IPsec provides secure IP communication between two endpoints. Below you will find an example configuration of this type of VPN that you can implement in the eNSP simulator or in your own data network.
Topology diagram and IP addressing:
1. Device name and IP address configuration.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HUAWEI-R1
[HUAWEI-R1]interface serial 0/0/1
[HUAWEI-R1-Serial0/0/1]ip address 10.0.12.1 24
[HUAWEI-R1-Serial0/0/1]interface LoopBack 0
[HUAWEI-R1-LoopBack0]ip address 10.0.1.1 24
[HUAWEI-R1]interface loopback 1
[HUAWEI-R1-LoopBack1]ip address 10.0.11.11 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HUAWEI-R2
[HUAWEI-R2]interface serial 0/0/1
[HUAWEI-R2-Serial0/0/1]ip address 10.0.12.2 24
[HUAWEI-R2-Serial0/0/1]interface serial 0/0/2
[HUAWEI-R2-Serial0/0/2]ip address 10.0.23.2 24
[HUAWEI-R2-Serial0/0/2]interface LoopBack0
[HUAWEI-R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HUAWEI-R3
[HUAWEI-R3]interface serial 0/0/2
[HUAWEI-R3-Serial0/0/2]ip address 10.0.23.3 24
[HUAWEI-R3-Serial0/0/2]interface loopback 0
[HUAWEI-R3-LoopBack0]ip address 10.0.3.3 24
[HUAWEI-R3]interface loopback 1
[HUAWEI-R3-LoopBack1]ip address 10.0.33.33 24
2. OSPF configuration
[HUAWEI-R1]ospf router-id 10.0.1.1
[HUAWEI-R1-ospf-1]area 0
[HUAWEI-R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[HUAWEI-R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[HUAWEI-R1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255

[HUAWEI-R2]ospf router-id 10.0.2.2
[HUAWEI-R2-ospf-1]area 0
[HUAWEI-R2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
[HUAWEI-R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[HUAWEI-R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255

[HUAWEI-R3]ospf router-id 10.0.3.3
[HUAWEI-R3-ospf-1]area 0
[HUAWEI-R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[HUAWEI-R3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255
[HUAWEI-R3-ospf-1-area-0.0.0.0]network 10.0.33.0 0.0.0.255
Let's verify that the OSPF neighbors are established.
[HUAWEI-R2]display ospf peer brief
         OSPF Process 1 with Router ID 10.0.2.2
                  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Serial0/0/1                      10.0.1.1         Full
 0.0.0.0          Serial0/0/2                      10.0.3.3         Full
 ----------------------------------------------------------------------------

[HUAWEI-R1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre.  Cost      Flags NextHop         Interface

       10.0.1.0/24  Direct  0     0           D   10.0.1.1        LoopBack0
       10.0.1.1/32  Direct  0     0           D   127.0.0.1       LoopBack0
       10.0.2.2/32  OSPF    10    1562        D   10.0.12.2       Serial0/0/1
       10.0.3.3/32  OSPF    10    3124        D   10.0.12.2       Serial0/0/1
      10.0.11.0/24  Direct  0     0           D   10.0.11.11      LoopBack1
     10.0.11.11/32  Direct  0     0           D   127.0.0.1       LoopBack1
      10.0.12.0/24  Direct  0     0           D   10.0.12.1       Serial0/0/1
      10.0.12.1/32  Direct  0     0           D   127.0.0.1       Serial0/0/1
      10.0.12.2/32  Direct  0     0           D   10.0.12.2       Serial0/0/1
      10.0.23.0/24  OSPF    10    3124        D   10.0.12.2       Serial0/0/1
     10.0.33.33/32  OSPF    10    3124        D   10.0.12.2       Serial0/0/1
       127.0.0.0/8  Direct  0     0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0     0           D   127.0.0.1       InLoopBack0

[HUAWEI-R3]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre.  Cost      Flags NextHop         Interface

       10.0.1.1/32  OSPF    10    3124        D   10.0.23.2       Serial0/0/2
       10.0.2.2/32  OSPF    10    1562        D   10.0.23.2       Serial0/0/2
       10.0.3.0/24  Direct  0     0           D   10.0.3.3        LoopBack0
       10.0.3.3/32  Direct  0     0           D   127.0.0.1       LoopBack0
     10.0.11.11/32  OSPF    10    3124        D   10.0.23.2       Serial0/0/2
      10.0.12.0/24  OSPF    10    3124        D   10.0.23.2       Serial0/0/2
      10.0.23.0/24  Direct  0     0           D   10.0.23.3       Serial0/0/2
      10.0.23.2/32  Direct  0     0           D   10.0.23.2       Serial0/0/2
      10.0.23.3/32  Direct  0     0           D   127.0.0.1       Serial0/0/2
      10.0.33.0/24  Direct  0     0           D   10.0.33.33      LoopBack1
     10.0.33.33/32  Direct  0     0           D   127.0.0.1       LoopBack1
       127.0.0.0/8  Direct  0     0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0     0           D   127.0.0.1       InLoopBack0
3. ACL configuration
[HUAWEI-R1]acl 3001
[HUAWEI-R1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255

[HUAWEI-R3]acl 3001
[HUAWEI-R3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
4. IPsec VPN configuration
Let's enter the IPsec proposal view and configure it to create an IPsec proposal and specify the security protocols that will be used.
Let's make sure both devices are configured with the same protocols.
[HUAWEI-R1]ipsec proposal tran1
[HUAWEI-R1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[HUAWEI-R1-ipsec-proposal-tran1]esp encryption-algorithm 3des

[HUAWEI-R3]ipsec proposal tran1
[HUAWEI-R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[HUAWEI-R3-ipsec-proposal-tran1]esp encryption-algorithm 3des
Let's use the display ipsec proposal command to verify that the configuration is correct.
<HUAWEI-R1>display ipsec proposal
Number of proposals: 1
IPSec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption     3DES

<HUAWEI-R3>display ipsec proposal
Number of proposals: 1
IPSec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption     3DES
5. IPsec policy configuration
[HUAWEI-R1]ipsec policy P1 10 manual
[HUAWEI-R1-ipsec-policy-manual-P1-10]security acl 3001
[HUAWEI-R1-ipsec-policy-manual-P1-10]proposal tran1
[HUAWEI-R1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3
[HUAWEI-R1-ipsec-policy-manual-P1-10]tunnel local 10.0.12.1
[HUAWEI-R1-ipsec-policy-manual-P1-10]sa spi outbound esp 54321
[HUAWEI-R1-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
[HUAWEI-R1-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[HUAWEI-R1-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei

[HUAWEI-R3]ipsec policy P1 10 manual
[HUAWEI-R3-ipsec-policy-manual-P1-10]security acl 3001
[HUAWEI-R3-ipsec-policy-manual-P1-10]proposal tran1
[HUAWEI-R3-ipsec-policy-manual-P1-10]tunnel remote 10.0.12.1
[HUAWEI-R3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
[HUAWEI-R3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[HUAWEI-R3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[HUAWEI-R3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[HUAWEI-R3-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
Let's check the configuration with the display ipsec policy command.
<HUAWEI-R1>display ipsec policy
===========================================
IPSec policy group: "P1"
Using interface:
===========================================
  Sequence number: 10
  Security data flow: 3001
  Tunnel local address: 10.0.12.1
  Tunnel remote address: 10.0.23.3
  Qos pre-classify: Disable
  Proposal name:tran1
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 12345 (0x3039)
    ESP string-key: huawei
    ESP encryption hex key:
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 54321 (0xd431)
    ESP string-key: huawei
    ESP encryption hex key:
    ESP authentication hex key:

<HUAWEI-R3>display ipsec policy
===========================================
IPSec policy group: "P1"
Using interface:
===========================================
  Sequence number: 10
  Security data flow: 3001
  Tunnel local address: 10.0.23.3
  Tunnel remote address: 10.0.12.1
  Qos pre-classify: Disable
  Proposal name:tran1
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 54321 (0xd431)
    ESP string-key: huawei
    ESP encryption hex key:
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 12345 (0x3039)
    ESP string-key: huawei
    ESP encryption hex key:
    ESP authentication hex key:
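A manual SA only works when each side's inbound SPI and key equal the peer's outbound SPI and key, and the tunnel endpoints are swapped; reading two display outputs by eye is error-prone. The following Python is an added example, not code from the original post: it parses a condensed copy of the `display ipsec policy` output shown above for both peers and checks that the parameters are mirrored, also flagging the short key that `simple` leaves readable in the output.

```python
# Condensed `display ipsec policy` output of each peer (from the session above).
R1_POLICY = """\
Tunnel local address: 10.0.12.1
Tunnel remote address: 10.0.23.3
Inbound ESP setting:
  ESP SPI: 12345 (0x3039)
  ESP string-key: huawei
Outbound ESP setting:
  ESP SPI: 54321 (0xd431)
  ESP string-key: huawei
"""
R3_POLICY = """\
Tunnel local address: 10.0.23.3
Tunnel remote address: 10.0.12.1
Inbound ESP setting:
  ESP SPI: 54321 (0xd431)
  ESP string-key: huawei
Outbound ESP setting:
  ESP SPI: 12345 (0x3039)
  ESP string-key: huawei
"""

def parse_policy(text):
    """Return tunnel endpoints and per-direction ESP SPI/key of one manual policy."""
    pol, side = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("Tunnel local address", "Tunnel remote address"):
            pol[key.split()[1]] = val                 # "local" / "remote"
        elif key.endswith("ESP setting"):
            side = key.split()[0].lower()             # "inbound" / "outbound"
        elif key == "ESP SPI" and side:
            pol[side + "_spi"] = int(val.split()[0])  # decimal SPI before "(0x...)"
        elif key == "ESP string-key" and side:
            pol[side + "_key"] = val
    return pol

def check_manual_sa(a, b):
    """Findings for a manual SA: each side's inbound must equal the peer's outbound."""
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("tunnel endpoints are not mirrored")
    if (a["inbound_spi"], a["outbound_spi"]) != (b["outbound_spi"], b["inbound_spi"]):
        findings.append("SPIs are not mirrored between peers")
    if (a["inbound_key"], a["outbound_key"]) != (b["outbound_key"], b["inbound_key"]):
        findings.append("ESP string-keys differ between peers")
    if any(len(p["inbound_key"]) < 16 for p in (a, b)):
        findings.append("ESP string-key is short and shown in clear text (configured with 'simple')")
    return findings
```

Running `check_manual_sa(parse_policy(R1_POLICY), parse_policy(R3_POLICY))` on the configuration above reports only the short clear-text key; configuring the same SPI pair in the same order on both routers, a common slip, triggers the mirroring finding.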
6. Apply the IPsec policy to the interfaces.
Let's bind the IPsec policy to the physical interfaces.
[HUAWEI-R1]interface Serial 0/0/1
[HUAWEI-R1-Serial0/0/1]ipsec policy P1

[HUAWEI-R3]interface Serial 0/0/2
[HUAWEI-R3-Serial0/0/2]ipsec policy P1
7. Let's check the connections between devices.
After testing the connections between devices, let's look at the IPsec statistics.
<HUAWEI-R1>ping -a 10.0.11.11 10.0.33.33
  PING 10.0.33.33: 56  data bytes, press CTRL_C to break
    Reply from 10.0.33.33: bytes=56 Sequence=1 ttl=254 time=70 ms
    Reply from 10.0.33.33: bytes=56 Sequence=2 ttl=254 time=80 ms
    Reply from 10.0.33.33: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 10.0.33.33: bytes=56 Sequence=4 ttl=254 time=100 ms
    Reply from 10.0.33.33: bytes=56 Sequence=5 ttl=254 time=50 ms

  --- 10.0.33.33 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/70/100 ms

<HUAWEI-R1>display ipsec statistics esp
  Inpacket count            : 0
  Inpacket auth count       : 0
  Inpacket decap count      : 0
  Outpacket count           : 0
  Outpacket auth count      : 0
  Outpacket encap count     : 0
  Inpacket drop count       : 0
  Outpacket drop count      : 0
  BadAuthLen count          : 0
  AuthFail count            : 0
  PktDuplicateDrop count    : 0
  PktSeqNoTooSmallDrop count: 0
  PktInSAMissDrop count     : 0
Now let's look at the IPsec VPN traffic, this time with a ping between 10.0.1.1 and 10.0.3.3, the flow that ACL 3001 permits.
<HUAWEI-R1>ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56  data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=40 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=30 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=60 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/46/70 ms

<HUAWEI-R1>display ipsec statistics esp
  Inpacket count            : 5
  Inpacket auth count       : 0
  Inpacket decap count      : 0
  Outpacket count           : 5
  Outpacket auth count      : 0
  Outpacket encap count     : 0
  Inpacket drop count       : 0
  Outpacket drop count      : 0
  BadAuthLen count          : 0
  AuthFail count            : 0
  PktDuplicateDrop count    : 0
  PktSeqNoTooSmallDrop count: 0
  PktInSAMissDrop count     : 0
8. Let's redefine the ACL.
We redefine the ACL so that it matches OSPF traffic.
[HUAWEI-R1]acl 3001
[HUAWEI-R1-acl-adv-3001]rule 5 permit ospf source any destination any

[HUAWEI-R3]acl 3001
[HUAWEI-R3-acl-adv-3001]rule 5 permit ospf source any destination any
Checking the neighbors.
<HUAWEI-R1>display ospf peer brief
         OSPF Process 1 with Router ID 10.0.1.1
                  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Serial0/0/1                      10.0.2.2         Init
 ----------------------------------------------------------------------------

<HUAWEI-R1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre.  Cost      Flags NextHop         Interface

       10.0.1.0/24  Direct  0     0           D   10.0.1.1        LoopBack0
       10.0.1.1/32  Direct  0     0           D   127.0.0.1       LoopBack0
       10.0.2.2/32  OSPF    0     0           D   10.0.12.2       Serial0/0/1
       10.0.3.3/32  OSPF    0     0           D   10.0.12.2       Serial0/0/1
      10.0.11.0/24  Direct  0     0           D   10.0.11.11      LoopBack1
     10.0.11.11/32  Direct  0     0           D   127.0.0.1       LoopBack1
      10.0.12.0/24  Direct  0     0           D   10.0.12.1       Serial0/0/1
      10.0.12.1/32  Direct  0     0           D   127.0.0.1       Serial0/0/1
      10.0.12.2/32  Direct  0     0           D   10.0.12.2       Serial0/0/1
      10.0.23.0/24  OSPF    0     0           D   10.0.12.2       Serial0/0/1
     10.0.33.33/32  OSPF    0     0           D   10.0.12.2       Serial0/0/1
       127.0.0.0/8  Direct  0     0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0     0           D   127.0.0.1       InLoopBack0

<HUAWEI-R3>display ospf peer brief
         OSPF Process 1 with Router ID 10.0.3.3
                  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Serial0/0/2                      10.0.2.2         Init
 ----------------------------------------------------------------------------
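The security ACL decides which packets the interface's IPsec policy protects, which explains both results in step 7 (the first ping is outside ACL 3001 and the ESP counters stay at 0; the second is matched and they reach 5) and why the adjacencies drop to Init in step 8: `permit ospf source any destination any` also selects the hellos R1 and R3 exchange with R2, which has no IPsec policy. The following Python is an added example, not code from the original post; it models Huawei advanced-ACL wildcard matching (0 bits must match, 1 bits are ignored) and evaluates flows constructed from the pings and hellos of this lab against the two ACLs.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: 0 bits must equal the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

PROTO_NUMBER = {"ip": None, "icmp": 1, "ospf": 89}   # None: "ip" matches any protocol

def rule_matches(rule, flow):
    """One advanced-ACL permit rule against a flow given as protocol, source and destination."""
    proto = PROTO_NUMBER[rule["proto"]]
    if proto is not None and flow["proto"] != proto:
        return False
    for end in ("src", "dst"):
        spec = rule[end]                    # None stands for "any"
        if spec is not None and not wildcard_match(flow[end], *spec):
            return False
    return True

def ipsec_protected(acl, flow):
    """Traffic permitted by the security ACL is handed to the IPsec policy bound on the interface."""
    return any(rule_matches(r, flow) for r in acl)

# Security ACL 3001 of R1 as configured in step 3 and as redefined in step 8.
ACL_STEP3 = [{"proto": "ip", "src": ("10.0.1.0", "0.0.0.255"), "dst": ("10.0.3.0", "0.0.0.255")}]
ACL_STEP8 = [{"proto": "ospf", "src": None, "dst": None}]

# Constructed flows: the two pings of step 7 and an OSPF hello R1 sends out Serial0/0/1
# (hellos go to the AllSPFRouters multicast address 224.0.0.5, IP protocol 89).
FLOWS = {
    "ping -a 10.0.11.11 10.0.33.33": {"proto": 1, "src": "10.0.11.11", "dst": "10.0.33.33"},
    "ping -a 10.0.1.1 10.0.3.3":     {"proto": 1, "src": "10.0.1.1",   "dst": "10.0.3.3"},
    "OSPF hello R1 -> R2":           {"proto": 89, "src": "10.0.12.1", "dst": "224.0.0.5"},
}

if __name__ == "__main__":
    for name, acl in (("step 3 ACL", ACL_STEP3), ("step 8 ACL", ACL_STEP8)):
        for label, flow in FLOWS.items():
            state = "IPsec" if ipsec_protected(acl, flow) else "clear"
            print(f"{name}: {label:30} -> {state}")
```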
Regards.
END.