H3C MSR系列路由器IPsec典型配置举例(V7)(25页).doc

-H3C MSR系列路由器IPsec典型配置举例(V7)-第 25 页1 简介2 配置前提3 使用iNode客户端基于证书认证的L2TP over IPsec功能配置举例3.1 组网需求3.2 配置思路3.3 使用版本3.4 配置步骤3.4.1 Device的配置3.4.2 Host的配置3.5 验证配置3.6 配置文件4 IPsec over GRE的典型配置举例4.1 组网需求4.2 配置思路4.3 使用版本4.4 配置步骤4.4.1 Device A的配置4.4.2 Device B的配置4.5 验证配置4.6 配置文件5 GRE over IPsec的典型配置举例5.1 组网需求5.2 配置思路5.3 使用版本5.4 配置步骤5.4.1 Device A的配置5.4.2 Device B的配置5.5 验证配置5.6 配置文件6 IPsec同流双隧道的典型配置举例6.1 组网需求6.2 使用版本6.3 配置步骤6.3.1 Device A的配置6.3.2 Device B的配置6.4 验证配置6.5 配置文件7 相关资料1  简介本文档介绍IPsec的典型配置举例。2  配置前提本文档适用于使用Comware V7软件版本的MSR系列路由器，如果使用过程中与产品实际情况有差异，请参考相关产品手册，或以设备实际情况为准。本文档中的配置均是在实验室环境下进行的配置和验证，配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置，为了保证配置效果，请确认现有配置和以下举例中的配置不冲突。本文档假设您已了解IPsec特性。3  使用iNode客户端基于证书认证的L2TP over IPsec功能配置举例3.1  组网需求如图1所示，PPP用户Host与Device建立L2TP隧道，Windows server 2003作为CA服务器，要求：·     通过L2TP隧道访问Corporate network。·     用IPsec对L2TP隧道进行数据加密。·     采用RSA证书认证方式建立IPsec隧道。图1 基于证书认证的L2TP over IPsec配置组网图3.2  配置思路由于使用证书认证方式建立IPsec隧道，所以需要在ike profile中配置local-identity为dn，指定从本端证书中的主题字段取得本端身份。3.3  使用版本本举例是在R0106版本上进行配置和验证的。3.4  配置步骤3.4.1  Device的配置(1)     配置各接口IP地址# 配置接口GigabitEthernet2/0/1的IP地址。<Device> system-viewDevice interface gigabitethernet 2/0/1Device-GigabitEthernet2/0/1 ip address 192.168.100.50 24Device-GigabitEthernet2/0/1 quit# 配置接口GigabitEthernet2/0/2的IP地址。Device interface gigabitethernet 2/0/2Device-GigabitEthernet2/0/2 ip address 102.168.1.11 24Device-GigabitEthernet2/0/2 quit# 配置接口GigabitEthernet2/0/3的IP地址。Device interface gigabitethernet 2/0/3Device-GigabitEthernet2/0/3 ip address 192.168.1.1 24Device-GigabitEthernet2/0/3 quit(2)     配置L2TP# 创建本地PPP用户l2tpuser，设置密码为hello。Device local-user l2tpuser class networkDevice-luser-network-l2tpuser password simple helloDevice-luser-network-l2tpuser service-type pppDevice-luser-network-l2tpuser quit# 配置ISP域system对PPP用户采用本地验证。Device domain systemDevice-isp-system authentication ppp localDevice-isp-system quit# 启用L2TP服务。Device l2tp enable# 创建接口Virtual-Template0，配置接口的IP地址为172.16.0.1/24。Device interface virtual-template 0Device-Virtual-Template0 ip address 172.16.0.1 255.255.255.0# 配置PPP认证方式为PAP。Device-Virtual-Template0 ppp authentication-mode pap# 配置为PPP用户分配的IP地址为172.16.0.2。Device-Virtual-Template0 remote address 172.16.0.2Device-Virtual-Template0 quit# 创建LNS模式的L2TP组1。Device l2tp-group 1 mode lns# 配置LNS侧本端名称为lns。Device-l2tp1 tunnel name lns# 关闭L2TP隧道验证功能。Device-l2tp1 undo tunnel authentication# 指定接收呼叫的虚拟模板接口为VT0。Device-l2tp1 allow l2tp virtual-template 0Device-l2tp1 quit(3)     配置PKI证书# 配置PKI实体 security。Device pki entity securityDevice-pki-entity-security common-name deviceDevice-pki-entity-security quit# 新建PKI域。Device pki domain headgateDevice-pki-domain-headgate ca identifier LYQDevice-pki-domain-headgate certificate request url http:/192.168.1.51/certsrv/mscep/mscep.dllDevice-pki-domain-headgate certificate request from raDevice-pki-domain-headgate certificate request entity securityDevice-pki-domain-headgate undo crl check enableDevice-pki-domain-headgate public-key rsa general name abc length 1024Device-pki-domain-headgate quit# 生成RSA算法的本地密钥对。Device public-key local create rsa name abcThe range of public key modulus is (512 2048).If the key modulus is greater than 512,it will take a few minutes.Press CTRL+C to abort.Input the modulus length default = 1024:Generating Keys.Create the key pair successfully.# 获取CA证书并下载至本地。Device pki retrieve-certificate domain headgate caThe trusted CA's finger print is:    MD5  fingerprint:8649 7A4B EAD5 42CF 5031 4C99 BFS3 2A99    SHA1 fingerprint:61A9 6034 181E 6502 12FA 5A5F BA12 0EA0 5187 031CIs the finger print correct?(Y/N):yRetrieved the certificates successfully.# 手工申请本地证书。Device pki request-certificate domain headgateStart to request general certificate .Certificate requested successfully.(4)     配置IPsec隧道# 创建IKE安全提议。Device ike proposal 1Device-ike-proposal-1 authentication-method rsa-signatureDevice-ike-proposal-1 encryption-algorithm 3des-cbcDevice-ike-proposal-1 dh group2Device-ike-proposal-1 quit# 配置IPsec安全提议。Device ipsec transform-set tran1Device-ipsec-transform-set-tran1 esp authentication-algorithm sha1Device-ipsec-transform-set-tran1 esp encryption-algorithm 3desDevice-ipsec-transform-set-tran1 quit# 配置IKE profile。Device ike profile profile1Device-ike-profile-profile1 local-identity dnDevice-ike-profile-profile1 certificate domain headgateDevice-ike-profile-profile1 proposal 1Device-ike-profile-profile1 match remote certificate deviceDevice-ike-profile-profile1 quit# 在采用数字签名认证时，指定总从本端证书中的主题字段取得本端身份。Deviceike signature-identity from-certificate# 创建一条IPsec安全策略模板，名称为template1，序列号为1。Device ipsec policy-template template1 1Device-ipsec-policy-template-template1-1 transform-set tran1Device-ipsec-policy-template-template1-1 ike-profile profile1Device-ipsec-policy-template-template1-1 quit# 引用IPsec安全策略模板创建一条IPsec安全策略，名称为policy1，顺序号为1。Device ipsec policy policy1 1 isakmp template template1# 在接口上应用IPsec安全策略。Device interface gigabitethernet 2/0/2Device-GigabitEthernet2/0/2 ipsec apply policy policy1Device-GigabitEthernet2/0/2 quit3.4.2  Host的配置(1)     从证书服务器上申请客户端证书# 登录到证书服务器：http:/192.168.1.51/certsrv ，点击“申请一个证书”。图1 进入申请证书页面# 点击“高级证书申请”。图2 高级证书申请# 选择第一项：创建并向此CA提交一个申请。图3 创建并向CA提交一个申请# 填写相关信息。·     需要的证书类型，选择“客户端身份验证证书”；·     密钥选项的配置，勾选“标记密钥为可导出”前的复选框。# 点击<提交>，弹出一提示框 ：在对话框中选择“是”。# 点击安装此证书。图4 安装证书(2)     iNode客户端的配置（使用iNode版本为：iNode PC 5.2(E0409)）# 打开L2TP VPN连接，并单击“属性(Y)”。图5 打开L2TP连接# 输入LNS服务器的地址，并启用IPsec安全协议，验证证方法选择证书认证。图6 基本配置# 单击<高级(C)>按钮，进入“L2TP设置”页签，设置L2TP参数如下图所示。图7 L2TP设置# 单击“IPsec设置”页签，配置IPsec参数。图8 IPsec参数设置# 单击“IKE设置”页签，配置IKE参数。图9 IKE参数设置# 单击“路由设置”页签，添加访问Corporate network的路由。图10 路由设置# 完成上述配置后，单击<确定>按钮，回到L2TP连接页面。3.5  验证配置# 在L2TP连接对话框中，输入用户名“l2tpuser”和密码“hello”，单击<连接>按钮。图11 连接L2TP# 在弹出的对话框中选择申请好的证书，单击<确定>按钮。图12 证书选择# 通过下图可以看到L2TP连接成功。图13 连接成功图14 连接成功# 在Device上使用display ike sa命令，可以看到IPsec隧道第一阶段的SA正常建立。<Device> display ike sa    Connection-ID   Remote                Flag         DOI    10              102.168.1.1           RD           IPSECFlags:RD-READY RL-REPLACED FD-FADING# 在Device上使用display ipsec sa命令可以看到IPsec SA的建立情况。<Device> display ipsec saInterface: GigabitEthernet2/0/2  IPsec policy: policy1  Sequence number: 1  Mode: template    Tunnel id: 0    Encapsulation mode: tunnel    Perfect forward secrecy:    Path MTU: 1443    Tunnel:        local  address: 102.168.1.11        remote address: 102.168.1.1    Flow:    sour addr: 102.168.1.11/255.255.255.255  port: 1701  protocol: udp    dest addr: 102.168.1.1/255.255.255.255  port: 0  protocol: udp    Inbound ESP SAs      SPI: 2187699078 (0x8265a386)      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1      SA duration (kilobytes/sec): 1843200/3600      SA remaining duration (kilobytes/sec): 1843197/3294      Max received sequence-number: 51      Anti-replay check enable: Y      Anti-replay window size: 64      UDP encapsulation used for NAT traversal: N      Status: Active    Outbound ESP SAs      SPI: 3433374591 (0xcca5237f)      Transform set:  ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1      SA duration (kilobytes/sec): 1843200/3600      SA remaining duration (kilobytes/sec): 1843197/3294      Max sent sequence-number: 52      UDP encapsulation used for NAT traversal: N      Status: Active3.6  配置文件interface Virtual-Template0 ppp authentication-mode pap remote address 172.16.0.2 ip address 172.16.0.1 255.255.255.0interface GigabitEthernet2/0/1 ip address 192.168.100.50 255.255.255.0interface GigabitEthernet2/0/2 ip address 102.168.1.11 255.255.255.0 ipsec apply policy policy1interface GigabitEthernet2/0/3 ip address 192.168.1.1 255.255.255.0domain system authentication ppp locallocal-user l2tpuser class network password cipher $c$3$nl46fURLtkCkcbdnB6irTXma+E6u0c+h service-type ppp authorization-attribute user-role network-operatorpki domain headgate ca identifier LYQ certificate request url http:/192.168.1.51/certsrv/mscep/mscep.dll certificate request from ra certificate request entity security public-key rsa general name abc undo crl check enablepki entity security common-name hostipsec transform-set tran1 esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1ipsec policy-template template1 1 transform-set tran1 ike-profile profile1ipsec policy policy1 1 isakmp template template1l2tp-group 1 mode lns allow l2tp virtual-template 0 undo tunnel authentication tunnel name lns l2tp enableike signature-identity from-certificateike profile profile1 certificate domain headgate local-identity dn match remote certificate device proposal 1ike proposal 1 authentication-method rsa-signature encryption-algorithm 3des-cbc dh group24  IPsec over GRE的典型配置举例4.1  组网需求如图15所示，企业远程办公网络通过IPsec VPN接入企业总部，要求：通过GRE隧道传输两网络之间的IPsec加密数据。图15 IPsec over GRE组网图4.2  配置思路·     为了对数据先进行IPsec处理，再进行GRE封装，访问控制列表需匹配数据的原始范围，并且要将IPsec应用到GRE隧道接口上。·     为了对网络间传输的数据先进行IPsec封装，再进行GRE封装，需要配置IPsec隧道的对端IP地址为GRE隧道的接口地址。4.3  使用版本本举例是在R0106版本上进行配置和验证的。4.4  配置步骤4.4.1  Device A的配置(1)     配置各接口IP地址# 配置接口GigabitEthernet2/0/1的IP地址。<DeviceA> system-viewDeviceA interface gigabitethernet 2/0/1DeviceA-GigabitEthernet2/0/1 ip address 192.168.1.1 255.255.255.0DeviceA-GigabitEthernet2/0/1 tcp mss 1350DeviceA-GigabitEthernet2/0/1 quit# 配置接口GigabitEthernet2/0/2的IP地址。DeviceA interface gigabitethernet 2/0/2DeviceA-GigabitEthernet2/0/2 ip address 202.115.22.48 255.255.255.0DeviceA-GigabitEthernet2/0/2 quit(2)     配置GRE隧道# 创建Tunnel0接口，并指定隧道模式为GRE over IPv4隧道。DeviceA interface tunnel 0 mode gre# 配置Tunnel0接口的IP地址为10.1.1.1/24。DeviceA-Tunnel0 ip address 10.1.1.1 255.255.255.0# 配置Tunnel0接口的源端地址为202.115.22.48/24（Device A的GigabitEthernet2/0/2的IP地址）。DeviceA-Tunnel0 source 202.115.22.48# 配置Tunnel0接口的目的端地址为202.115.24.50/24（Device B的GigabitEthernet2/0/2的IP地址）。DeviceA-Tunnel0 destination 202.115.24.50DeviceA-Tunnel0 quit# 配置从Device A经过Tunnel0接口到Remote office network的静态路由。DeviceA ip route-static 192.168.2.1 255.255.255.0 tunnel 0(3)     配置IPsec VPN# 配置IKE keychain。DeviceA ike keychain keychain1DeviceA-ike-keychain-keychain1 pre-shared-key address 10.1.1.2 255.255.255.0 key simple 123DeviceA-ike-keychain-keychain1 quit# 创建ACL3000，定义需要IPsec保护的数据流。DeviceA acl number 3000DeviceA-acl-adv-3000 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255DeviceA-acl-adv-3000 quit# 配置IPsec安全提议。DeviceA ipsec transform-set tran1DeviceA-ipsec-transform-set-tran1 esp encryption-algorithm desDeviceA-ipsec-transform-set-tran1 esp authentication-algorithm sha1DeviceA-ipsec-transform-set-tran1 quit# 创建一条IKE协商方式的IPsec安全策略，名称为policy1，序列号为1。DeviceA ipsec policy policy1 1 isakmpDeviceA-ipsec-policy-isakmp-policy1-1 security acl 3000DeviceA-ipsec-policy-isakmp-policy1-1 remote-address 10.1.1.2DeviceA-ipsec-policy-isakmp-policy1-1 transform-set tran1DeviceA-ipsec-policy-isakmp-policy1-1 quit# 在GRE隧道接口上应用安全策略。DeviceA interface tunnel 0DeviceA-Tunnel0 ipsec apply policy policy1DeviceA-Tunnel0 quit4.4.2  Device B的配置(1)     配置各接口IP地址# 配置接口GigabitEthernet2/0/1的IP地址。<DevoceB> system-viewDeviceB interface gigabitethernet 2/0/1DeviceB-GigabitEthernet2/0/1 ip address 192.168.2.1 255.255.255.0DeviceB-GigabitEthernet2/0/1 tcp mss 1350DeviceB-GigabitEthernet2/0/1 quit# 配置接口GigabitEthernet2/0/2的IP地址。DeviceB interface gigabitethernet 2/0/2DeviceB-GigabitEthernet2/0/2 ip address 202.115.24.50 255.255.255.0DeviceB-GigabitEthernet2/0/2 quit(2)     配置GRE隧道# 创建Tunnel0接口，并指定隧道模式为GRE over IPv4隧道。DeviceB interface tunnel 0 mode gre# 配置Tunnel0接口的IP地址为10.1.1.2/24。DeviceB-Tunnel0 ip address 10.1.1.2 255.255.255.0# 配置Tunnel0接口的源端地址为202.115.24.50/24（Device B的GigabitEthernet2/0/2的IP地址）。DeviceB-Tunnel0 source 202.115.24.50# 配置Tunnel0接口的目的端地址为202.115.22.48/24（Device A的GigabitEthernet2/0/2的IP地址）。DeviceB-Tunnel0 destination 202.115.22.48DeviceB-Tunnel0 quit# 配置从DeviceB经过Tunnel0接口到Corporate network的静态路由。DeviceB ip route-static 192.168.1.1 255.255.255.0 tunnel 0(3)     配置IPsec VPN# 配置IKE keychain。DeviceB ike keychain keychain1DeviceB-ike-keychain-keychain1 pre-shared-key address 10.1.1.1 255.255.255.0 key simple 123DeviceB-ike-keychain-keychain1 quit# 创建ACL3000，定义需要IPsec保护的数据流。DeviceB acl number 3000DeviceB-acl-adv-3000 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255DeviceB-acl-adv-3000 quit# 配置IPsec安全提议。DeviceB ipsec transform-set tran1DeviceB-ipsec-transform-set-tran1 esp encryption-algorithm desDeviceB-ipsec-transform-set-tran1 esp authentication-algorithm sha1DeviceB-ipsec-transform-set-tran1 quit# 创建一条IKE协商方式的IPsec安全策略，名称为policy1，序列号为1。DeviceB ipsec policy policy1 1 isakmpDeviceB-ipsec-policy-isakmp-policy1-1 security acl 3000DeviceB-ipsec-policy-isakmp-policy1-1 remote-address 10.1.1.1DeviceB-ipsec-policy-isakmp-policy1-1 transform-set tran1DeviceB-ipsec-policy-isakmp-policy1-1 quit# 在GRE隧道接口上应用安全策略。DeviceB interface tunnel 0DeviceB-Tunnel0 ipsec apply policy policy1DeviceB-Tunnel0 quit4.5  验证配置# 以Corporate network的主机192.168.1.2向Remote office network的主机192.168.2.2发起通信为例，从192.168.1.2 ping 192.168.2.2，会触发IPsec协商，建立IPsec隧道，在成功建立IPsec隧道后，可以ping通。C:Userscorporatenetwork> ping 192.168.2.2Pinging 192.168.2.2 with 32 bytes of data:Request timed out.Reply from 192.168.2.2: bytes=32 time=2ms TTL=254Reply from 192.168.2.2: bytes=32 time=2ms TTL=254Reply from 192.168.2.2: bytes=32 time=1ms TTL=254Ping statistics for 192.168.2.2:    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),Approximate round trip times in milli-seconds:Minimum = 1ms, Maximum = 2ms, Average = 1ms# 在Device A上使用display ike sa命令，可以看到第一阶段的SA正常建立。<DeviceA> display ike sa    Connection-ID   Remote                Flag         DOI    1               10.1.1.2              RD           IPSECFlags:RD-READY RL-REPLACED FD-FADING# 在Device A上使用display ipsec sa命令可以看到IPsec SA的建立情况。<DeviceA> display ipsec saInterface: Tunnel0  IPsec policy: policy1  Sequence number: 1  Mode: isakmp    Tunnel id: 0    Encapsulation mode: tunnel    Perfect forward secrecy:    Path MTU: 1419    Tunnel:        local  address: 10.1.1.1