IPSec (Internet Protocol Security) is a security standards framework defined by the Internet Engineering Task Force (IETF). It authenticates and encrypts IP packets between two endpoints across public or private networks, and it is most often used to build site-to-site or remote-access VPNs; an "IPSec VPN" is simply a VPN built on this framework.
Normal mode (manual keying):
Both ends of the tunnel need a fixed IP address. With manual keying the authentication key, encryption key and SPI of each SA are typed in by hand, so the two ends must mirror each other exactly (R1's inbound SPI and key are R2's outbound SPI and key, and vice versa); nothing rekeys automatically, so the keys stay in use until someone changes them. The lab below uses MD5 and DES because that is what the notes used; both are broken and should be replaced by AES and a SHA-2 algorithm on any platform that offers them.
[R1]
int eth0/0
ip add 192.168.1.1 24
int eth0/4
ip add 1.1.1.1 24
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran1 (IPsec proposal named tran1)
encapsulation-mode tunnel (tunnel mode; this is the default)
transform esp (security protocol is ESP)
esp authentication-algorithm md5 (ESP authentication algorithm MD5; weak, lab only)
esp encryption-algorithm des (ESP encryption algorithm DES; weak, lab only)
dis ipsec proposal
quit
ipsec policy policy1 10 manual (IPsec policy group policy1, entry 10, manual keying; an interface can carry only one policy group,
but a group can contain several entries; in practice the isakmp mode, where IKE negotiates the SAs, is normally used)
security acl 3000 (only traffic matching ACL 3000 is protected)
proposal tran1 (use proposal tran1)
tunnel local 1.1.1.1 (local tunnel endpoint)
tunnel remote 1.1.2.1 (remote tunnel endpoint)
sa spi inbound esp 12345 (inbound SPI, the Security Parameter Index that selects the SA; must equal the peer's outbound SPI)
sa string-key inbound esp abcdef (inbound key; must equal the peer's outbound key)
dis ipsec sa (display the security associations, visible once traffic has been exchanged)
sa spi outbound esp 54321
sa string-key outbound esp qazwsx
int eth0/4
ipsec policy policy1 (apply the policy group on the interface)
(Configuration for the second tunnel, R1 to R3)
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 20 manual
security acl 3001
proposal tran2
tunnel local 1.1.1.1
tunnel remote 1.1.3.1
dis ipsec policy
sa spi inbound esp 123456
sa string-key inbound esp abcdefg
sa spi outbound esp 654321
sa string-key outbound esp qazwsxe
(policy1 is already applied on the outbound interface eth0/4, so the new entry 20 does not need to be applied again)
dis ipsec policy
Guangzhou to Shanghai (spoke-to-spoke traffic from R3's LAN 192.168.3.0/24 to R2's LAN 192.168.2.0/24 is relayed through R1: R1 decrypts it from the R3 tunnel and re-encrypts it into the R2 tunnel, so both of R1's ACLs need an extra rule, one per direction)
acl number 3000 match-order auto
rule 15 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 match-order auto
rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[R2]
int eth0/0
ip add 192.168.2.1 24
loopback (keeps the LAN interface up with nothing plugged in; lab only)
int eth0/4
ip add 1.1.2.1 24
ip route-static 0.0.0.0 0 1.1.2.2
ping 1.1.2.2
ping 1.1.1.1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 1.1.2.1
tunnel remote 1.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp qazwsx
sa spi outbound esp 12345
sa string-key outbound esp abcdef
quit
int eth0/4
ipsec policy policy1
dis ipsec sa
[R3]
int eth0/0
ip add 192.168.3.1 24
loopback
int eth0/4
ip add 1.1.3.1 24
quit
ip route-static 0.0.0.0 0 1.1.3.2
ping 1.1.3.2
ping 1.1.1.1
acl number 3001 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec policy policy1 10 manual
security acl 3001
proposal tran2
tunnel local 1.1.3.1
tunnel remote 1.1.1.1
sa spi inbound esp 654321
sa string-key inbound esp qazwsxe
sa spi outbound esp 123456
sa string-key outbound esp abcdefg
int eth0/4
ipsec policy policy1
dis ipsec sa
Guangzhou to Shanghai (the spoke-to-spoke rule on R3; R3's policy references ACL 3001, not 3000, so the rule must go into ACL 3001, and R2 needs the mirrored rule, source 192.168.2.0 destination 192.168.3.0, in its ACL 3000 for the return direction)
acl number 3001 match-order auto
rule 15 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
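The manual-keying configurations above for R1, R2 and R3 only work if every SPI and key is mirrored exactly between the two ends, which is easy to get wrong by hand. The following Python script is an added example (not part of the original notes) that parses policy entries in the Comware-style syntax used here and flags any break in that symmetry; the sample entries are constructed from R1's and R2's policy1 entry 10 above, and the function names are the example's own.

```python
"""Mirror check for manually keyed IPsec SAs.

Added example, not part of the lab notes above. With manual keying nothing
negotiates the SPIs or keys, so the two ends must be written as exact mirrors:
one router's inbound SPI and key are the peer's outbound SPI and key, and the
tunnel endpoints are swapped. This script parses Comware-style
`ipsec policy ... manual` entries and reports any break in that symmetry.
The sample entries are constructed from the R1/R2 configuration above; the
function names are this example's own.
"""
import re

# Constructed from the R1 <-> R2 entries (policy1 sequence 10) in the notes.
R1_ENTRY = """
ipsec policy policy1 10 manual
 security acl 3000
 proposal tran1
 tunnel local 1.1.1.1
 tunnel remote 1.1.2.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdef
 sa spi outbound esp 54321
 sa string-key outbound esp qazwsx
"""
R2_ENTRY = """
ipsec policy policy1 10 manual
 security acl 3000
 proposal tran1
 tunnel local 1.1.2.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp qazwsx
 sa spi outbound esp 12345
 sa string-key outbound esp abcdef
"""
# The same R2 entry with a one-character typo in the outbound key: R2 would
# still send, but every packet would fail integrity checking at R1 and be dropped.
R2_TYPO = R2_ENTRY.replace("outbound esp abcdef", "outbound esp abcdeg")

_FIELDS = {
    "local": r"tunnel local (\S+)",
    "remote": r"tunnel remote (\S+)",
    "spi_in": r"sa spi inbound esp (\d+)",
    "spi_out": r"sa spi outbound esp (\d+)",
    "key_in": r"sa string-key inbound esp (\S+)",
    "key_out": r"sa string-key outbound esp (\S+)",
}


def parse_manual_entry(text):
    """Extract the endpoint, SPI and key fields of one manual policy entry."""
    entry = {}
    for field, pattern in _FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"entry is missing '{field}'")
        entry[field] = match.group(1)
    return entry


def mirror_problems(a_text, b_text):
    """Return the names of the mirror rules that a_text and b_text violate.

    An empty list means the two ends are consistent with each other.
    """
    a, b = parse_manual_entry(a_text), parse_manual_entry(b_text)
    rules = [
        ("tunnel endpoints are swapped", a["local"] == b["remote"] and a["remote"] == b["local"]),
        ("inbound SPI of A == outbound SPI of B", a["spi_in"] == b["spi_out"]),
        ("outbound SPI of A == inbound SPI of B", a["spi_out"] == b["spi_in"]),
        ("inbound key of A == outbound key of B", a["key_in"] == b["key_out"]),
        ("outbound key of A == inbound key of B", a["key_out"] == b["key_in"]),
        ("each direction has its own SPI", a["spi_in"] != a["spi_out"]),
    ]
    return [name for name, ok in rules if not ok]


def weak_keys(text, min_len=16):
    """Return the manual keys in an entry that are shorter than min_len characters."""
    entry = parse_manual_entry(text)
    return [k for k in (entry["key_in"], entry["key_out"]) if len(k) < min_len]


if __name__ == "__main__":
    print("R1/R2 as written:", mirror_problems(R1_ENTRY, R2_ENTRY) or "mirror OK")
    print("R1/R2 with typo: ", mirror_problems(R1_ENTRY, R2_TYPO))
    print("short keys on R1:", weak_keys(R1_ENTRY))
```

Run it on the two ends' `ipsec policy ... manual` text before applying the policy to an interface: a typo in a key fails integrity checking on the receiving side and the tunnel simply drops packets, with no negotiation to tell you why. `weak_keys` is a reminder that the six-character lab keys above are far too short for real use.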
Aggressive mode (IKE with a pre-shared key):
One end of the tunnel has a fixed address and the other obtains its address automatically (DHCP). Because the fixed-address side (R1) has no remote-address configured for its peers, it cannot start the negotiation: the first packet must come from the dynamically addressed side, for example a ping from R2's or R3's LAN toward 192.168.1.0/24, after which traffic flows in both directions. Aggressive mode is used here because the hub must identify spokes by name rather than by address. Note that it sends the identities in clear and the pre-shared-key authentication hashes unencrypted, so anyone who captures the exchange can attack the PSK offline; use a long random PSK (123456 and 654321 below are lab values) and prefer main mode with fixed addresses or certificates where that is possible.
[R1]
int eth0/0
ip add 192.168.1.1 24
int eth0/4
ip add 1.1.1.1 24
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ike peer R2 (define the IKE peer; the name is local to this router)
exchange-mode aggressive (use aggressive mode)
id-type name (identify the peer by name, since its address is not fixed)
remote-name R2 (must equal the ike local-name configured on R2)
local-address 1.1.1.1
pre-shared-key simple 123456 (must match the key on R2; lab value, use a long random key in production)
quit
ike local-name R1 (this router's IKE identity; must equal the remote-name configured on the peers)
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 10 isakmp (policy entry whose SAs are negotiated by IKE instead of being typed in)
security acl 3000
proposal tran1
ike-peer R2 (bind the entry to the peer defined above)
int eth0/4
ipsec policy policy1
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R3
exchange-mode aggressive
pre-shared-key simple 654321
id-type name
remote-name R3
local-address 1.1.1.1
quit
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran2
ike-peer R3
[R2]
int eth0/0
ip add 192.168.2.1 24
loopback
int eth0/4
ip add dhcp (obtain the WAN address by DHCP)
ip route-static 0.0.0.0 0 1.1.2.2
ping 1.1.2.2
ping 1.1.1.1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ike peer R1
remote-address 1.1.1.1
exchange-mode aggressive
id-type name
remote-name R1
pre-shared-key simple 123456
quit
ike local-name R2
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
ike-peer R1
quit
int eth0/4
ipsec policy policy1
quit
[R3]
int eth0/0
ip add 192.168.3.1 24
loopback
int eth0/4
ip add dhcp (obtain the WAN address by DHCP)
quit
ip route-static 0.0.0.0 0 1.1.3.2
ping 1.1.3.2
ping 1.1.1.1
acl number 3001 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ike peer R1
exchange-mode aggressive
id-type name
remote-address 1.1.1.1
remote-name R1
pre-shared-key simple 654321
quit
ike local-name R3
ipsec policy policy1 10 isakmp
security acl 3001
proposal tran2
ike-peer R1
quit
int eth0/4
ipsec policy policy1
quit
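Aggressive-mode setups fail most often because a name, key or address on one router does not match its counterpart on the other, and with id-type name there is no address to fall back on. The following Python script is an added example (not part of the original notes) that parses the ike peer and ike local-name lines of a hub and its spokes and checks them against each other. The config text is constructed from R1, R2 and R3 above, with a deliberate typo in R2's exchange-mode (aggregation instead of aggressive, a slip that does happen in practice) so the checker has something to find; the function names are the example's own.

```python
"""Cross-check IKE peer definitions on a hub and its spokes.

Added example, not part of the lab notes above. In aggressive mode with
`id-type name` the hub knows a spoke only by its name, so four things must
line up across two routers: the hub's remote-name must equal the spoke's
`ike local-name` (and the spoke's remote-name the hub's local-name), the
pre-shared keys must be identical, both ends must use the same exchange mode,
and the spoke's remote-address must be the hub's local-address. The config
text is constructed from the R1/R2/R3 configuration above, with a deliberate
`aggregation` typo on R2 so the checker has something to find; the function
names are this example's own.
"""
import re

R1_CFG = """
ike local-name R1
ike peer R2
 exchange-mode aggressive
 id-type name
 remote-name R2
 local-address 1.1.1.1
 pre-shared-key simple 123456
ike peer R3
 exchange-mode aggressive
 id-type name
 remote-name R3
 local-address 1.1.1.1
 pre-shared-key simple 654321
"""
R2_CFG = """
ike local-name R2
ike peer R1
 remote-address 1.1.1.1
 exchange-mode aggregation
 id-type name
 remote-name R1
 pre-shared-key simple 123456
"""
R3_CFG = """
ike local-name R3
ike peer R1
 exchange-mode aggressive
 id-type name
 remote-address 1.1.1.1
 remote-name R1
 pre-shared-key simple 654321
"""


def parse_ike(text):
    """Return (local_name, {peer: {keyword: value}}) from Comware-style config text."""
    local_name, peers, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ike local-name (\S+)$", line)
        if m:
            local_name = m.group(1)
            continue
        m = re.match(r"ike peer (\S+)$", line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is not None:
            keyword, _, value = line.partition(" ")
            if keyword == "pre-shared-key":
                value = value.split()[-1]  # drop the simple/cipher keyword
            current[keyword] = value
    return local_name, peers


def peer_problems(hub_cfg, hub_peer, spoke_cfg, spoke_peer):
    """Return the cross-router checks that fail for one hub/spoke pair (empty = OK)."""
    hub_name, hub_peers = parse_ike(hub_cfg)
    spoke_name, spoke_peers = parse_ike(spoke_cfg)
    h, s = hub_peers[hub_peer], spoke_peers[spoke_peer]
    checks = [
        ("hub remote-name == spoke local-name", h.get("remote-name") == spoke_name),
        ("spoke remote-name == hub local-name", s.get("remote-name") == hub_name),
        ("pre-shared keys match", h.get("pre-shared-key") == s.get("pre-shared-key")),
        ("both ends use exchange-mode aggressive",
         h.get("exchange-mode") == s.get("exchange-mode") == "aggressive"),
        ("both ends use id-type name", h.get("id-type") == s.get("id-type") == "name"),
        ("spoke remote-address == hub local-address",
         s.get("remote-address") == h.get("local-address")),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    print("R1<->R2:", peer_problems(R1_CFG, "R2", R2_CFG, "R1") or "OK")
    print("R1<->R3:", peer_problems(R1_CFG, "R3", R3_CFG, "R1") or "OK")
```

Beyond spelling, the check that matters most is the pre-shared key: in aggressive mode the hashes that prove knowledge of the PSK are sent unencrypted, so a value like 123456 can be recovered offline by anyone who captured the exchange. Generate a long random PSK per spoke instead of reusing short lab values.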