IPsec+GRE IKE Negotiation Configuration Example


Topology

[Topology diagram: CEA (12.1.1.2) and CEB (34.1.1.2) are the GRE tunnel endpoints and IPsec peers; the image itself is not included in the text]

CEA configuration

# Interesting traffic: only the GRE packets between the two tunnel endpoints are protected
acl advanced 3001
 rule 15 permit gre source 12.1.1.2 0 destination 34.1.1.2 0

# IPsec transform set (transport mode is enough here because the GRE endpoints are the IPsec peers)
ipsec transform-set cea
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-192
 esp authentication-algorithm sha1

# IKE proposal (a prf algorithm can only be set when the proposal is used by IKEv2)
ike proposal 1
 dh group14                          // DH group               default: group1
 encryption-algorithm aes-cbc-256    // encryption algorithm   default: des-cbc
 authentication-algorithm sha256     // hash algorithm         default: sha1
 authentication-method pre-share     // authentication method  default: pre-share (pre-shared key, PSK)
 sa duration 86400                   // IKE SA lifetime        default: 86400 seconds
 
# Pre-shared key for the peer (both sides must configure the same key)
ike keychain key
 pre-shared-key address 34.1.1.2 key simple 123456  // peer address 34.1.1.2, key 123456 (lab value; use a long random PSK in production)
 
# IKE profile (peer)
ike profile 1
 keychain key                              // reference IKE keychain "key"
 exchange-mode aggressive                  // exchange mode: aggressive (default is main mode)
 local-identity address 12.1.1.2           // local identity is the IP address [optional]
 match remote identity address 34.1.1.2 24 // accept a peer identity in 34.1.1.0/24 [optional]; use mask 32 to pin the single peer
 proposal 1                                // reference the IKE proposal

Note on exchange-mode: with IKEv1 aggressive mode the identities are sent in clear and the PSK-derived hash is visible to an eavesdropper, who can attempt offline cracking of a weak key. Both peers here have fixed addresses, so the default main mode works as well and is the safer choice; aggressive mode is normally only needed when one end has a dynamic address and must identify itself by name.
 
# IPsec policy (IKE-negotiated)
ipsec policy P2 10 isakmp
 transform-set cea                         // reference the IPsec transform set
 security acl 3001                         // reference the interesting-traffic ACL
 remote-address 34.1.1.2                   // peer address
 ike-profile 1                             // reference the IKE profile
 
# Apply the IPsec policy to the outbound interface
interface GigabitEthernet0/2
 ipsec apply policy P2

CEB configuration

# Interesting traffic: the mirror image of CEA's rule
acl advanced 3001
 rule 15 permit gre source 34.1.1.2 0 destination 12.1.1.2 0

# IPsec transform set (must match CEA's algorithms and encapsulation mode)
ipsec transform-set ceb
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-192
 esp authentication-algorithm sha1

# IKE proposal (a prf algorithm can only be set when the proposal is used by IKEv2)
ike proposal 1
 dh group14                          // DH group               default: group1
 encryption-algorithm aes-cbc-256    // encryption algorithm   default: des-cbc
 authentication-algorithm sha256     // hash algorithm         default: sha1
 authentication-method pre-share     // authentication method  default: pre-share (pre-shared key, PSK)
 sa duration 86400                   // IKE SA lifetime        default: 86400 seconds
 
# Pre-shared key for the peer (same key as on CEA)
ike keychain key
 pre-shared-key address 12.1.1.2 key simple 123456  // peer address 12.1.1.2, key 123456 (lab value; use a long random PSK in production)
 
# IKE profile (peer)
ike profile 1
 keychain key                              // reference IKE keychain "key"
 exchange-mode aggressive                  // exchange mode: aggressive (default is main mode); must match CEA
 local-identity address 34.1.1.2           // local identity is the IP address [optional]
 match remote identity address 12.1.1.2 24 // accept a peer identity in 12.1.1.0/24 [optional]; use mask 32 to pin the single peer
 proposal 1                                // reference the IKE proposal
 
# IPsec policy (IKE-negotiated)
ipsec policy P2 10 isakmp
 transform-set ceb                         // reference the IPsec transform set defined on this device (ceb, not cea)
 security acl 3001                         // reference the interesting-traffic ACL
 remote-address 12.1.1.2                   // peer address
 ike-profile 1                             // reference the IKE profile
 
# Apply the IPsec policy to the outbound interface
interface GigabitEthernet0/2
 ipsec apply policy P2
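Almost every failure in a setup like this comes from the two sides not being mirror images of each other: an ACL that is not reversed, a keychain address that does not match the peer's identity, differing proposals, or a copy-paste slip when cloning CEA's config for CEB (for example defining transform-set ceb but leaving the policy pointing at cea). The script below is an added example, not part of the original post or of the vendor's tooling: it embeds CEA's configuration as constructed input copied from this page, derives CEB by swapping the two addresses and renaming the transform set the way the page does (deliberately reproducing the cea/ceb slip), parses the subset of Comware syntax used here, and reports local defects and peer asymmetries. The thresholds for "weak PSK" and the warnings about aggressive mode and the /24 identity match are the author's choices for this example, not vendor rules.

```python
# Constructed input: CEA's configuration exactly as posted on this page, comments stripped.
CEA_CONFIG = """\
acl advanced 3001
 rule 15 permit gre source 12.1.1.2 0 destination 34.1.1.2 0
ipsec transform-set cea
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-192
 esp authentication-algorithm sha1
ike proposal 1
 dh group14
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 authentication-method pre-share
 sa duration 86400
ike keychain key
 pre-shared-key address 34.1.1.2 key simple 123456
ike profile 1
 keychain key
 exchange-mode aggressive
 local-identity address 12.1.1.2
 match remote identity address 34.1.1.2 24
 proposal 1
ipsec policy P2 10 isakmp
 transform-set cea
 security acl 3001
 remote-address 34.1.1.2
 ike-profile 1
"""

def swap_addresses(cfg: str, a: str, b: str) -> str:
    """Swap two addresses everywhere in a config; CEB is the mirror image of CEA."""
    return cfg.replace(a, "\0").replace(b, a).replace("\0", b)

# CEB built the way a copy-paste clone goes wrong: addresses mirrored and the transform set
# renamed to "ceb", but the policy line still says "transform-set cea".
CEB_CONFIG = swap_addresses(CEA_CONFIG, "12.1.1.2", "34.1.1.2").replace(
    "ipsec transform-set cea", "ipsec transform-set ceb")
CEB_CONFIG_FIXED = CEB_CONFIG.replace(" transform-set cea", " transform-set ceb")


def parse(config: str) -> dict:
    """Parse the subset of Comware IKE/IPsec syntax used on this page."""
    d = {"acl": [], "ts": {}, "proposal": {}, "profile": {}, "policy": {}}
    section = cur = None
    for raw in config.splitlines():
        line = raw.split("//")[0].rstrip()
        if not line.strip():
            continue
        w = line.split()
        if not line.startswith(" "):             # top-level command opens a section
            section, cur = w[0] + " " + w[1], (w[2] if len(w) > 2 else None)
            if section == "ipsec transform-set":
                d["ts"][cur] = {}
            continue
        key, val = " ".join(w[:-1]), w[-1]       # "dh group14" -> ("dh", "group14")
        if section == "acl advanced" and w[0] == "rule":
            d["acl"].append((w[5], w[8]))        # rule N permit gre source S 0 destination D 0
        elif section == "ipsec transform-set":
            d["ts"][cur][key] = val
        elif section == "ike proposal":
            d["proposal"][key] = val
        elif section == "ike keychain" and w[0] == "pre-shared-key":
            d["psk_peer"], d["psk"] = w[2], val
        elif section == "ike profile" and w[0] == "exchange-mode":
            d["profile"]["mode"] = val
        elif section == "ike profile" and w[0] == "local-identity":
            d["profile"]["local_id"] = val
        elif section == "ike profile" and w[0] == "match":   # match remote identity address A [mask]
            d["profile"]["remote_id"] = (w[4], int(w[5]) if len(w) > 5 else 32)
        elif section == "ipsec policy":
            d["policy"][key] = val
    return d


def check_pair(name_a: str, a: dict, name_b: str, b: dict) -> list:
    """Per-device sanity checks plus peer symmetry; an empty list means consistent."""
    out = []
    for name, cfg in ((name_a, a), (name_b, b)):
        ts = cfg["policy"].get("transform-set")
        if ts not in cfg["ts"]:
            out.append(f"{name}: ipsec policy references undefined transform-set '{ts}'")
        if cfg["profile"].get("mode") == "aggressive":
            out.append(f"{name}: aggressive mode sends the identity in clear and exposes the PSK hash to offline cracking")
        if cfg["profile"]["remote_id"][1] < 32:
            out.append(f"{name}: match remote identity uses a prefix shorter than /32; pin the single peer")
        if len(cfg["psk"]) < 16 or cfg["psk"].isdigit():
            out.append(f"{name}: pre-shared key is short or purely numeric")
    for name, me, other in ((name_a, a, b), (name_b, b, a)):
        peer = other["profile"]["local_id"]
        for what, got in (("remote-address", me["policy"].get("remote-address")),
                          ("pre-shared-key address", me["psk_peer"]),
                          ("match remote identity", me["profile"]["remote_id"][0])):
            if got != peer:
                out.append(f"{name}: {what} {got} does not match peer identity {peer}")
        for src, dst in me["acl"]:
            if (dst, src) not in other["acl"]:
                out.append(f"{name}: ACL rule {src}->{dst} has no mirror rule on the peer")
    if a["proposal"] != b["proposal"]:
        out.append("IKE proposals differ between peers")
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ between peers")
    ta, tb = a["ts"].get(a["policy"].get("transform-set")), b["ts"].get(b["policy"].get("transform-set"))
    if ta and tb and ta != tb:
        out.append("IPsec transform sets differ between peers")
    return out
```

Running check_pair("CEA", parse(CEA_CONFIG), "CEB", parse(CEB_CONFIG)) reports the undefined transform set on CEB plus the aggressive-mode, /24 identity-match and weak-PSK warnings for both devices; with CEB_CONFIG_FIXED only the warnings remain, and the peer-symmetry checks (remote-address, keychain address, mirrored ACL, identical proposal and key) all pass.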

Verification

Check the proposal that will be offered, then ping across the tunnel. A successful ping shows that traffic is flowing, but confirm that it is actually protected by also checking display ike sa and display ipsec sa for an established IKE SA and IPsec SA pair towards the peer.

[CEA]display ike proposal 
 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
              method       algorithm    algorithm       group      (seconds)
----------------------------------------------------------------------------
 1        PRE-SHARED-KEY     SHA256     AES-CBC-256 Group 14       86400    
 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400    
[CEA]
[CEA]ping 192.168.2.2
Ping 192.168.2.2 (192.168.2.2): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.2.2: icmp_seq=0 ttl=254 time=2.252 ms
56 bytes from 192.168.2.2: icmp_seq=1 ttl=254 time=1.939 ms
56 bytes from 192.168.2.2: icmp_seq=2 ttl=254 time=1.431 ms
56 bytes from 192.168.2.2: icmp_seq=3 ttl=254 time=1.561 ms
56 bytes from 192.168.2.2: icmp_seq=4 ttl=254 time=1.568 ms

--- Ping statistics for 192.168.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.431/1.750/2.252/0.303 ms
[CEA]%Oct  6 14:16:42:840 2024 CEA PING/6/PING_STATISTICS: Ping statistics for 192.168.2.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.431/1.750/2.252/0.303 ms.

[CEA]ping 2.2.2.2
Ping 2.2.2.2 (2.2.2.2): 56 data bytes, press CTRL+C to break
56 bytes from 2.2.2.2: icmp_seq=0 ttl=254 time=0.815 ms
56 bytes from 2.2.2.2: icmp_seq=1 ttl=254 time=0.758 ms
56 bytes from 2.2.2.2: icmp_seq=2 ttl=254 time=0.794 ms
56 bytes from 2.2.2.2: icmp_seq=3 ttl=254 time=0.716 ms
56 bytes from 2.2.2.2: icmp_seq=4 ttl=254 time=0.976 ms

--- Ping statistics for 2.2.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.716/0.812/0.976/0.089 ms
[CEA]%Oct  6 14:20:16:460 2024 CEA PING/6/PING_STATISTICS: Ping statistics for 2.2.2.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.716/0.812/0.976/0.089 ms.
