
Cisco IPsec: branches without a fixed IP, HQ with a fixed IP, branches distinguished at HQ by ID (branch ID = hostname)


HQ R5: PC4 - inside F0/1, NAT, F0/0 outside
Branch R4: PC5 - inside F0/1, NAT, F0/0 outside
Branch R6: PC6 - inside F0/1, NAT, F0/0 outside
Notes:
R4: pre-shared key 123456, local ID CiscoA
R6: pre-shared key 1234567, local ID CiscoC
R5, as the HQ, only allows each ID to reach the network that corresponds to that ID.
When the peers interoperate in aggressive mode, the configuration of the tunnel initiator differs from that of the responder.
Cisco as the tunnel initiator:
crypto isakmp peer address 10.1.1.2 // required on the initiator
set aggressive-mode password 123456 (the pre-shared key)
set aggressive-mode client-endpoint fqdn CiscoA (the initiator defines its local ID; this fqdn is what HQ matches against, independent of the router's hostname)
Cisco as the tunnel responder:
crypto isakmp key 123456 hostname CiscoA // on the responder, binds the key to the corresponding initiator ID (security)
crypto isakmp identity hostname

Test: both branches without a fixed IP
R4 configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!

!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

lifetime 28800
!
crypto isakmp peer address 10.1.1.2
set aggressive-mode password 123456
set aggressive-mode client-endpoint fqdn CiscoA
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end

R6 configuration:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!!
no ip domain lookup
!
multilink bundle-name authenticated
!

archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp peer address 10.1.1.2
set aggressive-mode password 1234567
set aggressive-mode client-endpoint fqdn CiscoC
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
ip tcp synwait-time 5
!

interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.97.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.97.0 0.0.0.255 172.99.98.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.97.0 0.0.0.255 172.99.98.0 0.0.0.255
no cdp log mismatch duplex
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R5 configuration:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 hostname CiscoA
crypto isakmp key 1234567 hostname CiscoC
crypto isakmp identity hostname
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto dynamic-map dyna 10
set transform-set set1
match address 110
crypto dynamic-map dyna 20
set transform-set set1
match address 120
!
!
crypto map mymap 10 ipsec-isakmp dynamic dyna
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.98.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 120 permit ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
no cdp log mismatch duplex
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
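As an added example that is not part of the original post: a Python check over a constructed excerpt of the HQ (R5) configuration above. It verifies the two things this design depends on: each branch hostname ID is bound to its own pre-shared key, and every subnet pair a dynamic-map ACL protects is denied in NAT ACL 100 ahead of `permit ip any any` (otherwise PAT rewrites the packet before the crypto map sees it). The function names `parse` and `check` are my own.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt of the HQ (R5) config from the post, reduced to the lines
# the check reads: branch keys, the dynamic map, the NAT rule and the ACLs.
R5_CONFIG = """\
crypto isakmp key 123456 hostname CiscoA
crypto isakmp key 1234567 hostname CiscoC
crypto isakmp identity hostname
crypto dynamic-map dyna 10
 match address 110
crypto dynamic-map dyna 20
 match address 120
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 120 permit ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")
def parse(config):
    # Returns (acls, hostname -> key, dynamic-map entry -> crypto ACL, NAT ACL)
    acls, keys, dmaps, nat_acl, cur = defaultdict(list), {}, {}, None, None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := ACL_RE.match(line):
            acls[m[1]].append((m[2], m[3], m[4]))
        elif line.startswith("crypto isakmp key "):
            keys[line.split()[-1]] = line.split()[3]   # "... key K hostname H"
        elif line.startswith("crypto dynamic-map "):
            cur = line.split(None, 2)[2]               # e.g. "dyna 10"
        elif cur and line.startswith("match address "):
            dmaps[cur] = line.split()[-1]
        elif line.startswith("ip nat inside source list "):
            nat_acl = line.split()[5]
        elif not line.startswith(("set ", "match ")):
            cur = None                                 # left the dynamic-map block
    return acls, keys, dmaps, nat_acl
def check(config):
    acls, keys, dmaps, nat_acl = parse(config)
    # One key per branch ID: a shared key lets either branch authenticate as the other
    dups = {k for k, n in Counter(keys.values()).items() if n > 1}
    findings = [f"key of {h} is shared with another branch ID" for h, k in keys.items() if k in dups]
    # Each pair a dynamic-map ACL protects needs a deny in the NAT ACL ahead of
    # 'permit ip any any', or PAT rewrites the source before the crypto-map check
    nat = acls.get(nat_acl, [])
    stop = next((i for i, e in enumerate(nat) if e == ("permit", "any", "any")), len(nat))
    for entry, acl in dmaps.items():
        for action, src, dst in acls.get(acl, []):
            if action == "permit" and ("deny", src, dst) not in nat[:stop]:
                findings.append(f"{entry}: {src} -> {dst} is not exempted in NAT ACL {nat_acl}")
    return findings
```

Run `check(R5_CONFIG)` to get an empty list for the configuration as posted; reusing a key for a second hostname or dropping one of the NAT-exemption denies produces a finding per affected branch.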
