Topology diagram: (image not reproduced in this text)
Configuration scripts:
Internet:
conf t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
line console 0
logging synchronous
exec-timeout 0 0
exit
int f0/0
ip add 61.128.1.10 255.255.255.0
no shut
int f1/0
ip add 202.100.1.10 255.255.255.0
no shut
int f2/0
ip add 61.128.2.10 255.255.255.0
no shut
end
==========================================================================
GW:
conf t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
line console 0
logging synchronous
exec-timeout 0 0
exit
int f0/0
ip add 202.100.1.1 255.255.255.0
no shut
int f1/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 202.100.1.10
end
ping 202.100.1.10
Easy VPN configuration section:
Phase 1: authentication:
GW(config)#crypto isakmp policy 10
GW(config-isakmp)#authentication pre-share
GW(config-isakmp)#group 2 // with pre-shared keys and Easy VPN's aggressive mode (AM), the DH group must be 2
GW(config-isakmp)#hash md5 // the policy cannot use the DES + SHA combination, so change either the hash or the encryption algorithm
GW(config-isakmp)#exit
GW(config)#crypto isakmp client configuration group IPSECGROUP // group authentication consists of a group name and a key; different groups can be given different policies, so a group can be thought of as a department
GW(config-isakmp-group)#key CISCO
GW(config-isakmp-group)#exit
Phase 1.5: two parts, XAUTH and MODE-CFG
XAUTH:
GW(config)#aaa new-model
GW(config)#aaa authentication login noacs line none // fallback list that protects the lines (line password, then no authentication)
GW(config)#line console 0
GW(config-line)#login authentication noacs // guarantees the console remains accessible at all times
GW(config-line)#exit
GW(config)#line aux 0
GW(config-line)#login authentication noacs
GW(config-line)#exit
GW(config)#aaa authentication login Ez×××-XAUTH local // XAUTH authenticates against the local user database
GW(config)#username REMOTE password CISCO // create a local user
MODE-CFG:
GW(config)#ip local pool Ez×××Pool 123.1.1.100 123.1.1.200 // create a local address pool; addresses from it are assigned to clients. Note: avoid using addresses from the network behind GW, and make sure the devices behind GW can route those addresses back to GW's inside interface
GW(config)#aaa authorization network Ez×××-MODE-CFG local // the authorization list uses the local database
GW(config)#crypto isakmp client configuration group IPSECGROUP // the authorization attributes are configured under the group; at minimum a key and a pool are required
GW(config-isakmp-group)#pool Ez×××Pool
GW(config-isakmp-group)#exit
Phase 2:
Transform set:
GW(config)#crypto ipsec transform-set Ez×××-Trans esp-3des esp-sha-hmac
GW(cfg-crypto-trans)#exit
Dynamic map:
GW(config)#crypto dynamic-map Ez×××-DyMap 10
GW(config-crypto-map)#set transform-set Ez×××-Trans
GW(config-crypto-map)#exit
GW(config)#crypto isakmp profile Ez×××-Profile // create an Easy VPN ISAKMP profile that ties the group match, authentication and authorization together
GW(conf-isa-prof)#match identity group IPSECGROUP // match the Easy VPN group
GW(conf-isa-prof)#client authentication list Ez×××-XAUTH // the list used for (XAUTH) authentication
GW(conf-isa-prof)#isakmp authorization list Ez×××-MODE-CFG // the list used for authorization, which pushes the policy to the client
GW(conf-isa-prof)#client configuration address respond // enable MODE-CFG (answer the client's address request)
GW(conf-isa-prof)#exit
GW(config)#crypto dynamic-map Ez×××-DyMap 10
GW(config-crypto-map)#set isakmp-profile Ez×××-Profile // attach the Easy VPN profile to the dynamic map
GW(config-crypto-map)#exit
GW(config)#crypto map cisco 10000 ipsec-isakmp dynamic Ez×××-DyMap // the static crypto map references the dynamic map
Apply the map to the outside interface:
GW(config)#int f0/0
GW(config-if)#crypto map cisco
GW(config-if)#end
Configure split tunneling:
GW(config)#ip access-list extended SplitTunnel
GW(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 any
GW(config-ext-nacl)#exit
GW(config)#crypto isakmp client configuration group IPSECGROUP
GW(config-isakmp-group)#acl SplitTunnel
GW(config-isakmp-group)#exit
Configure Save-Password:
GW(config)#crypto isakmp client configuration group IPSECGROUP
GW(config-isakmp-group)#save-password
GW(config-isakmp-group)#exit
L2L IPsec VPN configuration section:
Phase 1: IKE SA:
GW#conf t
GW(config)#crypto isakmp policy 20 // the IKE SA policy can be shared with the Easy VPN one or configured separately
GW(config-isakmp)#authentication pre-share
GW(config-isakmp)#encryption des
GW(config-isakmp)#hash sha
GW(config-isakmp)#group 1
GW(config-isakmp)#exit
Phase 2: IPsec SA:
GW(config)#ip access-list extended L2L×××
GW(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
GW(config-ext-nacl)#exit
GW(config)#crypto ipsec transform-set L2LTrans esp-aes esp-sha-hmac // the IPsec SA settings could also reuse the Easy VPN crypto map
GW(cfg-crypto-trans)#mode tunnel
GW(cfg-crypto-trans)#exit
GW(config)#crypto keyring L2L-Keyring
GW(conf-keyring)#pre-shared-key address 61.128.2.1 key CISCO123
GW(conf-keyring)#exit
GW(config)#crypto isakmp profile L2L-Profile
GW(conf-isa-prof)#keyring L2L-Keyring
GW(conf-isa-prof)#match identity address 61.128.2.1
GW(conf-isa-prof)#exit
GW(config)#crypto map cisco 10
GW(config-crypto-map)#set isakmp-profile L2L-Profile
GW(config-crypto-map)#end
Configure the crypto map:
GW(config)#crypto map cisco 10 ipsec-isakmp // an interface can carry only one crypto map, but one map can hold several entries, so reuse the map already created for Easy VPN with a different sequence number
GW(config-crypto-map)#set peer 61.128.2.1
GW(config-crypto-map)#set transform-set L2LTrans
GW(config-crypto-map)#match address L2L×××
GW(config-crypto-map)#end
Apply the crypto map to the outside interface (the map cisco was already applied to f0/0 in the Easy VPN section above, so nothing more is needed here):
==========================================================================
Server:
conf t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
line console 0
logging synchronous
exec-timeout 0 0
exit
enable password password
ip http server
int f0/0
ip add 10.1.1.10 255.255.255.0
no shut
exit
no ip routing
ip default-gateway 10.1.1.1
end
ping 10.1.1.1
==========================================================================
Branch:
conf t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
line console 0
logging synchronous
exec-timeout 0 0
exit
enable password password
ip http server
int f0/0
ip add 61.128.2.1 255.255.255.0
no shut
int loopback 0
ip add 172.16.1.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 61.128.2.10
end
ping 61.128.2.10
Configure L2L IPsec VPN
Phase 1: IKE SA:
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp key 0 CISCO123 address 202.100.1.1
Phase 2: IPsec SA:
Branch(config)#ip access-list extended L2L×××
Branch(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Branch(config-ext-nacl)#exit
Branch(config)#crypto ipsec transform-set L2LTrans esp-aes esp-sha-hmac
Branch(cfg-crypto-trans)#mode tunnel
Branch(cfg-crypto-trans)#exit
Configure the crypto map:
Branch(config)#crypto map L2L××× 10 ipsec-isakmp
Branch(config-crypto-map)#set peer 202.100.1.1
Branch(config-crypto-map)#set transform-set L2LTrans
Branch(config-crypto-map)#match address L2L×××
Branch(config-crypto-map)#exit
Apply the crypto map to the outside interface:
Branch(config)#int f0/0
Branch(config-if)#crypto map L2L×××
Branch(config-if)#end
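Both peers are now configured. The following Python script is an added example and is not part of the original lab notes: it parses constructed excerpts of the GW and Branch configurations above and checks the invariants the Easy VPN and L2L sections rely on: the two L2L crypto ACLs are mirror images of each other, the static L2L entry of crypto map cisco sorts before the catch-all dynamic Easy VPN entry, ISAKMP policy 10 meets the Easy VPN constraints noted above (DH group 2 and not the DES + SHA pairing), and the SplitTunnel ACL sends 10.1.1.0/24 destinations through the tunnel. All function names are this example's own, the excerpts are constructed from the lab text, and the ××× in the lab's object names is kept exactly as the page prints it.

```python
import ipaddress
import re

# Constructed excerpts of the lab's GW and Branch configurations: only the lines the
# checks below read are included, with names spelled exactly as the lab prints them.
GW_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
crypto map cisco 10 ipsec-isakmp
 match address L2L×××
crypto map cisco 10000 ipsec-isakmp dynamic Ez×××-DyMap
ip access-list extended L2L×××
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
"""
BRANCH_CONFIG = """\
ip access-list extended L2L×××
 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse_blocks(config):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.strip() and raw[0].isspace():
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks[current] = []
    return blocks

def _operand(tokens, i):
    """Decode one extended-ACL address operand: any / host A / A wildcard-mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress understands the wildcard (host-mask) notation that IOS ACLs use
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def acl_entries(blocks, name):
    """Permit entries of an extended ACL as (source, destination) network pairs."""
    entries = []
    for ace in blocks.get(f"ip access-list extended {name}", []):
        tokens = ace.split()
        if tokens[:2] == ["permit", "ip"]:
            src, i = _operand(tokens, 2)
            entries.append((src, _operand(tokens, i)[0]))
    return entries

def crypto_acls_mirror(local, remote):
    """An L2L tunnel only negotiates when each peer's crypto ACL mirrors the other's."""
    return {(s, d) for s, d in local} == {(d, s) for s, d in remote}

def crypto_map_order_ok(blocks, name):
    """Entries are evaluated in sequence order; Cisco's guidance is to give the dynamic
    entry the highest sequence number so the static site-to-site entries are tried first."""
    static, dynamic = [], []
    for header in blocks:
        m = re.match(rf"crypto map {re.escape(name)} (\d+) ipsec-isakmp( dynamic \S+)?$", header)
        if m:
            (dynamic if m.group(2) else static).append(int(m.group(1)))
    return bool(dynamic) and max(static, default=-1) < min(dynamic)

def easyvpn_policy_ok(blocks, seq):
    """Pre-shared Easy VPN runs aggressive mode, which needs DH group 2, and the lab
    notes that the IOS default DES + SHA pairing is not accepted for it."""
    settings = {"encryption": "des", "hash": "sha", "group": "1"}  # IOS 12.4 defaults
    for line in blocks.get(f"crypto isakmp policy {seq}", []):
        key, _, value = line.partition(" ")
        if key in settings:
            settings[key] = value
    return settings["group"] == "2" and (settings["encryption"], settings["hash"]) != ("des", "sha")

def tunneled(blocks, acl_name, destination):
    """Split tunneling: the ACL's source side lists the networks behind the gateway, so a
    client destination inside one of them is encrypted; anything else leaves in the clear."""
    dst = ipaddress.ip_address(destination)
    return any(dst in src for src, _ in acl_entries(blocks, acl_name))

def run_checks():
    """Evaluate the lab's invariants against the excerpts; a value of True means the check passed."""
    gw, branch = parse_blocks(GW_CONFIG), parse_blocks(BRANCH_CONFIG)
    return {
        "crypto ACLs mirror": crypto_acls_mirror(acl_entries(gw, "L2L×××"), acl_entries(branch, "L2L×××")),
        "crypto map order": crypto_map_order_ok(gw, "cisco"),
        "Easy VPN policy 10": easyvpn_policy_ok(gw, 10),
        "split tunnel 10.1.1.10": tunneled(gw, "SplitTunnel", "10.1.1.10"),
    }

if __name__ == "__main__":
    for check, passed in run_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
```

Running the script prints PASS for all four checks on the lab's excerpts; to use it on a real device, replace the excerpts with a `show running-config` capture from each router. Calling `easyvpn_policy_ok(gw, 20)` returns False, because policy 20 is the L2L policy left at the IOS defaults (DES, SHA, group 1), which is exactly why the lab adds a separate policy 10 for Easy VPN.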
##################################################################################
GW#sh run
Building configuration...
Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login noacs line none
aaa authentication login Ez×××-XAUTH local
aaa authorization network Ez×××-MODE-CFG local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username REMOTE password 0 CISCO
!
!
crypto keyring L2L-Keyring
pre-shared-key address 61.128.2.1 key CISCO123
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication pre-share
!
crypto isakmp client configuration group IPSECGROUP
key CISCO
pool Ez×××Pool
acl SplitTunnel
save-password
crypto isakmp profile Ez×××-Profile
match identity group IPSECGROUP
client authentication list Ez×××-XAUTH
isakmp authorization list Ez×××-MODE-CFG
client configuration address respond
crypto isakmp profile L2L-Profile
keyring L2L-Keyring
match identity address 61.128.2.1 255.255.255.255
!
!
crypto ipsec transform-set Ez×××-Trans esp-3des esp-sha-hmac
crypto ipsec transform-set L2LTrans esp-aes esp-sha-hmac
!
crypto dynamic-map Ez×××-DyMap 10
set transform-set Ez×××-Trans
set isakmp-profile Ez×××-Profile
!
!
crypto map cisco 10 ipsec-isakmp
set peer 61.128.2.1
set transform-set L2LTrans
set isakmp-profile L2L-Profile
match address L2L×××
crypto map cisco 10000 ipsec-isakmp dynamic Ez×××-DyMap
!
!
!
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip local pool Ez×××Pool 123.1.1.100 123.1.1.200
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
!
!
!
ip access-list extended L2L×××
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication noacs
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication noacs
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
line vty 5 15
exec-timeout 0 0
password cisco
logging synchronous
!
!
end
This lab comes from 明教教主!!
Reposted from: https://blog.51cto.com/yinkai/1793088