在华为设备上实施GRE隧道和IPSEC ***
IPSEC ×××是干私活利器哦,欢迎大家学习和掌握
私有的BGP的AS号码:64512~65535,互联网的基础就是BGP
×××的简单分类:
一大类IPSEC ×××,这是一个框架,包含很多解决方案
LAN to LAN ×××(站点到站点的×××)仅仅是IPSEC ×××中的一小类而已,它基于internet实现
另外一类是MPLS ×××(多协议标签交换),又分成L3×××(peer2peer,即设备之间建立路由协议邻居);IPSEC的框架:1)AH(认证头部) 2)ESP(安全头部负载封装,协议号50) 3)IKE(互联网秘钥交换协议)--面试常见题目
会形成两种SA(安全关联):ISAKMP SA和IPSEC SA
传输模式和隧道模式
实施拓扑:
1.实施GRE隧道(协议号47),它的特点是支持路由协议。如果实现加密的叫做GRE over IPSEC
R1:
interface Tunnel0/0/0
tunnel-protocol gre
source 202.100.1.1
destination 202.100.1.2
ip address 10.1.12.1 24
R2:
interface Tunnel0/0/0
tunnel-protocol gre
source 202.100.1.2
destination 202.100.1.1
ip address 10.1.12.2 255.255.255.0
[Huawei-Tunnel0/0/0]ping 10.1.12.2
PING 10.1.12.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.12.2: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 10.1.12.2: bytes=56 Sequence=2 ttl=255 time=30 ms
在GRE隧道上实施路由协议:
[R2-GigabitEthernet0/0/1]dis cu conf rip
[V200R003C00]
#
rip 1
version 2
network 10.0.0.0 //实施在GRE隧道上的动态路由协议
!
[R1-rip-1]dis th
[V200R003C00]
#
rip 1
version 2
network 10.0.0.0
通过GRE隧道得到的路由
[R1-rip-1]dis ip rou pro rip
Route Flags: R - relay, D - download to fib
Public routing table : RIP
Destinations : 1 Routes : 1
RIP routing table status : <Active>
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.2.0/24 RIP 100 1 D 10.1.12.2 Tunnel0/0/0RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
终端的通信:
PC>ping 10.1.1.1
Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.1.1.1: bytes=32 seq=2 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=3 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=4 ttl=126 time=15 ms
From 10.1.1.1: bytes=32 seq=5 ttl=126 time=15 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/15/15 ms
2.L2L的IPSEC ×××
实施步骤:1)实施路由的可达性
HEDEX
加解密设备至少需要3条路由:A.到达对端加解密点的路由;B.到达本端通信点的路由;C.到达对端通信点的路由(这点容易忽略,但是转发设备如果没有到达目的地的路由就丢弃数据包)
R1的路由实施:
[R1]ip route-static 10.1.2.0 24 g0/0/0 202.100.1.2
另外两个要求默认使用直连路由完成
[R2]ip route-static 0.0.0.0 0.0.0.0 g0/0/0 202.100.1.1
2)实施第一阶段的Proposal策略
R1&R2:
ipsec proposal QYT
esp authentication-algorithm sha1
[R2]display ipsec proposal
Number of proposals: 1
IPSec proposal name: QYT
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96
Encryption DES
[R2]
3)实施SPD(ACL来匹配哪些数据通过IPSEC 处理),感兴趣
R1:
acl name ××× 3999
rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
R2:
acl name ××× 3999
rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
4)整合IPSEC 策略
R1:
ipsec policy NONGDA 10 manual
security acl 3999
proposal QYT
tunnel local 202.100.1.1
tunnel remote 202.100.1.2
sa spi inbound esp 6543
sa string-key inbound esp simple nongda
sa spi outbound esp 3456
sa string-key outbound esp simple nongda
R2:
ipsec policy NONGDA 10 manual
security acl 3999
proposal QYT
tunnel local 202.100.1.2
tunnel remote 202.100.1.1
sa spi inbound esp 3456
sa string-key inbound esp simple nongda
sa spi outbound esp 6543
sa string-key outbound esp simple **
应用策略
两个网关设备应用:
interface GigabitEthernet0/0/0
ip address 202.100.1.2 255.255.255.252
ipsec policy NONGDA
[R2]dis ipsec sa //验证安全关联
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
IPSec policy name: "NONGDA"
Sequence number : 10
Acl Group : 3999
Acl rule : 0
Mode : Manual
Encapsulation mode: Tunnel
Tunnel local : 202.100.1.2
Tunnel remote : 202.100.1.1
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 6543 (0x198f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 3456 (0xd80)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA[R2]dis ipsec statistics esp //验证通过SEC加解密的报文
Inpacket count : 9
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 7
NAT bypass(用acl拒绝掉×××流量,再配置其他流量去访问互联网),即在NAT环境下实施IPSEC ×××
转载于:https://blog.51cto.com/enderjoe/2057897