IPsec technology application
ISAKMP mode
F1 configuration:
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback
[f1-Ethernet0/0]inter eth0/1
[f1-Ethernet0/1]ip address 1.1.1.1 24
[f1-Ethernet0/1]quit
[f1]ip route 0.0.0.0 0 1.1.1.2   (default route)
Add zones:
[f1]fire zone trust
[f1-zone-trust]add inter eth0/0
[f1-zone-trust]quit
[f1]fire zone untrust
[f1-zone-untrust]add inter eth0/1
Create the access control list:
[f1]acl num 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
[f1-acl-adv-3000]quit
Create the security proposal:
[f1]ipsec proposal tran1   (tran1 is the proposal name)
[f1-ipsec-proposal-tran1]?
Ipsec-proposal view commands:
  display             Display current system information
  encapsulation-mode  Specify the packet encapsulation mode
  esp                 Specify the ESP protocol(RFC2406) parameters
  nslookup            Query Internet name servers
  ping                Ping function
  quit                Exit from current command view
  return              Exit to User View
  save                Save current configuration
  tracert             Trace route function
  transform           Specify the security protocol(s) used to transform the packet
  undo                Cancel current setting
  vrbd                Show application version
[f1-ipsec-proposal-tran1]encap ?
  transport  Only the payload of IP packet is protected(transport mode)
  tunnel     The entire IP packet is protected(tunnel mode)
[f1-ipsec-proposal-tran1]encap tunnel   (specify the encapsulation mode for security protocol packets: tunnel)
[f1-ipsec-proposal-tran1]transform ?
  ah      AH protocol defined in RFC2402
  ah-esp  ESP protocol first, then AH protocol
  esp     ESP protocol defined in RFC2406
[f1-ipsec-proposal-tran1]transform esp   (specify the security protocol used to transform the packets: ESP)
[f1-ipsec-proposal-tran1]esp encry des   (encryption algorithm)
[f1-ipsec-proposal-tran1]esp auth md5   (authentication algorithm)
[f1-ipsec-proposal-tran1]quit
Create the IKE peer:
[f1]ike peer f2
Pre-shared key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Destination (remote address):
[f1-ike-peer-f2]remote-address 1.1.2.1
Create the security policy:
[f1]ipsec policy policy1 10 isakmp
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
Bind the IKE peer:
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
Apply to the interface:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip address 192.168.2.254 24
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2-Ethernet0/1]quit
[f2]ip route 0.0.0.0 0 1.1.2.2
[f2]fire pack defau permi
[f2]fire zone trust
[f2-zone-trust]add inter eth0/0
The interface has been added to trust security zone.
[f2-zone-trust]quit
[f2]fire zone untrust
[f2-zone-untrust]add inter eth0/1
[f2-zone-untrust]quit
[f2]acl num 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
[f2-acl-adv-3000]quit
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encap tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encry des
[f2-ipsec-proposal-tran1]esp auth md5
[f2-ipsec-proposal-tran1]quit
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]pre-share?
pre-shared-key
[f2-ike-peer-f1]pre-shared-key 123456
[f2-ike-peer-f1]remote-address 1.1.1.1
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
[f2-ipsec-policy-isakmp-policy1-10]quit
[f2]inter eth0/1
[f2-Ethernet0/1]
[f2-Ethernet0/1]ipsec policy polict1
No such policy exists.
[f2-Ethernet0/1]ipsec policy policy1
Configure the switch:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]ip address 1.1.1.2 255.255.255.0
^
% Unrecognized command found at '^' position.
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]
%Dec 14 10:30:20 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface10: turns into UP state
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway-Vlan-interface10]
%Dec 14 10:30:38 2012 Quidway IFNET/5/UPDOWN:Line protocol on the interface Vlan-interface10 turns into UP state
[Quidway-Vlan-interface10]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 10:30:45 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Test:
[f2]dis ip rout   (display the routing table)
Routing Table: public net
Destination/Mask    Protocol  Pre  Cost  Nexthop        Interface
0.0.0.0/0           STATIC    60   0     1.1.2.2        Ethernet0/1
1.1.2.0/24          DIRECT    0    0     1.1.2.1        Ethernet0/1
1.1.2.1/32          DIRECT    0    0     127.0.0.1      InLoopBack0
127.0.0.0/8         DIRECT    0    0     127.0.0.1      InLoopBack0
127.0.0.1/32        DIRECT    0    0     127.0.0.1      InLoopBack0
192.168.2.0/24      DIRECT    0    0     192.168.2.254  Ethernet0/0
192.168.2.254/32    DIRECT    0    0     127.0.0.1      InLoopBack0
[f2]ping -a 192.168.2.254 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
Aggressive mode
Aggressive mode: F1 obtains its outside address automatically (DHCP on eth0/1)
Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip addres 192.168.2.254 24
[f2-Ethernet0/0]loopback
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2]ip route 0.0.0.0 0 1.1.2.2
Add zones:
[f2]firewall packet-filter default permit
[f2]firewall zone trust
[f2-zone-trust]add inter eth0/0
[f2]firewall zone untrust
[f2-zone-untrust]add inter eth0/1
Create the access control list:
[f2]acl number 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
Create the security proposal:
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encapsulation-mode tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encryption-algorithm des
[f2-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]?
Ike-peer 系統視圖命令:
certificate 設置證書的參數
display 顯示當前系統信息
dpd 配置peer的DPD
exchange-mode 指定IKE階段一使用的協商模式
id-type 設置地址或名字作爲ID
local 設置隧道本端子網類型
local-address 指定本端IP地址
nat 使用udp封裝進行nat透傳
nslookup 查詢域名服務
peer 設置隧道對端子網類型
ping 檢查網絡連接或主機是否可達
pre-shared-key 指定預共享密鑰
quit 退出當前的命令視圖
remote-address 指定對端IP地址
remote-name 指定對端網關名
return 退到用戶視圖
save 保存當前有效配置
tracert 跟蹤到達目的地的路由
undo 取消當前設置
vrbd 顯示VRP版本
[f2-ike-peer-f1]exchange-mode ?
aggressive 野蠻模式
main 主模式
[f2-ike-peer-f1]exchange-mode aggressive
[f2-ike-peer-f1]id-type name   (use the name as the ID)
[f2-ike-peer-f1]pre-shared-key simple 123456
[f2-ike-peer-f1]remote-name f1
[f2-ike-peer-f1]local-address 1.1.2.1
[f2]ike local-name f2
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
Apply:
[f2]inter eth0/1
[f2-Ethernet0/1]ipsec policy policy1
Create the access control list (on f1):
[f1]acl number 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
Security proposal:
[f1]ipsec proposal tran1
[f1-ipsec-proposal-tran1]encap
[f1-ipsec-proposal-tran1]encapsulation-mode tunnel
[f1-ipsec-proposal-tran1]transform esp
[f1-ipsec-proposal-tran1]esp encry
[f1-ipsec-proposal-tran1]esp encryption-algorithm des
[f1-ipsec-proposal-tran1]esp auth
[f1-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f1]ike peer f2
[f1-ike-peer-f2]exchange-mode aggressive
[f1-ike-peer-f2]id-type name
[f1-ike-peer-f2]remote-address 1.1.2.1
[f1-ike-peer-f2]remote-name f2
Pre-shared key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Security policy:
[f1-ike-peer-f2]quit
[f1]ipsec policy policy1 10 isakmp
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
[f1-ipsec-policy-isakmp-policy1-10]quit
Apply:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Set the interface to obtain its address automatically:
[f1]inter eth0/1
[f1-Ethernet0/1]ip ?
address 設置接口的IP地址
fast-forwarding 快轉開關信息
policy 使能策略路由
relay 中繼
urpf 單播反向路徑查找功能
[f1-Ethernet0/1]ip address ?
X.X.X.X IP地址
bootp-alloc 使用BOOTP協商分配IP地址
dhcp-alloc 使用DHCP協商分配IP地址
[f1-Ethernet0/1]ip address dhcp-alloc
[f1-Ethernet0/1]
%2012/12/13 00:51:52:687 f1 IFNET/4/UPDOWN:鏈路協議在接口Ethernet0/1上狀態變爲UP
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback
[f1]ip route 0.0.0.0 0 1.1.1.2
Switch configuration:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway-vlan20]quit
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 12:10:27 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Configure the DHCP server:
[Quidway]dhcp server ip-pool f1
[Quidway-dhcp-f1]network 1.1.1.0 mask 255.255.255.0
[Quidway-dhcp-f1]gateway-list 1.1.1.2
Test:
[f1]ping -a 192.168.1.254 192.168.2.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.2.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.2.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
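Both sections above depend on f1 and f2 being configured as mirror images; the "polict1" typo and the "No such policy exists." reply show how easily one side drifts. As an added example that is not part of the lab notes, the Python checker below parses the command lines of both firewalls and reports the mismatches that keep the SA from coming up (non-mirrored ACL 3000 rules, differing proposal parameters, pre-shared key or exchange mode, and remote-name/local-name pairs that do not line up in aggressive mode), and flags the DES/MD5 algorithms the lab uses. The input is constructed from the aggressive-mode section; the `[f1]ike local-name f1` line is my assumption, since the notes show `ike local-name` only on f2.

```python
import re
# Constructed input from the notes' aggressive-mode section; "[f1]ike local-name f1" is an
# assumption, since the notes show ike local-name only on f2.
F1_CFG = """[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-ipsec-proposal-tran1]encapsulation-mode tunnel
[f1-ipsec-proposal-tran1]esp encryption-algorithm des
[f1-ipsec-proposal-tran1]esp authentication-algorithm md5
[f1-ike-peer-f2]exchange-mode aggressive
[f1-ike-peer-f2]remote-name f2
[f1-ike-peer-f2]pre-shared-key simple 123456
[f1]ike local-name f1"""
F2_CFG = """[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-ipsec-proposal-tran1]encapsulation-mode tunnel
[f2-ipsec-proposal-tran1]esp encryption-algorithm des
[f2-ipsec-proposal-tran1]esp authentication-algorithm md5
[f2-ike-peer-f1]exchange-mode aggressive
[f2-ike-peer-f1]pre-shared-key simple 123456
[f2-ike-peer-f1]remote-name f1
[f2]ike local-name f2"""

PATTERNS = {"encap": r"encap\S* (\S+)", "encrypt": r"esp encr\S* (\S+)",  # full keyword or VRP abbreviation
            "auth": r"esp auth\S* (\S+)", "mode": r"exchange-mode (\S+)",
            "psk": r"pre-shared-key (?:simple |cipher )?(\S+)", "remote_name": r"remote-name (\S+)",
            "local_name": r"ike local-name (\S+)"}
RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) dest\S* (\S+) (\S+)")

def parse(text):
    cfg = {"acl": set(), "mode": "main"}  # main mode is the VRP default when none is set
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]", "", raw).strip()  # drop the "[f1-...]" view prompt
        if m := RULE.match(line):
            cfg["acl"].add(m.groups())
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                cfg[key] = m.group(1)
    return cfg

def check(a, b, a_name="f1", b_name="f2"):
    out = []
    if a["acl"] != {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}:  # peer's rule must be ours reversed
        out.append("ACL permit rules are not mirror images of each other")
    for key in ("encap", "encrypt", "auth", "mode", "psk"):
        if a.get(key) != b.get(key):
            out.append(f"{key} differs: {a_name}={a.get(key)} {b_name}={b.get(key)}")
    names_ok = a.get("remote_name") == b.get("local_name") and b.get("remote_name") == a.get("local_name")
    if a["mode"] == "aggressive" and not names_ok:  # with id-type name, peers are matched by these names
        out.append("remote-name does not match the peer's ike local-name")
    for dev, cfg in ((a_name, a), (b_name, b)):
        if weak := {"des", "md5"} & {cfg.get("encrypt"), cfg.get("auth")}:
            out.append(f"{dev}: weak algorithms ({', '.join(sorted(weak))}); prefer AES and SHA-2")
    return out
```

Running `check(parse(F1_CFG), parse(F2_CFG))` on the lab's own values reports only the weak-algorithm findings; changing one side's key, remote-name or ACL destination produces the corresponding mismatch.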