Configuring VPN on a router [IPSec part]
Author:    Source:    Hits:    Date: 2007-8-26 11:34:50

  L2TP VPN is simple to use, reasonably efficient and very widely deployed, but because its confidentiality protection is not very strong, its use is restricted in many scenarios. IPSec, by contrast, offers stronger security properties, such as data encryption and authentication.

  IPSec negotiation has two phases. Phase 1 is the ISAKMP/IKE phase, in which the authentication method, the encryption method and the keys are settled. This can be done by hand (Manual) or by negotiation between the two parties (IKE). With manual keying everything is statically specified, which reduces the router's computational load, but the key never changes once it has been set, so it is less secure. With IKE the routers negotiate the parameters themselves and change them periodically, which is considerably more secure. Phase 2 then invokes the authentication method, encryption method and keys agreed in Phase 1 to establish the IPSec security tunnel.

  In most cases we use IKE to determine the encryption and authentication algorithms.

  We start with a case study of establishing an IPSec tunnel between two routers.

  The network topology, in brief:

  LAN1(192.168.0.0/24)——RT1(10.0.0.1/24)——(10.0.0.2/24)RT2——LAN2(172.16.0.0/24)

RT1#show run
Building configuration...
Current configuration:
!
!version 1.3.2C
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT1
!
crypto isakmp key 123456 10.0.0.2 255.255.255.255   //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100                            //create the ISAKMP policy
 hash md5                                           //hash algorithm, protects data integrity
!
crypto ipsec transform-set 100                      //create the transform set
 transform-type ah-md5-hmac esp-des                 //MD5 authentication and DES encryption; configurable, but must match the peer
!
//the lines above are the Phase 1 configuration; Phase 2 negotiation starts here
crypto map bdcom 100 ipsec-isakmp                   //create the IPsec crypto map
 set peer 10.0.0.2                                  //IP address of the peer (IPsec) router
 set transform-set 100                              //reference the transform set
 match address ACL                                  //reference the access list that selects which traffic IPsec protects
!
interface Loopback0                                 //loopback interface simulating the local LAN segment
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface Ethernet1/2                               //router WAN interface
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 crypto map bdcom                                   //apply the crypto map to the physical interface to activate IPsec
 duplex half
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
!
interface Serial2/1
 no ip address
 no ip directed-broadcast
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
!
ip route 172.16.0.0 255.255.255.0 10.0.0.2          //static route; the next hop is the IPsec tunnel endpoint address
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL                         //extended access list defining which IP traffic is protected
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0   //only one entry can be configured here; if there are several, only the first takes effect
!
!
ivr-cfg
!
!

RT2#show run
!version 1.3.1S
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname RT2
!
!
crypto isakmp key 123456 10.0.0.1 255.255.255.255   //ISAKMP pre-shared key; must match the peer
!
crypto isakmp policy 100                            //define the ISAKMP policy
 hash md5                                           //hash algorithm
!
crypto ipsec transform-set 100                      //configuration and comments are the same as on RT1; make sure both ends stay consistent
 transform-type ah-md5-hmac esp-des
!
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set 100
 match address ACL
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 no ip directed-broadcast
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map bdcom
 no ip directed-broadcast
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 ip address negotiated
 no ip directed-broadcast
!
!
ip route 192.168.0.0 255.255.255.0 10.0.0.1
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ivr-cfg
!

  IPsec configuration is fairly involved and may be hard to memorize at first, so here is a template:

ip access-list extended access-list-name            //create the ACL that selects which packets need protection
crypto isakmp policy priority                       //Phase 1: IKE authentication, encryption, integrity checking, etc.
 authentication {pre-share|rsa-sig|rsa-encr}
 encryption {des|3des}
 group {1|2}
 hash {sha|md5}
 lifetime seconds
crypto isakmp key keystring peer-address            //pre-shared key for the IKE phase
crypto ipsec transform-set transform-set-name       //Phase 2: IPsec begins
 transform-type transform-type                      //encryption and authentication applied to the upper-layer data
 mode {tunnel | transport}                          //IPsec mode of operation, default is tunnel
crypto map map-name seq-num ipsec-isakmp            //create the IPsec crypto map, which references the policies defined above
 set peer ip-address
 match address access-list-name
 set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
 set pfs [group1|group2]
 set security-association lifetime [seconds seconds | kilobytes kilobytes]

  Note that not every parameter listed here is required, but one rule is fundamental: the configuration on both sides must match. Also, fewer negotiated parameters mean faster negotiation but lower security, while more negotiated parameters mean higher security but a heavier load on the router.
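The "both sides must match" rule is easy to break by hand, so here is an added example (not from the original article and not a vendor tool) of a small Python checker that parses two show-run excerpts in the style shown above and verifies peer consistency: same pre-shared key, same hash, same transform set, crypto-map peers that point at each other's WAN address, and mirror-image crypto ACLs. It also flags a crypto ACL with more than one entry, since the article notes that only the first entry takes effect on this platform. The sample input is the crypto-relevant subset of the RT1/RT2 configurations above, constructed inline with comments stripped; `parse_config` and `check_peers` are hypothetical helper names chosen for this example.

```python
# Constructed sample input: the IPsec-relevant lines of RT1 and RT2 from the
# article, one command per line, sub-commands indented by one space.
RT1_CONFIG = """
hostname RT1
crypto isakmp key 123456 10.0.0.2 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set 100
 match address ACL
interface Ethernet1/2
 ip address 10.0.0.1 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
"""

RT2_CONFIG = """
hostname RT2
crypto isakmp key 123456 10.0.0.1 255.255.255.255
crypto isakmp policy 100
 hash md5
crypto ipsec transform-set 100
 transform-type ah-md5-hmac esp-des
crypto map bdcom 100 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set 100
 match address ACL
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map bdcom
ip access-list extended ACL
 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""


def parse_config(text):
    """Extract the IPsec-relevant parameters from a show-run style config (hypothetical helper)."""
    cfg = {"host": None, "psk": None, "hash": None, "transforms": {},
           "maps": {}, "acls": {}, "wan": None}
    section = None          # (kind, name) of the indented block we are inside
    iface_addr, iface_map = None, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        toks = raw.split()
        if not raw.startswith(" "):             # top-level command: opens a new block
            section = None
            if toks[0] == "hostname":
                cfg["host"] = toks[1]
            elif toks[:3] == ["crypto", "isakmp", "key"]:
                cfg["psk"] = (toks[3], toks[4])  # (key, peer address)
            elif toks[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", toks[3])
            elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
                section = ("transform", toks[3])
                cfg["transforms"][toks[3]] = []
            elif toks[:2] == ["crypto", "map"]:
                section = ("map", toks[2])
                cfg["maps"][toks[2]] = {}
            elif toks[0] == "interface":
                section = ("interface", toks[1])
                iface_addr, iface_map = None, False
            elif toks[:2] == ["ip", "access-list"]:
                section = ("acl", toks[3])
                cfg["acls"][toks[3]] = []
            continue
        kind = section[0] if section else None
        if kind == "policy" and toks[0] == "hash":
            cfg["hash"] = toks[1]
        elif kind == "transform" and toks[0] == "transform-type":
            cfg["transforms"][section[1]] = toks[1:]
        elif kind == "map":
            if toks[:2] == ["set", "peer"]:
                cfg["maps"][section[1]]["peer"] = toks[2]
            elif toks[:2] == ["set", "transform-set"]:
                cfg["maps"][section[1]]["transform"] = toks[2]
            elif toks[:2] == ["match", "address"]:
                cfg["maps"][section[1]]["acl"] = toks[2]
        elif kind == "interface":
            if toks[:2] == ["ip", "address"]:
                iface_addr = toks[2]
            elif toks[:2] == ["crypto", "map"]:
                iface_map = True
            if iface_map and iface_addr:        # the interface carrying the crypto map is the WAN side
                cfg["wan"] = iface_addr
        elif kind == "acl" and toks[0] == "permit":
            cfg["acls"][section[1]].append(tuple(toks[2:6]))  # (src, src_mask, dst, dst_mask)
    return cfg


def active_map(cfg):
    """Return (peer, transform list, ACL entries) of the router's single crypto map."""
    m = next(iter(cfg["maps"].values()))
    return (m.get("peer"), cfg["transforms"].get(m.get("transform"), []),
            cfg["acls"].get(m.get("acl"), []))


def check_peers(a, b):
    """Return a list of consistency problems between two peer configs (empty means consistent)."""
    problems = []
    if a["psk"][0] != b["psk"][0]:
        problems.append("pre-shared keys differ")
    if a["psk"][1] != b["wan"] or b["psk"][1] != a["wan"]:
        problems.append("isakmp key peer address does not match the other side's WAN address")
    if a["hash"] != b["hash"]:
        problems.append("hash mismatch: %s vs %s" % (a["hash"], b["hash"]))
    pa, ta, acl_a = active_map(a)
    pb, tb, acl_b = active_map(b)
    if pa != b["wan"] or pb != a["wan"]:
        problems.append("crypto map peers do not point at each other")
    if ta != tb:
        problems.append("transform sets differ: %s vs %s" % (ta, tb))
    if len(acl_a) > 1 or len(acl_b) > 1:
        problems.append("crypto ACL has more than one entry; only the first takes effect")
    if not acl_a or not acl_b:
        problems.append("crypto ACL is empty")
    else:
        sa, sam, da, dam = acl_a[0]
        sb, sbm, db, dbm = acl_b[0]
        if (sa, sam, da, dam) != (db, dbm, sb, sbm):   # each side protects the reverse flow
            problems.append("crypto ACLs are not mirror images of each other")
    return problems


if __name__ == "__main__":
    issues = check_peers(parse_config(RT1_CONFIG), parse_config(RT2_CONFIG))
    print("consistent" if not issues else "\n".join(issues))
```

Running it on the article's RT1/RT2 pair reports no problems; changing RT2 to `esp-3des`, to a different `crypto isakmp key`, or adding a second `permit` line to its ACL makes the corresponding check fire, which is exactly the class of mistake that otherwise shows up only as a silent Phase 1 or Phase 2 negotiation failure.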

  The case above covers two routers that both have fixed IP addresses, but a far more common situation is a central router with a fixed IP and many branch sites on ADSL or similar connections without a fixed IP. In that case we need dynamic IPSec. The configuration is essentially the same; what needs attention is the configuration at the central end.


  This way, as long as the encryption and authentication algorithms are correct, an IPsec negotiation arriving from any remote router or LAN will be accepted, so even with many IPsec branch sites there is no need to maintain a separate configuration for each.

BD1710#show run
Building configuration...
Current configuration:
!
!version 1.3.1S
service timestamps log date
service timestamps debug date
service password-encryption
!
hostname BD1710                                     //branch-site access router
!
aaa authentication login default enable
enable password 7 123233445E28 level 15
!
crypto isakmp key test 211.162.108.36 255.255.255.255   //specifies the central router's IP
!
crypto isakmp policy 100                            //IKE policy
 hash md5
!
crypto ipsec transform-set test                     //IPsec transform set
 transform-type ah-md5-hmac esp-3des
!
crypto map bdcom 10 ipsec-isakmp                    //static IPsec crypto map
 set peer 211.162.108.36
 set pfs group1
 set transform-set test
 match address ipsec
!
!
interface FastEthernet0/0                           //branch-site WAN interface; could equally be ADSL or similar
 ip address 220.114.196.122 255.255.255.128
 no ip directed-broadcast
 crypto map bdcom                                   //apply IPsec to the interface
!
interface Ethernet0/1                               //branch-site LAN
 ip address 10.1.128.10 255.255.255.0
 no ip directed-broadcast
 duplex full
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
!
ip route default 220.114.196.126
!
gateway-cfg
 Gateway keepAlive 60
 shutdown
!
!
ip access-list extended ipsec
 permit ip 10.1.128.0 255.255.255.0 192.166.1.0 255.255.255.0
!
!
ivr-cfg
!
!
