样就会存在很多潜在的危险,比如:密码、银行帐户的信息被窃取、篡改,用户的身份被冒充,遭受网络恶意×××等。网络中部署IPSec后,可对传输的数据进行保护处理,降低信息泄漏的风险。受益
IPSec通过加密与验证等方式,从以下几个方面保障了用户业务数据在Internet中的安全传输:数据来源验证:接收方验证发送方身份是否合法。数据加密:发送方对数据进行加密,以密文的形式在Internet上传送,接收方对接收的加密数据进行解密后处理或直接转发。数据完整性:接收方对接收的数据进行验证,以判定报文是否被篡改。抗重放:接收方拒绝旧的或重复的数据包,防止恶意用户通过重复发送捕获到的数据包所进行的×××。ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 //该路由可以解决到达对端通信点以及对端加解密点的通信问题
这些流量将被×××做安全处理
acl number 3000 rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255ipsec proposal 10
esp authentication-algorithm sha2-384esp encryption-algorithm aes-128ike proposal 10
encryption-algorithm aes-cbc-128dh group2ike peer R2 v1
pre-shared-key simple qytangike-proposal 10remote-address 12.1.1.2ipsec policy P1 10 isakmp
security acl 3000ike-peer R2proposal 10interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0 ipsec policy P1AR2的配置几乎和AR1相同,大部分内容比如acl将流量的源目对调即可,请参考如下配置acl number 3000 rule 5 permit ip source 10.1.20.0 0.0.0.255 destination 10.1.10.0 0.0.0.255 #ipsec proposal 10 esp authentication-algorithm sha2-384 esp encryption-algorithm aes-128#ike proposal 10 encryption-algorithm aes-cbc-128 dh group2 #ike peer R1 v1 pre-shared-key simple qytang ike-proposal 10 remote-address 12.1.1.1#ipsec policy P1 10 isakmp security acl 3000 ike-peer R1 proposal 10#interface GigabitEthernet0/0/0 ip address 12.1.1.2 255.255.255.0 ipsec policy P1#interface GigabitEthernet0/0/2 ip address 10.1.20.254 255.255.255.0 #ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
[Gateway1]display ike sa Conn-ID Peer ××× Flag(s) Phase --------------------------------------------------------------- 2 12.1.1.2 0 RD|ST 2 1 12.1.1.2 0 RD|ST 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP[Gateway1]dis ike peer Number of IKE peers: 1 Peer name Exchange Remote NAT mode name traversal------------------------------------------------------- R2 Main Disable [Gateway1]dis ike statistics v1---------------------------------------------------------- IKE V1 statistics information Number of total peers : 18 Number of policy peers : 1 Number of profile peers : 17 Number of proposals : 2 Number of established V1 phase 1 SAs : 1 Number of established V1 phase 2 SAs : 1 Number of total V1 phase 1 SAs : 1 Number of total V1 phase 2 SAs : 1 Number of total SAs : 2 Keep alive time : 0 Keep alive interval : 0 keepalive spi list : Disable----------------------------------------------------------[Gateway1]dis ipsec sa // 查看IPSEC SA,它用于确定网络的两侧,同时进行数据加解密===============================Interface: GigabitEthernet0/0/0 Path MTU: 1500=============================== ----------------------------- IPSec policy name: "P1" Sequence number : 10 Acl Group : 3000 Acl rule : 5 Mode : ISAKMP ----------------------------- Connection ID : 2 Encapsulation mode: Tunnel Tunnel local : 12.1.1.1 Tunnel remote : 12.1.1.2 Flow source : 10.1.10.0/255.255.255.0 0/0 Flow destination : 10.1.20.0/255.255.255.0 0/0 Qos pre-classify : Disable [Outbound ESP SAs] SPI: 1214314935 (0x4860f9b7) Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192 SA remaining key duration (bytes/sec): 1887283200/3079 Max sent sequence-number: 10 UDP encapsulation used for NAT traversal: N [Inbound ESP SAs] SPI: 2003986867 (0x777269b3) Proposal: ESP-ENCRYPT-AES-128 SHA2-384-192 SA remaining key duration (bytes/sec): 1887436260/3079 Max received sequence-number: 9 Anti-replay window size: 32 UDP encapsulation used for NAT traversal: N[Gateway1]dis ipsec policy ===========================================IPSec policy group: "P1"Using interface: GigabitEthernet0/0/0=========================================== Sequence number: 10 Security data flow: 3000 Peer name : R2 Perfect forward secrecy: None Proposal name: 10 IPSec SA local duration(time based): 3600 seconds IPSec SA local duration(traffic based): 1843200 kilobytes Anti-replay window size: 32 SA trigger mode: Automatic Route inject: None Qos pre-classify: Disable[Gateway1]dis ipsec statistics esp Inpacket count : 9 Inpacket auth count : 0 Inpacket decap count : 0 Outpacket count : 10 Outpacket auth count : 0 Outpacket encap count : 0 Inpacket drop count : 0 Outpacket drop count : 0 BadAuthLen count : 0 AuthFail count : 0 InSAAclCheckFail count : 0 PktDuplicateDrop count : 0 PktSeqNoTooSmallDrop count: 0 PktInSAMissDrop count : 0
需要注意的是ensp的acl并不一定匹配,如下所示
<Gateway1>dis acl allTotal quantity of nonempty ACL number is 1Advanced ACL 3000, 1 rule
Acl's step is 5rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.20.0 0.0.0.255下图帮您认识ESP报文,您不能在看到icmp报文,因为数据被加密处理
转载于:https://blog.51cto.com/enderjoe/2162340