1. Lab topology
2. Requirements
- r2 acts as the DHCP server and assigns IP addresses to r3 and r4
- The loopback interface addresses on the routers serve as the private-network addresses
- Headquarters builds a VPN tunnel with each of branch r3 and branch r4, using IPsec VPN with IKE aggressive mode
3. Analysis
- Because the IP addresses of R3 and R4 are not fixed, IKE aggressive mode is the only option; main mode cannot be used. With pre-shared-key authentication, main mode can identify the peer only by IP address: the responder has to pick the PSK from the packet's source address before the (encrypted) ID payload arrives, so both sides need a known peer address. Aggressive mode sends the ID payload in the clear in the first message, so the fixed-IP side can select the PSK by the branch's FQDN instead.
Note: this lab only configures the IPsec VPN and does not configure NAT, so the internal networks behind the routers cannot reach the internet.
4. Configuration steps
Fixed-IP side (headquarters)
- Configure the IKE identity
- Create an IKE proposal
- Create the pre-shared keys
  - Identify the peers by FQDN, since their IP addresses are not fixed
  - The fixed-IP side builds VPNs with two branches, so create two keys in the same keychain view, one per branch
- Create the IKE profiles
  - Set the exchange mode to aggressive
  - Reference the IKE proposal
  - Reference the keychain
- Create an IPsec transform set (to simplify the configuration, both policy templates reference the same transform set)
  - Security protocol (default ESP; keep the default)
  - Encapsulation mode (default tunnel; keep the default)
  - Authentication algorithm
  - Encryption algorithm (the lab uses MD5 and DES; both are obsolete, so use SHA-2 and AES outside a lab)
- Create the IPsec policy templates
  - Reference the IKE profile
  - Reference the IPsec transform set
- Create the IPsec policy and bind the policy templates to it
- Apply the IPsec policy on the public-facing interface
Dynamic-IP side (branches)
- Configure the interesting traffic (ACL)
- Configure the IKE identity
- Create an IKE proposal
- Create the pre-shared key
  - Identify the peer by its address
- Create the IKE profile
  - Set the exchange mode to aggressive
  - Reference the IKE proposal
  - Reference the keychain
- Create an IPsec transform set
  - Security protocol (default ESP; keep the default)
  - Encapsulation mode (default tunnel; keep the default)
  - Authentication algorithm
  - Encryption algorithm
- Create the IPsec policy
  - Reference the interesting-traffic ACL
  - Reference the IKE profile
  - Reference the IPsec transform set
  - Configure the peer address
- Apply the IPsec policy on the public-facing interface
5. Configuration
R1 configuration:
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ip add 1.1.1.1 24
[H3C-GigabitEthernet0/0]int lo0
[H3C-LoopBack0]ip add 192.168.1.1 24
[H3C-LoopBack0]quit
[H3C]ip route-static 0.0.0.0 0 1.1.1.2
[H3C]ike identity fqdn r1
[H3C]ike proposal 1
[H3C-ike-proposal-1]quit
[H3C]ike keychain fb
[H3C-ike-keychain-fb]pre-shared-key hostname r3 key simple 123
[H3C-ike-keychain-fb]pre-shared-key hostname r4 key simple 321
[H3C-ike-keychain-fb]quit
[H3C]ike profile r3
[H3C-ike-profile-r3]exchange-mode aggressive
[H3C-ike-profile-r3]proposal 1
[H3C-ike-profile-r3]keychain fb
[H3C-ike-profile-r3]match remote identity fqdn r3
[H3C-ike-profile-r3]ike profile r4
[H3C-ike-profile-r4]exchange-mode aggressive
[H3C-ike-profile-r4]proposal 1
[H3C-ike-profile-r4]keychain fb
[H3C-ike-profile-r4]match remote identity fqdn r4
[H3C-ike-profile-r4]quit
[H3C]ipsec transform-set fb
[H3C-ipsec-transform-set-fb]esp authentication-algorithm md5
[H3C-ipsec-transform-set-fb]esp encryption-algorithm des
[H3C-ipsec-transform-set-fb]quit
[H3C]ipsec policy-template r3 1
[H3C-ipsec-policy-template-r3-1]ike-profile r3
[H3C-ipsec-policy-template-r3-1]transform-set fb
[H3C-ipsec-policy-template-r3-1]quit
[H3C]ipsec policy-template r4 1
[H3C-ipsec-policy-template-r4-1]ike-profile r4
[H3C-ipsec-policy-template-r4-1]transform-set fb
[H3C-ipsec-policy-template-r4-1]quit
[H3C]ipsec policy fb 1 isakmp template r3
[H3C]ipsec policy fb 2 isakmp template r4
[H3C]int g0/0
[H3C-GigabitEthernet0/0] ipsec apply policy fb
R2 configuration:
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ip add 1.1.1.2 24
[H3C-GigabitEthernet0/0]int g0/1
[H3C-GigabitEthernet0/1]ip add 1.1.2.2 24
[H3C-GigabitEthernet0/1]int g0/2
[H3C-GigabitEthernet0/2]ip add 1.1.3.2 24
[H3C-GigabitEthernet0/2]quit
[H3C]dhcp server ip-pool 1
[H3C-dhcp-pool-1]network 1.1.2.0 24
[H3C-dhcp-pool-1]gateway-list 1.1.2.2
[H3C-dhcp-pool-1]quit
[H3C]dhcp server ip-pool 2
[H3C-dhcp-pool-2]network 1.1.3.0 24
[H3C-dhcp-pool-2]gateway-list 1.1.3.2
R3 configuration:
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ip add dhcp-alloc
[H3C-GigabitEthernet0/0]int lo0
[H3C-LoopBack0]ip add 192.168.2.1 24
[H3C-LoopBack0]quit
[H3C]acl advance 3000
[H3C-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit
[H3C]ike identity fqdn r3
[H3C]ike proposal 1
[H3C-ike-proposal-1]quit
[H3C]ike keychain r1
[H3C-ike-keychain-r1]pre-shared-key address 1.1.1.1 key simple 123
[H3C-ike-keychain-r1]quit
[H3C]ike profile r1
[H3C-ike-profile-r1]proposal 1
[H3C-ike-profile-r1]keychain r1
[H3C-ike-profile-r1]match remote identity fqdn r1
[H3C-ike-profile-r1]exchange-mode aggressive
[H3C-ike-profile-r1]quit
[H3C]ipsec transform-set r1
[H3C-ipsec-transform-set-r1]esp authentication-algorithm md5
[H3C-ipsec-transform-set-r1]esp encryption-algorithm des-cbc
[H3C-ipsec-transform-set-r1]quit
[H3C]ipsec policy r1 1 isakmp
[H3C-ipsec-policy-isakmp-r1-1]security 3000
[H3C-ipsec-policy-isakmp-r1-1]ike-profile r1
[H3C-ipsec-policy-isakmp-r1-1]transform-set r1
[H3C-ipsec-policy-isakmp-r1-1]remote-address 1.1.1.1
[H3C-ipsec-policy-isakmp-r1-1]quit
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ipsec apply policy r1
[H3C-GigabitEthernet0/0]quit
R4 configuration:
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ip add dhcp-alloc
[H3C-GigabitEthernet0/0]int lo0
[H3C-LoopBack0]ip add 192.168.3.1 24
[H3C-LoopBack0]quit
[H3C]acl advance 3000
[H3C-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-ipv4-adv-3000]quit
[H3C]ike identity fqdn r4
[H3C]ike proposal 1
[H3C-ike-proposal-1]quit
[H3C]ike keychain r1
[H3C-ike-keychain-r1]pre-shared-key address 1.1.1.1 key simple 321
[H3C-ike-keychain-r1]quit
[H3C]ike profile r1
[H3C-ike-profile-r1]proposal 1
[H3C-ike-profile-r1]keychain r1
[H3C-ike-profile-r1]match remote identity fqdn r1
[H3C-ike-profile-r1]exchange-mode aggressive
[H3C-ike-profile-r1]quit
[H3C]ipsec transform-set r1
[H3C-ipsec-transform-set-r1]esp authentication-algorithm md5
[H3C-ipsec-transform-set-r1]esp encryption-algorithm des-cbc
[H3C-ipsec-transform-set-r1]quit
[H3C]ipsec policy r1 1 isakmp
[H3C-ipsec-policy-isakmp-r1-1]security 3000
[H3C-ipsec-policy-isakmp-r1-1]ike-profile r1
[H3C-ipsec-policy-isakmp-r1-1]transform-set r1
[H3C-ipsec-policy-isakmp-r1-1]remote-address 1.1.1.1
[H3C-ipsec-policy-isakmp-r1-1]quit
[H3C]int g0/0
[H3C-GigabitEthernet0/0]ipsec apply policy r1
[H3C-GigabitEthernet0/0]quit
6. Test
- Ping from R3's private network segment to R1's private network segment:
- Ping from R4's private network segment to R1's private network segment:
7. Summary
- A big difference between IKE aggressive mode and main mode: in aggressive mode the fixed-IP side identifies the peer by FQDN, whereas in main mode both sides identify the peer by address. With PSK authentication, main mode exchanges the ID payloads only after encryption is established, so the PSK can be chosen only by the peer's address; aggressive mode carries the ID in the clear in the first message, so a name works. The price is that the identities and the responder's PSK-based authentication hash are sent unencrypted, so anyone who captures an aggressive-mode exchange can brute-force the PSK offline; with this mode use long random keys, not lab values such as 123 and 321 above.
- The fixed-IP side in aggressive mode can omit the interesting-traffic ACL, because the tunnel is always initiated by the dynamic-IP side; when the fixed-IP side receives the connection request, its policy template takes the traffic selectors from that request. For the same reason its policy template has no remote-address: the responder learns the peer's address from the incoming IKE packet, while the initiator must be told where to send.
- One thing in this lab that puzzled me: when does the peer identity need to be specified, and when not? From testing:
fixed-IP side: neither the ike profile nor the ipsec policy specifies a peer identity, and the VPN tunnel still comes up;
dynamic-IP side: the ike profile can omit the peer identity, but the ipsec policy must specify the peer identity.
I am not sure of the exact reason; readers are welcome to leave a comment.