VPN, Networking

IPsec VPN Configuration

Environment:

The three routers are connected as shown in the figure below. R3 is configured with IP addresses only and no routing information; R1 and R2 are configured with a default route pointing to R3. Requirements: 1. Configure IPsec VPN on R1 and R2 so that PC1 and PC2 can reach each other. 2. Allow the branch office and the head office to access the Internet through NAT.

The configuration of router R1 is as follows:

<R1>dis current-configuration 
[V200R003C00]
#
 sysname R1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3000  
 rule 5 permit ip source 10.1.1.2 0 destination 10.1.2.2 0 
acl number 3003  
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 100.100.100.100 0 
#
ipsec proposal ipsecp
 transform ah-esp
 ah authentication-algorithm sha1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike peer T22 v2
 pre-shared-key cipher %$%${"@cGFyLlVmL@4G,4=J.,.2n%$%$
 ike-proposal 1
 remote-address 202.138.164.2
#
ipsec policy ipsecp 1 isakmp
 security acl 3000
 ike-peer T22
 proposal ipsecp
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0 
 ipsec policy ipsecp
 nat outbound 3003
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 202.138.163.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R1> 

The configuration of router R2 is as follows:

<R2>dis current-configuration 
[V200R003C00]
#
 sysname R2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3002  
 rule 5 permit ip source 10.1.2.2 0 destination 10.1.1.2 0 
acl number 3003  
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 100.100.100.100 0 
#
ipsec proposal ipsecp2
 transform ah-esp
 ah authentication-algorithm sha1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 2
 encryption-algorithm 3des-cbc
#
ike peer T21 v2
 pre-shared-key cipher %$%${"@cGFyLlVmL@4G,4=J.,.2n%$%$
 ike-proposal 2
 remote-address 202.138.163.1
#
ipsec policy ipsecp2 2 isakmp
 security acl 3002
 ike-peer T21
 proposal ipsecp2
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.1.2.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.138.164.2 255.255.255.0 
 ipsec policy ipsecp2
 nat outbound 3003
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 202.138.164.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

The configuration of router R3 is as follows:

<R3>dis cur
[V200R003C00]
#
 sysname R3
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 202.138.163.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.138.164.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 100.100.100.100 255.255.255.0 
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

The packet capture on router R3 is shown in the figure below; you can see that the packets have been encapsulated as ESP.

Summary:

  • This lab used the AR3260 router model in the eNSP simulator; other models may have problems and fail to establish the IPsec SA.
  • The IKE proposal number, IPsec proposal name and IKE peer name on R1 and R2 do not have to match, as long as the corresponding encryption and authentication algorithms are the same.
  • Use dis ike sa v2 to view the SA information; normally both phases should appear.
  • If the ACL ranges at the two ends of the IKE peer are inconsistent, the IKE SA cannot be formed.
  • The SM3 data authentication algorithm may not be usable in eNSP.
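The summary points out that proposal numbers and names may differ between R1 and R2 as long as the algorithms match, and that inconsistent ACLs keep the IKE SA from forming. The script below is an added example, not part of the original post: it follows the ipsec policy references in reduced excerpts of the R1 and R2 configurations above and reports the mismatches that would stop the tunnel. The ";"-joined layout and the fixed token positions read from the ACL rule line are assumptions of this sample, not a general VRP parser.

```python
import re
# Constructed excerpts of the R1 and R2 configurations from this post, reduced to
# the lines the check reads and joined with ";" so the sample stays short.
R1 = ("acl number 3000; rule 5 permit ip source 10.1.1.2 0 destination 10.1.2.2 0;"
      "ipsec proposal ipsecp; transform ah-esp; ah authentication-algorithm sha1;"
      "esp authentication-algorithm sha1; esp encryption-algorithm 3des; ike proposal 1;"
      "encryption-algorithm 3des-cbc; ike peer T22 v2; ike-proposal 1; remote-address 202.138.164.2;"
      "ipsec policy ipsecp 1 isakmp; security acl 3000; ike-peer T22; proposal ipsecp;"
      "interface GigabitEthernet0/0/1; ip address 202.138.163.1 255.255.255.0; ipsec policy ipsecp")
R2 = ("acl number 3002; rule 5 permit ip source 10.1.2.2 0 destination 10.1.1.2 0;"
      "ipsec proposal ipsecp2; transform ah-esp; ah authentication-algorithm sha1;"
      "esp authentication-algorithm sha1; esp encryption-algorithm 3des; ike proposal 2;"
      "encryption-algorithm 3des-cbc; ike peer T21 v2; ike-proposal 2; remote-address 202.138.163.1;"
      "ipsec policy ipsecp2 2 isakmp; security acl 3002; ike-peer T21; proposal ipsecp2;"
      "interface GigabitEthernet0/0/1; ip address 202.138.164.2 255.255.255.0; ipsec policy ipsecp2")
HEAD = re.compile(r"^(acl number|ipsec proposal|ike proposal|ike peer|interface) |^ipsec policy .* isakmp$")

def parse(cfg):
    """Group the flattened VRP lines into {section header: [sub-commands]}."""
    blocks, cur = {}, None
    for line in filter(None, (l.strip() for l in cfg.split(";"))):
        if HEAD.match(line):
            cur, blocks[line] = line, []
        elif cur is not None:
            blocks[cur].append(line)
    return blocks
def arg(lines, prefix):
    """Tokens following the first sub-command that starts with prefix."""
    return next(l[len(prefix):].split() for l in lines if l.startswith(prefix + " "))
def tunnel_params(cfg):
    """Follow the 'ipsec policy' references to the values both peers must agree on."""
    b = parse(cfg)
    pol_head, pol = next(kv for kv in b.items() if kv[0].startswith("ipsec policy "))
    rule = arg(b["acl number " + arg(pol, "security acl")[0]], "rule")  # rule 5 permit ip source S W destination D W
    peer = next(v for k, v in b.items() if k.startswith("ike peer %s " % arg(pol, "ike-peer")[0]))
    local = next(arg(v, "ip address")[0] for v in b.values()
                 if "ipsec policy " + pol_head.split()[2] in v)  # interface the policy is applied to
    return {"src": tuple(rule[4:6]), "dst": tuple(rule[7:9]),
            "ipsec": frozenset(b["ipsec proposal " + arg(pol, "proposal")[0]]),
            "ike": frozenset(b["ike proposal " + arg(peer, "ike-proposal")[0]]),
            "local": local, "remote": arg(peer, "remote-address")[0]}
def check(cfg_a, cfg_b):
    """Return the mismatches that would keep the IKE/IPsec SA from coming up."""
    p, q = tunnel_params(cfg_a), tunnel_params(cfg_b)
    tests = [((p["src"], p["dst"]) == (q["dst"], q["src"]), "security ACLs are not mirror images"),
             (p["ipsec"] == q["ipsec"] and p["ike"] == q["ike"], "IPsec/IKE proposal algorithms differ"),
             ((p["remote"], q["remote"]) == (q["local"], p["local"]), "remote-address does not match peer")]
    return [msg for ok, msg in tests if not ok]
print(check(R1, R2))  # []
```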
