L2TP is simple to use, efficient and very widely deployed, but because its confidentiality is weak its use is restricted in many scenarios. IPsec, by contrast, provides much stronger security properties such as data encryption and authentication.
IPsec negotiation has two phases. Phase 1 is the ISAKMP/IKE phase, which settles the authentication method, the encryption algorithm and the keys. This can be done by manual configuration (Manual) or by negotiation between the two parties (IKE). With manual keying everything is statically specified, which relieves the router of computation, but once the key is set it never changes, which is not secure enough. With IKE the routers negotiate the keys and change them periodically, so the security is considerably better. Phase 2 then uses the authentication method, encryption algorithm and keys established above to build the IPsec security channel.
In general, we use IKE to determine the encryption and authentication algorithms.
Here is a first case: building an IPsec tunnel between two routers.
The network layout is roughly:
LAN1(192.168.0.0/24)——RT1(10.0.0.1/24)——(10.0.0.2/24)RT2——LAN2(172.16.0.0/24)
RT1#show run
Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255   //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100   //create the ISAKMP policy
 hash md5   //hash algorithm, protects data integrity
!
crypto ipsec transform-set 100   //create the transform set
 transform-type ah-md5-hmac esp-des   //MD5 authentication and DES encryption; configurable, but must match the peer
!
//the above is the phase 1 configuration; phase 2 negotiation starts here
crypto map bdcom 100 ipsec-isakmp   //create the IPsec map
 set peer 10.0.0.2   //IP of the peer router (running IPsec)
 set transform-set 100   //reference the transform set
 match address ACL   //reference the access list that selects which traffic IPsec protects
!
interface Loopback0   //loopback interface simulating the local LAN segment
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface Ethernet1/2   //the router's WAN interface
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 crypto map bdcom   //apply the IPsec map to the physical interface so that it takes effect
 duplex half
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2   //static route; the next hop is the IPsec tunnel interface address
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL   //extended access list defining which IP traffic is protected
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0   //only one entry can be configured here; even if there are several, only the first takes effect
!
!
ivr-cfg
!
!
RT2#show run
!version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT2
!
!
crypto isakmp key 123456 10.0.0.1 255.255.255.255   //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100   //define the ISAKMP policy
 hash md5   //hash algorithm
!
crypto ipsec transform-set 100   //all settings and comments are the same as on RT1; just make sure both ends match
 transform-type ah-md5-hmac esp-des
!
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set 100
 match address ACL
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map bdcom
 no ip directed-broadcast
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 ip address negotiated
 no ip directed-broadcast
!
!
ip route 192.168.0.0 255.255.255.0 10.0.0.1
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ivr-cfg
!
IPsec configuration is fairly complex and may be hard to remember at first, so here is a template:
ip access-list extended access-list-name   //create the ACL that selects which packets need protection
crypto isakmp policy priority   //phase 1: IKE authentication, encryption, integrity checking, etc.
 authentication {pre-share | rsa-sig | rsa-encr}
 encryption {des | 3des}
 group {1 | 2}
 hash {sha | md5}
 lifetime seconds
crypto isakmp key keystring peer-address   //pre-shared key for the IKE phase
crypto ipsec transform-set transform-set-name   //phase 2 (IPsec) starts here
 transform-type transform-type   //encryption and authentication applied to the upper-layer data
 mode {tunnel | transport}   //IPsec mode; the default is tunnel
crypto map map-name seq-num ipsec-isakmp   //create the IPsec map, which mainly references the policies above
 set peer ip-address
 match address access-list-name
 set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name6]
 set pfs [group1 | group2]
 set security-association lifetime [seconds seconds | kilobytes kilobytes]
Note that not all of the parameters listed here are required, but the basic rule is that the configuration on both ends must match. Also, the fewer parameters negotiated, the faster the negotiation but the lower the security; the more parameters negotiated, the higher the security, but the heavier the load on the router.
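Because "both ends must match" and "only the first ACL entry takes effect" are the two rules that most often break a tunnel in practice, here is an added checker (example code written for this page, not BDCOM's own tooling) that parses two running configs in the stanza-indented syntax shown above, extracts the ISAKMP key, policy hash, transform set, crypto-map peer and the ACL referenced by the map, and reports every mismatch. The sample configs are constructed from a template of the RT1/RT2 pair above; the function names and the assumption that stanza bodies are indented one space are mine. As a defender's addition beyond the page's own rules, it also lists algorithms that are no longer considered strong (single DES, MD5).

```python
from dataclasses import dataclass, field

# Constructed sample configs in the BDCOM-style syntax shown on the page
# (stanza bodies indented one space); RT2 is the mirror image of RT1.
TEMPLATE = """\
hostname {name}
crypto isakmp key 123456 {peer} 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer {peer}
 set transform-set 100
 match address ACL
interface {iface}
 ip address {me} 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip {local} 255.255.255.0 {remote} 255.255.255.0
"""
RT1_CONFIG = TEMPLATE.format(name="RT1", me="10.0.0.1", peer="10.0.0.2", local="192.168.0.0", remote="172.16.0.0", iface="Ethernet1/2")
RT2_CONFIG = TEMPLATE.format(name="RT2", me="10.0.0.2", peer="10.0.0.1", local="172.16.0.0", remote="192.168.0.0", iface="FastEthernet0/0")

@dataclass
class Side:
    hostname: str = ""
    isakmp_key: str = ""
    isakmp_peer: str = ""        # peer address on the "crypto isakmp key" line
    hash_alg: str = ""
    transform_sets: dict = field(default_factory=dict)   # name -> transform-type string
    map_peer: str = ""
    map_transform: str = ""
    map_acl: str = ""
    outside_ip: str = ""         # address of the interface that carries "crypto map"
    acls: dict = field(default_factory=dict)             # name -> [(src, mask, dst, mask)]

def parse_config(text):
    side, stanza, iface_ips, crypto_iface = Side(), (), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):          # stanza header (not indented)
            stanza = tuple(words)
            if words[0] == "hostname":
                side.hostname = words[1]
            elif words[:3] == ["crypto", "isakmp", "key"]:
                side.isakmp_key, side.isakmp_peer = words[3], words[4]
            continue
        if stanza[:3] == ("crypto", "isakmp", "policy") and words[0] == "hash":
            side.hash_alg = words[1]
        elif stanza[:3] == ("crypto", "ipsec", "transform-set") and words[0] == "transform-type":
            side.transform_sets[stanza[3]] = " ".join(words[1:])
        elif stanza[:2] == ("crypto", "map"):
            if words[:2] == ["set", "peer"]:
                side.map_peer = words[2]
            elif words[:2] == ["set", "transform-set"]:
                side.map_transform = words[2]
            elif words[:2] == ["match", "address"]:
                side.map_acl = words[2]
        elif stanza[0] == "interface":
            if words[:2] == ["ip", "address"]:
                iface_ips[stanza[1]] = words[2]
            elif words[:2] == ["crypto", "map"]:
                crypto_iface = stanza[1]
        elif stanza[:3] == ("ip", "access-list", "extended") and words[0] == "permit":
            side.acls.setdefault(stanza[3], []).append(tuple(words[2:6]))
    side.outside_ip = iface_ips.get(crypto_iface, "")
    return side

def check_pair(a, b):
    """Mismatches between the two ends; an empty list means the pair is consistent."""
    issues = []
    if a.isakmp_key != b.isakmp_key:
        issues.append("ISAKMP pre-shared keys differ")
    if a.hash_alg != b.hash_alg:
        issues.append("ISAKMP hash algorithms differ")
    if a.transform_sets.get(a.map_transform) != b.transform_sets.get(b.map_transform):
        issues.append("transform-sets differ")
    for x, y in ((a, b), (b, a)):
        if not (x.isakmp_peer == x.map_peer == y.outside_ip):
            issues.append(f"{x.hostname}: isakmp key / set peer do not point at {y.hostname}'s crypto interface")
        acl = x.acls.get(x.map_acl, [])
        if len(acl) != 1:
            issues.append(f"{x.hostname}: ACL {x.map_acl} has {len(acl)} permit entries; only the first takes effect")
    acl_a, acl_b = a.acls.get(a.map_acl), b.acls.get(b.map_acl)
    if acl_a and acl_b and acl_a[0] != (acl_b[0][2], acl_b[0][3], acl_b[0][0], acl_b[0][1]):
        issues.append("ACL permit entries are not mirror images of each other")
    return issues

def weak_algorithms(side):
    """Algorithms in use that are no longer considered strong (single DES, MD5)."""
    found = ["ISAKMP hash md5"] if side.hash_alg == "md5" else []
    for token in side.transform_sets.get(side.map_transform, "").split():
        if "md5" in token or token == "esp-des":
            found.append(f"transform {token}")
    return found
```

Run `check_pair(parse_config(RT1_CONFIG), parse_config(RT2_CONFIG))` on the mirrored pair and it returns an empty list; change the key on one side, drop the mirroring in the ACL, or add a second permit entry and the corresponding finding appears. The ACL mirror test swaps source and destination because the protected flow is described from each router's own side, exactly as in the RT1/RT2 access lists above.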
The case above covers two routers that both have fixed IP addresses. More commonly, though, the central router has a fixed IP while several branch sites use ADSL or similar connections without a fixed IP. In that case we need dynamic IPsec. The configuration is essentially the same; the only thing to watch is the configuration of the central end.
RT1#show run
Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255   //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100   //create the ISAKMP policy
 hash md5   //hash algorithm, protects data integrity
!
crypto ipsec transform-set 100   //create the transform set
 transform-type ah-md5-hmac esp-des   //MD5 authentication and DES encryption; configurable, but must match the peer
!
//the above is the phase 1 configuration; phase 2 negotiation starts here
crypto map bdcom 100 ipsec-isakmp   //create the IPsec map
 set peer 10.0.0.2   //IP of the peer router (running IPsec)
 set transform-set 100   //reference the transform set
 match address ACL   //reference the access list that selects which traffic IPsec protects
!
interface Loopback0   //loopback interface simulating the local LAN segment
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface Ethernet1/2   //the router's WAN interface
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 crypto map bdcom   //apply the IPsec map to the physical interface so that it takes effect
 duplex half
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2   //static route; the next hop is the IPsec tunnel interface address
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL   //extended access list defining which IP traffic is protected
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0   //only one entry can be configured here; even if there are several, only the first takes effect
!
!
ivr-cfg
!
!
This way, as long as the encryption, authentication and other algorithms are correct, the IPsec negotiation coming from any remote router/LAN will be accepted, so even with several IPsec sites there is no need to build several sets of configuration.
BD1710#show run
Building configuration...
Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
service password-encryption
!
hostname BD1710   //branch-site access router
!
aaa authentication login default enable
enable password 7 123233445E28 level 15
!
crypto isakmp key test 211.162.108.36 255.255.255.255   //specify the central router's IP
!
crypto isakmp policy 100   //IKE policy
 hash md5
!
crypto ipsec transform-set test   //IPsec transform set
 transform-type ah-md5-hmac esp-3des
!
crypto map bdcom 10 ipsec-isakmp   //static IPsec map
 set peer 211.162.108.36
 set pfs group1
 set transform-set test
 match address ipsec
!
!
interface FastEthernet0/0   //the branch site's WAN interface; could equally be ADSL or similar
 ip address 220.114.196.122 255.255.255.128
 no ip directed-broadcast
 crypto map bdcom   //apply IPsec to the router interface
!
interface Ethernet0/1   //the branch router's LAN
 ip address 10.1.128.10 255.255.255.0
 no ip directed-broadcast
 duplex full
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
!
ip route default 220.114.196.126
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ipsec
 permit ip 10.1.128.0 255.255.255.0 192.166.1.0 255.255.255.0
!
!
ivr-cfg
!
!