1.1 IPsec VPN

1.1.1、Lab description

When configuring an IPsec VPN the work generally follows these steps:

First: R1 sends interesting traffic toward R2 (interesting traffic is whatever the crypto ACL matches; it is what triggers the negotiation).

Second: R1 and R2 negotiate IKE phase 1, which establishes the IKE (ISAKMP) SA:

   * determine the key exchange method

   * determine the authentication method (pre-shared key, RSA signatures or RSA encrypted nonces)

   * the peers agree on an ISAKMP policy (encryption algorithm, hash algorithm, Diffie-Hellman group, IKE SA lifetime)

Third: R1 and R2 negotiate IKE phase 2 (quick mode), which produces the pair of IPsec SAs (transform set, crypto ACL, lifetime) that actually protect the data.

Fourth: data is exchanged through the IPsec tunnel.

Fifth: the SAs are torn down automatically when their lifetime (in seconds or kilobytes) expires; an idle timer can also be configured so that the tunnel is closed when no data is flowing.

 

1.1.2、Topology


R1 and R2 are two routers connected across the Internet (in the lab they are connected directly back-to-back over a serial link: R1 Serial1/1 200.200.100.1/30 to R2 Serial1/0 200.200.100.2/30). R1's loopback 0 (10.1.1.1/24) simulates the LAN behind R1 and R2's loopback 0 (10.2.2.1/24) simulates the LAN behind R2; the goal is for the two loopbacks to reach each other through the VPN.

1.1.3、Basic configuration

R1=========================

hostname R1
no ip domain-lookup
line con 0
 logging synchronous
 exec-timeout 0 0
!
interface Serial1/1
 ip address 200.200.100.1 255.255.255.252
 no shutdown
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
exit

 

R2=================================

hostname R2
no ip domain-lookup
line con 0
 logging synchronous
 exec-timeout 0 0
!
interface Serial1/0
 ip address 200.200.100.2 255.255.255.252
 clock rate 56000
 no shutdown
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
exit
!

!

1.1.4、VPN configuration

The two routers are mirror images of each other: the crypto ACL on each side is the reverse of the other's, each side's "set peer" points at the other's serial address, and both use the same ISAKMP policy and transform set, otherwise phase 1 or phase 2 negotiation fails. The lab uses DES, MD5 and the pre-shared key "cisco" entered in cleartext ("key 0") so that the show output is easy to read; all three are weak and must not be used on a production tunnel.

 

R1=================================================

! crypto ACL: the "interesting traffic" that triggers and is protected by the tunnel
access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
!
! IKE phase 1 policy; encryption and DH group are not set, so the IOS
! defaults (DES, group 1, 86400 s lifetime) apply
crypto isakmp policy 1
 authentication pre-share
 hash md5
exit
!
! pre-shared key for the single peer; the host mask 255.255.255.255 binds the
! key to that one address (a 255.255.255.0 mask would apply it to the whole /24)
crypto isakmp key 0 cisco address 200.200.100.2 255.255.255.255
!
! IKE phase 2 proposal: ESP with DES encryption and MD5 HMAC
crypto ipsec transform-set shanghai esp-des esp-md5-hmac
!
crypto map ***_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.2
 set transform-set shanghai
!
ip route 10.2.2.0 255.255.255.0 200.200.100.2

interface Serial1/1
 crypto map ***_to_shanghai

 

R2 ================================================

! mirror image of R1's crypto ACL
access-list 101 permit ip host 10.2.2.1 host 10.1.1.1
!
crypto isakmp policy 1
 authentication pre-share
 hash md5
exit
!
! host mask: key applies to R1's address only
crypto isakmp key 0 cisco address 200.200.100.1 255.255.255.255
!
crypto ipsec transform-set shanghai esp-des esp-md5-hmac
!
crypto map ***_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.1
 set transform-set shanghai
!
ip route 10.1.1.0 255.255.255.0 200.200.100.1
!
interface Serial1/0
 crypto map ***_to_shanghai

!
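The lab configuration above negotiates DES with MD5, leaves the IKE Diffie-Hellman group at its default, has no PFS and stores the pre-shared key in cleartext. The following is a hardened version of the same two-router setup, added here as an example; it is not part of the original lab and was not run on the lab's IOS image. It assumes an IOS 15.x image that supports AES-256, SHA-256, DH group 14 and type 6 key storage; the PSK and master key strings are placeholders to be replaced with long random values.

```cisco
! ===== R1 (hardened) =====
! Added example, not the original lab config. Assumes an IOS 15.x image
! with AES/SHA-2/DH group 14 support; the key strings are placeholders.
!
! Store pre-shared keys as type 6 (AES-encrypted) instead of cleartext "0".
key config-key password-encrypt REPLACE-WITH-MASTER-KEY
password encryption aes
!
! Same interesting traffic as the lab: loopback to loopback.
access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
!
! IKE phase 1: explicit strong algorithms instead of the DES/group 1 defaults.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Dead peer detection: clear the SAs of a dead peer instead of blackholing traffic.
crypto isakmp keepalive 10 3 periodic
!
! Host mask binds the key to this single peer (the lab's 255.255.255.0 matched the whole /24).
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-PSK address 200.200.100.2 255.255.255.255
!
! IKE phase 2: AES-256 with SHA-256 HMAC replaces esp-des/esp-md5-hmac.
crypto ipsec transform-set shanghai-aes esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map ***_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.2
 set transform-set shanghai-aes
 set pfs group14
!
ip route 10.2.2.0 255.255.255.0 200.200.100.2
!
interface Serial1/1
 crypto map ***_to_shanghai
!
! ===== R2 (hardened): mirror image of R1 =====
key config-key password-encrypt REPLACE-WITH-MASTER-KEY
password encryption aes
!
access-list 101 permit ip host 10.2.2.1 host 10.1.1.1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-PSK address 200.200.100.1 255.255.255.255
!
crypto ipsec transform-set shanghai-aes esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map ***_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.1
 set transform-set shanghai-aes
 set pfs group14
!
ip route 10.1.1.0 255.255.255.0 200.200.100.1
!
interface Serial1/0
 crypto map ***_to_shanghai
```

The PSK must be identical on both routers; the master key used by "key config-key password-encrypt" is local to each router and may differ. After changing policies on a running tunnel, issue "clear crypto isakmp" and "clear crypto sa" so the peers renegotiate with the new parameters, then confirm with "show crypto isakmp policy" and check that the transform: lines in "show crypto ipsec sa" report esp-aes 256 esp-sha256-hmac rather than esp-des esp-md5-hmac.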

 

 

1.1.5、Verification

Run an extended ping from R1 to 10.2.2.1 with loopback 0 as the source. A plain ping would be sourced from Serial1/1 (200.200.100.1), which does not match access-list 101, so it would cross the link unencrypted and never bring the tunnel up.

R1#ping

Protocol [ip]:

Target IP address: 10.2.2.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: loo 0

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

..!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 172/238/288 ms

The first two echoes are lost while IKE phase 1 and phase 2 are being negotiated and no IPsec SA yet exists to carry them; they appear as "#send errors 2" in the show crypto ipsec sa output below. Once the SAs are up the remaining three replies arrive, and the #pkts encaps/decaps counters below correspondingly show 3.

R1#show crypto map

Crypto Map "***_to_shanghai" 10 ipsec-isakmp

        Peer = 200.200.100.2

        Extended IP access list 101

            access-list 101 permit ip host 10.1.1.1 host 10.2.2.1

        Current peer: 200.200.100.2

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                shanghai,

        }

        Interfaces using crypto map ***_to_shanghai:

                Serial1/1

R1#show crypto ipsec sa

 

interface: Serial1/1

    Crypto map tag: ***_to_shanghai, local addr 200.200.100.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (10.2.2.1/255.255.255.255/0/0)

   current_peer 200.200.100.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 0

 

     local crypto endpt.: 200.200.100.1, remote crypto endpt.: 200.200.100.2

     path mtu 1500, ip mtu 1500

     current outbound spi: 0xC57F1ABD(3313441469)

 

     inbound esp sas:

      spi: 0x9C8542B5(2625979061)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: SW:1, crypto map: ***_to_shanghai

        sa timing: remaining key lifetime (k/sec): (4416419/3493)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0xC57F1ABD(3313441469)

        transform: esp-des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: SW:2, crypto map: ***_to_shanghai

        sa timing: remaining key lifetime (k/sec): (4416419/3492)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

 

     outbound ah sas:

 

     outbound pcp sas:

R1#show crypto isakmp sa

dst             src             state          conn-id      slot     status

200.200.100.2   200.200.100.1   QM_IDLE              1    0      ACTIVE

QM_IDLE with status ACTIVE means the phase 1 (ISAKMP) SA with 200.200.100.2 is established and idle, ready to negotiate further phase 2 SAs; the inbound and outbound ESP SAs listed above are the phase 2 result.