IPsec configuration
Environment: the headquarters (HQ) has a fixed public IP and the branch office uses PPPoE dial-up. HQ device: Huawei AR6300; branch device: Huawei AR611E-S.
HQ IPsec configuration
ipsec proposal zongbu //configure the IPsec proposal
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1 //configure the IKE proposal
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer zongbu //configure the IKE peer and the protocol it uses
version 1
exchange-mode aggressive
pre-shared-key cipher %^%#/7{v&\A3/TDK&f(ZY'U5T^-WEefB.20$y8E|xyu69tDJ;B}YZWEdPO=H1Vn'%^%#
ike-proposal 1
rsa encryption-padding oaep
rsa signature-padding pss
undo local-id-preference certificate enable
ikev2 authentication sign-hash sha2-256
ipsec policy-template temp 1 //configure the IPsec policy template
ike-peer zongbu
proposal zongbu
sa duration traffic-based 1843200
sa duration time-based 3600
route inject dynamic
ipsec policy zongbu 1 isakmp template temp //configure the IPsec policy and reference the policy template
int g 0/0/1
ipsec policy zongbu
Branch office configuration
acl 3100
rule 5 permit ip source 10.40.40.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal fenzhi
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer fenzhi
version 1
exchange-mode aggressive
pre-shared-key cipher %^%#RE5EJM-&fW9DP''w+</#&eP5!1-!#.k{+l>>n.8JDmqBUi3M^,NZ|`SIp]$W%^%#
ike-proposal 1
remote-address 11.22.33.44
rsa encryption-padding oaep
rsa signature-padding pss
undo local-id-preference certificate enable
ikev2 authentication sign-hash sha2-256
#
ipsec policy fenzhi 1 isakmp
security acl 3100
ike-peer fenzhi
proposal fenzhi
tunnel local applied-interface
sa duration traffic-based 1843200
sa duration time-b
interface Dialer1
link-protocol ppp
ppp chap user 123
ppp chap password cipher %^%#Ekt;"7*3ADkh<p:.$,Q:8fq8:w(+gE;e!)!KS5:E%^%#
ppp pap local-user 123 password cipher %^%#`U=dKu=(fGA41_&b|,K&GPs}6Wk$M<J=@|U"7^Y<%^%#
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer number 1 autodial
dialer-group 1
ipsec policy fenzhi
interface GigabitEthernet0/0/4
pppoe-client dial-bundle-number 1
dialer-rule
dialer-rule 1 ip permit
ip route-static 0.0.0.0 0 dialer1
For the IPsec and PPPoE dial-up configuration I strongly recommend using the web UI; it basically never goes wrong, whereas the command line is far too prone to all sorts of problems.
The web UI configuration is as follows:
HQ
Branch
If dis ipsec sa and dis ike sa show entries, the tunnel has basically been established.
Getting the tunnel up is only the first step; after that the problems come one after another. The first problem: neither side could ping the other.
This happens because the router's WAN interface has both NAT and IPsec configured, which breaks IPsec: a packet arriving at the router goes through NAT first, so the source address of every packet is replaced, and the subsequent IPsec lookup can no longer match the IPsec ACL. The IPsec traffic therefore never enters the IPsec tunnel and IPsec does not work properly.
Solution: in the NAT configuration on the external interface at both the HQ and the branch, add a rule that denies traffic destined for the other side's internal network.
NAT ACL:
acl number 3000
rule 5 deny ip destination 10.1.2.0 0.0.0.255
rule 10 permit ip
IPSec ACL:
acl number 3003
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
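To make the ordering concrete, here is an added Python model (not from the original post) of the WAN-interface pipeline described above: source NAT runs first, then the IPsec ACL lookup, with Huawei-style wildcard-mask matching and first-match rule semantics. The networks 10.1.1.0/24 and 10.1.2.0/24 and the WAN address 11.22.33.44 come from the page; the host addresses are constructed.

```python
import ipaddress

# Constructed sample values, taken from the page's ACLs and remote-address line.
WAN_IP = "11.22.33.44"
ANY = ("0.0.0.0", "255.255.255.255")          # "any": every bit is a don't-care bit

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is ignored (0.0.0.255 = /24)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_matches(rules, src: str, dst: str) -> bool:
    """First matching rule wins; permit -> True, deny or no match -> False (not matched)."""
    for action, (snet, swc), (dnet, dwc) in rules:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

# NAT ACL 3000 as it was before the fix: only "rule 10 permit ip".
NAT_ACL_BROKEN = [("permit", ANY, ANY)]
# NAT ACL 3000 after the fix: "rule 5 deny ip destination 10.1.2.0 0.0.0.255" in front.
NAT_ACL_FIXED = [("deny", ANY, ("10.1.2.0", "0.0.0.255")),
                 ("permit", ANY, ANY)]
# IPsec ACL 3003: rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
IPSEC_ACL = [("permit", ("10.1.1.0", "0.0.0.255"), ("10.1.2.0", "0.0.0.255"))]

def forward(nat_acl, ipsec_acl, src: str, dst: str):
    """Model the WAN-interface order from the page: NAT first, then the IPsec policy lookup.
    Returns (source address seen by the IPsec lookup, whether the packet enters the tunnel)."""
    if acl_matches(nat_acl, src, dst):
        src = WAN_IP                      # source NAT rewrites the private source address
    return src, acl_matches(ipsec_acl, src, dst)

if __name__ == "__main__":
    for name, nat_acl in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        print(name, "VPN flow   :", forward(nat_acl, IPSEC_ACL, "10.1.1.10", "10.1.2.20"))
        print(name, "Internet   :", forward(nat_acl, IPSEC_ACL, "10.1.1.10", "8.8.8.8"))
```

With the broken NAT ACL the LAN-to-LAN flow reaches the IPsec lookup with the WAN address as its source and misses ACL 3003; with the deny rule in front it keeps its private source, matches, and ordinary Internet traffic is still translated.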
Then it turned out that the branch could ping HQ, but HQ could not ping the branch.
This problem is probably specific to this setup rather than a common one: it was caused by policy-based routing on the HQ's internal interface, and simply permitting the traffic destined for the branch's internal network fixed it.
The third problem: once both sides could reach each other, the services did not work properly. The web pages of the HQ servers could not be opened and the file shares could not be accessed, even though the servers could be pinged and their open ports could be scanned. Access from HQ to the branch was completely normal.
Adding the following command on both the internal and the external interface of the HQ router solved the problem:
tcp adjust-mss 1360
The exact cause is unclear to me.
License:
CC BY 4.0