Router *** Configuration and Application [IPsec Part]

L2TP *** is simple to use, fairly efficient and very widely deployed, but its confidentiality protection is weak, which limits it in many deployments. IPsec offers much stronger protection, such as data encryption and authentication.
IPsec negotiation has two main phases. Phase 1 is the ISAKMP/IKE phase, which settles the authentication method, the encryption method and the keys. This can be done by manual configuration (Manual) or by negotiation between the two peers (IKE). The former is specified statically by hand; it reduces the router's computational load, but the key never changes once set, which is not secure enough. The latter is negotiated by the routers and re-keyed periodically, so it is considerably more secure. Phase 2 then uses the authentication method, encryption method and keys settled above to establish the IPsec security channel.
In general, we use IKE to determine the encryption and authentication algorithms.
First, a case of establishing an IPsec tunnel between two routers.
The network layout in brief:
LAN1(192.168.0.0/24)——RT1(10.0.0.1/24)——(10.0.0.2/24)RT2——LAN2(172.16.0.0/24)

RT1#show run

Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255 //ISAKMP pre-shared key, must match the peer
!
crypto isakmp policy 100 //create the ISAKMP policy
 hash md5 //hash algorithm, protects data integrity
!
crypto ipsec transform-set 100 //create the transform set
 transform-type ah-md5-hmac esp-des //MD5 authentication and DES encryption; configurable, but must match the peer
! //the above is the phase 1 configuration; phase 2 negotiation starts here
crypto map bdcom 100 ipsec-isakmp //create the IPsec crypto map
 set peer 10.0.0.2 //IP of the peer router (running IPsec)
 set transform-set 100 //reference the transform set
 match address ACL //reference the access list that selects the traffic IPsec protects
!
interface Loopback0 //loopback interface simulating the local LAN segment
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface Ethernet1/2 //router's WAN (outside) interface
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 crypto map bdcom //apply the crypto map to the physical interface; this is where IPsec takes effect
 duplex half
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2 //static route; next hop is the IPsec tunnel endpoint address
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL //extended access list defining which IP traffic is protected
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 //only one entry can be configured here; with several, only the first takes effect
!
!
ivr-cfg
!
!


RT2#show run

!version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT2
!
!
crypto isakmp key 123456 10.0.0.1 255.255.255.255 //ISAKMP pre-shared key, must match the peer
!
crypto isakmp policy 100 //define the ISAKMP policy
 hash md5 //hash algorithm
!
crypto ipsec transform-set 100 //all settings and comments as on RT1; make sure both ends match
 transform-type ah-md5-hmac esp-des
!
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set 100
 match address ACL
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map bdcom
 no ip directed-broadcast
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 ip address negotiated
 no ip directed-broadcast
!
!
ip route 192.168.0.0 255.255.255.0 10.0.0.1
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ivr-cfg
!

The IPsec configuration is fairly complex and may be hard to remember at first, so here is a template:

ip access-list extended access-list-name //create the ACL that selects the packets to protect
crypto isakmp policy priority //phase 1: IKE authentication, encryption, integrity checking, etc.
 authentication {pre-share|rsa-sig|rsa-encr}
 encryption {des|3des}
 group {1|2}
 hash {sha|md5}
 lifetime seconds
crypto isakmp key keystring peer-address //pre-shared key for the IKE phase
crypto ipsec transform-set transform-set-name //phase 2 (IPsec) starts here
 transform-type transform-type //encryption and authentication applied to the upper-layer data
 mode {tunnel|transport} //IPsec mode, default is tunnel
crypto map map-name seq-num ipsec-isakmp //create the crypto map, which mainly references the policies above
 set peer ip-address
 match address access-list-name
 set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
 set pfs [group1|group2]
 set security-association lifetime [seconds seconds | kilobytes kilobytes]

Note that not all of the parameters listed here are required, but one basic rule holds: the configuration on both sides must match. Also, negotiating fewer parameters is faster but less secure; negotiating more parameters is more secure but puts a heavier load on the router.
The cases above have both routers on fixed IP addresses, but more often the central router has a fixed IP while many branch sites are on ADSL or similar links with non-fixed IPs. That situation calls for dynamic IPsec. The configuration is largely the same; it is the central router's configuration that needs attention.
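The rule that both sides must match, together with the earlier notes that `set peer` points at the other router's outside address and that the crypto ACL only honours its first entry, is something that can be checked mechanically before a tunnel is brought up. The following is an added example, not code from the article or from the router vendor: it parses two peers' configurations in the `//`-commented syntax the article uses (only the commands the article shows are understood), verifies that the pre-shared key, hash and transform set agree, that each `set peer` matches the other side's crypto-map interface address, and that the two crypto ACLs are mirror images, and additionally warns about multi-entry ACLs and about DES/MD5, which are deprecated. The two configuration strings are constructed excerpts of the article's RT1 and RT2 configs.

```python
"""Added example (not from the article or the router vendor): parse two peers'
IPsec configs in the article's syntax and check the symmetry the article
requires, the one-entry crypto ACL limit it mentions, and DES/MD5 use."""
from dataclasses import dataclass, field

# Constructed excerpts of the article's RT1/RT2 configs ('//' comments kept).
RT1_CONF = """
hostname RT1
crypto isakmp key 123456 10.0.0.2 255.255.255.255 //must match the peer
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.2
 match address ACL
interface Ethernet1/2
 ip address 10.0.0.1 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
"""
RT2_CONF = """
hostname RT2
crypto isakmp key 123456 10.0.0.1 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 match address ACL
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

@dataclass
class Side:
    hostname: str = ""
    psk: dict = field(default_factory=dict)   # peer address -> pre-shared key
    hash_alg: str = ""
    transform: tuple = ()                     # e.g. ('ah-md5-hmac', 'esp-des')
    peer: str = ""
    acl_name: str = ""                        # ACL named by 'match address'
    outside_ip: str = ""                      # address of the crypto-map interface
    acls: dict = field(default_factory=dict)  # name -> [(src, mask, dst, mask)]

def parse_side(text):
    s, iface_ip, acl = Side(), None, None
    for raw in text.splitlines():
        t = raw.split("//", 1)[0].split()     # strip '//' comments, tokenize
        if not t or t[0] == "!": continue
        if t[0] == "hostname":
            s.hostname = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            s.psk[t[4]] = t[3]
        elif t[0] == "hash":
            s.hash_alg = t[1]
        elif t[0] == "transform-type":
            s.transform = tuple(t[1:])
        elif t[:2] == ["set", "peer"]:
            s.peer = t[2]
        elif t[:2] == ["match", "address"]:
            s.acl_name = t[2]
        elif t[0] == "interface":             # new interface: reset context
            iface_ip, acl = None, None
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            iface_ip = t[2]
        elif t[:2] == ["crypto", "map"] and len(t) == 3:
            s.outside_ip = iface_ip           # 'crypto map NAME' under an interface
        elif t[:3] == ["ip", "access-list", "extended"]:
            acl = s.acls.setdefault(t[3], [])
        elif t[0] == "permit" and acl is not None:
            acl.append(tuple(t[2:6]))         # (src, src-mask, dst, dst-mask)
    return s

WEAK = {"des", "md5"}   # deprecated; the article's sample uses both
def check_pair(a, b):   # 'ERROR' stops the tunnel coming up; 'WARN' is advisory
    out = []
    for x, y in ((a, b), (b, a)):
        if x.peer != y.outside_ip:
            out.append(f"ERROR {x.hostname}: set peer {x.peer}, but {y.hostname} answers on {y.outside_ip}")
        acl = x.acls.get(x.acl_name, [])
        if len(acl) > 1:
            out.append(f"WARN {x.hostname}: ACL {x.acl_name} has {len(acl)} entries; only the first takes effect")
        if weak := WEAK & ({x.hash_alg} | {p for tf in x.transform for p in tf.split("-")}):
            out.append(f"WARN {x.hostname}: deprecated algorithms {sorted(weak)}")
    if b.outside_ip not in a.psk or a.psk[b.outside_ip] != b.psk.get(a.outside_ip):
        out.append("ERROR pre-shared key missing on one side or different")
    if (a.hash_alg, a.transform) != (b.hash_alg, b.transform):
        out.append(f"ERROR hash/transform-set mismatch: {a.transform} vs {b.transform}")
    acl_a, acl_b = a.acls.get(a.acl_name, []), b.acls.get(b.acl_name, [])
    if not (acl_a and acl_b):
        out.append("ERROR a side has no crypto ACL entries")
    elif acl_b[0] != (acl_a[0][2], acl_a[0][3], acl_a[0][0], acl_a[0][1]):
        out.append(f"ERROR crypto ACLs are not mirror images: {acl_a[0]} vs {acl_b[0]}")
    return out
```

Run against the article's own RT1/RT2 pair, `check_pair(parse_side(RT1_CONF), parse_side(RT2_CONF))` returns no ERROR lines, only the two WARN lines about DES and MD5; the template further down lists `3des` and `sha` as the stronger alternatives. Changing `esp-des` to `esp-3des` on one side only, or editing one `set peer`, produces the corresponding ERROR, which is exactly the class of mistake the article's "both sides must match" rule is about.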


RT1#show run

Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255 //ISAKMP pre-shared key, must match the peer
!
crypto isakmp policy 100 //create the ISAKMP policy
 hash md5 //hash algorithm, protects data integrity
!
crypto ipsec transform-set 100 //create the transform set
 transform-type ah-md5-hmac esp-des //MD5 authentication and DES encryption; configurable, but must match the peer
! //the above is the phase 1 configuration; phase 2 negotiation starts here
crypto map bdcom 100 ipsec-isakmp //create the IPsec crypto map
 set peer 10.0.0.2 //IP of the peer router (running IPsec)
 set transform-set 100 //reference the transform set
 match address ACL //reference the access list that selects the traffic IPsec protects
!
interface Loopback0 //loopback interface simulating the local LAN segment
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface Ethernet1/2 //router's WAN (outside) interface
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 crypto map bdcom //apply the crypto map to the physical interface; this is where IPsec takes effect
 duplex half
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2 //static route; next hop is the IPsec tunnel endpoint address
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL //extended access list defining which IP traffic is protected
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 //only one entry can be configured here; with several, only the first takes effect
!
!
ivr-cfg
!
!

This way, as long as the encryption and authentication algorithms are correct, the IPsec negotiation is accepted from whichever remote router/LAN it comes from, so even with several IPsec sites we do not need a separate set of configuration for each.


BD1710#show run

Building configuration...
Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
service password-encryption
!
hostname BD1710 //branch-site access router
!
aaa authentication login default enable
enable password 7 123233445E28 level 15
!
crypto isakmp key test 211.162.108.36 255.255.255.255 //IP of the central router
!
crypto isakmp policy 100 //IKE policy
 hash md5
!
crypto ipsec transform-set test //IPsec transform set
 transform-type ah-md5-hmac esp-3des
!
crypto map bdcom 10 ipsec-isakmp //static IPsec crypto map
 set peer 211.162.108.36
 set pfs group1
 set transform-set test
 match address ipsec
!
!
interface FastEthernet0/0 //branch site's WAN interface; could also be ADSL or similar
 ip address 220.114.196.122 255.255.255.128
 no ip directed-broadcast
 crypto map bdcom //apply IPsec on the router interface
!
interface Ethernet0/1 //branch router's LAN
 ip address 10.1.128.10 255.255.255.0
 no ip directed-broadcast
 duplex full
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
!
ip route default 220.114.196.126
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ipsec
 permit ip 10.1.128.0 255.255.255.0 192.166.1.0 255.255.255.0
!
!
ivr-cfg
!
!
Original source: http://cisco.chinaitlab.com/***/728636.html