Application of IPv6 in Campus Networks: IP Security Analysis, page 11
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
3. On Host 1, edit the .sad file, adding SA entries to secure all traffic between Host 1 and Host 2. Two security associations must be created: one for traffic to Host 2 and one for traffic from Host 2.
The following table shows the first SA entry that is added to zzq.sad (for traffic to Host 2):
.sad file field name   Example value
SAEntry                2
SPI                    3001
SADestIPAddr           1::2e0:4cff:fe95:792f
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test
Direction              OUTBOUND
SecPolicyIndex         1
Type a semicolon at the end of the entry configuring this SA.
The following table shows the second SA entry that is added to zzq.sad (for traffic from Host 2):
.sad file field name   Example value
SAEntry                1
SPI                    3000
SADestIPAddr           1::20d:87ff:fe2d:e6e5
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test
Direction              INBOUND
SecPolicyIndex         1
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
4. On Host 1, create a file that contains the data used to create and validate the Message Digest 5 (MD5) keyed hash on each IPSec-protected packet exchanged with Host 2. In this example, a text file is used: a file named Test is created with the contents "This is a test". There are no extra characters, spaces, or lines.
The IPv6 protocol supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation through Internet Key Exchange (IKE) is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.
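The following is an added illustration, not code from the original text or from Microsoft's ipsec6 implementation, of why the key file must contain exactly the key and nothing else. It models an AH-protected ICMPv6 Echo Request in transport mode: the sender computes an HMAC-MD5-96 integrity check value (ICV) over the IPv6 header with its mutable fields zeroed, the AH header with a zeroed ICV field, and the ICMPv6 payload (RFC 4302 section 3.3.3.1, RFC 2403); the receiver recomputes it with its own key file bytes. The addresses, SPI and payload are constructed sample values, and the ICMPv6 checksum is left at zero because it plays no part in the ICV calculation being shown.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-MD5-96 (RFC 2403): first 96 bits of the 128-bit MAC
PROTO_AH = 51
PROTO_ICMPV6 = 58

# Constructed sample addresses in the 2001:db8::/32 documentation prefix.
HOST1 = bytes.fromhex("20010db8" + "0" * 22 + "01")
HOST2 = bytes.fromhex("20010db8" + "0" * 22 + "02")


def load_key(file_bytes: bytes) -> bytes:
    """The manual key is the key file's bytes taken verbatim. An editor that
    appends a newline silently changes the key on one host only, which is why
    the text insists on no extra characters, spaces, or lines."""
    return file_bytes


def ipv6_header(src: bytes, dst: bytes, payload_len: int,
                next_header: int, hop_limit: int) -> bytes:
    # Version 6, traffic class 0, flow label 0, then payload length,
    # next header, hop limit, source and destination addresses (40 bytes).
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len,
                       next_header, hop_limit, src, dst)


def ah_header(spi: int, seq: int, icv: bytes) -> bytes:
    # AH Payload Len is the header length in 32-bit words minus 2 (RFC 4302 2.2);
    # 12 fixed bytes + a 12-byte ICV = 6 words, so the field carries 4.
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", PROTO_ICMPV6, payload_len, 0, spi, seq) + icv


def icmpv6_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    # Type 128 (Echo Request), code 0; checksum left 0 for this illustration.
    return struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data


def ah_icv(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
           upper: bytes) -> bytes:
    """ICV per RFC 4302 3.3.3.1: MAC over the IPv6 header with the mutable
    fields (traffic class, flow label, hop limit) zeroed, the AH header with
    a zeroed ICV field, and everything after AH."""
    ip = ipv6_header(src, dst, 12 + ICV_LEN + len(upper), PROTO_AH, hop_limit=0)
    ah = ah_header(spi, seq, bytes(ICV_LEN))
    return hmac.new(key, ip + ah + upper, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
                    upper: bytes, hop_limit: int = 64) -> bytes:
    """Sender side: the packet as it appears on the wire, with the real hop limit."""
    icv = ah_icv(key, src, dst, spi, seq, upper)
    ip = ipv6_header(src, dst, 12 + ICV_LEN + len(upper), PROTO_AH, hop_limit)
    return ip + ah_header(spi, seq, icv) + upper


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: locate AH after the 40-byte IPv6 header, recompute the
    ICV with the local key file's bytes, and compare in constant time."""
    src, dst = packet[8:24], packet[24:40]
    ah = packet[40:]
    spi, seq = struct.unpack("!II", ah[4:12])
    icv, upper = ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, src, dst, spi, seq, upper))


if __name__ == "__main__":
    key = load_key(b"This is a test")            # exact key file contents
    echo = icmpv6_echo_request(1, 1, b"abcdefgh")
    pkt = build_ah_packet(key, HOST1, HOST2, 3001, 1, echo)
    print("same key:", verify_ah_packet(key, pkt))
    print("key file with trailing newline:",
          verify_ah_packet(load_key(b"This is a test\n"), pkt))
    print("hop limit decremented in transit:",
          verify_ah_packet(key, pkt[:7] + b"\x3f" + pkt[8:]))
```

The second check fails on purpose: the peer's key file differs by a single newline, so every Echo Request is discarded even though both files "say" the same thing. The third check passes because the hop limit is a mutable field and is zeroed before the MAC is computed, which is what lets AH survive forwarding.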
5. On Host 2, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (zhqz.sad) and security policies (zhqz.spd).
Figure 5-4
6. On Host 2, edit the .spd file, adding a security policy that secures all traffic between Host 2 and Host 1.
The following table shows the security policy entry that is added to zhqz.spd before the first entry (the first entry in zhqz.spd is not modified):
.spd file field name   Example value
Policy                 2
RemoteIPAddr           1::20d:87ff:fe2d:e6e5
LocalIPAddr            *
Protocol               *
RemotePort             *
LocalPort              *
IPSecProtocol          AH
IPSecMode              TRANSPORT
RemoteGWIPAddr         *
SABundleIndex          NONE
Direction              BIDIRECT
Action                 APPLY
InterfaceIndex         0
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
7. On Host 2, edit the .sad file, adding SA entries to secure all traffic between Host 2 and Host 1. Two security associations must be created: one for traffic to Host 1 and one for traffic from Host 1.
The following table shows the first SA entry that is added to zhqz.sad (for traffic to Host 1):
.sad file field name   Example value
SAEntry                2
SPI                    3001
SADestIPAddr           1::20d:87ff:fe2d:e6e5
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test
Direction              OUTBOUND
SecPolicyIndex         2
Type a semicolon at the end of the entry configuring this SA.
The following table shows the second SA entry that is added to zhqz.sad (for traffic from Host 1):
.sad file field name   Example value
SAEntry                1
SPI                    3000
SADestIPAddr           1::2e0:4cff:fe95:792f
DestIPAddr             POLICY
SrcIPAddr              POLICY
Protocol               POLICY
DestPort               POLICY
SrcPort                POLICY
AuthAlg                HMAC-MD5
KeyFile                Test
Direction              INBOUND
SecPolicyIndex         2
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
8. On Host 2, create a text file that contains the text string used to authenticate the SAs created with Host 1. In this example, a file named Test is created with the contents "This is a test". There are no extra characters, spaces, or lines.
9. On Host 1, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l zzq command is run on Host 1.
10. On Host 2, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l zhqz command is run on Host 2.
11. On Host 2, use the ping command to ping Host 1's link-local address.
12. If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication Header (AH) listed between the IPv6 header and the ICMPv6 header.
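Before loading the files with ipsec6 l, it is worth checking the hand-written entries against the rules the steps above state, since a wrong index or ordering is otherwise only discovered when the ping in step 11 fails. The checker below is an added example and not part of the original text or of the ipsec6 tool; it reads a simplified whitespace-separated "field value ... ;" listing of the .spd and .sad entries (the real ipsec6 file layout is not reproduced here), and the addresses and SPIs are constructed sample values for two hypothetical hosts A and B. It enforces the semicolon terminator, decreasing numerical order of Policy and SAEntry numbers, that every SecPolicyIndex names an existing policy, that AH SAs carry AuthAlg and KeyFile, that an OUTBOUND SA's SADestIPAddr is the policy's RemoteIPAddr and an INBOUND SA's is the local address, and, across the two hosts, that each OUTBOUND SA has a peer INBOUND SA with the same SPI and destination, because the receiver selects the SA by the SPI carried in the AH header (RFC 4302).

```python
from typing import Dict, List, Set, Tuple

# Constructed sample configuration for hosts A (2001:db8::1) and B (2001:db8::2).
SPD_A = """
Policy 2 RemoteIPAddr 2001:db8::2 LocalIPAddr * Protocol * RemotePort * LocalPort *
IPSecProtocol AH IPSecMode TRANSPORT RemoteGWIPAddr * SABundleIndex NONE
Direction BIDIRECT Action APPLY InterfaceIndex 0 ;
"""
SPD_B = SPD_A.replace("2001:db8::2", "2001:db8::1")
SAD_A = """
SAEntry 2 SPI 3001 SADestIPAddr 2001:db8::2 DestIPAddr POLICY SrcIPAddr POLICY Protocol POLICY
DestPort POLICY SrcPort POLICY AuthAlg HMAC-MD5 KeyFile Test Direction OUTBOUND SecPolicyIndex 2 ;
SAEntry 1 SPI 3000 SADestIPAddr 2001:db8::1 DestIPAddr POLICY SrcIPAddr POLICY Protocol POLICY
DestPort POLICY SrcPort POLICY AuthAlg HMAC-MD5 KeyFile Test Direction INBOUND SecPolicyIndex 2 ;
"""
SAD_B = """
SAEntry 2 SPI 3000 SADestIPAddr 2001:db8::1 DestIPAddr POLICY SrcIPAddr POLICY Protocol POLICY
DestPort POLICY SrcPort POLICY AuthAlg HMAC-MD5 KeyFile Test Direction OUTBOUND SecPolicyIndex 2 ;
SAEntry 1 SPI 3001 SADestIPAddr 2001:db8::2 DestIPAddr POLICY SrcIPAddr POLICY Protocol POLICY
DestPort POLICY SrcPort POLICY AuthAlg HMAC-MD5 KeyFile Test Direction INBOUND SecPolicyIndex 2 ;
"""


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Parse 'Name Value ... ;' tokens into one dict per entry. Every entry,
    including the last, must end with the semicolon ipsec6 requires."""
    entries, current, tokens, i = [], {}, text.split(), 0
    while i < len(tokens):
        if tokens[i] == ";":
            entries.append(current)
            current, i = {}, i + 1
            continue
        if i + 1 >= len(tokens) or tokens[i + 1] == ";":
            raise ValueError(f"field {tokens[i]} has no value")
        current[tokens[i]] = tokens[i + 1]
        i += 2
    if current:
        raise ValueError("last entry is not terminated with ';'")
    return entries


def check_host(spd: str, sad: str, local_addr: str) -> List[str]:
    """Checks that apply to one host's own .spd/.sad pair."""
    problems: List[str] = []
    policies, sas = parse_entries(spd), parse_entries(sad)
    for label, nums in (("policy", [int(p["Policy"]) for p in policies]),
                        ("SA", [int(s["SAEntry"]) for s in sas])):
        if nums != sorted(nums, reverse=True) or len(set(nums)) != len(nums):
            problems.append(f"{label} entries not in decreasing numerical order")
    by_num = {p["Policy"]: p for p in policies}
    for sa in sas:
        pol = by_num.get(sa["SecPolicyIndex"])
        if pol is None:
            problems.append(f"SA {sa['SAEntry']}: SecPolicyIndex "
                            f"{sa['SecPolicyIndex']} names no policy")
            continue
        if pol["IPSecProtocol"] == "AH" and not {"AuthAlg", "KeyFile"} <= sa.keys():
            problems.append(f"SA {sa['SAEntry']}: AH requires AuthAlg and KeyFile")
        want = pol["RemoteIPAddr"] if sa["Direction"] == "OUTBOUND" else local_addr
        if sa["SADestIPAddr"] != want:
            problems.append(f"SA {sa['SAEntry']}: SADestIPAddr should be {want}")
    return problems


def _sa_keys(sad: str, direction: str) -> Set[Tuple[str, str]]:
    return {(s["SPI"], s["SADestIPAddr"])
            for s in parse_entries(sad) if s["Direction"] == direction}


def check_pair(sad_a: str, sad_b: str) -> List[str]:
    """Each OUTBOUND SA on one host needs an INBOUND SA on the peer with the
    same SPI and SADestIPAddr; otherwise the peer cannot look up the SA."""
    problems: List[str] = []
    for name, out, inn in (("A", sad_a, sad_b), ("B", sad_b, sad_a)):
        for spi, dst in sorted(_sa_keys(out, "OUTBOUND") - _sa_keys(inn, "INBOUND")):
            problems.append(f"host {name}: OUTBOUND SPI {spi} to {dst} "
                            f"has no matching INBOUND SA on the peer")
    return problems


if __name__ == "__main__":
    print("host A:", check_host(SPD_A, SAD_A, "2001:db8::1") or "ok")
    print("host B:", check_host(SPD_B, SAD_B, "2001:db8::2") or "ok")
    print("pairing:", check_pair(SAD_A, SAD_B) or "ok")
```

Running it on the constructed configuration reports no problems; feeding it the same .sad file for both hosts, or a .sad with its two entries in ascending order, produces the corresponding messages, which is the kind of mistake that otherwise surfaces only as an unanswered ping in step 11.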


Copyright © 2007-2012 www.chuibin.com (Liuwei Thesis Network). All rights reserved.