实验拓扑
实验要求
本次实验只是给出一个IPSec站点到站点 配置实例,并不给出具体解释。
本次实验由三台7200平台路由器完成,其中端口连接如上图所示,R1和R3上存在环回口1.1.1.1和3.3.3.3。全网运行EIGRP保证各个接口可达。
实验配置
R1: R1#conf t R1(config)#int f0/0 R1(config-if)#ip add 10.10.12.1 255.255.255.0 R1(config-if)#no sh R1(config-if)#int loo0 R1(config-if)#ip add 1.1.1.1 255.255.255.0 R1(config-if)#no sh R2: R2#conf t R2(config)#int f0/1 R2(config-if)#ip add 10.10.12.2 255.255.255.0 R2(config-if)#no sh R2(config-if)#int f0/0 R2(config-if)#ip add 10.10.23.2 255.255.255.0 R2(config-if)#no sh R2(config-if)#int loo0 R2(config-if)#ip add 2.2.2.2 255.255.255.0 R2(config-if)#no sh R3: R3#conf t R3(config)#int f0/1 R3(config-if)#ip add 10.10.23.3 255.255.255.0 R3(config-if)#no sh R3(config-if)#int lo0 R3(config-if)#ip add 3.3.3.3 255.255.255.0 R3(config-if)#no sh
R1; R1(config)#router eigrp 1 R1(config-router)#net 1.1.1.0 R1(config-router)#net 10.10.12.0 R2: R2(config)#router eigrp 1 R2(config-router)#net 2.2.2.0 R2(config-router)#net 10.10.12.0 R2(config-router)#net 10.10.23.0 R3: R3(config)#router eigrp 1 R3(config-router)#net 3.3.3.0 R3(config-router)#net 10.10.23.0
配置好R1,R2和R3的相关接口的IP地址,并且在全网运行EIGRP,使得各个接口直接可达。
在配置完成后查看R1和R3的路由表。
现要求配置R1到R3的站点到站点 IPSec VPN 并且对1.1.1.1到3.3.3.3的流量进行加密。那么分别在R1和R3上进行配置。
其中R1的配置如下:
R1(config)#crypto isakmp policy 10 //定义阶段1SA的策略 R1(config-isakmp)#authentication pre-share //预共享密钥以及对端IP地址 R1(config-isakmp)#encryption ? 3des Three key triple DES aes AES - Advanced Encryption Standard. des DES - Data Encryption Standard (56 bit keys). R1(config-isakmp)#encryption 3des //加密算法为3DES R1(config-isakmp)#group 5 R1(config-isakmp)#hash sha //hash 算法为 sha R1(config-isakmp)#exit R1(config)#crypto isakmp key cisco address 10.10.23.3 //定义预共享密钥以及对端IP地址 R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3 //定义加密ACL即选出需要加密的流量 R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac //定义变集 R1(cfg-crypto-trans)#crypto map mymap 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. R1(config-crypto-map)#set peer 10.10.23.3 R1(config-crypto-map)#set transform-set myset R1(config-crypto-map)#match address 100 R1(config-crypto-map)#exit //上述命令定义是一个加密图 R1(config)#int f0/0 R1(config-if)#crypto map mymap //将加密图mymap使用在接口F0/0上
同样的,由于该IPSec VPN 也是单向的,因此需要在R3上进行返回流量配置。
R3(config)#crypto isakmp policy 10 R3(config-isakmp)#authentication pre-share R3(config-isakmp)#encryption 3des R3(config-isakmp)#group 5 R3(config-isakmp)#sash sha ^ % Invalid input detected at '^' marker. R3(config-isakmp)#hash sha R3(config-isakmp)#exit R3(config)#crypto isakmp key cisco address 10.10.12.1 R3(config)#access-list 100 permit ip host 3.3.3.3 host 1.1.1.1 R3(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac R3(cfg-crypto-trans)#exit R3(config)#crypto map mymap 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. R3(config-crypto-map)#set peer 10.10.12.1 R3(config-crypto-map)#set transform-set myset R3(config-crypto-map)#match address 100 R3(config-crypto-map)#exit R3(config)#int f0/1 R3(config-if)#crypto map mymap R3(config-if)# *May 16 15:45:44.459: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R3(config-if)#exit
配置完毕后,需要注意,两端的阶段一和阶段二的各种认证加密策略必须要一致。
在R1上验证去往R3的环回口3.3.3.3。
R1#ping 3.3.3.3 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 80/93/108 ms R1#
上述命令是查看阶段一的 SA。
R1#show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr 10.10.12.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0) current_peer 10.10.23.3 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 10.10.12.1, remote crypto endpt.: 10.10.23.3 path mtu 1500, ip mtu 1500 current outbound spi: 0x77DBD158(2010894680) inbound esp sas: spi: 0x58A96EBA(1487498938) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: SW:1, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4552411/2905) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x77DBD158(2010894680) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: SW:2, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4552411/2896) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
上述命令是查看阶段二的SA。
