一、实验原理

IPsec在互联网中提供端到端的数据报通信安全，通过加密和认证方式保护IP数据报及其封装的数据。IPsec是一个框架协议，包括AH、ESP、SA、IKE等协议。IPsec可以采用直接传输和隧道封装两种模式工作，在通过互联网承载的站点间VPN中通常采用隧道模式。隧道模式是将原始IP数据报作为有效载荷封装在IPsec报头里。

二、实验拓扑图

 

三、实验步骤

1. 将MSR36-20_4路由器重命名为R_SH进行配置

[R_SH]int ge 0/0
[R_SH-GigabitEthernet0/0]ip address 10.1.1.254 24
[R_SH-GigabitEthernet0/0]quit[R_SH]int se 1/0
[R_SH-Serial1/0]ip address 219.230.139.1 24
[R_SH-Serial1/0]quit
[R_SH]save// 启用OSFP[R_SH]ospf 1
[R_SH-ospf-1]area 0
[R_SH-ospf-1-area-0.0.0.0]network 219.230.139.0 0.0.0.255
[R_SH-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R_SH-ospf-1-area-0.0.0.0]quit
[R_SH-ospf-1]save

 2.第二阶段，定义IKE策略

//一、第一阶段,定义IKE策略//定义预共享密钥
//设置对等体地址，预设身份认证口令
[R_SH]ike keychain key1
[R_SH-ike-keychain-key1]pre-shared-key address 202.96.34.1 key simple ike//注意：如果配置错误，我们可以删除配置的预共享密钥，重新配置
[R_SH-ike-keychain-key1]undo pre-shared-key address 202.96.34.1//进入创建IKE提议，进入配置模式
[R_SH]ike proposal 1//创建IKE提议的配置文件
[R_SH-ike-proposal-1]ike profile profile1//(1)进入配置文件模式，设置本端IP地址
[R_SH-ike-profile-profile1]local-identity address 219.230.139.1[R_SH-ike-profile-profile1]proposal 1//(2)设置采用的预共享密钥key1
[R_SH-ike-profile-profile1]keychain key1//(3)设置对端IP地址
[R_SH-ike-profile-profile1]match remote identity address 202.96.34.1

 

3.第二阶段，定义安全提议

//二、第二阶段,定义安全提议
//创建安全提议
[R_SH]ipsec transform-set tran1//选择隧道封装模式
[R_SH-ipsec-transform-set-tran1]encapsulation-mode tunnel//协商封装协议
[R_SH-ipsec-transform-set-tran1]protocol esp//协商认证算法
[R_SH-ipsec-transform-set-tran1]esp authentication-algorithm sha1
//协商加密算法
[R_SH-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc

4.第三阶段访问控制列表，应用控制策略

//三、第三阶段访问控制列表，应用控制策略//创建高级访问控制列表ACL，进入ACL配置模式
[R_SH]acl advanced 3000
//定义访问控制规则
[R_SH-acl-ipv4-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.
1.2.0 0.0.0.255
[R_SH-acl-ipv4-adv-3000]quit//创建密钥管理策略，进入策略配置模式
[R_SH]ipsec policy policy1 10 isakmp
[R_SH-ipsec-policy-isakmp-policy1-10]security acl 3000
[R_SH-ipsec-policy-isakmp-policy1-10]ike-profile profile1
[R_SH-ipsec-policy-isakmp-policy1-10]transform-set tran1
[R_SH-ipsec-policy-isakmp-policy1-10]remote-address 202.96.34.1//在接口se0/1上应用上述密钥管理策略
[R_SH]int ser 1/0
[R_SH-Serial1/0]ipsec apply policy policy1
[R_SH-Serial1/0]save

 5.将MSR36-20_1路由器重命名为R_ISP进行配置

（二）配置运营商路由器R_ISP
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R_ISP
[R_ISP]int se 1/0
[R_ISP-Serial1/0]ip address 219.230.139.2 24
[R_ISP-Serial1/0]quit
[R_ISP]int se 2/0
[R_ISP-Serial2/0]ip address 202.96.34.2 24
[R_ISP-Serial2/0]quit
[R_ISP]save//配置动态路由
[R_ISP]ospf 1
[R_ISP-ospf-1]area 0
[R_ISP-ospf-1-area-0.0.0.0]network 219.230.139.0 0.0.0.255
[R_ISP-ospf-1-area-0.0.0.0]network 202.96.34.0 0.0.0.255
[R_ISP-ospf-1-area-0.0.0.0]save

6.将MSR36-20_4路由器重新命名为R_B进行配置

[R_BJ]int se 1/0
[R_BJ-Serial1/0]ip address 202.96.34.1 24
[R_BJ-Serial1/0]quit
[R_BJ]int ge 0/0
[R_BJ-GigabitEthernet0/0]ip address 10.1.2.254 24
[R_BJ-GigabitEthernet0/0]quit
[R_BJ]save//配置动态路由协议ospf
[R_BJ]ospf 1
[R_BJ-ospf-1]area 0
[R_BJ-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R_BJ-ospf-1-area-0.0.0.0]network 202.96.34.0 0.0.0.255
[R_BJ-ospf-1-area-0.0.0.0]save

 

//配置IKE提议
//设置对等体IP地址，配置身份验证密码
[R_BJ]ike keychain key1
[R_BJ-ike-keychain-key1]pre-shared-key address 219.230.139.1 key simple ike[R_BJ]ike profile profile1
[R_BJ-ike-profile-profile1]local-identity address 202.96.34.1
[R_BJ-ike-profile-profile1]proposal 1
[R_BJ-ike-profile-profile1]keychain key1
[R_BJ-ike-profile-profile1]match remote identity address 219.230.139.1
[R_BJ-ike-profile-profile1]save//配置安全提议
[R_BJ]ipsec transform-set tran1
[R_BJ-ipsec-transform-set-tran1]encapsulation-mode tunnel
[R_BJ-ipsec-transform-set-tran1]protocol esp
[R_BJ-ipsec-transform-set-tran1]esp authentication-algorithm sha1
[R_BJ-ipsec-transform-set-tran1]esp encryption-algorithm 3des-cbc
[R_BJ-ipsec-transform-set-tran1]save//配置高级访问控制列表ACL
[R_BJ]acl advance 3000
[R_BJ-acl-ipv4-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.
1.1.0 0.0.0.255
[R_BJ-acl-ipv4-adv-3000]save//配置安全策略Policy
[R_BJ]ipsec policy policy1 10 isakmp
[R_BJ-ipsec-policy-isakmp-policy1-10]security acl 3000
[R_BJ-ipsec-policy-isakmp-policy1-10]ike-profile profile1
[R_BJ-ipsec-policy-isakmp-policy1-10]transform-set tran1
[R_BJ-ipsec-policy-isakmp-policy1-10]remote-address 219.230.139.1
[R_BJ-ipsec-policy-isakmp-policy1-10]save//将上述策略应用到路由器接口
[R_BJ]int se1/0
[R_BJ-Serial1/0]ipsec apply policy policy1
[R_BJ-Serial1/0]save

 

 

 

 

 四、最后实验结果

PC1与PC2之间能够相互ping通