IPSec configuration in the Enterprise network VPN

Introduction to IPSec:

IPSec provides a series of protocol standards, the IPSec protocol is not a separate protocol, it gives a set of architecture applied to IP network data security, in the peer selection includes network authentication protocol authentication Header (AH), Encapsulating Secure Payload Protocol Encapsulating Security Payload (ESP), Key Management protocol Internet Key Exchange (IKE), and some algorithms for network authentication and encryption.

The IPSec protocol has two major advantages:

One is that IPSec introduces a complete security mechanism, including encryption, authentication, and data tamper-proof capabilities. The original TCP/IP system in the middle, does not include a security based design, anyone, as long as the line can be built, you can analyze all the communication data.

The second is to realize the interconnection of remote networks. Through package encapsulation technology, the IPSec protocol can use the Internet routable address, encapsulate the IP address of the internal network, and realize the interworking of the remote network.

IPSec is divided into the following steps in the process of establishing a VPN:

First, the data encapsulation, so that can not communicate with each other LAN through the export of IP address packaging to achieve off-site Lan-lan communication.

The security protocol is then used to encrypt the data and convert the plaintext into ciphertext.

Next to the data authentication, using encryption algorithm to send the message characteristics of the encryption generated a digital signature, the message was restored by the receiver, will check whether the digital signature is the same. If it is different, it has been modified.

Then identity authentication, VPN identity authentication has preshared key (Pre-shared-key), communication between the two parties to achieve the agreed encryption and decryption password, direct communication on it.

VPN Features:

After the VPN establishes the tunnel, it determines the tunnel route, that is, where to go and which tunnel to take. Many VPN tunneling configurations define the protection network so that tunnel routing is determined based on the protected network relationship. Other users in the middle of the network will not be able to access the network.

The following example describes how IPSec is configured on a H3C device:

Equipment requirements:

This experiment employs 3 h3c2600 routers and a three-layer h3cs3526e switch.

Test requirements:

Using IPSec to establish a VPN allows the head office to interoperate with each branch, and the branch can communicate with each other

Head Office Routing configuration:

[Router]int E1

[Router-ethernet1]ip Add 192.168.1.1 255.255.255.0

[Router-ethernet1]int E0

[Router-ethernet0]ip Add 192.168.4.10 24

[Router-ethernet0]quit

[Router]ip Route 0.0.0.0 0 192.168.1.254 "Configure a default route to simulate Internet network interoperability between 3-tier switches and 3 routers ' external nodes"

[Router]acl 3000 "Create access Control List"

[Router-acl-3000]rule Permit IP source 192.168.4.0 0.0.0.255 dest 192.168.5.0 ' Allow packets sent 4.0 packets and destination 5.0 packets passed '

[Router-acl-3000]rule Permit IP source 192.168.6.0 0.0.0.255 dest 192.168.5.0 0.0.0.255 "As a result of only 2 VPN tunnels, in order to achieve two branch communications, From branch 2 (6.0 network segment) sent packets to reach the branch 1 (5.0 network segment), must go through the Head Office (4.0 network segment) to be able to reach the head office in the router to allow 6.0 to reach 5.0 network segment of the packet through "

[Router-acl-3000]rule deny IP source any dest "deny all other packets through"

[Router-acl-3000]quit

[Router]acl 3001

[Router-acl-3001]rule Permit IP source 192.168.4.0 0.0.0.255 dest 192.168.6.0 0.0.0.255 "Allow packets from 4.0 to 6.0 to pass"

[Router-acl-3001]rule Permit IP source 192.168.5.0 0.0.0.255 dest 192.168.6.0 0.0.0.255 "Allow 5.0 to 6.0 packets through"

[Router-acl-3001]rule deny IP source any dest "reject other packages through"

[Router-acl-3001]quit

[Router]ipsec propo Tran1 "Create security proposal Tran1"

[Router-ipsec-proposal-tran1]encap Tunnel "Select Tunnel Connection"

[Router-ipsec-proposal-tran1]transform ESP ' Select Security protocol '

[Router-ipsec-proposal-tran1]esp encry des "Select encryption Algorithm"

[ROUTER-IPSEC-PROPOSAL-TRAN1]ESP auth MD5 "Select encryption Mode"

[Router-ipsec-proposal-tran1]quit

[Router]ipsec policy celue1 ISAKMP "Create security policy celue1 and write to the 10th sentence"

[Router-ipsec-policy-celue1-10]security ACL 3000 applies access control List 3000 to this policy.

[Router-ipsec-policy-celue1-10]proposal Tran1 to write security proposal Tran1 to this security policy.

[Router-ipsec-policy-celue1-10]tunnel remote 192.168.2.1 "interface to the remote tunnel"

[Router-ipsec-policy-celue1-10]quit

[Router]ipsec policy Celue1 ISAKMP "the 20th sentence of the celue1"

[router-ipsec-policy-celue1-20]security ACL 3001 "Apply access control List 3001"

[Router-ipsec-policy-celue1-20]proposal Tran1 "Application Security proposal Tran1"

[Router-ipsec-policy-celue1-20]tunnel remote 192.168.3.1 "Remote direct-attached VPN port"

[Router-ipsec-policy-celue1-20]quit

[Router]int E1

[Router-ethernet1]ipsec Policy celue1

[Router-ethernet1]quit

[Router]ike pre-sha FGS1 remote 192.168.2.1 "Preshared key, mutual authentication between the ports and both sides of the VPN to configure the same pre-shared key"

[Router]ike pre-s FGS2 Remote 192.168.3.1 "3.0 network segment preshared key"

[Router]