

MSR Series Routers

Configuring IPSec Processing with an Encryption Card

 

Keywords: MSR; IPSec; IKE; encryption card; debugging

 

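I. Networking Requirements

RT1 and RT2 establish an IPSec connection. RT1 uses an encryption card to encrypt and decrypt the data.

Equipment list: 2 MSR series routers

II. Network Diagram:

III. Configuration Steps:

Device and version: MSR series, Version 5.20, Release 1509

RT1 configuration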

#

//IKE peer configuration

ike peer 20

 pre-shared-key h3c

 remote-address 1.2.0.2

#

//IPSec proposal configuration

ipsec proposal def

 encapsulation-mode transport

#

//IPSec policy configuration

ipsec policy 20 1 isakmp

 security acl 3000

 ike-peer 20

 proposal def

#

//ACL configuration

acl number 3000

 rule 0 permit ip source 1.2.0.1 0 destination 1.2.0.2 0

#

//Interface facing the peer

interface GigabitEthernet0/0

 port link-mode route

 combo enable copper

 ip address 1.2.0.1 255.255.255.252

 //Bind the IPSec policy

 ipsec policy 20

#

//Encryption card view

interface Encrypt11/0

 //Bind IPSec policy 20

 ipsec binding policy 20

#

RT2 configuration

#

//IKE peer configuration

ike peer 50

 pre-shared-key h3c

 remote-address 1.2.0.1

#

//IPSec proposal configuration

ipsec proposal def

 encapsulation-mode transport

#

//IPSec policy configuration

ipsec policy 50 1 isakmp

 security acl 3000

 ike-peer 50

 proposal def

#

//ACL configuration

acl number 3000

 rule 0 permit ip source 1.2.0.2 0 destination 1.2.0.1 0

#

//Interface facing the peer

interface Ethernet0/0

 port link-mode route

 combo enable copper

 ip address 1.2.0.2 255.255.255.252

 //Bind the IPSec policy

 ipsec policy 50

#

IPSec debugging on RT1

<msr50>display debugging

IPSec packet debugging switch is on

<msr50>ping -c 1 1.2.0.2

  PING 1.2.0.2: 56  data bytes, press CTRL_C to break

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:16

    Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=3 ms

 

  --- 1.2.0.2 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 3/3/3 ms

 

<msr50>

 

<msr50>display debugging

IPSec packet debugging switch is on

interface Encrypt11/0

 Encrypt11/0 Packet debugging switch is on.

<msr50>ping -c 1 1.2.0.2

  PING 1.2.0.2: 56  data bytes, press CTRL_C to break

*Jan 16 14:17:51:591 2007 msr50 IPSEC/7/DBG:

 Send data to encrypt card retry: success to send data to encrypt card!

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:17

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:

 Send data to encrypt card retry: success to send data to encrypt card!

    Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=4 ms

 

  --- 1.2.0.2 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 4/4/4 ms

 

<msr50>

IV. Key Configuration Points

1) Bind the IPSec policy in the encryption card view.
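
To confirm from a saved debug capture that the binding took effect, the following added example (not part of the original page or of H3C tooling) parses IPSEC/7/DBG lines in the format shown above, counts the encryption card hand-off messages, and records the negotiated algorithms for each received ESP packet. The sample log is constructed from the page's output, the weak-algorithm list is this example's assumption, and the hand-off lines only appear when packet debugging on Encrypt11/0 is on, as in the second session.

```python
import re

# Constructed sample in the format of the RT1 debug session above.
SAMPLE = """\
*Jan 16 14:17:51:591 2007 msr50 IPSEC/7/DBG:
 Send data to encrypt card retry: success to send data to encrypt card!
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:17
"""

# Assumption of this example: algorithms flagged as too weak for new tunnels.
WEAK = {"DES", "HMAC-MD5-96"}

HDR = re.compile(r"^\*.*? IPSEC/7/DBG:")          # timestamp, host, module prefix
ADDR = re.compile(r"Src:(\S+) Dst:(\S+) SPI:(\d+)\(0x([0-9a-fA-F]+)\)")
ALGS = re.compile(r"Enc Alg:(\S+) Auth Alg:(\S+)")
SN = re.compile(r"Replay Checking Enabled! SN:(\d+)")

def parse_ipsec_debug(text):
    """Return (packets, card_handoffs) parsed from IPSec debug output."""
    packets, card_handoffs, cur = [], 0, None
    for raw in text.splitlines():
        line = HDR.sub("", raw).strip()
        if "success to send data to encrypt card" in line:
            card_handoffs += 1
        elif line.startswith("--- Receive IPSec(ESP) packet"):
            packets.append(cur := {"findings": []})
        elif cur is not None and (m := ADDR.search(line)):
            cur.update(src=m[1], dst=m[2], spi=int(m[3]))
            if int(m[4], 16) != cur["spi"]:       # both SPI forms must agree
                cur["findings"].append("SPI decimal/hex mismatch")
        elif cur is not None and (m := ALGS.search(line)):
            cur.update(enc=m[1], auth=m[2])
            cur["findings"] += [f"weak algorithm {a}" for a in m.groups() if a in WEAK]
        elif cur is not None and (m := SN.search(line)):
            cur["sn"] = int(m[1])
    return packets, card_handoffs

def duplicate_sequence_numbers(packets):
    """(SPI, SN) pairs seen more than once; anti-replay exists to reject these."""
    seen, dups = set(), []
    for p in packets:
        key = (p.get("spi"), p.get("sn"))
        if None not in key and key in seen:
            dups.append(key)
        seen.add(key)
    return dups
```

A hand-off count of zero in a capture taken with Encrypt11/0 packet debugging on means the traffic is not reaching the card, so check the `ipsec binding policy` line in the encryption card view.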
