配置OSPFv3 IPSec示例

在OSPFv3网络中互为OSPFv3邻居的设备接口上配置OSPFv3 IPSec，防止伪造的OSPFv3协议报文对设备进行非法攻击。

组网需求

如图1所示，RouterA和RouterB透过一段公共网络相连，RouterA和RouterB之间运行OSPFv3。如果不定义任何认证机制，RouterA和RouterB之间的路由协议报文很可能会被网络中的攻击者更改或者仿冒，造成RouterA和RouterB的邻接关系断开，或者引入错误路由。

为了防止上述情况发生，在RouterA和RouterB之间配置IPSec安全隧道，对它们收发的OSPFv3报文进行安全保护。安全协议采用ESP（Encapsulating Security Payload），认证算法采用SHA-1（Secure Hash Algorithm-1）。

图1 配置IPSec组网图

配置思路

采用如下的思路配置IPSec for OSPFv3特性：

配置OSPFv3基本功能，使RouterA和RouterB之间能够建立OSPFv3路由。

配置安全提议，以决定需要实施的安全协议、认证算法等。

配置安全联盟参数。

OSPFv3进程上应用安全联盟，以实现IPSec对RouterA和RouterB之间OSPFv3路由协议报文的保护。

数据准备

为完成此配置例，需要准备如下数据：

设备名称	Router ID	Process ID	IPv6地址	安全索引参数SPI	字符串密钥
RouterA	1.1.1.1	1	GE1/0/1: 2001:DB8:100::1/64	12345	Huawei-123
RouterB	2.2.2.2	1	GE1/0/1: 2001:DB8:100::2/64	12345	Huawei-123

操作步骤

1. 在RouterA和RouterB上配置OSPFv3。

# 配置RouterA。

<HUAWEI> system-view

[HUAWEI] sysname RouterA

[RouterA] ospfv3 1

[RouterA-ospfv3-1] router-id 1.1.1.1

[RouterA-ospfv3-1] area 1

[RouterA-ospfv3-1-area-0.0.0.1] quit

[RouterA-ospfv3-1] quit

# 配置RouterB。

<HUAWEI> system-view

[HUAWEI] sysname RouterB

[RouterB] ospfv3 1

[RouterB-ospfv3-1] router-id 2.2.2.2

[RouterB-ospfv3-1] area 1

[RouterB-ospfv3-1-area-0.0.0.1] quit

[RouterB-ospfv3-1] quit

1. 在接口上配置IPv6地址并使能OSPFv3。

# 配置RouterA。

[RouterA] ipv6

[RouterA] interface gigabitethernet1/0/1

[RouterA-GigabitEthernet1/0/1] ipv6 enable

[RouterA-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::1 64

[RouterA-GigabitEthernet1/0/1] ospfv3 1 area 1

[RouterA-GigabitEthernet1/0/1] quit

# 配置RouterB。

[RouterB] ipv6

[RouterB] interface gigabitethernet1/0/1

[RouterB-GigabitEthernet1/0/1] ipv6 enable

[RouterB-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::2 64

[RouterB-GigabitEthernet1/0/1] ospfv3 1 area 1

[RouterB-GigabitEthernet1/0/1] quit

1. 在RouterA和RouterB上创建安全提议。

# 在RouterA上创建安全提议。

[RouterA] ipsec proposal proposal1

[RouterA-ipsec-proposal-proposal1] encapsulation-mode transport

[RouterA-ipsec-proposal-proposal1] transform esp

[RouterA-ipsec-proposal-proposal1] undo esp encryption-algorithm

[RouterA-ipsec-proposal-proposal1] esp authentication-algorithm sha1

[RouterA-ipsec-proposal-proposal1] quit

# 在RouterB上创建安全提议。

[RouterB] ipsec proposal proposal2

[RouterB-ipsec-proposal-proposal2] encapsulation-mode transport

[RouterB-ipsec-proposal-proposal2] transform esp

[RouterB-ipsec-proposal-proposal2] undo esp encryption-algorithm

[RouterB-ipsec-proposal-proposal2] esp authentication-algorithm sha1

[RouterB-ipsec-proposal-proposal2] quit

# 在RouterA和RouterB上执行display ipsec proposal命令以查看配置信息。以RouterA显示内容为示例。

[RouterA] display ipsec proposal

Total IP security proposal number: 1

IP security proposal name: proposal1

encapsulation mode: transport

transform: esp-new

ESP protocol: authentication MD5-HMAC-96, not use encryption

1. 配置IPSec SA，并在RouterA和RouterB的SA上应用提议。

# 配置IPSec SA并在RouterA的SA上应用提议。

[RouterA] ipsec sa sa1

[RouterA-ipsec-sa-sa1] proposal proposal1

[RouterA-ipsec-sa-sa1] quit

# 配置IPSec SA并在RouterB的SA上应用提议。

[RouterB] ipsec sa sa2

[RouterB-ipsec-sa-sa2] proposal proposal2

[RouterB-ipsec-sa-sa2] quit

1. 在RouterA和RouterB上配置安全参数索引(SPI)及字符串格式密钥。

# 在RouterA上配置安全参数索引(SPI)和字符串格式密钥。

[RouterA] ipsec sa sa1

[RouterA-ipsec-sa-sa1] sa spi inbound esp 12345

[RouterA-ipsec-sa-sa1] sa spi outbound esp 12345

[RouterA-ipsec-sa-sa1] sa string-key inbound esp Huawei-123

[RouterA-ipsec-sa-sa1] sa string-key outbound esp Huawei-123

[RouterA-ipsec-sa-sa1] quit

# 在RouterB上配置安全参数索引(SPI)和字符串格式密钥。

[RouterB] ipsec sa sa2

[RouterB-ipsec-sa-sa2] sa spi outbound esp 12345

[RouterB-ipsec-sa-sa2] sa spi inbound esp 12345

[RouterB-ipsec-sa-sa2] sa string-key outbound esp Huawei-123

[RouterB-ipsec-sa-sa2] sa string-key inbound esp Huawei-123

[RouterB-ipsec-sa-sa2] quit

1. 为OSPFv3进程配置安全联盟。

# 在RouterA的OSPFv3进程上配置SA。

[RouterA] ospfv3 1

[RouterA-ospfv3-1] ipsec sa sa1

[RouterA-ospfv3-1] quit

# 在RouterB的OSPFv3进程上配置SA。

[RouterB] ospfv3 1

[RouterB-ospfv3-1] ipsec sa sa2

[RouterB-ospfv3-1] quit

1. 验证配置结果。

# 在RouterA和RouterB上执行display ipsec sa命令以查看配置。以RouterA上的显示内容为示例。

[RouterA] display ipsec sa

  IP security association name: sa1

  Number of references: 1

    proposal name: proposal1

    inbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    inbound ESP setting:

      ESP spi: 12345 (0x3039)

      ESP string-key: b{br9\zi%X+/Y@:Y>Lw(L\v#

      ESP encryption hex key:

      ESP authentication hex key:

    outbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    outbound ESP setting:

      ESP spi: 12345 (0x3039)

      ESP string-key: D0>GQf"}w2@X,k6.E\Z,z\{#

      ESP encryption hex key:

      ESP authentication hex key:

# 执行display ipsec statistics命令，可以查看报文的统计信息，包括入方向/出方向的安全报文数目、丢弃的报文数目等。如果有入方向/出方向的安全报文计数，则说明配置成功。例如：

[RouterA] display ipsec statistics

  IPv6 security packet statistics:

    input/output security packets: 184/19

    input/output security bytes: 13216/1312

    input/output dropped security packets: 0/0

    dropped security packet detail:

      memory process problem: 0

      can't find SA: 0

      queue is full: 0

      authentication is failed: 0

      wrong length: 0

      replay packet: 0

      too long packet: 0

      invalid SA: 0

      policy deny: 0

  the normal packet statistics:

    input/output dropped normal packets: 0/0

  IPv4 security packet statistics:

    input/output security packets: 0/0

    input/output security bytes: 0/0

    input/output dropped security packets: 0/0

    dropped security packet detail:

      memory process problem: 0

      can't find SA: 0

      queue is full: 0

      authentication is failed: 0

      wrong length: 0

      replay packet: 0

      too long packet: 0

      invalid SA: 0

      policy deny: 0

  the normal packet statistics:

    input/output dropped normal packets: 0/0

配置文件

RouterA的配置文件

#

sysname RouterA

#

ipsec proposal proposal1

 encapsulation-mode transport

 esp authentication-algorithm sha1

 undo esp encryption-algorithm

#

ipsec sa sa1

 proposal proposal1

 sa spi inbound esp 12345

 sa string-key inbound esp cipher %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#

 sa spi outbound esp 12345

 sa string-key outbound esp cipher %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#

#

ospfv3 1

 router-id 1.1.1.1

 ipsec sa sa1

 area 0.0.0.1   

#

ipv6

#

interface GigabitEthernet1/0/1

 undo shutdown

 ipv6 enable

 ipv6 address 2001:DB8:100::1/64

 ospfv3 1 area 0.0.0.1

#

RouterB的配置文件

#

sysname RouterB

#

ipsec proposal proposal2

 encapsulation-mode transport

 esp authentication-algorithm sha1

 undo esp encryption-algorithm

#

ipsec sa sa2

 proposal proposal2

 sa spi inbound esp 12345

 sa string-key inbound esp cipher %^%#VlrZ=1vTW":z9:%F`[a=o[t#%^%#

 sa spi outbound esp 12345

 sa string-key outbound esp cipher %^%#)YTP%@nFE7bL^B&WSBiQ1[p#%^%#

#

ospfv3 1

 router-id 2.2.2.2

 ipsec sa sa2

 area 0.0.0.1

#

ipv6

#

interface GigabitEthernet1/0/1

 undo shutdown

 ipv6 enable

 ipv6 address 2001:DB8:100::2/64

 ospfv3 1 area 0.0.0.1

#