通辽做网站制作公司免费行情软件app网站mnw下载

实验说明

使用Ensp模拟器实现IPsec隧道实验。IPSec是一种VPN技术，配置的思路首先是两个网络先通，然后配置ACL、IEK和IPSec对等体，从而建立VPN隧道。

实验拓扑

配置过程

1 配置IP地址以及OSPF路由

# 配置中使用了简写命令，不熟悉的可通过Tab补齐
# AR1 路由配置
[Huawei]system-view
[Huawei]sysname AR1
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]ip ad 192.168.10.254 24
[AR1-GigabitEthernet0/0/1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip ad 100.0.0.1 30
[AR1]ospf 1 
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 192.168.10.254 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3# ISP 路由配置
[Huawei]system-view
[Huawei]sysname ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip ad 100.0.0.2 30
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip ad 200.0.0.2 30
[ISP-GigabitEthernet0/0/1]ospf 1
[ISP-ospf-1]area 0
[ISP-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[ISP-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3# AR2 路由配置
[Huawei]system-view
[Huawei]sys AR2
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip ad 192.168.20.254 24
[AR2-GigabitEthernet0/0/1]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip ad 200.0.0.1 30
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.3
[AR2-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255

2 测试两台PC连通性

PC>ipconfigLink local IPv6 address...........: fe80::5689:98ff:fe71:6be9
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.254
Physical address..................: 54-89-98-71-6B-E9
DNS server........................:PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.10.1: bytes=32 seq=2 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=3 ttl=125 time=16 ms
From 192.168.10.1: bytes=32 seq=4 ttl=125 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=125 time=15 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted4 packet(s) received20.00% packet lossround-trip min/avg/max = 0/23/31 ms

3 配置IPSec

这个过程有三个步骤：

1. 创建ACL描述需要加密的流量匹配规则，被ACL匹配的流量就被加密
2. 创建IKE提议，使用默认即可
3. 创建IPSec提议，使用默认即可
4. 创建IKE对等体，把IKE提议加进入，配置对端IP和密码
5. 创建IPSec对等体，把ACL和IKE对等体、IPSec提议加进去就行了

3.1 创建ACL

这里要记住ACL的编号是3000

# AR1 路由配置
[AR1]acl 3000
[AR1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# 这条acl的意思是允许左边流量到右边
# 同样，我们还需要配置对端流量，即右边到左边的# AR2 路由配置
[AR2]acl 3000
[AR2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

3.2 创建IKE提议

两边路由都创建序号为1的提议，使用默认配置。如果你需要自定义，可以通过?查看可以配置的内容，如认证方式和认证算法等。

[AR1]ike proposal 1	
[AR1-ike-proposal-1]dis ike proposal # 查看默认配置Number of IKE Proposals: 2-------------------------------------------IKE Proposal: 1Authentication method      : pre-sharedAuthentication algorithm   : SHA1Encryption algorithm       : DES-CBCDH group                   : MODP-768SA duration                : 86400PRF                        : PRF-HMAC-SHA
-------------------------------------------# AR2 路由配置
[AR2]ike proposal 1
[AR2-ike-proposal-1]dis ike proposal Number of IKE Proposals: 2-------------------------------------------IKE Proposal: 1Authentication method      : pre-sharedAuthentication algorithm   : SHA1Encryption algorithm       : DES-CBCDH group                   : MODP-768SA duration                : 86400PRF                        : PRF-HMAC-SHA
--------------------------------------------------------------------------------------IKE Proposal: DefaultAuthentication method      : pre-sharedAuthentication algorithm   : SHA1Encryption algorithm       : DES-CBCDH group                   : MODP-768SA duration                : 86400PRF                        : PRF-HMAC-SHA
-------------------------------------------

3.3创建IPSec提议

创建IPSec提议，名称为ipsec_proposal，使用默认配置。同样，你可以自定义他的加密算法等，默认使用DES。

# AR1 路由配置
[AR1]ipsec proposal ipsec_proposal
[AR1-ipsec-proposal-ipsec_proposal]dis ipsec proposalNumber of proposals: 1IPSec proposal name: ipsec_proposal                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication MD5-HMAC-96                             Encryption     DES# AR2 路由配置
[AR2]ipsec proposal ipsec_proposal
[AR2-ipsec-proposal-ipsec_proposal]dis ips propoNumber of proposals: 1IPSec proposal name: ipsec_proposal                            Encapsulation mode: Tunnel                            Transform         : esp-newESP protocol      : Authentication MD5-HMAC-96                             Encryption     DES

3.4 创建 IKE对等体

创建名为ike_peer的对等体，把ike-proposal 1 加进去

# AR1 路由配置
[AR1]ike peer ike_peer v1
[AR1-ike-peer-ike_peer]pre-shared-key simple huawei	# 配置密码，两边要一样
[AR1-ike-peer-ike_peer]ike-proposal 1				# 配置ike提议
[AR1-ike-peer-ike_peer]remote-address 200.0.0.1		# 配置对端IP# AR2 路由配置
[AR2]ike peer ike_peer v1
[AR2-ike-peer-ike_peer]pre-shared-key simple huawei
[AR2-ike-peer-ike_peer]ike-proposal 1
[AR2-ike-peer-ike_peer]remote-address 100.0.0.1

3.5创建IPSec策略

# AR1 路由配置
[AR1]ipsec policy ipsec_policy 10 isakmp 
[AR1-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000			# 添加ACL 3000
[AR1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer			# 添加ike peer
[AR1-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal	# 添加ipsec proposal# AR2 路由配置
[AR2]ipsec policy ipsec_policy 10 isakmp 
[AR2-ipsec-policy-isakmp-ipsec_policy-10]ike-peer ike_peer
[AR2-ipsec-policy-isakmp-ipsec_policy-10]security acl 3000
[AR2-ipsec-policy-isakmp-ipsec_policy-10]proposal ipsec_proposal 

3.6在路由出口处配置ipsec策略

# AR1 路由配置
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy ipsec_policy # AR2 路由配置
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ipsec policy ipsec_policy

抓包测试

两台PC相互Ping，抓包结果如下：

这个ESP包就是对IP加密后的报文。