《网络安全技术与实践》(Network Security Technology and Practice): lab report, review questions and answers. Experiment 8: Applying VPN Technology (.docx)
Experiment 8: Applying VPN Technology

【Objectives】
- Become familiar with how encryption and integrity checking are applied in VPN technology.
- Master implementing a GRE VPN on a Huawei firewall.
- Master implementing a site-to-site IPSec VPN on a Huawei firewall.

【Time allocation】2 class hours

【Equipment】One PC; eNSP; Windows 7/11 operating system.

【Tasks】
Task 8-1: Use a GRE VPN to implement encrypted transmission
Task 8-2: Use the ESP protocol of IPSec to implement a site-to-site VPN

Task 8-1: Use a GRE VPN to implement encrypted transmission

【Task goal】Bob is the security operations engineer of WYL company. The network security requirements state that when the head office accesses the branch office's server, the data flow must be encrypted in transit; the company's network department has decided to implement this with a GRE VPN. The topology is shown in Figure 1.

【Skills observed】Understand GRE encrypted tunnels; be proficient at configuring a GRE VPN on a Huawei firewall.

【Content and procedure】
Figure 1: Topology (branch office and head office; PC1 behind FW1 with Trust and Untrust zones; GRE tunnel across the public network; public IP address and Tunnel IP address).

The networking requirements for the scenario above are as follows:
(1) Basic configuration: configure the interface IP addresses and assign the interfaces to the corresponding security zones.

Task 8-2: Use the ESP protocol of IPSec to implement a site-to-site VPN

【Task goal】Bob is the security operations engineer of WYL company. According to the network security requirements, a site-to-site VPN is to be established between the company headquarters where Bob works and the branch office where Alice works, so that the ESP protocol of IPSec protects the confidential company files Alice and Bob frequently exchange over the Internet. The topology is shown in Figure 5.

【Skills observed】Understand the principles of IPSec VPN; be proficient at configuring an IPSec VPN on a Huawei firewall.

【Content and procedure】
Figure 5: Topology (Client, FW1, FW2 and Server; the Trust zones are on the GE 1/0/6 interfaces).

(1) Configure the IP address and security zone of each interface on FW1 and FW2.

[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 202.1.1.1 24
[FW1-GigabitEthernet1/0/1] undo shutdown
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface GigabitEthernet 1/0/6
[FW1-GigabitEthernet1/0/6] ip address 10.91.74.254 24
[FW1-GigabitEthernet1/0/6] undo shutdown
[FW1-GigabitEthernet1/0/6] quit

[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 202.1.2.2 24
[FW2-GigabitEthernet1/0/1] undo shutdown
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface GigabitEthernet 1/0/6
[FW2-GigabitEthernet1/0/6] ip address 10.91.65.254 24
[FW2-GigabitEthernet1/0/6] undo shutdown
[FW2-GigabitEthernet1/0/6] quit

[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet 1/0/6
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet 1/0/1
[FW1-zone-untrust] quit

[FW2] firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet 1/0/6
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet 1/0/1
[FW2-zone-untrust] quit

(2) Configure a default route to the remote end on FW1 and FW2.

[FW1] ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
[FW2] ip route-static 0.0.0.0 0.0.0.0 202.1.2.1

(3) Define the data flow to be protected, using an ACL to match the traffic.

[FW1] acl number 3000
[FW1-acl-adv-3000] rule permit ip source 10.91.74.0 0.0.0.255 destination 10.91.65.0 0.0.0.255  // match the data flow to be encrypted by the IPSec VPN
[FW1-acl-adv-3000] quit

[FW2] acl number 3000
[FW2-acl-adv-3000] rule permit ip source 10.91.65.0 0.0.0.255 destination 10.91.74.0 0.0.0.255  // match the data flow to be encrypted by the IPSec VPN
[FW2-acl-adv-3000] quit

(4) Configure the IKE security proposal.

[FW1] ike proposal 1
[FW1-ike-proposal-1] encryption-algorithm aes-256       // IKE encryption algorithm: aes-256
[FW1-ike-proposal-1] dh group14                          // key-exchange (DH) group: 14
[FW1-ike-proposal-1] authentication-algorithm sha2-256  // IKE authentication algorithm: sha2-256
[FW1-ike-proposal-1] authentication-method pre-share    // IKE authentication method: pre-shared key
[FW1-ike-proposal-1] integrity-algorithm hmac-sha2-256  // integrity algorithm: hmac-sha2-256
[FW1-ike-proposal-1] prf hmac-sha2-256
[FW1-ike-proposal-1] quit

[FW2] ike proposal 1
[FW2-ike-proposal-1] encryption-algorithm aes-256       // IKE encryption algorithm: aes-256
[FW2-ike-proposal-1] dh group14                          // key-exchange (DH) group: 14
[FW2-ike-proposal-1] authentication-algorithm sha2-256  // IKE authentication algorithm: sha2-256
[FW2-ike-proposal-1] authentication-method pre-share    // IKE authentication method: pre-shared key
[FW2-ike-proposal-1] integrity-algorithm hmac-sha2-256  // integrity algorithm: hmac-sha2-256
[FW2-ike-proposal-1] prf hmac-sha2-256
[FW2-ike-proposal-1] quit

(5) Configure the IKE peers.

[FW1] ike peer FW2
[FW1-ike-peer-FW2] exchange-mode auto
[FW1-ike-peer-FW2] pre-shared-key huawei123  // pre-shared key; must be identical on both ends, set to huawei123
[FW1-ike-peer-FW2] ike-proposal 1            // bind IKE security proposal ike-proposal 1
[FW1-ike-peer-FW2] remote-address 202.1.2.2  // address of the remote end used to establish IKE
[FW1-ike-peer-FW2] quit

[FW2] ike peer FW1
[FW2-ike-peer-FW1] exchange-mode auto
[FW2-ike-peer-FW1] pre-shared-key huawei123  // pre-shared key; must be identical on both ends, set to huawei123
[FW2-ike-peer-FW1] ike-proposal 1            // bind IKE security proposal ike-proposal 1
[FW2-ike-peer-FW1] remote-address 202.1.1.1  // address of the remote end used to establish IKE
[FW2-ike-peer-FW1] quit

(6) Configure the IPSec security proposal.

[FW1] ipsec proposal 10
[FW1-ipsec-proposal-10] esp authentication-algorithm sha2-256  // ESP authentication algorithm: sha2-256
[FW1-ipsec-proposal-10] esp encryption-algorithm aes-256       // ESP encryption algorithm: aes-256
[FW1-ipsec-proposal-10] quit

[FW2] ipsec proposal 10
[FW2-ipsec-proposal-10] esp authentication-algorithm sha2-256
[FW2-ipsec-proposal-10] esp encryption-algorithm aes-256
[FW2-ipsec-proposal-10] quit

(7) Configure the IPSec policy.

[FW1] ipsec policy FW2 1 isakmp
[FW1-ipsec-policy-isakmp-FW2-1] security acl 3000  // put the traffic matched by ACL 3000 into the IPSec VPN
[FW1-ipsec-policy-isakmp-FW2-1] ike-peer FW2       // set the peer, referencing the name defined under ike peer
[FW1-ipsec-policy-isakmp-FW2-1] proposal 10        // apply the authentication and encryption of IPSec proposal 10
[FW1-ipsec-policy-isakmp-FW2-1] quit

[FW2] ipsec policy FW1 1 isakmp
[FW2-ipsec-policy-isakmp-FW1-1] security acl 3000  // put the traffic matched by ACL 3000 into the IPSec VPN
[FW2-ipsec-policy-isakmp-FW1-1] ike-peer FW1       // set the peer, referencing the name defined under ike peer
[FW2-ipsec-policy-isakmp-FW1-1] proposal 10        // apply the authentication and encryption of IPSec proposal 10
[FW2-ipsec-policy-isakmp-FW1-1] quit

(8) Apply the IPSec policy on the corresponding interfaces.

[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] ipsec policy FW2
[FW1-GigabitEthernet1/0/1] quit

[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] ipsec policy FW1
[FW2-GigabitEthernet1/0/1] quit

(9) Configure security policies on FW1 and FW2 to permit the specified internal network segments to exchange packets.

First create the address groups:

[FW1] ip address-set public type group
[FW1-group-address-set-public] address 0 202.1.1.0 mask 24
[FW1-group-address-set-public] address 1 202.1.2.0 mask 24
[FW1-group-address-set-public] quit
[FW1] ip address-set private type group
[FW1-group-address-set-private] address 0 10.91.74.0 mask 24
[FW1-group-address-set-private] address 1 10.91.65.0 mask 24
[FW1-group-address-set-private] quit

Next define an IKE service set:

[FW1] ip service-set ike type object
[FW1-object-service-set-ike] service 0 protocol udp destination-port 500
[FW1-object-service-set-ike] quit

Then enter the security policy configuration view:

[FW1] security-policy
[FW1-policy-security] rule name permit_client_to_server
[FW1-policy-security-rule-permit_client_to_server] source-zone trust untrust
[FW1-policy-security-rule-permit_client_to_server] destination-zone trust untrust
[FW1-policy-security-rule-permit_client_to_server] source-address address-set private
[FW1-policy-security-rule-permit_client_to_server] destination-address address-set private
[FW1-policy-security-rule-permit_client_to_server] action permit
[FW1-policy-security-rule-permit_client_to_server] quit
// The security policy above permits the packets from Client to Server
[FW1-policy-security] rule name permit_client_to_server_ike
[FW1-policy-security-rule-permit_client_to_server_ike] source-zone untrust local
[FW1-policy-security-rule-permit_client_to_server_ike] destination-zone untrust local
[FW1-policy-security-rule-permit_client_to_server_ike] source-address address-set public
[FW1-policy-security-rule-permit_client_to_server_ike] destination-address address-set public
[FW1-policy-security-rule-permit_client_to_server_ike] service ike
[FW1-policy-security-rule-permit_client_to_server_ike] service esp
[FW1-policy-security-rule-permit_client_to_server_ike] action permit
[FW1-policy-security-rule-permit_client_to_server_ike] quit
# The above permits the IKE-encapsulated traffic on FW1

First create the private-network address group on FW2:

[FW2] ip address-set public type group
[FW2-group-address-set-public] ad
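As an added example (not part of the lab report), a small Python check that parses a constructed excerpt of the FW1/FW2 CLI above and verifies the settings that must agree between the two IPSec ends: each remote-address points at the peer's public interface, the pre-shared key and the IKE/IPSec proposals match, and ACL 3000 on each side is the mirror image of the other. FW2's excerpt is constructed by swapping the two ends of FW1's; the field names and helper functions are assumptions of this example.

```python
import re
# Constructed excerpt of FW1's lab configuration (CLI prompts stripped, other sections omitted).
FW1_CFG = """
interface GigabitEthernet 1/0/1
 ip address 202.1.1.1 24
acl number 3000
 rule permit ip source 10.91.74.0 0.0.0.255 destination 10.91.65.0 0.0.0.255
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
ike peer FW2
 pre-shared-key huawei123
 remote-address 202.1.2.2
ipsec proposal 10
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""
# FW2's side, constructed as the mirror image of FW1's excerpt (the two ends swapped).
SWAPS = {"202.1.1.1": "202.1.2.2", "202.1.2.2": "202.1.1.1", "peer FW2": "peer FW1",
         "10.91.74.0": "10.91.65.0", "10.91.65.0": "10.91.74.0"}
FW2_CFG = re.sub("|".join(map(re.escape, SWAPS)), lambda m: SWAPS[m.group()], FW1_CFG)

def grab(cfg, pat):  # first capture group of a line-anchored match, or None if absent
    return (re.search(pat, cfg, re.M) or [None, None])[1]

def parse(cfg):
    """Extract the fields that must agree between the two IPSec peers."""
    return {
        "wan_ip": grab(cfg, r"^\s*ip address (\S+) 24"),
        "acl": re.findall(r"(?:source|destination) (\S+ \S+)", cfg),
        "ike": tuple(grab(cfg, rf"^\s*{k} (\S+)") for k in ("encryption-algorithm", "dh", "authentication-algorithm")),
        "esp": tuple(grab(cfg, rf"^\s*esp {k} (\S+)") for k in ("authentication-algorithm", "encryption-algorithm")),
        "psk": grab(cfg, r"^\s*pre-shared-key (\S+)"),
        "remote": grab(cfg, r"^\s*remote-address (\S+)"),
    }

def check_peers(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two ends form a consistent pair."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["remote"] != b["wan_ip"] or b["remote"] != a["wan_ip"]:
        findings.append("remote-address does not point at the peer's public interface")
    for k, what in (("psk", "pre-shared-key"), ("ike", "IKE proposal"), ("esp", "IPSec proposal")):
        if a[k] != b[k]:
            findings.append(f"{what} differs: {a[k]} vs {b[k]}")
    if a["acl"] != b["acl"][::-1]:  # ACL 3000 must be the mirror image of the peer's rule
        findings.append(f"ACL 3000 is not mirrored: {a['acl']} vs {b['acl']}")
    return findings
```

Running `check_peers(FW1_CFG, FW2_CFG)` on the excerpts returns an empty list; a DH group, key, address or ACL that differs on one side shows up as a finding before the tunnel is brought up.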