1. IPsec协议简介

       IPsec(Internet Protocol Security)是一系列安全协议的总称,它是由IETF开发,可以为双方提供访问控制,数据的完整性,来源认证,抗重播,加密数据以及对数据分流服务;IPSEC属于三层网络协议

  2. IPsec工作模式

      隧道(tunnel)模式:用户的整个IP数据包被用来计算AH或ESP头,AH或ESP头以及ESP加密的用户数据被封装在一个新的IP数据包中。通常,隧道模式应用在两个安全网关之间的通讯。

      传输(transport)模式:只是传输层数据被用来计算AH或ESP头,AH或ESP头以及ESP加密的用户数据被放置在原IP包头后面。通常,传输模式应用在两台主机之间的通讯,或一台主机和一个安全网关之间的通讯。

IPsec 在企业网中的应用

 

 

3. IPSEC的配置

创建加密访问控制列表
定义安全提议
选择加密算法与认证算法
创建安全策略
在接口上应用安全策略组

 

 

 

以下用一个案例来详细说明:

实验拓扑:

IPsec 在企业网中的应用

 

 

internet部分我们用防火墙代替

配置步骤

防火墙上只需在接口配置ip地址即可

[F4]int et0/1
[F4-Ethernet0/1]ip add 192.168.4.2 24 
[F4-Ethernet0/1]
%Aug  9 09:38:38:232 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/1 is UP 

[F4-Ethernet0/1]
[F4-Ethernet0/1]int et0/2          
[F4-Ethernet0/2]ip add 192.168.5.2 24
[F4-Ethernet0/2]int et0/3           
[F4-Ethernet0/3]ip add 192.168.6.2 24
[F4-Ethernet0/3]
%Aug  9 09:39:16:841 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/3 is UP 

 

 

R9

[R9]int e1
[R9-Ethernet1]ip add 192.168.1.1 24
[R9-Ethernet1]int e0
[R9-Ethernet0]ip add 192.168.4.1 24
[R9-Ethernet0]
%01:12:14: Line protocol ip on the interface Ethernet0 is UP
[R9-Ethernet0]quit
[R9]
[R9]
[R9]acl 3000
[R9-acl-3000]rule permit ip source ?
  X.X.X.X  IP address of source host
  any      Any source host
[R9-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.2.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R9-acl-3000]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules                                                      配置访问控制列表
[R9-acl-3000]quit
[R9]acl 3001
[R9-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.3.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R9-acl-3001]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules
[R9-acl-3001]quit
[R9]ipsec proposal tran1
[R9-ipsec-proposal-tran1]encaps?                                        ----------------                              定义安全定义
    encapsulation-mode

[R9-ipsec-proposal-tran1]encaps tunnel ?
  <cr>
[R9-ipsec-proposal-tran1]encaps tunnel ----------------------                                                    定义数据封装模式
[R9-ipsec-proposal-tran1]transform esp
[R9-ipsec-proposal-tran1]esp encry ?
    3des                Specify using triple DES
    blowfish            Specify using blowfish
    cast                Specify using cast
    des                 Specify using DES
    skipjack            Specify using skipjack

[R9-ipsec-proposal-tran1]esp encry des   --------------                                                              数据加密方式
[R9-ipsec-proposal-tran1]esp authent ?
    md5-hmac-96   Specify using HMAC-MD5 algorithm
    sha1-hmac-96  Specify using HMAC-SHA1 algorithm

[R9-ipsec-proposal-tran1]esp authent sha                     ---------------                                       数据认证方式
[R9-ipsec-proposal-tran1]quit
[R9]ipsec policy policy 10 isakmp
[R9-ipsec-policy-policy-10]proposal tran1
[R9-ipsec-policy-policy-10]security acl 3000
[R9-ipsec-policy-policy-10]tunnel remote 192.168.5.1 
[R9-ipsec-policy-policy-10]quit                                                        ------------------              将acl引用到安全策略中
[R9]ipsec policy policy1 20 isakmp
[R9-ipsec-policy-policy1-20]security acl 3001          
[R9-ipsec-policy-policy1-20]tunnel remote 192.168.6.1
[R9-ipsec-policy-policy1-20]quit
[R9]ip route 0.0.0.0 0 192.168.4.2
[R9]int e0
[R9-Ethernet0]ipsec policy policy1      ----------------                                                              将策略运用到端口上
[R9-Ethernet0]quit
[R9]ike pre?
    pre-shared-key

[R9]ike pre abcde remote 192.168.5.1
[R9]ike pre abcdef remote 192.168.6.1

 

 

 

以下路由器配置***与R9对应

R6

[R6]int e1
[R6-Ethernet1]ip add 192.168.2.1 24
[R6-Ethernet1]int e0
[R6-Ethernet0]ip add 192.168.5.1 24

[R6]acl 3000
[R6-acl-3000]rule permit ip sour 192.168.2.0 0.0.0.255 des 192.168.1.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[R6-acl-3000]rule deny ip sour any des any
  Rule has been added to normal packet-filtering rules
[R6-acl-3000]quit
[R6]ipsec proposal tran1
[R6-ipsec-proposal-tran1]encap tunne
[R6-ipsec-proposal-tran1]tran esp
[R6-ipsec-proposal-tran1]esp enry des

[R6-ipsec-proposal-tran1]esp auth sha
[R6-ipsec-proposal-tran1]quit
[R6]ipsec policy policy1 10 isakmp
[R6-ipsec-policy-policy1-10]secur ?
    acl       specify the security traffic by access-list

[R6-ipsec-policy-policy1-10]secur acl 3000
[R6-ipsec-policy-policy1-10]proposal tran1

[R6-ipsec-policy-policy1-10]tunnel remote ?
  X.X.X.X    remote host ip address.
[R6-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[R6-ipsec-policy-policy1-10]quit

[R6]int e0
[R6-Ethernet0]ipsec policy policy1
[R6-Ethernet0]uit
  Incorrect command

[R6-Ethernet0]quit
[R6]ike pre abcde remote 192.168.4.1 -----------                        ike协商要与R9对应

 

 

 

R16

[r16]int e0
[r16-Ethernet0]ip add 192.168.6.1 24
[r16-Ethernet0]
%01:23:30: Line protocol ip on the interface Ethernet0 is UP
[r16-Ethernet0]int e1
[r16-Ethernet1]ip add 192.168.3.1 24
[r16-Ethernet1]quit
[r16]ip route 0.0.0.0 0 192.168.6.2
[r16]acl 3000
[r16-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 des 192.168.1.0 0.0.0.255
  Rule has been added to normal packet-filtering rules
[r16-acl-3000]rule deny ip source any des any
  Rule has been added to normal packet-filtering rules
[r16-acl-3000]quit
[r16]ipsec proposal tran1
[r16-ipsec-proposal-tran1]enca ?
    transport   Specify only the payload(data) of the IP packet is protected
    tunnel      Specify the entire IP packet is protected

[r16-ipsec-proposal-tran1]enca tunnel
[r16-ipsec-proposal-tran1]esp encry ?
    3des                Specify using triple DES
    blowfish            Specify using blowfish
    cast                Specify using cast
    des                 Specify using DES
    skipjack            Specify using skipjack

[r16-ipsec-proposal-tran1]esp encry des
[r16-ipsec-proposal-tran1]esp aut ?
    md5-hmac-96   Specify using HMAC-MD5 algorithm
    sha1-hmac-96  Specify using HMAC-SHA1 algorithm

[r16-ipsec-proposal-tran1]esp aut sha
[r16-ipsec-proposal-tran1]quit
[r16]ipsec policy ?
  STRING<1-15>  ipsec policy name.
[r16]ipsec policy policy1 10 ?
  <cr>      if this ipsec policy has been created
  isakmp    indicaties that IKE will be used to establish the IPSec SA
  manual    indicaties that IKE will NOT be used to establish the IPSec SA
[r16]ipsec policy policy1 10 isakmp
[r16-ipsec-policy-policy1-10]security 3000
  Incorrect command

[r16-ipsec-policy-policy1-10]secu?       
    security

[r16-ipsec-policy-policy1-10]security ?
    acl       specify the security traffic by access-list

[r16-ipsec-policy-policy1-10]security acl 3000 ?
  <cr>
[r16-ipsec-policy-policy1-10]security acl 3000
[r16-ipsec-policy-policy1-10]proposal tran1
[r16-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[r16-ipsec-policy-policy1-10]quit
[r16]int e0
[r16-Ethernet0]ipsec policy policy1
[r16-Ethernet0]quit
[r16]ike pre abcdef remote 192.168.4.1---------  ike要与R9的相对应
[r16]

 

实验验证结果

 

IPsec 在企业网中的应用

IPsec 在企业网中的应用

IPsec 在企业网中的应用

IPsec 在企业网中的应用

IPsec 在企业网中的应用