Implementation of Ipsec Configuration

Source: Internet
Author: User

Another protocol for building a VPN is IPsec. Strictly speaking, IPsec is a framework made up of several protocols. Its implementation can be divided into the following four steps:

1. Define the data flow to be protected (filtering is controlled by an ACL).

2. Create a security proposal (set the encapsulation mode, select the security protocol, choose the authentication algorithm and, if ESP is used, the encryption algorithm; both ends must use consistent settings).

3. Create a security policy (ACL + security proposal + IKE peer). Automatic (IKE) negotiation is normally chosen for the policy.

4. Apply the policy to the interface.

The following figure shows the topology of this experiment (the sw devices are the firewalls and isp is the switch):

Partial configuration on isp:

[Quidway] sysname isp
[isp] int vlan 10
[isp-vlan10] port Ethernet 0/2
[isp-vlan10] vlan 20
[isp-vlan20] port Ethernet 0/10
[isp-vlan20] vlan 30
[isp-vlan30] port Ethernet 0/3
[isp-vlan30] vlan 40
[isp-vlan40] port Ethernet 0/20
[isp-vlan40] qu
[isp] int Vlan-interface 10
[isp-Vlan-interface10] ip add 61.130.132.2 255.255.255.252
[isp-Vlan-interface10] qu
[isp] int vlan 20
[isp-Vlan-interface20] ip add 61.130.134.2 255.255.255.252
[isp-Vlan-interface20] qu
[isp] int vlan 30
[isp-Vlan-interface30] ip add 61.130.133.2 255.255.255.252
[isp-Vlan-interface30] qu
[isp] int vlan 40
[isp-Vlan-interface40] ip add 61.130.135.2 255.255.255.252

Partial configuration on sw1:

[H3C] sysname sw1
[sw1] int eth0/0
[sw1-Ethernet0/0] ip add 192.168.1.254 24
[sw1-Ethernet0/0] int eth0/3
[sw1-Ethernet0/3] ip add 61.130.132.1 30
[sw1-Ethernet0/3] int eth 0/4
[sw1-Ethernet0/4] ip add 61.130.133.1 30
[sw1-Ethernet0/4] qu
[sw1] firewall zone trust
[sw1-zone-trust] add interface e0/0
[sw1-zone-trust] qu
[sw1] firewall zone untrust
[sw1-zone-untrust] add int e0/3
[sw1-zone-untrust] add int e0/4

Partial configuration on sw3:

[H3C] sysname sw3
[sw3] int e0/4
[sw3-Ethernet0/4] ip add 61.130.135.1 255.255.255.252
[sw3-Ethernet0/4] int eth0/0
[sw3-Ethernet0/0] ip add 192.168.3.254 255.255.255.0
[sw3-Ethernet0/0] loopback
[sw3-Ethernet0/0] qu
[sw3] firewall zone untrust
[sw3-zone-untrust] add int e0/4
[sw3] ip route 0.0.0.0 0 61.130.135.2

Partial configuration on sw2:

[H3C] sysname sw2
[sw2] int e0/4
[sw2-Ethernet0/4] ip add 61.130.134.1 255.255.255.252
[sw2-Ethernet0/4] int e0/0
[sw2-Ethernet0/0] ip add 192.168.2.254 255.255.255.0
[sw2-Ethernet0/0] loopback
[sw2-Ethernet0/0] qu
[sw2] firewall zone untrust
[sw2-zone-untrust] add int e0/4
[sw2] ip route 0.0.0.0 0 61.130.134.2

Configure IPsec on sw1:

// Select the traffic to protect with an ACL
[sw1] acl number 3000 match-order auto
[sw1-acl-adv-3000] rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[sw1-acl-adv-3000] rule 20 deny ip source any destination any
[sw1-acl-adv-3000] qu

// Create the security proposal
[sw1] ipsec proposal tran3
[sw1-ipsec-proposal-tran3] encapsulation-mode tunnel
[sw1-ipsec-proposal-tran3] transform esp
[sw1-ipsec-proposal-tran3] esp authentication-algorithm md5
[sw1-ipsec-proposal-tran3] esp encryption-algorithm des
[sw1-ipsec-proposal-tran3] quit

// Configure the IKE peer
[sw1] ike peer fw3
[sw1-ike-peer-fw3] pre-shared-key simple 12345
[sw1-ike-peer-fw3] local-address 61.130.132.1
[sw1-ike-peer-fw3] remote-address 61.130.134.1
[sw1-ike-peer-fw3] qu

// Create the security policy
[sw1] ipsec policy policy3 10 isakmp
[sw1-ipsec-policy-isakmp-policy3-10] security acl 3000
[sw1-ipsec-policy-isakmp-policy3-10] proposal tran3
[sw1-ipsec-policy-isakmp-policy3-10] ike-peer fw3
[sw1-ipsec-policy-isakmp-policy3-10] qu

// Apply the policy to the interface
[sw1] int eth0/3
[sw1-Ethernet0/3] ipsec policy policy3
[sw1-Ethernet0/3] qu

Configure sw2 and sw3 in the same way. Make sure the security proposal and the IKE pre-shared key are consistent on both ends, and that the ACL and the local/remote addresses are mirrored.
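To make that consistency requirement concrete, here is an added Python example (not part of the original page and not an H3C/Huawei tool) that reads the sw1 commands above, derives the mirrored settings the peer must carry, and reports every field on which the two ends would disagree. The command syntax is taken from the page; the regexes, the `expected_peer`/`mismatches`/`render_peer` names and the parsing approach are my own assumptions.

```python
import re

# Constructed from the sw1 commands shown above (prompts dropped); added
# example, not an H3C tool. The lab's md5/des/plaintext PSK are kept as-is.
SW1 = """
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 20 deny ip source any destination any
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
pre-shared-key simple 12345
local-address 61.130.132.1
remote-address 61.130.134.1
"""
# Settings both ends must agree on (proposal, key) or mirror (addresses).
SETTING = re.compile(r"(encapsulation-mode|transform|esp \S+-algorithm|"
                     r"pre-shared-key simple|local-address|remote-address) (\S+)$")
# Permit rules define the protected flows; the peer must list them reversed.
RULE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$")

def parse(cfg):
    """Map each relevant command to its value; collect permit rules as (src, dst)."""
    f = {"acl": []}
    for line in cfg.strip().splitlines():
        if m := RULE.match(line):
            f["acl"].append((m.group(1), m.group(2)))
        elif m := SETTING.match(line):
            f[m.group(1)] = m.group(2)
    return f

def expected_peer(f):
    """What the other end must hold: same proposal and PSK, swapped ACL and addresses."""
    g = dict(f, **{"local-address": f["remote-address"],
                   "remote-address": f["local-address"]})
    g["acl"] = [(dst, src) for src, dst in f["acl"]]
    return g

def mismatches(local_cfg, peer_cfg):
    """Settings on which IKE/IPsec negotiation or the protected flows would disagree."""
    want, have = expected_peer(parse(local_cfg)), parse(peer_cfg)
    return sorted(k for k in want if want[k] != have.get(k))

def render_peer(local_cfg):
    """Emit the mirrored command lines for the remote end (one rule per flow)."""
    g = expected_peer(parse(local_cfg))
    out = [f"rule {10 * (i + 1)} permit ip source {s} destination {d}"
           for i, (s, d) in enumerate(g.pop("acl"))]
    return out + [f"{k} {v}" for k, v in g.items()]
```

`render_peer(SW1)` yields the sw2 side of this lab; feeding a hand-typed sw2 configuration to `mismatches(SW1, ...)` names exactly the settings that would make phase 1 or phase 2 negotiation fail.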

The result is as follows:

