IPSec (Internet Protocol Security) is an open-standard security framework used to guarantee the confidentiality, integrity and anti-replay protection of IP datagrams transmitted over a network.
Confidentiality: data is encrypted and transmitted as ciphertext.
Integrity: received data is authenticated to determine whether the packet has been tampered with.
Anti-replay: prevents a malicious user from mounting an attack by resending captured packets; duplicate packets are rejected.
IPSec architecture:
IPSec uses two security protocols, AH and ESP, to transmit IP datagrams securely. ESP is generally used because it provides encryption.
IKE protocol: automatically negotiates the encryption algorithms used by AH and ESP, performs key negotiation, and establishes and maintains security associations (SAs).
Security Association (SA)
An SA defines the parameters the IPSec peers will use: the data encapsulation mode, the authentication and encryption algorithms, the keys, and so on.
An SA is unidirectional; bidirectional communication between two peers requires at least two SAs.
An SA is uniquely identified by a triple: the Security Parameter Index (SPI), the destination IP address, and the security protocol (AH/ESP).
There are two ways to establish an SA:
Manual configuration
IKE dynamic negotiation
IPSec has two encapsulation modes: transport mode and tunnel mode.
Transport mode: the AH or ESP header sits between the IP header and the transport-layer header.
Tunnel mode: IPSec generates a new IP header and places it in front of the AH or ESP header.
IPSec VPN configuration steps:
1. Configure network reachability
2. Configure an ACL to identify the interesting traffic
3. Create a security proposal: define the security protocol, authentication algorithm, encryption algorithm and encapsulation mode used to protect the data flow
4. Create a security policy: either a policy that establishes the SA manually or one that establishes it through IKE negotiation
5. Apply the security policy
Configuration example: manual mode
Definitions
Encryption points: 61.128.1.1 --> 202.100.1.1
Communication points: 172.16.1.0/24 --> 10.1.1.0/24
Configuration on AR2
### Configure the default route
[AR2]ip route-static 0.0.0.0 0 61.128.1.10
[AR2]dis ip routing-table | include 61.128.1.10
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 61.128.1.10 GigabitEthernet0/0/1
## Configure the ACL and the interesting traffic
[AR2]acl 3000
[AR2-acl-adv-3000]rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[AR2-acl-adv-3000]
## Create the security proposal; the algorithms can be customized or left at their defaults
[AR2]ipsec proposal transAR2
[AR2-ipsec-proposal-transAR2]di th
[V200R003C00]
#
ipsec proposal transAR2
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
return
[AR2-ipsec-proposal-transAR2]
### View the security proposal
[AR2]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: transAR2
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-512
Encryption AES-256
### Create the IPsec SA (manual security policy)
[AR2]ipsec policy AR2-policy 10 manu
[AR2]ipsec policy AR2-policy 10 manual
[AR2-ipsec-policy-manual-AR2-policy-10]di th
[V200R003C00]
#
ipsec policy AR2-policy 10 manual
security acl 3000
proposal transAR2
tunnel local 61.128.1.1
tunnel remote 202.100.1.1
sa spi inbound esp 12345
sa string-key inbound esp simple huayun
sa spi outbound esp 54321
sa string-key outbound esp simple huayun
#
return
[AR2-ipsec-policy-manual-AR2-policy-10]q
[AR2]dis ipsec policy brief
Number of policies group : 2
Number of policies : 2
Policy name Mode ACL Peer name Local address Remote address
--------------------------------------------------------------------------------
AR2-policy-10 manual 3000 61.128.1.1 202.100.1.1
[AR2]dis ipsec policy name AR2-policy
===========================================
IPSec policy group: "AR2-policy"
Using interface: GigabitEthernet0/0/1
===========================================
Sequence number: 10
Security data flow: 3000
Tunnel local address: 61.128.1.1
Tunnel remote address: 202.100.1.1
Qos pre-classify: Disable
Proposal name:transAR2
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huayun
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huayun
ESP encryption hex key:
ESP authentication hex key:
[AR2]
[AR2]
### Apply the policy on the interface
[AR2]di ip inter brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.1.254/24 up up
GigabitEthernet0/0/1 61.128.1.1/24 up up
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
[AR2]inter g 0/0/1
[AR2-GigabitEthernet0/0/1]di th
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 61.128.1.1 255.255.255.0
ipsec policy AR2-policy
#
return
[AR2-GigabitEthernet0/0/1]
### Configuration on AR4
## Configure the default route
[AR4]
[AR4]ip route-static 0.0.0.0 0 202.100.1.10
<AR4>di ip routing-table | include 202.100.1.10
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.100.1.10 GigabitEthernet0/0/0
## Configure the ACL
[AR4]dis acl all
Total quantity of nonempty ACL number is 1
Advanced ACL 3000, 1 rule
Acls step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
### View the security proposal
[AR4]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: transAR4
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-512
Encryption AES-256
[AR4]ipsec proposal transAR4
[AR4-ipsec-proposal-transAR4]di th
[V200R003C00]
#
ipsec proposal transAR4
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
return
[AR4-ipsec-proposal-transAR4]q
### View the SA contents
[AR4]dis ipsec policy brief
Number of policies group : 1
Number of policies : 1
Policy name Mode ACL Peer name Local address Remote address
--------------------------------------------------------------------------------
AR4-policy-10 manual 3000 202.100.1.1 61.128.1.1
### SA configuration
[AR4]ipsec policy AR4-policy 10 manual
[AR4-ipsec-policy-manual-AR4-policy-10]di th
[V200R003C00]
#
ipsec policy AR4-policy 10 manual
security acl 3000
proposal transAR4
tunnel local 202.100.1.1
tunnel remote 61.128.1.1
sa spi inbound esp 54321
sa string-key inbound esp simple huayun
sa spi outbound esp 12345
sa string-key outbound esp simple huayun
#
return
[AR4-ipsec-policy-manual-AR4-policy-10]q
[AR4]dis ipsec policy name AR4-policy
===========================================
IPSec policy group: "AR4-policy"
Using interface: GigabitEthernet0/0/0
===========================================
Sequence number: 10
Security data flow: 3000
Tunnel local address: 202.100.1.1
Tunnel remote address: 61.128.1.1
Qos pre-classify: Disable
Proposal name:transAR4
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huayun
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huayun
ESP encryption hex key:
ESP authentication hex key:
### Enter the interface and apply the policy
[AR4]dis ip inter brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 202.100.1.1/24 up up
GigabitEthernet0/0/1 10.1.1.254/24 up up
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
[AR4]inter g 0/0/0
[AR4-GigabitEthernet0/0/0]di th
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 202.100.1.1 255.255.255.0
ipsec policy AR4-policy
#
return
[AR4-GigabitEthernet0/0/0]
Verify from the PC hosts
### View the status
<AR2>dis ipsec statistics esp
Inpacket count : 18
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 25
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
<AR2>
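The counters above (PktInSAMissDrop, PktDuplicateDrop, PktSeqNoTooSmallDrop) come from two mechanisms described earlier: the SA is located by its (SPI, destination IP, protocol) triple, and the anti-replay check rejects duplicates and stale sequence numbers. The following Python model of that inbound ESP receive path is an added example, not code from these notes or from Huawei; the 64-packet window (RFC 4303 sliding window) and the packet trace are constructed, while the SPI and address reuse AR2's inbound SA from the lab above.

```python
# Added example (not Huawei's code): SA lookup by the (SPI, dst IP, protocol) triple plus an RFC 4303 anti-replay window.
from collections import Counter
from dataclasses import dataclass

WINDOW = 64  # anti-replay window in packets (RFC 4303 requires at least 32); constructed choice
@dataclass
class InboundSA:
    spi: int
    dst: str
    proto: str = "esp"
    highest_seq: int = 0  # highest sequence number accepted so far
    bitmap: int = 0       # bit i set => packet highest_seq - i already seen

    def check_and_update(self, seq: int) -> str:  # 'accept' | 'duplicate' | 'too_small'
        if seq == 0:
            return "too_small"  # the first packet on an ESP SA carries seq 1
        if seq > self.highest_seq:  # right of the window: slide it forward
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return "accept"
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            return "too_small"  # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "duplicate"  # already seen inside the window
        self.bitmap |= 1 << diff
        return "accept"

class SADB:
    # Inbound SA table keyed by the triple; stats mirror 'dis ipsec statistics esp'.
    def __init__(self, sas):
        self.table = {(sa.spi, sa.dst, sa.proto): sa for sa in sas}
        self.stats = Counter()

    def receive(self, spi: int, dst: str, seq: int) -> str:
        sa = self.table.get((spi, dst, "esp"))
        if sa is None:
            self.stats["PktInSAMissDrop"] += 1
            return "drop"
        verdict = sa.check_and_update(seq)
        self.stats[{"accept": "Inpacket", "duplicate": "PktDuplicateDrop",
                    "too_small": "PktSeqNoTooSmallDrop"}[verdict]] += 1
        return "accept" if verdict == "accept" else "drop"

def demo():
    db = SADB([InboundSA(spi=12345, dst="61.128.1.1")])  # AR2's inbound SA from the lab above
    trace = [(12345, 1), (12345, 2), (12345, 2), (12345, 70), (12345, 3), (54321, 4)]  # constructed
    verdicts = [db.receive(spi, "61.128.1.1", seq) for spi, seq in trace]
    return verdicts, dict(db.stats)
```

In the constructed trace the replayed seq 2 is a duplicate drop, seq 3 arriving after seq 70 has slid the window is a too-small drop, and SPI 54321 (AR2's outbound SPI, never installed inbound) is an SA miss.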
Auto-negotiation (IKE) mode