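MSR Series Routers
Configuring IPSec Processing on an Encryption Card
Keywords: MSR; IPSec; IKE; encryption card; debugging
I. Networking requirements:
RT1 and RT2 establish an IPSec connection; RT1 uses an encryption card to encrypt and decrypt the data.
Equipment list: two MSR series routers
II. Network diagram:
III. Configuration steps:
Applicable devices and versions: MSR series, Version 5.20, all versions after Beta 1202.
RT1 configuration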
#
// Enable encryption card fast forwarding
encrypt-card fast-switch
#
// IKE peer configuration
ike peer 20
pre-shared-key h3c
remote-address 1.2.0.2
#
// IPSec proposal configuration
ipsec proposal def
encapsulation-mode transport
#
// IPSec policy configuration
ipsec policy 20 1 isakmp
security acl 3000
ike-peer 20
proposal def
#
// ACL configuration
acl number 3000
rule 0 permit ip source 1.2.0.1 0 destination 1.2.0.2 0
#
// Interface facing the peer
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.2.0.1 255.255.255.252
// Apply the IPSec policy
ipsec policy 20
#
// Encryption card view
interface Encrypt11/0
// Bind IPSec policy 20
ipsec binding policy 20
#
RT2 configuration
#
// IKE peer configuration
ike peer 50
pre-shared-key h3c
remote-address 1.2.0.1
#
// IPSec proposal configuration
ipsec proposal def
encapsulation-mode transport
#
// IPSec policy configuration
ipsec policy 50 1 isakmp
security acl 3000
ike-peer 50
proposal def
#
// ACL configuration
acl number 3000
rule 0 permit ip source 1.2.0.2 0 destination 1.2.0.1 0
#
// Interface facing the peer
interface Ethernet0/0
port link-mode route
combo enable copper
ip address 1.2.0.2 255.255.255.252
// Apply the IPSec policy
ipsec policy 50
#
IPSec debugging on RT1
<msr50>display debugging
IPSec packet debugging switch is on
<msr50>ping -c 1 1.2.0.2
PING 1.2.0.2: 56 data bytes, press CTRL_C to break
*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)
*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:16
Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=3 ms
--- 1.2.0.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
<msr50>
<msr50>display debugging
IPSec packet debugging switch is on
interface Encrypt11/0
Encrypt11/0 Packet debugging switch is on.
<msr50>ping -c 1 1.2.0.2
PING 1.2.0.2: 56 data bytes, press CTRL_C to break
*Jan 16 14:17:51:591 2007 msr50 IPSEC/7/DBG:
Send data to encrypt card retry: success to send data to encrypt card!
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:17
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:
Send data to encrypt card retry: success to send data to encrypt card!
Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=4 ms
--- 1.2.0.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/4 ms
<msr50>
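The following Python script is an added example, not part of the original case or of any H3C tooling. It parses debug output in the format of the RT1 captures above and reports each received ESP packet's SPI, algorithms and sequence number, how many encryption-card handoffs were logged, and any findings. The function name `summarize` and the `WEAK_ALGS` policy set are assumptions of this example.

```python
import re

# Sample input: lines from the second RT1 capture above, embedded to run offline.
SAMPLE = """\
*Jan 16 14:17:51:591 2007 msr50 IPSEC/7/DBG:
Send data to encrypt card retry: success to send data to encrypt card!
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:17
"""

# Assumption: local policy treats these algorithms as deprecated.
WEAK_ALGS = {"DES", "HMAC-MD5-96"}
FIELDS = re.compile(
    r"Src:(?P<src>\S+) Dst:(?P<dst>\S+) SPI:\d+\((?P<spi>0x[0-9a-f]+)\)"
    r"|Enc Alg:(?P<enc>\S+) Auth Alg:(?P<auth>\S+)"
    r"|Replay Checking Enabled! SN:(?P<sn>\d+)")

def summarize(log):
    """Return received ESP packets, encryption-card handoffs and findings."""
    packets, card_sends, findings, last_sn = [], 0, [], {}
    for line in log.splitlines():
        if "success to send data to encrypt card" in line:
            card_sends += 1
        elif "--- Receive IPSec(ESP) packet ---" in line:
            packets.append({})
        elif packets and (m := FIELDS.search(line)):
            packets[-1].update({k: v for k, v in m.groupdict().items() if v})
    # The handoff line only appears while Encrypt interface debugging is on.
    if packets and card_sends == 0:
        findings.append("no encrypt-card handoff logged")
    for p in packets:
        spi = p.get("spi")
        for alg in (p.get("enc"), p.get("auth")):
            msg = f"SPI {spi}: weak algorithm {alg}"
            if alg in WEAK_ALGS and msg not in findings:
                findings.append(msg)
        if "sn" in p:
            sn = int(p["sn"])
            if sn <= last_sn.get(spi, 0):
                findings.append(f"SPI {spi}: sequence number {sn} not increasing")
            last_sn[spi] = sn
    return {"packets": packets, "card_sends": card_sends, "findings": findings}

if __name__ == "__main__":
    for finding in summarize(SAMPLE)["findings"]:
        print(finding)
```

A missing handoff line means either that packet debugging on the Encrypt interface is off, as in the first capture, or that the policy is not bound to the card.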
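IV. Key configuration points:
1) Bind the IPSec policy in the encryption card view;
2) Enabling encryption card fast forwarding improves the card's forwarding performance.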