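system-view //enter system view
enter system view, return user view with ctrl+z.
[huawei]sysname ar-1 //change the hostname to ar-1
[ar-1]int g0/0/0 //enter the interface
[ar-1-gigabitethernet0/0/0]ip address 172.16.10.254 24 //configure the IP address and subnet mask
[ar-1-gigabitethernet0/0/0]int g0/0/1 //switch to the other interface
[ar-1-gigabitethernet0/0/1]ip address 100.0.0.1 30 //configure the IP address and subnet mask
[ar-1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2 //configure the static route
[r1]ike proposal 1 //enter the IKE security proposal view
[r1-ike-proposal-1]encryption-algorithm 3des-cbc //configure the encryption algorithm
[r1-ike-proposal-1]authentication-algorithm md5 //configure the authentication algorithm
[r1-ike-proposal-1]authentication-method pre-share //configure the authentication method: pre-shared key
[r1-ike-proposal-1]dh group2 //configure the DH algorithm, which keeps the keys secure
[ar-1-ike-proposal-1]q //return to the upper level, system view
---specify the tunnel's remote end (peer)
[r1]ike peer 200.0.0.2 v1 //create the peer relationship
[r1-ike-peer-200.0.0.2]pre-shared-key ****** abc //configure the authentication passphrase
[r1-ike-peer-200.0.0.2]ike-proposal 1 //reference the security proposal
[r1-ike-peer-200.0.0.2]remote-address 200.0.0.2 //point to the specific peer
[r3]dis ike proposal //view the security proposal information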
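[r1]acl number 3000 //create advanced ACL 3000
[r1-acl-adv-3000]rule permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255 //match the traffic to protect with IPsec
[ar-1-acl-adv-3000]q //return to the upper level, system view
[r1]ipsec proposal 1 //create the IPsec proposal
[r1-ipsec-proposal-1]transform esp //use ESP as the security protocol
[ar-1-ipsec-proposal-1]q //return to the upper level, system view
[r1]ipsec policy jiayou 1 isakmp //create IPsec policy jiayou, sequence 1, negotiated by IKE
[r1-ipsec-policy-isakmp-jiayou-1]security acl 3000 //bind ACL 3000
[r1-ipsec-policy-isakmp-jiayou-1]proposal 1 //reference the IPsec proposal
[r1-ipsec-policy-isakmp-jiayou-1]ike-peer 200.0.0.2 //reference the IKE peer
[ar-1]int g0/0/1 //enter interface g0/0/1
[ar-1-gigabitethernet0/0/1]ipsec policy jiayou //apply the policy on the interface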
system-view //enter system view
enter system view, return user view with ctrl+z.
[huawei]sysname isp-1 //change the hostname to isp-1
[isp-1-gigabitethernet0/0/0]ip address 100.0.0.2 30 //configure the IP address and subnet mask
[isp-1-gigabitethernet0/0/0]int g0/0/1 //switch to the other interface
[isp-1-gigabitethernet0/0/1]ip address 200.0.0.1 30 //configure the IP address and subnet mask
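system-view //enter system view
enter system view, return user view with ctrl+z.
[huawei]sysname ar-3 //change the hostname to ar-3
[ar-3]int g0/0/0 //enter the interface
[ar-3-gigabitethernet0/0/0]ip address 200.0.0.2 30 //configure the IP address and subnet mask
[ar-3-gigabitethernet0/0/0]int g0/0/1 //switch to the other interface
[ar-3-gigabitethernet0/0/1]ip address 10.10.33.254 24 //configure the IP address and subnet mask
[ar-3]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //configure the static route
[r3]ike proposal 1 //enter the IKE security proposal view
[r3-ike-proposal-1]encryption-algorithm 3des-cbc //configure the encryption algorithm
[r3-ike-proposal-1]authentication-algorithm md5 //configure the authentication algorithm
[r3-ike-proposal-1]authentication-method pre-share //configure the authentication method: pre-shared key
[r3-ike-proposal-1]dh group2 //configure the DH algorithm, which keeps the keys secure
[ar-3-ike-proposal-1]q //return to the upper level, system view
---specify the tunnel's remote end (peer)
[r3]ike peer 100.0.0.1 v1 //create the peer relationship
[r3-ike-peer-100.0.0.1]pre-shared-key ****** abc //configure the authentication passphrase
[r3-ike-peer-100.0.0.1]ike-proposal 1 //reference the security proposal
[r3-ike-peer-100.0.0.1]remote-address 100.0.0.1 //point to the specific peer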
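[r3]acl number 3000 //create advanced ACL 3000
[r3-acl-adv-3000]rule permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255 //match the traffic to protect with IPsec
[ar-3-acl-adv-3000]q //return to the upper level, system view
[r3]ipsec proposal 1 //create the IPsec proposal
[r3-ipsec-proposal-1]transform esp //use ESP as the security protocol
[ar-3-ipsec-proposal-1]q //return to the upper level, system view
[r3]ipsec policy jiayou 1 isakmp //create IPsec policy jiayou, sequence 1, negotiated by IKE
[r3-ipsec-policy-isakmp-jiayou-1]security acl 3000 //bind ACL 3000
[r3-ipsec-policy-isakmp-jiayou-1]proposal 1 //reference the IPsec proposal
[r3-ipsec-policy-isakmp-jiayou-1]ike-peer 100.0.0.1 //reference the IKE peer
[ar-3]int g0/0/0 //enter interface g0/0/0
[ar-3-gigabitethernet0/0/0]ipsec policy jiayou //apply the policy on the interface
[r3]dis ike sa //view the tunnel establishment status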
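
An added example, not part of the original lab: a Python check over the two peers' commands as configured above. It reports the IKE settings that current guidance discourages (3des-cbc, md5, dh group2, IKE v1, a very short pre-shared key) and confirms that the ACL 3000 rules on the two routers mirror each other. The function names, the embedded config strings and the 20-character key threshold are assumptions made for this example.

```python
import re

# Constructed sample input: commands from the two peers above, prompts stripped.
IKE = """ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
dh group2
pre-shared-key ****** abc
"""
R1 = IKE + ("ike peer 200.0.0.2 v1\n"
            "rule permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255\n")
R3 = IKE + ("ike peer 100.0.0.1 v1\n"
            "rule permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255\n")

# Settings discouraged by current guidance (RFC 8247 algorithms, RFC 9395 IKEv1).
WEAK = [
    (r"^encryption-algorithm\s+(des|3des)", "weak cipher"),
    (r"^authentication-algorithm\s+md5\b", "weak hash"),
    (r"^dh\s+group(1|2|5)\b", "weak DH group"),
    (r"^ike peer\s+\S+\s+v1\b", "IKEv1 peer"),
]

def weak_settings(cfg, min_psk_len=20):  # 20 is an assumed policy threshold
    """Return (line, reason) for each discouraged IKE setting in one peer's config."""
    findings = []
    for line in cfg.splitlines():
        line = line.strip().lower()
        for pattern, reason in WEAK:
            if re.search(pattern, line):
                findings.append((line, reason))
        # The last token is treated as the key, as on this page; never echo it.
        if line.startswith("pre-shared-key") and len(line.split()[-1]) < min_psk_len:
            findings.append(("pre-shared-key <redacted>", "short pre-shared key"))
    return findings

def acl_flow(cfg):
    """Return ((src, wildcard), (dst, wildcard)) of the first permit rule, or None."""
    m = re.search(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", cfg)
    return ((m.group(1), m.group(2)), (m.group(3), m.group(4))) if m else None

def acls_mirrored(a, b):
    """True when peer a's source/destination equal peer b's destination/source."""
    fa, fb = acl_flow(a), acl_flow(b)
    return bool(fa and fb) and fa == fb[::-1]

if __name__ == "__main__":
    for name, cfg in (("r1", R1), ("r3", R3)):
        for line, reason in weak_settings(cfg):
            print(f"{name}: {reason}: {line}")
    print("ACL 3000 mirrored:", acls_mirrored(R1, R3))
```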