IPsec over GRE.docx
- Document ID: 17148044
- Uploaded: 2023-07-22
- Format: DOCX
- Pages: 17
- Size: 266.52 KB
IPsec over GRE
1. H3C SecPath IPSec VPN Main Mode Lab Guide
1. Networking requirements:
A company has one public-facing VPN gateway in Hangzhou and one in Beijing. An IPSec tunnel is built between the two gateways so that the private networks of the two sites can reach each other.
2. Network diagram:
The Hangzhou UTM has public address 202.0.0.1/24 and private address 192.168.1.1/24; the Beijing F100-A has public address 202.0.0.2/24 and private address 192.168.2.1/24. An IPSec VPN tunnel is established between the F100-A and VPNB to interconnect the two sites' private networks.
3.2 F100-A configuration
#
 sysname F100-A
#
 ike local-name firewall   // configure the IKE local name
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type huawei
#
domain system
#
ike peer utm   // configure the IKE peer
 pre-shared-key 123456   // pre-shared key
 remote-address 202.0.0.1   // peer address
 local-address 202.0.0.2   // local address
#
ipsec proposal 1   // configure the IPSec proposal, using the default settings
#
ipsec policy firewall 1 isakmp   // configure the IPSec policy
 security acl 3001   // reference the ACL created below
 ike-peer utm   // reference the IKE peer created above
 proposal 1   // reference the proposal created above
#
acl number 3001   // define the interesting traffic
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
 ip address 202.0.0.2 255.255.255.0
 ipsec policy firewall   // apply the IPSec policy on the interface
#
interface Ethernet1/1
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet1/2
#
interface NULL0
#
// Configure the route to the peer's private network, so that private-network traffic has a route out of interface Eth1/0; on the way out it matches the IPSec policy applied on that interface and is therefore encapsulated in IPsec
 ip route-static 192.168.1.0 255.255.255.0 202.0.0.1 preference 60
#
return
4. Verification
1. Ping PC2 from PC1: the ping succeeds.
But why does the first packet fail? The first packet has to trigger the IPSec negotiation, and at that moment the IPSec security association has not yet been established, so no encryption service is available for the first packet and it is dropped. By the time the subsequent packets reach the device the IPSec SA is already in place, so they pass through.
On F100-A the IKE SA and the IPSec SA can be viewed with the relevant commands:
Total IKE phase-1 SAs: 1
 connection-id   peer          flag   phase   doi
 ----------------------------------------------------------
   2             202.0.0.1     RD     2       IPSEC
   1             202.0.0.1     RD     1       IPSEC
 flag meaning
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

===============================
Interface: Ethernet1/0
 path MTU: 1500
===============================

-----------------------------
IPsec policy name: "firewall"
sequence number: 1
mode: isakmp
-----------------------------
 Created by: "Host"
 connection id: 3
 encapsulation mode: tunnel   // the encapsulation mode is tunnel mode
 perfect forward secrecy: None
 tunnel:   // tunnel source and destination addresses
   local address: 202.0.0.2
   remote address: 202.0.0.1
 flow: (6 times matched)   // the private-network flow to be encapsulated
   sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
   dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP

 [inbound ESP SAs]
   spi: 1057200163 (0x3f039823)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3323
   max received sequence-number: 3
   udp encapsulation used for nat traversal: N

 [outbound ESP SAs]
   spi: 1082897926 (0x408bb606)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3323
   max sent sequence-number: 4
   udp encapsulation used for nat traversal: N
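As an added example (not part of the lab guide), a small parser for the ESP SA blocks in the display output above: it extracts SPI, proposal and lifetimes, works out how much of each SA's lifetime has already been consumed, and flags the DES and MD5 algorithms that the default proposal negotiates. The sample text is constructed from the values shown on this page.

```python
import re

# Constructed sample: the ESP SA blocks displayed on F100-A above, re-spaced
# into the usual "key: value" layout (values are the ones on this page).
SAMPLE = """\
 [inbound ESP SAs]
   spi: 1057200163 (0x3f039823)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3323
 [outbound ESP SAs]
   spi: 1082897926 (0x408bb606)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3323
"""
# The lab's default proposal negotiates DES and MD5; both are obsolete, so flag them.
WEAK_SUFFIXES = ("-DES", "-MD5")

def parse_esp_sas(text):
    # One dict per "[inbound/outbound ESP SAs]" block; keys we do not need are ignored.
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            cur = {"direction": m.group(1)}
            sas.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "spi":
            cur["spi"] = int(val.split()[0])  # decimal SPI; the hex form is in parentheses
        elif key == "proposal":
            cur["algs"] = val.split()
        elif key == "sa key duration (bytes/sec)":
            cur["bytes_limit"], cur["sec_limit"] = map(int, val.split("/"))
        elif key == "sa remaining key duration (bytes/sec)":
            cur["bytes_left"], cur["sec_left"] = map(int, val.split("/"))
    return sas

def sa_report(sa):
    # Derived facts a reviewer wants: SA age, bytes protected so far, weak algorithms.
    weak = [a for a in sa["algs"] if a.endswith(WEAK_SUFFIXES)]
    return {"direction": sa["direction"], "spi_hex": "0x%08x" % sa["spi"],
            "age_sec": sa["sec_limit"] - sa["sec_left"],
            "bytes_used": sa["bytes_limit"] - sa["bytes_left"], "weak_algs": weak}
```

For the inbound SA above this yields an age of 277 seconds and 180 bytes protected, which matches the single ping exchange the lab describes.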
2. H3C SecPath GRE over IPSec Lab Guide
1. Networking requirements:
A company has one public-facing VPN gateway in Hangzhou and one in Beijing. A GRE tunnel is built between the two gateways so that the private networks of the two sites can reach each other.
Because GRE itself cannot encrypt the private-network data it carries, we configure IPSec to protect the GRE packets.
2. Network diagram:
The Hangzhou UTM has public address 202.0.0.1/24 and private address 192.168.1.1/24; the Beijing F100-A has public address 202.0.0.2/24 and private address 192.168.2.1/24. A GRE over IPSec VPN tunnel is established between the F100-A and VPNB to interconnect the two sites' private networks.
3. Command-line configuration:
[F100-A] dis cur
#
 sysname F100-A
#
 ike local-name firewall
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
ike peer utm   // configure the IKE peer
 pre-shared-key 123456
 remote-address 202.0.0.1
 local-address 202.0.0.2
#
ipsec proposal 1
#
ipsec policy firewall 1 isakmp   // configure the IPSec policy
 security acl 3000
 ike-peer utm
 proposal 1
#
acl number 3000   // configure the interesting traffic: the GRE packets between the two public addresses
 rule 0 permit gre source 202.0.0.2 0 destination 202.0.0.1 0
#
interface Ethernet0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
 ip address 202.0.0.2 255.255.255.0
 ipsec policy firewall
#
interface Ethernet1/1
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet1/2
#
interface Tunnel1
 ip address 2.1.1.2 255.255.255.252
 source 202.0.0.2
 destination 202.0.0.1
#
interface NULL0
#
// Configure the route to the peer's private network
 ip route-static 192.168.1.0 255.255.255.0 Tunnel1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
[F100-A]
4. Verification
1. PC1 can ping PC2;
2. Looking at the IPSec SA on F100-A shows the relevant information;
On the F100-A side:
Total IKE phase-1 SAs: 1
 connection-id   peer          flag   phase   doi
 ----------------------------------------------------------
   8             202.0.0.1     RD     1       IPSEC
   9             202.0.0.1     RD     2       IPSEC
 flag meaning
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

===============================
Interface: Ethernet1/0
 path MTU: 1500
===============================

-----------------------------
IPsec policy name: "firewall"
sequence number: 1
mode: isakmp
-----------------------------
 Created by: "Host"
 connection id: 6
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 202.0.0.2
   remote address: 202.0.0.1
 flow: (6 times matched)
   sour addr: 202.0.0.2/255.255.255.255 port: 0 protocol: GRE
   dest addr: 202.0.0.1/255.255.255.255 port: 0 protocol: GRE

 [inbound ESP SAs]
   spi: 1417987758 (0x5484c6ae)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436548/3282
   max received sequence-number: 3
   udp encapsulation used for nat traversal: N

 [outbound ESP SAs]
   spi: 848802740 (0x3297b3b4)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436548/3282
   max sent sequence-number: 4
   udp encapsulation used for nat traversal: N
5. Questions to consider
1. If there is no traffic between PC1 and PC2 for a long time, will the IPSec SA disappear?
2. In the GRE over IPSec case, how can the IPSec SA be kept alive permanently?
[Hint]: GRE keepalive
3. In this nested VPN environment, how is the data encapsulated? Is IPSec negotiated first, or GRE?
[Hint]: In "A over B", A is the payload protocol (also called the passenger protocol) and B is the carrier protocol (also called the transport protocol). The passenger always sits in the vehicle and lets the vehicle carry it.
4. To interconnect PC1 and PC2 we configured a static route pointing at the Tunnel interface. Could a dynamic routing protocol be used instead of a static route? If OSPF were used, how would private-network interconnection be achieved?
[Hint]:
#
ospf 1
 area 0.0.0.0
  network 2.1.1.0 0.0.0.3
  network 192.168.1.0 0.0.0.255
3. H3C SecPath IPSec over GRE Lab Guide
1. Networking requirements:
A company has one public-facing VPN gateway in Hangzhou and one in Beijing. A VPN tunnel is built between the two gateways so that the private networks of the two sites can reach each other; the VPN type used here is IPSec over GRE.
2. Network diagram:
The Hangzhou UTM has public address 202.0.0.1/24 and private address 192.168.1.1/24; the Beijing F100-A has public address 202.0.0.2/24 and private address 192.168.2.1/24. An IPSec over GRE VPN tunnel is established between the F100-A and VPNB to interconnect the two sites' private networks.
3. F100-A configuration
#
 sysname F100-A
#
 ike local-name firewall
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
ike peer utm   // configure the IKE peer; the peer addresses are now the tunnel interface addresses
 pre-shared-key 123456
 remote-address 2.1.1.1
 local-address 2.1.1.2
#
ipsec proposal 1
#
ipsec policy firewall 1 isakmp   // configure the IPSec policy
 security acl 3000
 ike-peer utm
 proposal 1
#
acl number 3000   // the interesting traffic is the private-network data
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Tunnel1
 ip address 2.1.1.2 255.255.255.252
 source 202.0.0.2
 destination 202.0.0.1
 ipsec policy firewall   // apply the IPSec policy on the Tunnel interface
#
interface NULL0
#
// Specify the route to the peer's private network
 ip route-static 192.168.1.0 255.255.255.0 2.1.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return
4. Verification:
1. PC1 can ping PC2;
2. Looking at the IPSec SA on F100-A shows the relevant information:
On the F100-A side:
Total IKE phase-1 SAs: 1
 connection-id   peer          flag   phase   doi
 ----------------------------------------------------------
   18            2.1.1.1       RD     2       IPSEC
   17            2.1.1.1       RD     1       IPSEC
 flag meaning
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

===============================
Interface: Tunnel1
 path MTU: 64000
===============================

-----------------------------
IPsec policy name: "firewall"
sequence number: 1
mode: isakmp
-----------------------------
 Created by: "Host"
 connection id: 7
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 2.1.1.2
   remote address: 2.1.1.1
 flow: (25 times matched)
   sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP
   dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP

 [inbound ESP SAs]
   spi: 1757554129 (0x68c225d1)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3480
   max received sequence-number: 3
   udp encapsulation used for nat traversal: N

 [outbound ESP SAs]
   spi: 136712169 (0x8260fe9)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa key duration (bytes/sec): 1887436800/3600
   sa remaining key duration (bytes/sec): 1887436620/3480
   max sent sequence-number: 4
   udp encapsulation used for nat traversal: N
5. Questions to consider
1. In the IPSec over GRE topology, how is the private-network data encapsulated?
2. Can the private networks reach each other via dynamic routing? How?
[Hint]:
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 2.1.1.0 0.0.0.3
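As an added example (not part of the lab guide), a model of the header stacking for the two nestings discussed in question 3 of section 2 and question 1 of section 3. It implements H3C-style wildcard ACL matching with the ACL 3000 rules from both configurations and shows where each IPSec policy sees the packet: on Ethernet1/0 after GRE encapsulation (GRE over IPSec) or on Tunnel1 before it (IPSec over GRE). The sample packet is constructed; PC addresses are assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hdr:
    src: str
    dst: str
    proto: str  # "ip" = plain IP payload, "gre", or "esp"

def ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def _in_range(addr, base, wildcard):
    # H3C wildcard: 1 bits are "don't care"; 0.0.0.0 (written "0" in the CLI) is an exact host.
    mask = ~ip2int(wildcard) & 0xFFFFFFFF
    return ip2int(addr) & mask == ip2int(base) & mask

def acl_match(rule, hdr):
    # rule = (protocol, (src, wildcard), (dst, wildcard)); protocol "ip" matches any.
    proto, (sa, sw), (da, dw) = rule
    if proto != "ip" and proto != hdr.proto:
        return False
    return _in_range(hdr.src, sa, sw) and _in_range(hdr.dst, da, dw)

# ACL 3000 as configured on F100-A in each lab (values from the page).
ACL_GRE_OVER_IPSEC = ("gre", ("202.0.0.2", "0.0.0.0"), ("202.0.0.1", "0.0.0.0"))
ACL_IPSEC_OVER_GRE = ("ip", ("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"))

def gre_over_ipsec(pkt):
    # Routed into Tunnel1 first: a GRE header with the public endpoints goes on.
    stack = [Hdr("202.0.0.2", "202.0.0.1", "gre"), pkt]
    # ipsec policy on Ethernet1/0: ACL 3000 sees the GRE packet, not the private one.
    if acl_match(ACL_GRE_OVER_IPSEC, stack[0]):
        stack = [Hdr("202.0.0.2", "202.0.0.1", "esp")] + stack  # tunnel-mode ESP
    return stack

def ipsec_over_gre(pkt):
    # ipsec policy on Tunnel1: ACL 3000 sees the raw private packet.
    stack = [pkt]
    if acl_match(ACL_IPSEC_OVER_GRE, pkt):
        stack = [Hdr("2.1.1.2", "2.1.1.1", "esp")] + stack  # ESP between the tunnel IPs
    # Tunnel1 then adds GRE with the public endpoints; Ethernet1/0 sends it as is.
    return [Hdr("202.0.0.2", "202.0.0.1", "gre")] + stack

def protos(stack):
    return [h.proto for h in stack]  # outermost header first

if __name__ == "__main__":
    pkt = Hdr("192.168.2.10", "192.168.1.10", "ip")  # constructed Beijing -> Hangzhou packet
    print(protos(gre_over_ipsec(pkt)))  # ['esp', 'gre', 'ip']
    print(protos(ipsec_over_gre(pkt)))  # ['gre', 'esp', 'ip']
```

A packet routed into the tunnel from a subnet outside the ACL is still encrypted in GRE over IPSec, because the GRE packet itself matches, but in IPSec over GRE it rides the GRE tunnel in the clear; the interesting-traffic ACL must cover every private prefix in that design.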