***中ipsec --manual的實現
要求:通過ipsec--manual模式實現***。
說明:由於實驗條件有限,Internet有華爲三層交換機代替模擬。
1.路由器r1上的基本的配置
[R1-Ethernet0]ip add 192.168.2.254 24
[R1-Ethernet0]int e1
[R1-Ethernet1]ip add 1.1.2.2 24
R1]ip route 0.0.0.0 0 1.1.2.1 (配置默認的路由用於上網)
2.三層交換機上的配置
[Quidway]vlan 10
[Quidway-vlan10]port e0/10
[Quidway-vlan10]int vlan 10
[Quidway-Vlan-interface10]ip add 1.1.2.1 255.255.255.0
[Quidway-Vlan-interface10]vlan 20
[Quidway-vlan20]port e0/20
[Quidway-vlan20]int vlan 20
[Quidway-Vlan-interface20]ip add 1.1.1.2 255.255.255.0
3.路由器r2上的基本配置
[r2-Ethernet0]int s0
[r2-Serial0]ip add 192.168.1.254 24
[r2-Serial0]loopback(用於測試)
[r2]ip route 0.0.0.0 0 1.1.1.2
4.核心代碼配置
1)創建acl用於控制數據流
[r2]acl 3000
[r2-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[r2-acl-3000]rule deny ip source any destination any
2)創建安全提議
[r2]ipsec proposal tran1(建安全提議)
[r2-ipsec-proposal-tran1]encapsulation-mode tunnel(封裝模式是隧道)
[r2-ipsec-proposal-tran1]transform esp(安全協議上esp)
[r2-ipsec-proposal-tran1]esp authentication md5(驗證類型是md5)
[r2-ipsec-proposal-tran1]esp encryption-al des(加密類型是des)
3)創建安全策略(acl+proposal)
[r2]ipsec policy policy1 10 manual (定義安全策略名是policy1並是手工配置)
[r2-ipsec-policy-policy1-10]security acl 3000
[r2-ipsec-policy-policy1-10]proposal tran1
4)靜態的要定義下面的內容,動態的就不用了
[r2-ipsec-policy-policy1-10]tunnel local 1.1.1.1 (隧道本端的地址新的ip頭部)
[r2-ipsec-policy-policy1-10]tunnel remote 1.1.2.2(隧道對端的地址)
[r2-ipsec-policy-policy1-10]sa inbound esp spi 123456(定義進入流量的索引號)
[r2-ipsec-policy-policy1-10]sa inbound esp string-key abcdef(定義進入流量的密鑰)
[r2-ipsec-policy-policy1-10]sa outbound esp spi 654321
[r2-ipsec-policy-policy1-10]sa outbound esp string fedcba
5)最後進入外出口應用此安全策略
[r2]int e0
[r2-Ethernet0]ipsec policy policy1
小結:怎麼樣排錯:用到的命令
1.dis acl all
2.dis ipsec proposal
3.dis ipsec policy
4.dis ipsec sa
5.dis ip rout
強調:手工配置sa,兩端即r1與r2的spi和string-key一定要照應。