Huawei routers: IPsec (manual-keyed ESP tunnel)
2022-06-24 07:07:00 【兔子王cool】
Lab topology
R1: configure the IP addresses according to the topology (omitted here).
R2 configuration
[R2]ip route-static 0.0.0.0 0 10.10.10.2 # default route so that the two public IPs can reach each other
[R2]acl 3000
[R2-acl-adv-3000]rule permit ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255 # the "interesting traffic" that the tunnel will protect
Create the IPsec proposal
[R2]ipsec proposal pokes
[R2-ipsec-proposal-pokes]q
[R2]dis ipsec proposal name pokes # check what the proposal contains
IPSec proposal name: pokes
Encapsulation mode: Tunnel # encapsulation mode
Transform : esp-new # security protocol (ESP)
ESP protocol : Authentication MD5-HMAC-96 # authentication algorithm
Encryption DES # encryption algorithm
Nothing was set under the proposal, so these values are the defaults. Single DES (56-bit key) and HMAC-MD5 are obsolete; they are acceptable for a lab, but for anything that matters set a current encryption and authentication algorithm (AES, SHA-2) in the proposal before referencing it from a policy.
Create the security policy
[R2]ipsec policy zhpr 10 manual # create manual policy zhpr, sequence number 10
[R2-ipsec-policy-manual-zhpr-10]security acl 3000 # reference the ACL
[R2-ipsec-policy-manual-zhpr-10]proposal pokes # reference the proposal
[R2-ipsec-policy-manual-zhpr-10]tunnel local 10.10.10.1 # tunnel source address
[R2-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.20.1 # tunnel destination address
[R2-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456 # SPI of the inbound SA
[R2-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567 # key of the inbound SA in string form; "simple" keeps it in cleartext in the configuration
[R2-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R2-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567
Apply the policy on the interface
[R2]interface g0/0/0 # public-facing interface
[R2-GigabitEthernet0/0/0]ipsec policy zhpr
[R2]dis ipsec policy brief # view the policy summary
Number of policies group : 1
Number of policies : 1
Policy name  Mode    ACL   Peer name  Local address  Remote address
--------------------------------------------------------------------------------
zhpr-10      manual  3000             10.10.10.1     10.10.20.1
[R2]
Notes:
sa spi inbound esp 123456 must equal the peer's outbound SPI, and sa string-key inbound esp simple 234567 must equal the peer's outbound key; the same holds the other way round (the local outbound SA is the peer's inbound SA). With manual keying there is no negotiation, so any mismatch simply means one direction silently drops traffic. In this lab the same SPI and key are used in both directions, which makes the match trivial; it is still worth verifying pairwise rather than assuming it.
A six-digit key typed with simple is both guessable and readable by anyone who can view the configuration; outside a lab use long random keys, store them with cipher instead of simple, and prefer IKE-negotiated SAs over manual ones so that keys are rotated.
Tip: configure one end, then copy and paste the block to the other end, swapping the local and remote addresses.
R3 configuration
[R3]ip route-static 0.0.0.0 0 10.10.20.2
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 192.168.12.0 0.0.0.255 destination 192.168.11.0 0.0.0.255 # mirror image of R2's ACL
[R3]ipsec proposal pokes # the proposal must exist on R3 too before the policy can reference it; the original transcript skipped this step
[R3-ipsec-proposal-pokes]q
[R3]ipsec policy zhpr 10 manual
[R3-ipsec-policy-manual-zhpr-10]security acl 3000
[R3-ipsec-policy-manual-zhpr-10]proposal pokes
[R3-ipsec-policy-manual-zhpr-10]tunnel local 10.10.20.1
[R3-ipsec-policy-manual-zhpr-10]tunnel remote 10.10.10.1
[R3-ipsec-policy-manual-zhpr-10]sa spi inbound esp 123456
[R3-ipsec-policy-manual-zhpr-10]sa string-key inbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10]sa spi outbound esp 123456
[R3-ipsec-policy-manual-zhpr-10]sa string-key outbound esp simple 234567
[R3-ipsec-policy-manual-zhpr-10]q
[R3]interface g0/0/0
[R3-GigabitEthernet0/0/0]ipsec policy zhpr
[R3]dis ipsec policy brief
Number of policies group : 1
Number of policies : 1
Policy name  Mode    ACL   Peer name  Local address  Remote address
--------------------------------------------------------------------------------
zhpr-10      manual  3000             10.10.20.1     10.10.10.1
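The rules stated above (inbound SPI and key must equal the peer's outbound ones, tunnel local/remote swapped, ACLs mirrored, and the weak DES/MD5 defaults of an empty proposal) can be checked mechanically before anything is pasted into the second router. The script below is an added example and not code from this page's author: it parses the VRP commands as typed on this page (prompts such as [R2-acl-adv-3000] are stripped so a transcript can be pasted as-is), cross-checks the two sides and reports mismatches and weak settings. The R2/R3 configurations are constructed inline from the page's transcripts, with the `ipsec proposal pokes` step the R3 transcript omits added back; the `esp encryption-algorithm` / `esp authentication-algorithm` command forms the parser recognises are assumptions, as is the DES/MD5 default taken from the page's display output.

```python
"""Cross-check two manually keyed Huawei IPsec policies. Added example, not the page
author's code: checks that each inbound SPI/key equals the peer's outbound SPI/key,
that tunnel local/remote are swapped and the ACLs mirrored, and flags DES/MD5/`simple`."""
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips a VRP prompt such as "[R2-acl-adv-3000]"

def parse_config(name, text):
    """Parse commands as typed on the page into {"acls", "proposals", "policy"}."""
    dev = {"name": name, "acls": {}, "proposals": {}, "policy": {"spi": {}, "key": {}}}
    ctx = None  # ("acl", number) | ("proposal", name) | ("policy",) | None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] in ("q", "quit", "return", "interface"):
            ctx = None
        elif words[0] == "acl":
            ctx = ("acl", words[1])
            dev["acls"].setdefault(words[1], [])
        elif words[:2] == ["ipsec", "proposal"]:
            ctx = ("proposal", words[2])
            # The page's `display ipsec proposal` shows DES / MD5-HMAC-96 as the defaults.
            dev["proposals"].setdefault(words[2], {"enc": "des", "auth": "md5"})
        elif words[:2] == ["ipsec", "policy"] and "manual" in words:
            ctx = ("policy",)
        elif ctx and ctx[0] == "acl" and words[0] == "rule" and "destination" in words:
            i, j = words.index("source"), words.index("destination")
            dev["acls"][ctx[1]].append((" ".join(words[i + 1:i + 3]), " ".join(words[j + 1:j + 3])))
        elif ctx and ctx[0] == "proposal" and words[0] == "esp":
            # Assumed forms: `esp encryption-algorithm X` / `esp authentication-algorithm X`.
            dev["proposals"][ctx[1]]["enc" if words[1].startswith("enc") else "auth"] = words[2]
        elif ctx == ("policy",):
            p = dev["policy"]
            if words[:2] == ["security", "acl"]:
                p["acl"] = words[2]
            elif words[0] == "proposal":
                p["proposal"] = words[1]
            elif words[0] == "tunnel":               # tunnel local|remote ADDR
                p[words[1]] = words[2]
            elif words[:2] == ["sa", "spi"]:         # sa spi inbound|outbound esp N
                p["spi"][words[2]] = int(words[4])
            elif words[:2] == ["sa", "string-key"]:  # sa string-key DIR esp simple|cipher KEY
                p["key"][words[2]], p["key_form"] = words[5], words[4]
    return dev

def check_pair(a, b):
    """Return (errors, warnings): errors break the tunnel, warnings are key/algorithm hygiene."""
    errors, warnings = [], []
    for dev, peer in ((a, b), (b, a)):
        p, q, n, m = dev["policy"], peer["policy"], dev["name"], peer["name"]
        if p.get("local") != q.get("remote"):
            errors.append(f"{n} tunnel local {p.get('local')} != {m} tunnel remote {q.get('remote')}")
        # The page's rule: my inbound SA must be the peer's outbound SA (checked from both ends).
        if p["spi"].get("inbound") != q["spi"].get("outbound"):
            errors.append(f"{n} inbound SPI {p['spi'].get('inbound')} != {m} outbound SPI {q['spi'].get('outbound')}")
        if p["key"].get("inbound") != q["key"].get("outbound"):
            errors.append(f"{n} inbound key != {m} outbound key")
        prop = dev["proposals"].get(p.get("proposal"))
        if prop is None:
            errors.append(f"{n}: proposal {p.get('proposal')!r} is referenced but never created")
        else:
            if prop["enc"] in WEAK_ENCRYPTION:
                warnings.append(f"{n}: weak encryption algorithm {prop['enc']}")
            if prop["auth"] in WEAK_AUTH:
                warnings.append(f"{n}: weak authentication algorithm {prop['auth']}")
        if p.get("key_form") == "simple":
            warnings.append(f"{n}: SA key stored with 'simple' (cleartext in the configuration)")
        # The peer's ACL must be the mirror image: its (src, dst) pairs are my (dst, src) pairs.
        mirrored = {(d, s) for s, d in peer["acls"].get(q.get("acl"), [])}
        if set(dev["acls"].get(p.get("acl"), [])) != mirrored:
            errors.append(f"{n} ACL {p.get('acl')} does not mirror {m} ACL {q.get('acl')}")
    return errors, warnings

def check_texts(name_a, text_a, name_b, text_b):
    return check_pair(parse_config(name_a, text_a), parse_config(name_b, text_b))

# Constructed from the page's transcripts; R3 gets the `ipsec proposal pokes` step its transcript omits.
R2_CONFIG = """acl 3000
rule permit ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255
ipsec proposal pokes
q
ipsec policy zhpr 10 manual
security acl 3000
proposal pokes
tunnel local 10.10.10.1
tunnel remote 10.10.20.1
sa spi inbound esp 123456
sa string-key inbound esp simple 234567
sa spi outbound esp 123456
sa string-key outbound esp simple 234567
q
"""
R3_CONFIG = (R2_CONFIG.replace("11.0 0.0.0.255 destination 192.168.12.0", "12.0 0.0.0.255 destination 192.168.11.0")
             .replace("local 10.10.10.1", "local 10.10.20.1").replace("remote 10.10.20.1", "remote 10.10.10.1"))
R3_NO_PROPOSAL = R3_CONFIG.replace("ipsec proposal pokes\nq\n", "")  # literally what the page shows for R3
R3_BAD_SPI = R3_CONFIG.replace("sa spi inbound esp 123456", "sa spi inbound esp 123457")  # one-digit typo
```

Running `check_texts("R2", R2_CONFIG, "R3", R3_CONFIG)` returns no errors and six warnings (DES, MD5 and `simple` on each side); `R3_BAD_SPI` produces a single error naming the R3 inbound SPI that no longer matches R2's outbound SPI, and `R3_NO_PROPOSAL` a single error that the proposal is referenced but never created. The check is deliberately one-directional per side (inbound against the peer's outbound) and run from both ends, which is exactly the pairing the Notes above describe.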
Test results
Ping from the PC behind R2 to the PC behind R3 and back. The first echo request in each run times out, which is the usual ARP-resolution delay rather than an IPsec fault. A successful ping only proves reachability, so also confirm that the traffic actually went through the tunnel rather than in the clear, for example by checking that the ESP counters shown by display ipsec statistics on R2 and R3 increase with each ping.
PC>ping 192.168.12.1
Ping 192.168.12.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.12.1: bytes=32 seq=2 ttl=127 time=15 ms
From 192.168.12.1: bytes=32 seq=3 ttl=127 time=16 ms
From 192.168.12.1: bytes=32 seq=4 ttl=127 time=31 ms
From 192.168.12.1: bytes=32 seq=5 ttl=127 time=16 ms
--- 192.168.12.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/19/31 ms
PC>
PC>ping 192.168.11.1
Ping 192.168.11.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.11.1: bytes=32 seq=2 ttl=127 time=16 ms
From 192.168.11.1: bytes=32 seq=3 ttl=127 time=15 ms
From 192.168.11.1: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.11.1: bytes=32 seq=5 ttl=127 time=31 ms
--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/23/32 ms
PC>
In practice, production IPsec is almost always implemented on purchased dedicated hardware, which is far more capable; doing it on a router is a bit low-end.