
Applying IPsec in the Enterprise Network

1. Overview of the IPsec protocol suite

IPsec (Internet Protocol Security) is the collective name for a family of security protocols developed by the IETF. It provides the two communicating parties with access control, data integrity, data-origin authentication, anti-replay protection, data encryption, and traffic-flow confidentiality. IPsec is a layer-3 (network-layer) protocol.

2. IPsec modes of operation

Tunnel mode: the user's entire IP datagram is used to compute the AH or ESP header, and the AH or ESP header together with the ESP-encrypted user data is encapsulated in a new IP datagram. Tunnel mode is normally used for communication between two security gateways.

Transport mode: only the transport-layer data is used to compute the AH or ESP header, and the AH or ESP header together with the ESP-encrypted user data is placed after the original IP header. Transport mode is normally used for communication between two hosts, or between a host and a security gateway.
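To make the difference between the two modes concrete, here is an added Python example (not code from the original post). It assembles the ESP encapsulation for both modes with the sha1-hmac-96 integrity check that the proposals below select; the encryption step uses ESP NULL encryption (RFC 2410) so that the script runs with the standard library alone, where the lab uses DES. The SPI, the HMAC key and the host addresses 192.168.1.10 and 192.168.2.10 are constructed values; the gateway addresses are the outer interfaces of R9 and R6 from the lab.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed sample parameters (not from the page's lab): the SPI and the HMAC key
# would normally come out of the IKE negotiation between the two gateways.
SPI = 0x00001234
HMAC_KEY = b"constructed-demo-key-not-from-the-page"
ICV_LEN = 12          # sha1-hmac-96: HMAC-SHA1 output truncated to 96 bits
BLOCK = 8             # DES/3DES block size: ESP pads the protected part to it
IPPROTO_IPIP = 4      # Next Header in tunnel mode: the payload is a whole IPv4 packet
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def esp_encapsulate(inner: bytes, next_header: int, seq: int) -> bytes:
    """ESP framing (RFC 4303) with NULL encryption (RFC 2410) and HMAC-SHA1-96.
    Layout: SPI | Seq | [inner | padding | pad_len | next_header] | ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK          # align pad_len/next_header to BLOCK
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding bytes
    body = inner + padding + bytes([pad_len, next_header])
    authenticated = struct.pack("!II", SPI, seq) + body
    icv = hmac.new(HMAC_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp: bytes):
    """Verify the ICV in constant time and strip the ESP framing -> (next_header, inner)."""
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(HMAC_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered in transit or wrong key")
    body = authenticated[8:]                       # skip SPI and sequence number
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - pad_len - 2]


def transport_mode(src, dst, proto, payload, seq=1) -> bytes:
    """Host-to-host: the original IP header is kept; ESP sits between it and the payload."""
    esp = esp_encapsulate(payload, proto, seq)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, src, dst, proto, payload, seq=1) -> bytes:
    """Gateway-to-gateway: the whole original packet is protected and wrapped in a
    new outer IP header addressed between the two security gateways."""
    inner_packet = ipv4_header(src, dst, proto, len(payload)) + payload
    esp = esp_encapsulate(inner_packet, IPPROTO_IPIP, seq)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def unwrap(packet: bytes):
    """Undo either mode: returns (mode, src, dst, payload) of the original datagram."""
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    next_header, inner = esp_decapsulate(packet[20:])
    if next_header == IPPROTO_IPIP:                # tunnel mode: inner is a full IP packet
        src, dst = inner[12:16], inner[16:20]
        return ("tunnel", str(ipaddress.IPv4Address(src)),
                str(ipaddress.IPv4Address(dst)), inner[20:])
    src, dst = packet[12:16], packet[16:20]        # transport mode: outer header is the original
    return ("transport", str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), inner)


if __name__ == "__main__":
    payload = b"sample-data!"                      # constructed UDP payload
    # gateways are R9 (192.168.4.1) and R6 (192.168.5.1) from the lab; hosts are constructed
    t = tunnel_mode("192.168.4.1", "192.168.5.1", "192.168.1.10", "192.168.2.10",
                    IPPROTO_UDP, payload)
    x = transport_mode("192.168.1.10", "192.168.2.10", IPPROTO_UDP, payload)
    print("tunnel   :", len(t), "bytes ->", unwrap(t))
    print("transport:", len(x), "bytes ->", unwrap(x))
```

Running it shows the trade-off the text describes: in tunnel mode the outer header carries only the two gateway addresses and the original header travels inside the protected part, at the cost of an extra 20-byte header plus padding; in transport mode the original source and destination remain visible on the wire. Any change to the protected part makes the ICV check fail on the receiving side.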


3. Configuring IPsec

Create the encryption access control list
Define the security proposal
Choose the encryption algorithm and the authentication algorithm
Create the security policy
Apply the security policy group on the interface

The following case study explains these steps in detail:

Lab topology:

Hub router R9 (LAN 192.168.1.0/24, outer interface 192.168.4.1) connects to firewall F4 (192.168.4.2/5.2/6.2), which in turn connects to R6 (outer interface 192.168.5.1, LAN 192.168.2.0/24) and R16 (outer interface 192.168.6.1, LAN 192.168.3.0/24), as the addressing in the sessions below shows.

The Internet portion is represented by the firewall.

Configuration steps

On the firewall, only the interface IP addresses need to be configured.

[F4]int et0/1
[F4-Ethernet0/1]ip add 192.168.4.2 24
[F4-Ethernet0/1]
%Aug 9 09:38:38:232 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/1 is UP

[F4-Ethernet0/1]

[F4-Ethernet0/1]int et0/2
[F4-Ethernet0/2]ip add 192.168.5.2 24
[F4-Ethernet0/2]int et0/3
[F4-Ethernet0/3]ip add 192.168.6.2 24
[F4-Ethernet0/3]
%Aug 9 09:39:16:841 2012 F4 IFNET/4/UPDOWN:Line protocol on the interface Ethernet0/3 is UP

R9

[R9]int e1
[R9-Ethernet1]ip add 192.168.1.1 24
[R9-Ethernet1]int e0
[R9-Ethernet0]ip add 192.168.4.1 24

[R9-Ethernet0]
%01:12:14: Line protocol ip on the interface Ethernet0 is UP
[R9-Ethernet0]quit
[R9]
[R9]
[R9]acl 3000
[R9-acl-3000]rule permit ip source ?
X.X.X.X IP address of source host
any Any source host
[R9-acl-3000]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.2.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[R9-acl-3000]rule deny ip source any des any
Rule has been added to normal packet-filtering rules ---------------- configure the access control list
[R9-acl-3000]quit
[R9]acl 3001
[R9-acl-3001]rule permit ip source 192.168.1.0 0.0.0.255 des 192.168.3.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[R9-acl-3001]rule deny ip source any des any
Rule has been added to normal packet-filtering rules
[R9-acl-3001]quit
[R9]ipsec proposal tran1
[R9-ipsec-proposal-tran1]encaps? ---------------- define the security proposal
encapsulation-mode

[R9-ipsec-proposal-tran1]encaps tunnel ?
<cr>
[R9-ipsec-proposal-tran1]encaps tunnel ---------------------- define the data encapsulation mode
[R9-ipsec-proposal-tran1]transform esp
[R9-ipsec-proposal-tran1]esp encry ?
3des Specify using triple DES
blowfish Specify using blowfish
cast Specify using cast
des Specify using DES
skipjack Specify using skipjack

[R9-ipsec-proposal-tran1]esp encry des -------------- data encryption algorithm
[R9-ipsec-proposal-tran1]esp authent ?
md5-hmac-96 Specify using HMAC-MD5 algorithm
sha1-hmac-96 Specify using HMAC-SHA1 algorithm

[R9-ipsec-proposal-tran1]esp authent sha --------------- data authentication algorithm
[R9-ipsec-proposal-tran1]quit
[R9]ipsec policy policy 10 isakmp
[R9-ipsec-policy-policy-10]proposal tran1
[R9-ipsec-policy-policy-10]security acl 3000
[R9-ipsec-policy-policy-10]tunnel remote 192.168.5.1
[R9-ipsec-policy-policy-10]quit ------------------ reference the ACL in the security policy
[R9]ipsec policy policy1 20 isakmp
[R9-ipsec-policy-policy1-20]security acl 3001
[R9-ipsec-policy-policy1-20]tunnel remote 192.168.6.1
[R9-ipsec-policy-policy1-20]quit
[R9]ip route 0.0.0.0 0 192.168.4.2
[R9]int e0
[R9-Ethernet0]ipsec policy policy1 ---------------- apply the policy group to the interface
[R9-Ethernet0]quit
[R9]ike pre?
pre-shared-key

[R9]ike pre abcde remote 192.168.5.1
[R9]ike pre abcdef remote 192.168.6.1

The following router configurations *** must correspond with R9.

R6

[R6]int e1
[R6-Ethernet1]ip add 192.168.2.1 24
[R6-Ethernet1]int e0
[R6-Ethernet0]ip add 192.168.5.1 24

[R6]acl 3000
[R6-acl-3000]rule permit ip sour 192.168.2.0 0.0.0.255 des 192.168.1.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[R6-acl-3000]rule deny ip sour any des any
Rule has been added to normal packet-filtering rules
[R6-acl-3000]quit
[R6]ipsec proposal tran1
[R6-ipsec-proposal-tran1]encap tunne
[R6-ipsec-proposal-tran1]tran esp
[R6-ipsec-proposal-tran1]esp enry des

[R6-ipsec-proposal-tran1]esp auth sha
[R6-ipsec-proposal-tran1]quit
[R6]ipsec policy policy1 10 isakmp
[R6-ipsec-policy-policy1-10]secur ?
acl specify the security traffic by access-list

[R6-ipsec-policy-policy1-10]secur acl 3000
[R6-ipsec-policy-policy1-10]proposal tran1

[R6-ipsec-policy-policy1-10]tunnel remote ?
X.X.X.X remote host ip address.
[R6-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[R6-ipsec-policy-policy1-10]quit

[R6]int e0
[R6-Ethernet0]ipsec policy policy1
[R6-Ethernet0]uit
Incorrect command

[R6-Ethernet0]quit
[R6]ike pre abcde remote 192.168.4.1 ----------- IKE negotiation must correspond with R9

R16

[r16]int e0
[r16-Ethernet0]ip add 192.168.6.1 24
[r16-Ethernet0]
%01:23:30: Line protocol ip on the interface Ethernet0 is UP
[r16-Ethernet0]int e1
[r16-Ethernet1]ip add 192.168.3.1 24
[r16-Ethernet1]quit
[r16]ip route 0.0.0.0 0 192.168.6.2
[r16]acl 3000
[r16-acl-3000]rule permit ip source 192.168.3.0 0.0.0.255 des 192.168.1.0 0.0.0.255
Rule has been added to normal packet-filtering rules
[r16-acl-3000]rule deny ip source any des any
Rule has been added to normal packet-filtering rules
[r16-acl-3000]quit
[r16]ipsec proposal tran1
[r16-ipsec-proposal-tran1]enca ?
transport Specify only the payload(data) of the IP packet is protected
tunnel Specify the entire IP packet is protected

[r16-ipsec-proposal-tran1]enca tunnel
[r16-ipsec-proposal-tran1]esp encry ?
3des Specify using triple DES
blowfish Specify using blowfish
cast Specify using cast
des Specify using DES
skipjack Specify using skipjack

[r16-ipsec-proposal-tran1]esp encry des
[r16-ipsec-proposal-tran1]esp aut ?
md5-hmac-96 Specify using HMAC-MD5 algorithm
sha1-hmac-96 Specify using HMAC-SHA1 algorithm

[r16-ipsec-proposal-tran1]esp aut sha
[r16-ipsec-proposal-tran1]quit
[r16]ipsec policy ?
STRING<1-15> ipsec policy name.
[r16]ipsec policy policy1 10 ?
<cr> if this ipsec policy has been created
isakmp indicaties that IKE will be used to establish the IPSec SA
manual indicaties that IKE will NOT be used to establish the IPSec SA
[r16]ipsec policy policy1 10 isakmp
[r16-ipsec-policy-policy1-10]security 3000
Incorrect command

[r16-ipsec-policy-policy1-10]secu?
security

[r16-ipsec-policy-policy1-10]security ?
acl specify the security traffic by access-list

[r16-ipsec-policy-policy1-10]security acl 3000 ?
<cr>
[r16-ipsec-policy-policy1-10]security acl 3000
[r16-ipsec-policy-policy1-10]proposal tran1
[r16-ipsec-policy-policy1-10]tunnel remote 192.168.4.1
[r16-ipsec-policy-policy1-10]quit
[r16]int e0
[r16-Ethernet0]ipsec policy policy1
[r16-Ethernet0]quit
[r16]ike pre abcdef remote 192.168.4.1 --------- IKE must correspond with the matching setting on R9
[r16]
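The configuration above is easy to get subtly wrong, because the two ends of every tunnel must agree on several things independently: the policy group bound on the outer interface and the entry inside it, the proposal, mirror-image ACLs, and the IKE pre-shared key. Here is an added Python example (not the blog's code) that writes the three routers down as data transcribed from the sessions above and checks each pair; it also classifies a sample packet the way the router would, modelling an ACL deny as "not protected by this entry, try the next one" (an assumption about the platform's behaviour, marked in the code). Run on R9 exactly as transcribed, it reports that the outer interface applies group policy1 while the entry for remote 192.168.5.1 was created in group policy (ipsec policy policy 10 isakmp), and that entry policy1 20 has no proposal line; r9_corrected() is a constructed variant with both entries in policy1 that passes the checks. The host addresses used in the sample packets are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

# Added example: a consistency check for the three-router lab transcribed above.
# Routers are hand-transcribed from the CLI sessions; parsing the CLI itself is out of scope.


def acl_net(spec: str) -> ipaddress.IPv4Network:
    """'192.168.1.0 0.0.0.255' (Comware wildcard, 1 bit = don't care) or 'any' -> network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, wildcard = spec.partition(" ")
    mask = ~int(ipaddress.IPv4Address(wildcard or "0.0.0.0")) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard in {spec!r}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def rule(action: str, src: str, dst: str) -> tuple:
    return (action, acl_net(src), acl_net(dst))


@dataclass
class Entry:              # one 'ipsec policy <group> <seq> isakmp' entry
    group: str
    seq: int
    acl: int
    remote: str
    proposal: str | None = None


@dataclass
class Router:
    name: str
    outer_ip: str
    acls: dict            # acl number -> [(action, src_net, dst_net), ...]
    proposals: dict       # name -> (encap, transform, encrypt, auth)
    entries: list
    applied: str          # group bound with 'ipsec policy <group>' on the outer interface
    psk: dict             # remote ip -> 'ike pre-shared-key'


def classify(r: Router, src: str, dst: str) -> tuple:
    """Which tunnel protects a packet leaving r? Entries of the applied group are tried in
    sequence order and the first matching ACL rule decides. Assumption modelled here:
    permit -> protect via that entry, deny -> fall through to the next entry."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in sorted((e for e in r.entries if e.group == r.applied), key=lambda e: e.seq):
        for action, sn, dn in r.acls[e.acl]:
            if s in sn and d in dn:
                if action == "permit":
                    return ("protect", e.remote, f"{e.group} {e.seq}")
                break
    return ("clear", None, None)          # no entry claimed it: forwarded unprotected


def check_pair(a: Router, b: Router) -> list:
    """Findings for the tunnel a<->b; an empty list means the two ends agree."""
    out = []
    if a.psk.get(b.outer_ip) != b.psk.get(a.outer_ip):
        out.append(f"{a.name}<->{b.name}: IKE pre-shared keys do not match")
    ends = []
    for r, peer in ((a, b), (b, a)):
        if peer.outer_ip not in r.psk:
            out.append(f"{r.name}: no pre-shared key for {peer.outer_ip}")
        es = [e for e in r.entries if e.group == r.applied and e.remote == peer.outer_ip]
        if not es:
            other = sorted({e.group for e in r.entries if e.remote == peer.outer_ip})
            out.append(f"{r.name}: applied group '{r.applied}' has no entry for {peer.outer_ip}"
                       + (f" (entry exists in group {other})" if other else ""))
            return out
        if es[0].proposal is None:
            out.append(f"{r.name}: entry {es[0].group} {es[0].seq} names no proposal")
        ends.append(es[0])
    x, y = ends
    if x.proposal and y.proposal and a.proposals[x.proposal] != b.proposals[y.proposal]:
        out.append(f"{a.name}<->{b.name}: proposals differ")
    fa = {(s, d) for act, s, d in a.acls[x.acl] if act == "permit"}
    fb = {(d, s) for act, s, d in b.acls[y.acl] if act == "permit"}   # peer's view, mirrored
    if fa != fb:
        out.append(f"{a.name}<->{b.name}: ACL {x.acl} and ACL {y.acl} are not mirror images")
    return out


TRAN1 = ("tunnel", "esp", "des", "sha1-hmac-96")     # identical on all three routers
DENY_ALL = rule("deny", "any", "any")

R9 = Router("R9", "192.168.4.1",
    acls={3000: [rule("permit", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"), DENY_ALL],
          3001: [rule("permit", "192.168.1.0 0.0.0.255", "192.168.3.0 0.0.0.255"), DENY_ALL]},
    proposals={"tran1": TRAN1},
    entries=[Entry("policy", 10, 3000, "192.168.5.1", "tran1"),    # 'ipsec policy policy 10 isakmp'
             Entry("policy1", 20, 3001, "192.168.6.1")],           # no 'proposal' line was entered
    applied="policy1", psk={"192.168.5.1": "abcde", "192.168.6.1": "abcdef"})
R6 = Router("R6", "192.168.5.1",
    acls={3000: [rule("permit", "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255"), DENY_ALL]},
    proposals={"tran1": TRAN1}, entries=[Entry("policy1", 10, 3000, "192.168.4.1", "tran1")],
    applied="policy1", psk={"192.168.4.1": "abcde"})
R16 = Router("R16", "192.168.6.1",
    acls={3000: [rule("permit", "192.168.3.0 0.0.0.255", "192.168.1.0 0.0.0.255"), DENY_ALL]},
    proposals={"tran1": TRAN1}, entries=[Entry("policy1", 10, 3000, "192.168.4.1", "tran1")],
    applied="policy1", psk={"192.168.4.1": "abcdef"})


def r9_corrected() -> Router:
    """Constructed fix: both R9 entries in the applied group, each naming a proposal."""
    return replace(R9, entries=[Entry("policy1", 10, 3000, "192.168.5.1", "tran1"),
                                Entry("policy1", 20, 3001, "192.168.6.1", "tran1")])


if __name__ == "__main__":
    for a, b in ((R9, R6), (R9, R16)):
        print(f"{a.name}<->{b.name}:", check_pair(a, b) or "consistent")
    print("R9 LAN1->LAN2 as transcribed:", classify(R9, "192.168.1.10", "192.168.2.10"))
    print("R9 LAN1->LAN2 corrected     :", classify(r9_corrected(), "192.168.1.10", "192.168.2.10"))
```

The classification result is the practical consequence of the finding: with R9 as transcribed, a packet from 192.168.1.0/24 to 192.168.2.0/24 matches no permit rule in the applied group and leaves the outer interface in the clear, while traffic to 192.168.3.0/24 is handed to the tunnel towards R16. The same check catches a mismatched pre-shared key or a non-mirrored ACL on either side before the tunnel is brought up.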

Verification results


Reposted from: https://blog.51cto.com/zhaoweinana/959502