H3C IPsec PSK aggressive mode configuration

Goal: configure an IPsec VPN (with NAT traversal) between a switch behind NAT and a CentOS host on the public Internet (detailed version)
-----------------------------------------------------------------------------------------------------------
Step 1: configure the CentOS server
[root@myzdl ~]# yum install strongswan -y
[root@myzdl ~]# vim /etc/strongswan/ipsec.conf      # connection configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn peer-h3c-switch   # add the following block to the configuration file
    leftid=@centos
    leftsubnet=172.19.19.0/24,172.20.20.0/24     # CentOS-side internal subnets
    right=%any
    rightid=@h3c
    rightsubnet=192.168.30.0/24,192.168.40.0/24    # H3C-side internal subnets
    aggressive=yes
    ike=3des-md5-modp2048     # phase 1: MD5 authentication, 3DES encryption, DH group modp2048
    esp=3des-sha1    # phase 2: ESP encryption and authentication algorithms
    authby=secret
    auto=start

[root@myzdl ~]# cat /etc/strongswan/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes   # allow PSK authentication in IKEv1 aggressive mode
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

[root@myzdl ~]# vim /etc/strongswan/ipsec.secrets    # pre-shared key

# ipsec.secrets - strongSwan IPsec secrets file
@centos  @h3c : PSK  "ipsec123456"

[root@myzdl ~]# systemctl start strongswan
---------------------------------------------------------------------------------------- server configuration complete

Step 2: configure the H3C switch (or router)
2.1 Configure the phase 1 IKE pre-shared key
[H3C]ike keychain psk           # create a keychain named psk holding the pre-shared key ipsec123456
[H3C-ike-keychain-psk]pre-shared-key address 106.13.6.31 key simple ipsec123456
[H3C-ike-keychain-psk]quit

2.2 Configure the IKE proposal (phase 1 parameters: peer address, exchange mode, pre-shared key, etc.)
[H3C]ike proposal 1           # create IKE proposal 1
[H3C-ike-proposal-1]authentication-method pre-share           # IKE authentication method: pre-shared key
[H3C-ike-proposal-1]encryption-algorithm 3des-cbc           # IKE encryption algorithm: 3DES
[H3C-ike-proposal-1]authentication-algorithm md5           # IKE authentication (integrity) algorithm: MD5
[H3C-ike-proposal-1]dh group14           # DH group 14 = modp2048

[H3C]ike profile file           # IKE profile
[H3C-ike-profile-file]proposal 1           # bind IKE proposal 1
[H3C-ike-profile-file]exchange-mode aggressive           # aggressive mode
[H3C-ike-profile-file]keychain psk          # reference the keychain created above
[H3C-ike-profile-file]match remote identity address 106.13.6.31           # remote peer address
[H3C-ike-profile-file]match remote identity fqdn centos           # remote peer identity
[H3C-ike-profile-file]local-identity fqdn h3c           # local peer identity
[H3C-ike-profile-file]quit

2.3 Configure the phase 2 transform set (encapsulation mode, protocol, authentication and encryption algorithms)
[H3C]ipsec transform-set proposal           # create a transform set named proposal
[H3C-ipsec-transform-set-proposal]encapsulation-mode tunnel           # tunnel mode
[H3C-ipsec-transform-set-proposal]protocol esp           # ESP as the encapsulation protocol
[H3C-ipsec-transform-set-proposal]esp authentication-algorithm sha1           # ESP authentication algorithm
[H3C-ipsec-transform-set-proposal]esp encryption-algorithm 3des-cbc          # ESP encryption algorithm
[H3C-ipsec-transform-set-proposal]quit

2.4 Create an ACL defining the phase 2 traffic of interest (the protected subnets)
[H3C]acl number 3000
[H3C-acl-ipv4-adv-3000]rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]rule 15 permit ip source 192.168.40.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]rule 20 permit ip source 192.168.40.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit

2.5 Create the IPsec policy that ties the negotiation parameters together:
[H3C]ipsec policy ipsec 1 isakmp
[H3C-ipsec-policy-isakmp-ipsec-1]ike-profile file
[H3C-ipsec-policy-isakmp-ipsec-1]transform-set proposal
[H3C-ipsec-policy-isakmp-ipsec-1]security acl 3000
[H3C-ipsec-policy-isakmp-ipsec-1]remote-address 106.13.6.31
[H3C-ipsec-policy-isakmp-ipsec-1]quit

2.6 Apply the policy to the interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ipsec apply policy ipsec           # bind the policy to the interface
[H3C-Vlan-interface1]quit
-------------------------------------------------------------------------------------------
Step 3: since aggressive mode is used, bring the VPN up actively from the switch
[H3C]ping -a 192.168.30.254 172.19.19.19
Ping 172.19.19.19 (172.19.19.19) from 192.168.30.254: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 172.19.19.19: icmp_seq=1 ttl=64 time=12.328 ms
56 bytes from 172.19.19.19: icmp_seq=2 ttl=64 time=13.255 ms
56 bytes from 172.19.19.19: icmp_seq=3 ttl=64 time=15.459 ms
56 bytes from 172.19.19.19: icmp_seq=4 ttl=64 time=10.924 ms

--- Ping statistics for 172.19.19.19 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 10.924/12.992/15.459/1.649 ms

[H3C]display ike sa
    Connection-ID   Remote                Flag         DOI
--------------------------------------------------------------------
    14              106.13.6.31           RD           IPsec
Flags:
RD--READY RL--REPLACED FD--FADING RK--REKEY

[H3C]display ipsec sa
------------------------------------------------------------------
Interface: Vlan-interface1
------------------------------------------------------------------

-----------------------------------------------------------------
IPsec policy: ipsec
Sequence number: 1
Mode: ISAKMP
----------------------------------------------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1436
Tunnel:
local address: 192.168.1.252
remote address: 106.13.6.31
Flow:
sour addr: 192.168.30.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.19.19.0/255.255.255.0 port: 0 protocol: ip

[Inbound ESP SAs]
SPI: 1391345111 (0x52ee3dd7)
Connection ID: 124554051588
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active

[Outbound ESP SAs]
SPI: 3472567373 (0xcefb2c4d)
Connection ID: 124554051589
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: Y
Status: Active

------------------------------------------------------------------
[root@myzdl ~]# strongswan status
Security Associations (1 up, 0 connecting):
peer-h3c-switch[2]: ESTABLISHED 69 seconds ago, 172.16.0.4[centos]...183.17.63.227[h3c]
peer-h3c-switch{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cefb2c4d_i 52ee3dd7_o
peer-h3c-switch{1}: 172.19.19.0/24 === 192.168.30.0/24
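Added example (not part of the original post): a small Python check that reads the two verification outputs above and confirms they describe the same tunnel: the H3C inbound SPI must equal strongSwan's outbound (_o) SPI and vice versa, both sides must agree on UDP encapsulation, and legacy algorithms (3DES, MD5, which this configuration negotiates) are flagged. The sample text is constructed from the outputs shown on this page.

```python
import re
# Constructed sample input: the relevant lines of the two verification commands on this page.
H3C_IPSEC_SA = """\
[Inbound ESP SAs]
SPI: 1391345111 (0x52ee3dd7)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
UDP encapsulation used for NAT traversal: Y
[Outbound ESP SAs]
SPI: 3472567373 (0xcefb2c4d)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
UDP encapsulation used for NAT traversal: Y
"""
STRONGSWAN_STATUS = """\
peer-h3c-switch{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cefb2c4d_i 52ee3dd7_o
"""
LEGACY = {"DES", "3DES", "MD5"}  # algorithms that should no longer be negotiated

def parse_h3c(text):
    """Parse 'display ipsec sa': per-direction SPI, NAT-T flag and transform names."""
    sa, direction = {"nat_t": True, "xforms": set()}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[Inbound"):
            direction = "in"
        elif line.startswith("[Outbound"):
            direction = "out"
        elif line.startswith("SPI:"):
            sa[direction] = line.split("(0x")[1].rstrip(")")  # hex SPI without 0x
        elif line.startswith("Transform set:"):
            sa["xforms"].update(line.split()[2:])
        elif line.startswith("UDP encapsulation"):
            sa["nat_t"] = sa["nat_t"] and line.endswith(": Y")
    return sa

def parse_strongswan(text):
    """Parse 'strongswan status': _i/_o are strongSwan's own inbound/outbound SPIs."""
    m = re.search(r"ESP( in UDP)? SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    return {"in": m.group(2), "out": m.group(3), "nat_t": m.group(1) is not None}

def crosscheck(h3c, sw):
    """Return findings; an empty list means both peers describe the same SA pair."""
    findings = []
    for side, mine, theirs in (("inbound", h3c["in"], sw["out"]), ("outbound", h3c["out"], sw["in"])):
        if mine != theirs:  # one peer's inbound SA is the other peer's outbound SA
            findings.append(f"H3C {side} SPI {mine} != strongSwan peer SPI {theirs}")
    if h3c["nat_t"] != sw["nat_t"]:
        findings.append("peers disagree on UDP encapsulation (NAT-T)")
    legacy = sorted({a for x in h3c["xforms"] for a in x.split("-") if a in LEGACY})
    if legacy:
        findings.append("legacy algorithms negotiated: " + ", ".join(legacy))
    return findings
```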



Reposted from blog.csdn.net/zdl244/article/details/105302676