Lab 5: L0000014 IPSec and IKE Lab (Chinese edition v11)
[rt1-acl-101]rule permit ip source 10.10.1.0 0.0.0.255 destination 10.20.1.0 0.0.0.255
// Configure the access control list, defining a traffic flow from 10.10.1.1 to 10.20.1.1
[rt1-acl-101]rule deny ip source any destination any
[rt1-acl-101]quit
[rt1]ipsec proposal tran1
// Create a transform set named tran1 and enter IPSec proposal configuration view
[rt1-ipsec-proposal-tran1]encapsulation-mode tunnel
// Set the security protocol's encapsulation of IP packets to tunnel mode
[rt1-ipsec-proposal-tran1]transform esp-new
// Set the transform set's security protocol to the ESP protocol defined in RFC 2406
[rt1-ipsec-proposal-tran1]esp-new encryption-algorithm des
// Set the encryption algorithm used by ESP to DES
[rt1-ipsec-proposal-tran1]esp-new authentication-algorithm sha1-hmac-96
// Set the authentication algorithm used by ESP to SHA-1
[rt1-ipsec-proposal-tran1]quit
[rt1]ipsec policy policy1 10 isakmp
// Create a security policy in system view and enter security policy configuration view
[rt1-ipsec-policy-policy1-10]security acl 101
// Set the access list referenced by the security policy
[rt1-ipsec-policy-policy1-10]tunnel remote 202.10.1.2
// Set the remote address of the security tunnel
[rt1-ipsec-policy-policy1-10]proposal tran1
// Set the transform set referenced by the security policy
[rt1-ipsec-policy-policy1-10]quit
[rt1]interface serial0
[rt1-Serial0]ip address 202.10.1.1 255.255.255.0
[rt1-Serial0]ipsec policy policy1
[rt1-Serial0]quit
// Apply the security policy group on interface Serial0
[rt1]ike pre-shared-key asd remote 202.10.1.2
// Configure the pre-shared-key authentication string
[rt1]ike proposal 10
// Create an IKE proposal
[rt1-ike-proposal-10]quit
[rt1]ip route-static 10.20.1.0 255.255.255.0 202.10.1.2
RT2 configuration:
[rt2]firewall enable
[rt2]interface ethernet0
[rt2-Ethernet0]ip address 10.20.1.1 255.255.0.0
[rt2]acl 101
[rt2-acl-101]rule permit ip source 10.20.1.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
[rt2-acl-101]rule deny ip source any destination any
[rt2]ipsec proposal tran1
[rt2-ipsec-proposal-tran1]encapsulation-mode tunnel
[rt2-ipsec-proposal-tran1]transform esp-new
[rt2-ipsec-proposal-tran1]esp-new encryption-algorithm des
[rt2-ipsec-proposal-tran1]esp-new authentication-algorithm sha1-hmac-96
[rt2-ipsec-proposal-tran1]quit
[rt2]ipsec policy policy1 10 isakmp
[rt2-ipsec-policy-policy1-10]security acl 101
[rt2-ipsec-policy-policy1-10]tunnel remote 202.10.1.1
[rt2-ipsec-policy-policy1-10]proposal tran1
[rt2-ipsec-policy-policy1-10]quit
[rt2]interface serial0
[rt2-Serial0]ip add 202.10.1.2 255.255.255.0
[rt2-Serial0]ipsec policy policy1
[rt2]ike pre-shared-key asd remote 202.10.1.1
[rt2]ike proposal 10
[rt2-ike-proposal-10]quit
[rt2]ip route-static 10.10.1.0 255.255.255.0 202.10.1.1
2. The "display ipsec proposal" command shows the transform set's information; the output is:
[rt1]display ipsec proposal
transform set name: tran1
transform set mode: tunnel
transform: esp-new
ESP protocol: hash sha1-hmac-96, encrypt des
3. With the "display ike proposal" command we can view the IKE security policy configured on the router; the output is:
[rt1]display ike proposal
Protection policy suite with priority 10
encryption: DES_CBC
hash: SHA
authentication: PRE_SHARED
DH Group: MODP_768
duration (seconds): 86400
Default protection policy suite
86400
Here we use the default IKE security policy parameters; in practice the parameters can be configured according to the actual situation.
We can also view a specific security policy with the "display ipsec policy name policy1 10" command:
[rt1]display ipsec policy name policy1 10
ipsec policy name: policy1
ipsec policy sequence: 10
negotiation mode: isakmp
security acl: 101
remote address 0: 202.10.1.2
Proposal name:
ipsec sa duration: 3600 seconds
1843200 kilobytes
OutBound SA has NOT been established.
InBound SA has NOT been established.
4. Next we observe the process by which IKE establishes a security association.
On RT2, use the "debugging ike all" and "debugging ipsec packet" commands to turn on all IKE debugging switches and the IPSec packet debugging switch, then run "ping -n 2 10.20.1.2" on PC1. The following is displayed on RT2:
[rt2]
transport_add: adding 10D08A4
transport_reference: transport 10D08A4 now has 1 references
message_alloc: allocated 100D224
message_recv: message 100D224
ICOOKIE: 0xc57785535e7bba66
RCOOKIE: 0x0000000000000000
NEXT_PAYLOAD: SA
VERSION: 16
EXCH_TYPE: ID_PROT
FLAGS: []
MESSAGE_ID: 0x00000000
LENGTH: 120
message_dump_raw: iovec 0:
c57785535e7bba6600000000000000000110020000000000000000780000005c
0000000100000001000000500101000203000024000100008001000180020002
8003000180040001800b0001000c000400015180000000240101000080010001
800200028003000180040001800b0001000c000400015180
message_parse_payloads: offset 0x1c payload SA
message_validate_payloads: payload SA at 10D0950 of message 100D224
DOI: 1
timer_add_event: event exchange_error_free_aux(10F2234) added before cookie_reset_event(0)
transport 10D08A4 now has 2 references
sa_create: sa 10D0FF4 phase 1 added to exchange 10F2234
offset 0x28 payload PROPOSAL
offset 0x30 payload TRANSFORM
Transform 0's attributes
Attribute ENCRYPTION_ALGORITHM value 1
Attribute HASH_ALGORITHM value 2
Attribute AUTHENTICATION_METHOD value 1
Attribute GROUP_DESCRIPTION value 1
Attribute LIFE_TYPE value 1
Attribute LIFE_DURATION value 86400
offset 0x54 payload TRANSFORM
Transform 1's attributes
payload PROPOSAL at 10D095C of message 100D224
NO:
PROTO: ISAKMP
SPI_SZ: 0
NTRANSFORMS: 2
payload TRANSFORM at 10D0964 of message 100D224
ID:
payload TRANSFORM at 10D0988 of message 100D224
exchange_validate: checking for required SA
ipsec_responder: phase 1 exchange 2 step 0
message_negotiate_sa: transform 0 proto 1 proposal 1 compatible
sa_add_transform: proto 10F9E24 no 1 proto 1 chosen 10C6674 sa 10D0FF4 id 1
ike_main_mode_validate_prop: success
proposal 1 succeeded
ipsec_decode_transform: transform 0 chosen
group_get: returning 10FA054 of group 1
exchange_run: finished step 0, advancing...
transport 10D08A4 now has 3 references
allocated 10F1684
phase 1 exchange 2 step 1
message_send: message 10F1684
0x1c98cd7f26431947
84
c57785535e7bba661c98cd7f26431947011002000000000000000054
iovec 1: 000000380000000100000001
iovec 2: 0000002c01010001
iovec 3: 000000240001000080010001800200028003000180040001800b0001000c0004
00015180
finished step 1, advancing...
transport 10D08A4 now has 4 references
transport 10D0034 now has 2 references
transport_release: transport 10D08A4 had 4 references
transport 10D0034 had 2 references
transport 10D08A4 sending message 10F1684 0 times.
transport_send_messages: message 10F1684 scheduled for retrans 1 in 7 secs
event message_send(10F1684) added before exchange_error_free_aux(10F2234)
adding 10FAF94
transport 10FAF94 now has 1 references
allocated 100D004
message 100D004
KEY_EXCH
148
adding 10FB414
adding 10D0934
Received IPSec(ESP) Packet!
SPI: 1426831585(0x550bb8e1) from 202.10.1.1 to 202.10.1.2
New ESP(RFC2406) EncAlg: DES; AuthAlg: HMAC-SHA1-96;
Authentication Succeed!
Decryption Succeed!
Tunnel mode. Outer IP header chopping succeed!
New SrcAddr: 10.10.1.2 New DstAddr: 10.20.1.2
Now send it to IP input process...
Send IPSec Packet!
From 10.20.1.2 to 10.10.1.2
Tunnel Mode. Adding outer IP header succeed!
4288804284(0xffa1f5bc) SrcAddr: 202.10.1.2 DstAddr: 202.10.1.1
DES AuthAlg: HMAC-SHA1-96
Authentication Finished! (New ESP: RFC2406)
Encryption Finished!
RFC2406) Sequence Number: 1
Now send it to IP output process....
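To relate the raw hex in the message_dump_raw lines above to the header fields, payload offsets and transform attributes the debug log prints, here is an added example (not part of the lab manual or the router software) that parses that 120-byte ISAKMP main-mode message with Python's standard library. The name tables for payload types, exchange types and attributes are assumptions that cover only the values present in this dump.

```python
import struct

# Hex dump copied from the message_dump_raw lines of the RT2 debug output above
# (ISAKMP main mode, message 1 from 202.10.1.1): 120 bytes.
RAW_HEX = ("c57785535e7bba6600000000000000000110020000000000000000780000005c"
           "0000000100000001000000500101000203000024000100008001000180020002"
           "8003000180040001800b0001000c000400015180000000240101000080010001"
           "800200028003000180040001800b0001000c000400015180")
MSG = bytes.fromhex(RAW_HEX)

PAYLOAD = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KEY_EXCH"}
EXCH = {2: "ID_PROT"}   # exchange type 2 = identity protection (main mode)
ATTR = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
        4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION"}

def parse_header(msg):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    ic, rc, nxt, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next_payload": PAYLOAD[nxt],
            "version": ver, "exch_type": EXCH.get(exch, exch), "flags": flags,
            "message_id": mid, "length": length}

def parse_attributes(data):
    """Walk SA attributes: bit 15 set = TV (2-byte value), clear = TLV (length, value)."""
    attrs, i = {}, 0
    while i < len(data):
        atype, val = struct.unpack("!HH", data[i:i + 4])
        if atype & 0x8000:                         # TV: value is in the same 4 bytes
            attrs[ATTR[atype & 0x7fff]], i = val, i + 4
        else:                                      # TLV: val is the length of the value
            attrs[ATTR[atype]] = int.from_bytes(data[i + 4:i + 4 + val], "big")
            i += 4 + val
    return attrs

def parse_sa_payload(msg, off):
    """Parse the SA -> Proposal -> Transform chain starting at byte offset off."""
    doi, = struct.unpack("!I", msg[off + 4:off + 8])   # after the 4-byte generic header
    p_off = off + 12                                   # skip DOI and Situation
    _, _, _, p_no, proto, spi_sz, n_tr = struct.unpack("!BBHBBBB", msg[p_off:p_off + 8])
    t_off, transforms = p_off + 8, []
    offsets = [("SA", off), ("PROPOSAL", p_off)]       # same offsets the debug log prints
    for _ in range(n_tr):
        _, _, t_len, t_no, _ = struct.unpack("!BBHBB", msg[t_off:t_off + 6])
        offsets.append(("TRANSFORM", t_off))
        transforms.append((t_no, parse_attributes(msg[t_off + 8:t_off + t_len])))
        t_off += t_len
    return {"doi": doi, "proposal": p_no, "proto": proto, "spi_sz": spi_sz,
            "ntransforms": n_tr, "offsets": offsets, "transforms": transforms}
```

Calling parse_header(MSG) and parse_sa_payload(MSG, 28) reproduces the ICOOKIE, length 120, the payload offsets 0x1c/0x28/0x30/0x54 and the LIFE_DURATION of 86400 seen in the log, which matches the 86400-second duration shown by display ike proposal.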
5. On PC1 run "ping -n 1000 10.20.1.2", then use a capture tool such as NetXray to capture the encrypted packets sent from the Ethernet port and retransmit them.
Next, observe the packets again: you will find that they are discarded at the receiving end.
Based on what you learned earlier, think about why this happens.
5.1.5 Review questions
Through the above experiment, you should now have a fairly clear understanding of basic IPSec configuration and of the process by which IKE establishes security associations.
IPSec has some further parameter settings which, because they are similar to those of GRE, are not described in detail here.
They are left as exercises: try configuring them yourself to become familiar with the relevant commands.