××× configuration example 04: Cisco router IPSEC_OVER_TUNNEL

1. Site1 router IPsec tunnel configuration:

crypto isakmp policy 10          // define the phase 1 security policy
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 61.128.1.1   // define the pre-shared key used by both ends; "cisco" is the key.
!
crypto ipsec transform-set cisco esp-des
 mode transport
!
crypto ipsec profile To_site2_ipsec   // define the phase 2 security policy
 set transform-set cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 202.100.1.1
 tunnel destination 61.128.1.1
 tunnel protection ipsec profile To_site2_ipsec   // apply the security policy to the tunnel interface; the tunnel itself defines the interesting traffic.
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Site1#
2. Site2 IPSEC configuration:

!
crypto isakmp policy 10          // define the phase 1 ISAKMP policy
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set cisco esp-des
 mode transport
!
crypto map cisco 10 ipsec-isakmp   // define the phase 2 IPsec security policy.
 set peer 202.100.1.1
 set transform-set cisco
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 202.100.1.1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 61.128.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco   // apply the crypto map "cisco" defined above to the interface.
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended ***
 permit gre host 61.128.1.1 host 202.100.1.1   // define the interesting traffic
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Site2#
3. ××× test:

Site1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/56/96 ms
Site1#
4. ××× status check:

1. Site1:

Site1#show crypto engi conne ac
  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
   1 Tunnel0          172.16.1.1      set    HMAC_MD5+3DES_56_C         0        0
2001 Tunnel0          202.100.1.1     set    DES                      234        0
2002 Tunnel0          202.100.1.1     set    DES                        0      233
Site1#show crypto isakmp sa
dst             src             state          conn-id slot status
61.128.1.1      202.100.1.1     QM_IDLE              1    0 ACTIVE
Site1#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (61.128.1.1/255.255.255.255/47/0)
   current_peer 61.128.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 236, #pkts encrypt: 236, #pkts digest: 236
    #pkts decaps: 235, #pkts decrypt: 235, #pkts verify: 235
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x698BB99(110672793)

     inbound esp sas:
      spi: 0x911DD429(2434651177)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4428651/1493)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x698BB99(110672793)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4428650/1490)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site1#
2. Site2:

Site2#show crypto engi conne ac
  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
   1 FastEthernet1/0  61.128.1.1      set    HMAC_MD5+3DES_56_C         0        0
2001 FastEthernet1/0  61.128.1.1      set    DES                      242        0
2002 FastEthernet1/0  61.128.1.1      set    DES                        0      243
Site2#show crypto isakmp sa
dst             src             state          conn-id slot status
61.128.1.1      202.100.1.1     QM_IDLE              1    0 ACTIVE
Site2#show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: cisco, local addr 61.128.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (61.128.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.100.1.1/255.255.255.255/47/0)
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 414, #pkts encrypt: 414, #pkts digest: 414
    #pkts decaps: 415, #pkts decrypt: 415, #pkts verify: 415
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0

     local crypto endpt.: 61.128.1.1, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x911DD429(2434651177)

     inbound esp sas:
      spi: 0x698BB99(110672793)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4472959/1405)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x911DD429(2434651177)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4472960/1404)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site2#
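As an added example (not part of the original post), the following Python script parses the two `show crypto ipsec sa` outputs above and performs the checks an operator would do by hand: each peer's outbound SPI must be the other peer's inbound SPI (0x698BB99 and 0x911DD429 cross-match here), and it flags Site2's non-zero send-error counter, the "replay detection support: N" line and the DES transform. The WEAK_TRANSFORMS list and the trimmed sample excerpts are constructed for this example.

```python
import re
# Assumption: the reviewer's own list of transforms worth flagging; this is not a Cisco setting.
WEAK_TRANSFORMS = {"esp-des", "esp-null"}

def parse_ipsec_sa(text):
    """Extract SPIs, transform, replay flag and send-error count from `show crypto ipsec sa` text."""
    # 'spi:' lines are printed in order: inbound ESP SA first, then outbound ESP SA.
    spis = [s.upper() for s in re.findall(r"^\s*spi: 0x([0-9A-Fa-f]+)", text, re.M)]
    transform = re.search(r"transform:\s*(\S+)", text)
    replay = re.search(r"replay detection support:\s*(\w)", text)
    errs = re.search(r"#send errors\s*(\d+)", text)
    return {
        "inbound_spi": spis[0] if spis else None,
        "outbound_spi": spis[1] if len(spis) > 1 else None,
        "transform": transform.group(1) if transform else None,
        "replay": replay.group(1) if replay else None,
        "send_errors": int(errs.group(1)) if errs else None,
    }

def check_peer_pair(name_a, sa_a, name_b, sa_b):
    """Cross-check two peers' parsed SA state; returns a list of findings (empty means clean)."""
    findings = []
    # Each side's outbound SPI must be the other side's inbound SPI, otherwise the SAs are not one pair.
    if sa_a["outbound_spi"] != sa_b["inbound_spi"] or sa_b["outbound_spi"] != sa_a["inbound_spi"]:
        findings.append("SPI mismatch between %s and %s" % (name_a, name_b))
    for name, sa in ((name_a, sa_a), (name_b, sa_b)):
        if sa["send_errors"]:
            findings.append("%s: %d send errors" % (name, sa["send_errors"]))
        if sa["replay"] != "Y":
            findings.append("%s: replay detection not active" % name)
        if sa["transform"] in WEAK_TRANSFORMS:
            findings.append("%s: weak transform %s" % (name, sa["transform"]))
    return findings

# Constructed excerpts that reuse the values shown in the page's own `show crypto ipsec sa` output.
SITE1 = """#send errors 0, #recv errors 0
inbound esp sas:
 spi: 0x911DD429(2434651177)
  transform: esp-des ,
  replay detection support: N
outbound esp sas:
 spi: 0x698BB99(110672793)"""
SITE2 = """#send errors 16, #recv errors 0
inbound esp sas:
 spi: 0x698BB99(110672793)
  transform: esp-des ,
  replay detection support: N
outbound esp sas:
 spi: 0x911DD429(2434651177)"""
```

Running `check_peer_pair("Site1", parse_ipsec_sa(SITE1), "Site2", parse_ipsec_sa(SITE2))` on the page's values reports no SPI mismatch and five findings: replay detection and esp-des on both sites, plus the 16 send errors on Site2.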
Reposted from: https://blog.51cto.com/ccie18405/1214608