3G+IPsec配置.docx

3G+IPsec配置.docx

《3G+IPsec配置.docx》由会员分享，可在线阅读，更多相关《3G+IPsec配置.docx（11页珍藏版）》请在冰豆网上搜索。

3G+IPsec配置

组网图

第1阶段检查版本和Cellular0/0的TTY号

[111-MSR2021]disver

H3CComwarePlatformSoftware

ComwareSoftware,Version5.20,ESS1807,Standard

Copyright（c）2004-2009HangzhouH3CTech.Co.,Ltd.Allrightsreserved.

H3CMSR20-21uptimeis0week,0day,0hour,50minutes

Lastreboot2009/06/0508:

32:

07

SystemreturnedtoROMByPower-up.

CPUtype:

FREESCALEPowerPC8248400MHz

256MbytesSDRAMMemory

4MbytesFlashMemory

PcbVersion:

3.0

LogicVersion:

3.0

BasicBootROMVersion:

3.08

ExtendedBootROMVersion:

3.08

[SLOT0]ETH0/0（Hardware）3.0,（Driver）1.0,（Cpld）3.0

[SLOT0]ETH0/1（Hardware）3.0,（Driver）1.0,（Cpld）3.0

[SLOT0]CELLULAR0/0（Hardware）3.0,（Driver）1.0,（Cpld）3.0

[111-MSR2021]displayuser-interface

IdxTypeTx/RxModemPriviAuthInt

0CON09600-3N-

13TTY139600inout0NCellular0/0

81AUX09600-0P-

+82VTY0-3N-

83VTY1-3N-

84VTY2-3N-

85VTY3-3N-

86VTY4-3N-

UI（s）notinasyncmode-or-withnohardwaresupport:

1-1214-80

+:

CurrentUIisactive.

F:

CurrentUIisactiveandworkinasyncmode.

Idx:

AbsoluteindexofUIs.

Type:

TypeandrelativeindexofUIs.

Privi:

TheprivilegeofUIs.

Auth:

TheauthenticationmodeofUIs.

Int:

ThephysicallocationofUIs.

A:

AuthenticationuseAAA.

L:

Authenticationuselocaldatabase.

N:

CurrentUIneednotauthentication.

P:

AuthenticationusecurrentUI'spassword.

[111-MSR2021]

第2阶段IPsec发起端（使用3G-Modem的设备）配置

[111-MSR2021]discur

#

//使能DNS解析能力

dnsresolve

#

//ACL3000用于NAT，先把需要IPsec的目的网段过滤掉

aclnumber3000

rule0denyipdestination10.0.0.00.255.255.255

rule5denyipdestination172.16.0.00.15.255.255

rule10denyipdestination192.168.0.00.0.255.255

rule15permitip

//ACL3001用于发起IPsec

aclnumber3001

rule0permitipsource192.168.111.00.0.0.255destination192.168.11.00.0.0.255

#

//IKEPeer设置，对端地址必须固定，对端如果也是3G接入那么IPsec有可能会突然中断

ikepeernavigator

pre-shared-keysimpleh3c

remote-address60.191.99.140

#

//默认的IPsec安全提议

ipsecproposaldef

#

//IPsec策略配置

ipsecpolicymypolicy1isakmp

securityacl3001

ike-peernavigator

proposaldef

#

//进入到USB3GModem接口视图配置dialercircular-group0即绑定dialer0接口，接口其余配置会自动添加

interfaceCellular0/0

asyncmodeprotocol

link-protocolppp

dialerenable-circular

dialer-group4

dialercircular-group0

dialertimeridle0

#

//Dialer0接口配置

interfaceDialer0

//配置NAT

natoutbound3000

link-protocolppp

//指定PPPCHAP和PAP认证用户名密码都为card，可和运营商确认，电信一般使用card

pppchapusercard

pppchappasswordsimplecard

ppppaplocal-usercardpasswordsimplecard

//接收对端分配的DNS

pppipcpdnsadmit-any

//主动向对方请求DNS

pppipcpdnsrequest

//IP地址由对端分配

ipaddressppp-negotiate

//使能轮询DCC

dialerenable-circular

//使用dialer-rule4ippermit

dialer-group4

//拨号成功后不主动断开连接

dialertimeridle0

//拨号串#777，可和运营商确认，电信一般使用#777

dialernumber#777

//接口配置IPsec策略

ipsecpolicymypolicy

#

//连接内网接口

interfaceEthernet0/1

portlink-moderoute

//接口网段192.168.111.0/24

ipaddress192.168.111.1255.255.255.0

#

//默认路由指向Dialer0接口

iproute-static0.0.0.00.0.0.0Dialer0

#

//dialer-rule配置

dialer-rule4ippermit

#

//用户接口，tty13可由一开始displayuser-interface确认

user-interfacetty13

//使能该接口的双向modem能力

modemboth

#

[111-MSR2021]

第3阶段IPsec响应端（中心端，使用固定地址）配置

#

//用于NAT的ACL3000，要把IPsec的流量先deny掉

aclnumber3000

rule0denyipdestination192.168.0.00.0.255.255

rule5denyipdestination10.0.0.00.255.255.255

rule10denyipdestination172.16.0.00.15.255.255

rule15permitipsource192.168.1.00.0.0.255

rule20permitipsource192.168.2.00.0.0.255

rule25permitipsource192.168.10.00.0.0.255

rule30permitipsource192.168.11.00.0.0.255

rule35permitipsource192.168.111.00.0.0.255

rule40denyip

#

//响应端IKEPeer的配置，只配置pre-shared-key即可

ikepeer2021

pre-shared-keysimpleh3c

#

//IPsec安全提议，和发起端保持一致

ipsecproposaldef

#

//IPsec策略模板配置，不需要配置安全ACL

ipsecpolicy-templatept1

ike-peer2021

proposaldef

#

//使用模板方式的IPsec策略mypolicy

ipsecpolicymypolicy1isakmptemplatept

#

//在设备连接互联网的接口设置NAT、IP地址和IPsec策略

interfaceEthernet0/0

portlink-moderoute

natoutbound3000

ipaddress60.191.99.140255.255.255.0

ipsecpolicymypolicy

#

//连接内网的VLAN接口

interfaceVlan-interface11

ipaddress192.168.11.1255.255.255.0

#

第4阶段触发拨号并查看是否成功

[111-MSR2021-Dialer0]ping1.1.1.1

PING1.1.1.1:

56databytes,pressCTRL_Ctobreak

Requesttimeout

Requesttimeout

Requesttimeout

Requesttimeout

Requesttimeout

---1.1.1.1pingstatistics---

5packet（s）transmitted

0packet（s）received

100.00%packetloss

[111-MSR2021-Dialer0]disipintb

*down:

administrativelydown

（s）:

spoofing

InterfacePhysicalProtocolIPAddressDescription

Aux0downdownunassignedAux0Inte...

Cellular0/0upup（s）unassignedCellular0...

Dialer0upup（s）115.171.251.239Dialer0I...

Ethernet0/0upup10.153.49.79Ethernet0...

Ethernet0/1upup192.168.111.1Ethernet0...

LoopBack0upup（s）202.38.1.1LoopBack0...

Serial1/0downdownunassignedSerial1/0...

Tunnel0updownunassignedTunnel0I...

[111-MSR2021-Dialer0]disintd0

Dialer0currentstate:

UP

Lineprotocolcurrentstate:

UP（spoofing）

Description:

Dialer0Interface

TheMaximumTransmitUnitis1448,Holdtimeris10（sec）

InternetAddressisnegotiated,115.171.251.239/32

LinklayerprotocolisPPP

LCPinitial

PhysicalisDialer,baudrate:

64000bps

Outputqueue:

（Urgentqueuing:

Length）100

Outputqueue:

（Protocolqueuing:

Length）500

Outputqueue:

（FIFOqueuing:

Length）75

Lastclearingofcounters:

Never

Last5secondsinputrate:

233bytes/sec,1864bits/sec,0packets/sec

Last5secondsoutputrate:

128bytes/sec,1024bits/sec,1packets/sec

7216packetsinput,6298820bytes,0drops

6053packetsoutput,928710bytes,12drops

[111-MSR2021-Dialer0]disintc0/0

Cellular0/0currentstate:

UP

Lineprotocolcurrentstate:

UP（spoofing）

Description:

Cellular0/0Interface

TheMaximumTransmitUnitis1500,Holdtimeris10（sec）

Internetprotocolprocessing:

disabled

LinklayerprotocolisPPP

PrimaryDNSaddressis219.141.136.10,SecondaryDNSaddressis219.141.140.10

LCPopened,IPCPopened

Outputqueue:

（Urgentqueuing:

Size/Length/Discards）0/100/0

Outputqueue:

（Protocolqueuing:

Size/Length/Discards）0/500/0

Outputqueue:

（FIFOqueuing:

Size/Length/Discards）0/75/0

Transfertime:

00:

49:

33

Lastclearingofcounters:

Never

Last5secondsinputrate62787.60bytes/sec,502300bits/sec,80.00packets/sec

Last5secondsoutputrate15027.20bytes/sec,120217bits/sec,75.80packets/sec

Input:

6439packets,5173108bytes

0broadcasts,0multicasts

0errors,0runts,0giants

0CRC,0alignerrors,0overruns

0dribbles,0aborts,0nobuffers

0frameerrors

Output:

5428packets,831579bytes

0errors,0underruns,0collisions

0deferred

<111-MSR2021>

第5阶段触发IPSec并检查

<111-MSR2021>ping-a192.168.111.1192.168.11.1

PING192.168.11.1:

56databytes,pressCTRL_Ctobreak

Requesttimeout

Replyfrom192.168.11.1:

bytes=56Sequence=2ttl=255time=138ms

Replyfrom192.168.11.1:

bytes=56Sequence=3ttl=255time=133ms

Replyfrom192.168.11.1:

bytes=56Sequence=4ttl=255time=140ms

Replyfrom192.168.11.1:

bytes=56Sequence=5ttl=255time=135ms

---192.168.11.1pingstatistics---

5packet（s）transmitted

4packet（s）received

20.00%packetloss

round-tripmin/avg/max=133/136/140ms

<111-MSR2021>disikesa

totalphase-1SAs:

1

connection-idpeerflagphasedoi

----------------------------------------------------------

560.191.99.140RD|ST1IPSEC

660.191.99.140RD|ST2IPSEC

flagmeaning

RD--READYST--STAYALIVERL--REPLACEDFD--FADINGTO--TIMEOUT

<111-MSR2021>disipsecsa

===============================

Interface:

Dialer0

pathMTU:

1448

===============================

-----------------------------

IPsecpolicyname:

"mypolicy"

sequencenumber:

1

mode:

isakmp

-----------------------------

connectionid:

4

encapsulationmode:

tunnel

perfectforwardsecrecy:

None

tunnel:

localaddress:

115.171.251.239

remoteaddress:

60.191.99.140

Flow:

souraddr:

192.168.111.0/255.255.255.0port:

0protocol:

IP

destaddr:

192.168.11.0/255.255.255.0port:

0protocol:

IP

[inboundESPSAs]

spi:

2839623968（0xa9413920）

proposal:

ESP-ENCRYPT-DESESP-AUTH-MD5

saduration（kilobytes/sec）:

1843200/3600

saremainingduration（kilobytes/sec）:

1843199/3593

maxreceivedsequence-number:

4

anti-replaycheckenable:

Y

anti-replaywindowsize:

32

udpencapsulationusedfornattraversal:

N

[outboundESPSAs]

spi:

2954648694（0xb01c5c76）

proposal:

ESP-ENCRYPT-DESESP-AUTH-MD5

saduration（kilobytes/sec）:

1843200/3600

saremainingduration（kilobytes/sec）:

1843199/3593

maxsentsequence-number:

5

udpencapsulationusedfornattraversal:

N

<111-MSR2021>

第6阶段PC上验证

C:

\DocumentsandSettings\Administrator>ipconfig

WindowsIPConfiguration

Ethernetadapter{8B4396B8-A01B-4C0B-B7A3-FA715A2DED48}:

MediaState...........:

Mediadisconnected

EthernetadapterGigabitEthernet0:

Connection-specificDNSSuffix.:

IPAddress............:

192.168.111.250

SubnetMask...........:

255.255.255.0

DefaultGateway.........:

192.168.111.1

C:

\DocumentsandSettings\Administrator>ping192.168.11.1

Pinging192.168.11.1with32bytesofdata:

Replyfrom192.168.11.1:

bytes=32time=192msTTL=254

Replyfrom192.168.11.1:

bytes=32time=154msTTL=254

Replyfrom192.168.11.1:

bytes=32time=146msTTL=254

Replyfrom192.168.11.1:

bytes=32time=173msTTL=254

Pingstatisticsfor192.168.11.1:

Packets:

Sent=4,Received=4,Lost=0（0%loss）,

Approximateroundtriptimesinmilli-seconds:

Minimum=146ms,Maximu