This post was last edited by Jason on 2020-1-29 22:43.
Lab report: IPsec on the H3C V7 platform in main mode (NAT traversal)

Customer requirement from a carrier's cloud company: when our VSR router establishes IPsec with a Huawei device, the IKE SA negotiates successfully but the IPsec SA is empty. Routers MSR-01, MSR-02 and MSR-03 are our MSR36-20 units. MSR-03 sits on the inside network, IPsec uses aggressive mode with NAT traversal enabled, and the 4G router at the egress in front of it acts as the NAT device. The topology diagram is as follows:

MSR-01 configuration:

#
 sysname MSR-01
#
interface LoopBack0
 ip address 172.16.2.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 100.1.1.1 255.255.255.0
 ipsec apply policy policy1
#
 ip route-static 172.16.1.1 32 100.1.1.2
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template 1 1
 transform-set 1
 ike-profile 1
#
ipsec policy policy1 1 isakmp template 1
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 match remote identity fqdn b
#
ike keychain 1
 pre-shared-key hostname b key cipher $c$3$SHBNrYcnJFyZd4LgSfNRFMNmRx07P8S5Wr4=
#

MSR-02 configuration:

#
 sysname MSR-02
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 100.1.1.2 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
 ip route-static 172.16.1.1 32 10.1.1.2
#
acl basic 2000
 description nat_acl
 rule 0 permit source 10.1.1.2 0
#

MSR-03 configuration:

 sysname MSR-03
#
interface LoopBack0
 ip address 172.16.1.1 255.255.255.255
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 10.1.1.2 255.255.255.0
 ipsec apply policy policy1
#
 ip route-static 0.0.0.0 0 10.1.1.1
#
acl advanced 3000
 rule 0 permit ip source 172.16.1.1 0 destination 172.16.2.1 0
#
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy policy1 1 isakmp
 transform-set 1
 security acl 3000
 remote-address 100.1.1.1
 ike-profile 1
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity fqdn b
 match remote identity address 100.1.1.1 255.255.255.255
#
ike keychain 1
 pre-shared-key address 100.1.1.1 255.255.255.255 key cipher $c$3$Sp6XajvQwQaKEQLnj8ax38M0YCZHRpj8Zjs=
#

Test results:

[MSR-03]
[MSR-03]ping -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.120 ms
56 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.158 ms
56 bytes from 172.16.2.1: icmp_seq=3 ttl=255 time=1.627 ms
56 bytes from 172.16.2.1: icmp_seq=4 ttl=255 time=1.193 ms

--- Ping statistics for 172.16.2.1 ---
5 packets transmitted, 4 packets received, 20.0% packet loss
round-trip min/avg/max/std-dev = 1.120/1.274/1.627/0.205 ms
[MSR-03]
[MSR-03]
[MSR-03]dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1435
    Tunnel:
        local  address: 10.1.1.2
        remote address: 100.1.1.1
    Flow:
        sour addr: 172.16.1.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 172.16.2.1/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1295737344 (0x4d3b6200)
      Connection ID: 4294967296
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3587
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 3828054490 (0xe42b79da)
      Connection ID: 4294967297
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3587
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: Y
      Status: Active
[MSR-03]

MSR-02 session:

Packet capture of the IPsec negotiation on the MSR-02 downstream interface:
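The "display ipsec sa" output is what confirms that the tunnel came up through the NAT device: both ESP directions are Active, the flow matches the ACL 3000 selector, and UDP encapsulation for NAT traversal is on. As an added example that is not part of the original post, the Python below parses a constructed sample condensed from that output and reports which of those conditions fail (including the "IPsec SA empty" case from the customer report), and it also flags the deprecated 3DES/MD5 transform set used in this lab; the expected source and destination addresses are passed in by the caller.

```python
# Constructed sample, condensed from the `display ipsec sa` output in the post.
SAMPLE_SA = """\
sour addr: 172.16.1.1/255.255.255.255  port: 0  protocol: ip
dest addr: 172.16.2.1/255.255.255.255  port: 0  protocol: ip
[Inbound ESP SAs]
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
UDP encapsulation used for NAT traversal: Y
Status: Active
"""

def parse_ipsec_sa(text):
    """Split the display into the protected flow and per-direction ESP SA fields."""
    parsed = {"flow": {}, "sas": {}}
    section = None  # None until an [Inbound/Outbound ESP SAs] header is seen
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("ESP SAs]"):
            section = line[1:].split()[0].lower()  # "inbound" / "outbound"
            parsed["sas"][section] = {}
            continue
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if section is None and key in ("sour addr", "dest addr"):
            parsed["flow"][key] = val.split("/")[0]  # keep only the address
        elif section is not None:
            parsed["sas"][section][key] = val
    return parsed

def check_tunnel(parsed, expect_src, expect_dst):
    """List what is wrong for a NAT-T tunnel: selector mismatch, missing or
    inactive direction, no UDP encapsulation, deprecated algorithms."""
    problems = []
    flow = (parsed["flow"].get("sour addr"), parsed["flow"].get("dest addr"))
    if flow != (expect_src, expect_dst):
        problems.append("flow does not match the expected ACL selector")
    for direction in ("inbound", "outbound"):
        sa = parsed["sas"].get(direction, {})  # {} when the IPsec SA is empty
        if sa.get("Status") != "Active":
            problems.append(f"{direction} ESP SA missing or not Active")
        if sa.get("UDP encapsulation used for NAT traversal") != "Y":
            problems.append(f"{direction} ESP SA not UDP-encapsulated (NAT-T)")
        for weak in ("3DES", "MD5"):
            if weak in sa.get("Transform set", ""):
                problems.append(f"{direction} ESP SA uses deprecated {weak}")
    return problems
```

Running check_tunnel(parse_ipsec_sa(SAMPLE_SA), "172.16.1.1", "172.16.2.1") on the lab output reports only the deprecated-algorithm findings; feeding it a display with no ESP SA sections reproduces the "IPsec SA empty" symptom as "missing or not Active" for both directions.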