cisco路由器IPSEC vpn

原创

gltglt 2011-04-05 19:17:00 博主文章分类：Security ©著作权

文章标签 思科 VPN IPSEC L2L sit点对点 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者gltglt的原创作品，请联系作者获取转载授权，否则将追究法律责任

最近比较蛋疼。闲的的无聊。。决定做点什么。什么简单做什么咯！

学习MPLS-×××过程中，提到了IPSEC ×××，决定复习下。

实验拓扑：

实验要求：

1、R12和R13之间启用IPSEC ×××。

2、R12和R15之间启用IPSEC ×××。

3、R11、R14、R16模拟PC。实验完成后R11、R14互通，R11、R16互通。

通过PING。引发感兴趣流，通过show命令验证×××的结果。

实验过程：

R11配置：

R11#show runn
Building configuration...

Current configuration : 1690 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R11
!
!
interface Ethernet0/1
ip address 1.1.1.2 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!

R12配置：

R12#show runn
Building configuration...

Current configuration : 2523 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R12
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 23.1.1.2
crypto isakmp key black address 25.1.1.2
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto ipsec transform-set black esp-des esp-md5-hmac
!
crypto map black 1 ipsec-isakmp
set peer 25.1.1.2
set security-association lifetime seconds 86400
set transform-set black
set pfs group1
match address 120
!
crypto map cisco 110 ipsec-isakmp
set peer 23.1.1.2
set security-association lifetime seconds 86400
set transform-set cisco
set pfs group1
match address 110
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 23.1.1.1 255.255.255.0
crypto map cisco
!
interface Ethernet0/1
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/2
ip address 25.1.1.1 255.255.255.0
crypto map black
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 2.1.1.0 255.255.255.0 23.1.1.2
ip route 3.1.1.0 255.255.255.0 25.1.1.2
!
access-list 110 permit ip 1.1.1.0 0.0.0.255 2.1.1.0 0.0.0.255
access-list 120 permit ip 1.1.1.0 0.0.0.255 3.1.1.0 0.0.0.255
!
!
!

R13配置：

饿。。R13的配置丢了。。稍等！！。。重新来配。

OK了。。3分钟搞定！

R13#show runn
Building configuration...

Current configuration : 2098 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R13
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!
!
ip cef
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 23.1.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 110 ipsec-isakmp
set peer 23.1.1.1
set security-association lifetime seconds 86400
set transform-set cisco
set pfs group1
match address 110
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 23.1.1.2 255.255.255.0
crypto map cisco
!
interface Ethernet0/1
ip address 2.1.1.1 255.255.255.0
!
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.0 255.255.255.0 23.1.1.1
!
access-list 110 permit ip 2.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
!
!

R14配置：

R14#show runn
Building configuration...

Current configuration : 1680 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R14
interface Ethernet0/0
ip address 2.1.1.2 255.255.255.0
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 2.1.1.1
!
!
!

R15配置：

R15#show runn
Building configuration...

Current configuration : 2166 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R15
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!
!
ip cef
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key black address 25.1.1.1
!
!
crypto ipsec transform-set black esp-des esp-md5-hmac
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map black 1 ipsec-isakmp
set peer 25.1.1.1
set security-association lifetime seconds 86400
set transform-set black
set pfs group1
match address 120
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 3.1.1.1 255.255.255.0
!
interface Ethernet0/2
ip address 25.1.1.2 255.255.255.0
crypto map black
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.0 255.255.255.0 25.1.1.1
!
access-list 120 permit ip 3.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!

R16配置：

R16#show runn
Building configuration...

Current configuration : 1690 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R16

!
!
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 3.1.1.2 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 3.1.1.1
!
!
!

show命令：

R12#show crypto isakmp peers
Peer: 23.1.1.2 Port: 500 Local: 23.1.1.1
Phase1 id: 23.1.1.2
Peer: 25.1.1.2 Port: 500 Local: 25.1.1.1
Phase1 id: 25.1.1.2
R12#

R13#show crypto isakmp peers
Peer: 23.1.1.1 Port: 500 Local: 23.1.1.2
Phase1 id: 23.1.1.1
R13#

R15#show crypto isakmp peers
Peer: 25.1.1.1 Port: 500 Local: 25.1.1.2
Phase1 id: 25.1.1.1
R15#

R15#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
25.1.1.1 25.1.1.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R15#show crypto isakmp po
R15#show crypto isakmp policy

R12#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R12#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.1.1.1        25.1.1.2        QM_IDLE           1001 ACTIVE
23.1.1.1        23.1.1.2        QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R12#

R12#show crypto ipsec sa

interface: Ethernet0/0
Crypto map tag: cisco, local addr 23.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.1.1.0/255.255.255.0/0/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.1, remote crypto endpt.: 23.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x53578226(1398243878)
     PFS (Y/N): Y, DH group: group1

     inbound esp sas:
      spi: 0x2D3C2A37(758917687)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000046, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4433511/85971)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x53578226(1398243878)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000046, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4433511/85971)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Ethernet0/2
Crypto map tag: black, local addr 25.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (3.1.1.0/255.255.255.0/0/0)
   current_peer 25.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 25.1.1.1, remote crypto endpt.: 25.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/2
     current outbound spi: 0x65861355(1703285589)
     PFS (Y/N): Y, DH group: group1

     inbound esp sas:
      spi: 0x5A037DFB(1510178299)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: black
        sa timing: remaining key lifetime (k/sec): (4430371/85515)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x65861355(1703285589)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: black
        sa timing: remaining key lifetime (k/sec): (4430371/85515)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

outbound pcp sas:
R12#

=============================

东西太多。。。大家自己尝试吧。。