网络安全之IPSEC路由基本配置
IPSEC配置的前提分析
协议分析
传输模式分析
IPSEC路由中的配置
图谱图
注意:
此场景为私网之间配置
配置公网可达
R1
ISP
R3
配置静态路由使得公网可达
R1配置IKESA的安全提议
R1配置IKESA的身份认证信息
野蛮模式配置
R3配置IKESA的安全提议
R3配置IKESA的身份认证信息
R1配置IPSEC的安全提议
[R1]displayipsecproposal---查询配置的IPSEC
网络安全:IPSEC路由基本配置
访客
目录网络安全之IPSEC路由基本配置IPSEC配置的前提分析协议分析传输模式分析编辑IPSEC路由中的配置图谱图配置公网可达R1配置IKESA的安全提议R1配置IKESA的身份认证信息R3配置IKESA的安全提议R3配置IKESA的身份认证信息R1配置IPSEC的安全提议R1配置感兴趣流R1配置安全策略集R3配置IPSEC的安全提议R3配置感兴趣流R3配置安全策略集在接口调安全策略集启动测试[R1]iproute-static192.168.2.024100.1.1.2 [R1]iproute-static200.1.1.024100.1.1.2 [R3]iproute-static100.1.1.024200.1.1.1 [R3]iproute-static192.168.1.024200.1.1.1 [R1]ikeproposal1---选择安全提议编号 [R1-ike-proposal-1]encryption-algorithm? 3des-cbc168bits3DES-CBC aes-cbc-128UseAES-128 aes-cbc-192UseAES-192 aes-cbc-256UseAES-256 des-cbc56bitsDES-CBC---比较弱,一般不选 [R1-ike-proposal-1]encryption-algorithm3des-cbc [R1-ike-proposal-1]authentication-algorithm?---认证加密算法 aes-xcbc-mac-96Selectaes-xcbc-mac-96asthehashalgorithm md5SelectMD5asthehashalgorithm sha1SelectSHAasthehashalgorithm sm3Selectsm3asthehashalgorithm [R1-ike-proposal-1]authentication-algorithmsha1---选择哈希算法 [R1-ike-proposal-1]authentication-method?---认证模式 digital-envelopeSelectdigitalenvelopekeyastheauthenticationmethod pre-shareSelectpre-sharedkeyastheauthenticationmethod rsa-signatureSelectrsa-signaturekeyastheauthenticationmethod [R1-ike-proposal-1]authentication-methodpre-share---域共享 [R1-ike-proposal-1]dh?---选择DH算法 group1768bitsDiffie-Hellmangroup group142048bitsDiffie-Hellmangroup group21024bitsDiffie-Hellmangroup group51536bitsDiffie-Hellmangroup [R1-ike-proposal-1]dhgroup5---一般选2以上强度,1太低 [R1-ike-proposal-1]saduration?---安全联盟周期 INTEGER<60-604800>Valueoftime(inseconds),defaultis86400 [R1-ike-proposal-1]saduration3600 [R1]ikepeer1?---选择ike版本 v1OnlyV1SA'scanbecreated v2OnlyV2SA'scanbecreated <cr>PleasepressENTERtoexecutecommand [R1]ikepeer1v1 [R1-ike-peer-1]exchange-mode?---选择模式 aggressiveAggressivemode---野蛮 mainMainmode---主模式 [R1-ike-peer-1]exchange-modemain---主模式 [R1-ike-peer-1]pre-shared-key?---预共享密钥 cipherPre-shared-keywithciphertext---本地不加密 simplePre-shared-keywithplaintext---本地加密 [R1-ike-peer-1]pre-shared-keycipher123 [R1-ike-peer-1]ike-proposal1---调用安全提议编号 [R1-ike-peer-1]remote-address200.1.1.2---对方IP ikepeeryyyv1 exchange-modeaggressive//设置为野蛮模式 pre-shared-keysimple999 ike-proposal1 local-id-typename//定义本地ID为name remote-namekkk//远程ID是kkk remote-address200.1.1.1 [R3]ikeproposal1 [R3-ike-proposal-1]encryption-algorithm3des-cbc [R3-ike-proposal-1]dhgroup5 [R3-ike-proposal-1]authentication-algorithmsha1 [R3-ike-proposal-1]saduration3600 [R3-ike-proposal-1]q [R3]ikepeer1v1 [R3-ike-peer-1]exchange-modemain [R3-ike-peer-1]pre-shared-keycipher123 [R3-ike-peer-1]ike-proposal1 [R3-ike-peer-1]remote-address100.1.1.1 [R3-ike-peer-1] [R1]ipsecproposal1---选择安全协议号 [R1-ipsec-proposal-1] [R1-ipsec-proposal-1]transform?---选择封装协议 ahAHprotocoldefinedinRFC2402 ah-espESPprotocolfirst,thenAHprotocol espESPprotocoldefinedinRFC2406 [R1-ipsec-proposal-1]transformesp---选择ESP协议 [R1-ipsec-proposal-1]espauthentication-algorithm?---选择认证算法 md5UseHMAC-MD5-96algorithm sha1UseHMAC-SHA1-96algorithm sha2-256UseSHA2-256algorithm sha2-384UseSHA2-384algorithm sha2-512UseSHA2-512algorithm sm3UseSM3algorithm [R1-ipsec-proposal-1]espauthentication-algorithmsha2-512 [R1-ipsec-proposal-1]espencryption-algorithm?---加密算法 3desUse3DES aes-128UseAES-128 aes-192UseAES-192 aes-256UseAES-256 desUseDES sm1UseSM1 <cr>PleasepressENTERtoexecutecommand [R1-ipsec-proposal-1]espencryption-algorithmaes-128 [R1-ipsec-proposal-1]encapsulation-modetunnel---选择隧道模式 [R1]acl3000 [R1-acl-adv-3000]rule5permitipsource192.168.1.00.0.0.255destination192.1 68.2.00.0.0.255 [R1]ipsecpolicyk1?---选择协议 isakmpIndicatesuseIKEtoestablishtheIPSecSA manualIndicatesusemanualtoestablishtheIPSecSA <cr>PleasepressENTERtoexecutecommand [R1]ipsecpolicyk1isakmp---定义安全策略编号与协议 [R1-ipsec-policy-isakmp-k-1]proposal1---调用IPSECSA提议 [R1-ipsec-policy-isakmp-k-1]ike-peer1---调用身份认证信息 [R1-ipsec-policy-isakmp-k-1]securityacl3000---调用感兴趣流 [R3]ipsecproposal1 [R3-ipsec-proposal-1]transformesp [R3-ipsec-proposal-1]espauthentication-algorithmsha2-512 [R3-ipsec-proposal-1]espencryption-algorithmaes-128 [R3-ipsec-proposal-1]encapsulation-modetunnel [R3]acl3000 [R3-acl-adv-3000]rule5permitipsource192.168.2.00.0.0.255destination192.1 68.1.00.0.0.255 [R3]ipsecpolicyk1isakmp [R3-ipsec-policy-isakmp-k-1]proposal1 [R3-ipsec-policy-isakmp-k-1]ike-peer1 [R3-ipsec-policy-isakmp-k-1]securityacl3000 [R1-GigabitEthernet0/0/1]ipsecpolicyk [R3-GigabitEthernet0/0/0]ipsecpolicyk