IPSec Protocol
IPSec is the collective name for a family of network security protocols: the authentication protocol AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange), and a set of algorithms used for network authentication and encryption. IPSec is a network-layer security mechanism: by protecting packets at the network layer, it lets upper-layer applications benefit automatically from that protection even when they implement no security of their own.
The AH protocol (IP protocol number 51) provides data origin authentication, data integrity checking and anti-replay protection.
The ESP protocol (IP protocol number 50) provides encryption, data origin authentication, data integrity checking and anti-replay protection.
IPsec has two working modes: tunnel mode and transport mode.
Encapsulation formats (ESP-T denotes the ESP trailer):
Original IP packet: IP | data

Protocol   | transport              | tunnel
-----------|------------------------|-------------------------
ah-new     | IP AH data             | IP AH IP data
esp-new    | IP ESP data ESP-T      | IP ESP IP data ESP-T
ah-esp-new | IP AH ESP data ESP-T   | IP AH ESP IP data ESP-T
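To make the table concrete, the following added Python example (not from the original page) lays out ESP in transport and tunnel mode as bytes: the ESP header, the wrapped payload, the padding and the ESP-T trailer that carries the next-header value. The cipher and the ICV are left out on purpose, because they depend on the proposal rather than on the mode; the UDP datagram, host addresses and tunnel endpoints are constructed from the subnets and gateway addresses used in the case below.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50      # IP protocol number of ESP (stated above)
IPPROTO_IPIP = 4    # ESP next-header value meaning "an inner IPv4 packet follows" (tunnel mode)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                                proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", hdr, 10, ~s & 0xFFFF)
    return bytes(hdr)

def esp_encapsulate(ip_packet: bytes, spi: int, seq: int, mode: str,
                    tunnel_src: str = None, tunnel_dst: str = None, block: int = 8) -> bytes:
    """Lay out [IP][ESP][payload][ESP-T] for one mode. Cipher and ICV are left out on purpose."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if mode == "transport":
        payload = ip_packet[ihl:]                        # only the layer-4 data is wrapped
        next_header = ip_packet[9]                       # original protocol moves into ESP-T
        src, dst = (str(IPv4Address(ip_packet[i:i + 4])) for i in (12, 16))  # endpoints stay visible
    elif mode == "tunnel":
        payload = ip_packet                              # whole original packet, IP header included
        next_header = IPPROTO_IPIP
        src, dst = tunnel_src, tunnel_dst                # new outer header with the gateway addresses
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad_len = (-(len(payload) + 2)) % block              # pad so payload+pad+2 is a cipher-block multiple
    padding = bytes(range(1, pad_len + 1))               # RFC 4303 default padding bytes 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body

def esp_decapsulate(packet: bytes) -> tuple:
    """Receiver side: read SPI/seq from the ESP header, strip padding using the trailer."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    pad_len, next_header = packet[-2], packet[-1]
    payload = packet[ihl + 8:len(packet) - 2 - pad_len]
    mode = "tunnel" if next_header == IPPROTO_IPIP else "transport"
    return spi, seq, mode, next_header, payload

# Constructed sample: a 12-byte UDP datagram from the headquarters LAN to the branch-1 LAN
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd"
SAMPLE_PKT = ipv4_header("192.168.1.10", "192.168.2.10", 17, len(SAMPLE_UDP)) + SAMPLE_UDP
```

In tunnel mode the outer header carries the two gateways (61.130.130.1 and 61.130.132.1 in the case below) and the original packet, hosts included, is hidden inside; in transport mode the original hosts stay visible and only the layer-4 data is wrapped.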
An encryption card performs the encryption/decryption operations in hardware, removing the performance cost of IPSec processing from the router's main VRP software and improving router throughput.
The following is a worked case:
Scenario: the headquarters and its branch offices are at different locations; they want to access each other's resources without letting other network users access them.
Requirement analysis: this can be achieved with IPsec.
Topology diagram:
Lab equipment:
Two routers, one layer-3 switch and two PCs. Configuration:
R1
[r1]dis cu
acl 3000 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule normal deny ip source any destination any
!
acl 3001 match-order auto
rule normal permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran2
!
ipsec proposal tran1
!
ipsec policy policy1 10 manual
security acl 3000
proposal tran1
tunnel local 61.130.130.1
tunnel remote 61.130.132.1
sa inbound esp spi 54321
sa inbound esp string-key gfedcba
sa outbound esp spi 12345
sa outbound esp string-key abcdefg
!
ipsec policy policy2 10 manual
security acl 3001
proposal tran2
tunnel local 61.130.131.1
tunnel remote 61.130.133.1
sa inbound esp spi 54321
sa inbound esp string-key gfedcba
sa outbound esp spi 12345
sa outbound esp string-key abcdefg
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 61.130.130.1 255.255.255.252
ipsec policy policy1
!
interface Ethernet1
ip address 61.130.131.1 255.255.255.252
ipsec policy policy2
!
interface LoopBack1
ip address 192.168.1.254 255.255.255.0
!
quit
ip route-static 61.130.132.0 255.255.255.252 61.130.130.2 preference 60
ip route-static 61.130.133.0 255.255.255.252 61.130.131.2 preference 60
ip route-static 192.168.2.0 255.255.255.0 61.130.132.1 preference 60
ip route-static 192.168.3.0 255.255.255.0 61.130.133.1 preference 60
!
return
[r1]
[r1]dis ipsec policy all
ipsec policy name: policy1
ipsec policy sequence: 10
negotiation mode: manual
security acl: 3000
local address: 61.130.130.1
remote address: 61.130.132.1
proposal name: tran1
ah(inbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(inbound) setting:
esp spi: 54321 (0xd431)
esp string-key: gfedcba
esp encryption-hex:
esp authen-hex:
ah(outbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(outbound) setting:
esp spi: 12345 (0x3039)
esp string-key: abcdefg
esp encryption-hex:
esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
ipsec policy name: policy2
ipsec policy sequence: 10
negotiation mode: manual
security acl: 3001
local address: 61.130.131.1
remote address: 61.130.133.1
proposal name: tran2
ah(inbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(inbound) setting:
esp spi: 54321 (0xd431)
esp string-key: gfedcba
esp encryption-hex:
esp authen-hex:
ah(outbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(outbound) setting:
esp spi: 12345 (0x3039)
esp string-key: abcdefg
esp encryption-hex:
esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
[r1]
R2
[r2]dis cu
acl 3000 match-order auto
rule normal permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
!
ipsec policy use1 10 manual
security acl 3000
proposal tran1
tunnel local 61.130.132.1
tunnel remote 61.130.130.1
sa inbound esp spi 12345
sa inbound esp string-key abcdefg
sa outbound esp spi 54321
sa outbound esp string-key gfedcba
!
controller e1 0
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 61.130.132.1 255.255.255.252
ipsec policy use1
!
interface Ethernet1
ip address 192.168.2.254 255.255.255.0
!
ip route-static 0.0.0.0 0.0.0.0 61.130.132.2 preference 60
ip route-static 192.168.1.0 255.255.255.0 61.130.130.1 preference 60
!
return
[r2]
[r2]dis ipsec policy all
ipsec policy name: use1
ipsec policy sequence: 10
negotiation mode: manual
security acl: 3000
local address: 61.130.132.1
remote address: 61.130.130.1
proposal name: tran1
ah(inbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(inbound) setting:
esp spi: 12345 (0x3039)
esp string-key: abcdefg
esp encryption-hex:
esp authen-hex:
ah(outbound) setting:
ah spi:
ah string-key:
ah hex-key-string:
esp(outbound) setting:
esp spi: 54321 (0xd431)
esp string-key: gfedcba
esp encryption-hex:
esp authen-hex:
OutBound SA has been established.
InBound SA has been established.
[r2]
R3
[r3]dis cu
acl 3000 match-order auto
rule normal permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule normal deny ip source any destination any
!
ipsec proposal tran1
!
ipsec policy use1 10 manual
security acl 3000
proposal tran1
tunnel local 61.130.133.1
tunnel remote 61.130.131.1
sa inbound esp spi 12345
sa inbound esp string-key abcdefg
sa outbound esp spi 54321
sa outbound esp string-key gfedcba
!
interface Ethernet0
ip address 61.130.133.1 255.255.255.252
ipsec policy use1
!
interface Ethernet1
ip address 192.168.3.254 255.255.255.0
!
ip route-static 0.0.0.0 0.0.0.0 61.130.133.2 preference 60
ip route-static 192.168.1.0 255.255.255.0 61.130.131.1 preference 60
!
return
[r3]
[r3]
[r3]dis ipsec sa all
interface name: Ethernet0
path MTU: 1500
ipsec policy name: use1
ipsec policy sequence: 10
negotiation mode: manual
in use settings = {tunnel}
local address: 61.130.133.1
remote address: 61.130.131.1
esp SAs(inbound):
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
No duration limit for this sa
esp SAs(outbound):
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
No duration limit for this sa
[r3]
ISP
<isp>
<isp>dis cu
#
sysname isp
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
interface Vlan-interface1
#
interface Vlan-interface10
ip address 61.130.130.2 255.255.255.252
#
interface Vlan-interface20
ip address 61.130.131.2 255.255.255.252
#
interface Vlan-interface30
ip address 61.130.132.2 255.255.255.252
#
interface Vlan-interface40
ip address 61.130.133.2 255.255.255.252
#
interface Aux0/0
#
interface Ethernet0/1
port access vlan 10
#
interface Ethernet0/2
port access vlan 20
#
interface Ethernet0/3
port access vlan 30
#
interface Ethernet0/4
port access vlan 40
#
<isp>
Test
Branch 2 accessing headquarters
Branch 1 accessing headquarters
Success!
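A consistency check for the manual SAs configured above, as an added example that is not part of the original page: it parses the manual policy blocks from two peers' configuration, confirms that the SPIs, keys and tunnel endpoints mirror each other (outbound on one side must equal inbound on the other), and lists the hygiene issues a reviewer would raise even when the pair is consistent, namely manual keying with no IKE rekeying (the `dis ipsec sa` output above shows "No duration limit for this sa") and short printable string keys. The configuration excerpts are copied from R1's policy1 and R2's use1; the regex-based parser is the example's own, not a VRP tool.

```python
import re

# Constructed excerpts of two peers' "dis cu" output: policy1 on R1 and use1 on R2 (values from the page)
R1_CFG = """ipsec policy policy1 10 manual
 tunnel local 61.130.130.1
 tunnel remote 61.130.132.1
 sa inbound esp spi 54321
 sa inbound esp string-key gfedcba
 sa outbound esp spi 12345
 sa outbound esp string-key abcdefg"""
R2_CFG = """ipsec policy use1 10 manual
 tunnel local 61.130.132.1
 tunnel remote 61.130.130.1
 sa inbound esp spi 12345
 sa inbound esp string-key abcdefg
 sa outbound esp spi 54321
 sa outbound esp string-key gfedcba"""

def parse_manual_policies(cfg: str) -> dict:
    """Map policy name -> {'mode', 'tunnel local', 'tunnel remote', 'sa inbound spi', ...}."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        head = re.match(r"\s*ipsec policy (\S+) \d+ (\S+)", line)  # "ipsec policy NAME SEQ MODE"
        kv = re.match(r"\s*(tunnel (?:local|remote)|sa (?:inbound|outbound) esp (?:spi|string-key)) (\S+)", line)
        if head:
            cur = policies.setdefault(head[1], {"mode": head[2]})
        elif kv and cur is not None:
            cur[kv[1].replace(" esp", "")] = kv[2]   # e.g. "sa inbound spi" -> "54321"
    return policies

def check_peer(a: dict, b: dict) -> list:
    """Mismatches between the two ends of a manual ESP SA pair; empty list means they mirror."""
    errors = []
    if a.get("tunnel local") != b.get("tunnel remote") or a.get("tunnel remote") != b.get("tunnel local"):
        errors.append("tunnel endpoints are not mirrored")
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        for field in ("spi", "string-key"):
            if a.get(f"sa {mine} {field}") != b.get(f"sa {theirs} {field}"):
                errors.append(f"A {mine} {field} != B {theirs} {field}")
    return errors

def weak_settings(p: dict, min_key_len: int = 16) -> list:
    """Hygiene warnings worth raising even when check_peer() finds no mismatch."""
    warnings = []
    if p.get("mode") == "manual":
        warnings.append("manual keying: no IKE, no rekeying, SA never expires")
    for d in ("inbound", "outbound"):
        key = p.get(f"sa {d} string-key", "")
        if key and len(key) < min_key_len:
            warnings.append(f"{d} string-key is only {len(key)} chars of printable text")
    return warnings
```

Run the same check against R1's policy2 and R3's use1 to cover the second tunnel; the min_key_len threshold is the example's own choice, not a VRP limit.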