1. [Network topology and lab environment]

Configure the interface IP addresses as shown above first, then add the IPsec configuration; the full configuration text is at the end of the article.
The lab in this article runs on the H3C simulator, available at http://forum.h3c.com/forum.php?mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6%8B%9F%E5%99%A8 for anyone interested.
2. [IPsec SA establishment analysis]
(1) After the configuration is in place, check the IPsec and IKE SAs on both routers with display ipsec sa and display ike sa; the debugging in step (2) only makes sense once both routers show established phase 1 and phase 2 SAs:
[R1]dis ipsec sa
===============================
Interface: Serial0/6/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local  address: 2.2.2.1
remote address: 2.2.3.1
Flow :
sour addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
dest addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
[inbound ESP SAs] 
spi: 3180831459 (0xbd97a2e3)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3582  <- remaining lifetime of the SA (bytes / seconds)
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs] 
spi: 3790725279 (0xe1f1e09f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3582
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
[R1] dis ike sa
total phase-1 SAs:  1
connection-id  peer            flag        phase   doi
----------------------------------------------------------
2          2.2.3.1         RD            2     IPSEC 
1          2.2.3.1         RD            1     IPSEC 
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R2]dis ipsec sa
===============================
Interface: Serial0/6/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "use1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: None
tunnel:
local  address: 2.2.3.1
remote address: 2.2.2.1
Flow :
sour addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
dest addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
[inbound ESP SAs] 
spi: 3790725279 (0xe1f1e09f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3506
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs] 
spi: 3180831459 (0xbd97a2e3)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3506
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
[R2]
[R2]dis ike sa
total phase-1 SAs:  1
connection-id  peer            flag        phase   doi
----------------------------------------------------------
3          2.2.2.1         RD|ST         2     IPSEC 
2          2.2.2.1         RD|ST         1     IPSEC 
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
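A quick cross-check a practitioner would run on the two outputs above: the inbound SPI on each router must equal the outbound SPI on the other (0xbd97a2e3 and 0xe1f1e09f here), the tunnel endpoints and the protected flow must be mirrored, and both directions must carry the same proposal. The Python parser and check below is an added example written for this article, not H3C tooling; it takes the display ipsec sa text of R1 and R2 (embedded as constructed sample strings trimmed to the fields the check uses) and reports any mismatch between the two views.

```python
import re

# Constructed samples: the relevant fields from the display ipsec sa output of R1 and R2
# shown above, trimmed to what the check needs.
R1_SA = """\
tunnel:
local  address: 2.2.2.1
remote address: 2.2.3.1
Flow :
sour addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
dest addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
[inbound ESP SAs]
spi: 3180831459 (0xbd97a2e3)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3582
[outbound ESP SAs]
spi: 3790725279 (0xe1f1e09f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3582
"""

R2_SA = """\
tunnel:
local  address: 2.2.3.1
remote address: 2.2.2.1
Flow :
sour addr: 10.1.2.1/255.255.255.255  port: 0  protocol: IP
dest addr: 10.1.1.1/255.255.255.255  port: 0  protocol: IP
[inbound ESP SAs]
spi: 3790725279 (0xe1f1e09f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3506
[outbound ESP SAs]
spi: 3180831459 (0xbd97a2e3)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3506
"""

OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_ipsec_sa(text):
    """Extract tunnel endpoints, protected flow and per-direction SPI/proposal/lifetime."""
    sa = {"inbound": {}, "outbound": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"local\s+address:\s*(\S+)", line)):
            sa["local"] = m.group(1)
        elif (m := re.match(r"remote\s+address:\s*(\S+)", line)):
            sa["remote"] = m.group(1)
        elif (m := re.match(r"sour addr:\s*(\S+)", line)):
            sa["flow_src"] = m.group(1)
        elif (m := re.match(r"dest addr:\s*(\S+)", line)):
            sa["flow_dst"] = m.group(1)
        elif line.startswith("[inbound"):
            direction = "inbound"
        elif line.startswith("[outbound"):
            direction = "outbound"
        elif direction and (m := re.match(r"spi:\s*(\d+)", line)):
            sa[direction]["spi"] = int(m.group(1))
        elif direction and (m := re.match(r"proposal:\s*(.+)", line)):
            sa[direction]["proposal"] = m.group(1).split()
        elif direction and (m := re.search(r"\(bytes/sec\):\s*(\d+)/(\d+)", line)):
            sa[direction]["remaining_bytes"] = int(m.group(1))
            sa[direction]["remaining_sec"] = int(m.group(2))
    return sa


def check_peer_pair(a, b):
    """Return the list of mismatches between two peers' SA views (empty means consistent)."""
    problems = []
    for d in ("inbound", "outbound"):
        o = OPPOSITE[d]
        if a[d]["spi"] != b[o]["spi"]:
            problems.append(f"{d} SPI 0x{a[d]['spi']:08x} on A != {o} SPI 0x{b[o]['spi']:08x} on B")
        if a[d]["proposal"] != b[o]["proposal"]:
            problems.append(f"{d} proposal on A != {o} proposal on B")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints are not mirrored")
    if (a["flow_src"], a["flow_dst"]) != (b["flow_dst"], b["flow_src"]):
        problems.append("protected flow (security ACL) is not mirrored")
    return problems


if __name__ == "__main__":
    r1, r2 = parse_ipsec_sa(R1_SA), parse_ipsec_sa(R2_SA)
    for p in check_peer_pair(r1, r2) or ["R1/R2 SA views are consistent"]:
        print(p)
```

The same check run against the output of two production peers catches the usual mistakes: a security ACL on one side that is not the exact mirror of the other, or a stale SA on one side after the other rebooted (its SPIs no longer match anything the peer holds).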
(2) debugging ipsec packet: watch the packets being received and sent. The ping is issued on R2 from its loopback address 10.1.2.1 (the source that ACL 3101 matches) and the debugging output below is taken on R1. The first echo request times out because it is the packet that triggers the IKE negotiation and is dropped while the SAs are being set up; the remaining four pass. Note the order on receipt: replay check, then ICV verification, then decryption, so a replayed or tampered packet is discarded before any decryption work is done. Also note that the SPIs in this capture (0x6fc63235 inbound, 0x3292df18 outbound on R1) differ from those in the display ipsec sa output above, so the capture comes from a different SA instance than the one displayed; the SAs were renegotiated between the two captures.
ping -a 10.1.2.1 10.1.1.1
PING 10.1.1.1: 56  data bytes, press CTRL_C to break
Request time out
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 4/15/26 ms
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---  <- ESP packet received
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)  <- outer source/destination and inbound SPI
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96  <- security protocol and algorithms
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:1  <- anti-replay check enabled, sequence number 1
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:ESP new input: Authentication succeed!   <- authentication (ICV) passed
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:IPSEC Task: Decryption succeed!  <- decryption succeeded
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Tunnel mode. Org Src:10.1.2.1 Org Dst:10.1.1.1  <- inner (decrypted) packet source/destination
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Now send it to IP input process... 
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:--- Send IPSec packet ---  <- echo reply sent back through IPsec
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!  <- outer IP header added (tunnel mode)
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.2.1 Dst:2.2.3.1 SPI:848486168(0x3292df18)  <- outer source/destination and outbound SPI
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96  <- security protocol and algorithms
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1   <- encryption done, outbound sequence number 1
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Now send it to IP output process...
Second echo request and reply (sequence number 2), same steps:
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:2                      
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:ESP new input: Authentication succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Tunnel mode. Org Src:10.1.2.1 Org Dst:10.1.1.1
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Now send it to IP input process...
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:--- Send IPSec packet ---
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Src:2.2.2.1 Dst:2.2.3.1 SPI:848486168(0x3292df18)
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-SHA1-96
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:2
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Now send it to IP output process...
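The "Replay Checking Enabled! SN:n" lines show the receiver running the ESP anti-replay check on the sequence number carried in each packet, which is also why "max received sequence-number" climbs in display ipsec sa. The Python block below is an added example written for this article, not H3C code: it implements the sliding-window check described in RFC 2406 Appendix C and runs it per inbound SPI over the lines of the capture above, followed by a constructed third line that replays SN 1 on the same SPI to show the drop. The window size of 64 is an assumption made for the example; the platform's actual window size is not shown on this page.

```python
import re

# Constructed sample: SPI and sequence-number lines from the first two exchanges of the
# capture above, followed by a constructed replay of SN 1 on the inbound SPI (not in the
# original capture).
DEBUG_LINES = """\
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:1
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Src:2.2.2.1 Dst:2.2.3.1 SPI:848486168(0x3292df18)
*Feb 17 14:11:25:953 2013 R1 IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)
*Feb 17 14:11:26:156 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:2
*Feb 17 14:11:27:001 2013 R1 IPSEC/7/DBG:Src:2.2.3.1 Dst:2.2.2.1 SPI:1875259957(0x6fc63235)
*Feb 17 14:11:27:001 2013 R1 IPSEC/7/DBG:Replay Checking Enabled! SN:1
"""

SPI_RE = re.compile(r"SPI:(\d+)\(")
REPLAY_RE = re.compile(r"Replay Checking Enabled! SN:(\d+)")


class ReplayWindow:
    """RFC 2406 Appendix C sliding window: every sequence number is accepted at most
    once, and anything older than the left edge of the window is dropped."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0      # highest sequence number accepted so far (right edge)
        self.bitmap = 0    # bit i set <=> SN (last - i) has already been seen

    def check_and_update(self, sn):
        if sn == 0:                      # ESP sequence numbers start at 1; 0 is never valid
            return False
        if sn > self.last:               # new high: slide the window right
            shift = sn - self.last
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = sn
            return True
        if sn <= self.last - self.size:  # left of the window: too old
            return False
        bit = self.last - sn
        if (self.bitmap >> bit) & 1:     # already seen inside the window: replay
            return False
        self.bitmap |= 1 << bit          # late but unseen: accept and mark
        return True


def replay_check(lines, window_size=64):
    """Run the anti-replay check per inbound SPI over debug output.
    Returns [(spi, sn, accepted), ...], one entry per replay-check line."""
    windows = {}
    current_spi = None
    results = []
    for line in lines.splitlines():
        if (m := SPI_RE.search(line)):
            current_spi = int(m.group(1))
        elif (m := REPLAY_RE.search(line)) and current_spi is not None:
            win = windows.setdefault(current_spi, ReplayWindow(window_size))
            sn = int(m.group(1))
            results.append((current_spi, sn, win.check_and_update(sn)))
    return results


if __name__ == "__main__":
    for spi, sn, ok in replay_check(DEBUG_LINES):
        print(f"SPI 0x{spi:08x} SN {sn}: {'accepted' if ok else 'DROPPED (replay)'}")
```

The outbound "Encryption finished! ... SN:1" lines are deliberately ignored: the sender only increments its counter, and the window is state that the receiver keeps per inbound SA, which is why it is reset when the SA is renegotiated and a new SPI appears.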
(3) No IKE proposal was configured, but both routers carry a default IKE proposal, and that is what phase 1 negotiated. Be aware of what it contains: pre-shared key authentication, SHA-1, DES-CBC and Diffie-Hellman group MODP_768 (group 1). DES has a 56-bit key and 768-bit Diffie-Hellman is considered breakable, and because ipsec proposal tran1 in the configuration only sets the ESP authentication algorithm, ESP encryption also falls back to DES (ESP-ENCRYPT-DES in display ipsec sa above). This is acceptable for a lab; for anything else configure an explicit ike proposal and ipsec proposal with stronger algorithms and bind the IKE proposal to the ike peer.
[R1]dis ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400 
[R2]dis ike pro
priority authentication authentication encryption Diffie-Hellman duration
method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400
3. [Configuration text]
[R1]dis cu
#
version 5.20, Alpha 1011
#
sysname R1
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer peer   
pre-shared-key cipher PMEfbsX04vk=
remote-address 2.2.3.1
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer peer
proposal tran1
#
acl number 3101
rule 0 permit ip source 10.1.1.1 0 destination 10.1.2.1 0
#
interface Serial0/6/0
link-protocol ppp
ip address 2.2.2.1 255.255.255.0
ipsec policy map1
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
[R2]dis cu
#
version 5.20, Alpha 1011
#
sysname R2
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer peer   
pre-shared-key cipher PMEfbsX04vk=
remote-address 2.2.2.1
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer peer
proposal tran1
#
acl number 3101
rule 0 permit ip source 10.1.2.1 0 destination 10.1.1.1 0
#
interface Serial0/6/0
link-protocol ppp
ip address 2.2.3.1 255.255.255.0
ipsec policy use1
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.2.1 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Serial0/6/0
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return