好消息，超酷的在线虚拟网络实验室上线了！点击开始实验

为获得更好的浏览效果，建议您使用 Firefox 或者 Chrome 浏览器

MSR系列路由器

使用加密卡处理IPSec功能的配置

关键字：MSR;IPSec;IKE;加密卡;调试

一、组网需求：

RT1和RT2建立IPSec连接，RT1使用加密卡进行数据加密、解密处理

设备清单：MSR系列路由器2台

二、组网图：

三、配置步骤：

设备和版本：MSR系列、Version 5.20, Release 1509

RT1配置

//IKE Peer配置

ike peer 20

pre-shared-key h3c

remote-address 1.2.0.2

//IPSec提议配置

ipsec proposal def

encapsulation-mode transport

//IPSec策略配置

ipsec policy 20 1 isakmp

security acl 3000

ike-peer 20

proposal def

//ACL配置

acl number 3000

rule 0 permit ip source 1.2.0.1 0 destination 1.2.0.2 0

//对接接口

interface GigabitEthernet0/0

port link-mode route

combo enable copper

ip address 1.2.0.1 255.255.255.252

//绑定IPSec策略

ipsec policy 20

//加密卡视图

interface Encrypt11/0

//绑定IPSec策略20

ipsec binding policy 20

RT2配置

//IKE Peer配置

ike peer 50

pre-shared-key h3c

remote-address 1.2.0.1

//IPSec提议配置

ipsec proposal def

encapsulation-mode transport

//IPSec策略配置

ipsec policy 50 1 isakmp

security acl 3000

ike-peer 50

proposal def

//ACL配置

acl number 3000

rule 0 permit ip source 1.2.0.2 0 destination 1.2.0.1 0

//对接接口

interface Ethernet0/0

port link-mode route

combo enable copper

ip address 1.2.0.2 255.255.255.252

//绑定IPSec策略

ipsec policy 50

RT1上进行IPSec调试

msr50>display debugging

IPSec packet debugging switch is on

<msr50>ping -c 1 1.2.0.2

PING 1.2.0.2: 56 data bytes, press CTRL_C to break

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96

*Jan 16 14:17:18:273 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:16

Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=3 ms

--- 1.2.0.2 ping statistics ---

1 packet(s) transmitted

1 packet(s) received

0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

<msr50>

<msr50>display debugging

IPSec packet debugging switch is on

interface Encrypt11/0

Encrypt11/0 Packet debugging switch is on.

<msr50>ping -c 1 1.2.0.2

PING 1.2.0.2: 56 data bytes, press CTRL_C to break

*Jan 16 14:17:51:591 2007 msr50 IPSEC/7/DBG:

Send data to encrypt card retry: success to send data to encrypt card!

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Src:1.2.0.2 Dst:1.2.0.1 SPI:1016432062(0x3c9585be)

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:Replay Checking Enabled! SN:17

*Jan 16 14:17:51:594 2007 msr50 IPSEC/7/DBG:

Send data to encrypt card retry: success to send data to encrypt card!

Reply from 1.2.0.2: bytes=56 Sequence=1 ttl=255 time=4 ms

--- 1.2.0.2 ping statistics ---

1 packet(s) transmitted

1 packet(s) received

0.00% packet loss

round-trip min/avg/max = 4/4/4 ms

<msr50>

四、配置关键点：

1) 在加密卡视图下绑定IPSec策略。