1. Manual static keys (AH encapsulation)
1) Configure routes between the internal networks
#R1
ip route-static 172.16.1.0 24 172.16.14.4
#R4
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1
#R3
ip route-static 172.17.1.0 24 172.16.35.5
#R5
ip route-static 0.0.0.0 0.0.0.0 172.16.35.3
2) Configure the egress (default) routes
#R1
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#R3
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
3) Define the interesting traffic; the IPsec policy matches it into the tunnel
#R1
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps1
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform ah
#Authentication algorithm
ah authentication-algorithm sha1
display ipsec proposal
IPSec proposal name: pps1
Encapsulation mode: Tunnel
Transform : ah-new
AH protocol : Authentication SHA1-HMAC-96
(3) Create the security policy
ipsec policy pl1 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps1
#Tunnel source and destination addresses
tunnel local 12.1.1.1
tunnel remote 23.1.1.3
#Define the SA SPIs
sa spi outbound ah 12345
sa spi inbound ah 54321
#Define the authentication keys
sa string-key outbound ah simple hw123456
sa string-key inbound ah simple hw654321
#R3
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps1
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform ah
#Authentication algorithm
ah authentication-algorithm sha1
display ipsec proposal
IPSec proposal name: pps1
Encapsulation mode: Tunnel
Transform : ah-new
AH protocol : Authentication SHA1-HMAC-96
(3) Create the security policy
ipsec policy pl1 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps1
#Tunnel source and destination addresses
tunnel local 23.1.1.3
tunnel remote 12.1.1.1
#Define the SA SPIs
sa spi outbound ah 54321
sa spi inbound ah 12345
#Define the authentication keys
sa string-key outbound ah simple hw654321
sa string-key inbound ah simple hw123456
4) Apply the policy on the egress interface
#R1
interface GigabitEthernet0/0/0
ipsec policy pl1
#R3
interface GigabitEthernet0/0/0
ipsec policy pl1
display ipsec policy
IPSec policy group: "pl1"
Using interface: GigabitEthernet0/0/0
Sequence number: 10
Security data flow: 3001
Tunnel local address: 23.1.1.3
Tunnel remote address: 12.1.1.1
Qos pre-classify: Disable
Proposal name:pps1
Inbound AH setting:
AH SPI: 12345 (0x3039)
AH string-key: hw123456
AH authentication hex key:
Inbound ESP setting:
ESP SPI:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 54321 (0xd431)
AH string-key: hw654321
AH authentication hex key:
Outbound ESP setting:
ESP SPI:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
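As an added illustration (not part of the original lab notes) of what the `SHA1-HMAC-96` line in the proposal output and the mirrored SPI/key pairs mean: the Python below builds a tunnel-mode AH header with R1's outbound SPI 12345 and key, computes the 96-bit truncated HMAC-SHA1 ICV, and verifies it with R3's inbound SA. The outer-header field values, sequence number and inner packet are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

# Sample values constructed from the R1 -> R3 AH policy above (lab keys, not production keys):
# R1 outbound SPI 12345 / key hw123456 must equal R3 inbound SPI 12345 / key hw123456.
R1_OUT_SPI, R1_OUT_KEY = 12345, b"hw123456"
R3_IN_SPI, R3_IN_KEY = 12345, b"hw123456"

def outer_ip_header_for_icv(src, dst, total_len):
    """Tunnel-mode outer IPv4 header as fed into the ICV: TOS, flags/offset, TTL and checksum
    are mutable and therefore zeroed (RFC 4302 3.3.3.1); protocol 51 = AH, id 0 is constructed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 0, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_fixed(spi, seq, next_header=4):
    """AH fixed part: Next Header (4 = IP-in-IP in tunnel mode), Payload Len (24-byte AH in
    32-bit words minus 2 = 4), Reserved, SPI, Sequence Number."""
    return struct.pack("!BBHII", next_header, 24 // 4 - 2, 0, spi, seq)

def hmac_sha1_96(key, data):
    """'SHA1-HMAC-96' from 'display ipsec proposal': full HMAC-SHA1, truncated to 12 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_protect(key, spi, seq, inner_packet):
    """Sender: outer IP + AH + inner packet; ICV computed with the ICV field zeroed."""
    ip = outer_ip_header_for_icv("12.1.1.1", "23.1.1.3", 20 + 24 + len(inner_packet))
    ah = ah_fixed(spi, seq)
    icv = hmac_sha1_96(key, ip + ah + b"\x00" * 12 + inner_packet)
    return ip + ah + icv + inner_packet

def ah_verify(key, expected_spi, packet):
    """Receiver: inbound SA is selected by SPI, ICV recomputed with the same zeroing and
    compared in constant time. Assumes mutable outer fields are already zeroed by the caller."""
    ip, ah, icv, inner = packet[:20], packet[20:32], packet[32:44], packet[44:]
    if struct.unpack("!I", ah[4:8])[0] != expected_spi:
        return False
    return hmac.compare_digest(icv, hmac_sha1_96(key, ip + ah + b"\x00" * 12 + inner))

# Constructed inner datagram stand-in (in the lab this is the 172.16.x.x -> 172.17.x.x packet).
INNER = b"\x45\x00" + b"\x00" * 18 + b"inner-payload"

def demo():
    pkt = ah_protect(R1_OUT_KEY, R1_OUT_SPI, 1, INNER)
    accepted = ah_verify(R3_IN_KEY, R3_IN_SPI, pkt)      # mirrored inbound SA on R3
    rejected = ah_verify(b"hw654321", R3_IN_SPI, pkt)    # R3's outbound key used inbound
    return accepted, rejected
```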
2. Manual static keys (ESP encapsulation)
1) Configure routes between the internal networks
#R1
ip route-static 172.16.1.0 24 172.16.14.4
#R4
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1
#R3
ip route-static 172.17.1.0 24 172.16.35.5
#R5
ip route-static 0.0.0.0 0.0.0.0 172.16.35.3
2) Configure the egress (default) routes
#R1
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#R3
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
3) Define the interesting traffic; the IPsec policy matches it into the tunnel
#R1
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps2
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform esp
#Authentication algorithm
esp authentication-algorithm sha1
#Encryption algorithm
esp encryption-algorithm aes-128
(3) Create the security policy
ipsec policy pl2 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps2
#Tunnel source and destination addresses
tunnel local 12.1.1.1
tunnel remote 23.1.1.3
#Define the SA SPIs
sa spi outbound esp 12345
sa spi inbound esp 54321
#Define the authentication keys
sa string-key outbound esp simple hw123456
sa string-key inbound esp simple hw654321
#R3
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps2
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform esp
#Authentication algorithm
esp authentication-algorithm sha1
#Encryption algorithm
esp encryption-algorithm aes-128
(3) Create the security policy
ipsec policy pl2 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps2
#Tunnel source and destination addresses
tunnel local 23.1.1.3
tunnel remote 12.1.1.1
#Define the SA SPIs
sa spi outbound esp 54321
sa spi inbound esp 12345
#Define the authentication keys
sa string-key outbound esp simple hw654321
sa string-key inbound esp simple hw123456
4) Apply the policy on the egress interface
#R1
interface GigabitEthernet0/0/0
ipsec policy pl2
#R3
interface GigabitEthernet0/0/0
ipsec policy pl2
3. Manual static keys (AH+ESP encapsulation)
1) Configure routes between the internal networks
#R1
ip route-static 172.16.1.0 24 172.16.14.4
#R4
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1
#R3
ip route-static 172.17.1.0 24 172.16.35.5
#R5
ip route-static 0.0.0.0 0.0.0.0 172.16.35.3
2) Configure the egress (default) routes
#R1
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#R3
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
3) Define the interesting traffic; the IPsec policy matches it into the tunnel
#R1
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps3
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform ah-esp
#Authentication algorithms
ah authentication-algorithm sha1
esp authentication-algorithm sha1
#Encryption algorithm
esp encryption-algorithm aes-128
(3) Create the security policy
ipsec policy pl3 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps3
#Tunnel source and destination addresses
tunnel local 12.1.1.1
tunnel remote 23.1.1.3
#Define the SA SPIs
sa spi outbound ah 12345
sa spi inbound ah 54321
sa spi outbound esp 12345
sa spi inbound esp 54321
#Define the authentication keys
sa string-key outbound ah simple hw123456
sa string-key inbound ah simple hw654321
sa string-key outbound esp simple hw123456
sa string-key inbound esp simple hw654321
#R3
(1) Create the interesting-traffic ACL
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
(2) Create the security proposal (encapsulation mode, security protocol, encryption algorithm, authentication algorithm)
#Security proposal
ipsec proposal pps3
#Encapsulation mode
encapsulation-mode tunnel
#Security protocol
transform ah-esp
#Authentication algorithms
ah authentication-algorithm sha1
esp authentication-algorithm sha1
#Encryption algorithm
esp encryption-algorithm aes-128
(3) Create the security policy
ipsec policy pl3 10 manual
#Reference the interesting-traffic ACL
security acl 3001
#Reference the security proposal
proposal pps3
#Tunnel source and destination addresses
tunnel local 23.1.1.3
tunnel remote 12.1.1.1
#Define the SA SPIs
sa spi outbound ah 54321
sa spi inbound ah 12345
sa spi outbound esp 54321
sa spi inbound esp 12345
#Define the authentication keys
sa string-key outbound ah simple hw654321
sa string-key inbound ah simple hw123456
sa string-key outbound esp simple hw654321
sa string-key inbound esp simple hw123456
4) Apply the policy on the egress interface
#R1
interface GigabitEthernet0/0/0
ipsec policy pl3
#R3
interface GigabitEthernet0/0/0
ipsec policy pl3
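Because manual keying has no IKE to negotiate SAs or report a mismatch, the check worth running before bringing the tunnel up is that each router's outbound SPI and key equals the peer's inbound SPI and key for every protocol. The Python below (an added example, not from the original notes) parses the `sa` lines of the pl3 policies above into per-router SAs and reports any pair that is not mirrored; the `#R1`/`#R3` markers are the page's own, and the same check applies to the AH-only and ESP-only policies.

```python
import re

# Constructed from the pl3 (AH+ESP) policies above; lab values, not production keys.
CONFIG = """
#R1
sa spi outbound ah 12345
sa spi inbound ah 54321
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound ah simple hw123456
sa string-key inbound ah simple hw654321
sa string-key outbound esp simple hw123456
sa string-key inbound esp simple hw654321
#R3
sa spi outbound ah 54321
sa spi inbound ah 12345
sa spi outbound esp 54321
sa spi inbound esp 12345
sa string-key outbound ah simple hw654321
sa string-key inbound ah simple hw123456
sa string-key outbound esp simple hw654321
sa string-key inbound esp simple hw123456
"""
SA_LINE = re.compile(r"^sa (spi|string-key) (inbound|outbound) (ah|esp) (?:simple )?(\S+)$")

def parse_manual_sas(text):
    """{router: {(direction, proto): {'spi': int, 'key': str}}} from '#Rn' sections."""
    routers, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("#"):
            current = routers.setdefault(line[1:], {})
            continue
        m = SA_LINE.match(line.strip())
        if m and current is not None:
            kind, direction, proto, value = m.groups()
            sa = current.setdefault((direction, proto), {})
            sa["spi" if kind == "spi" else "key"] = int(value) if kind == "spi" else value
    return routers

def check_mirroring(local, peer):
    """Local outbound SPI/key must equal the peer's inbound SPI/key per protocol (and vice
    versa); returns the list of mismatches, empty when the manual SAs are consistent."""
    opposite = {"outbound": "inbound", "inbound": "outbound"}
    problems = []
    for (direction, proto), sa in local.items():
        mirror = peer.get((opposite[direction], proto), {})
        for field in ("spi", "key"):
            if sa.get(field) != mirror.get(field):
                problems.append(f"{direction} {proto} {field}: {sa.get(field)!r} vs peer {mirror.get(field)!r}")
    return problems
```

Run `check_mirroring` in both directions (R1 against R3 and R3 against R1) so that an SA missing on either side is reported.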