VPN communication between firewalls
**Theory:** see the previous article on IPsec.
Lab topology:
LAN 1: ASA1 configuration:
```
ASA1> en
Password:
ASA1# conf t
ASA1(config)# int e0/0
ASA1(config-if)# ip add 192.168.1.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# nameif inside //name the inside (LAN) zone
ASA1(config-if)# security-level 100 //security level 100
ASA1(config-if)# exit
ASA1(config)# int e0/1
ASA1(config-if)# ip add 1.0.0.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# nameif outside //name the outside (WAN) zone
ASA1(config-if)# security-level 0 //security level 0
ASA1(config-if)# exit
ASA1(config)# route outside 0.0.0.0 0.0.0.0 1.0.0.2 //default route out of the outside zone via the ISP
ASA1(config)# nat-control //enable NAT control
//once enabled, traffic that matches no NAT rule is not allowed through
ASA1(config)# nat (inside) 1 0 0 //NAT ID 1: translate every inside network
ASA1(config)# global (outside) 1 interface //PAT NAT ID 1 to the outside interface address
INFO: outside interface address added to PAT pool
ASA1(config)# access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
//interesting traffic: local 192.168.1.0/24 to remote 192.168.2.0/24 (mirror image of ASA2's ACL; the original listed it in ASA2's direction, which matches nothing leaving this LAN)
ASA1(config)# nat (inside) 0 access-list 100 //NAT exemption for the addresses in ACL 100, so VPN traffic is not PATed
ASA1(config)# crypto isakmp enable outside //enable IKE on the outside zone
ASA1(config)# crypto isakmp policy 1 //create IKE policy 1
ASA1(config-isakmp-policy)# authentication pre-share //pre-shared-key authentication
ASA1(config-isakmp-policy)# encryption des //encryption algorithm DES
ASA1(config-isakmp-policy)# hash sha //hash algorithm SHA
ASA1(config-isakmp-policy)# lifetime 1600 //SA lifetime 1600 seconds
ASA1(config-isakmp-policy)# group 2 //Diffie-Hellman group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# crypto isakmp key 123.com address 2.0.0.2 //IKE pre-shared key 123.com for the peer's outside address (ASA2 is 2.0.0.2, as the IKE SA below shows; 1.0.0.1 is this ASA's own address)
ASA1(config)# crypto ipsec transform-set name-set esp-des esp-sha-hmac //IPsec transform set: ESP with DES encryption and SHA HMAC
ASA1(config)# tunnel-group 2.0.0.2 ipsec-attributes //tunnel attributes for the peer 2.0.0.2
ASA1(config-tunnel-ipsec)# pre-shared-key 123.com //authentication key 123.com
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# crypto map name-map 1 match address 100 //create the crypto map, matching the addresses in ACL 100
ASA1(config)# crypto map name-map 1 set transform-set name-set //bind the transform set to the crypto map
ASA1(config)# crypto map name-map 1 set peer 2.0.0.2 //peer address (ASA2's outside interface)
ASA1(config)# crypto map name-map interface outside //apply the map to the outside interface
ASA1(config)# exit
ASA1# show crypto isakmp sa //check the SA state
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.0.0.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE //phase 1 established
```
ISP: R1 configuration:
```
R1#conf t
R1(config)#int e0/0
R1(config-if)#ip add 1.0.0.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int e0/1
R1(config-if)#ip add 2.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
```
LAN 2: ASA2 configuration:
```
ASA2> en
Password:
ASA2# conf t
ASA2(config)# int e0/0
ASA2(config-if)# ip add 2.0.0.2 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# nameif outside
ASA2(config-if)# security-level 0
ASA2(config-if)# exit
ASA2(config)# int e0/1
ASA2(config-if)# ip add 192.168.2.1 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# nameif inside
ASA2(config-if)# security-level 100
ASA2(config)# route outside 0.0.0.0 0.0.0.0 2.0.0.1
ASA2(config)# nat-control
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA2(config)# access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list 100
ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 1
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# lifetime 1600
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit
ASA2(config)# crypto isakmp key 123.com address 1.0.0.1
ASA2(config)# crypto ipsec transform-set name-set esp-des esp-sha-hmac
ASA2(config)# tunnel-group 1.0.0.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key 123.com
ASA2(config-tunnel-ipsec)# exit
ASA2(config)# crypto map name-map 1 match address 100
ASA2(config)# crypto map name-map 1 set transform-set name-set
ASA2(config)# crypto map name-map 1 set peer 1.0.0.1
ASA2(config)# crypto map name-map interface outside
ASA2(config)# exit
ASA2# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.0.0.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
```
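A consistency check for the two ASA configurations above, as an added example that is not part of the original post: it parses the lines that must agree between two IPsec peers and reports a peer address pointing at the wrong side, pre-shared keys or transform sets that differ, and crypto ACLs that are not mirror images of each other. The config strings are constructed from the post's commands; the function names are my own.

```python
import re
# Constructed from the post's commands; only the lines the check needs.
ASA1_CFG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto isakmp key 123.com address 2.0.0.2
crypto ipsec transform-set name-set esp-des esp-sha-hmac
tunnel-group 2.0.0.2 ipsec-attributes
 pre-shared-key 123.com
crypto map name-map 1 set peer 2.0.0.2
"""
ASA2_CFG = """\
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto isakmp key 123.com address 1.0.0.1
crypto ipsec transform-set name-set esp-des esp-sha-hmac
tunnel-group 1.0.0.1 ipsec-attributes
 pre-shared-key 123.com
crypto map name-map 1 set peer 1.0.0.1
"""
def parse(cfg):
    """Pull the fields that must agree between two ASA IPsec peers."""
    f = {"acl": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            f["key"], f["key_peer"] = m.groups()
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            f["peer"] = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            f["tg"] = m.group(1)
        elif m := re.match(r"pre-shared-key (\S+)$", line):
            f["psk"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            f["tset"] = tuple(m.group(1).split())
        elif m := re.match(r"access-list \d+ permit ip (\S+) \S+ (\S+) \S+$", line):
            f["acl"].add(m.groups())  # (local network, remote network)
    return f

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return the mismatches between two peers; an empty list means they mirror."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    for name, f, remote in (("A", a, ip_b), ("B", b, ip_a)):
        issues += [f"{name}: {k} is {f.get(k)}, expected {remote}"
                   for k in ("peer", "key_peer", "tg") if f.get(k) != remote]
    if (a.get("key"), a.get("psk")) != (b.get("key"), b.get("psk")):
        issues.append("pre-shared keys differ")
    if a.get("tset") != b.get("tset"):
        issues.append("transform sets differ")
    if a["acl"] != {(r, l) for l, r in b["acl"]}:
        issues.append("crypto ACLs are not mirror images")
    return issues
```

Passing ASA2's lines unchanged as ASA1's config reproduces the copy-paste mistake of pointing ASA1 at its own outside address with an un-mirrored ACL, and the check reports all four problems.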
Verification:
With no routes configured on the ISP router R2, ping from VPC1 to VPC2.
Result: