MSR产品3G接口使用IPsec国密卡加密采用共享密钥认证功能的配置

MSR产品3G接口使用IPsec国密卡加密采用共享密钥认证功能的配置

 

一、  组网需求：

用IPsec国密卡加密3G接口的数据流量，IPsec国密卡加密使用共享密钥认证。

二、  组网图：

 

三、  配置步骤：

适用设备和版本：MSR系列、2314及以后版本。

1.     路由器1配置概要说明：                                         

#                                                                              

 ipsec session idle-time 60                                                    

#                                                                              

 domain default enable system                                                  

#                                                                               

 dns resolve       //配置本地DNS解析与DNS代理功能                                                            

 dns proxy enable                                    

#                                                                              

acl number 3000    //配置acl                                                         

 rule 0 permit ip                                                                                                                                            

#                                                                               

ike proposal 1    //配置ike proposal                                                             

 encryption-algorithm sm1-cbc-128                                              

 authentication-algorithm sm3                                                  

#                                                                               

ike peer 1      //配置ike对等体                                                             

 proposal 1                                                                    

 pre-shared-key cipher $c$3$EK2V1ReDDXeBl7YGyJjcSf1nq2420w==                   

 remote-name rb                                                                

 remote-address 60.191.123.86                                                  

#                                                                               

ipsec transform-set 1      //配置安全提议                                                  

 encapsulation-mode tunnel                                                     

 transform esp                                                                 

 esp authentication-algorithm sm3                                               

 esp encryption-algorithm sm1-cbc-128                                          

#                                                                              

ipsec policy 1 1 isakmp    //配置ipsec安全策略                                                          

 security acl 3000                                                             

 ike-peer 1                                                                    

 transform-set 1  

#                                                                               

interface Cellular2/0    //配置3G网络EVDO网络的3G接口相关属性                                                    

 async mode protocol                                                           

 link-protocol ppp                                                             

 ppp chap user card                                                            

 ppp chap password cipher $c$3$nX7WRahR3o7UX7mA7wLOAhVBevZhUF4=                

 ppp pap local-user card password cipher $c$3$77lSoQFVYY5poPShWaUG5FfLrY43BPE= 

 ppp ipcp dns admit-any                                                         

 ppp ipcp dns request                                                          

 ip address ppp-negotiate                                                      

 dialer enable-circular                                                         

 dialer-group 1                                                                

 dialer timer autodial 1                                                       

 dialer number *99#                                                             

 pin verify cipher $c$3$X88QTsn7MOrxJr0Q4LiWp4IksgAsrmU=                       

 ipsec policy 1      //在相应接口上配置ipsec policy                                                    

#                                                                              

 ip route-static 0.0.0.0 0.0.0.0 Cellular2/0     //配置默认路由                              

#                                                                                                                                                              

 dialer-rule 1 ip permit   //配置感兴趣流量

#                                                                               

user-interface tty 12     //更改modem方式                                                     

 modem both  

2．路由器2配置概要说明：                     

#                                                                              

acl number 3000      //配置acl                                                              

 rule 0 permit ip                                  

#                                                                           

ike proposal 1        //配置ike proposal                                                             

 encryption-algorithm sm1-cbc-128                                              

 authentication-algorithm sm3                                                  

#                                                                               

ike peer 1             //配置ike对等体                                                             

 proposal 1                                                                    

 pre-shared-key cipher $c$3$iOBTaYL6jKZbYvhAaqWZCaVwqpLDLA==                   

 remote-name ra                                                                

 remote-address 115.170.3.106                                                  

#                                                                               

ipsec transform-set 1       //配置安全提议                                                        

 encapsulation-mode tunnel                                                     

 transform esp                                                                  

 esp authentication-algorithm sm3                                              

 esp encryption-algorithm sm1-cbc-128                         

#                                                                              

ipsec policy 1 1 isakmp      //配置ipsec安全策略                                                   

 security acl 3000                                                             

 ike-peer 1                                                                    

 transform-set 1  

#                                                                              

interface GigabitEthernet0/0                                                   

 port link-mode route                                                          

 ip address 60.191.123.86 255.255.255.0                                        

 ipsec policy 1        //在相应接口上配置ipsec policy                    

#                                                                               

 ip route-static 0.0.0.0 0.0.0.0 60.191.123.1       //配置默认路由                                   

#                                                                 

四、  配置关键点：

1.    国密办加密卡加密算法：SM1 : SM1对称加密算法, 用于IPsec AH, ESP协议对报文进行加密；CBC模式的SM1算法，密钥长度为128比特，192比特，256比特三种，IV长度为128比特。SM2 : 非对称加密算法，用于生成SM2类型的公钥对。SM3 : SM3 hash算法。密钥长度为256位，IV长度为256位，杂凑值长度为256位。

2.    国密卡有命令：由于国密卡的算法是非标准算法，所以ike sa协商阶段如果认证方法使用国密办rsa方法或者国密办sm2方法，必须使能ike oscca-main-mode enable。使得在ike sa协商阶段中，可以正确执行国密卡的算法进行认证。如果认证方法使用与共享密钥或者RSA数字签名方法，则不需要使能ike oscca-main-mode enable。

3.    如果配置了undo cryptoengine enable，ike/ipsec又采用SM1算法，那么将无法协商通过（软件无法计算SM1）。