Example for Configuring OSPFv3 IPSec

Configure OSPFv3 IPSec on the interfaces of devices that are OSPFv3 neighbors of each other, so that forged OSPFv3 protocol packets cannot be used to attack the devices.

Networking Requirements

As shown in Figure 1, RouterA and RouterB are connected over a public network and run OSPFv3 between them. If no authentication mechanism is defined, the routing protocol packets exchanged between RouterA and RouterB can be modified or forged by an attacker on the network, which tears down the adjacency between RouterA and RouterB or introduces incorrect routes.

To prevent this, an IPSec security tunnel is configured between RouterA and RouterB to protect the OSPFv3 packets they send and receive. The security protocol is ESP (Encapsulating Security Payload) and the authentication algorithm is SHA-1 (Secure Hash Algorithm-1).

Figure 1 IPSec networking diagram

Configuration Roadmap

The configuration roadmap for the IPSec for OSPFv3 feature is as follows:

1. Configure basic OSPFv3 functions so that RouterA and RouterB can establish OSPFv3 routes.
2. Configure a security proposal to determine the security protocol and authentication algorithm to be applied.
3. Configure security association (SA) parameters.
4. Apply the SA to the OSPFv3 process so that IPSec protects the OSPFv3 protocol packets exchanged between RouterA and RouterB.

Data Preparation

To complete this configuration example, the following data is required:

| Device name | Router ID | Process ID | IPv6 address | Security parameter index (SPI) | String key |
|---|---|---|---|---|---|
| RouterA | 1.1.1.1 | 1 | GE1/0/1: 2001:DB8:100::1/64 | 12345 | Huawei-123 |
| RouterB | 2.2.2.2 | 1 | GE1/0/1: 2001:DB8:100::2/64 | 12345 | Huawei-123 |

Procedure

1. Configure OSPFv3 on RouterA and RouterB.

# Configure RouterA.

```
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] area 1
[RouterA-ospfv3-1-area-0.0.0.1] quit
[RouterA-ospfv3-1] quit
```

# Configure RouterB.

```
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] area 1
[RouterB-ospfv3-1-area-0.0.0.1] quit
[RouterB-ospfv3-1] quit
```

2. Configure IPv6 addresses on the interfaces and enable OSPFv3 on them.

# Configure RouterA.

```
[RouterA] ipv6
[RouterA] interface gigabitethernet1/0/1
[RouterA-GigabitEthernet1/0/1] ipv6 enable
[RouterA-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::1 64
[RouterA-GigabitEthernet1/0/1] ospfv3 1 area 1
[RouterA-GigabitEthernet1/0/1] quit
```

# Configure RouterB.

```
[RouterB] ipv6
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] ipv6 enable
[RouterB-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::2 64
[RouterB-GigabitEthernet1/0/1] ospfv3 1 area 1
[RouterB-GigabitEthernet1/0/1] quit
```

3. Create security proposals on RouterA and RouterB.

# Create a security proposal on RouterA.

```
[RouterA] ipsec proposal proposal1
[RouterA-ipsec-proposal-proposal1] encapsulation-mode transport
[RouterA-ipsec-proposal-proposal1] transform esp
[RouterA-ipsec-proposal-proposal1] undo esp encryption-algorithm
[RouterA-ipsec-proposal-proposal1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-proposal1] quit
```

# Create a security proposal on RouterB.

```
[RouterB] ipsec proposal proposal2
[RouterB-ipsec-proposal-proposal2] encapsulation-mode transport
[RouterB-ipsec-proposal-proposal2] transform esp
[RouterB-ipsec-proposal-proposal2] undo esp encryption-algorithm
[RouterB-ipsec-proposal-proposal2] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-proposal2] quit
```

# Run the display ipsec proposal command on RouterA and RouterB to view the configuration. The output on RouterA is used as an example.

```
[RouterA] display ipsec proposal
Total IP security proposal number: 1
IP security proposal name: proposal1
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication MD5-HMAC-96, not use encryption
```

4. Configure IPSec SAs and apply the proposals to the SAs on RouterA and RouterB.

# Configure an IPSec SA on RouterA and apply the proposal to it.

```
[RouterA] ipsec sa sa1
[RouterA-ipsec-sa-sa1] proposal proposal1
[RouterA-ipsec-sa-sa1] quit
```

# Configure an IPSec SA on RouterB and apply the proposal to it.

```
[RouterB] ipsec sa sa2
[RouterB-ipsec-sa-sa2] proposal proposal2
[RouterB-ipsec-sa-sa2] quit
```

5. Configure the security parameter index (SPI) and the string key on RouterA and RouterB.

# Configure the SPI and string key on RouterA.

```
[RouterA] ipsec sa sa1
[RouterA-ipsec-sa-sa1] sa spi inbound esp 12345
[RouterA-ipsec-sa-sa1] sa spi outbound esp 12345
[RouterA-ipsec-sa-sa1] sa string-key inbound esp Huawei-123
[RouterA-ipsec-sa-sa1] sa string-key outbound esp Huawei-123
[RouterA-ipsec-sa-sa1] quit
```

# Configure the SPI and string key on RouterB.

```
[RouterB] ipsec sa sa2
[RouterB-ipsec-sa-sa2] sa spi outbound esp 12345
[RouterB-ipsec-sa-sa2] sa spi inbound esp 12345
[RouterB-ipsec-sa-sa2] sa string-key outbound esp Huawei-123
[RouterB-ipsec-sa-sa2] sa string-key inbound esp Huawei-123
[RouterB-ipsec-sa-sa2] quit
```

6. Configure the SA for the OSPFv3 process.

# Configure the SA on the OSPFv3 process of RouterA.

```
[RouterA] ospfv3 1
[RouterA-ospfv3-1] ipsec sa sa1
[RouterA-ospfv3-1] quit
```

# Configure the SA on the OSPFv3 process of RouterB.

```
[RouterB] ospfv3 1
[RouterB-ospfv3-1] ipsec sa sa2
[RouterB-ospfv3-1] quit
```

7. Verify the configuration.

# Run the display ipsec sa command on RouterA and RouterB to view the configuration. The output on RouterA is used as an example.

```
[RouterA] display ipsec sa
  IP security association name: sa1
  Number of references: 1
    proposal name: proposal1
    inbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    inbound ESP setting:
      ESP spi: 12345 (0x3039)
      ESP string-key: b{br9\zi%X+/Y@:Y>Lw(L\v#
      ESP encryption hex key:
      ESP authentication hex key:
    outbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    outbound ESP setting:
      ESP spi: 12345 (0x3039)
      ESP string-key: D0>GQf"}w2@X,k6.E\Z,z\{#
      ESP encryption hex key:
      ESP authentication hex key:
```

# Run the display ipsec statistics command to view packet statistics, including the numbers of inbound/outbound security packets and of dropped packets. If inbound/outbound security packets are counted, the configuration is successful. For example:

```
[RouterA] display ipsec statistics
  IPv6 security packet statistics:
    input/output security packets: 184/19
    input/output security bytes: 13216/1312
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
  IPv4 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
```
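Because the SAs in this example are keyed manually, the most common cause of a non-zero "can't find SA" or "authentication is failed" counter is a mismatch between the two routers' SPIs, keys or proposals. The following check, added here as an example and not part of the original page or of Huawei's software, parses the SA-relevant commands of both routers (constructed inputs using the plaintext keys as typed in step 5, not the cipher text shown in the configuration files) and verifies that RouterA's inbound SPI and key equal RouterB's outbound ones and vice versa, and that both proposals agree on mode, transform and algorithms.

```python
import re

# Constructed input: the SA-relevant commands entered on RouterA in the steps above.
ROUTER_A = """ipsec proposal proposal1
 encapsulation-mode transport
 transform esp
 undo esp encryption-algorithm
 esp authentication-algorithm sha1
ipsec sa sa1
 sa spi inbound esp 12345
 sa string-key inbound esp Huawei-123
 sa spi outbound esp 12345
 sa string-key outbound esp Huawei-123"""
# RouterB uses the same values with its own object names, as on this page.
ROUTER_B = ROUTER_A.replace("proposal1", "proposal2").replace("sa1", "sa2")

def parse(cfg):
    """Collect proposal settings and per-direction SPI/key from one router's config."""
    out = {"enc": "none"}  # no encryption-algorithm line also means authentication-only ESP
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"encapsulation-mode (\S+)$", line):
            out["mode"] = m[1]
        elif m := re.match(r"transform (\S+)$", line):
            out["transform"] = m[1]
        elif line == "undo esp encryption-algorithm":
            out["enc"] = "none"
        elif m := re.match(r"esp (encryption|authentication)-algorithm (\S+)$", line):
            out[{"encryption": "enc", "authentication": "auth"}[m[1]]] = m[2]
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
            out[f"spi_{m[1]}"] = int(m[2])
        elif m := re.match(r"sa string-key (inbound|outbound) esp (\S+)$", line):
            out[f"key_{m[1]}"] = m[2]
    return out

def check_peers(cfg_a, cfg_b):
    """Return mismatches between two peers; an empty list means the SAs agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"proposal {f}: {a.get(f)} vs {b.get(f)}"
                for f in ("mode", "transform", "enc", "auth") if a.get(f) != b.get(f)]
    # A's inbound SA is B's outbound SA and vice versa: SPI and key must match crosswise.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for item in ("spi", "key"):
            if a.get(f"{item}_{mine}") != b.get(f"{item}_{theirs}"):
                problems.append(f"{item}: RouterA {mine} != RouterB {theirs}")
    return problems

if __name__ == "__main__":
    print(check_peers(ROUTER_A, ROUTER_B) or "SA parameters consistent")
```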

Configuration Files

Configuration file of RouterA

```
#
 sysname RouterA
#
ipsec proposal proposal1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 undo esp encryption-algorithm
#
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#
 sa spi outbound esp 12345
 sa string-key outbound esp cipher %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#
#
ospfv3 1
 router-id 1.1.1.1
 ipsec sa sa1
 area 0.0.0.1
#
ipv6
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001:DB8:100::1/64
 ospfv3 1 area 0.0.0.1
#
```

Configuration file of RouterB

```
#
 sysname RouterB
#
ipsec proposal proposal2
 encapsulation-mode transport
 esp authentication-algorithm sha1
 undo esp encryption-algorithm
#
ipsec sa sa2
 proposal proposal2
 sa spi inbound esp 12345
 sa string-key inbound esp cipher %^%#VlrZ=1vTW":z9:%F`[a=o[t#%^%#
 sa spi outbound esp 12345
 sa string-key outbound esp cipher %^%#)YTP%@nFE7bL^B&WSBiQ1[p#%^%#
#
ospfv3 1
 router-id 2.2.2.2
 ipsec sa sa2
 area 0.0.0.1
#
ipv6
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001:DB8:100::2/64
 ospfv3 1 area 0.0.0.1
#
```
