1、HKBKT mi丄卜;GE OF 1NDUSTKY AND TECinDLOGY實訓指導書所在系別：計算機技術(shù)系 所屬專業(yè) ： 計算機網(wǎng)絡(luò)技術(shù) 指導教師：董科鵬 專業(yè)負責人： 孫志成指導書填寫要求1. 實訓設(shè)計指導書由指導教師根據(jù)課題的具體情況進行設(shè)計填寫，經(jīng)學生所在專業(yè)的負責人審查、系領(lǐng)導簽字后生效。此指導書應(yīng)在課程設(shè)計開始前一周內(nèi)填好并發(fā)給學生；2. 指導書填寫的內(nèi)容，必須具有指導學生課程設(shè)計的要求。若有變更，應(yīng)當經(jīng)過所在專業(yè)教研室及系主管領(lǐng)導審批后方可重新填寫；3. 本指導書內(nèi)有關(guān)“系”、“專業(yè)”等名稱的填寫，應(yīng)寫中文全稱，學生的“學號”要寫全，不能只寫最后 2位或1位數(shù)字；4. 有關(guān)年

2、月日等日期的填寫，一律用阿拉伯數(shù)字書寫。如“2015年3 月 2 日”或“ 2015-03-02 ”。1.目錄一實訓的目的與要求： 4二. 實訓的前期準備（設(shè)備、用具與軟件環(huán)境） 5三. 實訓的設(shè)計步驟 5四實訓的設(shè)計要點及主要技術(shù)分析16五實訓的設(shè)計進度安排 16六主要參考文獻及資源 17.實訓的目的與要求:分部一設(shè)備為G0/3：。SecBlade防火墻插卡；軟件版本 Feature 3171P11 ；公網(wǎng)出接口分部二設(shè)備為SecPath V3防火墻；軟件版本Release 1662P07公網(wǎng)出接口 G0/1:。因特網(wǎng)設(shè)備為 為 G0/0/25 :，S7503E-S交換機；軟件版本 Rele

3、ase 6616P01 ;實驗中所用接口 G0/0/27 :，G0/0/28:客戶的網(wǎng)絡(luò)拓撲比較大，一個中心網(wǎng)點和N個分支網(wǎng)點，且每個分支網(wǎng)點都需要 利用GRE OVER IPSe與中心網(wǎng)點建立 VPN連接。由于GRE隧道有一定的局限性，Tunnel接口過多，造成配置的復雜，而 Tunnel 接口的最大數(shù)目為4096個,那么，分支數(shù)目超過此數(shù)就無法繼續(xù)建立 GRE隧道, 且還沒有算上有些是備份的鏈路。 采用P2MF將大大簡化Tunnel接口的配置，且 也解決了 Tunnel接口數(shù)目不足帶來的問題。同樣，設(shè)備的公網(wǎng)出接口數(shù)目是有限的，我們不可能在N個出接口上建立IPSec隧道。采用IPsec的模

4、板配置，解決相應(yīng)配置的問題。屮心業(yè)務(wù)網(wǎng)LookbackO 1.L1.1 GREJ4 裝 Lookback 1 192A68.1C4 172.16.10.1Tunnell10.0.0.1分部業(yè)徐網(wǎng)LookbackO 2.2.2.2GRE OVER IPSGREj-tU lookbackl 192.16840.2172.1630.1Tunnell10.0.07實驗所用設(shè)備: 中心設(shè)備為SecBlade防火墻插卡；軟件版本Feature 3171P11 ；公網(wǎng)出接口 G0/3：。二. 實訓的前期準備（設(shè)備、用具與軟件環(huán)境）設(shè)備：開通局域網(wǎng)與實習用機H3CMS系列路由器，H3C交換機軟件環(huán)境：Win

5、dows XP超級終端HCL三. 實訓的設(shè)計步驟大量分支GREover IPSec接入的簡易配1）基本配置各個設(shè)備的接口和區(qū)域的配置。分部的ip地址本應(yīng)該為動態(tài)獲取，這里為了簡 化配置，直接改為靜態(tài)了。路由配置：中心：ip route-static公網(wǎng)路由ip route-static將業(yè)務(wù)數(shù)據(jù)流引向Tunnel接口，從而觸發(fā)GRE封裝分部一：ip route-static公網(wǎng)路由ip route-static/將業(yè)務(wù)數(shù)據(jù)流引向Tunnel接口，從而觸發(fā)GRE封裝分部二：ip route-static prefere nee 60ip route-static prefere nee 602）

6、GR0配置中心設(shè)備：in terface Tunn ellip addresstunnel-protocolgre p2mp / 這里默認采用 GRE 改為 P2MPsource/源圭寸裝地址為回環(huán)接口 Lookbackl的地址gre p2mpbranch-n etwork-mask/采用P2MP勺封裝模式，無表示對端的封裝地址為多少，只能設(shè)置一個 掩碼表示范圍分部一設(shè)備：in terface Tunn ellip address sourcedest in atio n分部設(shè)備對中心設(shè)備來與是點到點的類型，直接封裝相應(yīng)的源地址和目標地址就行了分部二：in terface Tunn el1ip

7、 address sourcedest in ati on3）IPSec 配置在本實驗中，分部的IP都不是固定的，都為動態(tài)獲取所得，所以，IKE的 協(xié)商方式這里采用野蠻模式中心設(shè)備：ike local-name fw1/IKE 本端名字（千萬不能忘記）ike peer 10excha nge-mode aggressive pre-shared-key cipher $c$3$/3EvhWhcCcwOSYCWzLohlg2r1bGeCVY=id-type n ameremote-name fw2remote-address fw2 dyn amic/此處可以不做配置，如果不做配置默認為所有IP

8、地址，如圖所示：ipsec proposal 10/安全提議采用默認的配置即可，也可以自行更改，默認為:10resecD9CKGrugiipsec policy-template zb1 10ike-peer 10proposal 10/總部的類型為點到多點，所以這里采用模板的方法，這樣無法配置 ACL進行數(shù)據(jù)流匹配ipsec policy cnc 10 isakmp template zb1/模板的應(yīng)用方式in terface GigabitEther netO/3port lin k-mode routeip address ipsec policy cnc分部一：acl number 3

9、000rule 0 permit ip source 0 dest in ati on 0ike local-name fw2 /配置本端名字ike peer 10excha nge-mode aggressivepre-shared-key cipher $c$3$UaPgUwWG/SiXbHB6XVbtbAVmEBQk1AE= id-type n ameremote-name fw1remote-address proposal 10/ 采用默認，這里也可以不做配置#ipsec policy fb 10 isakmpsecurity acl 3000ike-peer 10proposal

10、10/分部為點到點模式，不用配置模板，此里的 acl可以用于中心設(shè)備的 反向匹配分部二：ike peer 10excha nge-mode aggressivepre-shared-key cipher KqbfKcrPdHA=id-type n ameremote-namefw1remote-address proposal 10#ipsec policy fb 10 isakmpsecurity acl 3000ike-peer 10proposal 10#acl number 3000rule 0 permit ip source 0 dest in ati on 04）連通性測試只能由

11、分部觸發(fā)建立，中心側(cè)無法觸發(fā)。分部一：H3Cpi ng -aPING 56 data bytes, press CTRL_C to breakRequest time outReply from bytes=56 Seque nce=2 ttl=255 time=1 msReply from bytes=56 Seque nce=3 ttl=255 time=1 msReply from bytes=56 Seque nce=4 ttl=255 time=1 msReply from bytes=56 Seque nce=5 ttl=255 time=1 ms-pi ng statistics

12、 -5 packet(s) tran smitted4 packet(s) received% packet lossroun d-trip min /avg/max = 1/1/1 msH3C分部二:p ing -aPING 56 data bytes, press CTRL_C to breakReply from bytes=56 Seque nce=1 ttl=255 time=1 msReply from bytes=56 Seque nce=2 ttl=255 time=1 msReply from bytes=56 Seque nce=3 ttl=255 time=1 msRep

13、ly from bytes=56 Seque nce=4 ttl=255 time=1 msReply from bytes=56 Seque nce=5 ttl=255 time=1 ms-pi ng statistics -5 packet(s) tran smitted5 packet(s) received% packet lossroun d-trip min /avg/max = 1/1/1 ms中心設(shè)備情況：display ike satotal phase-1 SAs:2phasconnection-id peerflage doistatus3RD1IPSEC-2RD2IPS

14、EC-4RD2IPSEC-flag meaningRD-READY ST-STAYALIVE RL-REPLACED FD-FADING TO-TIMEOUT分部一與分部二都已經(jīng)成功建立隧道查看IPSec SA隧道display ipsec saIn terface: GigabitEthernetO/3path MTU: 1500IPsec policy n ame: zbseque nee nu mber: 10mode: templateconn ecti on id: 1en capsulati on mode: tunnel perfect forward secrecy: tunn

15、 el:local address:remoteaddress:/這個是分部一flow:sour addr:port: 0 protocol: IPdest addr:port: 0 protocol: IPin bou nd ESP SAsspi: 01 (0xe00bef25)/ /這個與分部一的出方向的 SA相同proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa duration (kilobytes/sec): 1843200/3600sa remaining duration (kilobytes/sec): 1843196/1246max receiv

16、ed seque nce-nu mber: 34an ti-replay check en able: Yan ti-replay wi ndow size: 32 udp en capsulati on used for nat traversal: N status:-outbou nd ESP SAsspi: 02 (0xab191eba)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa duration (kilobytes/sec): 1843200/3600sa remaining duration (kilobytes/sec): 1843196

17、/1246 max received seque nce-nu mber: 35udp en capsulati on used for nat traversal: N status:-IPsec policy n ame: zbseque nee nu mber: 10mode: templateconn ecti on id: 2en capsulati on mode: tunnelperfect forward secrecy:tunn el:local address:remoteaddress:/這個是分部二flow:sour addr:port: 0 protocol: IPd

18、est addr:port: 0 protocol: IPin bou nd ESP SAsspi: 67 (0xd9a7efc7)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa durati on (kilobytes/sec): 1843200/3600sa remai ning duratio n (kilobytes/sec): 1843197/1559max received seque nce-nu mber: 19an ti-replay check en able: Yan ti-replay wi ndow size: 32udp en ca

19、psulati on used for nat traversal: N status:-outbou nd ESP SAsspi: 3 (0x1b790983)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa durati on (kilobytes/sec): 1843200/3600sa remai ning duratio n (kilobytes/sec): 1843197/1559max received seque nce-nu mber: 20 udp en capsulati on used for nat traversal: N statu

20、s:-分部一的IPSec SAdisplay ipsec saIn terface: GigabitEthernetO/3path MTU: 1500IPsec policy n ame: fbseque nee nu mber: 10mode: isakmpconnection id: 1en capsulati on mode: tunnel perfect forward secrecy: tunn el:local address:總部方向建立SAflow:sour addr:port: 0dest addr:port: 0remote address: / 與protocol: IP

21、protocol: IPin bou nd ESP SAsspi: 02 (0xab191eba)/對比總部的第一個出方向的SA這兩個值相同proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa durati on (kilobytes/sec): 1843200/3600sa remai ning duratio n (kilobytes/sec): 1843196/738max received seque nce-nu mber: 34an ti-replay check en able: Yan ti-replay wi ndow size: 32udp e

22、n capsulati on used for nat traversal: N status:-outbou nd ESP SAsspi: 01 (0xe00bef25)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa durati on (kilobytes/sec): 1843200/3600sa remai ning duratio n (kilobytes/sec): 1843196/738 max received seque nce-nu mber: 35udp en capsulati on used for nat traversal: N

23、status:-分部二 IPSec SAdisplay ipsec saIn terface: GigabitEthernetO/1path MTU: 1500IPsec policy n ame: fbseque nee nu mber: 10mode: isakmpCreated by: Hostconn ecti on id: 4en capsulati on mode: tunnel perfect forward secrecy: Nonetunn el:local address:remoteaddress:/與總部方向建立 SAflow:(38 times matched)sou

24、r addr:port:0protocol:IPdest addr:port:0protocol:IPin bou nd ESP SAs/spi: 3 (0x1b790983)/與總部第二個出方向的SA值相同proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa key duration (bytes/sec): 00/3600sa remaining key duration (bytes/sec): 48/938max received seque nce-nu mber: 19udp en capsulati on used for nat traversal: Noutbou nd ESP SAsspi: 67 (0xd9a7efc7)proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5sa key duration (bytes/sec): 00/3600sa remaining key duration (bytes/sec): 4