IPSec基本配置
配置
LAN-to-LAN ×××
时的必要步骤:
1、 配置IKE(ISAKMP)策略
2、 定义认证标识(如:是预共享就必须设定密码)
3、 配置IPsec transform
4、 定义感兴趣流量
5、 创建crypto map
6、 将crypto map应用于接口
网络拓扑:
基本配置:
1、 R1与R5模拟内网主机(使用默认路由模拟PC默认网关,分别指向R2与R4)
2、 R2与R4模拟出口路由器(即使用默认路由指向R3-Internet)
3、 R3模拟Internet(只具有去往R2与R4的路由即可)
R1#sho run
Building configuration...
Current configuration : 1071 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
End
R2#sho run
Building configuration...
Current configuration : 1657 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
crypto isakmp policy 1------------------------- |此处是IKE第一阶段:定义加密(DES、3DES、AES、
encr 3des -----------------------------------------| RSA)、认证(pre-share、rsa-sig、rsa-encr)、hash
hash md5 ----------------------------------------|(md5、sha)、DH(group1、group2、group5)、lifetime
authentication pre-share ---------------------|(设置×××安全对话存活时间)等。
crypto isakmp key ccie address 34.1.1.4---因为与对端的认证是预共享方式,所以必须定义共享
!
密钥。
!
crypto ipsec transform-set ccna ah-md5-hmac esp-des-----定义转换集,IKE第一阶段主要是针对
!
密钥,而转换集主要是针对数据定义采用什么方式加密。
crypto map ccnp 1 ipsec-isakmp-----|定义策略组(图)
set peer 34.1.1.4------------------------|设置加密对端
set transform-set ccna-----------------|调用转换集
match address aaa----------------------|匹配感兴趣流
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 23.1.1.2 255.255.255.0
serial restart-delay 0
crypto map ccnp-----------------------------------必须在接口底下调用策略组(图)
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
ip route 1.1.1.0 255.255.255.0 Serial1/0
no ip http server
no ip http secure-server
!
!
!
ip access-list extended aaa
permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
permit ip 12.1.1.0 0.0.0.255 45.1.1.0 0.0.0.255
使用命名ACL可以在crypto map下匹配多个条件
!
logging alarm informational
access-list 100 permit ip 12.1.1.0 0.0.0.255 45.1.1.0 0.0.0.255
access-list 111 permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
使用普通ACL只能在crypto map下匹配其中一个条件
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
End
R3#sho run
Building configuration...
*Apr 8 20:59:59.339: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 990 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 23.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 34.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
End
R4#sho run
Building configuration...
Current configuration : 1585 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
crypto isakmp policy 1------------------------- |此处是IKE第一阶段:定义加密(DES、3DES、AES、
encr 3des -----------------------------------------| RSA)、认证(pre-share、rsa-sig、rsa-encr)、hash
hash md5 ----------------------------------------|(md5、sha)、DH(group1、group2、group5)、lifetime
authentication pre-share ---------------------|(设置×××安全对话存活时间)等。
crypto isakmp key ccie address 23.1.1.2---因为与对端的认证是预共享方式,所以必须定义共享
!
密钥。
!
crypto ipsec transform-set ccna ah-md5-hmac esp-des-----定义转换集,IKE第一阶段主要是针对
!
密钥,而转换集主要是针对数据定义采用什么方式加密。
crypto map ccnp 1 ipsec-isakmp-----|定义策略组(图)
set peer 23.1.1.2------------------------|设置加密对端
set transform-set ccna-----------------|调用转换集
match address aaa----------------------|匹配感兴趣流
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 34.1.1.4 255.255.255.0
serial restart-delay 0
crypto map ccnp-------------------------------------------必须在接口底下调用策略组(图)
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 45.1.1.4 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 5.5.5.0 255.255.255.0 Serial1/2
!
!
!
ip access-list extended aaa
permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 45.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
使用命名ACL可以在crypto map下匹配多个条件
access-list 100 permit ip 45.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
access-list 111 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
使用普通ACL只能在crypto map下匹配其中一个条件
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
End
R5#sho run
Building configuration...
Current configuration : 749 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R5
!
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
ip address 45.1.1.5 255.255.255.0
serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/3
ip http server
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
转载于:https://blog.51cto.com/2533474/538416
扫一扫
811
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
