
IPsec Configuration Document

Configuration steps:

I. Make R1 and R3 (across the public network) able to communicate

[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

II. IPsec configuration

R1 configuration:

1. Define the data flow to be protected

[R1]acl number 3000
[R1-acl-adv-3000]rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
[R1-acl-adv-3000]quit

2. Configure the IKE proposal

[R1]ike proposal 10 // create IKE proposal 10 and enter IKE proposal view
[R1-ike-proposal-10]encryption-algorithm 3des-cbc // encryption algorithm used by the IKE proposal
[R1-ike-proposal-10]authentication-method pre-share // key handling method used by the IKE proposal (pre-shared key)
[R1-ike-proposal-10]authentication-algorithm md5 // authentication algorithm used by the IKE proposal
[R1-ike-proposal-10]dh group2 // Diffie-Hellman group used by the IKE proposal
[R1-ike-proposal-10]sa duration 86400 // ISAKMP SA lifetime (seconds)
[R1-ike-proposal-10]quit

3. Configure the IKE peer and its key

[R1]ike peer R3 // create the IKE peer and enter IKE peer view
[R1-ike-peer-r3]exchange-mode main // negotiation mode of the IKE peer
[R1-ike-peer-r3]pre-shared-key h3c // pre-shared key of the IKE peer
[R1-ike-peer-r3]local-address 12.1.1.1 // local security gateway address
[R1-ike-peer-r3]remote-address 23.1.1.3 // remote security gateway address
[R1-ike-peer-r3]remote-name R3 // remote security gateway name
[R1-ike-peer-r3]quit
[R1]ike local-name R1 // local security gateway name

4. Configure the IPsec proposal

[R1]ipsec proposal r1 // create the IPsec proposal
[R1-ipsec-proposal-r1]transform esp // security protocol
[R1-ipsec-proposal-r1]esp encryption-algorithm 3des // encryption algorithm used by ESP
[R1-ipsec-proposal-r1]esp authentication-algorithm md5 // authentication algorithm used by ESP
[R1-ipsec-proposal-r1]encapsulation-mode tunnel // encapsulation mode used by ESP
[R1-ipsec-proposal-r1]quit

5. Configure the IKE-negotiated security policy

[R1]ipsec policy 1 10 isakmp // create a security policy
[R1-ipsec-policy-isakmp-1-10]security acl 3000 // ACL referenced by the security policy
[R1-ipsec-policy-isakmp-1-10]proposal r1 // IPsec proposal referenced by the security policy
[R1-ipsec-policy-isakmp-1-10]ike-peer r3 // IKE peer referenced by the security policy
[R1-ipsec-policy-isakmp-1-10]pfs dh-group5 // DH group used for PFS
[R1-ipsec-policy-isakmp-1-10]sa duration time-based 86400 // IPsec SA lifetime (seconds)
[R1-ipsec-policy-isakmp-1-10]quit

6. Apply the security policy on the interface

[R1]interface s0/2/0
[R1-Serial0/2/0]ipsec policy 1 // apply the security policy on the interface
[R1-Serial0/2/0]quit

R3 configuration:

[R3]ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
[R3]acl number 3000
[R3-acl-adv-3000]rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
[R3-acl-adv-3000]quit
[R3]ike proposal 10
[R3-ike-proposal-10]encryption-algorithm 3des-cbc
[R3-ike-proposal-10]authentication-method pre-share
[R3-ike-proposal-10]authentication-algorithm md5
[R3-ike-proposal-10]dh group2
[R3-ike-proposal-10]sa duration 86400
[R3-ike-proposal-10]quit
[R3]ike peer R1
[R3-ike-peer-r1]exchange-mode main
[R3-ike-peer-r1]pre-shared-key h3c
[R3-ike-peer-r1]local-address 23.1.1.3
[R3-ike-peer-r1]remote-address 12.1.1.1
[R3-ike-peer-r1]remote-name R1
[R3-ike-peer-r1]quit
[R3]ipsec proposal r3
[R3-ipsec-proposal-r3]transform esp
[R3-ipsec-proposal-r3]esp encryption-algorithm 3des
[R3-ipsec-proposal-r3]esp authentication-algorithm md5
[R3-ipsec-proposal-r3]encapsulation-mode tunnel
[R3-ipsec-proposal-r3]quit
[R3]ipsec policy 1 10 isakmp
[R3-ipsec-policy-isakmp-1-10]security acl 3000
[R3-ipsec-policy-isakmp-1-10]proposal r3
[R3-ipsec-policy-isakmp-1-10]ike-peer R1
[R3-ipsec-policy-isakmp-1-10]sa duration time-based 86400
[R3-ipsec-policy-isakmp-1-10]quit
[R3]interface s0/2/0
[R3-Serial0/2/0]ipsec policy 1
[R3-Serial0/2/0]quit

III. Test the result

[R1]ping -a 192.168.1.1 192.168.2.1
  PING 192.168.2.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=20 ms
    Request time out
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms
    Request time out

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    3 packet(s) received
    40.00% packet loss
    round-trip min/avg/max = 5/17/26 ms
[R1]

At this point the two internal networks can communicate normally.
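Both ends of the tunnel have to agree: the ACL rules must be mirror images, and the IKE proposal and the policy's PFS setting must match on R1 and R3. The following Python check is an added example, not part of this document or of any H3C tool; it runs over constructed excerpts of the R1 and R3 configuration above and reports differences (on this page it finds that R1 sets pfs dh-group5 while R3 sets no PFS, and that 3DES/MD5/DH group 2 are legacy algorithm choices). The LEGACY set and the field names are this example's own choices.

```python
import re

# Constructed excerpts of the R1 and R3 configuration from this walkthrough,
# limited to the fields that must agree between the two peers.
R1_CFG = """acl number 3000
 rule permit ip source 192.168.1.1 0.0.0.0 destination 192.168.2.1 0.0.0.0
ike proposal 10
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 dh group2
ipsec policy 1 10 isakmp
 pfs dh-group5"""
R3_CFG = """acl number 3000
 rule permit ip source 192.168.2.1 0.0.0.0 destination 192.168.1.1 0.0.0.0
ike proposal 10
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
 dh group2
ipsec policy 1 10 isakmp"""
LEGACY = {"des-cbc", "3des-cbc", "md5", "group1", "group2"}  # example's own list

def field(cfg, pattern):
    m = re.search(pattern, cfg)  # first capture group, or None when absent
    return m.group(1) if m else None

def parse(cfg):
    """Extract the peer-facing fields of one router's IPsec configuration."""
    return {"flow": (field(cfg, r"rule permit ip source (\S+)"),
                     field(cfg, r"destination (\S+)")),
            "pfs": field(cfg, r"pfs (\S+)"),
            "algs": {field(cfg, r"encryption-algorithm (\S+)"),
                     field(cfg, r"authentication-algorithm (\S+)"),
                     field(cfg, r"dh (\S+)")}}

def check_pair(a_cfg, b_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    if a["flow"] != b["flow"][::-1]:  # source/destination must be swapped
        findings.append("ACL 3000 rules are not mirror images")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS mismatch: {a['pfs']} vs {b['pfs']}")
    legacy = sorted((a["algs"] | b["algs"]) & LEGACY)
    if legacy:
        findings.append("legacy IKE algorithms in use: " + ", ".join(legacy))
    return findings
```

Adding `pfs dh-group5` under R3's policy clears the PFS finding; the algorithm finding stays until both proposals are changed.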

Verification commands after the lab:

1. Display the IKE peer configuration

[R1]dis ike peer
---------------------------
 IKE Peer: r3
  exchange mode: main on phase 1
  pre-shared-key cipher nw1kqzgZJnA=
  peer id type: ip
  peer ip address: 23.1.1.3
  local ip address: 12.1.1.1
  peer name: R3
  nat traversal: disabled
  dpd:
---------------------------
[R1]

2. Display the current ISAKMP SAs

[R1]dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      3            23.1.1.3        RD|ST       2       IPSEC
      2            23.1.1.3        RD|ST       1       IPSEC

    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[R1]

3. Display the configuration of each IKE proposal

[R1]dis ike proposal
 priority  authentication  authentication  encryption  Diffie-Hellman  duration
           method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
 10        PRE_SHARED      MD5             3DES_CBC    MODP_1024       86400
 default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400
[R1]

4. Display the IPsec security policy

[R1]dis ipsec policy
===========================================
IPsec Policy Group: "1"
Using interface: {Serial0/2/0}
===========================================

  -----------------------------
  IPsec policy name: "1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    security data flow : 3000
    selector mode: standard
    ike-peer name: r3
    perfect forward secrecy: DH group 5
    proposal name: r1
    IPsec sa local duration(time based): 86400 seconds
    IPsec sa local duration(traffic based): 1843200 kilobytes
[R1]

5. Display the IPsec proposal

[R1]dis ipsec proposal
  IPsec proposal name: r1
    encapsulation mode: tunnel
    transform: esp-new
    ESP protocol: authentication md5-hmac-96, encryption 3des
[R1]

6. Display the IPsec SAs

[R1]dis ipsec sa
===============================
Interface: Serial0/2/0
  path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 5
    tunnel:
        local  address: 12.1.1.1
        remote address: 23.1.1.3
    Flow :
        sour addr: 192.168.1.1/255.255.255.255  port: 0  protocol: IP
        dest addr: 192.168.2.1/255.255.255.255  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 2476921505 (0x93a2d2a1)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435624/84789
      max received sequence-number: 14
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1974141924 (0x75ab03e4)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435624/84789
      max sent sequence-number: 15
      udp encapsulation used for nat traversal: N
[R1]

7. Display IPsec packet statistics

[R1]dis ipsec statistics
  the security packet statistics:
    input/output security packets: 14/14
    input/output security bytes: 1176/1176
    input/output dropped security packets: 0/1
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 1
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
