H3C ipsec psk aggressive mode configuration

Goal: establish an IPsec VPN between an H3C switch sitting behind NAT (using NAT traversal) and a CentOS server on the public Internet (detailed version)
--------------------------------------------------------------------------------
Step 1: configure the CentOS server
[root@myzdl ~]# yum install -y strongswan
[root@myzdl ~]# vim /etc/strongswan/ipsec.conf        # connection definitions

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
conn peer-h3c-switch                                 # add this connection block to the file
        leftid=@centos
        leftsubnet=172.19.19.0/24,172.20.20.0/24     # LAN subnets on the CentOS side
        right=%any
        rightid=@h3c
        rightsubnet=192.168.30.0/24,192.168.40.0/24  # LAN subnets on the H3C side

        aggressive=yes
        ike=3des-md5-modp2048                        # phase 1: 3DES encryption, MD5 integrity, DH group modp2048 (2048-bit)
        esp=3des-sha1                                # phase 2: ESP encryption and authentication algorithms
        authby=secret
        auto=start
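
Before starting the daemon it is worth checking what this conn actually asks for. The following Python script, added here and not part of the original post, parses an ipsec.conf-style conn block (the block above is embedded as the sample) and flags the settings a reviewer would query: aggressive mode combined with PSK authentication (the reason strongswan.conf needs the i_dont_care_about_security_and_use_aggressive_mode_psk switch in the next step), the 3DES/MD5/SHA1 algorithms, and auto=start on a conn whose peer is %any, which strongSwan can only load as a responder. The WEAK_TOKENS list and the wording of the findings are this example's own choices, not strongSwan's.

```python
# Added example (not from the original post): audit a strongSwan ipsec.conf
# "conn" block for the settings this tutorial relies on and flag the risky ones.
import re
from typing import Dict, List

# Sample input: the conn block from the tutorial, embedded so the check runs offline.
SAMPLE_IPSEC_CONF = """\
config setup
       # strictcrlpolicy=yes
conn peer-h3c-switch
     leftid=@centos
     leftsubnet=172.19.19.0/24,172.20.20.0/24
     right=%any
     rightid=@h3c
     rightsubnet=192.168.30.0/24,192.168.40.0/24
     aggressive=yes
     ike=3des-md5-modp2048
     esp=3des-sha1
     authby=secret
     auto=start
"""

# Algorithm tokens this audit treats as weak for a new deployment (the example's own policy).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section; '#' comments are ignored."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line:
            continue
        section = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if section:
            # only 'conn' sections are audited; 'config setup' and 'ca' sections are skipped
            current = conns.setdefault(section.group(2), {}) if section.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns


def audit_conn(name: str, conn: Dict[str, str]) -> List[str]:
    """Return one finding string per questionable setting in a single conn block."""
    findings: List[str] = []
    if conn.get("aggressive") == "yes" and conn.get("authby") == "secret":
        findings.append(f"{name}: aggressive mode with PSK; the identity and a PSK-derived hash are sent "
                        "unencrypted in the first exchange, so a short PSK is exposed to offline guessing; "
                        "prefer main mode or a long random PSK")
    for param in ("ike", "esp"):
        proposal = conn.get(param, "")
        weak = sorted(t for t in re.split(r"[-,!]", proposal) if t in WEAK_TOKENS)
        if weak:
            findings.append(f"{name}: {param}={proposal} uses weak algorithms {weak}")
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        findings.append(f"{name}: auto=start with right=%any; strongSwan cannot initiate towards an "
                        "unknown peer, so the conn is only loaded as a responder (auto=add says what it does)")
    return findings


def audit(text: str) -> List[str]:
    """Audit every conn block in an ipsec.conf text and return all findings."""
    return [f for name, conn in parse_conns(text).items() for f in audit_conn(name, conn)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPSEC_CONF):
        print(finding)
```

Run against the tutorial's conn the script reports four findings; a conn such as `ike=aes256-sha256-modp2048`, `esp=aes256gcm16`, `auto=add` with a fixed `right=` address produces none.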

[root@myzdl ~]# cat /etc/strongswan/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes   # allow PSK authentication in aggressive mode (disabled by default)
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

[root@myzdl ~]# vim /etc/strongswan/ipsec.secrets      # pre-shared key

# ipsec.secrets - strongSwan IPsec secrets file
@centos  @h3c : PSK  "ipsec123456"

[root@myzdl ~]# systemctl start strongswan
---------------------------------------------------------------- server configuration complete

Step 2: configure the H3C switch (or router)
2.1 Configure the IKE pre-shared key (phase 1)
[H3C] ike keychain psk                                                             # create a keychain named psk holding the shared key ipsec123456
[H3C-ike-keychain-psk] pre-shared-key address 106.13.6.31 key simple ipsec123456   # key for peer 106.13.6.31, entered in plain text
[H3C-ike-keychain-psk] quit

2.2 Configure the IKE proposal and IKE profile (phase 1 parameters: peer address, negotiation mode, pre-shared key, and so on)
[H3C] ike proposal 1                                               # create IKE proposal 1
[H3C-ike-proposal-1] authentication-method pre-share               # IKE authentication method: pre-shared key
[H3C-ike-proposal-1] encryption-algorithm 3des-cbc                 # IKE encryption algorithm: 3DES
[H3C-ike-proposal-1] authentication-algorithm md5                  # IKE authentication (integrity) algorithm: MD5
[H3C-ike-proposal-1] dh group14                                    # DH group 14 (modp2048)

[H3C] ike profile file                                             # IKE profile holding the negotiation settings
[H3C-ike-profile-file] proposal 1                                  # bind IKE proposal 1
[H3C-ike-profile-file] exchange-mode aggressive                    # aggressive mode
[H3C-ike-profile-file] keychain psk                                # reference the keychain created in 2.1
[H3C-ike-profile-file] match remote identity address 106.13.6.31   # peer address
[H3C-ike-profile-file] match remote identity fqdn centos           # identity the remote peer presents
[H3C-ike-profile-file] local-identity fqdn h3c                     # identity this switch presents
[H3C-ike-profile-file] quit

2.3 Configure the IPsec transform set (phase 2 parameters: encapsulation mode, security protocol, encryption and authentication algorithms)
[H3C] ipsec transform-set proposal                                      # create a transform set named proposal
[H3C-ipsec-transform-set-proposal] encapsulation-mode tunnel            # tunnel mode
[H3C-ipsec-transform-set-proposal] protocol esp                         # ESP as the security protocol
[H3C-ipsec-transform-set-proposal] esp authentication-algorithm sha1    # ESP authentication algorithm
[H3C-ipsec-transform-set-proposal] esp encryption-algorithm 3des-cbc    # ESP encryption algorithm
[H3C-ipsec-transform-set-proposal] quit

2.4 Configure an ACL that defines the interesting traffic (data flows) protected by the phase 2 SAs
[H3C] acl number 3000
[H3C-acl-ipv4-adv-3000] rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] rule 15 permit ip source 192.168.40.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] rule 20 permit ip source 192.168.40.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] quit

2.5 Create the IPsec policy that ties the negotiation parameters together:
[H3C] ipsec policy ipsec 1 isakmp                           # IKE-negotiated policy named ipsec, sequence number 1
[H3C-ipsec-policy-isakmp-ipsec-1] ike-profile file          # IKE profile from 2.2
[H3C-ipsec-policy-isakmp-ipsec-1] transform-set proposal    # transform set from 2.3
[H3C-ipsec-policy-isakmp-ipsec-1] security acl 3000         # interesting traffic from 2.4
[H3C-ipsec-policy-isakmp-ipsec-1] remote-address 106.13.6.31
[H3C-ipsec-policy-isakmp-ipsec-1] quit

2.6 Apply the IPsec policy to the interface:
[H3C] interface Vlan-interface 1
[H3C-Vlan-interface1] ipsec apply policy ipsec              # bind the IPsec policy to the interface
[H3C-Vlan-interface1] quit
--------------------------------------------------------------------------------
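
The ACL in 2.4 and the leftsubnet/rightsubnet lists in the strongSwan conn must describe the same flows, mirrored: every source/destination pair in the switch ACL has to be one of strongSwan's rightsubnet x leftsubnet combinations, otherwise phase 2 fails with a traffic-selector mismatch even though phase 1 succeeds. The following Python script, added here and not part of the original post, converts the H3C address/wildcard pairs to CIDR and compares both sides; the sample values are the ones used in this post, and the helper and function names are this example's own.

```python
# Added example (not from the original post): verify that the switch ACL and the
# strongSwan subnet lists describe the same set of protected flows.
import ipaddress
import re
from itertools import product
from typing import Set, Tuple

# Constructed samples taken from the configuration in this post.
H3C_ACL_RULES = """\
rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
rule 15 permit ip source 192.168.40.0 0.0.0.255 destination 172.19.19.0 0.0.0.255
rule 20 permit ip source 192.168.40.0 0.0.0.255 destination 172.20.20.0 0.0.0.255
"""
STRONGSWAN_LEFTSUBNET = "172.19.19.0/24,172.20.20.0/24"    # CentOS-side networks
STRONGSWAN_RIGHTSUBNET = "192.168.30.0/24,192.168.40.0/24"  # H3C-side networks

Flow = Tuple[str, str]  # (H3C-side network, CentOS-side network), both in CIDR notation

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """Convert an H3C address/wildcard pair to CIDR (wildcard bits are the inverse of the netmask).
    A non-contiguous wildcard has no prefix-length equivalent and raises ValueError."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    network = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return str(network)


def acl_flows(acl_text: str) -> Set[Flow]:
    """Parse 'rule N permit ip source A W destination B W' lines into (source, destination) pairs."""
    flows: Set[Flow] = set()
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            flows.add((wildcard_to_network(m.group(1), m.group(2)),
                       wildcard_to_network(m.group(3), m.group(4))))
    return flows


def strongswan_flows(leftsubnet: str, rightsubnet: str) -> Set[Flow]:
    """Expand strongSwan's comma-separated subnet lists into every right x left pair,
    oriented as the switch sees them (source = H3C side, destination = CentOS side)."""
    lefts = [str(ipaddress.IPv4Network(s.strip())) for s in leftsubnet.split(",")]
    rights = [str(ipaddress.IPv4Network(s.strip())) for s in rightsubnet.split(",")]
    return set(product(rights, lefts))


def selector_mismatch(acl_text: str, leftsubnet: str, rightsubnet: str) -> Tuple[Set[Flow], Set[Flow]]:
    """Return (flows only in the ACL, flows only in strongSwan); two empty sets mean both ends agree."""
    acl = acl_flows(acl_text)
    ss = strongswan_flows(leftsubnet, rightsubnet)
    return acl - ss, ss - acl


if __name__ == "__main__":
    only_acl, only_ss = selector_mismatch(H3C_ACL_RULES, STRONGSWAN_LEFTSUBNET, STRONGSWAN_RIGHTSUBNET)
    if only_acl or only_ss:
        print("flows only in the switch ACL:", sorted(only_acl))
        print("flows only in strongSwan:", sorted(only_ss))
    else:
        print("traffic selectors match on both ends")
```

With the four ACL rules of this post the script reports a match; deleting rule 20 on the switch, for example, leaves 192.168.40.0/24 to 172.20.20.0/24 configured only on the strongSwan side, which is exactly the flow that would then fail to come up.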
Step 3: because aggressive mode is used here, the switch initiates the VPN; a ping sourced from the switch's LAN address triggers the negotiation
[H3C] ping -a 192.168.30.254 172.19.19.19
Ping 172.19.19.19 (172.19.19.19) from 192.168.30.254: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 172.19.19.19: icmp_seq=1 ttl=64 time=12.328 ms
56 bytes from 172.19.19.19: icmp_seq=2 ttl=64 time=13.255 ms
56 bytes from 172.19.19.19: icmp_seq=3 ttl=64 time=15.459 ms
56 bytes from 172.19.19.19: icmp_seq=4 ttl=64 time=10.924 ms

--- Ping statistics for 172.19.19.19 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 10.924/12.992/15.459/1.649 ms

[H3C]display ike sa
Connection-ID Remote Flag DOI
--------------------------------------------------------------------
14 106.13.6.31 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

[H3C]display ipsec sa
------------------------------------------------------------------
Interface: Vlan-interface1
------------------------------------------------------------------

-----------------------------------------------------------------
IPsec policy: ipsec
Sequence number: 1
Mode: ISAKMP
----------------------------------------------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1436
Tunnel:
local address: 192.168.1.252
remote address: 106.13.6.31
Flow:
sour addr: 192.168.30.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.19.19.0/255.255.255.0 port: 0 protocol: ip

[Inbound ESP SAs]
SPI: 1391345111 (0x52ee3dd7)
Connection ID: 124554051588
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active

[Outbound ESP SAs]
SPI: 3472567373 (0xcefb2c4d)
Connection ID: 124554051589
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3583
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: Y
Status: Active

------------------------------------------------------------------
[root@myzdl ~]# strongswan status
Security Associations (1 up, 0 connecting):
peer-h3c-switch[2]: ESTABLISHED 69 seconds ago, 172.16.0.4[centos]...183.17.63.227[h3c]
peer-h3c-switch{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cefb2c4d_i 52ee3dd7_o
peer-h3c-switch{1}: 172.19.19.0/24 === 192.168.30.0/24
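
A quick way to confirm that both ends are describing the same tunnel: the SPI the switch lists under [Inbound ESP SAs] must be the one strongSwan marks _o (outbound from CentOS) and vice versa, and both sides must agree that ESP is UDP-encapsulated for NAT traversal. The following Python script, added here and not part of the original post, parses excerpts of the two outputs above (embedded as constructed samples copied from them) and reports any disagreement; the parsing is deliberately limited to the fields shown on this page.

```python
# Added example (not from the original post): cross-check the ESP SA state shown by
# the H3C switch against what strongSwan reports on the CentOS side.
import re
from typing import Dict, List

# Constructed samples: excerpts of the "display ipsec sa" and "strongswan status" output above.
H3C_DISPLAY_IPSEC_SA = """\
[Inbound ESP SAs]
SPI: 1391345111 (0x52ee3dd7)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
UDP encapsulation used for NAT traversal: Y
Status: Active

[Outbound ESP SAs]
SPI: 3472567373 (0xcefb2c4d)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
UDP encapsulation used for NAT traversal: Y
Status: Active
"""

STRONGSWAN_STATUS = """\
Security Associations (1 up, 0 connecting):
peer-h3c-switch[2]: ESTABLISHED 69 seconds ago, 172.16.0.4[centos]...183.17.63.227[h3c]
peer-h3c-switch{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cefb2c4d_i 52ee3dd7_o
peer-h3c-switch{1}: 172.19.19.0/24 === 192.168.30.0/24
"""


def parse_h3c_sa(text: str) -> Dict[str, Dict[str, object]]:
    """Return {'in': {...}, 'out': {...}} with the hex SPI, transform set and NAT-T flag per direction."""
    sas: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("[Inbound"):
            current = sas.setdefault("in", {})
        elif line.startswith("[Outbound"):
            current = sas.setdefault("out", {})
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "SPI":
                m = re.search(r"0x([0-9a-fA-F]+)", value)   # keep the hex form, as strongSwan prints it
                current["spi"] = m.group(1).lower() if m else value
            elif key == "Transform set":
                current["transform"] = value
            elif key.startswith("UDP encapsulation"):
                current["natt"] = (value == "Y")
    return sas


def parse_strongswan_status(text: str) -> Dict[str, object]:
    """Pull the INSTALLED CHILD_SA line: whether ESP is UDP-encapsulated and the inbound/outbound SPIs."""
    m = re.search(r"(ESP(?: in UDP)?) SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    if not m:
        raise ValueError("no INSTALLED CHILD_SA with SPIs found in strongswan status output")
    return {"natt": m.group(1) == "ESP in UDP", "spi_in": m.group(2), "spi_out": m.group(3)}


def cross_check(h3c_text: str, ss_text: str) -> List[str]:
    """Return a list of disagreements; an empty list means both ends describe the same tunnel."""
    h3c = parse_h3c_sa(h3c_text)
    ss = parse_strongswan_status(ss_text)
    problems: List[str] = []
    # Each side's inbound SPI is the other side's outbound SPI.
    if h3c["in"]["spi"] != ss["spi_out"]:
        problems.append(f"H3C inbound SPI {h3c['in']['spi']} != strongSwan outbound SPI {ss['spi_out']}")
    if h3c["out"]["spi"] != ss["spi_in"]:
        problems.append(f"H3C outbound SPI {h3c['out']['spi']} != strongSwan inbound SPI {ss['spi_in']}")
    # NAT traversal (ESP in UDP 4500) must be in use on both ends or on neither.
    for direction in ("in", "out"):
        if h3c[direction]["natt"] != ss["natt"]:
            problems.append(f"NAT-T mismatch: H3C {direction}bound={h3c[direction]['natt']}, "
                            f"strongSwan={ss['natt']}")
    return problems


if __name__ == "__main__":
    issues = cross_check(H3C_DISPLAY_IPSEC_SA, STRONGSWAN_STATUS)
    print("\n".join(issues) if issues else "SA state consistent on both ends")
```

For the outputs shown in this post the check passes: the switch's inbound SPI 0x52ee3dd7 is strongSwan's 52ee3dd7_o, the switch's outbound 0xcefb2c4d is strongSwan's cefb2c4d_i, and both report UDP encapsulation, which is what you expect with the switch behind NAT.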

Source: blog.csdn.net/zdl244/article/details/105302676