Technical documentation
Published: 2023-04-23  Views: 1491  Source: 崔志鹏
HCIE Datacom training course review notes: IKE dynamic negotiation
WOLFLAB official WeChat: 17316362402. [WOLF-LAB Network Technology Lab] HCIE Datacom training courses start every month; contact the website customer service for upcoming HCIE Datacom start dates, HCIE Datacom pricing and training fees.
HCIE Datacom training course theory notes:
Traffic from PC1 to PC2 has to be encrypted by IPsec, so which encapsulation is used, ESP or AH? Only ESP provides confidentiality; AH authenticates the packet (integrity and origin) but never encrypts it, so an encryption requirement rules AH out.
AR1 and AR3 must first run an ISAKMP/IKE negotiation. The negotiation itself has to be protected: an attacker on the path can always capture the packets, so the goal is that what is captured (identities, key material) is encrypted and cannot be tampered with.
How IKE dynamic negotiation works:
IKE has two versions, v1 and v2; v1 is used here.
The IKE negotiation has two phases:
Phase 1: establishes the IKE SA, which protects the phase 2 negotiation.
Two modes:
Main mode: 6 ISAKMP messages; used for site-to-site VPN (identities are exchanged only after the DH keys are derived, in messages 5 and 6, so they travel encrypted).
Aggressive mode: 3 ISAKMP messages; used for remote-access VPN where the peer address is not fixed. It sends the identity and the pre-shared-key hash in the clear, so it is the weaker choice and needs a strong PSK.
Phase 2: establishes the IPsec SA, which protects the user data.
Quick mode: 3 ISAKMP messages, all protected by the phase 1 IKE SA.
Configuration steps:
Step 1: define the interesting traffic (the data to be protected). The two sides' ACLs must be exact mirror images of each other, otherwise phase 2 fails or traffic is protected in one direction only:
[AR1-acl-adv-3000]dis this
[V200R003C00]
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[AR3-acl-adv-3000]dis this
[V200R003C00]
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Step 2: configure phase 1 (IKE proposal and IKE peer). Note that "ike proposal 10" is created without any sub-commands, so it inherits every default value shown below:
[AR1-ike-proposal-10]dis this
[V200R003C00]
#
ike proposal 10
[AR3-ike-proposal-10]dis this
[V200R003C00]
#
ike proposal 10
[AR1]dis ike proposal
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 10
Authentication method : pre-shared //authentication mode: pre-shared key
Authentication algorithm : SHA1 //integrity (HMAC) algorithm
Encryption algorithm : DES-CBC //symmetric encryption algorithm
DH group : MODP-768 //Diffie-Hellman group used for the key exchange (not an "asymmetric encryption algorithm")
SA duration : 86400
PRF : PRF-HMAC-SHA
Caveat: these defaults (single DES, 768-bit DH, SHA1) are acceptable for a lab only. In production set AES-256, SHA2-256 and DH group 14 (MODP-2048) or higher in the proposal; a 768-bit MODP group is within reach of a well-resourced attacker and DES is brute-forceable.
-------------------------------------------
-------------------------------------------
IKE Proposal: Default
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
[AR1-ike-peer-AR3]dis this
[V200R003C00]
#
ike peer AR3 v1 //configure the IKE peer
pre-shared-key simple huawei //"simple" stores the key in plaintext in the running config; use "cipher" so it is stored encrypted, and use a long random key
ike-proposal 10
remote-address 1.1.23.3
[AR3-ike-peer-AR1]dis this
[V200R003C00]
#
ike peer AR1 v1
pre-shared-key simple huawei
ike-proposal 10
remote-address 1.1.12.1
Step 3: configure phase 2 (IPsec proposal). Again the proposal is created empty and takes the defaults shown below:
[AR1-ipsec-proposal-wolf]dis this
[V200R003C00]
#
ipsec proposal wolf
[AR3-ipsec-proposal-wolf]dis this
[V200R003C00]
#
ipsec proposal wolf
[AR1]dis ipsec proposal
Number of proposals: 1
IPSec proposal name: wolf
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
Caveat: ESP with HMAC-MD5-96 and DES is the weak default; for real traffic set ESP encryption to AES-256 and ESP authentication to SHA2-256. Tunnel mode is correct here because the gateways (AR1, AR3) protect traffic on behalf of the LAN hosts.
Step 4: configure the security policy (binds the interesting-traffic ACL, the phase 1 peer and the phase 2 proposal together) and apply it to the outbound interface:
[AR1-ipsec-policy-isakmp-wolf-10]dis this
[V200R003C00]
#
ipsec policy wolf 10 isakmp
security acl 3000
ike-peer AR3
proposal wolf
[AR3-ipsec-policy-isakmp-wolf-10]dis this
[V200R003C00]
#
ipsec policy wolf 10 isakmp
security acl 3000
ike-peer AR1
proposal wolf
[AR1-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 1.1.12.1 255.255.255.0
ipsec policy wolf
[AR3-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 1.1.23.3 255.255.255.0
ipsec policy wolf
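The four steps above are easy to get subtly wrong: a non-mirrored ACL, a remote-address that does not match the peer's interface, or a proposal left at its defaults. The following Python script is an added example (not part of the course notes and not a Huawei tool) that audits the exact `dis this` and `display ... proposal` output quoted on this page. The device text is constructed from the page; the weak-algorithm lists and the suggested replacements are this example's own policy, not a vendor recommendation.

```python
"""Offline audit of the AR1/AR3 IKEv1 + IPsec configuration shown above."""
import re

# Constructed input: the page's 'dis this' fragments per router, concatenated.
AR1_CONFIG = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer AR3 v1
 pre-shared-key simple huawei
 ike-proposal 10
 remote-address 1.1.23.3
interface GigabitEthernet0/0/0
 ip address 1.1.12.1 255.255.255.0
 ipsec policy wolf
"""
AR3_CONFIG = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer AR1 v1
 pre-shared-key simple huawei
 ike-proposal 10
 remote-address 1.1.12.1
interface GigabitEthernet0/0/1
 ip address 1.1.23.3 255.255.255.0
 ipsec policy wolf
"""
# Constructed input: 'display ike proposal' / 'display ipsec proposal' as on the page.
IKE_PROPOSAL = """\
IKE Proposal: 10
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
"""
IPSEC_PROPOSAL = """\
IPSec proposal name: wolf
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
"""

# Thresholds are this example's own policy (assumption), not a vendor list.
WEAK_ENC = {"DES", "DES-CBC", "3DES", "3DES-CBC"}
WEAK_AUTH = {"MD5", "MD5-HMAC-96", "SHA1", "SHA1-HMAC-96"}
WEAK_DH = {"MODP-768", "MODP-1024"}

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
IFACE_RE = re.compile(r"interface \S+\n ip address (\S+) \S+\n ipsec policy \S+")


def field(text, pattern):
    """First capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def acl_rules(config):
    """Set of (src, src_wildcard, dst, dst_wildcard) permit rules."""
    return {m.groups() for m in RULE_RE.finditer(config)}


def acls_mirror(cfg_a, cfg_b):
    """Each side's interesting traffic must be the exact reverse of the other's."""
    flip = lambda r: (r[2], r[3], r[0], r[1])
    return {flip(r) for r in acl_rules(cfg_a)} == acl_rules(cfg_b)


def peers_point_at_each_other(cfg_a, cfg_b):
    """remote-address on each side must equal the IP of the interface that
    carries 'ipsec policy' on the other side."""
    remote = r"^ remote-address (\S+)"
    return (field(cfg_a, remote) == field(cfg_b, IFACE_RE.pattern)
            and field(cfg_b, remote) == field(cfg_a, IFACE_RE.pattern))


def psk_stored_in_plaintext(config):
    """'pre-shared-key simple ...' leaves the key readable in the running config."""
    return re.search(r"^ pre-shared-key simple ", config, re.M) is not None


def audit_proposals(ike_text, ipsec_text):
    """Flag weak algorithms in the IKE (phase 1) and IPsec (phase 2) proposals."""
    checks = [
        ("IKE encryption", field(ike_text, r"Encryption algorithm : (\S+)"), WEAK_ENC, "AES-256"),
        ("IKE integrity", field(ike_text, r"Authentication algorithm : (\S+)"), WEAK_AUTH, "SHA2-256"),
        ("IKE DH group", field(ike_text, r"DH group : (\S+)"), WEAK_DH, "MODP-2048 (group 14) or stronger"),
        ("ESP integrity", field(ipsec_text, r"Authentication (\S+)"), WEAK_AUTH, "SHA2-256"),
        ("ESP encryption", field(ipsec_text, r"Encryption (\S+)"), WEAK_ENC, "AES-256"),
    ]
    return [f"{name}: {value} is weak, use {better}"
            for name, value, weak, better in checks if value in weak]


def audit(cfg_a, cfg_b, ike_text, ipsec_text):
    """Full audit of a two-router setup; returns a list of findings (empty = clean)."""
    findings = audit_proposals(ike_text, ipsec_text)
    if not acls_mirror(cfg_a, cfg_b):
        findings.append("ACL 3000 on the two sides is not a mirror image")
    if not peers_point_at_each_other(cfg_a, cfg_b):
        findings.append("ike peer remote-address does not match the peer's interface IP")
    if psk_stored_in_plaintext(cfg_a) or psk_stored_in_plaintext(cfg_b):
        findings.append("pre-shared key stored with 'simple' (plaintext); use 'cipher'")
    return findings


if __name__ == "__main__":
    for finding in audit(AR1_CONFIG, AR3_CONFIG, IKE_PROPOSAL, IPSEC_PROPOSAL):
        print(finding)
```

Run against the page's configuration, the topology checks pass (mirrored ACLs, matching peer addresses) and the audit reports six findings: DES-CBC, SHA1 and MODP-768 in the IKE proposal, HMAC-MD5-96 and DES in the IPsec proposal, and the plaintext `simple` pre-shared key. The regexes are written for the exact VRP output format quoted here; other releases may print the fields differently, so treat the patterns as an assumption to adjust.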
The next article verifies the 6 phase 1 messages and the 3 phase 2 messages covered in the HCIE Datacom training course.
To book a free HCIE Datacom trial lesson, contact the WOLFLAB network lab website customer service: https://www.wolf-lab.com/
WOLFLAB official QQ: 2569790740
We offer Cisco and Huawei certification training: CCNA | CCNP | EI CCIE; HCIA | HCIP | HCIE Datacom | VMware.