Points to note:
1. Understand the encapsulation process: the router always looks up the current outer source and destination addresses and processes the packet accordingly. For example, if the source and destination belong to the tunnel, it performs tunnel (GRE) encapsulation, producing a new packet whose source and destination are the physical addresses; if ESP encapsulation was already done before tunnel encapsulation and the new packet's source and destination are already physical addresses, no tunnel encapsulation takes place and the packet is sent straight out of the physical interface.
2. A crypto map has two roles. (1) It catches packets leaving the interface the map is applied to whose source and destination match the interesting traffic, and encapsulates them. (2) It checks packets entering the interface: if a packet matches the interesting traffic but is not encrypted, it is dropped, because packets coming in from outside should normally be encrypted; an unencrypted one is very likely spoofed, and dropping it is the safer choice. For this reason, even when the interesting traffic does not leave a given physical interface, it is still recommended to apply the crypto map on that physical interface as well, so that unencrypted interesting traffic is dropped.
3. Because the packet becomes a new packet after matching the crypto map on t0, a packet that was sent to t0 may no longer go through t0 after hitting the crypto map; keep this in mind.
site2:
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key l2lkey address 11.11.11.11
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
set peer 11.11.11.11
set transform-set trans
match address cisco
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Loopback1
ip address 22.22.22.22 255.255.255.0
!
interface Tunnel0
ip address 123.1.1.2 255.255.255.0
tunnel source 202.100.2.2
tunnel destination 202.100.1.1
crypto map cisco
!
interface Ethernet0/0
ip address 202.100.2.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 22.22.22.0 0.0.0.255 area 0
network 123.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 202.100.2.10
!
ip access-list extended cisco
permit ip host 2.2.2.2 host 1.1.1.1
site1:
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key l2lkey address 22.22.22.22
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
set peer 22.22.22.22
set transform-set trans
match address cisco
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 11.11.11.11 255.255.255.0
!
interface Tunnel0
ip address 123.1.1.1 255.255.255.0
tunnel source 202.100.1.1
tunnel destination 202.100.2.2
crypto map cisco
!
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.255 area 0
network 123.1.1.0 0.0.0.255 area 0
!
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
ip access-list extended cisco
permit ip host 1.1.1.1 host 2.2.2.2
!
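To make the three notes concrete, here is an added Python model of site1's egress path (not IOS code, and not part of the original page): a route lookup on the current outer header, the crypto map on Tunnel0 producing an ESP packet with local-address and peer as the new outer addresses, the GRE encapsulation that follows, and the inbound drop of unencrypted interesting traffic. The routing table, interface names and addresses are taken from the site1 config above; the helper names are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str            # current outer source address
    dst: str            # current outer destination address
    layers: list = field(default_factory=list)  # encapsulations applied so far, in order

# site1 forwarding state taken from the config above: the remote loopbacks and the
# tunnel peer are learned over Tunnel0 via OSPF, everything else follows the default route.
ROUTES = {"2.2.2.2": "Tunnel0", "22.22.22.22": "Tunnel0", "123.1.1.2": "Tunnel0"}
DEFAULT_IFACE = "Ethernet0/0"
TUNNEL0 = ("202.100.1.1", "202.100.2.2")   # tunnel source / tunnel destination
CRYPTO_ACL = ("1.1.1.1", "2.2.2.2")        # ip access-list extended cisco

def route(dst):
    return ROUTES.get(dst, DEFAULT_IFACE)

def matches_crypto_acl(pkt, inbound=False):
    # Inbound, IOS evaluates the mirrored ACL, so swap source and destination.
    src, dst = CRYPTO_ACL
    return (pkt.src, pkt.dst) == ((dst, src) if inbound else (src, dst))

def forward(pkt, local="11.11.11.11", peer="22.22.22.22", crypto_map_ifaces=("Tunnel0",)):
    """Walk a packet through egress; returns (physical interface, packet, interfaces visited).
    `local`/`peer` are the crypto map local-address and set peer (Loopback1 in the config)."""
    visited = []
    while True:
        iface = route(pkt.dst)            # note 1: always look up the current outer header
        visited.append(iface)
        if iface in crypto_map_ifaces and matches_crypto_acl(pkt) and "ESP" not in pkt.layers:
            # crypto map hit: ESP tunnel mode, new outer header is local-address -> peer
            pkt = Packet(local, peer, pkt.layers + ["ESP"])
            continue                      # note 3: the new packet is routed again
        if iface == "Tunnel0":
            # GRE encapsulation: new outer header is tunnel source -> tunnel destination
            pkt = Packet(TUNNEL0[0], TUNNEL0[1], pkt.layers + ["GRE"])
            continue
        return iface, pkt, visited

def inbound_check(pkt, iface, crypto_map_ifaces=("Tunnel0",)):
    """Note 2: interesting traffic arriving in the clear on a crypto map interface is dropped."""
    if iface in crypto_map_ifaces and matches_crypto_acl(pkt, inbound=True) and "ESP" not in pkt.layers:
        return "drop"
    return "accept"
```

With the Loopback1 local-address the interesting packet leaves Ethernet0/0 as ESP inside GRE; with the physical address as local-address (note 1's second case) the ESP packet is already physical and skips GRE.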