目錄

網(wǎng)絡(luò)安全之IPSEC路由基本配置

IPSEC配置的前提分析

協(xié)議分析

傳輸模式分析?編輯

IPSEC路由中的配置

圖譜圖

配置公網(wǎng)可達(dá)

R1配置IKE?SA的安全提議

R1配置?IKE SA?的身份認(rèn)證信息

R3配置IKE?SA的安全提議

R3配置?IKE SA?的身份認(rèn)證信息

R1配置IPSEC的安全提議

R1配置感興趣流

R1配置安全策略集

R3配置IPSEC的安全提議

R3配置感興趣流

R3配置安全策略集

在接口調(diào)安全策略集

啟動

測試

網(wǎng)絡(luò)安全之IPSEC路由基本配置

IPSEC配置的前提分析

協(xié)議分析

傳輸模式分析

IPSEC路由中的配置

圖譜圖

注意：

? ? ? ? 此場景為私網(wǎng)之間配置

配置公網(wǎng)可達(dá)

R1

ISP

R3

?配置靜態(tài)路由使得公網(wǎng)可達(dá)

[R1]ip route-static 192.168.2.0 24 100.1.1.2
[R1]ip route-static 200.1.1.0 24 100.1.1.2

[R3]ip route-static 100.1.1.0 24 200.1.1.1
[R3]ip route-static 192.168.1.0 24 200.1.1.1

R1配置IKE?SA的安全提議

[R1]ike proposal 1 --- 選擇安全提議編號
[R1-ike-proposal-1]encryption-algorithm ?
  3des-cbc     168 bits 3DES-CBC 
  aes-cbc-128  Use AES-128
  aes-cbc-192  Use AES-192
  aes-cbc-256  Use AES-256
  des-cbc      56 bits DES-CBC --- 比較弱，一般不選
[R1-ike-proposal-1]encryption-algorithm 3des-cbc 

[R1-ike-proposal-1]authentication-algorithm ? --- 認(rèn)證加密算法
  aes-xcbc-mac-96  Select aes-xcbc-mac-96 as the hash algorithm
  md5              Select MD5 as the hash algorithm
  sha1             Select SHA as the hash algorithm
  sm3              Select sm3 as the hash algorithm
[R1-ike-proposal-1]authentication-algorithm sha1 --- 選擇哈希算法

[R1-ike-proposal-1]authentication-method ? --- 認(rèn)證模式
  digital-envelope  Select digital envelope  key as the authentication method
  pre-share         Select pre-shared key as the authentication method
  rsa-signature     Select rsa-signature key as the authentication method
[R1-ike-proposal-1]authentication-method pre-share  --- 域共享

[R1-ike-proposal-1]dh ? --- 選擇DH算法
  group1   768 bits Diffie-Hellman group
  group14  2048 bits Diffie-Hellman group
  group2   1024 bits Diffie-Hellman group
  group5   1536 bits Diffie-Hellman group
[R1-ike-proposal-1]dh group5 --- 一般選2以上強(qiáng)度，1太低

[R1-ike-proposal-1]sa duration ? --- 安全聯(lián)盟周期
  INTEGER<60-604800>  Value of time(in seconds), default is 86400
[R1-ike-proposal-1]sa duration 3600

R1配置?IKE SA?的身份認(rèn)證信息

[R1]ike peer 1 ? --- 選擇ike版本
  v1    Only V1 SA's can be created
  v2    Only V2 SA's can be created
  <cr>  Please press ENTER to execute command 
[R1]ike peer 1 v1 

[R1-ike-peer-1]exchange-mode ? --- 選擇模式
  aggressive  Aggressive mode --- 野蠻
  main        Main mode --- 主模式
[R1-ike-peer-1]exchange-mode main --- 主模式

[R1-ike-peer-1]pre-shared-key ? --- 預(yù)共享密鑰
  cipher  Pre-shared-key with cipher text --- 本地不加密
  simple  Pre-shared-key with plain text --- 本地加密
[R1-ike-peer-1]pre-shared-key cipher 123

[R1-ike-peer-1]ike-proposal 1 --- 調(diào)用安全提議編號

[R1-ike-peer-1]remote-address 200.1.1.2 --- 對方IP

野蠻模式配置

ike peer yyy v1
exchange-mode aggressive //設(shè)置為野蠻模式
pre-shared-key simple 999
ike-proposal 1
local-id-type name //定義本地ID為name
remote-name kkk //遠(yuǎn)程ID是 kkk
remote-address 200.1.1.1

R3配置IKE?SA的安全提議

[R3]ike proposal 1
[R3-ike-proposal-1]encryption-algorithm 3des-cbc 
[R3-ike-proposal-1]dh group5
[R3-ike-proposal-1]authentication-algorithm sha1
[R3-ike-proposal-1]sa duration 3600
[R3-ike-proposal-1]q

R3配置?IKE SA?的身份認(rèn)證信息

[R3]ike peer 1 v1
[R3-ike-peer-1]exchange-mode main 
[R3-ike-peer-1]pre-shared-key cipher 123
[R3-ike-peer-1]ike-proposal 1
[R3-ike-peer-1]remote-address 100.1.1.1
[R3-ike-peer-1]

R1配置IPSEC的安全提議

[R1]ipsec proposal 1  --- 選擇安全協(xié)議號
[R1-ipsec-proposal-1]

[R1-ipsec-proposal-1]transform ? --- 選擇封裝協(xié)議
  ah      AH protocol defined in RFC2402
  ah-esp  ESP protocol first, then AH protocol
  esp     ESP protocol defined in RFC2406
[R1-ipsec-proposal-1]transform esp  --- 選擇ESP協(xié)議

[R1-ipsec-proposal-1]esp authentication-algorithm ? --- 選擇認(rèn)證算法
  md5       Use HMAC-MD5-96 algorithm
  sha1      Use HMAC-SHA1-96 algorithm
  sha2-256  Use SHA2-256 algorithm
  sha2-384  Use SHA2-384 algorithm
  sha2-512  Use SHA2-512 algorithm
  sm3       Use SM3 algorithm
[R1-ipsec-proposal-1]esp authentication-algorithm sha2-512

[R1-ipsec-proposal-1]esp encryption-algorithm ? --- 加密算法
  3des     Use 3DES
  aes-128  Use AES-128
  aes-192  Use AES-192
  aes-256  Use AES-256
  des      Use DES
  sm1      Use SM1
  <cr>     Please press ENTER to execute command 	
[R1-ipsec-proposal-1]esp encryption-algorithm aes-128

[R1-ipsec-proposal-1]encapsulation-mode tunnel  --- 選擇隧道模式 

?[R1]display ipsec proposal ---?查詢配置的IPSEC

R1配置感興趣流

[R1]acl 3000
[R1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.1
68.2.0 0.0.0.255

R1配置安全策略集

[R1]ipsec policy k 1 ? --- 選擇協(xié)議
  isakmp  Indicates use IKE to establish the IPSec SA
  manual  Indicates use manual to establish the IPSec SA
  <cr>    Please press ENTER to execute command 
[R1]ipsec policy k 1 isakmp  --- 定義安全策略編號與協(xié)議

[R1-ipsec-policy-isakmp-k-1]proposal 1 --- 調(diào)用IPSEC SA 提議

[R1-ipsec-policy-isakmp-k-1]ike-peer 1 --- 調(diào)用身份認(rèn)證信息

[R1-ipsec-policy-isakmp-k-1]security acl 3000 --- 調(diào)用感興趣流

R3配置IPSEC的安全提議

[R3]ipsec proposal 1

[R3-ipsec-proposal-1]transform esp 

[R3-ipsec-proposal-1]esp authentication-algorithm sha2-512	

[R3-ipsec-proposal-1]esp encryption-algorithm aes-128

[R3-ipsec-proposal-1]encapsulation-mode tunnel

R3配置感興趣流

[R3]acl 3000

[R3-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.1
68.1.0 0.0.0.255

R3配置安全策略集

[R3]ipsec  policy k 1 isakmp 

[R3-ipsec-policy-isakmp-k-1]proposal 1

[R3-ipsec-policy-isakmp-k-1]ike-peer 1

[R3-ipsec-policy-isakmp-k-1]security acl 3000

在接口調(diào)安全策略集

[R1-GigabitEthernet0/0/1]ipsec policy k

[R3-GigabitEthernet0/0/0]ipsec policy k

啟動

測試

文章來源地址http://www.zghlxwxcb.cn/news/detail-487263.html

到了這里，關(guān)于網(wǎng)絡(luò)安全之IPSEC路由基本配置的文章就介紹完了。如果您還想了解更多內(nèi)容，請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！