野蛮模式的特别之处:
1. 野蛮模式支持NAT转化,主动模式不支持;
2. 野蛮模式支持以Name方式标识对等体,主动模式只支持ip地址方式标识。
当部署***两端是动态ip地址的时候,例如通过ADSL方式上网,主动模式就束手无策了,因为它只支持ip地址方式标识,当ip地址不是固定的。而野蛮模式可以通过Name标识,没有经过不确定的ip地址,能够成功的构建***。
IPSec主模式和野蛮模式的区别包含如下几点:
1. 交换的消息:主模式为6个,野蛮模式为3个。
2. NAT支持:对预共享密钥认证:主模式不支持NAT转换,而野蛮模式支持。而对于证书方式认证:两种模式都能支持。
3. 对等体标识:主模式只能采用IP地址方式标识对等体;而野蛮模式可以采用IP地址方式或者Name方式标识对等体。这是由于主模式在交换完3、4消息以后,需要使用预共享密钥来计算SKEYID,当一个设备有多个对等体时,必须查找到该对等体对应的预共享密钥,但是由于其对等体的ID信息在消息5、6中才会发送,此时主模式的设备只能使用消息3、4中的IP报文源地址来找到与其对应的预共享密钥;如果主模式采用Name方式,Name信息却包含在消息5、6中,而设备必须在消息5、6之前找到其对等体的预共享密钥,所以就造成了矛盾,无法完成Name方式的标识。
而在野蛮模式中,ID消息在消息1、2中就已经发送了,设备可以根据ID信息查找到对应的预共享密钥,从而计算SKEYID。但是由于野蛮模式交换的3个消息没有经过加密,所以ID信息也是明文的,也相应造成了安全隐患。
4. 提议转换对数量:在野蛮模式中,由于第一个消息就需要交换DH消息,而DH消息本身就决定了采用哪个DH组,这样在提议转换对中就确定了使用哪个DH组,如果第一个消息中包含多个提议转换对,那么这多个转换对的DH组必须相同(和DH消息确定的DH组一致),否则消息1中只能携带和确定DH组相同的提议转换对。
5. 协商能力:由于野蛮模式交换次数的限制,因此野蛮模式协商能力低于主模式。
配置任务
更多关于ipsec的介绍请参考附件
下面做实际配置,设备三台H3C SecPath F100-C 防火墙,一台HUAWEI Quidway 三层交换机
拓扑
![]()
三层交换机配置
配置ip地址
[S13]vlan 5
[S13-vlan5]port Ethernet 0/5
[S13-vlan5]vlan 10
[S13-vlan10]port ethernet 0/10
[S13-vlan10]vlan 15
[S13-vlan15]port ethernet 0/15
[S13-vlan15]inter vlan 5
[S13-Vlan-interface5]ip ad 193.168.10.2 255.255.255.0
[S13-Vlan-interface5]inter vlan 10
[S13-Vlan-interface10]ip ad 193.168.20.2 255.255.255.0
[S13-Vlan-interface10]inter vlan 15
[S13-Vlan-interface15]ip ad 193.168.30.2 255.255.255.0
配置dhcp服务
[SW13]dhcp enable
[SW13]dhcp server ip-pool fw2
[SW13-dhcp-fw2]network 193.168.20.0
[SW13-dhcp-fw2]dhcp server ip-pool fw3
[SW13-dhcp-fw3]network 193.168.30.0
[SW13]dhcp server forbidden-ip 193.168.20.2
[SW13]dhcp server forbidden-ip 193.168.30.2
FW1配置
为简单起见将所需端口都加入trust zone
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/1
[FW1-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW1]interface Ethernet0/1
[FW1-Ethernet0/1]ip address 193.168.10.1 255.255.255.0
[FW1-Ethernet0/1]interface ethernet 0/2
[FW1-Ethernet0/2]ip address 192.168.10.1 255.255.255.0
配置默认路由
[FW1]ip route-static 0.0.0.0 0 193.168.10.2
为了减少不必要让人郁闷的错误[FW1]ping 193.168.10.2确认FW1与三层交换机链路状态
配置acl
[FW1]acl number 3000
[FW1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[FW1-acl-adv-3000]rule deny ip source any destination any
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[FW1-acl-adv-3001]rule deny ip source any destination any
配置ike
[FW1]ike local-name fw1
[FW1]ike peer peer1
[FW1-ike-peer-peer1]exchange-mode aggressive
[FW1-ike-peer-peer1]id-type name
[FW1-ike-peer-peer1]pre-shared-key 12345
[FW1-ike-peer-peer1]remote-name fw2
[FW1-ike-peer-peer1]local-address 193.168.10.1
[FW1]ike peer peer2
[FW1-ike-peer-peer2]exchange-mode aggressive
[FW1-ike-peer-peer2]id-type name
[FW1-ike-peer-peer2]local-address 193.168.10.1
[FW1-ike-peer-peer2]pre-shared-key abcde
[FW1-ike-peer-peer2]remote-name fw3
配置proposal
[FW1]ipsec proposal proposal1
[FW1-ipsec-proposal-proposal1]encapsulation-mode tunnel
[FW1-ipsec-proposal-proposal1]esp authentication-algorithm md5
[FW1-ipsec-proposal-proposal1]esp encryption-algorithm des
[FW1-ipsec-proposal-proposal1]transform esp
配置policy
[FW1]ipsec policy policy 1 isakmp
[FW1-ipsec-policy-isakmp-policy-1]ike-peer peer1
[FW1-ipsec-policy-isakmp-policy-1]proposal proposal1
[FW1-ipsec-policy-isakmp-policy-1]security acl 3000
[FW1]ipsec policy policy 2 isakmp
[FW1-ipsec-policy-isakmp-policy-2]ike-peer peer2
[FW1-ipsec-policy-isakmp-policy-2]proposal proposal1
[FW1-ipsec-policy-isakmp-policy-2]security acl 3001
将ipsec policy应用到接口上
[FW1]inter Ethernet 0/1
[FW1-Ethernet0/1]ipsec policy policy
FW2配置
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/1
[FW2-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW2]interface Ethernet 0/1
[FW2-Ethernet0/1]ip address 193.168.20.1 255.255.255.0
[FW2-Ethernet0/3]interface ethernet 0/2
[FW2-Ethernet0/2]ip address 192.168.20.1 255.255.255.0
配置默认路由
[FW2]ip route-static 0.0.0.0 0 193.168.20.2
配置acl
[FW2]acl number 3000
[FW2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[FW2-acl-adv-3000]rule deny ip source any destination any
配置ike
[FW2]ike local-name fw2
[FW2-ike-peer-peer1]exchange-mode aggressive
[FW2-ike-peer-peer1]id-type name
[FW2-ike-peer-peer1]pre-shared-key 12345
[FW2-ike-peer-peer]remote-name fw1 //在启用aggressive ,id-type为name时配置
[FW2-ike-peer-peer]remote-address 193.168.10.1 //remote-address或remote-name都可以
配置ipsec proposal
[FW2-ipsec-proposal-proposal]encapsulation-mode tunnel
[FW2-ipsec-proposal-proposal]esp authentication-algorithm md5
[FW2-ipsec-proposal-proposal]esp encryption-algorithm des
[FW2-ipsec-proposal-proposal]transform esp
配置ipsec policy
[FW2]ipsec policy policy 1 isakmp
[FW2-ipsec-policy-isakmp-plicy-1]ike-peer peer1
[FW2-ipsec-policy-isakmp-plicy-1]proposal proposal
[FW2-ipsec-policy-isakmp-plicy-1]security acl 3000
将ipsec policy应用到接口上
[FW2]inter Ethernet 0/1
[FW2-Ethernet0/1]ipsec policy policy
FW3配置
[FW3]firewall zone trust
[FW3-zone-trust]add interface Ethernet 0/1
[FW3-zone-trust]add interface Ethernet 0/2
配置ip地址
[FW3]interface Ethernet 0/1
[FW3-Ethernet0/1]ip address 193.168.30.1 255.255.255.0
[FW3-Ethernet0/3]interface ethernet 0/2
[FW3-Ethernet0/2]ip address 192.168.30.1 255.255.255.0
配置默认路由
[FW3]ip route-static 0.0.0.0 0 193.168.30.2
配置acl
[FW3]acl number 3000
[FW3-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[FW3-acl-adv-3000]rule deny ip source any destination any
配置ike
[FW3]ike local-name fw3
[FW3-ike-peer-peer1]exchange-mode aggressive
[FW3-ike-peer-peer1]id-type name
[FW3-ike-peer-peer1]pre-shared-key abcde
[FW3-ike-peer-peer]remote-name fw1 //在启用aggressive ,id-type为name时配置
[FW3-ike-peer-peer]remote-address 193.168.10.1 //remote-address或remote-name都可以
配置ipsec proposal
[FW3-ipsec-proposal-proposal]encapsulation-mode tunnel
[FW3-ipsec-proposal-proposal]esp authentication-algorithm md5
[FW3-ipsec-proposal-proposal]esp encryption-algorithm des
[FW3-ipsec-proposal-proposal]transform esp
配置ipsec policy
[FW3]ipsec policy policy 1 isakmp
[FW3-ipsec-policy-isakmp-plicy-1]ike-peer peer1
[FW3-ipsec-policy-isakmp-plicy-1]proposal proposal
[FW3-ipsec-policy-isakmp-plicy-1]security acl 3000
将ipsec policy应用到接口上
[FW3]inter Ethernet 0/1
[FW3-Ethernet0/1]ipsec policy policy
