IPSec Configuration Guide
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) for providing secure transmission of data over IP networks. These protocols include the Authentication Header (AH) and Encapsulation Security Payload (ESP). The IPSec framework also includes key exchange and algorithms used for authentication and encryption.
These protocols allow two devices to establish an IPSec tunnel between them, so that data is securely forwarded over the IPSec tunnel.
IPSec Configuration

Create IPSec

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Create and enter the IPSec configuration view | ipsec name | name: name of the IPsec instance (for example `ipsec test` in the examples below) |
Configure IKE

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the IPSec configuration view | ipsec name | |
| Configure the IKE encryption algorithm, key length, authentication algorithm and DH group | ike crypto_alg {des-iv64\|des\|3des\|rc5\|idea\|cast\|blowfish\|3idea\|des-iv32\|null\|aes-cbc\|aes-ctr\|aes-gcm-16} crypto_alg_size <0-65535> integ_alg {none\|md5-96\|sha1-96\|des-mac\|kpdk-md5\|aes-xcbc-96\|md5-128\|sha1-160\|cmac-96\|aes-128-gmac\|aes-192-gmac\|aes-256-gmac\|hmac-sha2-256-128\|hmac-sha2-384-192\|hmac-sha2-512-256} dh {none\|modp-768\|modp-1024\|modp-1536\|modp-2048\|modp-3072\|modp-4096\|modp-6144\|modp-8192\|ecp-192\|ecp-256\|ecp-384\|ecp-512\|modp-1024-160\|modp-2048-224\|modp-2048-256} | crypto_alg: encryption algorithm; crypto_alg_size: key length in bits; integ_alg: authentication (integrity) algorithm; dh: Diffie-Hellman group |
| Configure the ID type and ID value of the local peer | ike local type {ip4\|ip6\|rfc822\|fqdn} data | type: ID type; data: ID value |
| Configure the ID type and ID value of the remote peer | ike remote type {ip4\|ip6\|rfc822\|fqdn} data | type: ID type; data: ID value |
| Configure the local and remote traffic selectors (the address ranges protected by the tunnel) | ike traffic_selector {local\|remote} ip4 addr_start <A.B.C.D> addr_end <A.B.C.D> | local/remote: which side's range is described; addr_start, addr_end: first and last address of the protected range (both peers must mirror each other's selectors, as in the examples below) |
| Configure the pre-shared key | shared_key_mic {string\|hex} key | string: key given as plain text; hex: key given as a hexadecimal value; the same key must be configured on both peers |
Configure SA

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the IPSec configuration view | ipsec name | |
| Configure the SA encryption algorithm, key length and authentication algorithm | sa crypto_alg {des-iv64\|des\|3des\|rc5\|idea\|cast\|blowfish\|3idea\|des-iv32\|null\|aes-cbc\|aes-ctr\|aes-gcm-16} crypto_alg_size <0-65535> integ_alg {none\|md5-96\|sha1-96\|des-mac\|kpdk-md5\|aes-xcbc-96\|md5-128\|sha1-160\|cmac-96\|aes-128-gmac\|aes-192-gmac\|aes-256-gmac\|hmac-sha2-256-128\|hmac-sha2-384-192\|hmac-sha2-512-256} | crypto_alg: encryption algorithm; crypto_alg_size: key length in bits; integ_alg: authentication (integrity) algorithm |
| SA negotiation switch | sa init | |
| SA negotiation (rekeying) parameters | sa lifetime | lifetime: lifetime of the SA (seconds); jitter: random jitter (seconds) applied to the lifetime so that both ends do not renegotiate at the same moment; handover: smooth transition time (seconds), i.e. how long the old SA is retained so that traffic is not interrupted before the new SA is established; max_bytes: SA data transfer limit, renegotiation is triggered when the limit is exceeded |
| NAT traversal detection switch | sa natt {enable\|disable} | |
| Configure the SA tunnel | sa tunnel {ip4\|ip6} src_ip <A.B.C.D> dst_ip <A.B.C.D> next_hop <A.B.C.D> remote_ip <A.B.C.D/M> shared_interface | ip4\|ip6: tunnel IP type; src_ip: local IKE address; dst_ip: remote IKE address; next_hop: next-hop address towards the peer; remote_ip: route to the destination subnet (it must cover the remote traffic selector); shared_interface: interface the IPsec tunnel is bound to |
Bind IPSec to port

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the interface configuration view | interface ethernet <number> | |
| Bind IPsec to the port | ipsec name peer {ip4\|ip6} {A.B.C.D\|X:X::X:X} | name: name of the IPsec instance; A.B.C.D\|X:X::X:X: peer IPv4/IPv6 address |
Display and Maintenance

| Operation | Command |
|---|---|
| Display IPsec information | show ipsec |
IPSEC Configuration Example

Network Requirements

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and the headquarters gateway because they communicate over the Internet.

Procedure

Device1:

```
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.1/24
sonic(config-if-2)# ipsec test peer ip4 1.1.1.2
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.1.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared_key_mic string test1234
sonic(config-ipsec-test)# ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 10.1.1.0 addr_end 10.1.1.255
sonic(config-ipsec-test)# ike traffic_selector remote ip4 addr_start 10.1.2.0 addr_end 10.1.2.255
sonic(config-ipsec-test)# sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 1.1.1.1 dst_ip 1.1.1.2 next_hop 1.1.1.2 remote_ip 10.1.2.0/24 shared_interface Ethernet2
```

Device2:

```
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.2/24
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.2.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared_key_mic string test1234
sonic(config-ipsec-test)# ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 10.1.2.0 addr_end 10.1.2.255
sonic(config-ipsec-test)# ike traffic_selector remote ip4 addr_start 10.1.1.0 addr_end 10.1.1.255
sonic(config-ipsec-test)# sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 1.1.1.2 dst_ip 1.1.1.1 next_hop 1.1.1.1 remote_ip 10.1.1.0/24 shared_interface Ethernet2
```

Example of IPSEC configuration in PPPoE scenario
Network Requirements

The enterprise wants to protect data flows between the branch subnets and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and the headquarters gateway because they communicate over the Internet. The branch gateway functions as the PPPoE client to obtain an IP address, so the headquarters gateway cannot know the branch gateway's IP address in advance and can only respond to IPSec negotiation requests initiated by the branch gateway.

Procedure

Device1:

```
sonic(config)# interface dialer 1
sonic(config-dialerif-1)# ppp chap username test1 test123
sonic(config-dialerif-1)# ipsec test peer ip4 20.1.1.2
sonic(config-dialerif-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 80.0.0.1/24
sonic(config)# interface ethernet 1
sonic(config-if-1)# pppoe-client 1
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared_key_mic string test1234
sonic(config-ipsec-test)# ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 80.0.0.0 addr_end 80.0.0.255
sonic(config-ipsec-test)# ike traffic_selector remote ip4 addr_start 90.0.0.0 addr_end 90.0.0.255
sonic(config-ipsec-test)# sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 10.1.1.2 dst_ip 20.1.1.2 next_hop 10.1.1.1 remote_ip 90.0.0.0/24 shared_interface Dialer1
sonic(config)# ip route 20.1.1.0/24 dialer 1
```

Device2:

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 20.1.1.2/24
sonic(config-if-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 90.0.0.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared_key_mic string test1234
sonic(config-ipsec-test)# ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 90.0.0.0 addr_end 90.0.0.255
sonic(config-ipsec-test)# ike traffic_selector remote ip4 addr_start 80.0.0.0 addr_end 80.0.0.255
sonic(config-ipsec-test)# sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 20.1.1.2 dst_ip 10.1.1.2 next_hop 20.1.1.1 remote_ip 80.0.0.0/24 shared_interface Ethernet5
sonic(config)# ip route 10.1.1.0/24 20.1.1.1
```
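Both examples only negotiate successfully because the two devices mirror each other exactly: each side's `ike local` ID is the other side's `ike remote` ID, the local traffic selector of one peer is the remote selector of the other, the `sa tunnel` `src_ip`/`dst_ip` are swapped, and the IKE proposal, SA proposal and pre-shared key are identical. The script below is an added example (not part of this guide or the device's own software) that checks a pair of configurations for those properties before they are pushed, and flags algorithm choices from the tables above that are broken or being phased out. It assumes the command syntax shown on this page (keyword/value pairs after `ike` and `sa`) and embeds the first example's two sessions, prompts stripped, as constructed sample input.

```python
"""Peer-consistency and algorithm audit for a pair of IPsec CLI configurations.

Added example, not part of the original guide. It parses the ``ike``, ``sa``
and ``shared_key_mic`` lines of two device sessions, checks that the peers
mirror each other, and flags weak algorithm choices. The tokenising of the
CLI syntax is an assumption drawn from the command tables on the page.
"""
import ipaddress

# Constructed sample input: the two sessions of the first example above,
# prompts stripped, one command per line.
DEVICE1 = """\
shared_key_mic string test1234
ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
ike local type ip4 data 1.1.1.1
ike remote type ip4 data 1.1.1.2
ike traffic_selector local ip4 addr_start 10.1.1.0 addr_end 10.1.1.255
ike traffic_selector remote ip4 addr_start 10.1.2.0 addr_end 10.1.2.255
sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sa tunnel ip4 src_ip 1.1.1.1 dst_ip 1.1.1.2 next_hop 1.1.1.2 remote_ip 10.1.2.0/24 shared_interface Ethernet2
"""
DEVICE2 = """\
shared_key_mic string test1234
ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96 dh modp-2048
ike local type ip4 data 1.1.1.2
ike remote type ip4 data 1.1.1.1
ike traffic_selector local ip4 addr_start 10.1.2.0 addr_end 10.1.2.255
ike traffic_selector remote ip4 addr_start 10.1.1.0 addr_end 10.1.1.255
sa crypto_alg aes-cbc crypto_alg_size 256 integ_alg sha1-96
sa tunnel ip4 src_ip 1.1.1.2 dst_ip 1.1.1.1 next_hop 1.1.1.1 remote_ip 10.1.1.0/24 shared_interface Ethernet2
"""

# BROKEN should never be negotiated; LEGACY still interoperates but is being
# phased out (RFC 8221 / RFC 8247 guidance). Classification is this example's.
BROKEN = {"des", "des-iv64", "des-iv32", "null", "none", "md5-96", "md5-128",
          "kpdk-md5", "des-mac", "modp-768"}
LEGACY = {"3des", "sha1-96", "sha1-160", "modp-1024", "modp-1024-160"}


def _kv(tokens):
    """Pair up 'key value key value ...' tokens into a dict."""
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_config(text):
    """Extract the IKE/SA settings from one device's ipsec-view commands."""
    cfg = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "shared_key_mic":
            cfg["psk"] = (t[1], t[2])                       # (format, key)
        elif t[0] == "ike" and t[1] == "crypto_alg":
            cfg["ike_proposal"] = _kv(t[1:])
        elif t[0] == "ike" and t[1] in ("local", "remote"):
            cfg["ike_" + t[1]] = _kv(t[2:])                 # {'type':.., 'data':..}
        elif t[0] == "ike" and t[1] == "traffic_selector":
            cfg["ts_" + t[2]] = {"family": t[3], **_kv(t[4:])}
        elif t[0] == "sa" and t[1] == "crypto_alg":
            cfg["sa_proposal"] = _kv(t[1:])
        elif t[0] == "sa" and t[1] == "tunnel":
            cfg["tunnel"] = {"family": t[2], **_kv(t[3:])}
    return cfg


def _covers(cidr, selector):
    """True if the route prefix covers both ends of a traffic selector."""
    net = ipaddress.ip_network(cidr, strict=False)
    return all(ipaddress.ip_address(selector[k]) in net
               for k in ("addr_start", "addr_end"))


def check_pair(a, b):
    """List mismatches that would make negotiation fail or leave traffic
    outside the tunnel; an empty list means the two peers mirror."""
    problems = []
    for mine, theirs in (("a", "b"), ("b", "a")):
        x, y = (a, b) if mine == "a" else (b, a)
        if x["ike_local"] != y["ike_remote"]:
            problems.append(f"ike local ID on {mine} != ike remote ID on {theirs}")
        if x["ts_local"] != y["ts_remote"]:
            problems.append(f"local traffic selector on {mine} != remote selector on {theirs}")
        if x["tunnel"]["src_ip"] != y["tunnel"]["dst_ip"]:
            problems.append(f"tunnel src_ip on {mine} != dst_ip on {theirs}")
        if not _covers(x["tunnel"]["remote_ip"], x["ts_remote"]):
            problems.append(f"remote_ip route on {mine} does not cover its remote selector")
    for key in ("ike_proposal", "sa_proposal", "psk"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between peers")
    return problems


def audit_algorithms(cfg):
    """Flag broken or legacy algorithms in the IKE and SA proposals.
    integ_alg none is accepted only together with the AEAD cipher aes-gcm-16."""
    findings = []
    for stage in ("ike_proposal", "sa_proposal"):
        aead = cfg[stage].get("crypto_alg") == "aes-gcm-16"
        for param, alg in cfg[stage].items():
            if param == "integ_alg" and alg == "none" and aead:
                continue
            if alg in BROKEN:
                findings.append(f"{stage}.{param}={alg}: broken, do not use")
            elif alg in LEGACY:
                findings.append(f"{stage}.{param}={alg}: legacy, plan migration")
    return findings


if __name__ == "__main__":
    d1, d2 = parse_config(DEVICE1), parse_config(DEVICE2)
    for p in check_pair(d1, d2) or ["peers are consistent"]:
        print(p)
    for f in audit_algorithms(d1):
        print(f)
```

Run against the first example the pair check passes, and the audit reports `sha1-96` in both proposals as legacy; shrinking Device2's `remote_ip` to a prefix smaller than its remote selector, or changing one side's DH group, produces a concrete finding instead of a silent negotiation failure on the device.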