H3C MSR Series Routers IPsec Typical Configuration Examples (V7)


H3C / Huawei Router Configuration Examples


Written by Peter in January 2021. Configuring NAT on the WAN interface is basically all that is needed. The configuration below assumes that Ethernet0/0 is the LAN interface and Ethernet0/1 is the WAN interface.

1. Configure the LAN interface (Ethernet0/0):
[MSR20-20] interface Ethernet0/0
[MSR20-20-Ethernet0/0] ip add 24

2. Assign addresses to the PCs on the LAN dynamically (DHCP):
[MSR20-20] dhcp server ip-pool 1
[MSR20-20-dhcp-pool-1] network 24
[MSR20-20-dhcp-pool-1] dns-list
[MSR20-20-dhcp-pool-1] gateway-list

3. Configure NAT:
[MSR20-20] nat address-group 1 <public IP> <public IP>
[MSR20-20] acl number 3000
[MSR20-20-acl-adv-3000] rule 0 permit ip

4. Configure the WAN interface (Ethernet0/1):
[MSR20-20] interface Ethernet0/1
[MSR20-20-Ethernet0/1] ip add <public IP>
[MSR20-20-Ethernet0/1] nat outbound 3000 address-group 1

5. Add a default route:
[MSR20-20] ip route-static 0.0.0.0 0.0.0.0 <WAN gateway>

Summary: on the 2020 router, configure the WAN interface, configure the LAN interface, configure an ACL for NAT, and add one default route pointing to the ISP (China Telecom) gateway. Done!

Configuring console login authentication. Keywords: MSR; console. 1. Network requirements: a user logging in from the console must enter the configured username h3c and the corresponding password h3c; login succeeds only when both are correct.

2. Network diagram: 3. Configuration steps: device and version: MSR series, version R1508P02. Key points: 1) the address pool must be contiguous; 2) perform the translation on the egress interface; 3) a default route usually needs to be configured.

Configuring IPsec tunnels with PKI authentication on MSR series routers (study material)

#
// IPsec proposal, i.e. the security proposal
ipsec proposal default
#
// IPsec policy
ipsec policy msr1 1 isakmp
sec default
#
// ACL defining the traffic to be protected
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Ethernet0/0
port link-mode route
ip address 1.1.1.2 255.255.255.0

%Dec 20 21:02:29:02 2006 2 PKI/4/Local_Cert_Request:Request local certificate of
// The message above indicates that the local certificate was obtained successfully. Step three: retrieve the CRL, which lets you check whether certificates signed by the same CA have expired.
[MSR2]pki retrieval-crl domain h3c
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
[MSR2]
%Dec 20 21:03:59:211 2006 MSR2 PKI/4/Update_CRL:Update CRL of the domain h3c succ
%Dec 20 21:03:59:212 2006 MSR2 PKI/4/Retrieval_CRL:Retrieval CRL of the domain h3
[MSR2]
// Display the CA certificate
[MSR2]dis pki cert ca d h3c
Certificate:

#
// Define IKE proposal 1 (sequence number 1 has the highest priority), authenticated with RSA signatures
ike proposal 1
authentication-method rsa-signature
#
// PKI entity msr2
pki entity msr2

H3C MSR Series Routers Configuration Guide 13 - WLAN Configuration Guide

H3C MSR Series Routers WLAN Configuration Guide (V5)
Hangzhou H3C Technologies Co., Ltd. Document version: 20121214-C-1.12 Product version: MSR-CMW520-R2311
Copyright © 2006-2012 Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved.
Lines beginning with "#" are comment lines.
2. Symbols. This book also uses a number of conspicuous symbols to mark points that need special attention during operation. Their meanings are as follows:
The note following this symbol requires particular attention; improper operation may cause personal injury.
Reminds you of points to note during operation; improper operation may cause data loss or equipment damage.
Operations or information that need special attention to ensure the device is configured successfully or works normally.
Necessary supplements and explanations of the operation described.
Techniques and tips for configuring, operating or using the device.
{ x | y | ... }: select exactly one of the options.
[ x | y | ... ]: select one of the options, or none.
{ x | y | ... } *: select at least one of the options.
[ x | y | ... ] *: select one, several, or none of the options.
&<1-n>: the parameter before & can be entered 1 to n times.
3. Icon conventions. The icons used in this book and their meanings are as follows:
This icon and its accompanying text represent a generic network device, such as a router, switch or firewall. This icon and its accompanying text represent a router in the general sense, as well as other devices running routing protocols.
This icon and its accompanying text represent Layer 2 and Layer 3 Ethernet switches, as well as devices running Layer 2 protocols.
4. Port numbering convention in examples. The port numbers appearing in this manual are examples only and do not mean that the device actually has ports with these numbers; in practice, use the port numbers that exist on your device.

H3C MSR Series Routers Typical Configuration Examples (V7)-6W100-Complete Manual


1 Guide to the typical configuration examples. The H3C MSR Series Routers Typical Configuration Examples (V7) comprise 63 documents describing typical configuration examples for software features of MSR series routers running Comware V7; each covers network requirements, configuration steps, configuration verification and configuration files.

1.1 Applicable models. This manual applies to the following MSR series router models:
MSR 5600: MSR 56-60, MSR 56-80
MSR 3600: MSR 36-10, MSR 36-20, MSR 36-40, MSR 36-60, MSR3600-28, MSR3600-51
MSR 2600: MSR 26-30
1.2 Overview. Support for the features in the typical configuration examples depends on the MSR router model. For details of feature support, see the H3C MSR Series Routers Configuration Guide (V7) and the H3C MSR Series Routers Command Reference (V7).

The manual contains the following documents, each titled "H3C MSR Series Routers ... Typical Configuration Example (V7)":
1 Upgrading software as a TFTP client
2 Upgrading software as an FTP client
3 Upgrading software as an FTP server
4 Upgrading software through Boot ROM TFTP
5 Intranet users accessing an external network with overlapping addresses through NAT
6 Intranet users accessing an internal server through a NAT address
7 Internal server load sharing
8 NAT DNS mapping
9 Scheduled task execution
10 RBAC
11 Ethernet link aggregation
12 Port isolation
13 VLAN
14 QinQ
15 PPP
16 Establishing an LAC-Auto-Initiated mode L2TP tunnel
17 Establishing a Client-Initiated mode L2TP tunnel
18 L2TP multi-instance
19 L2TP multi-domain access
20 L2TP over IPsec
21 AAA
22 802.1X local authentication
23 802.1X with a RADIUS server
24 IPsec
25 Portal
26 SSH
27 OSPF
28 IS-IS
29 OSPFv3
30 IPv6 IS-IS
31 BGP basics
32 Routing policy
33 Policy-based routing
34 Tcl scripts
35 GRE combined with OSPF
36 IPv6 over IPv4 GRE tunnel
37 ISATAP combined with 6to4
38 IPv6 manual tunnel + OSPFv3
39 Authorized ARP
40 ARP attack protection
41 ACL
42 Traffic policing
43 Traffic shaping
44 Applying QoS policies on the control plane
45 IGMP Snooping
46 IGMP
47 Multicast VPN
48 MPLS basics
49 MPLS L3VPN
50 HoVPN
51 MPLS TE
52 MPLS OAM
53 Reverse Telnet as a redirect server
54 BFD
55 VRRP
56 SNMP
57 Sampler combined with IPv4 NetStream
58 NQA
59 EAA monitoring policy
60 NTP
61 RMON statistics
62 Terminal flow access with flow-connection application
63 Terminal TCP access with TCP-connection application

H3C MSR Series Routers: Upgrading Software as a TFTP Client Typical Configuration Example (V7). Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

MSR series routers: configuring IPsec on a PPPoE dial-up interface (case study)


Configuring IPsec on a dial-up interface of MSR series routers. Keywords: MSR; PPP; PAP; PPPoE; Client; Server; Dialer; IPSec; IKE
1. Network requirements:
The PPPoE Client and PPPoE Server establish a dial-up session over PPPoE. Both sides configure an IPsec policy on the dialer interface and on the virtual template respectively, so that the private data exchanged between them is encrypted in transit.
Equipment: 2 MSR series routers
2. Network diagram:
3. Configuration steps:
Device and version: MSR series, Version 5.20, Release 1509
4. Key configuration points:
1) For the PPPoE Client and PPPoE Server configuration, see "Configuring the PPPoE Client function on MSR series routers"; for PAP authentication, see the typical PPP authentication configuration;
2) When the PPPoE Server does not assign an authentication domain to PPP users, the address pool is configured in system view;
3) The IKE initiator (PPPoE Client) must specify the address of the responder (PPPoE Server);
4) The IKE responder (PPPoE Server) may specify the address range the peer belongs to;
5) Apart from the IKE peer part, the IPsec configuration can follow "Configuring IPsec + IKE on MSR series routers";
6) The initiator's and responder's IPsec policies are bound to Dialer0 and Virtual-Template0 respectively;
7) Both sides use static routes to steer the internal traffic into Dialer0 and Virtual-Template0.

Huawei routers: configuring IPsec


Contents
7 Configuring IPsec 7-1
7.1 Overview 7-2
7.1.1 IPsec overview 7-2
7.1.2 Certificate-based IPsec 7-2
Document version 02 (2008-12-15)
Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.
Secoway USG50 Configuration Guide, Security Volume
7.5.3 Configuring certificate verification 7-21
7.5.4 Checking the configuration result 7-21
7.6 Maintenance 7-21
7.6.1 Displaying IPsec packet processing statistics 7-21
7.6.2 Debugging IPsec 7-21
7.6.3 Debugging IKE 7-22
7.6.4 Deleting IKE SAs 7-22
7.6.5 Deleting SAs 7-22
7.6.6 Clearing IPsec packet statistics 7-23
7.6.7 Maintaining the low-speed encryption card 7-23
7.6.8 Maintaining the CA 7-24
7.7 Configuration examples 7-25
7.7.1 Example: establishing SAs in Manual mode 7-25
7.7.2 Example: establishing SAs with IKE (pre-shared key) 7-32
7.7.3 Example: establishing SAs with IKE (RSA signature) 7-39

H3C IPv6: IPsec + IKE aggressive mode typical network configuration case


Network description: this case uses the H3C HCL simulator to model a typical IPv6 IPsec IKE + aggressive mode configuration.

To secure data in transit, an IPsec VPN tunnel in aggressive mode is established between R1 and R2.

Finally, R1 and R2 are interconnected with the OSPFv3 routing protocol.

Configuration approach: 1. Configure IP addresses correctly according to the topology diagram; 2. Run OSPFv3 between R1 and R2; 3. Establish the VPN tunnel between R1 and R2 with IPsec IKE + aggressive mode.

Configuration process:

Stage one (basic network configuration):

SW1:
sys
System View: return to User View with Ctrl+Z.
[H3C]sysname SW1
[SW1]int loopback 0
[SW1-LoopBack0]ip address 3.3.3.3 32
[SW1-LoopBack0]quit
[SW1]ospfv3 1
[SW1-ospfv3-1]import-route direct
[SW1-ospfv3-1]router-id 3.3.3.3
[SW1-ospfv3-1]quit
[SW1]int gi 1/0/1
[SW1-GigabitEthernet1/0/1]port link-mode route
[SW1-GigabitEthernet1/0/1]des
[SW1-GigabitEthernet1/0/1]ipv6 address 3::2 64
[SW1-GigabitEthernet1/0/1]ospfv3 1 area 0
[SW1-GigabitEthernet1/0/1]quit

R1:
sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R1
[R1]int loopback 0
[R1-LoopBack0]ip address 1.1.1.1 32
[R1-LoopBack0]quit
[R1]ospfv3 1
[R1-ospfv3-1]router-id 1.1.1.1
[R1-ospfv3-1]import-route direct
[R1-ospfv3-1]quit
[R1]int gi 0/0
[R1-GigabitEthernet0/0]ipv6 address 1::1 64
[R1-GigabitEthernet0/0]ospfv3 1 area 0
[R1-GigabitEthernet0/0]quit
[R1]int s 1/0
[R1-Serial1/0]des
[R1-Serial1/0]ipv6 address 2::1 64
[R1-Serial1/0]ospfv3 1 area 0
[R1-Serial1/0]quit

R2:
sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R2
[R2]int loopback 0
[R2-LoopBack0]ip address 2.2.2.2 32
[R2-LoopBack0]quit
[R2]ospfv3 1
[R2-ospfv3-1]import-route direct
[R2-ospfv3-1]router-id 2.2.2.2
[R2-ospfv3-1]quit
[R2]int s 1/0
[R2-Serial1/0]des
[R2-Serial1/0]ipv6 address 2::2 64
[R2-Serial1/0]ospfv3 1 area 0
[R2-Serial1/0]quit
[R2]int gi 0/0
[R2-GigabitEthernet0/0]des
[R2-GigabitEthernet0/0]ipv6 address 3::1 64
[R2-GigabitEthernet0/0]ospfv3 1 area 0
[R2-GigabitEthernet0/0]quit

Stage one test: set the IP address on the physical host; the physical host can ping SW1.

Stage two (key IPsec + IKE aggressive mode configuration):

R1:
[R1]acl ipv6 advanced 3000
[R1-acl-ipv6-adv-3000]rule 0 permit ipv6 source 1::/64 destination 3::/64
[R1-acl-ipv6-adv-3000]quit
[R1]ike identity fqdn r1
[R1]ike proposal 1
[R1-ike-proposal-1]quit
[R1]ike keychain james
[R1-ike-keychain-james]pre-shared-key address ipv6 2::2 64 key simple james
[R1-ike-keychain-james]quit
[R1]ike profile james
[R1-ike-profile-james]keychain james
[R1-ike-profile-james]proposal 1
[R1-ike-profile-james]match remote identity address ipv6 2::2
[R1-ike-profile-james]exchange-mode aggressive
[R1-ike-profile-james]quit
[R1]ipsec transform-set james
[R1-ipsec-transform-set-james]protocol esp
[R1-ipsec-transform-set-james]encapsulation-mode tunnel
[R1-ipsec-transform-set-james]esp authentication-algorithm md5
[R1-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[R1-ipsec-transform-set-james]quit
[R1]ipsec ipv6-policy james 1 isakmp
[R1-ipsec-ipv6-policy-isakmp-james-1]security acl ipv6 3000
[R1-ipsec-ipv6-policy-isakmp-james-1]transform-set james
[R1-ipsec-ipv6-policy-isakmp-james-1]ike-profile james
[R1-ipsec-ipv6-policy-isakmp-james-1]remote-address ipv6 2::2
[R1-ipsec-ipv6-policy-isakmp-james-1]quit
[R1]int s 1/0
[R1-Serial1/0]ipsec apply ipv6-policy james
[R1-Serial1/0]quit

R2:
[R2]acl ipv6 advanced 3000
[R2-acl-ipv6-adv-3000]rule 0 permit ipv6 source 3::/64 destination 1::/64
[R2-acl-ipv6-adv-3000]quit
[R2]ike identity fqdn r2
[R2]ike proposal 1
[R2-ike-proposal-1]quit
[R2]ike keychain james
[R2-ike-keychain-james]pre-shared-key hostname r1 key simple james
[R2-ike-keychain-james]quit
[R2]ipsec transform-set james
[R2-ipsec-transform-set-james]protocol esp
[R2-ipsec-transform-set-james]encapsulation-mode tunnel
[R2-ipsec-transform-set-james]esp authentication-algorithm md5
[R2-ipsec-transform-set-james]esp encryption-algorithm des-cbc
[R2-ipsec-transform-set-james]quit
[R2]ike profile james
[R2-ike-profile-james]keychain james
[R2-ike-profile-james]proposal 1
[R2-ike-profile-james]match remote identity fqdn r1
[R2-ike-profile-james]exchange-mode aggressive
[R2-ike-profile-james]quit
[R2]ipsec ipv6-policy-template james 1
[R2-ipsec-ipv6-policy-template-james-1]security acl ipv6 3000
[R2-ipsec-ipv6-policy-template-james-1]ike-profile james
[R2-ipsec-ipv6-policy-template-james-1]transform-set james
[R2-ipsec-ipv6-policy-template-james-1]quit
[R2]ipsec ipv6-policy james 1 isakmp template james
[R2]int s 1/0
[R2-Serial1/0]ipsec apply ipv6-policy james
[R2-Serial1/0]quit

Stage two test: view R1's IPsec display information.

H3C V7 IPsec configuration


Configure the routers: assign the IP addresses of the interfaces as shown in the figure (details omitted).

Basic configuration B (isakmp): automatic IPsec negotiation

# RTA configuration
# Enter system view
<RouteA>system-view
# Create an ACL defining the traffic from subnet 20.x.x.x to subnet 30.x.x.x
[RouteA]acl number 3000
[RouteA-acl-adv-3000]rule permit ip source 20.0.0.0 0.255.255.255 destination 30.0.0.0 0.255.255.255
[RouteA-acl-adv-3000]quit
# Create IPsec transform set tran1.
[RouterA] ipsec transform-set tran1
# Set the encapsulation mode of the security protocol to tunnel mode.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Set the security protocol to ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Set the ESP encryption algorithm to DES and the authentication algorithm to HMAC-SHA1.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure IKE keychain keychain1.
[RouterA] ike keychain keychain1
# Configure the pre-shared key used with the peer at IP address 2.2.3.1 as plaintext abcd.
[RouterA-ike-keychain-keychain1] pre-shared-key address 10.1.1.2 255.255.255.0 key simple abcd
[RouterA-ike-keychain-keychain1] quit
# Create and configure IKE profile profile1.

H3C / Huawei IPsec configuration steps


Impressions from working on IPsec VPN (2010-10-11 14:06:48). I have been working here for two months.

There have been no big cases; most days I basically did not know what I was doing. Finally a case came along: setting up a VPN with Mexico. Over these two months I also read quite a few VPN books, waiting for a chance to put them into practice.

The chance came.

I completed the case carefully.

This article is only a personal summary.

I configured it in two phases, following the VPN interconnection table. The device is a HUAWEI EUDEMON 1000. Some settings are defaults, and the commands you configured are not shown by display curr.

1. Configure IKE, which requires an IKE proposal and an IKE peer.
1.1 Configure the IKE proposal (the encryption and authentication algorithms are all set here):
ike proposal 6
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
1.2 Configure the IKE peer:
ike peer mexico_morales
pre-shared-key 123456!AaFW
ike-proposal 6
remote-address *.*.*.*

2. Configure IPsec, which requires an IPsec proposal, an ACL and an IPsec policy.
2.1 Configure the IPsec proposal (the encryption and authentication algorithms are all set here):
ipsec proposal 6
esp authentication-algorithm sha1
esp encryption-algorithm 3des
2.2 Configure the ACL (the ACLs on the two sides must mirror each other):
acl number 3600
rule 15 permit ip source *.*.*.* 0 destination *.*.*.* 0
2.3 Configure the IPsec policy (the outbound VPN group must be disconnected before doing this):
ipsec policy 1 60 isakmp
security acl 3600
pfs dh-group2
ike-peer mexico_morales
proposal 6
local-address *.*.*.*
sa duration time-based 3600

H3C IPsec (V7 to V5)


Network requirements: the MSR930 connects through 3G dial-up and obtains a private address.

The MSR36 sits behind a NAT device, on which the MSR36's address is mapped one-to-one.

The MSR930 and MSR36 establish an IPsec VPN.

MSR930 configuration:
#
version 5.20, Release 2511P02
#
sysname H3C-MSR930
#
ike local-name 3210
#
acl number 3000
rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
rule 1000 permit ip
acl number 3210
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
vlan 1
#
vlan 1000
#
ike proposal 3210
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike peer 3210
exchange-mode aggressive
proposal 3210
pre-shared-key simple 3210
id-type name
remote-name v7
remote-address 60.29.48.70
nat traversal
#
ipsec transform-set 3210
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy 3210 1 isakmp
security acl 3210
ike-peer 3210
transform-set 3210
#
interface Cellular1/0
async mode protocol
link-protocol ppp
ppp chap user admin
ppp chap password cipher admin
ppp pap local-user admin password cipher admin
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer enable-circular
dialer-group 1
dialer timer idle 0
dialer number *99# autodial
nat outbound 3000
ipsec no-nat-process enable
ipsec policy 3210
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface1000
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode bridge
port access vlan 1000
#
ip route-static 0.0.0.0 0.0.0.0 Cellular1/0

MSR36 configuration:
#
version 7.1.042, Release 0007P02
#
sysname H3C-36-60
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.10.67 255.255.255.0
nat outbound 3000
ipsec apply policy 3210
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 172.16.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0 192.168.10.2
#
acl number 3000
rule 0 deny ip source 172.16.0.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 1000 permit ip
#
acl number 3100
rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec transform-set 11
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
#
ipsec policy-template 1 3210
transform-set 11
security acl 3100
ike-profile 11
#
ipsec policy 3210 1 isakmp template 1
#
ike identity fqdn v7
#
ike profile 11
keychain 11
exchange-mode aggressive
local-identity fqdn v7
match remote identity fqdn 3210
proposal 11
#
ike proposal 11
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain 11
pre-shared-key hostname 3210 key cipher 3210

Notes:
1. On the V5 side, when the IKE peer uses id-type name, remote-name must be specified.
2. On V7, an IPsec policy template must be configured in order to omit remote-address. If ipsec policy is used instead, either remote-address with an IP address must be configured (the peer address is unknown in this deployment) or remote-address hostname must be configured, and the hostname additionally requires DNS.
3. The V7 side does not need NAT traversal enabled; V7 detects NAT traversal automatically.
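The V5/V7 configurations above (and the aggressive-mode IPv6 case earlier on this page) negotiate with DES or 3DES, MD5, IKEv1 aggressive mode and plaintext pre-shared keys. As an added example that is not part of the original page nor any H3C or Huawei code, the following Python script audits a Comware-style configuration dump for exactly those settings, so a reviewer can flag them before the configuration goes live. The sample configuration embedded in the script is constructed for the example and mixes the V5 syntax (pre-shared-key simple, transform esp) and V7 syntax (ike keychain with key cipher) seen on the page; the weak-algorithm lists are this example's own audit policy, not vendor guidance.

```python
"""Audit a Comware-style (H3C/Huawei) IPsec/IKE configuration for weak settings.

Added example; not code from the original page or from H3C/Huawei. It splits a
configuration into the '#'-separated blocks used on the page and reports
DES/3DES encryption, MD5 authentication, IKEv1 aggressive mode, pre-shared keys
stored in plain text, and disabled CRL checking. The weak-algorithm lists and
the sample configuration are assumptions constructed for this example.
"""
from dataclasses import dataclass

WEAK_ENCRYPTION = {"des", "des-cbc", "3des", "3des-cbc"}   # audit policy (assumption)
WEAK_AUTH = {"md5"}


@dataclass
class Finding:
    block: str    # first line of the configuration block, e.g. "ike proposal 10"
    line: str     # the offending command
    reason: str


def parse_blocks(config_text):
    """Split a configuration into blocks delimited by lines containing only '#'."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def _arg_after(words, key):
    """Return the word following `key`, or None if absent or last."""
    if key in words and words.index(key) + 1 < len(words):
        return words[words.index(key) + 1]
    return None


def audit_block(block):
    """Check the commands of one block; the block header is kept for the report."""
    header, findings = block[0], []
    for line in block[1:]:
        words = line.split()
        # "encryption-algorithm X" (IKE proposal) or "esp encryption-algorithm X" (transform set)
        enc = _arg_after(words, "encryption-algorithm")
        if enc in WEAK_ENCRYPTION:
            findings.append(Finding(header, line, f"weak encryption algorithm {enc}"))
        auth = _arg_after(words, "authentication-algorithm")
        if auth in WEAK_AUTH:
            findings.append(Finding(header, line, f"weak authentication algorithm {auth}"))
        if words[:2] == ["exchange-mode", "aggressive"]:
            findings.append(Finding(header, line, "IKEv1 aggressive mode sends the identity unprotected"))
        # V5 "pre-shared-key simple KEY" and V7 "pre-shared-key ... key simple KEY";
        # words[:-1] keeps a key whose value happens to be "simple" from matching.
        if words[0] == "pre-shared-key" and "simple" in words[:-1]:
            findings.append(Finding(header, line, "pre-shared key stored in plain text"))
        if words[:4] == ["undo", "crl", "check", "enable"]:
            findings.append(Finding(header, line, "CRL checking disabled"))
    return findings


def audit_config(config_text):
    """Run audit_block over every block and return all findings in order."""
    findings = []
    for block in parse_blocks(config_text):
        findings.extend(audit_block(block))
    return findings


def report(findings):
    """One printable line per finding."""
    return [f"{f.block}: {f.line}  -> {f.reason}" for f in findings]


# Constructed sample in the style of the page's V5/V7 dumps (not a real device config).
SAMPLE_CONFIG = """\
#
sysname SAMPLE-V5
#
ike proposal 10
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike peer branch
 exchange-mode aggressive
 proposal 10
 pre-shared-key simple ExampleKey
 id-type name
 remote-name hq
#
ipsec transform-set ts1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des
#
ike proposal 20
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
#
ike keychain kc1
 pre-shared-key hostname hq key cipher $c$3$placeholder
#
pki domain d1
 undo crl check enable
#
"""

if __name__ == "__main__":
    for entry in report(audit_config(SAMPLE_CONFIG)):
        print(entry)
```

Run against a saved `display current-configuration` dump, the script reports the block and command for each weak setting; the clean block `ike proposal 20` produces nothing, which is the behaviour to expect from a correctly hardened proposal.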

H3C MSR Series Routers Typical Configuration Examples (V7)-6W100-H3C MSR Series Routers BGP Basic Configuration Example (V7)

Therefore, the peer connect-interface command must be used to configure the LoopBack interface as the source interface of the BGP connection. • For two routers in an EBGP neighbor relationship, which are in different ASes, the peer's LoopBack interface is generally not reachable by routing,
3.1 Network requirements 1
3.2 Configuration approach 1
3.3 Software version 1
3.4 Configuration notes 2
3.5 Configuration steps 2

MSR series routers: encryption features and IPsec applications


Chapter 4 IPsec processing flow
IPsec Session: the first packet creates a session-table entry; subsequent packets look up the session table directly, hit the tunnel and receive the corresponding IPsec processing, which avoids the laborious direct tunnel lookup.
[Flowchart: input is the MBuf (packet) and ulIfIndex (outgoing interface index). "Is IPsec applied on the interface?" No: set the return value to pass-through. Yes: continue processing the MBuf.]

Chapter 1 IPsec: overview, basic concepts, command line

Chapter 1 IPsec
What is IPsec? IPSec (IP Security) is a framework protocol defined by the IETF to guarantee the security and confidentiality of data transmitted over the Internet. As the name implies, it provides security services at the IP layer.
Security features of IPsec: data confidentiality (Confidentiality), i.e. data encryption; data integrity (Data Integrity), i.e. data verification; data origin authentication (Data Authentication), i.e. identity verification and digital signatures; anti-replay (Anti-Replay), using sequence numbers.

Tunnel-mode ESP packet format:
New IP header | ESP Header | Original IP header | Payload data | ESP Trailer | ESP Auth
                           |<----------- encrypted --------->|
             |<------------- authenticated ------------>|

Chapter 3 AH and ESP

H3C MSR Series Routers IPsec Typical Configuration Examples (V7)


7 Related documentation

1 Introduction
This document describes typical IPsec configuration examples.

2 Prerequisites
This document applies to MSR series routers running the Comware V7 software version. If anything differs from your actual product, refer to the relevant product manual or the actual device. The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the examples below so that they work as described. This document assumes that you are familiar with the IPsec feature.

3 Configuration example: certificate-based L2TP over IPsec with the iNode client

3.1 Network requirements
As shown in Figure 1, PPP user Host establishes an L2TP tunnel with Device, and a Windows Server 2003 machine acts as the CA server. Requirements: access Corporate network through the L2TP tunnel; encrypt the L2TP tunnel data with IPsec; establish the IPsec tunnel with RSA certificate authentication.
Figure 1 Network diagram for certificate-based L2TP over IPsec

3.2 Configuration approach
Because the IPsec tunnel is established with certificate authentication, local-identity must be set to dn in the IKE profile, so that the local identity is taken from the subject field of the local certificate.

3.3 Software version
This example was configured and verified on R0106.

3.4 Configuration steps

3.4.1 Configuring Device

1. Configure interface IP addresses
# Configure the IP address of GigabitEthernet2/0/1.
<Device> system-view
[Device] interface gigabitethernet 2/0/1
[Device-GigabitEthernet2/0/1] quit
# Configure the IP address of GigabitEthernet2/0/2.
[Device] interface gigabitethernet 2/0/2
[Device-GigabitEthernet2/0/2] quit
# Configure the IP address of GigabitEthernet2/0/3.
[Device] interface gigabitethernet 2/0/3
[Device-GigabitEthernet2/0/3] quit

2. Configure L2TP
# Create local PPP user l2tpuser with password hello.
[Device] local-user l2tpuser class network
[Device-luser-network-l2tpuser] password simple hello
[Device-luser-network-l2tpuser] service-type ppp
[Device-luser-network-l2tpuser] quit
# Configure ISP domain system to authenticate PPP users locally.
[Device] domain system
[Device-isp-system] authentication ppp local
[Device-isp-system] quit
# Enable the L2TP service.
[Device] l2tp enable
# Create interface Virtual-Template0 and configure its IP address as ...
[Device] interface virtual-template 0
# Set the PPP authentication mode to PAP.
[Device-Virtual-Template0] ppp authentication-mode pap
# Configure the IP addresses assigned to PPP users as ...
[Device-Virtual-Template0] quit
# Create L2TP group 1 in LNS mode.
[Device] l2tp-group 1 mode lns
# Set the local tunnel name on the LNS side to lns.
[Device-l2tp1] tunnel name lns
# Disable L2TP tunnel authentication.
[Device-l2tp1] undo tunnel authentication
# Specify VT0 as the virtual template interface for receiving calls.
[Device-l2tp1] allow l2tp virtual-template 0
[Device-l2tp1] quit

3. Configure PKI certificates
# Configure PKI entity security.
[Device] pki entity security
[Device-pki-entity-security] common-name device
[Device-pki-entity-security] quit
# Create a PKI domain.
[Device] pki domain headgate
[Device-pki-domain-headgate] ca identifier LYQ
[Device-pki-domain-headgate] certificate request from ra
[Device-pki-domain-headgate] certificate request entity security
[Device-pki-domain-headgate] undo crl check enable
[Device-pki-domain-headgate] public-key rsa general name abc length 1024
[Device-pki-domain-headgate] quit
# Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.............................++++++.++++++
Create the key pair successfully.
# Retrieve the CA certificate and save it locally.
[Device] pki retrieve-certificate domain headgate ca
The trusted CA's finger print is:
    MD5  fingerprint:8649 7A4B EAD5 42CF 5031 4C99 BFS3 2A99
    SHA1 fingerprint:61A9 6034 181E 6502 12FA 5A5F BA12 0EA0 5187 031C
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Manually request a local certificate.
[Device] pki request-certificate domain headgate
Start to request general certificate ...
Certificate requested successfully.

4. Configure the IPsec tunnel
# Create IKE proposal 1.
[Device] ike proposal 1
[Device-ike-proposal-1] authentication-method rsa-signature
[Device-ike-proposal-1] encryption-algorithm 3des-cbc
[Device-ike-proposal-1] dh group2
[Device-ike-proposal-1] quit
# Configure the IPsec transform set.
[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[Device-ipsec-transform-set-tran1] quit
# Configure the IKE profile.
[Device] ike profile profile1
[Device-ike-profile-profile1] local-identity dn
[Device-ike-profile-profile1] certificate domain headgate
[Device-ike-profile-profile1] proposal 1
[Device-ike-profile-profile1] match remote certificate device
[Device-ike-profile-profile1] quit
# When digital signature authentication is used, always take the local identity from the subject field of the local certificate.
[Device] ike signature-identity from-certificate
# Create IPsec policy template template1 with sequence number 1.
[Device] ipsec policy-template template1 1
[Device-ipsec-policy-template-template1-1] transform-set tran1
[Device-ipsec-policy-template-template1-1] ike-profile profile1
[Device-ipsec-policy-template-template1-1] quit
# Create IPsec policy policy1 with sequence number 1 by referencing the policy template.
[Device] ipsec policy policy1 1 isakmp template template1
# Apply the IPsec policy on the interface.
[Device] interface gigabitethernet 2/0/2
[Device-GigabitEthernet2/0/2] ipsec apply policy policy1
[Device-GigabitEthernet2/0/2] quit

3.4.2 Configuring Host

1. Request a client certificate from the certificate server
# Log in to the certificate server at ... and click "Request a certificate".
Figure 1 Certificate request page
# Click "Advanced certificate request".
Figure 2 Advanced certificate request
# Select the first option: create and submit a request to this CA.
Figure 3 Creating and submitting a request to the CA
# Fill in the required information. For the certificate type, select "Client Authentication Certificate"; under the key options, tick the "Mark keys as exportable" check box.
# Click <Submit>; in the prompt dialog that appears, select "Yes".
# Click "Install this certificate".
Figure 4 Installing the certificate

2. Configure the iNode client (iNode version used: iNode PC 5.2 E0409)
# Open the L2TP VPN connection and click "Properties (Y)".
Figure 5 Opening the L2TP connection
# Enter the LNS server address, enable the IPsec security protocol, and select certificate authentication as the authentication method.
Figure 6 Basic configuration
# Click <Advanced (C)>, open the "L2TP settings" tab and set the L2TP parameters as shown in the figure.
Figure 7 L2TP settings
# Open the "IPsec settings" tab and configure the IPsec parameters.
Figure 8 IPsec parameter settings
# Open the "IKE settings" tab and configure the IKE parameters.
Figure 9 IKE parameter settings
# Open the "Route settings" tab and add a route to Corporate network.
Figure 10 Route settings
# After completing the above, click <OK> to return to the L2TP connection page.

3.5 Verifying the configuration
# In the L2TP connection dialog, enter username "l2tpuser" and password "hello" and click <Connect>.
Figure 11 Connecting L2TP
# In the dialog that appears, select the certificate requested earlier and click <OK>.
Figure 12 Certificate selection
# The following figures show that the L2TP connection succeeded.
Figure 13 Connection succeeded
Figure 14 Connection succeeded
# On Device, display ike sa shows that the phase-1 SA of the IPsec tunnel has been established.
<Device> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
Flags:
RD--READY RL--REPLACED FD-FADING
# On Device, display ipsec sa shows the IPsec SAs.
<Device> display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/2
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
    Flow:

    [Inbound ESP SAs]
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843197/3294
      Max received sequence-number: 51
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843197/3294
      Max sent sequence-number: 52
      UDP encapsulation used for NAT traversal: N
      Status: Active

3.6 Configuration file
#
interface Virtual-Template0
 ppp authentication-mode pap
#
interface GigabitEthernet2/0/1
#
interface GigabitEthernet2/0/2
 ipsec apply policy policy1
#
interface GigabitEthernet2/0/3
#
domain system
 authentication ppp local
#
local-user l2tpuser class network
 password cipher $c$3$nl46fURLtkCkcbdnB6irTXma+E6u0c+h
 service-type ppp
 authorization-attribute user-role network-operator
#
pki domain headgate
 ca identifier LYQ
 certificate request from ra
 certificate request entity security
 public-key rsa general name abc
 undo crl check enable
#
pki entity security
 common-name host
#
ipsec transform-set tran1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template template1 1
 transform-set tran1
 ike-profile profile1
#
ipsec policy policy1 1 isakmp template template1
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 0
 undo tunnel authentication
 tunnel name lns
#
l2tp enable
#
ike signature-identity from-certificate
#
ike profile profile1
 certificate domain headgate
 local-identity dn
 match remote certificate device
 proposal 1
#
ike proposal 1
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 dh group2
#

4 Configuration example: IPsec over GRE

4.1 Network requirements
As shown in Figure 15, the enterprise's remote office network connects to the headquarters through an IPsec VPN. Requirement: carry the IPsec-encrypted data between the two networks through a GRE tunnel.
Figure 15 IPsec over GRE network diagram

4.2 Configuration approach
To have the data processed by IPsec first and then GRE-encapsulated, the access control list must match the original address range of the data, and IPsec must be applied to the GRE tunnel interface. Because the data is IPsec-encapsulated before it is GRE-encapsulated, the peer IP address of the IPsec tunnel must be configured as the GRE tunnel interface address.

4.3 Software version
This example was configured and verified on R0106.

4.4 Configuration steps

4.4.1 Configuring Device A

1. Configure interface IP addresses
# Configure the IP address of GigabitEthernet2/0/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 2/0/1
[DeviceA-GigabitEthernet2/0/1] tcp mss 1350
[DeviceA-GigabitEthernet2/0/1] quit
# Configure the IP address of GigabitEthernet2/0/2.
[DeviceA] interface gigabitethernet 2/0/2
[DeviceA-GigabitEthernet2/0/2] quit

2. Configure the GRE tunnel
# Create interface Tunnel0 and set its mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre
# Configure the IP address of Tunnel0 as ...
# Configure the source address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device A.
# Configure the destination address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device B.
[DeviceA-Tunnel0] quit
# Configure a static route from Device A through Tunnel0 to Remote office network.

3. Configure IPsec VPN
# Configure the IKE keychain.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] quit
# Create ACL 3000 to define the traffic to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] quit
# Configure the IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy on the GRE tunnel interface.
[DeviceA] interface tunnel 0
[DeviceA-Tunnel0] ipsec apply policy policy1
[DeviceA-Tunnel0] quit

4.4.2 Configuring Device B

1. Configure interface IP addresses
# Configure the IP address of GigabitEthernet2/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 2/0/1
[DeviceB-GigabitEthernet2/0/1] tcp mss 1350
[DeviceB-GigabitEthernet2/0/1] quit
# Configure the IP address of GigabitEthernet2/0/2.
[DeviceB] interface gigabitethernet 2/0/2
[DeviceB-GigabitEthernet2/0/2] quit

2. Configure the GRE tunnel
# Create interface Tunnel0 and set its mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre
# Configure the IP address of Tunnel0 as ...
# Configure the source address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device B.
# Configure the destination address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device A.
[DeviceB-Tunnel0] quit
# Configure a static route from Device B through Tunnel0 to Corporate network.

3. Configure IPsec VPN
# Configure the IKE keychain.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] quit
# Create ACL 3000 to define the traffic to be protected by IPsec.
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] quit
# Configure the IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy on the GRE tunnel interface.
[DeviceB] interface tunnel 0
[DeviceB-Tunnel0] ipsec apply policy policy1
[DeviceB-Tunnel0] quit

4.5 Verifying the configuration
# Take a host on Corporate network initiating communication with a host on Remote office network as an example. Pinging from ... triggers IPsec negotiation and establishes the IPsec tunnel; once the tunnel is established, the ping succeeds.
Request timed out.
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# On Device A, display ike sa shows that the phase-1 SA has been established.
<DeviceA> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
Flags:
RD--READY RL--REPLACED FD-FADING
# On Device A, display ipsec sa shows the IPsec SAs.
<DeviceA> display ipsec sa
-------------------------------
Interface: Tunnel0
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1419
    Tunnel:
    Flow:

    [Inbound ESP SAs]
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3550
      Max received sequence-number: 3
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3550
      Max sent sequence-number: 3
      UDP encapsulation used for NAT traversal: N
      Status: Active
# On Device A, display interface tunnel 0 shows the traffic carried through the GRE tunnel.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 40 packets, 3300 bytes, 0 drops
Output: 41 packets, 3464 bytes, 0 drops
# Verification from a host on Remote office network to a host on Corporate network follows the same method and is not repeated here.

4.6 Configuration files
Device A:
#
interface GigabitEthernet2/0/1
 tcp mss 1350
#
interface GigabitEthernet2/0/2
#
interface Tunnel0 mode gre
 ipsec apply policy policy1
#
#
acl number 3000
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
#
ike keychain keychain1
#
Device B:
#
interface GigabitEthernet2/0/1
 tcp mss 1350
#
interface GigabitEthernet2/0/2
#
interface Tunnel0 mode gre
 ipsec apply policy policy1
#
#
acl number 3000
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
#
ike keychain keychain1
#

5 Configuration example: GRE over IPsec

5.1 Network requirements
As shown in Figure 16, the enterprise's remote office network exchanges data with the headquarters through a GRE tunnel. Requirement: encrypt the data passing through the GRE tunnel with IPsec.
Figure 16 GRE over IPsec network diagram

5.2 Configuration approach
To IPsec-encrypt the GRE-encapsulated data, apply the IPsec policy on the physical interface, with the source and destination addresses in the access control list set to the physical interface addresses. For IPsec to protect the entire GRE tunnel, the interface to which the IPsec policy is applied must be the same interface as the GRE tunnel's source and destination interface.

5.3 Software version
This example was configured and verified on R0106.

5.4 Configuration steps

5.4.1 Configuring Device A

1. Configure interface IP addresses
# Configure the IP address of GigabitEthernet2/0/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 2/0/1
[DeviceA-GigabitEthernet2/0/1] quit
# Configure the IP address of GigabitEthernet2/0/2.
[DeviceA] interface gigabitethernet 2/0/2
[DeviceA-GigabitEthernet2/0/2] quit

2. Configure the GRE tunnel
# Create interface Tunnel0 and set its mode to GRE over IPv4.
[DeviceA] interface tunnel 0 mode gre
# Configure the IP address of Tunnel0 as ...
# Configure the source address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device A.
# Configure the destination address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device B.
[DeviceA-Tunnel0] quit
# Configure a static route from Device A through Tunnel0 to Remote office network.

3. Configure IPsec VPN
# Configure the IKE keychain.
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] quit
# Create ACL 3000 to define the traffic to be protected by IPsec.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] quit
# Configure the IPsec transform set.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceA] ipsec policy policy1 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy on GigabitEthernet2/0/2.
[DeviceA] interface gigabitethernet 2/0/2
[DeviceA-GigabitEthernet2/0/2] ipsec apply policy policy1
[DeviceA-GigabitEthernet2/0/2] quit

5.4.2 Configuring Device B

1. Configure interface IP addresses
# Configure the IP address of GigabitEthernet2/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 2/0/1
[DeviceB-GigabitEthernet2/0/1] quit
# Configure the IP address of GigabitEthernet2/0/2.
[DeviceB] interface gigabitethernet 2/0/2
[DeviceB-GigabitEthernet2/0/2] quit

2. Configure the GRE tunnel
# Create interface Tunnel0 and set its mode to GRE over IPv4.
[DeviceB] interface tunnel 0 mode gre
# Configure the IP address of Tunnel0 as ...
# Configure the source address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device B.
# Configure the destination address of Tunnel0 as the IP address of GigabitEthernet2/0/2 on Device A.
[DeviceB-Tunnel0] quit
# Configure a static route from Device B through Tunnel0 to Corporate network.

3. Configure IPsec VPN
# Configure the IKE keychain.
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] quit
# Create ACL 3000 to define the traffic to be protected by IPsec.
[DeviceB] acl number 3000
[DeviceB-acl-adv-3000] quit
# Configure the IPsec transform set.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE-negotiated IPsec policy named policy1 with sequence number 1.
[DeviceB] ipsec policy policy1 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3000
[DeviceB-ipsec-policy-isakmp-policy1-1] transform-set tran1
[DeviceB-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy on GigabitEthernet2/0/2.
[DeviceB] interface gigabitethernet 2/0/2
[DeviceB-GigabitEthernet2/0/2] ipsec apply policy policy1
[DeviceB-GigabitEthernet2/0/2] quit

5.5 Verifying the configuration
# Take a host on Corporate network initiating communication with a host on Remote office network as an example. Pinging from ... triggers IPsec negotiation and establishes the IPsec tunnel; once the tunnel is established, the ping succeeds.
Request timed out.
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
# On Device A, display ike sa shows that the phase-1 SA has been established.
<DeviceA> display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
Flags:
RD--READY RL--REPLACED FD-FADING
# On Device A, display ipsec sa shows the IPsec SAs.
<DeviceA> display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/2
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
    Flow:

    [Inbound ESP SAs]
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      Max received sequence-number: 3
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3573
      Max sent sequence-number: 3
      UDP encapsulation used for NAT traversal: N
      Status: Active
# On Device A, display interface tunnel 0 shows the traffic carried through the GRE tunnel.
<DeviceA> display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 43 packets, 3480 bytes, 0 drops
Output: 45 packets, 3740 bytes, 2 drops
# From Remote
office network的主机向Corporate network的主机发起通信验证方法相同;此不赘述..5.6 配置文件Device A:#interface GigabitEthernet2/0/1#interface GigabitEthernet2/0/2 ipsec apply policy policy1#interface Tunnel0 mode gre##acl number 3000#ipsec transform-set tran1esp encryption-algorithm des-cbc esp authentication-algorithm sha1 #ipsec policy policy1 1 isakmp transform-set tran1security acl 3000#ike keychain keychain1qp4hMMjV/iteA==#Devoce B:#interface GigabitEthernet2/0/1#interface GigabitEthernet2/0/2 ipsec apply policy policy1#interface Tunnel0 mode gre##acl number 3000#ipsec transform-set tran1esp encryption-algorithm des-cbc esp authentication-algorithm sha1 #ipsec policy policy1 1 isakmp transform-set tran1security acl 3000#ike keychain keychain1qp4hMMjV/iteA==#6 IPsec同流双隧道的典型配置举例6.1 组网需求如图17所示组网;要求:在Device A和Device B之间建立IPsec隧道;对Host A所在的子网与Host B 所在的子网之间的数据流进行安全保护..Device B上通过两条链路接入互联网;在这两条链路上配置相同的IPsec隧道形成备份..使用IKE自动协商方式建立SA;安全协议采用ESP协议;加密算法采用DES;认证算法采用SHA1-HMAC-96..在Device B上配置共享源接口安全策略;实现数据流量在不同接口间平滑切换..图17 IPsec同流双隧道组网图6.2 使用版本本举例是在R0106版本上进行配置和验证的..6.3 配置步骤6.3.1 Device A的配置1 配置各接口IP地址# 配置接口GigabitEthernet2/0/1的IP地址..<DeviceA> system-viewDeviceA interface gigabitethernet 2/0/1DeviceA-GigabitEthernet2/0/1 quit# 配置接口GigabitEthernet2/0/2的IP地址..DeviceA interface gigabitethernet 2/0/2DeviceA-GigabitEthernet2/0/2 quit# 配置访问网段的静态路由..# 配置到Device B上Loopback0接口的静态路由..2配置IPsec VPN# 配置IKE keychain..DeviceA ike keychain keychain1DeviceA-ike-keychain-keychain1 quit# 创建ACL3000;定义需要IPsec保护的数据流..DeviceA acl number 3000DeviceA-acl-adv-3000 quit# 配置IPsec安全提议..DeviceA ipsec transform-set tran1DeviceA-ipsec-transform-set-tran1 esp encryption-algorithm desDeviceA-ipsec-transform-set-tran1 esp authentication-algorithm sha1DeviceA-ipsec-transform-set-tran1 quit# 创建一条IKE协商方式的IPsec安全策略;名称为policy1;序列号为1..DeviceA ipsec policy policy1 1 isakmpDeviceA-ipsec-policy-isakmp-policy1-1 security acl 3000DeviceA-ipsec-policy-isakmp-policy1-1 transform-set tran1DeviceA-ipsec-policy-isakmp-policy1-1 quit# 
在接口GigabitEthernet2/0/1上应用安全策略..DeviceA interface gigabitethernet 2/0/1DeviceA-GigabitEthernet2/0/1 ipsec apply policy policy1DeviceA-GigabitEthernet2/0/1 quit6.3.2 Device B的配置1 配置各接口IP地址# 配置接口GigabitEthernet2/0/1的IP地址..<DeviceB> system-viewDeviceB interface gigabitethernet 2/0/1DeviceB-GigabitEthernet2/0/1 quit# 配置接口GigabitEthernet2/0/2的IP地址..DeviceB interface gigabitethernet 2/0/2DeviceB-GigabitEthernet2/0/2 quit# 配置接口GigabitEthernet2/0/3的IP地址..DeviceB interface gigabitethernet 2/0/3DeviceB-GigabitEthernet2/0/3 quit# 配置接口Loopback 0的IP地址..DeviceB interface loopback 0DeviceB-LoopBack0 quit# 配置访问网段的静态路由..2配置IPsec VPN# 配置IKE keychain..DeviceB ike keychain keychain1DeviceB-ike-keychain-keychain1 quit# 创建ACL3000;定义需要IPsec保护的数据流..DeviceB acl number 3000DeviceB-acl-adv-3000 quit# 配置IPsec安全提议..DeviceB ipsec transform-set tran1DeviceB-ipsec-transform-set-tran1 esp encryption-algorithm desDeviceB-ipsec-transform-set-tran1 esp authentication-algorithm sha1DeviceB-ipsec-transform-set-tran1 quit# 创建一条IKE协商方式的IPsec安全策略;名称为policy1;序列号为1..DeviceB ipsec policy policy1 1 isakmpDeviceB-ipsec-policy-isakmp-policy1-1 security acl 3000DeviceB-ipsec-policy-isakmp-policy1-1 transform-set tran1Device-ipsec-policy-isakmp-policy1-1 quit# 在接口GigabitEthernet2/0/1上应用安全策略..DeviceB interface gigabitethernet 2/0/1DeviceB-GigabitEthernet2/0/1 ipsec apply policy policy1DeviceB-GigabitEthernet2/0/1 quit# 在接口GigabitEthernet2/0/2上应用安全策略..DeviceB interface gigabitethernet 2/0/2DeviceB-GigabitEthernet2/0/2 ipsec apply policy policy1DeviceB-GigabitEthernet2/0/2 quit# 配置IPsec安全策略policy1为共享源接口安全策略;共享源接口为Loopback0..DeviceB ipsec policy policy1 local-address loopback 06.4 验证配置# 从Host A ping Host B;会触发IPsec协商;建立IPsec隧道;在成功建立IPsec隧道后;可以ping通..Request timed out.Packets: Sent = 4; Received = 3; Lost = 1 25% loss;Approximate round trip times in milli-seconds:Minimum = 1ms; Maximum = 5ms; Average = 3ms# 在Device A上使用display ike sa命令;可以看到第一阶段的SA正常建立..DeviceA display ike saConnection-ID Remote Flag 
DOI------------------------------------------------------------------Flags:RD--READY RL--REPLACED FD-FADING# 在Device A上使用display ipsec sa命令可以看到IPsec SA的建立情况..DeviceA display ipsec sa-------------------------------Interface: GigabitEthernet2/0/1------------------------------------------------------------IPsec policy: policy1Sequence number: 1Mode: isakmp-----------------------------Tunnel id: 0Encapsulation mode: tunnelPerfect forward secrecy:Path MTU: 1443Tunnel:Flow:Inbound ESP SAsTransform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1SA duration kilobytes/sec: 1843200/3600SA remaining duration kilobytes/sec: 1843199/3035Max received sequence-number: 3Anti-replay check enable: YAnti-replay window size: 64UDP encapsulation used for NAT traversal: NStatus: ActiveOutbound ESP SAsTransform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1SA duration kilobytes/sec: 1843200/3600SA remaining duration kilobytes/sec: 1843199/3035Max sent sequence-number: 3UDP encapsulation used for NAT traversal: NStatus: Active# 从Host B向Host A发起通信验证方法相同;此不赘述..6.5 配置文件Device A:#interface GigabitEthernet2/0/1ipsec apply policy policy1#interface GigabitEthernet2/0/2##acl number 3000#ipsec transform-set tran1esp encryption-algorithm des-cbcesp authentication-algorithm sha1#ipsec policy policy1 1 isakmptransform-set tran1security acl 3000#ike keychain keychain1#Device B:#interface LoopBack0#interface GigabitEthernet2/0/1ipsec apply policy policy1#interface GigabitEthernet2/0/2ipsec apply policy policy1#interface GigabitEthernet2/0/3##acl number 3000#ipsec transform-set tran1esp encryption-algorithm des-cbcesp authentication-algorithm sha1#ipsec policy policy1 1 isakmptransform-set tran1security acl 3000#ipsec policy policy1 local-address LoopBack0 #ike keychain keychain1qp4hMMjV/iteA==#。
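The Path MTU values in the outputs above (1419 when the IPsec policy is applied to Tunnel0, 1443 when it is applied to the physical interface), the Tunnel0 MTU of 1476 and the tcp mss 1350 in the configuration files all follow from the GRE and ESP overheads. The following Python script is an added worked example, not part of the H3C document: it derives those figures from the protocol field sizes. The field sizes are from RFC 2784/2890 (GRE), RFC 4303 (ESP) and RFC 2404 (HMAC-SHA-1-96); the assumption that the device's Path MTU allows for worst-case ESP padding is ours, checked against the 1443 and 1419 shown.

```python
"""GRE and ESP tunnel-mode overhead, reproducing the Path MTU figures on this page.

Added example, not H3C code. Field sizes come from RFC 2784/2890 (GRE),
RFC 4303 (ESP) and RFC 2404 (HMAC-SHA-1-96). That the device's "Path MTU"
assumes worst-case ESP padding is our assumption; it reproduces the 1443 and
1419 shown in the display ipsec sa output of examples 5 and 4.
"""

IPV4_HEADER = 20
TCP_HEADER = 20            # without options
GRE_HEADER = 4             # flags/version + protocol type (RFC 2784)
GRE_KEY = 4                # optional key field (RFC 2890)
GRE_CHECKSUM = 4           # optional checksum + reserved1 (RFC 2784)
ESP_HEADER = 8             # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2            # pad length + next header (RFC 4303)

# ESP encryption algorithms: (IV length, cipher block size), bytes.
# des-cbc and 3des-cbc appear on this page; aes-cbc is added for comparison.
CIPHERS = {"des-cbc": (8, 8), "3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# ESP authentication algorithms: ICV length, bytes.
ICVS = {"md5": 12, "sha1": 12, "sha256": 16}


def gre_overhead(key=False, checksum=False):
    """Bytes GRE-over-IPv4 adds. The page's tunnel shows 'GRE key disabled' and
    'Checksumming ... disabled', hence 24 bytes and a Tunnel0 MTU of 1476."""
    return (IPV4_HEADER + GRE_HEADER
            + (GRE_KEY if key else 0) + (GRE_CHECKSUM if checksum else 0))


def esp_padding(plaintext_len, cipher):
    """Exact ESP padding so payload + pad + trailer fill whole cipher blocks."""
    _, block = CIPHERS[cipher]
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_tunnel_overhead(cipher, auth, worst_case=True):
    """Bytes ESP tunnel mode adds to an inner IP packet. A path-MTU figure must
    assume the maximum padding (block size - 1); des-cbc/sha1 gives 57."""
    iv, block = CIPHERS[cipher]
    pad = block - 1 if worst_case else 0
    return IPV4_HEADER + ESP_HEADER + iv + pad + ESP_TRAILER + ICVS[auth]


def esp_packet_len(inner_len, cipher, auth):
    """Exact on-the-wire length of one ESP tunnel-mode packet."""
    iv, _ = CIPHERS[cipher]
    return (IPV4_HEADER + ESP_HEADER + iv + inner_len
            + esp_padding(inner_len, cipher) + ESP_TRAILER + ICVS[auth])


def path_mtu(link_mtu, ipsec_on_tunnel, cipher="des-cbc", auth="sha1",
             key=False, checksum=False):
    """Path MTU the IPsec SA reports in the two designs on this page.
    ipsec_on_tunnel=True : policy on Tunnel0 (example 4); the SA sits on the
        tunnel interface, so GRE overhead is already taken off the link MTU.
    ipsec_on_tunnel=False: policy on the physical interface (example 5); the
        whole GRE packet is the ESP payload."""
    base = link_mtu - (gre_overhead(key, checksum) if ipsec_on_tunnel else 0)
    return base - esp_tunnel_overhead(cipher, auth)


def inner_ip_mtu(link_mtu, ipsec_on_tunnel, cipher="des-cbc", auth="sha1",
                 key=False, checksum=False):
    """Largest inner IP packet that crosses GRE + ESP without fragmentation.
    Both designs give the same answer; only the reported Path MTU differs."""
    pm = path_mtu(link_mtu, ipsec_on_tunnel, cipher, auth, key, checksum)
    return pm if ipsec_on_tunnel else pm - gre_overhead(key, checksum)


def tcp_mss_ceiling(inner_mtu):
    """Largest TCP MSS whose full-size segment still fits the inner IP MTU."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for on_tunnel, name in ((True, "IPsec on Tunnel0 (example 4)"),
                            (False, "IPsec on GigabitEthernet2/0/2 (example 5)")):
        inner = inner_ip_mtu(1500, on_tunnel)
        print(f"{name}: path MTU {path_mtu(1500, on_tunnel)}, "
              f"inner IP MTU {inner}, TCP MSS ceiling {tcp_mss_ceiling(inner)}")
    print("AES-CBC/SHA1 worst-case ESP overhead:",
          esp_tunnel_overhead("aes-cbc", "sha1"))
```

With a 1500-byte link the inner IP MTU is 1419 in both designs, which gives a TCP MSS ceiling of 1379; the page's tcp mss 1350 on the LAN-facing interface sits safely below it, leaving room for TCP options or a GRE key. The worst-case bound is conservative: a 1422-byte inner packet still produces a 1472-byte ESP packet, while 1423 bytes is the first size that exceeds the 1476-byte tunnel MTU.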


7 Related documentation

1 Introduction
This document describes typical IPsec configuration examples.

2 Prerequisites
This document applies to MSR series routers running Comware V7. If the behaviour you observe differs from what is described here, consult the product manuals or follow the actual device.

All configurations in this document were performed and verified in a lab environment, starting from the factory default configuration.

If the device is already configured, make sure the existing configuration does not conflict with the examples below.

This document assumes familiarity with the IPsec feature.

3 Example: certificate-based L2TP over IPsec with the iNode client
3.1 Network requirements
As shown in Figure 1, the PPP user Host establishes an L2TP tunnel to Device, and a Windows Server 2003 machine acts as the CA server. Requirements:
• Host reaches the corporate network through the L2TP tunnel.

• The L2TP tunnel traffic is encrypted with IPsec.

• The IPsec tunnel is authenticated with RSA certificates.

Figure 1 Network diagram for certificate-based L2TP over IPsec
3.2 Configuration approach
Because the IPsec tunnel is authenticated with certificates, set local-identity dn in the IKE profile so that the local identity is taken from the Subject field of the local certificate. The algorithms used below (3DES, DH group 2, a 1024-bit RSA key) are those of the original lab setup; current guidance is AES, DH group 14 or larger and RSA keys of at least 2048 bits.

3.3 Software version
This example was configured and verified on release R0106.

3.4 Configuration procedure
3.4.1 Configuring Device
(1) Assign IP addresses to the interfaces
# Assign an IP address to GigabitEthernet2/0/1.

<Device> system-view
[Device] interface gigabitethernet 2/0/1
[Device-GigabitEthernet2/0/1] ip address 192.168.100.50 24
[Device-GigabitEthernet2/0/1] quit
# Assign an IP address to GigabitEthernet2/0/2.

[Device] interface gigabitethernet 2/0/2
[Device-GigabitEthernet2/0/2] ip address 102.168.1.11 24
[Device-GigabitEthernet2/0/2] quit
# Assign an IP address to GigabitEthernet2/0/3.

[Device] interface gigabitethernet 2/0/3
[Device-GigabitEthernet2/0/3] ip address 192.168.1.1 24
[Device-GigabitEthernet2/0/3] quit
(2) Configure L2TP
# Create the local PPP user l2tpuser with the password hello.

[Device] local-user l2tpuser class network
[Device-luser-network-l2tpuser] password simple hello
[Device-luser-network-l2tpuser] service-type ppp
[Device-luser-network-l2tpuser] quit
# Configure ISP domain system to authenticate PPP users locally.

[Device] domain system
[Device-isp-system] authentication ppp local
[Device-isp-system] quit
# Enable L2TP.

[Device] l2tp enable
# Create interface Virtual-Template0 and assign it the IP address 172.16.0.1/24.

[Device] interface virtual-template 0
[Device-Virtual-Template0] ip address 172.16.0.1 255.255.255.0
# Set the PPP authentication mode to PAP. PAP carries the password in clear; here it is acceptable only because the L2TP session runs inside the IPsec tunnel.

[Device-Virtual-Template0] ppp authentication-mode pap
# Assign the PPP user the IP address 172.16.0.2.

[Device-Virtual-Template0] remote address 172.16.0.2
[Device-Virtual-Template0] quit
# Create L2TP group 1 in LNS mode.

[Device] l2tp-group 1 mode lns
# Set the local tunnel name on the LNS to lns.

[Device-l2tp1] tunnel name lns
# Disable L2TP tunnel authentication.

[Device-l2tp1] undo tunnel authentication
# Specify Virtual-Template0 as the virtual template interface that accepts calls.

[Device-l2tp1] allow l2tp virtual-template 0
[Device-l2tp1] quit
(3) Configure the PKI certificate
# Configure the PKI entity security.

[Device] pki entity security
[Device-pki-entity-security] common-name device
[Device-pki-entity-security] quit
# Create a PKI domain. This example disables CRL checking (undo crl check enable); in production leave it enabled, otherwise a revoked peer certificate is still accepted.

[Device] pki domain headgate
[Device-pki-domain-headgate] ca identifier LYQ
[Device-pki-domain-headgate] certificate request url http://192.168.1.51/certsrv/mscep/mscep.dll
[Device-pki-domain-headgate] certificate request from ra
[Device-pki-domain-headgate] certificate request entity security
[Device-pki-domain-headgate] undo crl check enable
[Device-pki-domain-headgate] public-key rsa general name abc length 1024
[Device-pki-domain-headgate] quit
# Generate a local RSA key pair.

[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys.............................++++++.++++++
Create the key pair successfully.
# Retrieve the CA certificate and save it locally. Compare the displayed fingerprint with a value obtained from the CA administrator out of band before answering Y: the certificate accepted here becomes the trust anchor for every IKE peer.

[Device] pki retrieve-certificate domain headgate ca
The trusted CA's finger print is:
    MD5  fingerprint:8649 7A4B EAD5 42CF 5031 4C99 BFS3 2A99
    SHA1 fingerprint:61A9 6034 181E 6502 12FA 5A5F BA12 0EA0 5187 031C
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Request a local certificate manually.

[Device] pki request-certificate domain headgate
Start to request general certificate ...
Certificate requested successfully.
(4) Configure the IPsec tunnel
# Create an IKE proposal.

[Device] ike proposal 1
[Device-ike-proposal-1] authentication-method rsa-signature
[Device-ike-proposal-1] encryption-algorithm 3des-cbc
[Device-ike-proposal-1] dh group2
[Device-ike-proposal-1] quit
# Configure the IPsec transform set.

[Device] ipsec transform-set tran1
[Device-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Device-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[Device-ipsec-transform-set-tran1] quit
# Configure the IKE profile.

[Device] ike profile profile1
[Device-ike-profile-profile1] local-identity dn
[Device-ike-profile-profile1] certificate domain headgate
[Device-ike-profile-profile1] proposal 1
[Device-ike-profile-profile1] match remote certificate device
[Device-ike-profile-profile1] quit
# When digital signature authentication is used, always take the local identity from the Subject field of the local certificate.

[Device] ike signature-identity from-certificate
# Create IPsec policy template template1 with sequence number 1.

[Device] ipsec policy-template template1 1
[Device-ipsec-policy-template-template1-1] transform-set tran1
[Device-ipsec-policy-template-template1-1] ike-profile profile1
[Device-ipsec-policy-template-template1-1] quit
# Create IPsec policy policy1 with sequence number 1 by referencing the policy template.
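The examples on this page were written for a lab and carry several choices a reviewer would flag before they reach production: DES and 3DES for ESP, 3DES and DH group 2 in the IKE proposal, a 1024-bit RSA key, CRL checking switched off, L2TP tunnel authentication switched off and PAP for PPP. The following Python script is an added example, not H3C code: it scans a Comware configuration (the output of display current-configuration) for these settings and reports them with a severity. The sample configuration embedded in it is constructed from the command lines that appear in examples 3 to 6 above; the rule set, severities and messages are ours, and the HMAC-MD5 rule generalises beyond what the page shows.

```python
"""Audit Comware IPsec/IKE/L2TP/PKI configuration for weak choices.

Added example, not H3C code. SAMPLE_CONFIG is constructed from the command
lines that appear in the examples on this page; the rule set, severities and
messages are ours. Feed audit() the output of 'display current-configuration'.
"""
import re

# (rule id, severity, regex on the stripped config line, message)
RULES = [
    ("ESP-DES", "high", r"^esp encryption-algorithm des(-cbc)?$",
     "DES has a 56-bit key and is brute-forceable; use aes-cbc-128 or stronger"),
    ("ESP-3DES", "medium", r"^esp encryption-algorithm 3des(-cbc)?$",
     "3DES is deprecated (64-bit block, NIST SP 800-131A); prefer AES"),
    ("IKE-3DES", "medium", r"^encryption-algorithm 3des(-cbc)?$",
     "3DES in the IKE proposal; prefer AES"),
    ("IKE-DH-SMALL", "medium", r"^dh group[12]$",
     "768/1024-bit MODP group; use group14 (2048-bit) or larger"),
    ("HMAC-MD5", "medium", r"^(esp )?authentication-algorithm md5$",
     "HMAC-MD5 integrity; prefer SHA-2"),
    ("RSA-SMALL", "medium", r"^public-key rsa .*length (512|1024)$",
     "RSA key below 2048 bits used for certificate authentication"),
    ("CRL-OFF", "high", r"^undo crl check enable$",
     "CRL checking disabled: a revoked peer certificate is still accepted"),
    ("L2TP-TUNAUTH-OFF", "info", r"^undo tunnel authentication$",
     "L2TP tunnel authentication off; acceptable only with L2TP inside IPsec"),
    ("PPP-PAP", "info", r"^ppp authentication-mode pap$",
     "PAP sends the PPP password in clear; rely on the IPsec layer or use CHAP"),
    ("PLAINTEXT-SECRET", "low", r"\b(password|key) simple\b",
     "secret entered in plaintext on the CLI (terminal history, logs)"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Constructed from the commands used in examples 3 to 6 of this page.
SAMPLE_CONFIG = """\
#
local-user l2tpuser class network
 password simple hello
 service-type ppp
#
interface Virtual-Template0
 ppp authentication-mode pap
#
l2tp-group 1 mode lns
 undo tunnel authentication
#
pki domain headgate
 undo crl check enable
 public-key rsa general name abc length 1024
#
ike proposal 1
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 dh group2
#
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 1 isakmp
 transform-set tran1
 security acl 3000
#
"""


def audit(config_text):
    """Return findings as (line_no, severity, rule_id, message, line),
    ordered by severity and then by line number."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rule_id, severity, pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((line_no, severity, rule_id, message, line))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, ...}."""
    counts = {}
    for _, severity, _, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for line_no, severity, rule_id, message, line in results:
        print(f"line {line_no:3d} [{severity:6s}] {rule_id:17s} {line!r}: {message}")
    print(summarize(results))
```

Run against the sample, the two high findings are the DES transform set and the disabled CRL check; a transform set using aes-cbc-128 with sha256 produces no finding. The rules match whole stripped lines, so a keyword such as des in an interface description or a comment does not trigger them.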
