野蠻模式的特別之處:
1. 野蠻模式支持NAT轉化,主動模式不支持;
2. 野蠻模式支持以Name方式標識對等體,主動模式只支持ip地址方式標識。
當部署***兩端是動態ip地址的時候,例如通過ADSL方式上網,主動模式就束手無策了,因爲它只支持ip地址方式標識,當ip地址不是固定的。而野蠻模式可以通過Name標識,沒有經過不確定的ip地址,能夠成功的構建***。
IPSec主模式和野蠻模式的區別包含如下幾點:
1. 交換的消息:主模式爲6個,野蠻模式爲3個。
2. NAT支持:對預共享密鑰認證:主模式不支持NAT轉換,而野蠻模式支持。而對於證書方式認證:兩種模式都能支持。
3. 對等體標識:主模式只能採用IP地址方式標識對等體;而野蠻模式可以採用IP地址方式或者Name方式標識對等體。這是由於主模式在交換完3、4消息以後,需要使用預共享密鑰來計算SKEYID,當一個設備有多個對等體時,必須查找到該對等體對應的預共享密鑰,但是由於其對等體的ID信息在消息5、6中才會發送,此時主模式的設備只能使用消息3、4中的IP報文源地址來找到與其對應的預共享密鑰;如果主模式採用Name方式,Name信息卻包含在消息5、6中,而設備必須在消息5、6之前找到其對等體的預共享密鑰,所以就造成了矛盾,無法完成Name方式的標識。
而在野蠻模式中,ID消息在消息1、2中就已經發送了,設備可以根據ID信息查找到對應的預共享密鑰,從而計算SKEYID。但是由於野蠻模式交換的3個消息沒有經過加密,所以ID信息也是明文的,也相應造成了安全隱患。
4. 提議轉換對數量:在野蠻模式中,由於第一個消息就需要交換DH消息,而DH消息本身就決定了採用哪個DH組,這樣在提議轉換對中就確定了使用哪個DH組,如果第一個消息中包含多個提議轉換對,那麼這多個轉換對的DH組必須相同(和DH消息確定的DH組一致),否則消息1中只能攜帶和確定DH組相同的提議轉換對。
5. 協商能力:由於野蠻模式交換次數的限制,因此野蠻模式協商能力低於主模式。
配置任務
更多關於ipsec的介紹請參考附件
下面做實際配置,設備三臺H3C SecPath F100-C 防火牆,一臺HUAWEI Quidway 三層交換機
拓撲
![]()
三層交換機配置
配置ip地址
[S13]vlan 5
[S13-vlan5]port Ethernet 0/5
[S13-vlan5]vlan 10
[S13-vlan10]port ethernet 0/10
[S13-vlan10]vlan 15
[S13-vlan15]port ethernet 0/15
[S13-vlan15]inter vlan 5
[S13-Vlan-interface5]ip ad 193.168.10.2 255.255.255.0
[S13-Vlan-interface5]inter vlan 10
[S13-Vlan-interface10]ip ad 193.168.20.2 255.255.255.0
[S13-Vlan-interface10]inter vlan 15
[S13-Vlan-interface15]ip ad 193.168.30.2 255.255.255.0
配置dhcp服務
[SW13]dhcp enable
[SW13]dhcp server ip-pool fw2
[SW13-dhcp-fw2]network 193.168.20.0
[SW13-dhcp-fw2]dhcp server ip-pool fw3
[SW13-dhcp-fw3]network 193.168.30.0
[SW13]dhcp server forbidden-ip 193.168.20.2
[SW13]dhcp server forbidden-ip 193.168.30.2
FW1配置
爲簡單起見將所需端口都加入trust zone
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/1
[FW1-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW1]interface Ethernet0/1
[FW1-Ethernet0/1]ip address 193.168.10.1 255.255.255.0
[FW1-Ethernet0/1]interface ethernet 0/2
[FW1-Ethernet0/2]ip address 192.168.10.1 255.255.255.0
配置默認路由
[FW1]ip route-static 0.0.0.0 0 193.168.10.2
爲了減少不必要讓人鬱悶的錯誤[FW1]ping 193.168.10.2確認FW1與三層交換機鏈路狀態
配置acl
[FW1]acl number 3000
[FW1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[FW1-acl-adv-3000]rule deny ip source any destination any
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[FW1-acl-adv-3001]rule deny ip source any destination any
配置ike
[FW1]ike local-name fw1
[FW1]ike peer peer1
[FW1-ike-peer-peer1]exchange-mode aggressive
[FW1-ike-peer-peer1]id-type name
[FW1-ike-peer-peer1]pre-shared-key 12345
[FW1-ike-peer-peer1]remote-name fw2
[FW1-ike-peer-peer1]local-address 193.168.10.1
[FW1]ike peer peer2
[FW1-ike-peer-peer2]exchange-mode aggressive
[FW1-ike-peer-peer2]id-type name
[FW1-ike-peer-peer2]local-address 193.168.10.1
[FW1-ike-peer-peer2]pre-shared-key abcde
[FW1-ike-peer-peer2]remote-name fw3
配置proposal
[FW1]ipsec proposal proposal1
[FW1-ipsec-proposal-proposal1]encapsulation-mode tunnel
[FW1-ipsec-proposal-proposal1]esp authentication-algorithm md5
[FW1-ipsec-proposal-proposal1]esp encryption-algorithm des
[FW1-ipsec-proposal-proposal1]transform esp
配置policy
[FW1]ipsec policy policy 1 isakmp
[FW1-ipsec-policy-isakmp-policy-1]ike-peer peer1
[FW1-ipsec-policy-isakmp-policy-1]proposal proposal1
[FW1-ipsec-policy-isakmp-policy-1]security acl 3000
[FW1]ipsec policy policy 2 isakmp
[FW1-ipsec-policy-isakmp-policy-2]ike-peer peer2
[FW1-ipsec-policy-isakmp-policy-2]proposal proposal1
[FW1-ipsec-policy-isakmp-policy-2]security acl 3001
將ipsec policy應用到接口上
[FW1]inter Ethernet 0/1
[FW1-Ethernet0/1]ipsec policy policy
FW2配置
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/1
[FW2-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW2]interface Ethernet 0/1
[FW2-Ethernet0/1]ip address 193.168.20.1 255.255.255.0
[FW2-Ethernet0/3]interface ethernet 0/2
[FW2-Ethernet0/2]ip address 192.168.20.1 255.255.255.0
配置默認路由
[FW2]ip route-static 0.0.0.0 0 193.168.20.2
配置acl
[FW2]acl number 3000
[FW2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[FW2-acl-adv-3000]rule deny ip source any destination any
配置ike
[FW2]ike local-name fw2
[FW2-ike-peer-peer1]exchange-mode aggressive
[FW2-ike-peer-peer1]id-type name
[FW2-ike-peer-peer1]pre-shared-key 12345
[FW2-ike-peer-peer]remote-name fw1 //在啓用aggressive ,id-type爲name時配置
[FW2-ike-peer-peer]remote-address 193.168.10.1 //remote-address或remote-name都可以
配置ipsec proposal
[FW2-ipsec-proposal-proposal]encapsulation-mode tunnel
[FW2-ipsec-proposal-proposal]esp authentication-algorithm md5
[FW2-ipsec-proposal-proposal]esp encryption-algorithm des
[FW2-ipsec-proposal-proposal]transform esp
配置ipsec policy
[FW2]ipsec policy policy 1 isakmp
[FW2-ipsec-policy-isakmp-plicy-1]ike-peer peer1
[FW2-ipsec-policy-isakmp-plicy-1]proposal proposal
[FW2-ipsec-policy-isakmp-plicy-1]security acl 3000
將ipsec policy應用到接口上
[FW2]inter Ethernet 0/1
[FW2-Ethernet0/1]ipsec policy policy
FW3配置
[FW3]firewall zone trust
[FW3-zone-trust]add interface Ethernet 0/1
[FW3-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW3]interface Ethernet 0/1
[FW3-Ethernet0/1]ip address 193.168.30.1 255.255.255.0
[FW3-Ethernet0/3]interface ethernet 0/2
[FW3-Ethernet0/2]ip address 192.168.30.1 255.255.255.0
配置默認路由
[FW3]ip route-static 0.0.0.0 0 193.168.30.2
配置acl
[FW3]acl number 3000
[FW3-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[FW3-acl-adv-3000]rule deny ip source any destination any
配置ike
[FW3]ike local-name fw3
[FW3-ike-peer-peer1]exchange-mode aggressive
[FW3-ike-peer-peer1]id-type name
[FW3-ike-peer-peer1]pre-shared-key abcde
[FW3-ike-peer-peer]remote-name fw1 //在啓用aggressive ,id-type爲name時配置
[FW3-ike-peer-peer]remote-address 193.168.10.1 //remote-address或remote-name都可以
配置ipsec proposal
[FW3-ipsec-proposal-proposal]encapsulation-mode tunnel
[FW3-ipsec-proposal-proposal]esp authentication-algorithm md5
[FW3-ipsec-proposal-proposal]esp encryption-algorithm des
[FW3-ipsec-proposal-proposal]transform esp
配置ipsec policy
[FW3]ipsec policy policy 1 isakmp
[FW3-ipsec-policy-isakmp-plicy-1]ike-peer peer1
[FW3-ipsec-policy-isakmp-plicy-1]proposal proposal
[FW3-ipsec-policy-isakmp-plicy-1]security acl 3000
將ipsec policy應用到接口上
[FW3]inter Ethernet 0/1
[FW3-Ethernet0/1]ipsec policy policy
