IPv6在校园网中的应用-IP安全分析 第8页
At the router1, first, we assign the interface Ethernet 0/0, interface Ethernet 3/0 and interface serial 1/0with the following IP addresses 103.3.3.254/24, 104.4.4.1/24, 10.1.1.1/30. Second, we must add a static route to router2. Third, we must configuration DHCP relay on the interface Ehernet0/0, which relay the DHCP server is 101.1.1.1
We can see the result with the following configuration file
#
interface Ethernet0/0
ip address 103.3.3.254 255.255.255.0
ip relay address 101.1.1.1
dhcp select relay
#
interface Ethernet3/0
ip address 104.4.4.1 255.255.255.0
#
interface Serial2/0
clock DTECLK1
link-protocol ppp
ip address 10.1.1.1 255.255.255.252
#
ip route-static 0.0.0.0 0 10.1.1.2 preference 80
#
At the router3, first, we assign the interface Ethernet 0/0, interface Ethernet 0/1, interface serial 1/1with the following IP addresses 104.4.4.254/24, 102.2.2.254/24, 11.1.1.2/30. Second, we must add a static route to router2. Third, we must configuration DHCP relay on the interface Ehernet0/0 and Ethernet 0/1, which relay the DHCP server is 101.1.1.1.
We can see the result with the following configuration file
#
interface Ethernet0/0
ip address 104.4.4.254 255.255.255.0
ip relay address 101.1.1.1
dhcp select relay
#
interface Ethernet0/1
ip address 102.2.2.254 255.255.255.0
ip relay address 101.1.1.1
dhcp select relay
#
interface Serial1/1
link-protocol ppp
ip address 11.1.1.2 255.255.255.252
#
ip route-static 0.0.0.0 0 11.1.1.1
#
5.1.3 Test the platform
Computer A gets IP address 103.3.3.1/24,and computer E gets IP address 102.2.2.5/24. The users of subnet1 can use ping command to test the accessibility to subnet3. According to follow figure, which provides that it success.
 
图表 5 1: The accessibility of two subnets
5.2 implement IPsec
In order to enhance the security of the communications at IP layer between subnet1 and subnet2, we will implement IPsec on the router1 and router3
5.2.1 The main step of configure IPsec
1. configure access control lists (ACL)
2. define security proposal
 create security proposal
 select security protocol
 select security arithmetic
 select the form of the encapsulation-mode
3. create security policy
Include using manual and IKE creates to security policy.
Using manual to create security policy
1. manual create security policy
2. quote security proposal in the security policy
3. quote ACL in the security policy
4. configure the tunnel’s local and remote peer
5. configure the SA’s SPI
6. configure the key of SA
Using IKE to create security policy
1. using IKE create security policy
2. quote security proposal in the security policy
3. quote ACL in the security policy
4. quote IKE peer in the security policy
4 apply security policy on the interface
In order to enhance, we decides to use IKE SA to create IPsec. Because the manual SA’s IPsec use pre-hared keys, and pre-shared keys are stored in plaintext, so manual SA’s IPsec is a relatively weak authentication method
Let us view the part of configuration files which is concern about IPsec on the router1 and router3
 On router1
#
ike peer router3
 pre-shared-key 123456
 remote-address 104.4.4.254
#
ipsec proposal router1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy torouter3 1 isakmp
 security acl 3001
 ike-peer router3
 proposal router1
#
interface Ethernet0/0
 ip address 103.3.3.254 255.255.255.0
 ip relay address 101.1.1.1
 dhcp select relay
#
interface Ethernet3/0
 ip address 104.4.4.1 255.255.255.0
ipsec policy torouter3
#
interface Serial2/0
clock DTECLK1
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.252
#
acl number 300
rule 0 permit ip source 103.3.3.0 0.0.0.255 destination 102.2.2.0 0.0.0.255
#
ip route-static 102.2.2.254 24 104.4.4.254
ip route-static 0.0.0.0 0 10.1.1.2 preference 80
On router3
#
ike peer router1
 pre-shared-key 123456
 remote-address 104.4.4.1
#
ipsec proposal router3
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy torouter1 1 isakmp
security acl 3001
ike-peer router1
proposal router3
#
interface Ethernet0/0
ip address 104.4.4.254 255.255.255.0

上一页  [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]  ... 下一页  >>