Configuring IPsec on an MSR 3G interface with an OSCCA (GM) crypto card, using SM2 authentication
I. Networking requirements:
Encrypt the data traffic on a 3G interface with the IPsec OSCCA crypto card; IKE authentication uses the SM2 method.
II. Network diagram:
III. Configuration steps:
Applicable devices and versions: MSR series, release 2314 and later.
1. Router 1 configuration overview:
#
ike local-name ra
//Enable ike oscca-main-mode enable so that IKE negotiation uses the crypto card's algorithms
ike oscca-main-mode enable
#
ipsec session idle-time 60
#
dns resolve //Enable local DNS resolution and the DNS proxy
dns proxy enable
#
acl number 3000 //ACL 3000 selects the traffic to protect; rule 0 permit ip sends all IP traffic through the tunnel
rule 0 permit ip
#
//Key configuration: see "3. Key configuration steps" below
public-key peer 60.191.123.86
public-key-code begin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public-key-code end
peer-public-key end
#
ike proposal 1 //IKE proposal: SM2 authentication, SM1-CBC-128 encryption, SM3 hash
authentication-method oscca-sm2
encryption-algorithm sm1-cbc-128
authentication-algorithm sm3
#
ike peer 1 //IKE peer, identified by its name (rb) and its fixed public address
proposal 1
remote-name rb
remote-address 60.191.123.86
#
ipsec transform-set 1 //IPsec transform set: ESP in tunnel mode with SM3 integrity and SM1-CBC-128 encryption
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sm3
esp encryption-algorithm sm1-cbc-128
#
ipsec policy 1 1 isakmp //IPsec policy whose SAs are negotiated by IKE
security acl 3000
ike-peer 1
transform-set 1
#
//Common attributes of the Cellular interface and the 3G-related settings. The cipher values below are this example's reversibly stored PPP credentials and SIM PIN (CHAP needs the plaintext, so they are encrypted, not hashed); replace them with your own
interface Cellular2/0
async mode protocol
link-protocol ppp
ppp chap user card
ppp chap password cipher $c$3$nX7WRahR3o7UX7mA7wLOAhVBevZhUF4=
ppp pap local-user card password cipher $c$3$77lSoQFVYY5poPShWaUG5FfLrY43BPE=
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer enable-circular
dialer-group 1
dialer timer autodial 1
dialer number *99#
pin verify cipher $c$3$X88QTsn7MOrxJr0Q4LiWp4IksgAsrmU=
ipsec policy 1 //Bind the IPsec policy to the interface
#
ip route-static 0.0.0.0 0.0.0.0 Cellular2/0 //Default route
#
dialer-rule 1 ip permit //Interesting traffic that triggers dialing
#
//First run display user-interface to find the TTY number that corresponds to the Cellular interface (32 here), then enter that TTY view and change the modem mode so that the modem is allowed to dial out
user-interface tty 32
modem both
#
2. Router 2 configuration overview:
#
ike local-name rb
//Enable ike oscca-main-mode enable so that IKE negotiation uses the crypto card's algorithms
ike oscca-main-mode enable
#
acl number 3000 //ACL 3000 selects the traffic to protect; rule 0 permit ip sends all IP traffic through the tunnel
rule 0 permit ip
#
//Key configuration: see "3. Key configuration steps" below (on Router 2 the same steps are run with Router 1's public key)
public-key peer 115.170.3.106
public-key-code begin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public-key-code end
peer-public-key end
#
ike proposal 1 //IKE proposal: SM2 authentication, SM1-CBC-128 encryption, SM3 hash
authentication-method oscca-sm2
encryption-algorithm sm1-cbc-128
authentication-algorithm sm3
#
ike peer 1 //IKE peer, identified by its name (ra) and its fixed public address
proposal 1
remote-name ra
remote-address 115.170.3.106
#
ipsec transform-set 1 //IPsec transform set: ESP in tunnel mode with SM3 integrity and SM1-CBC-128 encryption
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sm3
esp encryption-algorithm sm1-cbc-128
#
ipsec policy 1 1 isakmp //IPsec policy whose SAs are negotiated by IKE
security acl 3000
ike-peer 1
transform-set 1
#
interface GigabitEthernet0/0
port link-mode route
ip address 60.191.123.86 255.255.255.0
ipsec policy 1 //Bind the IPsec policy to the interface
#
ip route-static 0.0.0.0 0.0.0.0 60.191.123.1 //Static default route
#
3. Key configuration steps, using Router 1 as the example
Generate the local asymmetric key pair and configure the remote host's public key.
// Create the local asymmetric key pair; this pair is dedicated to the crypto card
[MSR]public-key local create sm2
Generating Keys...
# Display the public half of the local SM2 key pair (this is what the peer must paste)
[MSR]display public-key local sm2 public
=====================================================
Time of Key pair created: 00:52:41 2012/01/01
Key name: HOST_KEY
Key type: SM2 Encryption Key
=====================================================
Key code:
308201343081ED06082A811C814501822D3081E0020101302C06072A8648CE3D0101022100FFFFFF
FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF30440420FFFFFFFEFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC042028E9FA9E9D9F5E344D5A9E4BCF
6509A7F39789F515AB8F92DDBCBD414D940E9304410432C4AE2C1F1981195F9904466A39C9948FE3
0BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF
32E52139F0A0022100FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D541
23020101034200046EE751BEAFE63E5A6DC14AEE93020556AF5E00B2077BD67C76F7374036AEB915
D978F9440E604420243AA1B3D45AD0AFF972D15B5557315BC3B2FCB175A9885A
// Configure the remote host's public key: paste the key code that Router 2 printed with the same display command. Only the public half is exchanged. This key is what authenticates the peer during IKE, so obtain it over a trusted channel (for example the console) and compare it with Router 2's own display output before committing it
[MSR]public-key peer 60.191.123.86
Public key view: return to System View with "peer-public-key end".
[MSR-pkey-public-key]public-key-code begin
Public key code view: return to last view with "public-key-code end".
[MSR-pkey-key-code]308201343081ED06082A811C814501822D3081E0020101302C06072A8648CE3D0101022100FFFFFF
[MSR-pkey-key-code]FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF30440420FFFFFFFEFFFFFF
[MSR-pkey-key-code]FFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC042028E9FA9E9D9F5E344D5A9E4BCF
[MSR-pkey-key-code]6509A7F39789F515AB8F92DDBCBD414D940E9304410432C4AE2C1F1981195F9904466A39C9948FE3
[MSR-pkey-key-code]0BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF
[MSR-pkey-key-code]32E52139F0A0022100FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D541
[MSR-pkey-key-code]23020101034200045B8EF86170CE70614F50DFA6BD589239BA401EBADEF372D2EE4BAF2A777DCB48
[MSR-pkey-key-code]392719ED5A218F7978D3E302A014E98EE08531CBE87EDC75537CCF9327AF5AFC
[MSR-pkey-key-code] public-key-code end
[MSR-pkey-public-key] peer-public-key end
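Before committing a pasted key code it is worth checking what it actually contains. The following Python script is an added example, not H3C code: it decodes the DER SubjectPublicKeyInfo that display public-key local sm2 public prints (Router 1's key code from above is embedded as the sample input), decodes the algorithm OID, confirms that the explicitly embedded curve parameters are the recommended SM2 curve (p, a, b, n, G, h = 1), and checks that the public point satisfies the curve equation. The function names and the layout of the checks are this example's own; it assumes the key code carries explicit curve parameters, as the one on this page does.

```python
"""Sanity-check an SM2 key code before pasting it into `public-key peer`.

Added example (not H3C code). Pure Python, no third-party modules.
"""

# Recommended SM2 curve parameters; a genuine key code should embed exactly these.
SM2_P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
SM2_A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
SM2_B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
SM2_N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
SM2_GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
SM2_GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

# Router 1's public key exactly as printed in section 3, line breaks removed.
ROUTER1_KEY_HEX = (
    "308201343081ED06082A811C814501822D3081E0020101302C06072A8648CE3D0101022100FFFFFF"
    "FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF30440420FFFFFFFEFFFFFF"
    "FFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC042028E9FA9E9D9F5E344D5A9E4BCF"
    "6509A7F39789F515AB8F92DDBCBD414D940E9304410432C4AE2C1F1981195F9904466A39C9948FE3"
    "0BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF"
    "32E52139F0A0022100FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D541"
    "23020101034200046EE751BEAFE63E5A6DC14AEE93020556AF5E00B2077BD67C76F7374036AEB915"
    "D978F9440E604420243AA1B3D45AD0AFF972D15B5557315BC3B2FCB175A9885A"
)


def der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Render an encoded OBJECT IDENTIFIER as dotted text."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_sm2_spki(key_hex):
    """Parse a SubjectPublicKeyInfo with explicit EC parameters into a dict of integers."""
    der = bytes.fromhex(key_hex)
    tag, spki, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    (alg_tag, alg), (bs_tag, bitstr) = der_children(spki)
    if alg_tag != 0x30 or bs_tag != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    (oid_tag, oid), (_, params) = der_children(alg)
    if oid_tag != 0x06:
        raise ValueError("algorithm identifier does not start with an OID")
    # ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor }
    _version, field_id, curve, base, order, cofactor = [v for _, v in der_children(params)]
    _field_oid, prime = [v for _, v in der_children(field_id)]
    curve_vals = [v for _, v in der_children(curve)]  # a, b, optional seed
    if bitstr[0] != 0 or bitstr[1] != 0x04 or len(bitstr) != 2 + 64:
        raise ValueError("public key is not an uncompressed 256-bit point")
    return {
        "oid": decode_oid(oid),
        "p": int.from_bytes(prime, "big"),
        "a": int.from_bytes(curve_vals[0], "big"),
        "b": int.from_bytes(curve_vals[1], "big"),
        "gx": int.from_bytes(base[1:33], "big"),
        "gy": int.from_bytes(base[33:65], "big"),
        "n": int.from_bytes(order, "big"),
        "h": int.from_bytes(cofactor, "big"),
        "qx": int.from_bytes(bitstr[2:34], "big"),
        "qy": int.from_bytes(bitstr[34:66], "big"),
    }


def on_curve(x, y, p=SM2_P, a=SM2_A, b=SM2_B):
    """True if (x, y) is in range and satisfies y^2 = x^3 + a*x + b over GF(p)."""
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def is_standard_sm2_curve(k):
    """True if the embedded parameters are exactly the recommended SM2 curve."""
    return (k["p"], k["a"], k["b"], k["n"], k["gx"], k["gy"], k["h"]) == \
        (SM2_P, SM2_A, SM2_B, SM2_N, SM2_GX, SM2_GY, 1)


def key_is_well_formed(key_hex):
    """True if the key code parses as a complete SPKI with an uncompressed point."""
    try:
        parse_sm2_spki(key_hex)
        return True
    except (ValueError, IndexError):
        return False


def check_key(key_hex):
    """The checks a peer should make before trusting a pasted key code."""
    k = parse_sm2_spki(key_hex)
    return {
        "oid": k["oid"],
        "standard_curve": is_standard_sm2_curve(k),
        "point_on_curve": on_curve(k["qx"], k["qy"], k["p"], k["a"], k["b"]),
    }


if __name__ == "__main__":
    print(check_key(ROUTER1_KEY_HEX))
```

Decoding the OID from this key code gives 1.2.156.197.1.301, which is not the registered OSCCA arc 1.2.156.10197 under which the SM2 identifier 1.2.156.10197.1.301 is defined; a parser written against the registered identifier must accept the device's encoding as well. The curve is carried explicitly rather than as a named-curve OID, which is why the script compares every parameter: a key code with a substituted curve would still parse cleanly. The point-on-curve check catches a mistyped coordinate but says nothing about who generated the key; only comparing against the peer's own display output does that.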
IV. Key configuration points:
1. Algorithms of the OSCCA crypto card: SM1 is a symmetric block cipher used by IPsec ESP to encrypt packet payloads (AH provides integrity only and does not encrypt); in CBC mode the card supports key lengths of 128, 192 and 256 bits with a 128-bit IV. SM2 is an elliptic-curve public-key algorithm; here it generates the SM2 key pair and authenticates the IKE peers (authentication-method oscca-sm2). SM3 is a hash algorithm with a 256-bit initial value and a 256-bit digest.
2. Crypto card command: because the card's algorithms are not the standard IKE algorithms, if IKE SA negotiation authenticates with the OSCCA RSA or the OSCCA SM2 method, ike oscca-main-mode enable must be configured so that the card's algorithms are executed correctly for authentication during IKE SA negotiation. If authentication uses pre-shared keys or standard RSA signatures, ike oscca-main-mode enable is not needed. Note also that each ike peer in this case carries a remote-address, so both routers are assumed to have fixed, reachable public addresses (115.170.3.106 and 60.191.123.86).
3. If undo cryptoengine enable is configured while IKE/IPsec uses SM1, negotiation cannot succeed, because SM1 is implemented only in the card and cannot be computed in software.