IPSec VPN is a VPN technology that uses the IPSec protocol suite to provide remote access. IPSec (Internet Protocol Security) is a security standard framework defined by the Internet Engineering Task Force (IETF) that provides end-to-end encryption and authentication services for public and private networks.
Normal mode (manual SAs):
Both ends of the tunnel need a fixed IP address; in manual mode the SA parameters (SPI and key) have to be configured by hand on each side.
[R1]
int eth0/0
ip add 192.168.1.1 24
int eth0/4
ip add 1.1.1.1 24
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran1 (IPsec proposal named tran1)
encapsulation-mode tunnel (tunnel mode is the default)
transform esp (the security protocol is ESP)
esp authentication-algorithm md5 (ESP authentication algorithm is MD5)
esp encryption-algorithm des (ESP encryption algorithm is DES)
dis ipsec proposal
quit
ipsec policy policy1 10 manual (policy named policy1; only one policy can be applied per interface,
but one policy can contain several entries; in practice the isakmp automatic mode is normally used)
security acl 3000 (only traffic matching ACL 3000 is protected)
proposal tran1 (use proposal tran1)
tunnel local 1.1.1.1 (local tunnel address)
tunnel remote 1.1.2.1 (remote tunnel address)
sa spi inbound esp 12345 (inbound security parameter index 12345)
sa string-key inbound esp abcdef (inbound key)
dis ipsec sa (the SA can be seen once traffic has passed)
sa spi outbound esp 54321
sa string-key outbound esp qazwsx
int eth0/4
ipsec policy policy1 (apply the policy on the interface)
(right-hand tunnel configuration)
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 20 manual
security acl 3001
proposal tran2
tunnel local 1.1.1.1
tunnel remote 1.1.3.1
dis ipsec policy
sa spi inbound esp 123456
sa string-key inbound esp abcdefg
sa spi outbound esp 654321
sa string-key outbound esp qazwsxe
The policy is already applied on the outbound interface, so it does not need to be applied again
dis ipsec policy
From Guangzhou to Shanghai
acl number 3000 match-order auto
rule 15 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 match-order auto
rule 15 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[R2]
int eth0/0
ip add 192.168.2.1 24
loopback
int eth0/4
ip add 1.1.2.1 24
ip route-static 0.0.0.0 0 1.1.2.2
ping 1.1.2.2
ping 1.1.1.1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 1.1.2.1
tunnel remote 1.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp qazwsx
sa spi outbound esp 12345
sa string-key outbound esp abcdef
quit
int eth0/4
ipsec policy policy1
dis ipsec sa
[R3]
int eth0/0
ip add 192.168.3.1 24
loopback
int eth0/4
ip add 1.1.3.1 24
quit
ip route-static 0.0.0.0 0 1.1.3.2
ping 1.1.3.2
ping 1.1.1.1
acl number 3001 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
ipsec policy policy1 10 manual
security acl 3001
proposal tran2
tunnel local 1.1.3.1
tunnel remote 1.1.1.1
sa spi inbound esp 654321
sa string-key inbound esp qazwsxe
sa spi outbound esp 123456
sa string-key outbound esp abcdefg
int eth0/4
ipsec policy policy1
dis ipsec sa
From Guangzhou to Shanghai
acl number 3000 match-order auto
rule 15 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
Aggressive mode:
One end of the tunnel has a fixed address while the other obtains its IP address automatically; for the first connection, ping from the side with the fixed address toward the side with the automatically obtained address
[R1]
int eth0/0
ip add 192.168.1.1 24
int eth0/4
ip add 1.1.1.1 24
quit
ip route-static 0.0.0.0 0 1.1.1.2
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
acl number 3001 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ike peer R2 (specify the peer)
exchange-mode aggressive (use aggressive mode)
id-type name (identity type is name)
remote-name R2
local-address 1.1.1.1
pre-shared-key simple 123456
quit
ike local-name R1
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
ike-peer R2
int eth0/4
ipsec policy policy1
ipsec proposal tran2
encapsulation-mode tunnel
esp authentication-algorithm md5
esp encryption-algorithm des
quit
ike peer R3
exchange-mode aggressive
pre-shared-key simple 654321
id-type name
remote-name R3
local-address 1.1.1.1
quit
ipsec policy policy1 20 isakmp
security acl 3001
proposal tran2
ike-peer R3
[R2]
int eth0/0
ip add 192.168.2.1 24
loopback
int eth0/4
ip add dhcp
ip route-static 0.0.0.0 0 1.1.2.2
ping 1.1.2.2
ping 1.1.1.1
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ike peer R1
remote-address 1.1.1.1
exchange-mode aggressive
id-type name
remote-name R1
pre-shared-key simple 123456
quit
ike local-name R2
ipsec policy policy1 10 isakmp
security acl 3000
proposal tran1
ike-peer R1
quit
int eth0/4
ipsec policy policy1
quit
[R3]
int eth0/0
ip add 192.168.3.1 24
loopback
int eth0/4
ip add dhcp
quit
ip route-static 0.0.0.0 0 1.1.3.2
ping 1.1.3.2
ping 1.1.1.1
acl number 3001 match-order auto
rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
quit
ipsec proposal tran2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
ike peer R1
exchange-mode aggressive
id-type name
remote-address 1.1.1.1
remote-name R1
pre-shared-key simple 654321
quit
ike local-name R3
ipsec policy policy1 10 isakmp
security acl 3001
proposal tran2
ike-peer R1
quit
int eth0/4
ipsec policy policy1
quit
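Both sections above only work when the two routers mirror each other exactly: in manual mode one side's inbound SPI and key must be the other side's outbound SPI and key, and in aggressive mode the remote-name on each side must be the far side's ike local-name with the same exchange mode and pre-shared key. The CLI accepts each side on its own and never checks the pair. The linter below is an added example written for this page, not part of the original notes or of any vendor tool; it parses the subset of Comware-style commands used here and reports mismatched SPIs or keys, peers whose names do not line up, differing pre-shared keys or exchange modes, and the legacy algorithms (DES, MD5) that tran1 and tran2 select. The lab_config helper, all function names and the deliberately mistyped pre-shared key on R2 are constructed for the demonstration; the SPIs, keys and addresses are the page's R1/R2 values.

```python
# Consistency linter for a pair of Comware-style IPsec peer configs (added example).
LEGACY_ALGORITHMS = {"des", "3des", "md5", "sha1"}  # flagged, not rejected
IGNORED = ("dis", "display", "ping")                 # diagnostic lines in the notes

def parse_config(text):
    """Proposals, policies, ike peers and the local IKE name; each block is a dict keyed
    by the command minus its last token, e.g. "sa spi inbound esp" -> "12345"."""
    cfg = {"local_name": None, "proposals": {}, "policies": {}, "peers": {}}
    block = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in IGNORED:
            continue
        head = " ".join(parts[:2])
        if parts[0] in ("quit", "int", "interface") or head == "acl number":
            block = None  # leaving a view, or entering one this linter does not model
        elif head == "ike local-name":
            cfg["local_name"] = parts[2]
        elif head == "ipsec proposal":
            block = cfg["proposals"].setdefault(parts[2], {})
        elif head == "ipsec policy" and len(parts) == 5:  # name seq manual|isakmp
            block = cfg["policies"].setdefault((parts[2], parts[3]), {"mode": parts[4]})
        elif head == "ike peer":
            block = cfg["peers"].setdefault(parts[2], {})
        elif block is not None and len(parts) >= 2:
            block[" ".join(parts[:-1])] = parts[-1]
    return cfg

def check_proposals(cfg):
    """Flag the DES/MD5-class algorithms that the page's proposals select."""
    return [f"proposal {name}: legacy {key.split()[-1]} {prop[key]}"
            for name, prop in cfg["proposals"].items()
            for key in ("esp encryption-algorithm", "esp authentication-algorithm")
            if prop.get(key) in LEGACY_ALGORITHMS]

def check_manual_sas(a, b):
    """Pair manual policies whose tunnel endpoints are swapped: A's inbound SPI/key
    must equal B's outbound SPI/key and vice versa."""
    findings = []
    for ka, pa in a["policies"].items():
        for kb, pb in b["policies"].items():
            if (pa["mode"], pb["mode"]) != ("manual", "manual"):
                continue
            if (pa.get("tunnel local"), pa.get("tunnel remote")) != (
                    pb.get("tunnel remote"), pb.get("tunnel local")):
                continue
            for field in ("spi", "string-key"):
                for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
                    if pa.get(f"sa {field} {mine} esp") != pb.get(f"sa {field} {theirs} esp"):
                        findings.append(f"{ka}/{kb}: {mine} {field} on A != {theirs} {field} on B")
    return findings

def check_ike_peers(a, b):
    """Name-based peers: A's remote-name must be B's ike local-name, and the two
    peer blocks must agree on exchange mode and pre-shared key."""
    findings = []
    for name, pa in a["peers"].items():
        if pa.get("remote-name") != b["local_name"]:
            continue  # this peer block points at some other router
        match = [pb for pb in b["peers"].values() if pb.get("remote-name") == a["local_name"]]
        if not match:
            findings.append(f"peer {name}: B has no ike peer naming {a['local_name']}")
            continue
        for key in ("exchange-mode", "pre-shared-key simple"):
            if pa.get(key) != match[0].get(key):
                findings.append(f"peer {name}: {key} differs between A and B")
    return findings

def lint_pair(text_a, text_b):
    a, b = parse_config(text_a), parse_config(text_b)
    return {"algorithms": check_proposals(a) + check_proposals(b),
            "manual_sa": check_manual_sas(a, b),
            "ike": check_ike_peers(a, b)}

def lab_config(name, peer, local, remote, spi_in, key_in, spi_out, key_out, psk):
    """Constructed config in the shape of the page's R1/R2 lab (this helper is mine)."""
    return "\n".join([
        "ipsec proposal tran1", " esp authentication-algorithm md5",
        " esp encryption-algorithm des", "quit",
        "ipsec policy policy1 10 manual", " proposal tran1",
        f" tunnel local {local}", f" tunnel remote {remote}",
        f" sa spi inbound esp {spi_in}", f" sa string-key inbound esp {key_in}",
        f" sa spi outbound esp {spi_out}", f" sa string-key outbound esp {key_out}",
        "quit", f"ike local-name {name}", f"ike peer {peer}",
        " exchange-mode aggressive", " id-type name", f" remote-name {peer}",
        f" pre-shared-key simple {psk}", "quit"])

# SPIs, keys and addresses as in the page's R1/R2 lab; R2's pre-shared key is
# deliberately mistyped here (constructed) so that the IKE check has something to report.
R1 = lab_config("R1", "R2", "1.1.1.1", "1.1.2.1", 12345, "abcdef", 54321, "qazwsx", "123456")
R2 = lab_config("R2", "R1", "1.1.2.1", "1.1.1.1", 54321, "qazwsx", 12345, "abcdef", "123457")

if __name__ == "__main__":
    for section, items in lint_pair(R1, R2).items():
        print(section, items or "OK")
```

Running it as a script prints three groups: the manual SAs come out clean because the page's SPIs and keys are mirrored correctly, both proposals are reported for DES and MD5, and the mistyped key on R2 shows up under ike. The IKE check compares the pre-shared-key simple values, which the page stores in plaintext; Comware also accepts the cipher form, which keeps the key out of configuration listings.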