配置IPSec技術(shù)介紹_第1頁
配置IPSec技術(shù)介紹_第2頁
配置IPSec技術(shù)介紹_第3頁
配置IPSec技術(shù)介紹_第4頁
配置IPSec技術(shù)介紹_第5頁
已閱讀5頁,還剩38頁未讀 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、配置IPSec技術(shù)介紹技術(shù)創(chuàng)新,變革未來本章講解在路由器上配置IPSec VPN的方法及信息顯示和調(diào)試命令,并給出了相關(guān)的配置示例。引入描述IPSec和IKE的配置要點(diǎn)和任務(wù)配置IPSec和IKE使用display命令獲取IPSec和IKE配置和運(yùn)行信息使用debugging命令了解IPSec和IKE運(yùn)行時的重要事件和異常情況課程目標(biāo)學(xué)習(xí)完本課程,您應(yīng)該能夠:配置前準(zhǔn)備配置IPSec隧道配置IKEIPSec隧道配置示例目錄IPSec配置前準(zhǔn)備What 確定需要保護(hù)的數(shù)據(jù) Where 確定使用安全保護(hù)的路徑 Which 確定使用哪種安全保護(hù) How 確定安全保護(hù)的強(qiáng)度 配置前準(zhǔn)備配置IPSec隧

2、道配置IKEIPSec隧道配置示例目錄IPSec的配置任務(wù)配置安全ACL配置安全提議創(chuàng)建安全提議選擇安全協(xié)議 選擇安全算法選擇工作模式配置安全策略手工配置參數(shù)的安全策略通過IKE協(xié)商參數(shù)的安全策略在接口上應(yīng)用安全策略配置安全ACLIPSec通信雙方安全ACL的源和目的須對稱acl number 3101rule 1 permit ip source 173.1.1.1 0.0.0.0 destination 173.2.2.2 0.0.0.7acl number 3204rule 1 permit ip source 173.2.2.2 0.0.0.7 destination 173.1.1.

3、1 0.0.0.0 本端:對端:配置安全提議創(chuàng)建安全提議,并進(jìn)入安全提議視圖選擇安全協(xié)議 選擇工作模式 Router-ipsec-proposal-tran1 transform ah | ah-esp | esp Router-ipsec-proposal-tran1 encapsulation-mode transport | tunnel Router ipsec proposal proposal-name 配置安全提議(續(xù))選擇安全算法配置ESP協(xié)議采用的加密算法配置ESP協(xié)議采用的驗證算法 配置AH協(xié)議采用的驗證算法 Router-ipsec-proposal-tran1 esp

4、encryption-algorithm 3des | aes key-length | des Router-ipsec-proposal-tran1 esp authentication-algorithm md5 | sha1 Router-ipsec-proposal-tran1 ah authentication-algorithm md5 | sha1 安全策略的兩種類型靜態(tài)手工配置參數(shù)的安全策略需要用戶手工配置密鑰、SPI、安全協(xié)議和算法等參數(shù)在隧道模式下還需要手工配置安全隧道兩個端點(diǎn)的IP地址動態(tài)通過IKE協(xié)商參數(shù)的安全策略由IKE自動協(xié)商生成密鑰、SPI、安全協(xié)議和算法等參數(shù)

5、手工配置參數(shù)的安全策略流程是否匹配ACL數(shù)據(jù)包待發(fā)送是否匹配ACL是否匹配ACL直接明文發(fā)送提供安全服務(wù)提供安全服務(wù)提供安全服務(wù)發(fā)送受保護(hù)的數(shù)據(jù)YNNYYN第一條安全策略第二條安全策略最后一條安全策略使用手工配置的安全參數(shù)使用手工配置的安全參數(shù)使用手工配置的安全參數(shù)IKE協(xié)商參數(shù)的安全策略流程是否匹配ACL數(shù)據(jù)包待發(fā)送是否匹配ACL是否匹配ACL直接明文發(fā)送提供安全服務(wù)發(fā)送受保護(hù)的數(shù)據(jù)YNNYYN第一條安全策略第二條安全策略最后一條安全策略用IKE協(xié)商安全參數(shù)成功用IKE協(xié)商安全參數(shù)用IKE協(xié)商安全參數(shù)丟棄數(shù)據(jù)包提供安全服務(wù)丟棄數(shù)據(jù)包提供安全服務(wù)丟棄數(shù)據(jù)包失敗成功失敗成功失敗配置手工配置參數(shù)的

6、安全策略創(chuàng)建一條安全策略,并進(jìn)入安全策略視圖配置安全策略引用的ACL 配置安全策略所引用的安全提議 Router ipsec policy policy-name seq-number manual Router-ipsec-policy-manual-map1-10 security acl acl-number Router-ipsec-policy-manual-map1-10 proposal proposal-name 配置手工配置參數(shù)的安全策略(續(xù))配置IPSec隧道的本端地址配置IPSec隧道的對端地址配置SA的SPI Router-ipsec-policy-manual-map

7、1-10 tunnel local ip-address Router-ipsec-policy-manual-map1-10 tunnel remote ip-address Router-ipsec-policy-manual-map1-10 sa spi inbound | outbound ah | esp spi-number 配置手工配置參數(shù)的安全策略(續(xù))配置SA使用的密鑰配置協(xié)議的驗證密鑰(以16進(jìn)制方式輸入)配置協(xié)議的驗證密鑰(以字符串方式輸入)配置ESP協(xié)議的加密密鑰(以字符串方式輸入)配置ESP協(xié)議的加密密鑰(以16進(jìn)制方式輸入) Router-ipsec-policy-

8、manual-map1-10 sa authentication-hex inbound | outbound ah | esp hex-key Router-ipsec-policy-manual-map1-10 sa string-key inbound | outbound esp string-key Router-ipsec-policy-manual-map1-10 sa string-key inbound | outbound ah | esp string-key Router-ipsec-policy-manual-map1-10 sa encryption-hex inb

9、ound | outbound esp hex-key IKE協(xié)商安全提議IPSec proposal a1安全協(xié)議:ESP驗證算法:SHA1加密算法:DES模式:TunnelIPSec proposal a2安全協(xié)議:ESP驗證算法:MD5加密算法:3DES模式:TunnelIPSec proposal b1安全協(xié)議:AH驗證算法:SHA1模式:TunnelIPSec proposal b3安全協(xié)議:ESP驗證算法:SHA1加密算法:DES模式:TunnelIPSec proposal b5安全協(xié)議:ESP驗證算法:MD5加密算法:AES模式:Tunnel匹配RTARTBIP交換安全提議并協(xié)

10、商參數(shù)IKE為雙方協(xié)商出互相匹配的安全提議,使用其參數(shù)保護(hù)用戶數(shù)據(jù)配置IKE協(xié)商參數(shù)的安全策略創(chuàng)建一條安全策略,并進(jìn)入安全策略視圖配置安全策略引用的ACL配置安全策略所引用的安全提議Router ipsec policy policy-name seq-number isakmp Router-ipsec-policy-manual-map1-10 security acl acl-number Router-ipsec-policy-manual-map1-10 proposal proposal-name& 配置IKE協(xié)商參數(shù)的安全策略(續(xù))在安全策略中引用IKE對等體配置使用此安全策略發(fā)

11、起協(xié)商時使用PFS特性配置安全策略的SA生存周期配置全局的SA生存周期Router-ipsec-policy-manual-map1-10 pfs dh-group1 | dh-group2 | dh-group5 | dh-group14 Router-ipsec-policy-manual-map1-10 sa duration time-based seconds | traffic-based kilobytes Router-ipsec-policy-manual-map1-10 ike-peer peer-name Router ipsec sa global-duration t

12、ime-based seconds | traffic-based kilobytes 在接口上應(yīng)用安全策略在接口上應(yīng)用安全策略IPSec安全策略可以應(yīng)用到串口、以太網(wǎng)口等物理接口上和Tunnel、Virtual Template等邏輯接口上 一個接口只能應(yīng)用一個安全策略組IKE協(xié)商參數(shù)的安全策略可以應(yīng)用到多個接口上手工配置參數(shù)的安全策略只能應(yīng)用到一個接口上Router-Serial1/0 ipsec policy policy-name IPSec信息顯示命令顯示安全策略的信息 顯示安全提議的信息 顯示安全聯(lián)盟的相關(guān)信息 顯示IPSec處理報文的統(tǒng)計信息Router display ipse

13、c proposal proposal-name Router display ipsec sa brief | duration | policy policy-name seq-number | remote ip-address Router display ipsec policy brief | name policy-name seq-number Router display ipsec statistics display ipsec sa命令顯示示例 display ipsec saInterface: Ethernet0/0 path MTU: 1500 IPsec pol

14、icy name: r2 sequence number: 1 mode: isakmp connection id: 3 encapsulation mode: tunnel perfect forward secrecy: None tunnel: local address: 2.2.2.2 remote address: 1.1.1.2 Flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP inbo

15、und ESP SAs spi: 3564837569 (0 xd47b1ac1) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436380/2686 max received sequence-number: 5 anti-replay check enable: Y anti-replay window size: 32 udp encapsulation used for nat traversal: N outbound ESP SAs spi: 801701189

16、(0 x2fc8fd45) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436380/2686 max sent sequence-number: 6 udp encapsulation used for nat traversal: NIPSec調(diào)試和維護(hù)命令I(lǐng)PSec調(diào)試命令清除已經(jīng)建立的安全聯(lián)盟 清除IPSec的報文統(tǒng)計信息 reset ipsec sa parameters dest-address protocol spi | policy policy-name

17、seq-number | remote ip-address reset ipsec statistics debugging ipsec all | error | packet policy policy-name seq-number | parameters ip-address protocol spi-number | sa 配置前準(zhǔn)備配置IPSec隧道配置IKEIPSec隧道配置示例目錄IKE配置前準(zhǔn)備確定IKE交換過程中安全保護(hù)的強(qiáng)度包括身份驗證方法、加密算法、驗證算法、DH組等確定所選驗證方法的相應(yīng)參數(shù)使用預(yù)共享密鑰方法需預(yù)先約定共享密鑰使用RSA簽名方法需預(yù)先約定所屬的PK

18、I域IKE配置任務(wù)配置IKE提議創(chuàng)建IKE提議選擇IKE提議的加密算法選擇IKE提議的驗證方法選擇IKE提議的驗證算法選擇IKE階段1密鑰協(xié)商所使用的DH組配置IKE提議的ISAKMP SA生存周期配置IKE對等體創(chuàng)建IKE對等體配置IKE協(xié)商模式配置預(yù)共享密鑰驗證方法的身份驗證密鑰配置RSA簽名驗證方法的PKI域配置本端及對端安全網(wǎng)關(guān)的IP地址理解IKE提議IKE proposal 10驗證方法:Pre-share驗證算法:SHA加密算法:DESDH組:2IKE proposal 20驗證方法:Pre-share驗證算法:MD5加密算法:3DESDH組:1IKE proposal 10驗證方

19、法:Pre-share驗證算法:MD5加密算法:3DESDH組:1IKE proposal 30驗證方法:Pre-share驗證算法:MD5加密算法:DESDH組:2匹配RTARTBIP交換IKE提議并協(xié)商參數(shù)雙方協(xié)商出互相匹配的IKE提議,用于保護(hù)IKE交換時的通信配置IKE提議創(chuàng)建IKE提議,并進(jìn)入IKE提議視圖 選擇IKE提議所使用的加密算法選擇IKE提議所使用的驗證方法Router-ike-proposal-10 encryption-algorithm 3des-cbc | aes-cbc key-length | des-cbc Router-ike-proposal-10 aut

20、hentication-method pre-share | rsa-signature Router ike proposal proposal-number 配置IKE提議(續(xù))選擇IKE提議所使用的驗證算法選擇IKE階段1密鑰協(xié)商時所使用的DH交換組 配置IKE提議的ISAKMP SA生存周期Router-ike-proposal-10 dh group1 | group2 | group5 | group14 Router-ike-proposal-10 sa duration secondsRouter-ike-proposal-10 authentication-algorithm

21、 md5 | sha 配置IKE對等體創(chuàng)建一個IKE對等體,并進(jìn)入IKE對等體視圖 配置IKE階段1的協(xié)商模式 配置采用預(yù)共享密鑰驗證時所用的密鑰 Router-ike-peer-peer1 ike peer peer-name Router-ike-peer-peer1 pre-shared-key cipher | simple key Router-ike-peer-peer1 exchange-mode aggressive | main 配置IKE對等體(續(xù))配置采用數(shù)字簽名驗證時,證書所屬的PKI域選擇IKE第一階段的協(xié)商過程中使用的ID類型 Router-ike-peer-pee

22、r1 certificate domain domain-name Router id-type ip | name 配置IKE對等體(續(xù))配置本端安全網(wǎng)關(guān)的IP地址配置對端安全網(wǎng)關(guān)的IP地址配置本端安全網(wǎng)關(guān)的名字配置對端安全網(wǎng)關(guān)的名字Router-ike-peer-peer1 remote-address low-ip-address high-ip-address Router ike local-name name Router-ike-peer-peer1 remote-name name Router-ike-peer-peer1 local-address ip-address I

23、KE信息顯示命令顯示IKE對等體配置的參數(shù)顯示當(dāng)前ISAKMP SA的信息顯示每個IKE提議配置的參數(shù)Router display ike peer peer-name Router display ike proposalRouter display ike sa verbose connection-id connection-id | remote-address remote-address IKE調(diào)試和維護(hù)命令I(lǐng)KE調(diào)試命令清除IKE建立的安全隧道Router reset ike sa connection-id debugging ike all | dpd | error | e

24、xchange | message display ike sa命令顯示示例 display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi - 1 202.38.0.2 RD|ST 1 IPSEC 2 202.38.0.2 RD|ST 2 IPSECflag meaningRD-READY ST-STAYALIVE RL-REPLACED FDFADING TO-TIMEOUT display ike sa verbose - connection id: 2 transmitting entity: initiat

25、or - local ip: 4.4.4.4 local id type: IPV4_ADDR local id: 4.4.4.4 remote ip: 4.4.4.5 remote id type: IPV4_ADDR remote id: 4.4.4.5 authentication-method: PRE-SHARED-KEY authentication-algorithm: HASH-SHA1 encryption-algorithm: DES-CBC life duration(sec): 86400 remaining key duration(sec): 86379 excha

26、nge-mode: MAIN diffie-hellman group: GROUP1 nat traversal: NO 配置前準(zhǔn)備配置IPSec隧道配置IKEIPSec隧道配置示例目錄IPSec+IKE預(yù)共享密鑰配置示例RTARTBIPXIPX站點(diǎn)A站點(diǎn)BS0/0S0/0E0/0E0/010.1.2.1/24202.38.160.1/2410.1.1.1/2410.1.2.1/24PCAPCB10.1.1.2/24202.38.160.2/24IPRTA acl number 3001 RTA-acl-adv-3001 rule permit ip source 10.1.1.0 0.0.

27、0.255 destination 10.1.2.0 0.0.0.255RTA-acl-adv-3001 rule deny ip source any destination anyRTA ip route-static 10.1.2.0 255.255.255.0 202.38.160.2 RTA ipsec proposal tran1 RTA-ipsec-proposal-tran1 encapsulation-mode tunnel RTA-ipsec-proposal-tran1 transform esp RTA-ipsec-proposal-tran1 esp encrypti

28、on-algorithm desRTA-ipsec-proposal-tran1 esp authentication-algorithm sha1RTA-ipsec-proposal-tran1 quitRTA ike peer peer1RTA-ike-peer-peer pre-share-key abcdeRTA-ike-peer-peer remote-address 202.38.160.2RTA ipsec policy map1 10 isakmp RTA-ipsec-policy-isakmp-map1-10 proposal tran1 RTA-ipsec-policy-i

29、sakmp-map1-10 security acl 3001RTA-ipsec-policy-isakmp-map1-10 ike-peer peer1RTA-ipsec-policy-isakmp-map1-10 quitRTA interface serial0/0RTA-Serial0/0 ip address 202.38.160.1 255.255.255.0RTA-Serial0/0 ipsec policy map1RTA interface ethernet0/0 RTA-Ethernet0/0 ip address 10.1.1.1 255.255.255.0 IPSec

30、TunnelIPSec+IKE預(yù)共享密鑰配置示例(續(xù))RTARTBIPXIPX站點(diǎn)A站點(diǎn)BS0/0S0/0E0/0E0/010.1.2.1/24202.38.160.1/2410.1.1.1/2410.1.2.1/24PCAPCB10.1.1.2/24202.38.160.2/24IPRTB acl number 3001RTB-acl-adv-3001 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255RTB-acl-adv-3001 rule deny ip source any destinati

31、on anyRTB ip route-static 10.1.1.0 255.255.255.0 202.38.160.1 RTB ipsec proposal tran1 RTB-ipsec-proposal-tran1 encapsulation-mode tunnel RTB-ipsec-proposal-tran1 transform esp RTB-ipsec-proposal-tran1 esp encryption-algorithm desRTB-ipsec-proposal-tran1 esp authentication-algorithm sha1RTB-ipsec-pr

32、oposal-tran1 quitRTB ike peer peer1RTB-ike-peer-peer pre-share-key abcdeRTB-ike-peer-peer remote-address 202.38.160.1RTB ipsec policy map1 10 isakmp RTB-ipsec-policy-isakmp-map1-10 proposal tran1 RTB-ipsec-policy-isakmp-map1-10 security acl 3001RTB-ipsec-policy-isakmp-map1-10 ike-peer peer1RTB-ipsec

33、-policy-isakmp-map1-10 quitRTB interface serial0/0RTB-Serial0/0 ip address 202.38.160.2 255.255.255.0RTB-Serial0/0 ipsec policy map1RTB interface ethernet0/0 RTB-Ethernet0/0 ip address 10.1.2.1 255.255.255.0 IPSec TunnelIPSec+IKE RSA簽名配置示例 RTARTBIPXIPX站點(diǎn)A站點(diǎn)BS0/0S0/0E0/0E0/010.1.2.1/24202.38.160.1/24

34、10.1.1.1/2410.1.2.1/24PCAPCB10.1.1.2/24202.38.160.2/24IPIPSec TunnelRTA pki entity enRTA-pki-entity-en .RTA pki domain 1RTA-pki-domain-1 .RTA public-key local create rsaRTA pki retrieval-certificate ca domain 1RTA pki retrieval-crl domain 1RTA pki request-certificate domain 1RTA acl number 3001 RTA-

35、acl-adv-3001 .RTA ip route-static 10.1.2.0 255.255.255.0 202.38.160.2 RTA ipsec proposal tran1 RTA-ipsec-proposal-tran1 .RTA ike proposal 1RTA-ike-proposal-1 authentication-method rsa-signatureRTA ike peer peer1RTA-ike-peer-peer certificate domain 1RTA ipsec policy map1 10 isakmp RTA-ipsec-policy-is

36、akmp-map1-10 proposal tran1 RTA-ipsec-policy-isakmp-map1-10 security acl 3001RTA-ipsec-policy-isakmp-map1-10 ike-peer peer1RTA interface serial0/0RTA-Serial0/0 ipsec policy map1IKE野蠻模式配置示例RTARTBIPXS0/0S0/0E0/1E0/1192.168.2.1/2410.1.12.1/24192.168.1.1/24通過PPP協(xié)商,由網(wǎng)絡(luò)動態(tài)獲取地址IP總部網(wǎng)絡(luò)分支網(wǎng)絡(luò)192.168.2.0/24192.16

37、8.1.0/24IPSec TunnelRTA ike local-name rtaRTA ike peer rtbRTA-ike-peer-rtb exchange-mode aggressiveRTA-ike-peer-rtb pre-shared-key abc RTA-ike-peer-rtb id-type nameRTA-ike-peer-rtb remote-name rtbRTA-ike-peer-rtb ipsec proposal prop-for-rtbRTA-ipsec-proposal-prop-for-rtb esp authentication-algorithm

38、 sha1RTA-ipsec-proposal-prop-for-rtb esp encryption-algorithm 3desRTA acl number 3000RTA-acl-adv-3000 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255RTA-acl-adv-3000 rule 1 deny ipRTA ipsec policy policy1 10 isakmpRTA-ipsec-policy-isakmp-policy1-10 security acl 3000RT

39、A-ipsec-policy-isakmp-policy1-10 ike-peer rtbRTA-ipsec-policy-isakmp-policy1-10 proposal prop-for-rtbRTA-ipsec-policy-isakmp-policy1-10 interface Ethernet0/1RTA-Ethernet0/1 ip address 192.168.1.1 255.255.255.0RTA-Ethernet0/1 interface Serial0/0RTA-Serial0/0 link-protocol pppRTA-Serial0/0 ip address 10.1.12.1 255.255.255.0RTA-Serial0/0 ipsec policy policy1RTA ip route-static 0.0.0.0 0.0.0

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論